[TriLUG] ethical hacking?

[rpjday]

On Mon, 27 May 2002, Greg Brown wrote:

> I've been reading about system security (one of my most favorite subjects 
> here  on trilug) and I'm wondering if there should be some kind of ethical 
> hacking group established.  The reason for this is some of us think we have a 
> more or less secure system attached to TWC or DSL and it would be nice to 
> know if there are any holes in our systems that allow access.
> 
> I think it would be a good idea to come up with a common filename, such as 
> trilug.readme (or whatever) containing a unique text string.  If someone on 
> trilug hacks our system and e-mails back the text string we know we have a 
> security hole - and the person that finds the hole MUST say how they were 
> able to compromise the security of the system (so we can fix it).
> 
> Does anyone else think this is a good idea?

i think there might be some logistical problems and consequences
with something like this.

first, it's fair to assume that part of the rules is that the
"hacker" couldn't actually damage or modify the target machine
in any way.  but a lot of hacks involve just that -- making
modifications to the target host in order to gain access.
if you're not allowed to change anything, you're already defining
a particularly weak attack that makes it unrealistically simple
and easy to defend against.

second, any kind of attack might set off intrusion detection (ID)
alarms on the target host that might cause it to tighten security
automatically (think portsentry).  this might be more than a bit
inconvenient for the target, who suddenly finds his/her access to
the net restricted.  (i don't know if this constitutes a real issue --
i'm still thinking about that.)

third, even if this is a "friendly" hack, there might be intermediate
nodes -- perhaps someone's ISP -- that takes the evidence of a "hack"
very seriously, and someone could get in major trouble.

finally, it adds uncertainty into how seriously you might take
being probed or port-scanned.  is it a real hack?  or just one of
your buddies testing things out?  i would not want to make that
kind of judgment call.  better, in my opinion, to treat every
probe or your host as malicious and take it seriously.

rather than get others to hack your host, i think there can be
a discussion of how to harden your *own* host.  you can't always
get a friend to try to attack you from the outside, but everyone
can test their own host, which makes that a more useful exercise.
testing your own security could involve discussing things like
the bastille hardening scripts, running "netstat" to see which
ports on your hosts are listening, "nmap"ing yourself, and so
on.

bob toxen's book "real world linux security" has chapters along
these lines, like "hardening your system", "scanning your own
system," and so on.  anyway, just some random thoughts.

rday