SSH hank attempts bad?
mike at halcrow.us
Wed Apr 12 09:56:00 MDT 2006
On Wed, Apr 12, 2006 at 08:22:16AM -0600, Chris Carey wrote:
> Though, you could spend your whole life fighting this losing battle.
> My opinion is to set your security in place, and forget about it.
Some of the tactics suggested in this thread *are* setting security in
place. And you should *never* just forget about it, because more
likely than not, your adversaries are cleverer than you are. Good
attacks are rarely conventional; if history has taught us anything,
attackers will always ``cheat.'' Security is a hard problem -- in
fact, it reduces to the same problem as the correctness problem, which
any CS student knows is intractable.
When it comes to system security, what we have to rely on is basic
economics. If someone wants to ``get to'' your system, and if they
have the willpower and enough resources to do it, you're screwed.
So what you need to do is make it *more costly* for an attacker to get
to your resources than whatever benefits the attacker would obtain by
compromising your resources. For most run-of-the-mill systems on the
Internet, the ``low-hanging'' fruit principle applies, just as it
applies to the security tactics of home burglar alarm signs, walking
down the sidewalk with confidence, and so forth. Criminals also
understand the concept of opportunity cost.
The moral of the story is to employ as many (layered) security
mechanisms as you can while minimizing the inconvenience to the
legitimate users. There are no one-shot silver bullets (although SE
Linux comes close), and so you should be using a wide variety of
tactics -- the more unique the approach, the less likely they will be
compromised via a ``class break.''
Michael A. Halcrow
Security Software Engineer, IBM Linux Technology Center
GnuPG Fingerprint: 419C 5B1E 948A FA73 A54C 20F5 DB40 8531 6DCA 8769
Natural selection is a theory, just like gravity. If you don't
believe it, go jump off a bridge!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 481 bytes
Desc: Digital signature
Url : http://plug.org/pipermail/plug/attachments/20060412/e3436c91/attachment.bin
More information about the PLUG