CSI blows us away



  • @Lingerance said:

    @brazzy said:
    If a firewall blocks everything, you might as well disconnect the two network segments physically and not have to worry about vulnerabilities in the firewall itself, or someone misconfiguring it.
    A firewall blocks everything by _default_. You then open the ports one by one only as necessary, this is called security by design.
     

    The very concept of port-oriented firewalls is flawed, since the correspondence between ports and applications is pure convention. You think you've decreased your vulnerability to attacks 10,000fold by opening only 6 carefully chosen ports rather than 2^16. But you haven't because everyone else does the same, and now those 6 ports are used by all kinds of applications with all kinds of vulnerabilities.

    @Lingerance said:

    @brazzy said:
    If it does not block everything, the port(s) it does not block is an open door to an attacker if there's a vulnerability in an app operating on that port or someone running (deliberately or inadvertedly [sic]) a trojan inside, and of course there's tunnelling [sic] and socks proxies that can make that door as big as the wall.
    A firewall is a tool like any other; you do not build a house using only a hammer, how will you measure? It is the firewall's sole responsibility to control and monitor traffic that passes through it; if it was configured to allow a tunnel, then so be it.
     

    I'm going to assume from that statement you have no idea what a tunnel is. It's a way to transport data of one protocol wrapped in a completely different protocol, and not necessarily distinguishable from the normal operation of that protocol. You can tunnel pretty much anything through anything, like hiding an SSH connection inside perfectly legitimate DNS requests. Tunnels are another reason why firewalls are increasingly pointless - Web services are basically a big fat tunnel for arbitrary protocols through HTTP, intended (among other things) for circumventing firewalls. 

     @Lingerance said:

    In a high security environment each host should have its own firewall on top of the firewall on the perimeter and internal networks anyways. The trojan thing is anti-virus' problem, the tunnel is IDS' and the network admin's for not locking the station down enough.

    This is called patchwork security. Yes, it's pretty much state of the art and works well most of the time for most people if they have competent admins that make no mistakes, but it's still a sorry excuse for real security and tolerated only because real security is too damn inconvenient.

    Bruce Schneier agrees with me: http://archive.salon.com/tech/review/2000/08/31/schneier/index.html 



  • @brazzy said:

    My point is that network security is easier to get wrong and flaws in it are cheaper and less risky to exploit. 
     

    And my point is that you clearly have no understanding of anything you are talking about.

    Everyone else can see that. You are the only one who agrees with your drivel.

    Please. For the sake of all that is holy: DO NOT EVER TRY AND SECURE A NETWORK FOR ANYONE. Hire someone who actually knows what they are doing and understands what a firewall is.



  • @brazzy said:

    Bruce Schneier agrees with me: http://archive.salon.com/tech/review/2000/08/31/schneier/index.html 
     

    If Bruce heard you using his name to support your arguments he would probably kill you and himself.



  • @brazzy said:

    The very concept of port-oriented firewalls is flawed
    Which is why stateful packet inspection exists.
    @brazzy said:
    I'm going to assume from that statement you have no idea what a tunnel is. It's a way to transport data of one protocol wrapped in a completely different protocol, and not necessarily distinguishable from the normal operation of that protocol. You can tunnel pretty much anything through anything, like hiding an SSH connection inside perfectly legitimate DNS requests. Tunnels are another reason why firewalls are increasingly pointless - Web services are basically a big fat tunnel for arbitrary protocols through HTTP, intended (among other things) for circumventing firewalls.

    Yes, an interesting fact that I already knew; however, you appear to have not listened to what I said about the right tool. Yes, a firewall does not normally hinder tunnels; however, I believe I dealt with that when I said:
    @Lingerance said:
    In a high security environment each host should have its own firewall on top of the firewall on the perimeter and internal networks anyways. The trojan thing is anti-virus' problem, the tunnel is IDS' and the network admin's for not locking the station down enough.

    @brazzy said:
    This is called patchwork security. Yes, it's pretty much state of the art and works well most of the time for most people if they have competent admins that make no mistakes, but it's still a sorry excuse for real security and tolerated only because real security is too damn inconvenient.

    Wait, so a network consisting of (I stated these all in my previous post):

    A: locked down systems

    B: Every host has its own firewall

    C: Dedicated firewalls on the edge of the subnets

    D: An IDS system in place

    Is patchwork security?



  • @Lingerance said:

    network consisting of
     

    Nope. That is the funny part. The original argument (that Brazzy riled everyone into straying from) was that two computers that are 'networked' are no less secure than a sneakernet.

    That point stands, Brazzy fails, and everyone who has continued to derail the topic needs to learn reading comprehension, and not reply/flame the very last post with their interpretation.

     

    Brazzy: NOWHERE did anyone in the original argument imply any connection to the outside world or anything else. Two computers joined together in a network are no less secure than a sneakernet.



  • @MasterPlanSoftware said:

    @Lingerance said:

    network consisting of
     

    Nope. That is the funny part. The original argument (that Brazzy riled everyone into straying from) was that two computers that are 'networked' are no less secure than a sneakernet.

    That point stands, Brazzy fails, and everyone who has continued to derail the topic needs to learn reading comprehension, and not reply/flame the very last post with their interpretation.

     

    Brazzy: NOWHERE did anyone in the original argument imply any connection to the outside world or anything else. Two computers joined together in a network are no less secure than a sneakernet.

     

     
    Have to second this.  Any data that could 'creep' from one system to another via a network that shouldn't be there, could also be transferred by sneakernet - along with any amount of data from external sources.  It's much easier to get data in/out via physical medium than it is to get it out from between a couple of networked computers with no network access to the outside world.



  • @brazzy said:

    This is called patchwork security. Yes, it's pretty much state of the art and works well most of the time for most people if they have competent admins that make no mistakes, but it's still a sorry excuse for real security and tolerated only because real security is too damn inconvenient.

    Look, chief, the only way to guarantee perfect security is to not exist. Unfortunately, most people do find that a touch inconvenient. So we make compromises. You can lock a computer a hundred different ways, but what Bruce actually points out is that somebody is always going to find way #101. That's what you need to prepare for. Don't think just turning off the network is good enough, though.



  • @MasterPlanSoftware said:

    (desperate ad hominem attacks)

     

    You keep proving your complete ignorance and inability to argue quite effectively.

    @Lingerance said:

    Wait, so a network consisting of (I stated these all in my previous post):
    A: locked down systems
    B: Every host has its own firewall
    C: Dedicated firewalls on the edge of the subnets
    D: An IDS system in place
    Is patchwork security?

    Yes. The lack of dependable overall security measures is patched up with a slew of disparate tools intended to cover each other's weaknesses. BTW, real state of the art would be an additional IPS (Intrusion Prevention System), which is like an IDS except it's less sensitive but automatically blocks the attacks it recognizes, because IDSs cause too many false positives. Yes, these are recommended as separate systems for banks. If that's not patchwork, I don't know what is. As for tunnels, an IDS can really only detect them if it's a known technique which causes unusual behaviour in the protocol being tunneled through, such as abnormally intensive DNS traffic when tunneling large data transfers through it.

    @MasterPlanSoftware said:

    Brazzy: NOWHERE did anyone in the original argument imply any connection to the outside world or anything else.

     Which one is the "original argument"? I was replying to a movie scenario posted by bstorer which implied he thought the lack of a network was stupid, without specifying what kind of network. In his first reply to my posting, he then said "Really? Do firewalls mean nothing to you?" which to me clearly implies connections to the outside world.  

    @BeenThere said:

    Have to second this.  Any data that could 'creep' from one system to another via a network that shouldn't be there, could also be transferred by sneakernet - along with any amount of data from external sources.  Its much easier to get data in/out via physical medium than it is to get out of between a couple networked computers with no network access to the outside world.

    And my original posting only said "for a high security environment, it can make sense to disallow networks". I thought it would be obvious that this would not be the only security measure and complemented by stuff like not allowing removable media and, most importantly, thoroughly controlling who is allowed on site.

    For the record: Given the three security policies

    1. No network at all
    2. Internal network, physically separated
    3. Traffic between internal and external networks policed by firewall, IDS, etc.

    I don't personally believe that 1. is useful compared to 2. (at most marginally more secure, much less convenient), but I can see military types adopting 1. for simplicity's sake. I do personally believe that 2 is considerably more secure than 3 if accompanied by tight physical security.
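Two of the posts above describe the same mechanism from opposite sides: brazzy's "SSH inside perfectly legitimate DNS requests" and the later remark that an IDS can only catch such a tunnel through the abnormal traffic shape it causes. The following is an added example, not code from this thread or from any of the posters, showing both halves in Python: a minimal DNS exfiltration encoder/decoder (payload chunked into base32 labels under an attacker-controlled zone, here the assumed name t.example.net), and a detector run over a constructed query log that flags a client only when it is both chatty towards one zone and sending random-looking subdomains. The entropy signal goes beyond the volume-only heuristic the post mentions; the sample log is constructed, not captured traffic.

```python
import base64
import math
import random
from collections import defaultdict

# Assumption (not from the thread): a zone the attacker controls, so every query for a
# name under it is eventually forwarded to the attacker's authoritative server.
TUNNEL_DOMAIN = "t.example.net"


def encode_payload(data: bytes, domain: str = TUNNEL_DOMAIN, chunk: int = 30) -> list:
    """Smuggle `data` out as DNS query names, one base32 label per 30-byte chunk.

    30 bytes become 48 base32 characters, under the 63-byte label limit of RFC 1035.
    A sequence-number label lets the receiver reorder chunks that arrive out of order.
    """
    names = []
    for seq, i in enumerate(range(0, len(data), chunk)):
        piece = base64.b32encode(data[i:i + chunk]).decode().rstrip("=").lower()
        names.append(f"{seq}.{piece}.{domain}")
    return names


def decode_queries(names, domain: str = TUNNEL_DOMAIN) -> bytes:
    """Inverse of encode_payload, as the attacker's authoritative server would run it."""
    suffix = "." + domain
    chunks = {}
    for name in names:
        if not name.lower().endswith(suffix):
            continue  # not ours; resolvers forward unrelated names too
        seq, piece = name.lower()[:-len(suffix)].split(".")
        padded = piece.upper() + "=" * (-len(piece) % 8)  # restore stripped base32 padding
        chunks[int(seq)] = base64.b32decode(padded)
    return b"".join(chunks[i] for i in sorted(chunks))


def shannon_entropy(s: str) -> float:
    """Bits per character: random-looking labels score high, dictionary words score low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def detect_tunnels(log, min_queries: int = 20, min_entropy: float = 3.5) -> dict:
    """Flag (client, zone) pairs that are both chatty and sending random-looking subdomains.

    `log` is an iterable of (client_ip, query_name). The zone is approximated as the last
    two labels, which is wrong for names like example.co.uk; a real detector would use the
    public suffix list. Volume alone is not enough (a busy web client is chatty too) and
    entropy alone is not enough (CDN hostnames carry content hashes); the tunnel does both.
    """
    stats = defaultdict(lambda: {"queries": 0, "entropy_sum": 0.0})
    for client, qname in log:
        labels = qname.lower().rstrip(".").split(".")
        zone = ".".join(labels[-2:])
        subdomain = ".".join(labels[:-2])
        s = stats[(client, zone)]
        s["queries"] += 1
        s["entropy_sum"] += shannon_entropy(subdomain)
    flagged = {}
    for key, s in stats.items():
        avg_entropy = s["entropy_sum"] / s["queries"]
        if s["queries"] >= min_queries and avg_entropy >= min_entropy:
            flagged[key] = {"queries": s["queries"], "avg_entropy": round(avg_entropy, 2)}
    return flagged


# Constructed sample log (not captured traffic): three clients behind one resolver.
_rng = random.Random(1)
EXFIL = bytes(_rng.getrandbits(8) for _ in range(600))  # 600 bytes -> exactly 20 queries
SAMPLE_LOG = (
    [("10.0.0.5", "www.example.com")] * 50      # chatty but boring: volume only
    + [("10.0.0.5", "mail.example.com")] * 10
    + [("10.0.0.7", f"d{_rng.getrandbits(64):016x}.cdn-example.com")
       for _ in range(5)]                       # random-looking but only a few queries
    + [("10.0.0.9", name) for name in encode_payload(EXFIL)]  # both: the tunnel
)

if __name__ == "__main__":
    for (client, zone), info in detect_tunnels(SAMPLE_LOG).items():
        print(f"tunnel suspect: {client} -> {zone} {info}")
```

Thresholds of 20 queries and 3.5 bits are illustrative; tune them against your own resolver logs, and remember that a patient attacker can stay under any volume threshold by sending slowly.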

     



  • @bstorer said:

    Look, chief, the only way to guarantee perfect security is to not exist. Unfortunately, most people do find that a touch inconvenient. So we make compromises. You can lock a computer a hundred different ways, but what Bruce actually points out is that somebody is always going to find way #101. That's what you need to prepare for. Don't think just turning off the network is good enough, though.

     

    I agree completely. My only point is that in computer networks, there are more additional ways which are harder to prepare for than in physical security.



  • @brazzy said:

    I agree completely. My only point is that in computer networks, there are more additional ways which are harder to prepare for than in physical security.

    I disagree; physical security is just as hard. The point of both network and physical security is to make it too hard to bother breaking in, because you can never make it impossible.



  • @brazzy said:

    @MasterPlanSoftware said:

    (desperate ad hominem attacks)

     

    You keep proving your complete ignorance and inability to argue quite effectively.

     

    Or maybe, everyone here has read your replies and thought "holy shit, he is fucking stupid" and decided to not put a whole lot of effort into arguing with a troll.

    You are quickly becoming our new running joke on the IRC channel. So... thanks for the material.



  • @MasterPlanSoftware said:

    Or maybe, everyone here has read your replies and thought "holy shit, he is fucking stupid" and decided to not put a whole lot of effort into arguing with a troll.

    You are quickly becoming our new running joke on the IRC channel. So... thanks for the material.

    Yeah, whatever. Enjoy your ignorance, little man. 



  • @brazzy said:

    Enjoy your ignorance
     

    Alright, I will be the ignorant one, And you keep up the good work of not understanding security, networking, or damn near anything else.

    Seems people like you forget everyone can see what you are writing, and we all know you are full of shit.



  • @brazzy said:

    Yeah, whatever. Enjoy your ignorance, little man.

    You know, with your endless knowledge of network insecurity, you should really invest your energy into convincing the government to shut down all of their internal networks and shuttle data using thumb drives or DVDs. I'm sure they won't mind pushing terabytes of data around that way. After all, the inconvenience is nothing compared to the extreme risk of an internal hacker stealing top secret data.



  • @AbbydonKrafts said:

    I'm sure they won't mind pushing terabytes of data around that way. After all, the inconvenience is nothing compared to the extreme risk of an internal hacker stealing top secret data.

    And nobody ever loses a disc or thumb drive. And because physical security is oh-so easy, it's impossible to walk out with one.



  • @bstorer said:

    And nobody ever loses a disc or thumb drive. And because physical security is oh-so easy, it's impossible to walk out with one.
     

    @brazzy said:

    But it works at my mom's house!



  • @brazzy said:

    Yeah, whatever. Enjoy your ignorance, little man. 
    OMG brazzy got sk00led!

    (assuming he was talking to himself as he's clearly the ignorant one).



  • @belgariontheking said:

    @brazzy said:

    Yeah, whatever. Enjoy your ignorance, little man. 
    OMG brazzy got sk00led!

    (assuming he was talking to himself as he's clearly the ignorant one).

     

    And what an ego on him too, Amazing: @brazzy said:

    little man. 

    He believes he is right, kind of reminds me of a young Doug Pederson. *sniffle* 

    I think I miss that bearded freak. Was certainly a lot more entertaining than this troll.



  • @bstorer said:

    And because physical security is oh-so easy, it's impossible to walk out with one.

    Absolutely. It's really easy to mandate that all employees undergo a strip+cavity search upon entering and exiting. Those pesky network packets, though, can slip right through.



  • @AbbydonKrafts said:

    @bstorer said:
    And because physical security is oh-so easy, it's impossible to walk out with one.

    Absolutely. It's really easy to mandate that all employees undergo a strip+cavity search upon entering and exiting. Those pesky network packets, though, can slip right through.

    Not good enough. Full-body X-rays for every employee each time they enter and exit the building, with daily surprise X-ray scans.



  • @bstorer said:

    And nobody ever loses a disc or thumb drive. And because physical security is oh-so easy, it's impossible to walk out with one.
    Did anyone else feel like pesto was channelling Dr. Cox from Scrubs when he made that post?



  •  Last one to post wins the argument.



  • @DOA said:

     Last one to post wins the argument.

    The natural enemy of the "first post" race:  The "last post" race.


  • @belgariontheking said:

    @DOA said:

     Last one to post wins the argument.

    The natural enemy of the "first post" race:  The "last post" race.
     

    I win!



  • @AbbydonKrafts said:

    Absolutely. It's really easy to mandate that all employees undergo a strip+cavity search upon entering and exiting. Those pesky network packets, though, can slip right through.

    Once I flew from Mexico City to Chicago with a condom full of network packets in my stomach.  I made it through security just fine but made the mistake of eating White Castle after I landed.  The explosive diarrhea ruptured the condom and I was shitting network packets for the next three weeks. 



  • @morbiuswilters said:

    @AbbydonKrafts said:

    Absolutely. It's really easy to mandate that all employees undergo a strip+cavity search upon entering and exiting. Those pesky network packets, though, can slip right through.

    Once I flew from Mexico City to Chicago with a condom full of network packets in my stomach.  I made it through security just fine but made the mistake of eating White Castle after I landed.  The explosive diarrhea ruptured the condom and I was shitting network packets for the next three weeks. 

     

    String.Replace("network patches", "The Cure sperm");



  • @MasterPlanSoftware said:

    String.Replace("network patches", "The Cure sperm");

    Well, since I said "network packets" and not "network patches" I suppose I'm safe.  You'd think that after obtaining the highest post count on the forums you would have this trolling thing down.  Maybe after the next 3000 useless posts!

     

    lern2troll 



  • @morbiuswilters said:

    lern2troll 
     

    Too bad you aren't an admin here so you can't just censor everyone like you do on IRC...



  • @MasterPlanSoftware said:

    String.Replace("network patches", "The Cure sperm");
    No matches found.



  • @morbiuswilters said:

    I made the mistake of eating White Castle.

    I did that once. I got a really good look of the hotel room bathroom afterwards.

    @morbiuswilters said:

    I was shitting network packets for the next three weeks.

    That concept is hilarious.



  • @bstorer said:

    @MasterPlanSoftware said:
    String.Replace("network patches", "The Cure sperm");
    *No matches found.*
     

    I get paid by the hour, now I can submit my patch:

    String.Replace("network packets", "Robert Smith's sperm");

    Ahhhh sweet monies.



  • @MasterPlanSoftware said:

    @brazzy said:

    I don't know the movie, but for a high security environment, it can make sense to disallow networks.
     

     Yes, because instead of allowing people to transfer files over a network, where I can do all sorts of snazzy encryption and monitoring, I would much rather they put it on a physical medium they can walk out of the building with.

     

      Possibly. But the threat of hacking by remote access is significantly reduced and can be (completely)  negated by jamming the wireless frequencies used by COTS communication gear (CDMA, GSM, WiFi, Bluetooth) and (computer) monitors.

     

      You also have no server room or distributed network closets to secure - on that front you may still have to worry about traditional wired phones and wiretapping (against which there are very mature hardware encryption and scrambling approaches and/or tamper"proof" cabling) but again the threat is basically reduced such that physical security can be very efficiently employed to secure at the facility level.

      You still need to secure against eavesdropping and remote image surveillance, but this again is physical stuff: erecting and securing the perimeter, commo wiring inside sealed non-magnetic ducts, covered walkways, parking lots and outside facilities, secure windows, mitigation of remote IR surveillance, CCTV, access control. Well-known and mature methodologies and technologies, most of them pretty low-tech.

       After you have done all this to secure your facility, now you need to secure the personnel/staff who are (to be) working there. That is the hardest, as you cannot see inside people's heads (yet - I should say - MRI and computer-evaluated EEG may change that in the mid- to long-term time frame). Again, securing against spies/traitors who need to physically carry something outside the secured facility is well-known methodology.

      Granted, transferring ever larger amounts of electronic data on ever smaller storage devices clandestinely has never been easier. But there are equally high-tech approaches to counter that (Tera-Hertz imaging) and/or low-tech approaches (everybody going out has to pass through an ultra-sensitive metal detector, gets cleared of any metal and then has to pass a strong magnetic field which will corrupt all magnetic storage media which may be concealed on a person). No laptops get taken in or out. You need to take data in: go to a special data reception facility, IT copies the data to a storage medium, vets it against software intrusion agents, archives it and then has it couriered inside the facility to the intended destination. Laptops stay there until being picked up on the way out. Cellphones, flash memory, cameras, photographic film - all get treated in the same way. Outgoing electronic data the other way around, and only with sufficient authorization. The only ways that data can get out are then: (micro)film (dots), paper documents and what is inside people's heads. The first is (impossibly) cumbersome to produce clandestinely inside the facility, the second is easy to secure against and the third - see above.

    This will all result in a security bureaucracy monster which has to have security as its core values, goals and mission. But it can be done, At Great Cost, with (sometimes severe) efficiency penalties. It is not impossible - just very hard to achieve and maintain. Happy people will not work there.



  • @cklam said:

    ...3000-word spell of resurrection...

    Other than mentioning some problems which only characters in a science fiction novel need to worry about, you have added nothing to this debate.  Networks are not impossible to secure to the same degree as physical access and the poster who made the claim is still an idiot.

     

    Also: Firewalls still don't work because you can tunnel through them... unlike, say, The Soil.

     

    The Soil is keeper of all knowledge and none shall pass through its loamy grasp....



  • @brazzy said:

    <Banter about firewalls being weak>

     

    Erm... Don't ACLs mean anything to you? At point A you simply deny the rest of the world access (a la dropping the packets, not allowing ANY response back to probes) and specifically allow the IP ranges of point B, then do the same with B, allowing A. Firewalls are NOT just your "Zonealarm" or "Norton Internet Security" - hell, if you're paranoid, you can set the firewalls to disallow the machines themselves that are communicating to talk with the rest of the world.

     @brazzy said:

    <physical security versus network security argument>

    As I like to say, if it's manmade, it has flaws. But that's beside the point. This is why you test your setup; you don't just throw systems out on the public internet with some firewall whose config was rushed/incompetently done and expect security. Security is a journey, not a destination.
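The ACL scheme in the post above (deny the rest of the world, allow only the peer site's ranges, drop rather than reject so probes see nothing, and optionally forbid the local machines from talking to anyone else) as a runnable model, added here and not code from the thread: a Python class that applies those rules in order with a minimal connection table, so the peer's reply packets get through without leaving a standing hole. It models the rule semantics only; on a real box this is an nftables or iptables ruleset using conntrack, which also checks TCP flags and sequence numbers rather than just the 4-tuple. The address ranges, ports and packets are assumptions (RFC 1918 and RFC 5737 space).

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False  # True for the first packet of a TCP connection


class SiteFilter:
    """Default-deny filter for one site, modelled on the ACL scheme in the post above.

    Assumed addresses (not from the original post): site A is 10.1.0.0/16, site B is
    10.2.0.0/16, and 203.0.113.0/24 / 198.51.100.0/24 stand in for 'the rest of the world'.
    """

    def __init__(self, local_nets, peer_nets, services):
        self.local = [ipaddress.ip_network(n) for n in local_nets]
        self.peer = [ipaddress.ip_network(n) for n in peer_nets]
        self.services = frozenset(services)  # ports local hosts publish to the peer site
        self.conntrack = set()               # accepted flows as (src, sport, dst, dport)

    @staticmethod
    def _in(addr, nets):
        a = ipaddress.ip_address(addr)
        return any(a in n for n in nets)

    def decide(self, p: Packet) -> str:
        flow = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        # 1. Established: a packet on a flow we already let through. This is what
        #    "stateful" buys you: B's replies get in with no permanent open port.
        if flow in self.conntrack or reverse in self.conntrack:
            return "ACCEPT"
        # 2. New inbound connection, only from the peer's ranges, only to published ports.
        if (p.syn and self._in(p.src, self.peer) and self._in(p.dst, self.local)
                and p.dport in self.services):
            self.conntrack.add(flow)
            return "ACCEPT"
        # 3. New outbound connection from a local host, only towards the peer site (the
        #    "paranoid" variant: local machines may not talk to the rest of the world).
        if p.syn and self._in(p.src, self.local) and self._in(p.dst, self.peer):
            self.conntrack.add(flow)
            return "ACCEPT"
        # 4. Everything else is dropped silently: no RST, no ICMP unreachable, so a probe
        #    from outside cannot tell a filtered port from an unplugged cable.
        return "DROP"


def site_a_filter() -> SiteFilter:
    """Filter for site A: the peer is site B, and A publishes SSH and HTTPS to B only."""
    return SiteFilter(local_nets=["10.1.0.0/16"], peer_nets=["10.2.0.0/16"],
                      services=[22, 443])


def run_scenario(fw: SiteFilter, packets) -> list:
    """Feed packets in arrival order (state carries across them) and return the verdicts."""
    return [fw.decide(p) for p in packets]


# Constructed packets in arrival order; reply packets have syn=False.
SCENARIO = [
    Packet("10.2.0.5", "10.1.0.10", 40000, 443, syn=True),      # B opens HTTPS to A: allowed
    Packet("10.1.0.10", "10.2.0.5", 443, 40000),                # A's reply: established
    Packet("203.0.113.7", "10.1.0.10", 40000, 443, syn=True),   # outsider, same port: dropped
    Packet("10.2.0.5", "10.1.0.10", 40001, 3389, syn=True),     # B to unpublished port: dropped
    Packet("10.1.0.10", "10.2.0.9", 443, 5555),                 # "reply" with no state: dropped
    Packet("10.1.0.10", "198.51.100.1", 50000, 443, syn=True),  # A host to the world: dropped
    Packet("10.1.0.10", "10.2.0.9", 50001, 22, syn=True),       # A host to B: allowed
    Packet("10.2.0.9", "10.1.0.10", 22, 50001),                 # B's reply: established
]

if __name__ == "__main__":
    for p, verdict in zip(SCENARIO, run_scenario(site_a_filter(), SCENARIO)):
        print(f"{verdict:6} {p.src}:{p.sport} -> {p.dst}:{p.dport}")
```

Note what the model does not do: it trusts source addresses, so on a real link the peer-range rules should only apply on the interface that actually faces site B (anti-spoofing), and the tunnels discussed earlier in the thread still ride through rule 2 or 3 as ordinary TCP on a published port.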

     



  • @vt_mruhlin said:

    @DOA said:

     In any case our VB-writing CSI is not a complete novice. She manages to narrow down the killer's location. How does she manage that, you ask? Well, the GUI must have got part of the IP and since IP addresses (like telephone numbers) are assigned geographically she finally discovers that "he is blogging somewhere in midtown."
     

    TRWTF is that you think IPs aren't assigned geographically.  How do you think those adultfriendfinder.com ads always show you girls in "your area".

    Oh you mean ads like classmates.com? They insist that I live in Distrito Federal, UNITED STATES. Yeah, right!!! I didn't know Mexico City was in the USA!!!

    Anyway, geolocation isn't that hot, it basically pinpoints up to the second-to-last hop, which could be anywhere. If you were to trust my geolocation, you might think I'm posting from the Vallejo industrial area ... which is roughly 30 kms. from where I really am. The kicker is that most of Mexico City's addys might give you the same geolocation. Go ahead find me, you've got 22 million people and something like a 50 kilometer radius (maybe more) from that area to search about!

    TRWTF anyway is that anyone would use VB for serious work.


  • @vt_mruhlin said:

    TRWTF is that you think IPs aren't assigned geographically. 
    You give the impression that you think that something useful can always be gained from the IP address. It can't, nor can you ever be certain whether or not the information you're getting is correct.

    For example Google (much to my annoyance) currently thinks I'm in Sweden (217.28.34.132) - I'm currently travelling at 100+mph up the east coast of England.

    But that's a WTF all of its own.



  • @PJH said:

    217.28.34.132
    GASP AND HORROR! You gave out your IP address on the Internets! Didn't you see those ads telling you that they're a security vulnerability?!?



  • @PJH said:

    For example Google (much to my annoyance) currently thinks I'm in Sweden (217.28.34.132) - I'm currently travelling at 100+mph up the east coast of England.

    But that's a WTF all of its own.

    Where's that quote about the one eyed gopher and the moo juice when you need it?



  • @morbiuswilters said:

    morbish fun
    I'm so glad I didn't read cklam's post.  It's always better to wait for the real posters to respond and just read that.


  • @Welbog said:

    Didn't you see those ads telling you that they're a security vulnerability?!?
    That's OK - it's only mine for another hour, assuming this train arrives on time....


  • @belgariontheking said:

    Where's that quote...
    Not an eighteen wheeler sadly.



  • @Welbog said:

    @PJH said:

    127.0.0.1
    GASP AND HORROR! You gave out your IP address on the Internets! Didn't you see those ads telling you that they're a security vulnerability?!?

    There ya go. Let's watch them try to hack that address. It's hackerproof!!



  • @PJH said:

    Not an eighteen wheeler sadly.

    It doesn't say what type of vehicle. I'm sure an eighteen-wheeler would make it more of a challenge, too.



  • @danixdefcon5 said:

    @Welbog said:
    @PJH said:
    127.0.0.1
    GASP AND HORROR! You gave out your IP address on the Internets! Didn't you see those ads telling you that they're a security vulnerability?!?
    There ya go. Let's watch them try to hack that address. It's hackerproof!!
     

    I started a DoS attack on that IP. Ha! That'll show him! 


  • @AbbydonKrafts said:

    It doesn't say what type of vehicle.
    Since I'd not seen a reference to it before, the first google result was an Urban Dictionary entry which did state the vehicle. I would assume that that entry dated 2006 predates (what I've subsequently discovered to be) the one in your signature.

    Not that I'd accuse the person quoted of being unoriginal.



  • @PJH said:

    @AbbydonKrafts said:

    It doesn't say what type of vehicle.
    Since I'd not seen a reference to it before, the first google result was an Urban Dictionary entry which did state the vehicle. I would assume that that entry dated 2006 predates (what I've subsequently discovered to be) the one in your signature.

    Not that I'd accuse the person quoted of being unoriginal.

     

    It is from a Bloodhound Gang song: 'A Lap Dance is So Much Better when the Stripper is Crying'.

    @TheSong said:

    "Day or so had passed when I popped the clutch, gave the tranny a spin and slid on into The Stinky Pinky Gulp N' Guzzle Big Rig Snooze-A-Stop.

    There I was browsin' through the latest issue of "Throb", when I saw Bambi starin' at me from the back of a milk carton. Well, my heart just dropped.

    So, I decided to do what any good Christian would. You can not imagine how difficult it is to hold a half gallon of moo juice and polish the one-eyed gopher when your doin' seventy-five in an eighteen-wheeler.

    I never thought missing children could be so sexy. Did I say that out loud?"



  • @belgariontheking said:

    @morbiuswilters said:

    morbish fun
    I'm so glad I didn't read cklam's post.  It's always better to wait for the real posters to respond and just read that.

    I am so not sad.

    And the short version is: With Network bad. No network low-tech PITA.



  • @cklam said:

    And the short version is: With Network bad. No network low-tech PITA.
    I'm so glad you laid it out in such simple, honest, direct, WTF language for us.



  • @cklam said:

    @belgariontheking said:

    @morbiuswilters said:

    morbish fun
    I'm so glad I didn't read cklam's post.  It's always better to wait for the real posters to respond and just read that.

    I am so not sad.

    And the short version is: With Network bad. No network low-tech PITA.

    Wow. Uninformative and slow to respond. You really can do it all, huh?



  • @cklam said:

    With Network bad. No network low-tech PITA.
    Plz sir, can u e-mail me the codez to this algorithm. i need to make my bot srmater and oviousy ur algorithm is the best

