Re: A question of Security

Michael H. Warfield (mhw@wittsend.com)
Tue, 21 Dec 1999 16:17:12 -0500


On Tue, Dec 21, 1999 at 09:52:23PM +0100, jt@npdaxp.fuw.edu.pl wrote:
> >Date: Thu, 16 Dec 1999 14:58:27 -0500
> >From: "Michael H. Warfield" <mhw@wittsend.com>
>
> > Intuition, in this case, is wrong. The intruders (hackers, crackers,
> >script kiddies, bozos, if you want) have got better debugging tools and
> >reverse engineering tools than most developers I know and they know how
> >to use them and what to look for. You think the recent buffer overflows
> >found in Solaris snoop were from looking at the sources? I think not. You

> I suppose it is unlikely they use reverse engineering tools.

No, it is very likely they use reverse engineering tools. They
use (and develop their own) very good reverse engineering tools. I know
some of these guys. The good ones are VERY GOOD at what they do. You
would think they had the C code sitting in front of them. They play with
SoftICE like it was a musical instrument. They read binary hex dumps
like a comic book. They're better at reverse engineering than engineers
are because that's what they DO and what most engineers don't have to do.

> More likely they just have a similar system, and try sending
> illegal packets to it. When some server program crashes
> they look at the crash dump, register contents, etc. - whatever
> is available - and try to guess what such an illegal packet
> has to contain for it to allow getting control, and give
> any signal that this happened. When they succeed, the next step is
> putting there code which adds a user to /etc/passwd...

Cracking the CSS encryption algorithm was not done by
throwing packets at it. The MS-RPC algorithms were not done
by throwing packets at them (and we now can document those protocols
better than Microsoft's own internal documents - book on the way).
These were done by skilled people who were not interested in breaking
into systems. The guys that are interested in breaking into systems
are just as skillful.

> > Had one break a crypto algorithm by using a debugger to disassemble
> > it and cut and paste it into his own C code with an escape to assembler.

> In fact, it is possible. I myself wrote my own password crypt
> in C for Novell's NetWare this way (we planned writing a
> NetWare client for VMS here, but never had enough time;
> and the client library we bought was almost all in source
> except a few functions which used password crypt). A few days,
> a significant part of the time used to make the code better.

> Jerzy

Mike

-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw@WittsEnd.com
  (The Mad Wizard)      |  (770) 331-2437   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!