Shocked from a transformer

An auto-immune system allows 'germs' to attack the host, so that the adaptive immune system learns.

Actually, the adaptive immune system is activated by macrophages and dendritic cells as they destroy the pathogen. The innate immune system starts attacking immediately, as well as activating the more effective specific immune system via T-Lymphocyte activation. Except in an individual with compromised immune system, a pathogen is never left to invade unhindered.

As for allowing hackers to penetrate security systems, that's not the case either. People caught hacking into a system without permissions are put in prison. They may hire professional hackers to attempt to gain access to their system and report the result to them, but I hardly think that compares to exposing the system to an actual attack.
 
As for allowing hackers to penetrate security systems, that's not the case either.

Sorry to bear bad news but in the real world, that is exactly the case.

Just like the fictional concept of the Borg in Star Trek NG, who become strengthened in response to attack. Hackers are allowed to penetrate, perhaps into a 'walled garden', under the watchful eye of system administrators, who respond by strengthening as required, and no more, probably also because if it was perfect they would be doing themselves out of a job. The 'hackers' you hear of on the news are people that had been made an example of, while the vast majority are anonymous, just like the majority of people exceeding the speed limit are doing so between speed cameras.
 
Just like the fictional concept of the Borg in Star Trek NG, who become strengthened in response to attack. Hackers are allowed to penetrate, under the watchful eye of system administrators, who respond by strengthening as required, and no more, probably also because if it was perfect they would be doing themselves out of a job. The 'hackers' you hear of on the news are people that had been made an example of, while the vast majority are anonymous, just like the majority of people exceeding the speed limit are doing so between speed cameras.

Return to the real world for a moment. No responsible system administrator would intentionally allow an unknown hacker to breach their network. Penetration testing is a useful tool for testing security, and it is used to attempt to prevent real attacks succeeding.

Monitoring how hackers are attempting to gain access and correcting the potential flaw they are attempting to exploit certainly takes place, but you don't just open the doors for hackers. Case in point, I noticed repeated failed attempts in my server logs from script kiddies attempting to dictionary-attack administrator passwords using a list of common usernames for FTP and SSH. I responded by installing fail2ban, which temporarily bans an IP after a specific number of failed attempts. Ergo I have removed a security issue without having to learn about it the hard way ;)

**broken link removed**


Anyway this discussion is becoming less and less relevant so let's just agree that our approaches to minimising electric shock risk are different but both may have their merits :p

PS. Sorry about the picture, it just seemed far too appropriate to pass up on :D
 
It's very relevant to the point I was making. :)

As you just indicated, responsible and smart admins are learning the risks all the time, it's an ongoing process, and as you described, you yourself allowed a degree of penetration into your defences first.

If you had the monetary resources, you can buy and add on every available security product to address every 'threat' and not trust anyone or anything (perhaps only trust the 'reputation' of the security product suppliers), or.... you compromise, like you did. Even if you could afford all the security, would you play all your cards in one go?

I'm sure you realise that believing your security system is "perfect" and that it no longer requires any improvement, paves a clear path for a painful denial when a major security breach (electric shock) occurs. The old saying... pride comes before a fall.
 
you yourself allowed a degree of penetration into your defences first.

They didn't manage to penetrate, they never even managed to guess any of the usernames right, let alone passwords :D and I certainly didn't 'allow' them to do so, I took immediate action to prevent their attempts.

marcbarker said:
I'm sure you realise that believing your security system is "perfect" and that it no longer requires any improvement, paves a clear path for a painful denial when a major security breach (electric shock) occurs. The old saying... pride comes before a fall.

That's more or less exactly my point - I take perhaps more precautions than strictly necessary when dealing with potentially harmful voltage to prevent it occurring. I recognise that the internal insulation could never be perfect so I add redundancy to doubly protect users. (Or with the transformer I was testing, I recognise that although my knowledge of transformers leads me to believe that the core should not have any charge and should not be able to shock me, the fact that a small short-circuit between the primary (mains) winding and the core would happily make me fizzle if I touched it)

Anyway, as I said, I don't think this debate is going to come to an easy resolution so let it be known that we have differing opinions and the OP can decide for himself what's appropriate for his device :p
 
People caught hacking into a system without permissions are put in prison.

How many years did your hackers get for attempting to breach your FTP server security?

Sorry, but by your own admission you effectively gave your hackers permission to try, because you responded afterwards, and not before!

Like you say: "a pathogen is never left to invade unhindered", just like police will allow a crime to be committed first before arresting, the pathogen needs to be recognised doing its job.

I recognise that the internal insulation could never be perfect so I add redundancy

What if there was an unknown chemical defect in the material each insulation is made with?

By the way, the caretaker (tough as old boots he was) in my old school used to test light sockets by touching to feel if they are live. It was a trick he picked up that was popular when an Avometer cost the equivalent of a month's wages. And when cable was being tested a century ago, they used to employ a boy to guide the live cable onto the drum, who would let go if he got a shock!
 
Return to the real world for a moment. No responsible system administrator would intentionally allow an unknown hacker to breach their network. Penetration testing is a useful tool for testing security, and it is used to attempt to prevent real attacks succeeding.

Monitoring how hackers are attempting to gain access and correcting the potential flaw they are attempting to exploit certainly takes place, but you don't just open the doors for hackers. Case in point, I noticed repeated failed attempts in my server logs from script kiddies attempting to dictionary-attack administrator passwords using a list of common usernames for FTP and SSH. I responded by installing fail2ban, which temporarily bans an IP after a specific number of failed attempts. Ergo I have removed a security issue without having to learn about it the hard way ;)

I know I'm wading in when the discussion is pretty much over :) but I'd have to say that IMHO you're both right. Responsible admins don't just let attackers in to watch what they're doing, but it's not that uncommon to set up a honeynet or honeypot to do exactly that--or rather, to *appear* to do exactly that. The honey(net|pot) is intended to make the attacker think they're in, and gives them something to chew on while the admins watch. It lets the admins study the techniques being used and, if there are new techniques being used, hopefully helps with the design of better countermeasures.

