[Beowulf] Re: "hobbyists"es

Robert G. Brown rgb at phy.duke.edu
Sun Jun 22 08:02:44 PDT 2008


On Sat, 21 Jun 2008, Perry E. Metzger wrote:

>> It's really, really hard to crack a site invisibly when every IP number
>> that talks to it or that it talks to is isolated in real time and
>> compared to a list you set up and control and sets off all sorts of
>> alarms if any sort of anomalous or unapproved pattern occurs.
>
> There are some really, really clever exploits out there. If you want
> to terrify yourself, start reading up on ethernet card firmware
> exploits. You can do astonishing things once you own the ethernet card
> on a modern machine -- you have a real processor with DMA access to
> the whole of main memory at your disposal. If you want to get even
> worse, here is the paper from a month ago about designing exploits in
> to microprocessors directly...


No, no, no.  If I went and read all of that, I'd have to start adding
lexipro to my morning orange juice, and it makes the vodka taste
horrible.

Pardon me, I have to go pull the plug on my home DSL modem now, install
dual-isolation on my system power supply, stop using wireless
altogether, and install a self-destruct circuit on the USB fob I use to
boot my working system...;-)

Seriously, you've convinced me that it is time to revising the secureid
issue, although to me the PITA isn't the pain of typing it in, it is the
pain of carrying it and having to have it with you in order to access
"the network".  And possibly the PITA of having to install it on an
enterprise basis in a complex and heterogeneous environment so one
doesn't end up having to carry a dozen of the damn things.  I will
dutifully mention it to the powers at Duke.  If we can architect it so
that just one central auth system works for the entire campus and
medical center (which is as much a POLITICAL problem as it is a
technical problem) without altering the balance of power as it were, and
it weren't horribly expensive, maybe it might fly.  Alas, though, I'm no
longer good buddies with the security czar.  In fact, I'm not sure we
have a security czar at all at this moment.

I'm now abandoning the thread, BTW, in deference to your being on
vacation and my having an insane amount of work to do before leaving on
my, um, "teach at the beach" summer that will mix vacation and work in
equal measure, I hope.  It has been very interesting.  And useful.

    rgb

-- 
Robert G. Brown                            Phone(cell): 1-919-280-8443
Duke University Physics Dept, Box 90305
Durham, N.C. 27708-0305
Web: http://www.phy.duke.edu/~rgb
Book of Lilith Website: http://www.phy.duke.edu/~rgb/Lilith/Lilith.php
Lulu Bookstore: http://stores.lulu.com/store.php?fAcctID=877977



More information about the Beowulf mailing list