RE: Foolish? Only the accusations.

Replies are listed 'Best First'.
RE: RE: Foolish? Only the accusations. by Ozymandias (Hermit) on Sep 14, 2000 at 21:03 UTC
I'm not sure what your problem is. I said that in this EXACT situation, which you did not explain until the what, third reply, this is a solution. It is. I personally disagree that it's a good one, but hey, you can do as you like. In a general sense, which is what you initially presented it as, it is a bad idea. That's not a personal attack, it's a simple fact. This method of network/system security is a bad one, something that every single experienced security admin knows. Take a class, read a book, ask a pro. They will all say the same thing. Regardless of method or formula, the general paradigm for security is to lock down as tight as possible consistent with the function of the server to prevent something from happening. Monitor the server using logs or programs similar to Tripwire (preferably both) so that if someone DOES break into the system or otherwise do something they shouldn't, you have a record of it and notification of the event. If you react, do so after the fact; minimize the damage, close any back doors that may have been installed, repair the initial system breach. Sometimes you can only do that with a total system rebuild. If you react directly to the threat, react only in person, and do so by, for example, blocking the attacker's IP and throwing them off the system, shutting down networking, or otherwise minimizing the harm that can be done. Don't taunt them, don't threaten them, don't try to retaliate - simply remove the threat. That's the security hole in your code, Aigh. You're advocating a dangerous security method. The code itself is fine, I'm sure, but it doesn't matter; it can and, used improperly, will cause problems as surely as if you'd written `system "rm -rf *";` yourself. That's all I'm saying about it. In this case, it worked. Fine. Congratulations. The only person being offensive and throwing personal accusations or attacks is you. I've been patient and tried to simply explain where the problem lies, and you don't seem to understand that I'm not interested in a flame war. I really don't care if you don't like me; you're certainly not giving me any reason to like you. If you'd like respect, sure. Not a problem. Stop acting like a child and show me a reason why what you're advocating is a good idea, generally speaking. Unless you can answer that, this conversation is finished. - email Ozymandias	[reply] [d/l]

Replies are listed 'Best First'.

RE: RE: Foolish? Only the accusations.
by Ozymandias (Hermit) on Sep 14, 2000 at 21:03 UTC

In a general sense, which is what you initially presented it as, it is a bad idea. That's not a personal attack, it's a simple fact. This method of network/system security is a bad one, something that every single experienced security admin knows. Take a class, read a book, ask a pro. They will all say the same thing. Regardless of method or formula, the general paradigm for security is to lock down as tight as possible consistent with the function of the server to prevent something from happening. Monitor the server using logs or programs similar to Tripwire (preferably both) so that if someone DOES break into the system or otherwise do something they shouldn't, you have a record of it and notification of the event. If you react, do so after the fact; minimize the damage, close any back doors that may have been installed, repair the initial system breach. Sometimes you can only do that with a total system rebuild. If you react directly to the threat, react only in person, and do so by, for example, blocking the attacker's IP and throwing them off the system, shutting down networking, or otherwise minimizing the harm that can be done. Don't taunt them, don't threaten them, don't try to retaliate - simply remove the threat.

That's the security hole in your code, Aigh. You're advocating a dangerous security method. The code itself is fine, I'm sure, but it doesn't matter; it can and, used improperly, will cause problems as surely as if you'd written system "rm -rf *"; yourself. That's all I'm saying about it. In this case, it worked. Fine. Congratulations.

The only person being offensive and throwing personal accusations or attacks is you. I've been patient and tried to simply explain where the problem lies, and you don't seem to understand that I'm not interested in a flame war. I really don't care if you don't like me; you're certainly not giving me any reason to like you. If you'd like respect, sure. Not a problem. Stop acting like a child and show me a reason why what you're advocating is a good idea, generally speaking. Unless you can answer that, this conversation is finished.

- email Ozymandias

[reply]
[d/l]