Re: whitehat

[alex black <enigma@turingstudio.com>]

--- Alvin Oga <aoga@mail.Linux-Consulting.com> wrote:
> questions for you
> - what else is in the goals for the security test,
> where i'm not
>   using audit, pen-test, assessments and other
> "security words"

Just to see if you can get in, that's all.

> - what is the consequence if some
> whitehat/grayhat/blackhat/malicioushat
>   does get into the box, what is the
> process/proceedure/consequences
>   and follow up costs to cleanup vs shutdown/change
> the product line

Not much, frankly. The idea here is to have someone that is not 
malicious, but is skilled, to attempt to crack the box. If they can, 
I'd like to know how. The box is not running a full production 
application at the moment, there is zero valuable data on it. Also, see 
below...

> 1. How do we know know Mr Black is who he says he is?

You are free to contact both me (by phone or email), and my provider, 
Aktiom Networks: info@aktiom.net and ask them about me. I have provided 
a complete sig with an address, phone number, business name, etc. Do a 
search for my name and 'binarycloud', I appear a lot. Uhm, come to my 
office and meet me if you're in the bay area, CA :)

> 2. How can we confirm the machine details he supplies
> are actually details of a machine that he owns?

See response to #1

> 3. How can I prove that he is not actually a skid
> trying to learn how to crack a debian box (which he
> has set up) so that he can then go on to crack some he
> has ssh passwords to after successfully brute forcing
> some on a network somewhere.

Security by obscurity has never proven very useful, and if I was a 
wannabe-skriptkiddie, one would think I wouldn't post here claiming to 
be who I am, provide a phone number, and... there are a lot better 
places for me to look if I was interested in that.

> 1. How will you know that whoever replies to your
> email isn't a lurking cracker. I am sure there are
> plenty on this list considering the topic.

I will ask them to sign a contractor agreement with my company, which 
requires a fax. I will ask for references, which are hard to construct 
from nothing. I will offer payment, which requires details of an 
address, phone number, and social security number. It's really not that 
hard.

> 2. In the event that they are is the machine
> sufficiently isolated that it being compromised will
> not affect the rest of your or anyone elses network.

Yes. Also the idea is not to offer the machine as a honeypot. I want an 
individual or preferably an individual associated with an organization 
to attempt to crack a box with my permission under the terms of a 
contract. So the idea is not to crack a box and then see if they can 
launch a DDos with it - just to see if they can get in.

> 3. Do you have a procedure to wipe the machine after
> the tests are done in a timely fashion. You asked for
> a summary of what took place on the machine, perhaps
> you should be monitoring the activity on the machine
> yourself.

No, DUH really? I thought I would just have someone do the test and not 
bother to login to the machine and watch what's happening. I'm a total 
n00b idiot and I'm looking for a l33t haxx0r to teach me evv43t1ng I 
nned to kn0.

The whole point of the test will be for me to monitor what's happening 
in cooperation with the whitehat, but not offer any resistance to the 
attack. My threshold for success is that the config is not crackable by 
itself, without any defense or assistance from me as root during an 
attack, even though in a "real" attack I would act as such.

I think i've sealed the config so tight that it is not vulnerable to 
any known/public exploits, and besides all the happy scanning tools and 
all that, I'd like to have the opinion or someone with excellent 
knowledge of debian security.


*** Please cc me on any responses.  ***

thanks,

_alex


--
alex black, founder
the turing studio, inc.

510.666.0074
root@turingstudio.com
http://www.turingstudio.com

2600 10th street, suite 635
berkeley, ca 94710