I'd prefer not to share the details of my firewall with those I meet on the interweb. It would seem similar to flaunting your earnings statements in front of the IRS... just not a good idea.
If your security system is affected even by complete disclosure... it isn't very good.
cheers,
catch
I never said it was affected. I simply said I don't believe it's a good idea. =p
Bah... make something up then. ;)
"I run a hacked up Zone Alarm via WABI on my NetBSD powered microwave oven."
cheers,
catch
I use ipsec as a port filter. =)
The rules were to compromise the web server. That's what they did, fair and square.
Quote:
To be fair LSD did not win by the rules they had specified
Great! So even an unskilled lazy attacker can compromise a machine protected by PitBull, sounds like an amazing product, how much does that cost?
Quote:
Also to be fair, it isn't like LSD did some super amazing hacking or anything like that. The vulnerability had been known for some time. Sun failed to patch it, and Argus failed to consider it.
The exploit was known in the underground but was not posted on any bugtracking nor was a patch available.
-Maestr0
Wait, so "LSD" got nothing out of it?!
Maestr0... now you're just being ignorant and argumentative.
The rules of the contest were not to just compromise the webserver, otherwise the system would have been open to physical attack. The rules were actually quite clear. The Pitbull system needed to be compromised, it was not. (They still should have paid out... and they did, just not the full amount, which was legal, because technically he didn't win)
Seriously... go read the details of the system. They used a beta product configured in a totally unrealistic manner. (effectively giving everyone root access)
Quote:
Great! So even an unskilled lazy attacker can compromise a machine protected by PitBull, sounds like an amazing product, how much does that cost?
It is really silly of you to judge the product based on that contest alone... you should prolly look at all the contests before that one, when the system was managed in a sane way and an actual production level system was used. Pitbull is unquestionably the best security package for Linux and Solaris.
The hole had been published on x86 Solaris lists, it was known by Sun and their reply was basically "That isn't really a product we care all that much about supporting." Had the people at Argus not been a bunch of jackasses (all the new people were in at that point) and just followed their own TFM, the bug in question would not have been exploitable.
Quote:
The exploit was known in the underground but was not posted on any bugtracking nor was a patch available.
This is the kind of stupid **** people do on here all the time, I guess it is just because you don't know any better... but anecdotal evidence about system security is completely and utterly meaningless. Counting vulnerabilities or exposed systems? Capture the flag and openhack contests? It's all media bullshit and nothing more. Had Pitbull survived a billion attacks and was never compromised during 10 years of openhacking... would that prove it was secure? Nope. Just like this instance of being compromised (the system was configured in a manner that would be considered compromised out of the gate for a normal system) doesn't prove the system is insecure.
So stop being so obtuse.
catch
Oh, come on... catch, you're peddling the same bullshit you tell everyone to watch out for. I've seen the papers, but like a previous conversation we had, I don't believe in paying to build a castle on a swamp. I am being argumentative but not ignorant, because what you're saying is dumb. First you say how sweet it is, and when I mention LSD hacking it, you say it was no big deal and it was an easy hack. What?????
What????? They used their product, configured and set up by THEM, they only make **** for Linux and Solaris, the platform was x86 Solaris, if the company that builds it and a team of engineers can't configure it correctly IN A RIGGED SETTING, what the hell do I want to buy it for?
Quote:
They used a beta product configured in a totally unrealistic manner.
Like the one before where Bladez hacked it but also wasn't paid (Face you can trust, huh) because he was four hours late? How much does this cost again?
Quote:
you should prolly look at all the contests before that one
And read LSD's paper. Hell, read Argus's statements after the contest.
"We did manage to find such a vulnerability and additionally to find a bug in Pitbull itself. In result we were able not only to modify one of the virtual websites (what was required according to the challenge rules) but also to completely bypass Pitbull's access control mechanisms and even to turn off the protection system completely."
Quote:
The Pitbull system needed to be compromised, it was not.
"Our successful performance was officially accepted and announced by the Challenge committee, consisting of Argus and sponsor representatives (Fujitsu-Siemens)." -LSD
Wait, so the Pitbull Secure Web Appliance doesn't prevent the website from being defaced or prevent Pitbull itself from being disabled, since it wasn't compromised. WHAT???? What the **** does it do then?
You would be able to read the announcements and the rules Argus made except Argus, the face you can trust, seems to have misplaced all that stuff. Get real catch, don't say I'm being ignorant just cause you bought into the Trusted OS of the month. I got some **** I'll sell you, you'll never get compromised, promise.
-Maestr0
The Pitbull system in question was not configured to be secure.... well not as secure as it could be. They deliberately gave attackers WAY more access than would ever be seen on a live system just to make a point. This of course backfired on them... but on a normal website, you don't allow users to telnet in and provide the root password. (which was what the Argus team did) It isn't like they were too dumb to configure it.
Had they used normal Solaris the system would have remained secure.
The point is, it wasn't a real world situation... they just got big heads.
The vulnerability was NOT in Pitbull... it was in x86 Solaris, the Argus team allowed attackers access to the OS without being confined to its type enforcement as would normally happen. This of course allowed the attacker to disable Pitbull. Pitbull however worked well within its design and again the Argus team was just a little too full of themselves to allow such a path. The same type of vulnerability coupled with the same type of configuration and every single Trusted extension would fail in the same manner... including SE Linux, LIDS, and Trusted BSD. A real TOS wouldn't have these issues, because its controls cannot be toggled.
The Trusted OS of the month? Pitbull isn't a Trusted OS... it merely adds some trusted functionality to normal systems. This is the same thing people believe about SE Linux and so forth... MAC doesn't make it trusted, you need a reference monitor at the very least.
And again, had they configured the system to be secure and not to make a point ("we can give away root and you still can't hack us! nah nah nu nah nah") the system would not have been defaced as there exist no vulnerabilities (still) that could bypass it.
You are making the grave mistake of assuming that the Pitbull product, which was made by the old Argus team is bad, just because the people who bought the company are a bunch of dicks. Unfortunately this is very flawed logic.
cheers,
catch
PS. Pitbull isn't an appliance. From your posts, it is clear that you are not familiar with Pitbull at all... so why don't you either educate yourself or let it drop... arguing with hearsay is really silly.