BayLISA - July 15, 2004 - Mark Langston's Through a Sniffer Darkly

Piotr T Zbiegiel peter at usestrict.org
Thu Jul 22 14:50:04 PDT 2004


Roy S. Rapoport wrote:
> On Thu, Jul 22, 2004 at 09:29:44AM -0700, Piotr T Zbiegiel wrote:
> 
>>People probably never describe your ideas as devilish, fiendish, or 
>>devious, do they?
> 
> 
> Hee.  No comment.
> 

It's just because you said "reasonable" so many times in your email.

> 
>>Personally, I see Mark's code more easily harnessed 
>>as a call-back mechanism.  Combine that with the log message 
>>communication mechanism
> 
> 
> Which requires the recipient to be able to listen to the log messages.
> Because you do have desktops and admin systems on the same network, right?

There's that lack of "evil-genius" vision again.  Why did so many at the 
meeting latch onto the comment that was made about how you can't see the 
log messages over the wire because you are on a different segment?  Is 
that supposed to stop me?  Is that supposed to be a problem?  We're 
sysadmins, we should know better than that.

If I am infiltrating your company from the outside and you have 
perimeter firewalls and DMZs my first stop will be your web, mail, and 
dns servers.  All of them write logs, all are ripe for subversion. 
Remember, no one said the recipient of the messages had to be human.

And let's not even talk about internal attackers; cracking most places 
is trivial from the inside.

No one said you have to listen to the log messages at your desk.  One 
owned server + a little arp poisoning and it starts routing all the 
packets on the segment through its network interface.  Now I can see all 
the log messages coming by and a whole lot more.

And that's just one idea.  There's a million more ways to subvert the 
network.  Some of them are practically unstoppable if you expect to have 
a functional, scalable network that isn't a management nightmare.

Remember just because you don't see the possibilities doesn't mean that 
other more devilish, fiendish, and devious people don't see them either.

Later,
Peter
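
A defender's view of the ARP poisoning scenario in the message above, as an added example that is not part of the original post: it scans observed ARP replies for an IP that moves to a new MAC and for one MAC answering for several IPs. The sample records, the addresses and the function name find_arp_anomalies are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: (seconds, sender IP, sender MAC) from ARP replies seen on
# one segment. Addresses are documentation values, not taken from the post.
SAMPLE_ARP_REPLIES = [
    (0, "192.0.2.1", "00:00:5e:00:53:01"),    # gateway
    (5, "192.0.2.10", "00:00:5e:00:53:10"),   # loghost
    (9, "192.0.2.20", "00:00:5e:00:53:20"),   # web server
    (60, "192.0.2.1", "00:00:5e:00:53:20"),   # web server's MAC claims the gateway
    (61, "192.0.2.10", "00:00:5e:00:53:20"),  # ... and the loghost
    (90, "192.0.2.1", "00:00:5e:00:53:20"),   # repeated claim, no new change
]


def find_arp_anomalies(replies, max_ips_per_mac=1):
    """Return (rebinds, multi_claims) for a sequence of ARP reply records.

    rebinds: list of (time, ip, old_mac, new_mac), one per IP-to-MAC change.
    multi_claims: {mac: sorted IPs} for MACs answering for more than
    max_ips_per_mac addresses. Raise the limit for hosts with legitimate
    aliases or failover addresses.
    """
    current = {}                 # ip -> MAC last seen answering for it
    claimed = defaultdict(set)   # mac -> every IP it has answered for
    rebinds = []
    for ts, ip, mac in sorted(replies):
        mac = mac.lower()
        old = current.get(ip)
        if old is not None and old != mac:
            rebinds.append((ts, ip, old, mac))
        current[ip] = mac
        claimed[mac].add(ip)
    multi_claims = {m: sorted(ips) for m, ips in claimed.items()
                    if len(ips) > max_ips_per_mac}
    return rebinds, multi_claims


if __name__ == "__main__":
    rebinds, multi = find_arp_anomalies(SAMPLE_ARP_REPLIES)
    for ts, ip, old, new in rebinds:
        print(f"t={ts}s {ip} moved from {old} to {new}")
    for mac, ips in multi.items():
        print(f"{mac} answers for {', '.join(ips)}")
```
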


