I think you are a bit extreme in your suggestion. While syslog doesn't necessarily show all the warnings/errors, it is one of the common practices to check for errors. Criticizing people for using syslog is like laughing at people who use a door lock and telling them the door lock is useless because the burglar will eventually break into your house no matter how secure the door lock is.

I suspect the exploit you showed in the video has been well identified and patched. So, instead of telling people what they have written is a joke, you can kindly suggest to them, or even better, edit the wiki yourself, to mention the importance of updating software to the newest version periodically.


Actually, they already have a section about "security updates".

Unless you have identified some exploits that nobody knows and you are holding that information to yourself, I don't think what they are suggesting is flawed.


No proof no talk.

Well said. Many people only know how to say that what others write or do is useless, yet they cannot produce anything themselves that helps people.


This post was last edited by samiux on 2013-1-9 00:58
I think you are a bit extreme in your suggestion.  While syslog doesn't necessarily show all the war ...
muteki posted on 2013-1-8 17:10

I am not saying that reading logs is wrong or useless, but I pointed out that some exploits will not be logged. I just said that the said wiki is just a joke that only asks you to read logs but does not mention that some of them will not be logged. The information is incorrect and misleading. It will mislead others into thinking that it should be logged.

If you read all my messages, you will find that out. I can do nothing about it since their COMMON SENSE/PROFESSIONALISM is telling them that I am wrong (maybe including you). In addition, the only thing I can do is to alert them even if they do not want to or are unwilling to listen.

In the real world, there are very few exploit activities that can be logged. Even if it is logged, the attackers can clean it out with a method that you will not notice, or at least will not easily notice.

I think we are facing skilled attackers and not only script kiddies, do you agree? So, why not be more professional?

Thank you for watching the demo video (few people do it, but I don't know why). The said "vuln-server_static" is an exercise whose source code you can download here or here. The code does nothing but listen on a port, wait for the user's input and then echo it back. Basically, it is a vulnerable echo server, that's all.

You compile it, develop your exploit code and conduct the exploitation. As a result, you will get a shell. The demo video shows my exploit code, namely "exploit.py". If you are interested in or know how to do exploit writing, you can try it yourself.

By the way, you cannot find the solution on the internet for this exercise at the moment. However, it will be available soon when I release it. I delayed the release due to a personal matter.

If you understand what is an exploit and exploit writing, you will understand what I am saying.

Samiux

Update reason: fix the link


No proof no talk.

Well said. Many people only know how to say that what others write or do is useless, yet they cannot produce anything themselves that helps people. ...
lazyfai posted on 2013-1-8 22:35

I don't think clever people who are eager to learn need to be fed. A hint is enough.

Samiux


I just said that the said wiki is just a joke that only asks you to read logs but does not mention that some of them will not be logged. The information is incorrect and misleading.

I don't get the idea that they are telling people to only look at logs and do nothing else. Indeed, they are pretty clear in the article that the guide complements the basic security measures outlined in the Basic Security Wiki. And the basic security wiki makes it very clear in the very first paragraph -- they do not claim that doing everything listed will reduce the risk of being compromised to zero.

I understand what you want to suggest, but I don't think what you have suggested is anything new. It is pretty obvious that one can never do enough for security. It almost sounds like what you want them to do is to say something like: Do A, but A cannot guarantee you won't be hacked. Do B, but B cannot guarantee you won't be hacked. Do C, but C cannot guarantee you won't be hacked...

A simple disclaimer like the one they wrote should suffice, and I see nothing incorrect or misleading in doing so.


I don't get the idea they are telling people to only look for logs and do nothing else.  Indeed, t ...
muteki posted on 2013-1-9 02:00

I am targeting the wiki article "DidIJustGetOwned" and not the other articles at "BasicSecurity". Please don't take me too far.

The title "Did I Just Get Owned" is telling you to inspect your box to see if you have just been owned/compromised. Is it clear?

Samiux


I am targeting the wiki article "DidIJustGetOwned" and not the other articles at "BasicSecurity". Please don't take me too far.

I understand what you are focusing on. And that's why I quoted "This guide will complement the basic security measures outlined in the Basic Security Wiki", from the exact article you are talking about, hence leading to the simple disclaimer. If one didn't read both and tried to judge the quality of one article, it sounds more like a user error to me.

The title "Did I Just Get Owned" is telling you to inspect your box to see if you have just been owned/compromised. Is it clear?

It's clear you have the logic wrong. The inverse of a conditional is not always true (i.e. "if A then B" does not imply "if not A then not B"). They are telling you that if you find something suspicious in the log, you _may_ have been owned. It doesn't tell you that if you don't see anything suspicious in the logs, then you are not owned. The contrapositive, however, _is_ always true.


This post was last edited by samiux on 2013-1-9 11:36
I understand what you are focusing on.  And that's why I quoted "This guide will complement the ba ...
muteki posted on 2013-1-9 02:49

What if you did not see my demo or message?  

If nobody sees my message and demo, when they see that there are no suspicious activities found in the log, what will they think and do? They will probably think that their boxes are safe and they can go for coffee and relax.

The other articles in "BasicSecurity" are almost all about how to harden your Linux box only, and nothing about how to identify whether your box is compromised or not. "DidIJustGetOwned" is the only article that tells you all how to identify whether your box is compromised or not.

I am not logically wrong. If I were logically wrong, I could not have found the vulnerability in the said software and developed a logical exploit program to exploit it. I am just thinking in a very different way from you all, that is, I am thinking like a criminal. My quote: Think like a criminal and act like a professional.

I have no more words to say but just this: no suspicious activities in the log does not indicate that your box is safe. That's all.

It is my point of view, and I accept others' points of view. We are seeing things from different angles and targeting different scopes. I think there is no room for us to argue further. There is nothing new to argue or discuss further.

Samiux

Update reason: fix typo


What if you did not see my demo or message?

I have looked at your demo and downloaded the code. It's simply a badly written C program with a buffer overrun vulnerability (dest[] can be overrun). Like I said, I understand you are trying to make the point that not every exploit results in logging activity. But I think this is well understood and no one is suggesting the opposite (other than you, who keep claiming others do).

I am just thinking in a very different way from you all...

I don't know how "different" one needs to be to see that bug, other than having some experience in C programming and a basic understanding of how to exploit a buffer overrun bug (phrack.org comes to mind if anyone wants great examples).

I have no more words to say but just this: no suspicious activities in the log does not indicate that your box is safe. That's all.

I 100% agree with what you said. And I don't think anyone is claiming "no suspicious logs = not being hacked" either. I think this is the part you are failing to understand. You keep asserting that others think this way because of your incorrect logic. Again, the inverse of a conditional statement is not always true. Let me know if you have any difficulty understanding this.

It is my point of view...

I am not trying to argue anything. Indeed, it takes two different ideas to begin with in order to argue. I am just trying to understand whether I am missing any points from you. But based on our conversation so far, you are clearly thinking you are the only one seeing things differently. However, in my mind, you are just pointing out the obvious... There aren't any conflicting ideas to argue about.
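As an added example (not the vuln-server_static source itself, which is not reproduced on this page), the "copy the request into a fixed dest[] buffer" pattern the post above describes, beside a bounded handler that rejects oversized input and counts the rejection so the application can record what syslog never sees; DEST_SIZE, the function names and the counter are assumptions of this example:

```c
/* Added example, not the thread's vuln-server_static code. DEST_SIZE and
 * the function names are assumptions chosen for illustration. */
#include <stdio.h>
#include <string.h>

#define DEST_SIZE 64

/* Weak pattern: the copy trusts the request length. A request longer than
 * DEST_SIZE-1 bytes writes past dest[], and no syslog line records it
 * because the process itself is what gets corrupted. Kept for comparison
 * only; it is not called below. */
void echo_unbounded(const char *req, size_t len, char *reply)
{
    char dest[DEST_SIZE];
    memcpy(dest, req, len);        /* overflows dest[] when len >= DEST_SIZE */
    dest[len] = '\0';
    memcpy(reply, dest, len + 1);
}

static unsigned long rejected;     /* oversized requests seen so far */

/* Bounded handler: accepts at most DEST_SIZE-1 bytes, always NUL-terminates,
 * and returns -1 for oversized requests so the caller can log the attempt
 * at application level, the event the kernel/syslog would not produce. */
int echo_bounded(const char *req, size_t len, char *reply, size_t reply_len)
{
    char dest[DEST_SIZE];
    if (len >= DEST_SIZE || len >= reply_len) {
        rejected++;
        fprintf(stderr, "echo: rejected %zu-byte request (limit %d)\n",
                len, DEST_SIZE - 1);
        return -1;
    }
    memcpy(dest, req, len);
    dest[len] = '\0';
    memcpy(reply, dest, len + 1);
    return (int)len;
}

unsigned long rejected_requests(void) { return rejected; }

int main(void)
{
    char reply[DEST_SIZE];
    char big[2 * DEST_SIZE];                   /* constructed oversized request */
    memset(big, 'A', sizeof big);
    if (echo_bounded("hello", 5, reply, sizeof reply) == 5)
        printf("reply: %s\n", reply);
    echo_bounded(big, sizeof big, reply, sizeof reply);
    printf("rejected so far: %lu\n", rejected_requests());
    return 0;
}
```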
