The Center for Education and Research in Information Assurance and Security (CERIAS)

The Center for Education and Research in
Information Assurance and Security (CERIAS)

An old canard reappears (sort of)

Share:

I have a set of keywords registered with Google Alerts that result in a notification whenever they show up in a new posting. This helps me keep track of some particular topics of interest.

One of them popped up recently with a link to a review and some comments about a book I co-authored (Practical Unix & Internet Security, 3rd Edition). The latest revision is over 6 years old, but still seems to be popular with many security professionals; some of the specific material is out of date, but much of the general material is still applicable and is likely to be applicable for many years yet to come. At the time we wrote the first edition of the book there were only one or two books on computer security, so we included more material to make this a useful text and reference.

In general, I don't respond to reviews of my work unless there is an error of fact, and not always even then. If people like the book, great. If they don't, well, they're entitled to their opinions -- no matter how ignorant and ill-informed they may be. grin   

This particular posting included reviews from Amazon that must have been posted about the 2nd edition of the book, nearly a decade old, although their dates as listed on this site make it look like they are recent. I don't recall seeing all of the reviews before this.

One of the responses in this case was somewhat critical of me rather than the book: the text by James Rothschadl. I'm not bothered by his criticism of my knowledge of security issues. Generally, hackers who specialize in the latest attacks dismiss anyone not versed in their tools as ignorant, so I have heard this kind of criticism before. It is still the case that the "elite" hackers who specialize in the latest penetration tools think that they are the most informed about all things security. Sadly, some decision-makers believe this too, much to their later regret, usually because they depend on penetration analysis as their primary security mechanism.

What triggered this blog posting was when I read the comments that included the repetition of erroneous information originally in the book Underground by Suelette Dreyfus. In that book, Ms. Dreyfus recounted the exploits of various hackers and miscreants -- according to them. One such claim, made by a couple of hackers, was that they had broken into my account circa 1990. I do not think Ms. Dreyfus sought independent verification of this, because the story is not completely correct. Despite this, some people have gleefully pointed this out as "Spaf got hacked."

There are two problems with this tale. First, the computer account they broke into was on the CS department machines at Purdue. It was not a machine I administered (and for which I did not have administrator rights) -- it was on shared a shared faculty machine. Thus, the perps succeeded in getting into a machine run by university staff that happened to have my account name but which I did not maintain. That particular instance came about because of a machine crash, and the staff restored the system from an older backup tape. There had been a security patch applied between the backup and the crash, and the staff didn't realize that the patch needed to be reapplied after the backup.

But that isn't the main problem with this story: rather, the account they broke into wasn't my real account! My real account was on another machine that they didn't find. Instead, the account they penetrated was a public "decoy" account that was instrumented to detect such behavior, and that contained "bait" files. For instance, the perps downloaded a copy of what they thought was the Internet Worm source code. It was actually a copy of the code with key parts missing, and some key variables and algorithms changed such that it would partially compile but not run correctly. No big deal.

Actually, I got log information on the whole event. It was duly provided to law enforcement authorities, and I seem to recall that it helped lead to the arrest of one of them (but I don't recall the details about whether there was a prosecution -- it was 20 years ago, after all).

At least 3 penetrations of the decoy account in the early 1990s provided information to law enforcement agencies, as well as inspired my design of Tripwire. I ran decoys for several years (and may be doing so to this day grin. I always had a separate, locked down account for personal use, and even now keep certain sensitive files encrypted on removable media that is only mounted when the underlying host is offline. I understand the use of defense-in-depth, and the use of different levels of protection for different kinds of information. I have great confidence in the skills of our current system admins. Still, I administer a second set of controls on some systems. But i also realize that those defenses may not be enough against really determined, resourced attacks. So, if someone wants to spend the time and effort to get in, fine, but they won't find much of interest -- and they may be providing data for my own research in the process!

Comments

Posted by David Forer
on Saturday, December 12, 2009 at 01:38 PM

My takeaways:

First thing we all must be aware of in this day and age is reputation management. With Google using real time search it is very easy for this type of malicious information just show up. Kudos to you for using Google Alerts and following it. Secondly this post is actually a great outline on how to set up security measures. I realize it was not your intent but it really does lay out a way for companies to set up great security. Great Post

Posted by Clive Robinson
on Sunday, December 13, 2009 at 07:06 AM

Spaf,

You have my sympathies.

Many Many years ago I was on the edge of the “HRH Prince Phillip” cracker incident (which is almost as old as some of his jokes wink

The story was involved and complicated and resulted in the Robert Schifren and Steve Gold trial for fraud.

The story has developed a life of it’s own and several different incidents appear to have been rolled into one by various authors.

Not to name names but I was working at a UK Uni at the end of the last century and one of the senior accademics in one of the business related Depts. Wrote a book with the story so changed and mangaled It was barely recognisable and read like one of those “Flying Fortress found on the moon” stories.

I poped along to see the author and asked if he would like all the relevant facts to the story. Where upon I was informed very curtly that he had done his research and how dare I suggest otherwise…

As has often been observed “you can lead a horse to water but you can’t make it drink”...

Posted by Tom
on Thursday, December 17, 2009 at 05:41 PM

that is a pretty good way to use google alerts.  I am amazed at how many useful utilities google has come out with recently.

Posted by Tim Edwards
on Wednesday, January 27, 2010 at 11:43 PM

Wow, it has been awhile since I heard Tripwire mentioned.  I always wondered why this never got the traction mainstream that it deserved.  Back in the day, PGP, Tripwire and Network Flight Recorder were some of the favorite toys to play around with.  Miss those days.

Posted by Gareth Hughes
on Saturday, March 13, 2010 at 05:35 PM

Having also read Underground, I would say Dreyfus could be better equipped to writing engaging fiction. I think there are quite a few claims within that point where she didn’t obtain indepedent verification.

Leave a comment

Commenting is not available in this section entry.