As Giftig notes (am I getting that name right?) this isn't quite the same as just letting the attacker in--although if done right, that's what it looks like from where the attacker is sitting.

I suspect that's what Marc was getting at and that Giftig also knows this--just thought I'd give the technique its name for anybody else who stumbles across the thread later on.


Cheers!

Torben
 
set up a honeynet or honeypot to do exactly that--or rather, to *appear* to do exactly that. The honey(net|pot) is intended to make the attacker think they're in, and gives them something to chew on while the admins watch. It lets the admins study the techniques being used

Yes that's part of what I was trying to say. A honey pot trap is a bit like "Thirteenth Floor".

But contemporary security is like a strategic conflict, the admins don't implement everything (like DEFCON1) all in one go. That would be like McAfee and Norton releasing too much security too quickly which would kill off their market dependency, if they did that, they would have to resort to scaremongering to sell their product instead.
 
Go figure, McAfee and Norton would not be if not for hackers. Who would you want to keep working??????? LOL
 
The way that NAV and McAfee slooooooooooooooowwwwww down workstations with memory leaks and bandwidth hogging updates, it's as though it's doing the work of the viruses for them!
 
How many years did your hackers get for attempting to breach your FTP server security?

Do try not to be so literal :rolleyes: I did, however, contact the server administrators for the origins of the attacks (which were mainly cheap web hosts) and in a couple of cases I was informed the user responsible had been banned from using their service. So that was a bit of a win :D

And I fail to see how you can call it 'giving hackers permission to try'. That's like saying that building a wall out of wood instead of stone is giving vandals permission to burn it down.
 
And I fail to see how you can call it 'giving hackers permission to try'. That's like saying that building a wall out of wood instead of stone is giving vandals permission to burn it down.
Each and every time The Three Little Pigs tell their story, they give the Wolf permission to blow both their straw and their wooden house down. This validates the Wolf as a threat.

One of the fundamental things about Design, is that a good design is the one that does the job and no more. Any more is a waste of resource.

One day the little pigs story may evolve into wood/bricks/TitaniumAlloy
 
Each and every time The Three Little Pigs tell their story, they give the Wolf permission to blow both their straw and their wooden house down.

Good thing I'm not a pig; not anticipating an attack doesn't mean you're giving it the go-ahead. Besides which, thanks to the use of non-standard usernames and strong passwords, the attacks would never have achieved anything anyway; I just wanted to a) make sure of that and b) stop my logwatch notifications being >1MB in size :rolleyes:

To continue the metaphor, they tried to burn down my 3ft-thick steel wall with a box of matches and I sucked out all the oxygen from around the wall. ;)
 
If despite all the security you had in place, an attacker had still got through somewhere else that you'd missed, what would it take for you to believe it?
 
If despite all the security you had in place, an attacker had still got through somewhere else that you'd missed, what would it take for you to believe it?

I would find evidence that it had occurred, find out how it occurred, and think up an ingenious way of patching the hack :D

It's not an issue of whether it would be possible for someone to penetrate my server, I'm saying not being prepared for every possible eventuality isn't 'inviting' an attack. If my server was hacked, I would certainly learn from it but that doesn't mean I would intentionally expose my system to attack in order to produce counter measures, that couldn't provide any insight if they were deliberately allowed to 'hack' the system.

Applying this back to the actual matter at hand, why fail to implement safety protocols in order to learn how best to implement safety protocols? If you use a particular method to attempt to minimise the risk of shock, and it doesn't work, then you consider what went wrong and come up with a new way of dealing with that specific problem. The metaphor holds.

What you seem to be saying is that there's no point in trying to protect yourself from shock because you might get shocked anyway. Well that's a risk that will always be present but can be minimised by taking safety precautions.
 
I would find evidence that it had occurred, find out how it occurred, and think up an ingenious way of patching the hack :D
There you are then, that proves what I'm saying. Because you're talking in past tense....


What you seem to be saying is that there's no point in trying to protect yourself from shock because you might get shocked anyway.

Are you sure that's what you think I'm saying? To go right back to the beginning, remember I said:

I think a few occasional mild electric shocks are good for your survival, and creates a healthy sense of respect.


Well that's a risk that will always be present but can be minimised by taking safety precautions.

But beware of 'over-reaction' :) Remember, I said:

The trouble is that if everyone does their best to eliminate all risk and increase 'health & safety' in every aspect of life, we lose any judgment of risk.
Then one day when the 'completely de-skilled and over-protected' End User does "everything they are supposed to do to the letter", in a world of health and safety gone crazy, grabs hold of a live fridge door handle, we are then all in disbelief!

Talking of H&S... I think it was year before last, somewhere in UK, a city council decided after nearly a century (apart from wartime), it would no longer install Annual Christmas Illuminations.... because of "Health and Safety" :)
 
There are two types of risk. Stupid risk and smart risk. The choice should be obvious. If not, Darwin wins again. :D
 
There are two types of risk. Stupid risk and smart risk. The choice should be obvious. If not, Darwin wins again. :D

That's good to remember when going in to businesses
Smart risk they put in the money
Stupid risk You put in the money :D:D:confused:
 
I don't know maybe:

The Christmas tree lights might overheat and burn down London.

Some of the heavy decorations may fall and injure someone.

Thieves might be electrocuted if they try to steal the lights. :D
 