Frackin script kiddies!!
Jarod Wilson
jarod-ajLrJawYSntWk0Htik3J/w at public.gmane.org
Tue Aug 3 01:18:32 EDT 2010
On Tue, Aug 3, 2010 at 12:46 AM, David Kramer <david-8uUts6sDVDvs2Lz0fTdYFQ at public.gmane.org> wrote:
> Jarod Wilson wrote:
>> On Mon, Aug 2, 2010 at 11:55 PM, Richard Pieri <richard.pieri-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org> wrote:
>>> Wrapping HTTP in SSL offers no protection to your server. None. Zilch. Nada. It protects the end to end traffic. An attacker still has access to your authentication mechanism and can just as easily launch a brute force or exploit attack against it as he could if the traffic were clear instead of encrypted.
>>
>> They can launch the same brute force attack and/or go for exploits
>> against ssh. Or an ipsec vpn. Or anything public-facing. But
>> seriously, who is going to expend the effort brute-force attacking my
>> mythtv box to delete some recordings?
>
> Who would expend ANY effort attacking my machine and deleting the
> recordings? Apparently several people. What did they gain? They got
> to show off their super-duper mad skills (i.e. running a script they
> found on the internet) to cause someone else pain.
>
> Keep in mind it's the computer doing the brute forcing, not the person.
> It's no skin off of their back if it takes their script a few minutes
> or hours to do it. They can be out tripping old ladies or selling
> drugs while my machine is decimated.
Sure, I suppose. A brute-force attack with a solid password takes more
than a few hours though. These idiots are probably much more the
instant-gratification and no actual skill type.
Adding SSL and a password most certainly *does* provide added
protection. I know *I* feel like my car is less likely to be stolen if
I lock the doors, roll up the windows and take the key with me,
anyway. Sure, it can still happen, but its a lot less likely.
--
Jarod Wilson
jarod-ajLrJawYSntWk0Htik3J/w at public.gmane.org
More information about the Discuss
mailing list