Elias Levy, SecurityFocus 2000-05-01
Security companies can make headlines by using the right jargon, even when it's wrong.
A couple of comments
2000-05-01
Anonymous (3 replies)
Re: A couple of comments
2000-05-01
Elias Levy <aleph1 (at) securityfocus (dot) com [email concealed]> (1 replies)
It's very simple. The Cart32 backdoor was specifically put in place and hidden by the developers so they could access the system when even the cart's operators could not (for example when they forgot their password). The RedHat case is nothing more than a default password, no different than hundreds of...
Re: A couple of comments
2000-05-01
Anonymous (1 replies)
This is a password that all of the RedHat developers knew. It allows them to access the system, whereas the system administrators could not. Legitimate system administrators couldn't even set the password as described in the documentation. Most of them probably thought this to be secure and inacc...
Re: A couple of comments
2000-05-01
Elias Levy <aleph1 (at) securityfocus (dot) com [email concealed]> (3 replies)
You are still missing the essence of a backdoor. One, it is deliberate. Two, it's intended to be used without the user's knowledge. Now obviously it's difficult to determine intent but it is more clear in some cases than others. And if we are to follow your logic then we would deem any default password a ...
Re: A couple of comments
2000-05-02
Anonymous (1 replies)
I posted the original post regarding "a couple of comments" and this is my follow-up...I didn't post the second "Anonymous" post...
I suppose Mr Levy is correct, though...I just don't see the difference between a default password that was "accidentally" left in place, and one that was purposely put...
Re: A couple of comments
2000-05-02
Elias Levy <aleph1 (at) securityfocus (dot) com [email concealed]>
Re: A couple of comments
2000-05-02
Anonymous (2 replies)
No, you are missing the point. A backdoor does not have to be intentional, nor does it have to be hidden. Where are you assuming these qualities from? Let's face it, Elias, the extent of your security knowledge is encompassed in one sentence "Do I either (A)ccept this post or (R)eject this post?"...
Re: A couple of comments
2000-05-02
Elias Levy <aleph1 (at) securityfocus (dot) com [email concealed]> (1 replies)
Maybe then you would like to provide us all with your definition of a backdoor, seeing as you believe yourself to be so highly qualified? Hmm....
Re: A couple of comments
2000-05-02
Anonymous (1 replies)
Mr. Levy:
I am sorry to say that I am disappointed that you permitted yourself to be drawn in by the snarky comments of the other writer. His personal attacks against you not only demonstrate his lack of professionalism, but detract from an otherwise useful discussion. Nonetheless, you should ...
Re: A couple of comments
2000-05-02
Elias Levy <aleph1 (at) securityfocus (dot) com [email concealed]>
There is no "dissing contest". I am truly interested in what his definition of a backdoor is. Unless he can provide a sound definition of it his attack on my definition of the phrase is meaningless. Of course it's somewhat difficult to have a conversation with someone that is anonymous as there is no proo...
Re: A definition from an observer
2000-05-03
Anonymous (1 replies)
Seeing your little debate on what a Back Door actually is I decided to look elsewhere...
The Jargon File (http://www.tuxedo.org/~esr/jargon/html/index.html) defines a backdoor as:
"[common] A hole in the security of a system deliberately left in place by designers or maintainers. The motivation ...
Re: A definition from an observer
2000-05-05
Anonymous
The Jargon file definition seems very right. A back-door is a way in that is not suspected by the owner, regardless of motivation.
I have written a number of web administration packages. And even though I am not super-security conscious, I have them all programmed so that the package *will no...
Re: A couple of comments
2000-05-02
Anonymous (1 replies)
I would tend to agree with Mr. Levy, in that the traditional meaning of a "backdoor" implies both intent and subterfuge, among other things. This is not the equivalent of a "default password", even though the potential outcome of exploiting either vulnerability is roughly the same.
What we are l...
Re: A couple of comments
2000-05-03
Anonymous
There is a document released by the National Security Agency that provides definitions for many security terms; it's centered on intrusion detection, but "backdoor" is a pretty nondescript term that could mean many things. The MIT jargon file or the "hackers dictionary" (I think that's what it's calle...
A couple of comments
2000-05-02
Matthew Pemble <matthew (at) idrach (dot) com [email concealed]>
Anybody who leaves the default passwords set on any kit (hardware or software) they install is asking for trouble. If it is true that Red Hat did not document the default password properly, that is bad news, but does not constitute a "backdoor". To be honest, they have left the front door open an...
Glad to see this...
2000-05-01
Anonymous
I agree with the idea here. Those headlines for both the Piranha and IIS 'backdoors' sent me scrambling to get more information, only to discover that neither is truly a hole in the software. But in the interest of getting all the news I suppose it will always be up to the reader to decide what is...
Simple solution.
2000-05-04
Anonymous
Keep the media out of Security, we don't need the mainstream hype here.
I think SF should start addressing the mainstream with clearly written articles without hype or the "OH MY GOD - THEY'VE KILLED WWW.KENNY.COM"- and "WE'RE ALL GONNA DIE!!!"-like journalism offered by other media, even if the e...

"A backdoor is normally understood in computer security circles to refer to a system vulnerability
deliberately put in place by system designers or operators such that it would allow them to bypass
normal security checks. The "wemilo" password discovered in the C...