
Thread: We're Hacked... But it's a secret....

  1. #11
    Senior Member
    Join Date
    Oct 2001
    Posts
    748
    Originally posted here by Tiger Shark
    mohaughn:

    And what percentage of the installed base this company has do you think will use it in the utopian manner you describe?

    They have to.. It WILL NOT work with dynamic data. So there is nothing utopian about what I posted.

    In order for a signature to be issued a publisher has to authorize the signature. So there is no way for a signature to be issued for automatically generated data such as that from PHP or database queries. You could digitally sign a form and then make sure the right form is used before populating it with data, but you can't check the data. The only way to do that would be to come up with an algorithm that would combine all of the data into some type of hash and then get a checksum on that hash. But this particular application doesn't do that. There are applications out there that do it, but doing that for PHP would be overkill.

    I think if you look into it you will find that major news outlets are already using this type of technology. Signing web pages and then having the web server authenticate the signature before serving the page is nothing new. I think the more common implementation of this type of technology is to have a running process that checks the signature of a page at a given interval. This way if a page is changed it will automatically be changed back within a minute or two.

    In many ways this is exactly what all the current DRM technologies are striving to do. Make sure the content that an end user sees is exactly how the publisher wanted it to be seen. It's another piece in the security armor. I'm amazed that people are bashing this when in other threads tell the virtues of security in layers.

  2. #12
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    mohaughn:

    My point is more that there will be a high percentage of admins/small ISP's that will see this as a way of paying no attention to security whatsoever. Picture this scenario:-

    Small mom & pop ISP with 200 small time customers that provide static content, (their family website, whoo-hoo). The ISP itself is really a side job for "pin-money" and they know little to nothing about security as witnessed by the fact that each time they get the web sites defaced they simply put back the original content, do an automatic update and hope for the best.... of course, they have real jobs too so they allow their users to update their own web pages through some FTP system, (that doesn't get updated by the automatic updates), to save their own time and effort. Now, before you fall over laughing at the scenario I can tell you I see this almost monthly and when I help out I find unfirewalled servers, improperly firewalled servers, unpatched OS's, original installs of FTP servers that are 3 years old, etc. etc. etc. So, here's Bloggs the ISP looking at this product... Lightbulb comes on.... Have the users sign the content and "away we go"... No more hacked servers... I can sit back and the money will roll in.....

    Believe me, that isn't far from the truth of an awful lot of little ISP's out there..... That's why this product sucks. The server is compromised and no-one knows or cares.... Security just became irrelevant to them - their users sites can't be defaced no matter how hard the uber leet skiddie tries.

    I can see what you were saying but the scenario you allude to isn't that relevant, IMO. The Bloggs ISP has no penalty for downtime so it's not a factor. The people you were talking about are much bigger and have more to lose. So they already take security more seriously. They also have the technical ability to allow their users to provide dynamic content, (which Bloggs ISP usually doesn't), and therefore would find this product to be of only limited use.

    With regard to the News Agencies you referred to.. Yes, you are probably right.... but then again we are back to the "big guy" with a lot to lose, (credibility at a minimum).

    My objection to this product is not for its potential _proper_ use.... It's the fact that its _actual_ use is much more likely to be an abuse of its ability and will be snapped up by the lame admins/ISP's to hide their own incompetence/laziness.....

    Gore: You are a gem..... Too funny.... Was that your school bus.....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  3. #13
    Senior Member gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    I meant it to be the bus these people who do this **** come off of but some people just don't seem to realise that. Heh, I haven't been negged in a long time and for all the reasons, a picture making fun of the **** ups who actually use these kinds of things. The example you gave, well, maybe it's only in Southeast Michigan? You and me can see this is a shitty idea, we live here, and see it a lot.

    I upload a pic making fun of that and I guess the person didn't understand it was meant to be a reply to this thread, not random posting just because I wanted to.

    Now when are you giving me root on that poor box of yours so I can fix it up?

  4. #14
    PHP/PostgreSQL guy
    Join Date
    Dec 2001
    Posts
    1,164
    Hmmm, I'm now actually wondering if I could write an apache module that inspects the content before displaying it to the end-user and if so, if I could make a db of md5 hash strings on all my static pages...while I'm at it, I'll rename all the binaries for postgresql to something else, compile a new pg_ctl so that the -v shows I'm running SQL 2000 or something on an MS-DOS 1.0 shell, hehe...trojan my own ps/ls/etc so that a haxx0r can't see my db, forget my login after I change it to something that sounds like vaguely pronounceable line-noise, send my syslogs to a remote location where I can watch the attempts...wow, what a lot of work!

    Just a what-if kinda thing, ya know?

    EDIT ADDITION:

    Believe me, that isn't far from the truth of an awful lot of little ISP's out there..... That's why this product sucks. The server is compromised and no-one knows or cares.... Security just became irrelevant to them - their users sites can't be defaced no matter how hard the uber leet skiddie tries.
    True, it did become irrelevant to those who know little or don't care and are using a single product (or a myriad of crappy ones) as their "shield". And nobody would know until the ISP shuts down the account because three boxes at an IP address got backdoored 5 months ago and bandwidth has been increasing with those anonymous ftp porn servers and spiked to 10gb overnight because said servers got advertised on www.warez.com as "Member spotlight of the day!"...or because the ISP got shut down because these servers, being on the phat OC-192s (and all that) were DDOSing the white house...hehe!

    gore: I laughed out loud at that picture...it's now my background!
    We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.

  5. #15
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Gore:

    I saw the humor perfectly well..... I have no idea why you got negged for it.... it was funny...

    As to giving you root on this box..... Yeah.... Right.... It's not that I don't trust you..... I just don't trust human beings..... If you were a German Shepherd as opposed to simply a German you might have a chance.... They are loyal, honest and faithful.... Humans aren't

    PS: I was born in Munich.....

    PPS: I'll try to fix another "wrong" that occurred in my threads today....

    [Edit]

    Sorry... Tried to fix.... No go... It's the thought that counts...

    [/Edit]

  6. #16
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    I think this product has some minimal amount of potential value, but only as one piece of a comprehensive Risk Management policy. They are hyping this because they know it will sell licensing to clueless managers without addressing the REAL issue, of effectively managing their risk on all levels.

    I think it's a good idea to be able to verify (and correct) outbound content. But that should only be an automated footnote in an incident response to the penetration and subsequent rapage of webserver(s), so the SOC or security manager can deal with the intrusion and defacement, but the PR officer can sleep easier knowing that their prized URL won't be serving up kangaroo porn or anything else.

    I think the general negative attitude from members comes from reading the obvious hype and buzz words in the advert. and recognizing the hand of a moron^H^H^H^H^Hmarketing agent editing the product description. I know I feel it too. Fool me once, shame on you. Fool me twice...
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  7. #17
    Sitegrity intercepts all content traveling to and from the Web server, verifying its authenticity with digital signatures. Only approved content is allowed out.
    I really don't see what the big deal is... when something goes wrong, you can put up a "Technical Difficulty" page instead of serving a defacement full of content you don't want to be responsible for... it limits damages. If unsigned content tries to get out, I bet you get notified... That's a pretty good way to be informed of a defacement, instead of angry customers. Scob worm anyone?

    How It Works: Authorized publishers of a Web site's content create digital signatures for all new or revised Web objects--such as HTML pages, GIF files, or JPEG files--and store these on Sitegrity.
    So obviously this idea is still in its infancy... anything out there that will work w/ a database and scripts?

    If you ask me, it's not meant to hide the fact that you are attacked, it is to prevent content from reaching the public that you don't want to be responsible for. i.e. a defacement with a Scob script, among any of the IE exploits or w/e... all prevented with a product like this.
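The mechanism the posts above describe, as an added example that is not code from the original thread, from the Sitegrity product, or from any of the posters: a publisher signs a manifest of hashes for every approved object; a serve-time gate recomputes each object's hash, and anything unsigned or altered gets a "Technical Difficulty" holding page plus an alert entry; an interval sweep puts altered objects back from a trusted copy and removes anything that was never signed. It assumes SHA-256 for the object digests, an HMAC-SHA256 key standing in for the publisher's private signing key, and plain dicts standing in for the web root and the trusted copy; the function names and the sample pages are made up for the example.

```python
import hashlib
import hmac
import json

# Served in place of anything that fails verification (constructed sample).
HOLDING_PAGE = b"<html><body>Technical difficulty, please try again later.</body></html>"


def digest(data):
    """SHA-256 hex digest of one web object (assumed algorithm)."""
    return hashlib.sha256(data).hexdigest()


def _manifest_bytes(hashes):
    # Canonical encoding so publisher and gate sign/verify identical bytes.
    return json.dumps(hashes, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(objects, publisher_key):
    """Publisher side: hash every approved object, then sign the whole manifest.
    HMAC-SHA256 stands in for the publisher's private-key signature."""
    hashes = {path: digest(data) for path, data in objects.items()}
    sig = hmac.new(publisher_key, _manifest_bytes(hashes), hashlib.sha256).hexdigest()
    return {"hashes": hashes, "sig": sig}


def manifest_is_valid(manifest, publisher_key):
    """Verify the manifest signature before trusting any hash in it."""
    expected = hmac.new(publisher_key, _manifest_bytes(manifest["hashes"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["sig"])


def serve(path, webroot, manifest, publisher_key, alerts):
    """Serve-time gate: only content whose hash is in the signed manifest goes out.
    Everything else gets the holding page and an alert entry."""
    if not manifest_is_valid(manifest, publisher_key):
        alerts.append("manifest signature invalid; refusing to serve signed content")
        return HOLDING_PAGE
    expected = manifest["hashes"].get(path)
    data = webroot.get(path)
    if expected is None or data is None:
        # Covers files an attacker drops in, and per-request generated pages
        # (a PHP page rendered from a database can never match a hash signed in advance).
        alerts.append(path + ": not in signed manifest")
        return HOLDING_PAGE
    if not hmac.compare_digest(digest(data), expected):
        alerts.append(path + ": content does not match signed hash")
        return HOLDING_PAGE
    return data


def sweep_and_restore(webroot, trusted_copy, manifest, publisher_key, alerts):
    """Interval checker: put altered or missing objects back from the trusted copy
    and remove anything in the web root that was never signed. Returns changed paths."""
    changed = []
    if not manifest_is_valid(manifest, publisher_key):
        alerts.append("manifest signature invalid; refusing to restore")
        return changed
    for path, expected in manifest["hashes"].items():
        current = webroot.get(path)
        if current is not None and digest(current) == expected:
            continue
        good = trusted_copy.get(path)
        if good is None or digest(good) != expected:
            alerts.append(path + ": trusted copy also fails verification")
            continue
        webroot[path] = good
        changed.append(path)
    for path in list(webroot):
        if path not in manifest["hashes"]:
            del webroot[path]
            changed.append(path)
    return changed


def demo():
    """Constructed scenario: one page defaced, one unsigned file dropped in."""
    key = b"publisher-signing-key"  # assumed; a real deployment would use an asymmetric key
    trusted = {"/index.html": b"<h1>Welcome</h1>", "/logo.gif": b"GIF89a..."}
    manifest = sign_manifest(trusted, key)
    webroot = dict(trusted)
    alerts = []
    webroot["/index.html"] = b"<h1>0wned</h1>"
    webroot["/haxor.html"] = b"<script>evil</script>"
    result = {
        "defaced": serve("/index.html", webroot, manifest, key, alerts),
        "dropped": serve("/haxor.html", webroot, manifest, key, alerts),
        "ok": serve("/logo.gif", webroot, manifest, key, alerts),
    }
    result["changed"] = sorted(sweep_and_restore(webroot, trusted, manifest, key, alerts))
    result["after"] = serve("/index.html", webroot, manifest, key, alerts)
    result["webroot"] = webroot
    result["alerts"] = alerts
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Two caveats a practitioner would want noted. First, the HMAC key here is a stand-in: because it is symmetric, whoever holds it can re-sign, so on a real deployment the web server must hold only the publisher's public verification key and the private key must stay off the box, or a compromised server simply signs the defacement. Second, as the thread says, the gate only works for objects whose bytes are known in advance; a page generated per request falls into the "not in signed manifest" branch, which is the dynamic-content limitation the posters are arguing about.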

  8. #18
    Senior Member
    Join Date
    Oct 2001
    Posts
    748
    Soda- This has been around for years. Maybe not this particular piece of software, but the general idea.. It works for dynamic data, but there are some interesting issues. Mainly, when are the digital signatures generated and how do you confirm that the data is valid before creating a new signature. You have to take into consideration how valid changes are made and changes have to somehow be validated as being good changes as opposed to changes by an attacker.

    It gets pretty complicated pretty quickly. You have to start keeping multiple databases to be able to make comparisons of data, and if the data has been changed you need a trusted database that you can use in order to confirm how the change was made. Using encrypted connections between a database, a transaction server, and the destination web server is far more effective and efficient. The more dynamic the data is, the harder it becomes to validate it.

    It's definitely overkill for a PHP bulletin board. Mainly because if your information is that important, you would use something more secure than PHP. There is also no real way to make sure what is submitted is actually valid.. You would have to treat each poster as a trusted poster, but what kind of security policy is that.

    As for the problems with their marketing.. I tend not to judge the quality of a product based on the marketing that goes along with it. I didn't even look at the ads for this product, I just read the technical literature. If marketing hype was true hardware and software firewalls would have solved everybody's security woes. And who is going to argue that firewalls are not an effective piece in a comprehensive security strategy?

  9. #19
    Senior Member
    Join Date
    Apr 2004
    Posts
    228
    I agree with those that say that this product could be dangerous as a tool for lazy or unprofessional webadmins. But there is not much we can do about it except maybe actually help the poor buggers. Unfortunately helping usually takes more time than arguing, or does it? If people feel so strongly about this product, they can do one simple thing.

    Write a well-argued article about the pros and cons of the product. Make sure it takes the hype out of the product and send it to the magazines. Hopefully it will get published.

    One: You will help others. This is good.
    Two: You might even get paid. That's even better

    I'm sure it won't take any of the people more time than they usually spend around here.
    Don't post if you've got nothing constructive to say. Flooding is annoying

  10. #20
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Unfortunately helping usually takes more time than arguing, or does it?
    Not usually.... There are two kinds of people seeking help.... Those that are really seeking help and those that are asking for the answer they want to hear. Those who want help ask good questions, get good answers and act upon them. Those that are asking for the answers they want to hear usually ask "wishy-washy" questions and then degenerate the resulting answers into an argument.

    Then there's those who just want an argument..... Nothing to do about them really... It's the internet.

    Write a well-argued article about the pros and cons of the product. Make sure it takes the hype out of the product and send it to the magazines. Hopefully it will get published.
    There's a couple of problems with this statement.

    1. It's really difficult to "document" human nature, (lazy admins), without it becoming an opinion piece that has its inherent difficulties when it comes to the saleability of the finished product.

    2. Writing a piece for a magazine today means that, if you are _really_ lucky it will be published in 3 months time, the norm is closer to 6 months... (Yep, I have had a few articles published to magazines of various disciplines and the time from submission to publication is usually in the 3-6 month period). Most magazines are pretty much finalized 2-3 months prior to their dated issue. By this time the company in question will have sold their product to the lame and the lazy and won't care about further sales because they know they already reached most of their intended audience and have collected most of the money they ever will through it.

    Two: You might even get paid. That's even better
    Lastly, unless you are a "valued contributor", (you contribute something of value every issue), your standard recompense will be in the region of $150-200.... Considering the amount of time required to properly research, document and write such an article, (that probably won't be published because it is either not of interest or no longer of use, (remember the 3-6 month issue)), I have better things to do with my time for a gamble of being published for such a pittance..... You may not consider it a pittance... that's ok.... but you need to understand that submitting articles to magazines can be a fruitless and frustrating exercise unless you are already known within the industry the magazine serves.....

    That's experience talking.....
