Page 3 of 5

Posted: Mon Feb 16, 2009 6:48 pm
by liquidacid
Just because someone wants to "hack" into a system doesn't make them a cracker! What they do while inside said system and the reason behind it defines whether they are a hacker or a cracker. A long time ago, when baud rate mattered, people hacked into unix systems just so they could use and play with unix. And they weren't called crackers.

Posted: Mon Feb 16, 2009 9:11 pm
by S3th
Yes, but times have changed, and most people these days are like "hurr durrr I w@nt to h4ck in2 teh system and get free moniez for teh lulz."

Posted: Mon Feb 16, 2009 11:01 pm
by plope0726
S3th wrote:Yes, but times have changed, and most people these days are like "hurr durrr I w@nt to h4ck in2 teh system and get free moniez for teh lulz."
Exactly. It's usually easy to wean out the bad apples when they type like a four year old. And especially when they want to hack into an ATM machine. What other purpose would they have to hack an ATM machine? Granted, one may try to hack the machine to find flaws in the system for security benefits, but if that's what they are doing they likely won't need help to do it. If they are testing security then they should already know how to do it.

Posted: Tue Feb 17, 2009 11:05 pm
by theStack
If someone like S3th is effective in weaning out these trouble makers by flaming them and causing them to not return, then great, because it not only reduces the amount of negative attention we might get, it also lets observers know that we do not tolerate stupid, foolish behavior and that this site's intent is not to have a bunch of idiots running around causing problems, thus keeping this site from potentially being shut down.
Why the hell should this site be shut down? Only because someone is _asking_ a question that *could* have something to do with illegal actions? That's ridiculous, not to say paranoid. And it should be more the concern of an administrator, not yours. As long as the site is about Puzzles and Bot Wars (as can be clearly seen on the entry page) a shutdown won't happen.

Why are you registered here anyway? I don't know how you ranting guys see it but I think hacker.org is nearly all about the challenges and the AI programming. I have never seen any intelligent discussion going on here in "The Hacker's Server" subforum where you could learn something from.

And observers will see that you don't tolerate stupid behavior, I agree, but they will also think that hackers are extremely unfriendly people who can't discuss (social) problems in a normal polite way, but instead only shout and rant around. War is not the answer.

Would be nice to see you guys in the challenges and botpuzzles forums more often :wink:

Posted: Tue Feb 17, 2009 11:41 pm
by plope0726
theStack wrote:
If someone like S3th is effective in weaning out these trouble makers by flaming them and causing them to not return, then great, because it not only reduces the amount of negative attention we might get, it also lets observers know that we do not tolerate stupid, foolish behavior and that this site's intent is not to have a bunch of idiots running around causing problems, thus keeping this site from potentially being shut down.
Why the hell should this site be shut down? Only because someone is _asking_ a question that *could* have something to do with illegal actions? That's ridiculous, not to say paranoid. And it should be more the concern of an administrator, not yours. As long as the site is about Puzzles and Bot Wars (as can be clearly seen on the entry page) a shutdown won't happen.

Why are you registered here anyway? I don't know how you ranting guys see it but I think hacker.org is nearly all about the challenges and the AI programming. I have never seen any intelligent discussion going on here in "The Hacker's Server" subforum where you could learn something from.

And observers will see that you don't tolerate stupid behavior, I agree, but they will also think that hackers are extremely unfriendly people who can't discuss (social) problems in a normal polite way, but instead only shout and rant around. War is not the answer.

Would be nice to see you guys in the challenges and botpuzzles forums more often :wink:
Concerning the possibility of the site being shut down... let's look at a scenario. Someone comes and asks "Hey can i lrn to make virus?" then someone like the user "a" says "ya man here a prog for powerful virus" .... Soon a new virus alert is out and the search is on for where it originated... they track it to the first user's computer, and from there they see that he is a member of hacker.org. After searching the site for evidence, they find the post about making a virus and the post giving him the virus. This likely would lead to further investigation of the hacker.org website. If you know anything about the PATRIOT act you will know that under it the Fed can do just about anything they want. Even if they find no further evidence on the site that may pose a risk of further problems from it, they can still opt to shut the site down, at least in the US, because someone has already used this site to cause problems. Furthermore, if this were to occur it would likely lead to an investigation of members of the site, and with the records that the site contains, believe me, they could find most of us. Now, this scenario may not be likely but could happen. Just like the odds of a person breaking into your home in an upper-scale neighborhood may not be likely, that doesn't mean you don't take the precautions to reduce the risk of your home being broken into. I'm not so much concerned with the site being shut down as I am with the possibility of being investigated for stupid nonsense.

As far as being on the botpuzzles and challenge forum... well, the botpuzzles don't interest me much and if I'm having trouble with a challenge I usually turn to my trusty friend Google, from there I tend to find the answer. As far as completion of the challenges, I do them when I can. I go to school (University) full time and work, so unlike many of the kids on here, I do not have a lot of leisure time to work on that stuff.
Only because someone is _asking_ a question that *could* have something to do with illegal actions?
If someone is posting a question saying "How do i hack ATM machines", that IS illegal, not maybe. If someone is asking how to crack a facebook, myspace, or other web account, that is illegal. If someone is asking to be shown how to make and spread a virus, that IS illegal. There is no maybe here with these questions, they are all asking to be shown how to perform an illegal act.
If someone gives them that information and they go out and do it, that IS illegal, and they can be held responsible for the actions of the person they gave the information to.

As far as intelligent conversations in here... There might be more if people weren't here asking "how i hack ATM". It's also hard to have an "intelligent" conversation with someone who does not know how to speak.

Posted: Wed Feb 18, 2009 12:26 am
by PaRaDoX
theStack wrote:
S3th wrote:Whoa, what the fuck. He really was talking about ATM's.
You there, daengpalopo.
You sir, can FUCK OFF.
We do not want your faggatory filling these forums, with your cracking and script kiddie wannabe bullshit.
Just get a life, and earn money yourself, instead of trying to leech off some poor guy. Oh, but wait. You're a faggot that will never amount to anything other than dog shit that I wipe off my shoe, and forget about for the rest of eternity. Seriously, get the fuck off hacker.org, and find an illegal cracker site, and enjoy being ass raped in prison, you sick mother fucker.
You know it's really not professional what you do here, this text looks more like a weirdo with Tourette syndrome than words from a mature person. It's actually quite funny that nearly all those extreme "cracker-haters" haven't even solved more than 15 to 20 challenges themselves but they just feel like real hackers :lol:

But well, it's always very much fun to be so cool and bear hatred against another group, isn't it?
Well, sorry for not liking certain people. If part of this was targeted at me or any group affiliated with me, read all my posts, seriously, EVERY LAST ONE EVER. Did you ever see me claim to be an experienced hacker? No. Also, challenges cannot be a measure of skill either way (eg: look at tails. He solved, like, EVERY LAST ONE (or most of em), but what if he never bothered? Does that mean he's inexperienced? I wouldn't think so.)

Besides, just because we don't happen to like assholes and general morons mucking up our forums,
that doesn't mean we're trying to do some whole "omfg im accepted because i have hatred in common" thing here. What DO we have in common? I'll give you 3 guesses.


But the one thing I DO agree on is that there's not enough actual talk of programming / other computer affiliated things on this forum, too much flame. That's why I left a bit back. I only posted this since your post stuck out at me when I came to check back on wtf was going on.

Posted: Wed Feb 18, 2009 5:58 am
by theStack
plope0726 wrote:Concerning the possibility of the site being shut down... let's look at a scenario. Someone comes and asks "Hey can i lrn to make virus?" then someone like the user "a" says "ya man here a prog for powerful virus" .... Soon a new virus alert is out and the search is on for where it originated... they track it to the first user's computer, and from there they see that he is a member of hacker.org. After searching the site for evidence, they find the post about making a virus and the post giving him the virus. This likely would lead to further investigation of the hacker.org website. If you know anything about the PATRIOT act you will know that under it the Fed can do just about anything they want. Even if they find no further evidence on the site that may pose a risk of further problems from it, they can still opt to shut the site down, at least in the US, because someone has already used this site to cause problems. Furthermore, if this were to occur it would likely lead to an investigation of members of the site, and with the records that the site contains, believe me, they could find most of us. Now, this scenario may not be likely but could happen. Just like the odds of a person breaking into your home in an upper-scale neighborhood may not be likely, that doesn't mean you don't take the precautions to reduce the risk of your home being broken into. I'm not so much concerned with the site being shut down as I am with the possibility of being investigated for stupid nonsense.
Well, I can partially understand your concerns about the site being shut down (again, I think this should be the admins' problem, and newbie cracker posts should either be responded to with just a single link to a Hacker HOWTO or they should be deleted immediately), but what I wonder about is your paranoia of getting problems and being arrested. You know you have not done anything illegal. Thus, you simply can't get arrested. How should you, when there is nothing in the law against you? "Being active on the same platform as a criminal person" - is that a reason for getting in jail? Hell no.
Even if the utopian and paranoid scenario happened and they would search ALL the members here on hacker.org. Well fine, they should have fun while doing it. They can do what they want, they just can't punish people for something they haven't done. I have to say I don't live in the US, but if the law is *really* that bad that people will get arrested for doing nothing against the law, then you people living there are really poor - I would move to another country as soon as possible :lol:
plope0726 wrote:As far as being on the botpuzzles and challenge forum... well, the botpuzzles don't interest me much and if I'm having trouble with a challenge I usually turn to my trusty friend Google, from there I tend to find the answer.
Google? GOOGLE? Dude, are you really serious? I talk about challenges, not quizzes about simple facts you can look up in an encyclopedia - challenges where you invest much time, think about efficient algorithms and write complex programs to solve your problems. There are indeed certain challenges which *can* be solved by research on the internet alone, but what's the point in that? That's absolutely boring, those "challenges" are more like a test of whether there is a bot behind the account.
Maybe that is the reason why you're not that interested in challenges, they've just been too easy and you couldn't improve your skills. You should definitely give them a try again! More interesting ones will come (keyword: HVM) which are really exciting.
plope0726 wrote:As far as completion of the challenges, I do them when I can. I go to school (University) full time and work, so unlike many of the kids on here, I do not have a lot of leisure time to work on that stuff.
It's very strange then that you DO have the time to write dozens of posts in this subforum, most by responding to crackers. That's really the point where I wonder what your motivations are to be around here, if neither the challenges nor the botpuzzles are interesting for you. So the only interesting subforum left is full of crackers and your only activity here is to fight against the black-hats, which doesn't improve any skill.
plope0726 wrote:If someone is posting a question saying "How do i hack ATM machines", that IS illegal, not maybe. If someone is asking how to crack a facebook, myspace, or other web account, that is illegal. If someone is asking to be shown how to make and spread a virus, that IS illegal. There is no maybe here with these questions, they are all asking to be shown how to perform an illegal act.
Pure Bullshit. Just by asking/speaking about a criminal act you can't get punished. Just one example - you maybe have heard of a famous port scanning tool called nmap and its author Fyodor (if not, take a look at insecure.org). This guy has written a book with all the details about this port scanner, including some example attacks and explaining all the details. That's definitely knowledge you could use to be criminal. Now tell me why he is still not in jail?
Show me one single case where a person was just arrested by asking how to do something criminal. Good luck on searching - I'm very curious what your friend google says this time.
You see that there's a huge difference between saying and doing, don't you?

Besides that, I have to admit I'm technically interested in hacking ATMs too. Why not, how should it ever be wrong to want to know something? Even when you learn about cryptography it is actually knowledge for something evil, if you want to see it so, because it gives you an understanding of how it works.

And going to university you should know that "security by obscurity" is always a bad thing. Instead of fearing some bad guys doing criminal acts people should better learn from these bad guys and think about how security can be improved!
Again you're claiming that people can be punished for something they haven't done - very strange sense of justice :roll:
If someone gives them that information and they go out and do it, that IS illegal, and they can be held responsible for the actions of the person they gave the information to.
In THAT point I agree, of course. But again, if any other idiot on the board gave a newbie information, you won't get punished.
plope0726 wrote:As far as intelligent conversations in here...There might be more if people weren't here asking "how i hack ATM" . It's also hard to have an "intelligent" conversation with someone who does not know how to speak.
I agree here, too. There should be more admins here deleting senseless newbie posts regularly.

@paradox: I definitely won't read all your posts because I've got better things to do, but of course I believe you. That "feeling like an experienced hacker" was just an assumption of mine because I really wonder what the sense is in being here on hacker.org when neither challenges nor board puzzles are interesting. This seems so absurd to me that the only thing I can think of which is motivating is strengthening the ego by ranting at newbies and feeling proud to be something like a hacker. Sorry, but I can't see any other reason. Have you REALLY learned something useful so far in this forum here? I doubt it.
"What DO we have in common?" You maybe await a highly complex definition including all possible stuff, but I keep it simple: curiosity, fun to explore technical stuff related to computers, being fascinated by mathematical/logical problems and being even more fascinated by solving them (either by hand or by a computer program).

Posted: Wed Feb 18, 2009 6:57 am
by S3th
I got piss bored half way through reading theStack's post. :/

I was just thinking how we need proper topics. I have posted a few, for example, the viruses topic, to learn about some other viruses, in order to help my friends, etc.

I will probably make a few soon.

Posted: Wed Feb 18, 2009 7:45 am
by plope0726
One more long boring post before bed...
Well, I can partially understand your concerns about the site being shut down (again, I think this should be the admins' problem, and newbie cracker posts should either be responded to with just a single link to a Hacker HOWTO or they should be deleted immediately), but what I wonder about is your paranoia of getting problems and being arrested. You know you have not done anything illegal. Thus, you simply can't get arrested. How should you, when there is nothing in the law against you? "Being active on the same platform as a criminal person" - is that a reason for getting in jail? Hell no.
Even if the utopian and paranoid scenario happened and they would search ALL the members here on hacker.org. Well fine, they should have fun while doing it. They can do what they want, they just can't punish people for something they haven't done. I have to say I don't live in the US, but if the law is *really* that bad that people will get arrested for doing nothing against the law, then you people living there are really poor - I would move to another country as soon as possible
I don't have a paranoia of being arrested. But in the event that an investigation were to take place, there is the likelihood that users of the site would be investigated as well. It doesn't matter if you're innocent, the whole process of it is something I would prefer to avoid. Also, if you are at a house party, and the party gets busted because underage drinking is occurring, and you are of legal age to drink and buy alcohol, regardless of your involvement in supplying the booze, you are still likely to be investigated and can face prosecution and fines. The same principle can be applied here. As far as the laws of the US, well, a lot has changed since Bush got into office. He sucked, hopefully some things he implemented will be reversed soon.

Google? GOOGLE? Dude, are you really serious? I talk about challenges, not quizzes about simple facts you can look up in an encyclopedia - challenges where you invest much time, think about efficient algorithms and write complex programs to solve your problems. There are indeed certain challenges which *can* be solved by research on the internet alone, but what's the point in that? That's absolutely boring, those "challenges" are more like a test of whether there is a bot behind the account.
Maybe that is the reason why you're not that interested in challenges, they've just been too easy and you couldn't improve your skills. You should definitely give them a try again! More interesting ones will come (keyword: HVM) which are really exciting.
Google is quite an effective tool to look up information on topics you are unfamiliar with. That, along with prior knowledge and the ability to put 2 and 2 together, is how I prefer to complete the challenges. Not by posting to a forum with "Hey guys plz tell me how to solve this challenge." Also, I never said I wasn't that interested in the challenges. I said, and you quoted me, "...the botpuzzles don't interest me much and if I'm having trouble with a challenge I usually turn to my trusty friend Google..." The simple statement about turning to Google about challenges should have tipped you off that I do try the challenges. And actually I have learned a good bit between the challenges and Google searches for further understanding on unfamiliar topics. All of the posts during the time frame of when I replied to your original post were within about an hour period.... I do have some leisure time. As far as my fight against the black-hats... I'm a Security Major.
Pure Bullshit. Just by asking/speaking about a criminal act you can't get punished. Just one example - you maybe have heard of a famous port scanning tool called nmap and its author Fyodor (if not, take a look at insecure.org). This guy has written a book with all the details about this port scanner, including some example attacks and explaining all the details. That's definitely knowledge you could use to be criminal. Now tell me why he is still not in jail?
Show me one single case where a person was just arrested by asking how to do something criminal. Good luck on searching - I'm very curious what your friend google says this time.
You see that there's a huge difference between saying and doing, don't you?
First of all, port scanning is not an illegal act. Second, the book is based on vulnerabilities that are already known and is for the purpose of research. You cannot compare that to someone coming into a public forum and saying, "how do make a virus to spread" and another giving them a virus script and telling them how to use it... It's not the same. Now granted, I should have worded my statement differently. I didn't mean that asking the question was illegal, I meant the act which they are asking how to perform was illegal.
Besides that, I have to admit I'm technically interested in hacking ATMs too. Why not, how should it ever be wrong to want to know something? Even when you learn about cryptography it is actually knowledge for something evil, if you want to see it so, because it gives you an understanding of how it works.
If you want to learn how something works you do research on it. You don't jump in a forum and say, "tell me how to hack ATM." What do you learn from this... nothing except how to use a process someone else came up with. Now if you wanted to learn how an ATM machine worked, one could point you to a link to read up on. Then you learn something... But if someone just tells you "hey do this, this and this" with no understanding of what's going on when you perform the steps, you have learned nothing.
And going to university you should know that "security by obscurity" is always a bad thing. Instead of fearing some bad guys doing criminal acts people should better learn from these bad guys and think about how security can be improved!
Again you're claiming that people can be punished for something they haven't done - very strange sense of justice
Security by obscurity a bad thing... where did you learn this... There are 5 fundamental security principles, my friend: layering, limiting, diversity, obscurity, and simplicity. "Obscuring what goes on inside a system or organization and avoiding clear patterns of behavior make attacks from the outside difficult." Security + Guide to Network Fundamentals, CH 3, page 76. Of course, I think what you are thinking of would be Fear Tactics... either way, neither of these has anything to do with your assumption that I said people could be punished for something they haven't done.
In THAT point I agree, of course. But again, if any other idiot on the board gave a newbie information, you won't get punished.
Again, I shall go back to my analogy about the house party and underage drinking.
I agree here, too. There should be more admins here deleting senseless newbie posts regularly.
Yes, there should be more administrative action in these forums... In the meantime it's kinda fun to pick on people like that "a" character who claims he is some great hacker with a "powerful virus".

Yes, relevant topics would be nice...

Posted: Wed Feb 18, 2009 3:16 pm
by theStack
@S3th: It's a good idea to tag the topics that are not completely senseless, it's a step to raise the quality of this subforum, great! (Though I have always wondered why so many here are fixated on viruses. For me, there's nothing more boring than stupid malware whose only purpose is to destroy.)

@plope0726: As I'm lacking time I have to keep my answer short. Again, I DO NOT think that people who tend to ask questions about illegal actions should be supported. The only thing which was bothering me (and which caused the whole discussion here) is the way you guys speak with them. That extreme ranting looks so immature that people watching the discussions think of young kids who have too much time when they read this, and get a completely wrong picture of the hacker community.
Well, maybe I'm a bit too optimistic, but I'm convinced that people can change. And that maybe someone who seems to be a bad-bad cracker at first can change into a better person by reading good HOWTOs. Who knows... I've always been an opponent of arrogant, ignorant people who just have a limited black and white thinking, a thinking that there are the good ones and the bad ones and there's nothing in between.

How can Security by Obscurity be a good thing? When most of the security of an encryption algorithm is based on the fact that it is hidden and nobody knows about it, it's just a matter of time until somebody finds out about the algorithm and the "security" level has gone to zero.
You surely know Kerckhoffs' principle, that's exactly what I meant (though this is more based on cryptography, not general security).
Obscurity can maybe be a small security add-on to hold the complete idiots off, but it can never be seen as a serious security measure. For example, if you change the port a daemon is running on away from the standard port, it is a bit of a security add-on and more idiots who just scan for standard ports will be held off, but has this really something to do with securing a system? No, definitely not.
It's the same as if you would hide your key under your doormat and would say it's a good thing and is secure enough.
So you have misunderstood me: "Security by obscurity" means that a system is MOSTLY based on obscurity, which is always bad. As an addition to a properly secured system, like already said, it can of course never hurt. All those obscured things can easily be found out by social engineering, so I really don't see any serious security in that.

Five fundamental security principles... according to THIS author maybe, yes.
Another author would define other principles. I'm generally not a fan of just citing books; it is more fun to use your own brain instead of just citing and memorizing words some guru said sometime, isn't it? For example, in one of our courses on security, "Open Design" (the contrary of "Security by Obscurity") was one of those principles. Now who is right? It's just a matter of definition and I think it's generally not the best idea to see some book like the holy bible and say that's THE truth.
When you read e.g. general books about operating systems you will also see that the fundamental principles of an OS aren't always exactly the same, it depends on the author.

Posted: Wed Feb 18, 2009 4:22 pm
by plope0726
When you read e.g. general books about operating systems you will also see that the fundamental principles of an OS aren't always exactly the same, it depends on the author
Simple short response and this will be the end of my conversation with you on this topic.... First, it's clear that you don't understand what security by obscurity means. Second, the Security + Guide to Network Security Fundamentals is not a book on an author's opinion. It is a CompTIA (Vendor Neutral) certified textbook to prepare for the Security + Certification Exam (also vendor neutral). These aren't opinions of a particular author; second, textbooks don't generally have one particular author; third, these are the Industry Standards. Before you make a statement about a book, look into what you are talking about, as it is clear you have no clue what you're talking about. For more information on CompTIA, go to http://www.comptia.org

Read the book (or just chapter 3) and you might actually understand what I'm talking about rather than making your general assumptions. Also know your background information when trying to pose an argument, as obscurity in this case has little to do with encryption, and nothing to do with our original discussion.

I never said anything about using obscurity and only obscurity.
The security fundamentals once more,

Layering
Limiting
Diversity
Obscurity
Simplicity

I will no longer respond on this topic since you clearly don't take the time to think about your argument before you post it. Good day.

Posted: Wed Feb 18, 2009 5:15 pm
by theStack
Well plope, godmaster of security, tell me your personal definition of "Security by obscurity" and tell me how your definition collides with mine and what I've not understood about that at all.
The lecturers at the university I go to must all be stupid and not understand anything, according to your words. I'm very curious :P

Well, even if the textbook is certified and some more people agreed upon those 5 points, does that mean that this is the universal and only truth? Just a small hint: there are maybe even *other* certified textbooks out there and there are *other* providers of certifications for computer technology. They must have brainwashed you when you really believe all that you've learned is the only truth and everybody listing other points on "principles of security" is a complete idiot who has no clue. It always depends on how you look at the subject - another possibility to list "principles of security" is, for example:
- Confidentiality
- Integrity
- Availability
I never said anything about using obscurity and only obscurity.
But I did, since I started with "security by obscurity". And you of course mistook that and showed off your certificate knowledge.

Posted: Wed Feb 18, 2009 5:46 pm
by plope0726
Where are you from?

let me just guess I could be way off though... Austria?

Posted: Thu Feb 19, 2009 4:35 am
by plope0726
And going to university you should know that "security by obscurity" is always a bad thing. Instead of fearing some bad guys doing criminal acts people should better learn from these bad guys and think about how security can be improved!
This is where YOU went off track... and where you are incorrect. Security by obscurity does not mean having people fear some bad guys... this would be referred to as fear tactics, which should not be used. Security by obscurity, on the other hand, means avoiding clear patterns of behavior, such as the shift change of security guards (ie: not having a shift change at the same time every day). Also, not advertising your system information on a logon window is an example of obscurity. It's interesting that you throw out these ridiculous arguments and yet give no outside information to back up what you are saying.
How can Security by Obscurity be a good thing? When most of the security of an encryption algorithm is based on the fact that it is hidden and nobody knows about it, it's just a matter of time until somebody finds out about the algorithm and the "security" level has gone to zero.
How about the word encrypt essentially means to hide, therefore, Captain Obvious, of course "the security of an encryption algorithm is based on the fact that it is hidden." And I never said that obscurity alone was a good thing, merely pointing out that your statement about security by obscurity always being bad is, well, stupid, and that you clearly don't understand what security by obscurity is.
They must have brainwashed you when you really believe all that you've learned is the only truth and everybody listing other points on "principles of security" is a complete idiot who has no clue. It always depends on how you look at the subject - another possibility to list "principles of security" is, for example:
- Confidentiality
- Integrity
- Availability

Once again you prove my point that you have no idea what you are talking about. Perhaps you should get some after-class tutoring from your lecturers so they can better explain to you what they are teaching.

-Confidentiality, Integrity, and Availability are your goals for information through security. These are not principles of security; rather, these are the characteristics of the information that information security is intended to protect. "Information security protects the integrity, confidentiality, and availability of information on the devices that store, manipulate, and transmit that information through products, people, and procedures."

Now onto the security principles (a different topic from the information characteristics of which you referred). I will quote the book again because it states it better than I can...

"Although you need many defenses to withstand attacks, you base these defenses on a few fundamental security principles: protecting systems by layering, limiting, diversity, obscurity, and simplicity."

-Layering - "creates a barrier of multiple defenses that can be coordinated to thwart a variety of attacks."

-Limiting - "Only those who must use data should have access to it. In information security terminology, for a subject (such as a person or a computer program running on a system) to interact with an object (such as a computer or a database stored on a server), the access must be limited. In addition, the amount of access granted to someone should be limited to what that person needs to know or do."

-Diversity - "Just as you should protect data with layers of security, so too must the layers be different (diverse) so that if attackers penetrate one layer, they cannot use the same techniques to break through all other layers." ..... "Using diverse layers of defense means that breaching one security layer does not compromise the whole system."

-Obscurity - "Obscuring what goes on inside a system or organization and avoiding clear patterns of behavior make attacks from the outside difficult." ... "A company should not advertise what security plan they have in place, the vendor of their equipment, or any other seemingly harmless information that could be used in an attack." ... "While obscurity by itself is a poor type of defense, it can confuse would-be attackers if it is used with other diverse layers of defense."

-Simplicity - "A secure system should be simple for those on the inside to understand and use. Complex security schemes are often compromised to make them easier for trusted users to work with -- but this can also make it easier for the attackers as well. The challenge is to make the system simple from the inside but complex from the outside."


Now, since clearly you need to go back and learn your shit before you try to argue about it, why don't you go do that. And maybe have your lecturers review the material with you so you can better understand what the hell you are talking about. Have a good day.

Posted: Thu Feb 19, 2009 5:47 pm
by theStack
I had written a longer post, but unfortunately my Firefox fucked up (well, I have to learn that having 20 tabs open is not good with only 128 MB of RAM :lol: ), so again I'll keep it short:

- I'm always ready to be taught otherwise (to err is human, isn't it?), but not if the only arguments for that are "I can cite textbooks" and "I have passed that security certificate, so I *must* know better"
- Yes, those points I listed were goals/issues of security instead of principles; however, it is not rare that goals and principles are used interchangeably here at university, so I don't see it as too bad. But if it strengthens your ego that much to say I have absolutely no clue, you can do it whenever you want, sweet boy, I only want your best :)
- Again I have to say that you are obsessed with your holy book. Search for "security principles" in Google, first hit: in that HOWTO there's a link to a PDF from NIST, and there are 33 (!) principles listed. Are you still convinced that your source of security principles is the only truth and all other documents describing principles are shit?
- There's a difference between obscurity alone and "Security by Obscurity"; the latter is a term on its own (look it up on Wikipedia if you don't believe me). And that "Security by Obscurity" actually *is* a bad thing in most cases is common sense. It's actually one of the first things we learned at university, and it's just obvious if you think about it. Wanna have an example? Here we go: http://slashdot.org/features/980720/0819202.shtml
Even if "obscurity" IS a security principle in your holy book, that has absolutely nothing to do with "security by obscurity", because systems being secured by that policy are *mostly* using secrecy for that, and that can't be a good thing, so your "proof" was wrong.
- Yes, having fear does not have much to do directly with "Security by Obscurity". What I wanted to say is that you should use all bad guys as a chance to improve the security of systems. As long as even the bad guys (who are not that intelligent in most cases) are able to break into a system, it is clearly a sign that the security of the system is lacking.
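The two posts above argue past each other: plope0726's "obscurity" principle (don't advertise your vendor or banner) is a layer on top of real controls, while theStack's point is about a system whose *only* secret is the algorithm. The following is an added example, not code from either poster or from the thread's textbook, that makes the second point concrete. It puts a "secret algorithm" cipher (a fixed XOR mask compiled into the code) beside a published construction with a secret key (an HMAC-SHA256 keystream in counter mode, chosen here only for the comparison; a real system would use an AEAD such as AES-GCM) and gives the same attacker the same advantage against both: full knowledge of the algorithm plus one known plaintext/ciphertext pair. The mask value, keys, messages and nonce length are all constructed for the example.

```python
"""Added example: a secret algorithm versus a public algorithm with a secret key.
Not from the original thread; all values below are constructed for illustration."""
import hashlib
import hmac
import secrets

# ---- Design A: "security by obscurity" ------------------------------------
# The only secret is the algorithm itself: this mask ships inside every copy of
# the program, cannot be rotated, and is shared by every user and every message.
_HIDDEN_MASK = bytes.fromhex("5a9c3e71b0d4f281")  # constructed "secret"


def obscure_encrypt(plaintext: bytes) -> bytes:
    """Repeating-XOR with the baked-in mask."""
    return bytes(b ^ _HIDDEN_MASK[i % len(_HIDDEN_MASK)] for i, b in enumerate(plaintext))


obscure_decrypt = obscure_encrypt  # XOR is its own inverse


def recover_mask(known_plain: bytes, known_cipher: bytes, mask_len: int) -> bytes:
    """Attacker step: knowing the algorithm (repeating XOR, mask length), one
    known plaintext/ciphertext pair returns the whole mask."""
    return bytes(known_plain[i] ^ known_cipher[i] for i in range(mask_len))


# ---- Design B: public algorithm, secret key --------------------------------
# keystream = HMAC-SHA256(key, nonce || counter) for counter = 0, 1, 2, ...
# Every detail of this construction can be published; only `key` is secret.
NONCE_LEN = 16


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def keyed_encrypt(key: bytes, plaintext: bytes, nonce=None) -> bytes:
    """Returns nonce || ciphertext; a fresh random nonce per message unless given."""
    if nonce is None:
        nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))
    return nonce + ct


def keyed_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(c ^ k for c, k in zip(ct, keystream(key, nonce, len(ct))))


def compare_designs() -> dict:
    """Same attacker against both designs: algorithm leaked + one known pair."""
    msg1 = b"user=alice;balance=120"  # constructed: the pair the attacker learns
    msg2 = b"user=bob;balance=9000"   # constructed: the message the attacker wants

    # Design A: the leaked algorithm IS the whole secret, so every message falls.
    mask = recover_mask(msg1, obscure_encrypt(msg1), len(_HIDDEN_MASK))
    ct2 = obscure_encrypt(msg2)
    forged = bytes(b ^ mask[i % len(mask)] for i, b in enumerate(ct2))

    # Design B: algorithm fully known, key unknown. The known pair yields only the
    # keystream for that nonce; it does not decrypt a message under another nonce.
    key = secrets.token_bytes(32)
    blob1 = keyed_encrypt(key, msg1)
    blob2 = keyed_encrypt(key, msg2)
    leaked_stream = bytes(p ^ c for p, c in zip(msg1, blob1[NONCE_LEN:]))
    guess = bytes(c ^ k for c, k in zip(blob2[NONCE_LEN:], leaked_stream))

    return {
        "obscure_second_message_recovered": forged == msg2,
        "keyed_second_message_recovered": guess == msg2,
        "keyed_roundtrip_ok": keyed_decrypt(key, blob2) == msg2,
    }


if __name__ == "__main__":
    print(compare_designs())
```

The point the comparison makes is the one theStack is after: in design A, "the algorithm leaked" and "the key leaked" are the same event, and there is nothing to rotate afterwards except shipping a new program to everyone. In design B the algorithm is public by design and a leak of one message's keystream is contained by the nonce; recovery is a key rotation. Note that design B still has the weakness of any unauthenticated stream cipher (bit-flipping, nonce reuse), which is why the lead-in points to an AEAD for real use.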