Re: Wanted: hackers for tiger team (new england area)

Mark (mark@netsys.com)
Sat, 8 Oct 1994 15:09:47 -0700 (PDT)

>% As long as we can be sure the person/group is going to tell _all_
>% that they found..... then we are interested in paying/contracting etc.
>% We don't want to pay someone to bang on the doors and then tell us 1/2
>% of our bugs and then tell the cracker community the other half :-) :-(
>% :-(.... The half we get is commonly the half we already know e.g. not
>% worth our time/money.
>
>This is rich... You get a tiger team to bang on the doors, and you
>haven't even plugged all the old holes yet? I could understand this if
>you were a normal everyday company, just on the road to get their
>internet connection up and running. But not from Sun Microsystems Inc.
>You guys are supposed to be able to fix things from source, right?

Err, I have to stick my (stupid) head up in support of Sun here... do you
realise the scale of their operations? They have tens of thousands of
hosts, operations in countries from Dubai to Venezuela. The big problem
with Sun is their lack of funding for proper security... they are too
busy getting on with the company mission to slow down and do all that
painful stuff that the crackers of the world make necessary.

Sun was started as a can-do sort of company with some great personnel,
and they have a relaxed atmosphere that is conducive to producing the
types of machines and systems that you like so much on your desks. Now,
back to the issue of contracting someone else's tiger team: the deal is
that Sun's internal security, the NSG, "Network Security Group" (name changes
a lot :), consists of (and I quote) "NSG is me (Alec), Brad, Ken, Tim
and Nick (the boss)". Not especially huge. I won't mention their patching
system, it might explain too much. (Hi Mark). Now the NSG, being so small,
has a damn hard job to do: they have to co-ordinate audits, secure new
connections, and all the other jobs you'd expect a team to do. That's in
conjunction with trying to co-ordinate the huge amount of traffic, fix
the hundreds of bugs, and keep out the door knockers and lock pickers.
The result is either complacency, being buried in the load, or a frame
of mind that doesn't see what is there.

They need fresh blood occasionally to check their work and make sure
nothing slipped by in the rush. The tiger team idea is good; it
gives them another look at their internals with approaches they haven't
used.

Before you jump at them, consider what they have to do and what they have
to work with. They need more funding and fresh blood and a mental shakeup
to clear the cobwebs. They are essentially preventative, and therein lies
the greatest problem: you can only do so much with what you have, and with
the amount of things to do, steps are missed. If new methods are created by
dark hats, then it can be a while before they learn about it and cover
themselves.

(Most of this was gleaned from social chatting with some of them; they
are easy-going types and I can appreciate their task).

>And if you'd want to know exactly what the "doorknockers" are up to...
>ever considered logging keystrokes?

Now that's a new one... Thanks!

>% trust is something to be earned not assumed.

See my rant note I posted earlier :)

>I trust /etc/hosts.equiv does not contain wildcards when shipped, do I
>assume correct?

Heh, I like that.

Unencumbered by sleep,
Mark