[Noisebridge-discuss] Fw: continuing adventures in the brave new world.

Will Sargent will.sargent at gmail.com
Thu Apr 5 19:24:14 UTC 2012

On Thu, Apr 5, 2012 at 12:54 AM, Zephyr Pellerin
<zephyr.pellerin at gmail.com>wrote:

> > Does anyone know the author of that site?  I'm simultaneously impressed
> > and a bit concerned because I'm not very confident about their threat
> model.
> > It seems like the threat model includes offline attacks but it has -- in
> > the scheme of things -- very little test for structure so it doesn't
> really
> > know the difference between passwords built Diceware-style out of words
> and
> > completely random strings.
> Come come, any hacker worth their salt hasn't kept D8.dic on their box
> since the turn of the century. It's prohibitively expensive and today
> developers basically manufacture exploitable software as a release
> requirement. sudo, the privilege escalation binary we all know and
> left, just had an exploitable FORMAT STRING bug in it (Didn't we get
> rid of all of those in like, 1999?).
> Backdoored login scripts or LDAP forest managers are considerably more
> likely than someone cracking a dump, especially considering
> xp_cmdshell is default in SQL08, file reading queries in pgsql are as
> well ( COPY X from Y where Y is a filepath is a real thing), and ways
> to turn sqli into shells on mysql are too numerous to list.
> Still, the real weakest chain in your security is your web browser and
> what plugins your web browser loads - flat out. This has been the
> preferred method to pop people-you-don't-know's box for at least 3
> years (Or at least since that pesky /GS switch & --stack-protection
> happened :)  Thats doubly true of breaking server side daemons - Any
> application developer worth his salt (or using these newfangled ORMs)
> will use prepared queries or a DB firewall, will be installed on a box
> with address randomization, safe exception handlers, W^X etc, but will
> probably not check his box for kernel mode rootkits that are hooking
> his tty every day.
> The fact that people care about passwords reflects a little (a lot?)
> out of date perception of how it's actually done. Virtually all
> computers compromised today are done with either a clever web bug or
> some memory corruption bug (perhaps not accounts, but certainly
> computers).  Just because the deep well of stack based buffer
> overflows has (mostly) dried up doesn't mean use after frees and
> friends don't happen all the time, and no matter what your platform
> is, if you *really* think your patch cycle is 0 day turnaround.. well,
> I'd take a hard look at your sanity (laff).
> As far as how hotmail is being compromised, theres been quite a few
> bugs in password recovery in both hotmail & yahoo's systems. Don't
> rely on them for  security, Even our venerable lord Gmail has had it's
> fair share of remote mail reading bugs -

I agree that bad security is commonplace, and there are many areas which
are not covered.

I have noticed a pattern though, which is that it's a lot easier to point
out security vulnerabilities than it is to talk about how to harden and
protect against them.  People post "exploits" -- they don't post "exploits"
and "how this could have been prevented or ameliorated" and then "how to
design to protect against this class of problem."

Which is what I'm trying to do with the webapp-hardening thing -- if there
are kernel mode rootkits out there that are compromising you, what's the
correct response to that?  How do you assess the risk and counter it?  I'm
sure that we could better educate people -- if you were giving a talk on
how to do good security, how would you do it?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.noisebridge.net/pipermail/noisebridge-discuss/attachments/20120405/206d42b2/attachment.html>

More information about the Noisebridge-discuss mailing list