On Fri, 12 Feb 1999, Kragen Sitaker wrote:

> Once you'd found infected machines, you could exert complete control
> over them. A particularly obnoxious possibility: you could insert
> "logic bombs" into the disk firmware that would activate only when
> certain (long and rather improbable, perhaps a few hundred bytes) were
> read from the disk. Then spam people with a .gif containing that
> sequence, along with steganographically-encoded machine code. They
> extract the .gif onto their disk, nicely aligned with the beginning of
> a sector, and load it up with Netscape.

I think it's important to keep this particular exploit in perspective; an admin who didn't secure the network the filer was connected to is probably going to get hit with a much more prevalent DoS or exploit before someone goes to the trouble of rewriting their firmware. The amount of information you'd need to do that is just slightly above writing root shell exploits when you don't know the architecture you're trying to attack.

The point on firmware does hold true though. I think that what we're seeing here (and will likely continue to see as more appliances hit the market) is easier administration at the cost of security. I'll grant that that is a sweeping statement, but anytime you reduce the core functionality of a machine to do "just one thing", you lose out on the flexibility side, and that often includes security.

What NetApp admin wouldn't like to compile up a copy of SSH for their filer and turn off telnet? If the NFS server was a full unix server, that's a 10 minute task. With NetApp, the crypto-export laws make it a two-year plus 10 minute task.

I guess it all comes down to the individual admin. Do you want a box that you plug in, configure and leave alone even if it costs you on security, or do you want a full *nix box that will be very secure, but that you'll have to keep tabs on every day?

-- 
j.
James FitzGibbon jamesat_private System Engineer, ACC Global Net Voice/Fax (416)207-7171/7610
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:35:10 PDT