[ale] Sunday 05-22-05 6PM RUN-AS-ROOT CHALLENGE

Michael B. Trausch fd0man at gmail.com
Thu May 19 19:15:17 EDT 2005


George Carless wrote:
> 
> I really don't think this has anything to do with "l33t s41lz".  It has to do with 
> established best standards, worked out over a great period of time by people 
> better-experienced than you or me.  There's enough documentation out there to support the 
> stance of those of us (really, everyone but you and Drew) who hold that running as root is 
> significantly more risky than running as non-root.  That you want to ignore it really 
> leaves us with nowhere to turn, but you might as well argue that the world is flat, that 
> the world was created by a giant bunny, that people should never take medicine when they 
> are sick or that jumping off tall buildings is a good idea because we could get hit by a 
> bus if we don't.
> 

Agreed.  There's no point to demonstrating the many ways that a
partition table can become screwed, a filesystem can take a dump, a
hardware flaw can be taken advantage of, or worse, be exploited
unknowingly resulting in a crash, or any number of other things.

I think what would really be amusing is for a private net to be set up
and have someone crack a *real* box, not one already rooted.  Without
any crutches such as getting even a username and password.

A truly insecure box requires no user account to bring it down.  It
requires someone who can find a way into it, assuming that the SA isn't
terribly smart and also assuming that the cracker is smarter than the
person running it.

An SA that isn't proactive will lose, quickly.

-- 
Michael B. Trausch                               <fd0man at gmail.com>
Website: http://fd0man.chadeux.net/     Jabber: mtrausch at jabber.com
Phone: +1-(678)-522-7934              FAX (US Only): 1-866-806-4647
===================================================================
Do you have PGP or GPG?  Key at pgp.mit.edu, Please Encrypt E-Mail!
