[66617] in North American Network Operators' Group
Re: sniffer/promisc detector
daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Sat Jan 17 14:23:51 2004
To: haesu@towardex.com
Cc: nanog@merit.edu
In-Reply-To: Your message of "Sat, 17 Jan 2004 12:55:17 EST."
<20040117175517.GA18545@scylla.towardex.com>
From: Valdis.Kletnieks@vt.edu
Date: Sat, 17 Jan 2004 14:22:31 -0500
Errors-To: owner-nanog-outgoing@merit.edu

On Sat, 17 Jan 2004 12:55:17 EST, haesu@towardex.com said:

> by the time you think your enemy is less capable than you, you've already lost
> the war.

On the other hand, does the fact that police usually only catch the stupid crooks
mean that police forces are a bad idea?

1) How often is your site graced by the presence of a script kiddie who *would* fall
for a honeypot, but who has enough exploits stashed to be a serious threat? (Remember,
it only takes 1 unpatched 1U back there in row 17, rack 4, for him to get a foothold).

2) How often is your site visited by a talented Black Hat who's more capable than you,
and who wouldn't be tricked by a honeypot?

3) How do you even know your answer to (2) is correct? Think long and hard
about this one - when was the last time you took *everything* down and booted
from known good media and checked for rootkits? And how do you know it was
good media? (Go and re-read Ken Thompson's "On Trusting Trust" and Karger and
Schell's paper on a Multics pen-test, and then take another REALLY close look
at that boot CD.)

I tend toward paranoia. However, I once received a box claiming to be from IBM
Software Distribution, with the format of shipping labels that IBM SD had, and
even sealed with IBM anti-tamper Q-tape the same way IBM SD does.

There was a birthday card in it. Addressed to me. From a friend who wasn't an
IBM employee at the time. I was most impressed. ;)