
Re: A good laugh


Julian Macassey
May 16, 2012, 12:48:21 PM
On Wed, 16 May 2012 16:36:16 +0200, Gallian <gal...@linuxmail.org> wrote:
> $SECURITY_CONSULTANT: "This PGP plugin does not work, I can't decrypt
> sent messages".
>
> My flabber is gasted. *This* is the star consultant we send out to
> customers?

Why am I not surprised?

I have mentioned in the past that most "Computer
Security" people are chancers just doing a shuck and jive.


--
I like being able to fire people who provide services to me. - Willard
Mitt Romney January 2012

Koos van den Hout
May 17, 2012, 2:19:50 AM
Gallian <gal...@linuxmail.org> wrote in <86d364w...@gaheris.avalon.lan>:
> $SECURITY_CONSULTANT: "This PGP plugin does not work, I can't decrypt
> sent messages".

So the equivalent option "encrypt to sender" isn't ticked. "Add my own key
to the recipients list" in Enigmail. I don't know if it is on by default, I
have switched it on in Enigmail.

It can be done, but you have to understand bits of how public key crypto is
implemented.

Koos

--
Koos van den Hout Homepage: http://idefix.net/
PGP keyid DSS/1024 0xF0D7C263
Webprojects: Camp Wireless http://www.camp-wireless.org/
The Virtual Bookcase http://www.virtualbookcase.com/

David Scheidt
May 22, 2012, 5:35:18 PM
Lee Ann Goldstein <lee...@pir.net> wrote:
:On 05/22/12 09:18, E.P.Sporgersi wrote:
:> On Wed, 16 May 2012 16:36:16 +0200, Gallian wrote:
:>
:>> My flabber is gasted. *This* is the star consultant we send out to
:>> customers?
:>
:> Of course. The key skill for a security consultant is convincing the
:> local BOFHen to run his crummy little shell script as root on their
:> system, so he can have it generate the appropriate document.

:Some years ago the Cevpr Jngreubhfr guys came here with such a script.
:I of course looked the thing over first, said, "This won't give you
:the information you want," and rewrote it. Cleanly.

I had an interaction like that with some morons from a different large
consulting firm, which has since changed its name, in an attempt to fool
people into thinking they're not all felons. I ran the script on the aba
cranygl raivebazrag (about the only thing I miss from that job), and sent
them the output. Since the output was '/bin/bash: no such file', this
was considered Not Helpful. By the security conslutants, at least; my
manager thought it was very instructive.

--
There's a rather large difference between pissing on a 600V third rail
and a 33 kV power line.

Niklas Karlsson
May 23, 2012, 1:20:22 PM
On 2012-05-22, E.P.Sporgersi <E.P.Sporgersi> wrote:
> Of course. The key skill for a security consultant is convincing the
> local BOFHen to run his crummy little shell script as root on their
> system, so he can have it generate the appropriate document.

The one I was exposed to didn't push a crummy shell script, instead
giving some individual commands to run (various finds, among other
things) and asking for the output to be sent back to him.

Then came back referring to a symlink as "a world-writable
world-executable setuid file".

Niklas
--
Dark chocolate and stem ginger--though tasty--are probably sub-optimal
materials for constructing FTL-capable spaceships. --Tanuki

Paul
May 23, 2012, 3:15:52 PM
Niklas Karlsson <ank...@yahoo.se> wrote in
news:a24kim...@mid.individual.net:

> On 2012-05-22, E.P.Sporgersi <E.P.Sporgersi> wrote:
>> Of course. The key skill for a security consultant is convincing
>> the local BOFHen to run his crummy little shell script as root on
>> their system, so he can have it generate the appropriate
>> document.
>
> The one I was exposed to didn't push a crummy shell script,
> instead giving some individual commands to run (various finds,
> among other things) and asking for the output to be sent back to
> him.
>
> Then came back referring to a symlink as "a world-writable
> world-executable setuid file".

A little learning is a dangerous thing...

--
Paul the Legacy Server
Full Recovery reached May 30, 2008
"People can be educated beyond their intelligence"
-- Marilyn vos Savant

John Burnham
May 24, 2012, 11:03:07 AM
On Tue, 22 May 2012 13:19:05 -0700, Lee Ann Goldstein wrote:

> Some years ago the Cevpr Jngreubhfr guys came here with such a script. I
> of course looked the thing over first, said, "This won't give you the
> information you want," and rewrote it. Cleanly.

My response to a similar request was "You want me to run an unknown
script as root on one of my servers? No."

J

Mike Andrews
May 24, 2012, 11:16:46 AM
John Burnham <jo...@jaka.demon.co.uk> wrote in <p7h*Qn...@news.chiark.greenend.org.uk>:
Obviously it was a test; running it would have caused you to fail the audit.

--
I see that your skrode is not running current-level code for one
or more functions. Just a minute. There! Now, go update the code
of every skrode you happen upon. Welcome to our Brave New Bligh^W
Universe. And don't feel compelled to do any of this. Just do it.

David Cameron Staples
May 24, 2012, 8:08:16 PM
On 25/05/12 1:16 AM, Mike Andrews wrote:
> John Burnham <jo...@jaka.demon.co.uk> wrote in <p7h*Qn...@news.chiark.greenend.org.uk>:
>
>> On Tue, 22 May 2012 13:19:05 -0700, Lee Ann Goldstein wrote:
>>
>>> Some years ago the Cevpr Jngreubhfr guys came here with such a script. I
>>> of course looked the thing over first, said, "This won't give you the
>>> information you want," and rewrote it. Cleanly.
>>
>> My response to a similar request was "You want me to run an unknown
>> script as root on one of my servers? No."
>
> Obviously it was a test; running it would have caused you to fail the audit.
>

That was my interpretation of the script they wanted us to run as root
on our servers. Especially the part where it wanted to snarf a copy of
/etc/shadow.

I said exactly that to the people making the request: If I were running
a security audit of you, and I asked for /etc/shadow, and you *gave* it
to me, then you would fail. If you gave it to me without even asking
questions about it, you would fail twice.

I also fixed the script so that it didn't try to run any of the global
finds over the AFS mounts. They still, as far as I know, haven't fixed
their upstream script.

Don't even ask about the java binary they wanted us to run as root.
Just... don't.

--
David Cameron Staples | staples AT unimelb DOT edu DOT au
Melbourne University | ITS | Hosting | Unix Operations
gravity is a resource hog. -- bash.org/?243112
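Two of the complaints in this thread come from the same class of mistake in an audit script: Niklas's consultant called a symlink "a world-writable world-executable setuid file" (a symlink's mode reads lrwxrwxrwx, so any permission test that is not limited to regular files matches every link on the box), and the script David fixed ran its global finds straight across the AFS mounts. The script below is an added example, not code from this thread or from any consultancy it mocks; the sample tree, file names and mode bits are constructed here so it runs offline in a temporary directory. It puts the naive check beside the corrected one (`-type f` to skip symlinks, `-xdev` to stay on the starting filesystem) and reports setuid and world-writable regular files separately:

```shell
#!/bin/sh
# Added example (not from the thread): an audit check for setuid and
# world-writable files that avoids the two mistakes described above.
#   1. A symbolic link carries the mode lrwxrwxrwx, so a permission test that
#      does not restrict itself to regular files reports every symlink as a
#      "world-writable world-executable" file. Fix: add -type f.
#   2. An unbounded find walks onto network mounts such as AFS or NFS.
#      Fix: -xdev keeps it on the filesystem it started in.
# Everything below is created in a temporary directory (constructed sample
# data) so the script touches nothing else on the host.

# Build a small constructed sample tree and print its path.
make_sample_tree() {
    dir=$(mktemp -d)
    : > "$dir/plain";     chmod 0644 "$dir/plain"       # ordinary file
    : > "$dir/suid_tool"; chmod 4755 "$dir/suid_tool"   # setuid, not world-writable
    : > "$dir/scratch";   chmod 0666 "$dir/scratch"     # world-writable, not executable
    ln -s /bin/sh "$dir/link_to_sh"                     # symlink: mode reads as 777
    printf '%s\n' "$dir"
}

# The naive test: anything with o+w and o+x set. find uses lstat by default,
# so the symlink's own 777 mode matches and it is reported.
naive_check() {
    find "$1" -perm -o+w -perm -o+x
}

# Corrected checks: regular files only, and stay on the starting filesystem.
audit_setuid() {
    find "$1" -xdev -type f -perm -4000
}
audit_world_writable() {
    find "$1" -xdev -type f -perm -o+w
}

# Human-readable report of what the corrected checks found.
report() {
    root=$1
    echo "setuid regular files under $root:"
    audit_setuid "$root" | sed 's/^/  /'
    echo "world-writable regular files under $root:"
    audit_world_writable "$root" | sed 's/^/  /'
}

# Stand-alone run: the naive check lists only link_to_sh; the corrected
# checks list suid_tool and scratch respectively.
sample=$(make_sample_tree)
echo "naive check reports:"; naive_check "$sample" | sed 's/^/  /'
report "$sample"
rm -rf "$sample"
```

Note that the corrected checks still never copy anything off the host: they list paths, which is all an auditor needs to ask a question about a file, and nothing in them requires a copy of /etc/shadow.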

Peter H. Coffin
May 24, 2012, 10:27:05 PM
On Fri, 25 May 2012 00:08:16 GMT, David Cameron Staples wrote:

> On 25/05/12 1:16 AM, Mike Andrews wrote:
>
>> John Burnham <jo...@jaka.demon.co.uk> wrote in
>> <p7h*Qn...@news.chiark.greenend.org.uk>:
>>
>>> On Tue, 22 May 2012 13:19:05 -0700, Lee Ann Goldstein wrote:
>>>
>>>> Some years ago the Cevpr Jngreubhfr guys came here with such a
>>>> script. I of course looked the thing over first, said, "This won't
>>>> give you the information you want," and rewrote it. Cleanly.
>>>
>>> My response to a similar request was "You want me to run an
>>> unknown script as root on one of my servers? No."
>>
>> Obviously it was a test; running it would have caused you to fail the
>> audit.
>
>
> That was my interpretation of the script they wanted us to run as root
> on our servers. Especially the part where it wanted to snarf a copy of
> /etc/shadow.

I keep wanting to respond to such things with "If you think my security
is that crap, you can get that stuff without my help. If you can't, it's
secure enough."

--
12. One of my advisors will be an average five-year-old child. Any
flaws in my plan that he is able to spot will be corrected before
implementation.
--Peter Anspach's list of things to do as an Evil Overlord

Shmuel Metz
May 25, 2012, 9:19:59 AM
In <4fbecd6e$1...@news.unimelb.edu.au>, on 05/25/2012
at 12:08 AM, David Cameron Staples <sta...@unimelb.edu.au.NOSPAM>
said:

>Don't even ask about the java binary they wanted us to run as root.

The smart money says that we (TINW) would run screaming from the room
if you told us (TINU), so there is no risk that we will ask you to
tell us, although we might ask you to tell some disliked third party.

--
Shmuel (Seymour J.) Metz <http://patriot.net/~shmuel> ISO position
Reply to domain Patriot dot net user shmuel+bspfh to contact me.
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)

David Cameron Staples
May 26, 2012, 11:54:53 PM
On Sat, 26 May 2012 20:15:45 -0400, AdB wrote:

> David Cameron Staples posted thus:
>>Don't even ask about the java binary they wanted us to run as root.
>>Just... don't.
>
> $JRE: Not found.

Sun JRE was installed, because this webserver is running Tomcat.
Oh, if only their scripts to analyse the security of a web server knew of
the existence of such a thing as Tomcat.

Strangely, their scans didn't tell them much.

And let us not get into the Perl scripts they wanted us to run, which
required us to install modules into the system for it to work.

Yeah... no.
