It's usually easier to gain access to a resource by exploiting those who have the perms you seek.
On Aug 10, 2013 1:37 PM, "Sean Alexandre" <sean@alexan.org> wrote:
>
> On Sat, Aug 10, 2013 at 12:42:16PM +0200, Lodewijk andré de la porte wrote:
> > 2013/8/9 Sean Alexandre <sean@alexan.org>
> >
> > > Or, maybe it was cover-up, to get the information "legally." But I'm
> > > guessing
> > > they really couldn't get what they wanted.
> > >
> >
> > This. They don't want to show people what power they have. So they use the
> > "most public method", letters. They are very, very, very aware of what you
> > might guess. You have to remember they could legally prevent him from
> > saying he even received letters, they have done so in the past.
> >
> > Why haven't they now? Might it have to do with your assumptions? Or is it as
> > innocent as genuinely not wanting to cause more harm than needed?
> >
> > Do you think the NSA is innocent?
>
> I can't really argue with that. I think it's very possible this is just
> "parallel construction" where they want to cover their tracks and say they got
> things "legally."
>
> Still, I have to hope it's possible to run a service such as Lavabit and have
> it be so locked down that it can't be backdoored. Nothing can be 100% secure,
> but secure enough that it's very, very unlikely.
>
> I'd like to see a github project that has scripts (puppet?) to take a fresh Debian
> box and lock it down as much as possible, running only ssh.
>
> Those scripts could be used to create a CTF box sitting out on the open
> Internet, for others to try and hack into. Pen test it to death. Update the
> scripts. Make the config as perfect as possible.
>
> Then others could take those scripts and add more modules to them, for other
> services: exim, dovecot, apache, roundcube. People could pick and choose which
> they want to run.
>
> Put different boxes out there, as other CTF machines to pentest.
>
> Make it fun. Give people rewards, or some kind of recognition, if they can break
> into the box.
>
> "Encryption works," we know. End-point security's the weak link. This could be
> a way to shore that up.
>
> Thoughts?
>

These types of competitions are neat; skilled attackers aren't really incentivized to sink 0days on CTF games when there's a huge payoff for responsibly disclosing, not to mention the potential payoff of malicious use of an Apache code exec.

Your best bet is relying on operating systems with a good track record, using a capabilities-based security model (PaX + grsecurity on *nix). Routine administrative bits: least privilege, patches, hardened binaries, isolation.
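The "fresh Debian box, locked down, running only ssh" idea above is concrete enough to script, so here is an added example in POSIX sh. It is not code from the thread or from any project: the function names, the baseline directive values, the sample sshd_config and the drop-in path mentioned in the generated header are all constructed for illustration. Every directive used is a real sshd_config(5) keyword and the ruleset is plain nftables syntax (in 2013 the same policy would have been iptables). The audit function implements two things people usually get wrong when grepping an sshd_config: sshd takes the first occurrence of a directive, and anything after a Match line is conditional, not global.

```shell
#!/bin/sh
# Added example (not from the thread): audit and generate config for an
# SSH-only Debian box. All names and values below are illustrative choices.

# Baseline, one "Directive value" per line. Conservative settings for a host
# that exposes nothing but public-key SSH; adjust to taste, but keep it short.
SSHD_BASELINE='PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
X11Forwarding no
AllowTcpForwarding no
AllowAgentForwarding no
MaxAuthTries 3
LoginGraceTime 20'

# effective_value FILE DIRECTIVE
# Prints the value sshd would use for a *global* directive in FILE:
#   keywords are case-insensitive, the first occurrence wins (sshd_config(5)),
#   comments and blank lines are skipped, and nothing after the first "Match"
#   line counts because those settings are conditional.
# Prints nothing when the directive is absent. "Key=value" syntax and Include
# are not followed, so point it at the file sshd actually reads.
effective_value() {
    _key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$_key" '
        NF == 0 || $1 ~ /^#/   { next }
        tolower($1) == "match" { exit }
        tolower($1) == key     { print $2; exit }
    ' "$1"
}

# audit_sshd_config FILE
# Prints one line per baseline directive that is absent or differs and returns
# the number of findings as exit status (0 = compliant). "Absent" is a finding
# on purpose: compiled-in defaults differ between OpenSSH versions.
audit_sshd_config() {
    findings=0
    while read -r directive want; do
        [ -n "$directive" ] || continue
        got=$(effective_value "$1" "$directive")
        if [ -z "$got" ]; then
            printf '%s: not set (want %s)\n' "$directive" "$want"
            findings=$((findings + 1))
        elif [ "$got" != "$want" ]; then
            printf '%s: is %s (want %s)\n' "$directive" "$got" "$want"
            findings=$((findings + 1))
        fi
    done <<EOF
$SSHD_BASELINE
EOF
    return "$findings"
}

# write_hardened_sshd_config OUT
# Debian 11 and later ship an sshd_config starting with
# "Include /etc/ssh/sshd_config.d/*.conf", so a drop-in there is read first
# and therefore wins; on older releases merge the lines into sshd_config.
write_hardened_sshd_config() {
    {
        printf '# Generated SSH-only baseline. Drop into /etc/ssh/sshd_config.d/\n'
        printf '# (read first via Include) or merge into sshd_config, then\n'
        printf '# validate with: sshd -t\n'
        printf '%s\n' "$SSHD_BASELINE"
    } > "$1"
}

# write_ssh_only_ruleset OUT
# nftables ruleset for a host that exposes only SSH: loopback, established
# traffic and ICMP are allowed, new SSH connections are rate-limited, all other
# inbound traffic is dropped. Load with: nft -f OUT
write_ssh_only_ruleset() {
    cat > "$1" <<'EOF'
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        meta l4proto { icmp, ipv6-icmp } accept
        tcp dport 22 ct state new limit rate 10/minute accept
    }
    chain forward { type filter hook forward priority 0; policy drop; }
    chain output  { type filter hook output  priority 0; policy accept; }
}
EOF
}

# write_sample_weak_config OUT
# Constructed sample resembling a stock config (not any real host's file).
# Note the commented-out directive and the one that only appears under Match.
write_sample_weak_config() {
    cat > "$1" <<'EOF'
# constructed sample for the audit demo
Port 22
PermitRootLogin yes
#PubkeyAuthentication yes
PasswordAuthentication yes
X11Forwarding yes
Match User backup
    AllowTcpForwarding no
EOF
}

# Usage: sh harden.sh audit /etc/ssh/sshd_config
#        sh harden.sh generate /tmp/99-hardening.conf /tmp/ssh-only.nft
case "${1:-}" in
    audit)    audit_sshd_config "$2" ;;
    generate) write_hardened_sshd_config "$2"; write_ssh_only_ruleset "$3" ;;
esac
```

Against the sample file the audit reports nine findings, including AllowTcpForwarding as "not set" even though the string appears in the file, because it only appears under the Match block. That is the caveat worth carrying into any Puppet module built from this: check what sshd resolves, not what grep finds, and run sshd -t before restarting.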