Home page logo

basics logo Security Basics mailing list archives

Re: Secure host newbie - fun - humm
From: Barry Fitzgerald <bkfsec () sdf lonestar org>
Date: Wed, 07 Apr 2004 09:05:32 -0400

Ranjeet Shetye wrote:

ok, lets talk facts.

I consider kernel.org to be a well-secured site, because it is secured
(in various ways - best practices, technological locks, user awareness,
IDS etc.) against all known attacks as of today.

However, based on the intangible "some form of knowledge" that you've
laid claim to, you say that kernel.org is insecure even today.

Prove it. Show us that kernel.org is insecure.

I'll let the facts speak for themselves.

OK - let's talk facts.

Though I've been in black hat circles before as an observer, I'm not a black hat. I don't have access to undisclosed vulnerabilities and basically all of my free time (which, as you can tell, amounts to about minutes a day) yesterday was spent sending e-mails to you about your misunderstandings regarding the nature of security. But, you see, regardless of all of that, I don't need to prove my point. You made the initial allegation - therefore, you're the one who needs to back it up -- show us that kernel.org is secure. Show us that there are NO vulnerabilities out there that it might be susceptible to. You can't do that. I think you know that you can't. But, according to you, the proper thing to do would be to shut down kernel.org since there's a possibility that someone might hack into it.

If you understood security, you'd know that the best position to start from is the belief that something is insecure and then to work forward securing it. But, you seem to be coming from the perspective that it has to be shown that something is insecure. Philosophically, your method is unsound.

Another reason I don't need to prove my point in this way is because it's a basic fact that there are undisclosed vulnerabilities. If you're denying that this is the case (which it seems you are here) you need to back away from this conversation right now and RTFM, spend some time in the security community, and learn something because that's a foolish point to try to prove. It flies in the face of all reason.


Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]