Not very security board?

logic1 · 23-02-2001 12:13pm #1

Well guys with the recent UBB board password stealing script I thought this would be the very place people could be educated and learn more about common security. Instead theres not a word mentioned. I know it's very critical to this board as well as hundreds of others and details should not be discussed but at least people should be warned that this is prevalent and happening at the moment. Again this reminds me of the notion of security through obscurity. If this is the case then why the need for a security board?

.logic.

ecksor · 23-02-2001 5:09pm

Hi logic1.

When I learned of the problems with UBB, I mailed someone who could do something about it straight away (well, in theory I could do something about it, but I don't run boards.ie). I should probably have sent a heads up here also to warn users to be careful once a workaround had been implemented. Security through obscurity is not something I believe in and was not my intent.

As for learning more about common security, I don't see a problem with this. In fact, it would be a very good thing and should be one of the main uses of this board. I check this board on an almost daily basis, and as a moderator I will try to answer any questions that have not been previously answered if I feel I can give a good answer. If I can't, well I know a lot of very clued in guys who do check this board regularly also

logic1 · 23-02-2001 5:17pm

Thanks for the reply X_OR.
I was just unsure as to the position of this board in particular with regard to new holes with various systems.
It seems that because the boards are constantly so quiet that people refrain from discussing issues which may be "hot" at the time simply because of fear of educating script kiddies. Personally I think this board could be hugely useful in educating most if not all of us to current issues particularly people who may administer or have some critical role in systems and yet not have time to keep fully up to date on issues as they happen.

.logic.

ecksor · 23-02-2001 10:31pm

There's no problem with publicising and discussing security issues that are already in the public domain.

How many people would find it helpful if this were to happen? I'm on about 10 security lists, but I realise that not everyone has the luxury of spending that much time trawling through mails dealing with security every day.

Doing something like this on boards.ie has the weakness that we can't really post every little thing to the board, or else we'd just be a poor version of packetstorm or securityfocus etc, so we could not offer a complete service to someone who doesn't have other resources for alerting them to this kind of thing. An example would be a frontpage exploit. I might come across that and have no interest in it, as it doesn't affect any systems that I'm involved with, but it might be an issue for many people who would read here.

I think it could work reasonably well though. If people become aware of issues that concern them then there is a very good chance that they will concern other boards readers. If enough people make a habit of passing on relevant info then it would be useful. (example, I skip a frontpage exploit, but someone else reads it, sees that it's serious and posts it). Basically, people shouldn't be afraid to post (although, the boards' strength is the community and the regular posters, so I don't see a problem here

)

If nothing else, it should generate posts and discussion, which is always a good thing

Fidelis · 23-02-2001 10:51pm

Ah, so that's why the code was turned off.
Nice to know that the boys are 'on their toes' so to speak.

Nil Desperandum

Hobbes · 23-02-2001 11:28pm

Only exploit I found was a meta tag exploit in UBB and was found exactly one year ago from yesterday and fixed shortly afterwards.

But then I didn't really look hard.

ecksor · 24-02-2001 1:06am

http://www.securityfocus.com/templates/archive.pike?list=1&mid=164583

Hobbes · 24-02-2001 1:16am

ooh nasty.

ecksor · 26-02-2001 9:37pm

Depends on what you mean by "hacking" I guess. Not sure what the best advice is, but all I can say is read lots.

SantaHoe · 26-02-2001 10:08pm

Verb, check out:
http://www.networkmagazine.com/static/tutorial/index.html
There are some nice intro docs there [networking & security], I'm reading through them at the moment. (A few days worth of reading at least)

Gavin · 27-02-2001 1:06am

Whilst on the topic. I am doing a computer course and am interested in learning more of computer security. At the moment, the best way i see of learning this, is obviously to learn how to hack.

Is this the only way ? Is it the best way ?
Any opinions in general, I'd appreciate.

Gav

Gavin · 27-02-2001 10:56am

OK, yeah i should have been a bit more specific.

Security in relation to securing dedicated servers. Specificaly Linux/Unix machines running as webservers and/or running firewalls to secure internal networks. By 'hacking' I mean breaking into/disabling the server/firewall and gaining access to internal network traffic. Most of the information I have found is relating to this sort of attack.

Gav

ecksor · 27-02-2001 12:07pm

This is worth a read, Rain Forest Puppy rocks ... <insert rfp hero worship here>.

http://www.wiretrip.net/rfp/p/doc.asp?id=31&iface=7

Gavin · 27-02-2001 12:56pm

Thanks for that. quite interesting !

Gav

---

(screw u ken

Finglas Incubus · 27-02-2001 3:01pm

Verb, get yourself a copy of 'Hacking Exposed'; its a good reference for some of the more well known exploits and shows you how to undertake specific hacks, as well as secure your systems against them

http://www.amazon.com/exec/obidos/ASIN/0072127481/o/qid=983282231/sr=8-1/ref=aps_sr_b_1_1/104-6355912-4872705

satchmo · 27-02-2001 8:56pm

If you want some hands-on learning, www.pulltheplug.com have a network of a few different types of machines which you can log into and try to root to your hearts content without getting into trouble.

Not very security board?

Comments