BayLISA - July 15, 2004 - Mark Langston's Through a Sniffer Darkly

Roy S. Rapoport rsr at inorganic.org
Thu Jul 22 11:30:12 PDT 2004


On Thu, Jul 22, 2004 at 09:29:44AM -0700, Piotr T Zbiegiel wrote:
> People probably never describe your ideas as devilish, fiendish, or 
> devious, do they?

Hee.  No comment.

> Personally, I see Mark's code more easily harnessed 
> as a call-back mechanism.  Combine that with the log message 
> communication mechanism

Which requires the recipient to be able to listen to the log messages.
Because you do have desktops and admin systems on the same network, right?

> While Mark's tool may not be "kiddie-ready", it does raise 
> interesting issues.

Of course it does.  I'll also say it's clever, and neat, and damn smart,
which I'm sure are all qualities that are applicable to Mark, too.  

> Just because you or I or even Mark may not be able 
> to figure out all the logistics and problems with this mechanism doesn't 
> mean that someone else can't come along, see it all clearly, and create 
> one hell of an evil application, put it in a worm or rootkit, and let it rip.

When did I say otherwise?

> The long and short of it is that the world is full of networks that 
> don't have all the right settings.  It's great to use the terms 
> "reasonable" and "best-practice" but that's not how things always work. 
> There will always be a place for the wily hacker, cracker, 
> script-kiddie, worm, rootkit, etc. as long as there is an Internet. 
> Don't dismiss things as unworkable, you may be reading an article on it 
> in Phrack before you know it...

One of the problems I've found with IT people (and God damn, but if it
doesn't show up in our meetings sometimes) is the desire we occasionally
have to show how smart we are by finding points on which to disagree.  

I never said Mark's program would not work; nor did I say that there
wouldn't be a bunch of places in the world where it would work rather well.
What I did say was that saying "Oh my God! There's no way to stop it!" is
simplistic and wrong.  There _are_ ways of stopping it from working; those
ways have costs associated with them, and sysadmins will need to
communicate those costs to businesses which will then need to decide
whether or not the benefit of stopping covert communication channels is
worth the costs.  Some places will; some places won't.  I'm not even
necessarily advocating what is right in this case (other than "thou shalt
do egress filtering."  I still believe sysadmins who don't need to be
spanked), just pointing out that there are solutions to this problem.

-roy
