The post started very well, but with the first screenshot my mind started tingling: what the heck is a security engineer doing in a root shell? An unknown binary sent via an email is run in a root shell. There is also no mention of email source tracking.
Hey, you are a security engineer; you know about the weaknesses of SMTP, right?
Even if this is a virtual machine, I would really reconsider employing him, or sit down and have a serious talk about this blog post, if I were the employer.
I could not continue reading the post before ranting about it.
Is it really that probable that an email was sent to him from the company he is applying to and someone spoofed that to send him malware?
I agree with the root point only because the company could have easily done something like `echo "I just rm -rf'ed your / because you ran me as root"` as part of the test.
Why would you consider it still an issue if it was a VM he used only for this purpose?
Well, email is the primary threat distribution medium right now. So if a security engineer does not show scepticism about an unsigned, unencrypted email from an unverified source, I get picky.
Looking at it from a probability perspective, yes, you are right, this is a low threat vector.
Also, I consider working as root in a VM an issue because security 101, lesson 1 is "avoid privileged accounts as much as possible". Why not work in an unprivileged shell account and use sudo whenever needed? VMs are not bulletproof: they can leak memory, and can make the host machine unstable or even crash it. There are hardly any PoCs out there, but VMs may be exploited to switch context to the host machine. Aside from these low-probability threats, while working with binaries of unknown origin, losing all your work is a high probability. In this case it would not matter if you are inside a VM or not. VMs can be recovered, but lost time cannot be.
"Security 101" isn't all that relevant when you actually understand the threat vectors. If you can't create a clean, isolated, snapshotted VM for this sort of playing, you have no business applying for this sort of job.
Old-school viruses that could burn your display card come to mind. Working as root is always a threat. A live CD is convenient but still does not make it fully secure.
I said I am being picky. Most of my concerns may be handled, but they are not shown to be.
Most pentesting distros run as root by default; check out Kali Linux, which is the industry standard. It makes it a lot easier to run all the strange applications we use. As long as you keep it in a VM, you'll be pretty solid.