Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: No shell => secure?
From: daniel uriah clemens <daniel_clemens () autism birmingham-infragard org>
Date: Fri, 9 Jul 2004 14:29:56 +0000 (GMT)

This is not security through obscurity. This is security through
incompatibility. The point of the idea is to make it necessary for an
attacker to rewrite an exploit for my system specifically. This is
something that over 99% of the potential attackers would not do, because
they don't care about my system. When you have an exploit that works
against all the RedHat boxes on the Internet, would you bother to
customize it so that it works against one single server of one single
random weirdo? It's not worth it.

Of course its worth it if your box IS the target!

Think about it this way. I create my own operating system. It's based on
the Linux kernel and common Unix programs, but it uses different paths for
everything. This operating system is only used by a single person on this
planet. Will anyone bother to rewrite exploits to work against this

Once again... if your the target - yes.

And I repeat that I'm NOT talking about people who want to attack this
system specifically. I'm talking about people/worms that scan IP ranges
for vulnerable systems to run standard exploits against.

But 3 paragraphs above you state the opposite twice.
As for standard exploits, there are no standard exploits. Each exploit
writer is going to write his/her exploits a bit differently.

There are people who argue that the reason why there are fewer worms that
target Linux than Windows is not Linux's superior security but it's lower
popularity compared to Windows. If all you care about is to get a huge
bot-net with minimum effort or maximum damage with minimum effort, you
target the most popular systems only.

I tell you now that I've been running a Linux server for the past 5 years,
which I have set up so that all of my paths start with /root, i.e.
/root/bin, /root/usr/bin, /root/etc,...
Although I've been DOSed and some services have been crashed, I have not
been rooted a single time during those 5 years.

That you know of. Why don't you tell us that you aren't running any
services on the box also. How many shell accounts have you given out on
your linux box in the last 5 years?

Its far easier to lock down an linux/unix box via login.conf your
partitions and simply some gosh darn good admining of the box than to say
since i run linux and haven't been owned its a better box. The statement
to state that may or would more accurately paint the picture of what
threats you have been stepping away from by using linux might be 'i have
been running linux for 5 years, with 5000 shell accounts on the box and
since im worried about the threat of a localhost compromise i locked down
users to a particular partition and locked down what libraries those users
can use..and this makes linux better than xyz because its way easier to do

I claim that the reason why I was never rooted is my special setup. It has
made all of the exploits against Linux boxes that were used in the past 5
years non-functional against my system (aside from the DOS/crash aspect).

I would say that is a pretty arrogent statement. If I am a hacker and want
to hack your box with popping a shell from a buffer overflow its just as
easy to try /weirdopath/bin/sh as it is to try /bin/sh.

To prove that my claim is incorrect you'll have to point me to an ACTUAL
EXPLOIT/WORM/VIRUS (or report about such an exploit) ACTUALLY USED during
the past 5 years that would have worked WITHOUT CUSTOMIZATION against my

I can hear happy gilmore now... SHAMPOO IS BETTA!

Fortunately this will not happen. The standards you mentioned protect me
against this. RedHat, SuSE,... can not implement this method, because they
can not break standards. This is a method that can only be implemented by
random weird individuals such as myself.

Yeah try using your weird operating system on an enterprise network and
see how usefull it is when you have to apply a patch.

-Daniel Uriah Clemens

Esse quam videra
                (to be, rather than to appear)
                     -Moments of Sorrow are Moments of Sobriety
                      { o)2059686335             c)2055676850 }

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]