Re: [ISN] Security Firm Blamed For Code Red Costs

From: InfoSec News (isnat_private)
Date: Mon Aug 13 2001 - 01:09:58 PDT


    Forwarded from: Aj Effin Reznor <ajat_private>
    "InfoSec News was known to say....."
    > By Brian McWilliams, Newsbytes
    > 10 Aug 2001, 5:11 PM CST
    > The damage toll from the Code Red worm has sparked a new debate
    > over what security experts call "full disclosure."
    > Richard M. Smith, chief technology officer for the Privacy
    > Foundation, today criticized the company that found and publicized
    > the glitch in Microsoft's Internet Information Server (IIS) which
    > led to the creation of the malicious worm and a copy-cat.
    Am thinking Mr. Smith's head has either swollen in size due to his
    self-professed track record (as he posted to BugTraq at Date: Fri, 10
    Aug 2001 15:32:53 -0400: "I've probably found a dozen or so security
    holes in Microsoft products.  Many of these problems were reported on
    BugTraq list without full disclosure.  How come so few people have
    ever approached me for the full details?") or he is feeling a bit of a
    deficit of attention lately, but this is fucking ridiculous.
    > Eeye published a detailed advisory about the new IIS flaw on June
    > 18, the same day that Microsoft released its own bulletin and a
    > patch to correct the problem. In its description of the problem,
    > Microsoft thanked eEye for working with the company "to protect
    > customers."
    Good to see the truth shine through (for once).
    > "One thing is now crystal clear with Code Red: full-disclosure
    > comes with one of hell of a price tag. There has to be a better
    > way," said Smith.
    A single case example doesn't make for good modelling.  Mr. Smith
    should be well aware of this.
    I am posting this to ISN as I wasn't able to get in on the BugTraq
    thread before Aleph1 killed it off.  I know that the more technical
    minds on this list will yawn over my rantings, but I know there are
    many here who are openly not the most proficient people in the world,
    and while the article points a good defense to eEye, I really am
    rather pissed at Mr. Smith's allegations.  His way or the highway?  
    The following is an email I sent early today to journo at the Register
    UK.  The article, while being well written, I felt was off base on the
    attacks on eEye.
    The article was posted to ISN, it's located at This mail relates
    more to the Reg's article than the issues Mr. Smith brings up (worm
    hype as marketing vs.  "it's their fault").
    My mail (in part) to the author:
    Regarding your article located at:
    I have always enjoyed the reporting that The Register UK has to offer,
    by far superior to the piddly OC Register that I have local to me.  
    Beyond the local cage-liner, the Reg/UK's tongue in cheek humour and
    dry wit has always appealed to me, I find myself often possessing
    similar qualities, much to the dismay of coworkers and superiors :)
    Anyways...  I do take issue with one point that you make, that being
    about Marc@eEye.
    I know that line alone is going to put you on the defensive, and for
    once, I am *not* out to flame the living shit out of someone just
    because their views are contrary to mine (if you knew me, you'd be
    shocked over this, really).
    The points you make are all valid and intelligent, and I respect you
    for that.  However, I do see things a bit differently than you do, and
    I hope that, despite differing, possibly drastically, you can respect
    my thoughts equally, or at least a close approximation of such.
    eEye has multiple products other than SecureIIS, which I will assume
    that you have performed some mild diligence and are aware of.  Based
    off their security scanner, Retina, and the ongoing signature
    development that they are constantly undergoing, "new" vulnerabilities
    are found.  The .ida bug is of course one of these.
    eEye has discovered multiple bugs over the last couple of years.  
    This has multiple effects.  One, they have a signature in their
    database which can give their product a competitive edge, which is of
    course good in a free market economy such as we have here.  Be mindful
    that there are bugs in existence which "the underground" (lordy, I
    hate that phrase, but it's convenient enough for this correspondence)
    is aware of, and security vendors and practitioners are not privy to.
    eEye may be discovering *completely* new bugs, or they may be
    discovering something which the underground has known about.  Either
    way, through their findings, administrators can attempt to tighten up
    their systems a little more.
    SecureIIS is a marvelous product both in theory, and largely in
    operation.  For being first generation, the tweaks and adjustments
    that it'll be getting for the next rev are really relatively minor.  
    And yes, it would have protected any non-patched system from .ida
    attempts.  Being the only product I know of that doesn't rely on a
    signature database, and is flexible enough to handle unseen attacks is
    pretty friggin cool.  Let them brag! ISS, NFR (Network Flight
    Recorder), no one comes to mind with a product that can compete with
    it.  I also have yet to see a filter set for any commercial firewall
    (Check Point, Raptor, Gauntlet) that can block Code Reds. If there is
    one that I've missed, I humbly accept correction.  But, SecureIIS is
    unique and well thought out. Deal.
    Microsoft admitted that eEye had been fundamental in working with them
    on the bug, the exploit, and the patch development.  eEye, in a
    gentleman's agreement with MS, didn't release the exploit until the
    patch was prepared and available.  Hardly the maneuvering of a company
    that is using the bug as a fundamental sales tool.  Yes, they've
    pointed out time and time again that SecureIIS is the only product
    that would prevent infection on an unpatched server.  While this may
    be ego and posturing, this is also the truth.  As a company, marketing
    is important, and pointing this fact out is worthwhile.
    Marc and the crew at eEye are similar to myself in regards to having
    at least been greyish in our hats before making the transition to
    "professional".  I was speaking with a local FBI Field Agent
    yesterday, and was telling him why I thought the NIPC was a joke, and
    it's because, for the most part, the people that comprise it aren't
    technophiles by nature.  They're textbook.  It's not in their blood,
    in their heads, in their lungs.  For Marc, Ryan, Riley, and others at
    eEye, for myself and for associates with whom I have collaborated on
    large contracts, it is.
    As such, it's frustrating for ALL of us to have to see the net
    congested as fuck because a known bug, with a known and *well
    documented* patch, is causing headaches for many people.
    My cable modem segment at home is slammed with v2 requests.  A 10
    second timeframe at any given point shows 55-70 arp requests.  Last
    Saturday I was receiving 75-85.  At the same time, I was talking to an
    associate in Los Angeles.  His cable segment was showing 650-800 arp
    requests.  Sorry, that's unreasonable and unreal, both. The father of
    the CTO for my current employer uses Time/Warner's Road Runner service,
    and was down for two days while they (Road Runner) tried to figure out
    what to do.
    Not sure how aware you are, but the AUP (Acceptable Use Policy) one
    signs when getting a cable modem specifies that you are not to run any
    services from your machine.  There is no reason for all these machines
    to be running IIS at all.  The fact that they are, unpatched, points
    not only to user ignorance, but to how this ignorance is coddled by
    As I write this (~ 1:45 PM PST), my web server Code Red stats (since
    Aug 01) look like this: Summary findings -- CRv1: 140 CRv2: 438
    My firewall on my @home cable modem?  From 2am Saturday August 4th:
    Summary findings -- CRv1: 26 CRv2: 1699
    So yes, Marc rants about it.  So do I.  So do a lot of people.
    (I'm nearing conclusion, hang with me a bit longer, yeah?)
    As for your assertion that eEye's publicizing of this vulnerability
    was somewhat responsible for the authoring of the worm....
    What hole, and what publicizing led to the Melissa virus?  Fun
    None, really.  As I stated earlier, the underground has tools for
    holes that corporate America isn't even aware of.  Obviously, not all
    of these have a specific worm written for them (some aren't even
    worm-able), but at some point, someone could write a worm for one.
    If eEye had found the hole, if MS had issued a patch, and if it were
    done with little fanfare, some sociopathic 16 year old would be
    trolling MS's site looking for patches, finding holes, and possibly
    coding a worm or a virus or even a basic non-worm, manually run
    exploit for said hole.  Familiar at all with FTP daemon exploits?
    WU-FTP 2.4.2 ?  2.6.0 ?  Nothing like remote root-access exploits
    found far before a patch was available!  This is the nature of the
    net, of tech-heads, and malicious crackers.  That this .ida bug
    affects the flagship web server for arguably the largest corporation
    known to mankind makes it stand out a bit more than full-bore root
    compromises for free, open source ftp servers which actually have a
    larger install base than IIS does.
    It is also worth pointing out that, unlike most crackers, among
    others, when eEye does find a vulnerability, they don't release
    exploit code, which also differs from the typical routine found not
    only against MS but also in the open source community.  If they
    *really* sought to profit from their findings, they'd release exploit
    code, thereby compelling corporations to purchase an eEye product to
    secure themselves against a bug written by eEye itself.  It'd almost
    be akin to MS charging for security patches :)  It should be duly
    noted that eEye does *not* do this.
    This was played out by the media.  Ya can't blame Marc for saying to
    the media what he'd say on BugTraq.  Ya can't blame the media for
    listening.  Ya can't blame any company for pointing out that their
    product could avoid certain types of catastrophe, either.
    Why am I even bothering to write this?  I like eEye.  Retina is not
    only more cost effective than competing products (notably the
    "industry standard" ISS), but also works faster, and requires less
    hardware to run on. When I served as a mobile consultant, finding a
    laptop with enough horsepower to run ISS was either impossible to
    find, or cost prohibitive.  I also like the Retina because it makes it
    easy to correct registries on a large number of machines from a single
    point, rather than having to touch every desktop in a large
    I like the fact that they are driven through desire, not compensation,
    to pursue bugs, worms, and development. I like Marc's title as Chief
    Hacking Officer.  It's what he is, it's what he does.  I don't like
    ISS's "X-Force".  Their constant claims that they "won't hire hackers"
    is utter crap.  They do have members of the underground on staff, and
    a small percentage of them don't always behave in legal manners.  Not
    a company I'd want to pass my duckets off to.
    I'd be interested in any reply you have, at your leisure.
    So, in closing, to any journo's or PHB's or other managerial types who
    don't have half the clue you should, the dissemination of knowledge
    isn't a bad thing.  On the net, ignorance most certainly is NOT bliss,
    and I would personally like to be the first to knock half the smiles
    off the ignorami out there.  If you're scratching your head right now
    wondering what all the ranting is about, what "full disclosure means",
    among other things, consider resigning post haste.
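
The "Summary findings -- CRv1: ... CRv2: ..." figures quoted above for a web server and a cable-modem firewall are the kind of tally a defender produces by counting .ida probes in IIS logs. The following is an added example in Python, not code from the post, from eEye or from any product it mentions. It assumes IIS W3C extended log format with the field set named in its `#Fields:` header, and it relies on the publicly documented padding in the worm's request (a run of `N` for the July Code Red, a run of `X` for Code Red II, which the post labels v2); the log lines themselves are constructed and shortened, with hypothetical addresses.

```python
import re
from collections import Counter
from typing import Dict, Iterable, Iterator, Optional

# Constructed sample lines in IIS W3C extended log format. Hosts and times are
# hypothetical and the worm's padding is shortened; none of this is the post's data.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-05 02:13:44 192.0.2.17 GET /default.ida NNNNNNNNNNNNNNNN%u9090%u6858 404
2001-08-05 02:14:02 192.0.2.33 GET /default.ida XXXXXXXXXXXXXXXX%u9090%u6858 404
2001-08-05 02:14:09 192.0.2.33 GET /default.ida XXXXXXXXXXXXXXXX%u9090%u6858 404
2001-08-05 02:15:31 198.51.100.8 GET /index.htm - 200
2001-08-05 02:16:07 198.51.100.9 GET /Default.IDA NNNNNNNNNNNNNNNN%u9090%u6858 404
2001-08-05 02:17:55 203.0.113.5 GET /robots.txt - 200
"""

# The ISAPI .ida handler path the worm requested; IIS paths are case-insensitive.
IDA_RE = re.compile(r"/default\.ida$", re.IGNORECASE)


def parse_w3c(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one field->value dict per data line, using the #Fields header.

    Lines before a #Fields header, other directives and lines whose token
    count does not match the header are skipped rather than mis-assigned.
    """
    fields = None
    for raw in lines:
        line = raw.rstrip("\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue
        yield dict(zip(fields, parts))


def classify(entry: Dict[str, str]) -> Optional[str]:
    """Label a parsed entry as 'CRv1', 'CRv2', 'ida-other' or None.

    CRv1 = July Code Red ('N' padding), CRv2 = Code Red II ('X' padding),
    following the post's own labelling; any other .ida probe is 'ida-other'.
    """
    if not IDA_RE.search(entry.get("cs-uri-stem", "")):
        return None
    query = entry.get("cs-uri-query", "")
    if query.startswith("NNNN"):
        return "CRv1"
    if query.startswith("XXXX"):
        return "CRv2"
    return "ida-other"


def summarize(log_text: str) -> Dict[str, Dict[str, int]]:
    """Count hits per label and the number of distinct source addresses per label."""
    counts: Counter = Counter()
    sources: Dict[str, set] = {}
    for entry in parse_w3c(log_text.splitlines()):
        label = classify(entry)
        if label is None:
            continue
        counts[label] += 1
        sources.setdefault(label, set()).add(entry.get("c-ip", "?"))
    return {
        "counts": dict(counts),
        "unique_sources": {label: len(ips) for label, ips in sources.items()},
    }


def summary_line(log_text: str) -> str:
    """Render the counts in the same shape the post quotes."""
    counts = summarize(log_text)["counts"]
    return "Summary findings -- CRv1: {} CRv2: {}".format(
        counts.get("CRv1", 0), counts.get("CRv2", 0)
    )


if __name__ == "__main__":
    print(summary_line(SAMPLE_LOG))
    print(summarize(SAMPLE_LOG)["unique_sources"])
```

Keying on the path plus the first bytes of the query is deliberately cheap: the point of a tally like this is to size the scanning load and count distinct infected sources on one's own segment, not to decode the payload, and a server with the patch applied (or an ISAPI mapping for .ida removed) answers these probes with an error either way.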

    This archive was generated by hypermail 2b30 : Mon Aug 13 2001 - 03:26:23 PDT