
Re: whitehat



hi ya alex

- lots of options .. too too too many ...
  but bottom line ... you have to do the work .. not the 
  outside white-hat you're looking for

On Wed, 2 Nov 2005, alex black wrote:

> Not much, frankly. The idea here is to have someone that is not 
> malicious, but is skilled, to attempt to crack the box. If they can, 
> I'd like to know how. The box is not running a full production 
> application at the moment, there is zero valuable data on it. Also, see 
> below...

"skilled" [cr|h]ackers will probably be working at corps that
have job descriptions that prevent them from free-lancing
for liability reasons if they like their current job status

> You are free to contact both me (by phone or email), and my provider, 
> Aktiom Networks: info@aktiom.net and ask them about me. I have provided 
> a complete sig with an address, phone number, business name, etc. Do a 
> search for my name and 'binarycloud', I appear a lot. Uhm, come to my 
> office and meet me if you're in the bay area, CA :)

all that is good and dandy, however, it won't hold up in court
unless it's in writing etc, etc, etc

where in the bay area .. it'd be at least fun to ramble and rumble :-)
 
> Security by obscurity has never proven very useful, and if I was a 
> wannabe-skriptkiddie

you'd be very surprised how useful it is to stop script kiddies
for the simplest "5 seconds" of work ... to tweak a few trinkets
here and there to stop them ... assuming that they even manage
to get in in the first place, which would in turn amplify you
have a major problem anyway

- limit the damage of what they can do once they are inside
  and ALWAYS assume that a malicious [cr|h]acker is already inside
  but you haven't found them yet, as it will in fact also take
  time to do so, at which point it is too late that you found them

> one would think I wouldn't post here claiming to 
> be who I am, provide a phone number, and... there are a lot better 
> places for me to look if I was interested in that.

- ahh .. you haven't been burnt before  :-) ...

> I will ask them to sign a contractor agreement with my company, which 
> requires a fax. I will ask for references, which are hard to construct 
> from nothing. I will offer payment, which requires details of an 
> address, phone number, and social security number. It's really not that 
> hard.

see the above, about "things that should hold up in court"
and all else is not worth a penny ...  the "pink hats" will be
looking for "get out of jail" cards or total avoidance of it
as their first and foremost issues

	- breaking in to them might be easy whereas, getting
	good docs, specifications and expectations is not as
	easily defined ..
 
> Yes. Also the idea is not to offer the machine as a honeypot. I want an 
> individual or preferably an individual associated with an organization 
> to attempt to crack a box with my permission under the terms of a 
> contract. So the idea is not to crack a box and then see if they can 
> launch a DDos with it - just to see if they can get in.

just because xxx at white-hat-inc cannot get in, but another 
more experienced "pink hat" (yyy) at the same white-hat-inc probably can

more even white-hat-inc competitors 

- there are lots of these professional "pink-hat-inc" that provide
  varying degree of "security tests"
	- security assessment
	- risk analysis
	- loss analysis
	- probability analysis
	- security prevention/hardening
	- security process and procedure
	- network topology for security purposes
	- pen-test ..
	- security audits
	- on-n-on ...

- in order to "crack the box" ..
	- it may take 10 minutes ... it may take 10hrs ... it may take 10
	days or 10 weeks

	- if someone wanted to get in, i assume, with 99% certainty
	that they will get in 

	- the question is what do they get for spending their
	time, energy, efforts and resources and what do i/we have that
	they want it so badly

> The whole point of the test will be for me to monitor what's happening 

that you should already be seeing all the attacks you are already
getting just by the generic background white-noise-attacks
	- and it's free ... and doesn't take any time/energy/effort
	other than to watch and see what they did and how they're
	trying to get in

c ya
alvin



