Posted by Jochem Maas on 02/08/05 12:05
Marek Kilimajer wrote:
> Greg Donald wrote:
>
>> On Mon, 07 Feb 2005 22:25:46 -0500, trlists@clayst.com
>> <trlists@clayst.com> wrote:
>>
>>> I think this is an extraordinary (and unjustified) level of paranoia.
>>
This was aimed at me. I personally wouldn't touch a CCN with a barge pole.
I did say it was 'best' not to accept them at all, although accepting them and
immediately passing them on via an SSL link (e.g. with cURL) is probably
'good enough' - at least, apparently, 10,000s of merchants seem to think so.
>>
>>
>> cat /dev/mem | strings | egrep "^[0-9]+$"
>>
nice bit of magic tho, Greg :-)
>>
>
> cat: /dev/mem: Permission denied
>
> :)
>
> You need root access. If anyone gains root on your providers server, he
> has simpler ways to find the CCNs
>
Getting root is often quite trivial for anyone with a fair bit of knowledge & determination,
mostly because for a lot of vulnerabilities there are 'make'n'run' exploits which
any numpty can use.
Besides which, anyone ever heard of 'an inside job'? - i.e. when the CCNs go wandering from
your DB/encrypted zipfile/index.html, it's the sysadmin who you should be looking at first
(e.g. it's often a lot easier to bribe a sysadmin than it is to hack into a server).
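The `cat /dev/mem | strings | egrep "^[0-9]+$"` one-liner quoted above will match every timestamp, counter and order id in memory, not just card numbers. The script below is an added example (not code from the thread or from any poster) showing the two filters a practitioner would bolt on before calling a digit run a PAN: a 13-19 digit length window and a Luhn mod-10 check. It works on any line source, so `strings` output from a core file or a process memory dump can be piped into it the same way. The sample dump, the `find_pans`/`luhn_ok` names and the use of the well-known 4111.../5555.../3782... test numbers are all constructed for this example and are not real cards.

```python
"""Sift strings(1)-style output for plausible card numbers (PANs).

Added example, not from the original thread. A bare digit-run grep on a
memory dump is mostly noise; requiring a card-sized length and a valid
Luhn check digit removes nearly all of it. Input lines below are
constructed; the card values are published test numbers, not real cards.
"""
import re
import sys
from typing import Iterable, List

# A run of 13-19 digits, allowing the single spaces or dashes people type
# into forms. The lookarounds stop us matching the middle of a longer run.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample of what `strings` might print from a web server's memory.
SAMPLE_DUMP = [
    "GET /checkout.php HTTP/1.1",
    "1107862746",                        # 10-digit timestamp: too short
    "card=4111111111111111&exp=0107",    # Visa test number, Luhn-valid
    "5555 5555 5555 4444",               # Mastercard test number, spaced
    "4111111111111112",                  # one digit off: fails Luhn
    "order_id=12345678901234567890",     # 20 digits: too long to be a PAN
    "378282246310005",                   # 15-digit Amex test number
]


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    # Walk from the rightmost digit and double every second one.
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(lines: Iterable[str]) -> List[str]:
    """Return the Luhn-valid 13-19 digit runs in `lines`, separators stripped."""
    hits: List[str] = []
    for line in lines:
        for m in _CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                hits.append(digits)
    return hits


def main() -> None:
    # Read from a pipe (e.g. `strings core | python3 pan_sift.py`),
    # otherwise run against the constructed sample.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_DUMP
    for pan in find_pans(source):
        print(pan)


if __name__ == "__main__":
    main()
```

Run stand-alone it prints the three test numbers and nothing else; the timestamp, the off-by-one value and the 20-digit order id all drop out. Note that reading `/dev/mem` directly needs root, as Marek says, and on current Linux kernels `CONFIG_STRICT_DEVMEM` limits it further, so in practice this is aimed at a core dump or a `/proc/<pid>/mem` read of the web server process.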