echo: nthelp
to: Geo.
from: Rich
date: 2003-01-26 11:45:26
subject: Re: where does a hack process begin

From: "Rich" 

   In the case of the slammer worm, the responsible component is SQL
Server or MSDE.  Now you raise the subject of what you tell your
management when you are infected.  That's a different issue.  That's due
to irresponsibility not vulnerability.

   In example #2, if someone sent you an email instructing you to go
against your interest and open a malicious web page, that would be the
start as that is the first step that involves the person being attacked.

   I think you are taking a silly position by trying to identify a start
of a "hack process".  It really depends on how this supposed hack process
is defined.  Taking it literally I guess it would start when the attacker
decides to start on an attack.  So?  Do you want to discuss the psychology
of what makes people malicious, the technical issues of what makes
software vulnerable, the psychology of what makes people take actions
against their own interests, or debate what is or is not safe?  Each of
these can be interesting but usually orthogonal to the others.

Rich

  "Geo."  wrote in message
news:3e342359{at}w3.nls.net...
  "Rich"  wrote in message news:3e335e3e{at}w3.nls.net...
  >>   I also responded in part to what I believe to be a silly position
  you have taken that if a complex process has an undesirable result that
  you can claim any of the many steps or components in the complex process
  is responsible for the undesirable result on the premise that removing
  that step or component stops the complex process from completing.  It is
  this poor logic that allows one to blame you as the user as being
  responsible because you are a component in every such example.  You can
  also use the same logic to blame the warming of the Earth by the Sun
  since without this none of the undesirable results would be possible.
  It's simply bad logic and I called you on it not because I took any
  offence.<<

  [selective editing to separate into a new thread]

  Well certainly computing is a complex process that starts with the user
  turning on the computer. I agree with that. But being hacked is a subset
  of that process that begins at the point where the hacker first gains
  some level of control over the situation. However the definition of
  "situation" in the context of the discussion is important.

  Where that point is can be a matter of perspective. I'll explain a bit
  using two examples.

  Example 1: the recent slammer worm. Was the beginning of this hack when
  the first packet from the worm reached an unpatched server? Or was the
  beginning of this hack when the hacker infected the first server? Kinda
  depends on whether you are talking about hacking the internet or hacking
  a specific server. If you are talking about how the worm spread across
  the net then obviously the release of the worm is the beginning of the
  hacking process. If you are reporting to management about how your sql
  server got infected then obviously it started when that 376B packet that
  hit your server was sent. How the server that sent it to you got
  infected doesn't need to be viewed as part of the process.

  Example 2: the media player/IE thing we were discussing. Was the
  beginning when the hacker sent you an email with a link to a web page or
  was it when media player fired up IE or was it when IE went to a page of
  the hacker's choosing or was it when IE executed that page? Certainly
  from the hacker's point of view you were targeted by the email so that
  was part of the process but from the user's point of view emails are
  received all the time so was it when they clicked on the link or was it
  at the last point where input from the user was required?

  Because this is all so dependent on POV, I tend to try to define the
  start of the hack process as the point where the hacker gains some level
  of control over the machine instead of over the situation. That makes it
  much easier from my pov because I can't patch users but I can patch
  machines. I also try to separate the process of social engineering from
  the process of hacking, being that they are both used but clearly they
  are both separate processes that from a security standpoint need to be
  addressed differently.

  So no, I don't think my position on where the hacking process begins is
  silly and no I don't think it started with the big bang either. Since we
  were discussing the exploit described at
  http://lists.insecure.org/lists/bugtraq/2002/Aug/0316.html and since
  that page describes the hack as

  "Combing the Jelmer codebase, the Sandblad dot bug and the 1 year old
  wimpy'flication of the media player"

  and also since step 1 is to create the asx file (which contains an
  executable), then it's my position that the hack begins with the last
  action of the user prior to the running of that asx file since that is
  the point where no further action on the part of the user is required
  (the process is now fully automated), the hacker gains some level of
  control over the machine.

  I'd be interested to understand your pov on this, as my position is not
  something that is rock solid and unchanging, I've never really tried to
  define this clearly before so I'm open to suggestion.

  Geo.



--- BBBS/NT v4.01 Flag-4
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/1.45)
SEEN-BY: 633/267 270
@PATH: 379/1 633/267

SOURCE: echomail via fidonet.ozzmosis.com
