Forwarded from: "Jay D. Dyson" <jdysonat_private>

On Wed, 15 Aug 2001, InfoSec News wrote:

Bruce Schneier (in Crypto-Gram) wrote:

> We shouldn't lose sight of who is really to blame for this problem.
> It's not the system administrators who didn't install the patch in time,
> or the firewall and IDS vendors whose products didn't catch the problem.
> It's the authors of the worm and its variants, eEye for publicizing the
> vulnerability, and especially Microsoft for selling a product with this
> security problem.

This stunned me. If memory serves, Counterpane's staff was quite pleased about receiving full details of the worm from eEye staff. This afforded Counterpane the ability to accurately update their IDS and related.

As much as I respect Bruce Schneier's work, I have to say that this stance smacks of a double-standard: "Full disclosure for me, but not for thee."

Why is it *NOT* noted that eEye worked closely with Microsoft and delayed release of the advisory until Microsoft had a patch? (Microsoft went so far as to *thank* eEye for their assistance when they released the patch. You think that comes easy?) Why is it *NOT* noted that the Code Red worm utilized a different attack method than eEye originally identified? And finally, why is it *NOT* noted that eEye went out of its way to break down the worm that *someone else* released into the wild so that other parties could better defend themselves?

The omission of these very crucial aspects of the ongoing Code Red incident invalidates Schneier's critique of eEye's full disclosure practices.

> You can argue that eEye did the right thing by publicizing this
> vulnerability, but I personally am getting a little tired of them adding
> weapons to hackers' arsenals.

I personally hope that eEye and other firms continue such full disclosure practices because their tools are as amoral as cryptography. Like cryptography, hacking tools can be used by people of dishonorable intent...and like cryptography, hacking tools can be used by honorable people as a means to defend the assets for which they are responsible. To suggest that release of such tools be curtailed (or prohibited) is to suggest that the populace at large be left totally at the mercy of Those Who Do Not Play By The Rules solely for the benefit of the unthinking and uncaring (and quite possibly incompetent) admin.

I've long since tired of the argument that everything that has the potential for misuse should be rendered to the impact of a Nerf ball. Malcontents will always be with us...and limiting the liberties of the well-adjusted based on the shortcomings of the maladjusted is little but another step into an Orwellian future wherein War is Peace, Freedom is Slavery, and Ignorance is POLICY.

> There are two other lessons of Code Red that I haven't seen talked
> about. One: Code Red's infection mechanism causes insecure computers to
> identify themselves to the Internet, and this feature can be profitably
> exploited.

Actually, I addressed this facet when I authored and released Early Bird (http://www.treachery.net/~jdyson/earlybird/). Several others have mentioned it as well (such as Weld Pond of @Stake), though I don't know how far or wide their observations were disseminated.

> How many hackers are piggybacking on Code Red in this manner?

Just as many as there are responsible admins who notify the admins of the affected networks, I imagine. And not to belabor the point, but piggybacking has been done for *ages*. As evidence, I need only point to:

http://attrition.org/mirror/attrition/lamer.html

The above page is a listing of *re-defacements* of sites that were listed on the Attrition Mirror. Those re-defacements were not listed on the Mirror, but they were kept for statistical purposes. This may be the first time this information has been made publicly known, but it pretty much proves the point that intruders have been piggybacking on previously breached systems long before Code Red. Indeed, one of the systems in that list has been re-defaced over 40 (!!) times.

Furthermore, I'm less than half-way through a personal project (one that I started in late February of this year) which involves a longitudinal study of the state of [in]security of systems that scan servers I maintain. Were I of an unethical mindset, I could have just as readily piggybacked onto the breached systems that scanned the systems over which I have charge. Given that I've been doing such longitudinal studies on systems that scan mine, I have every reason to believe that others have been doing as much as well...and their motives may or may not be as purely academic as my own.

> Two: Code Red's collateral damage illustrates the dangers of relying on
> HTTP as the Internet's communications medium.

<snip>

> This is a large single-point-of-failure that Code Red has illustrated,
> and no one seems to be talking about.

No argument there. All told, I think people have become desensitized to DoS attacks. Further, I think the lack of discussion regarding this very real problem hinges solely on the preference for convenience being weighed more heavily than the necessities of security. Most users don't just want to have their cake and eat it...they want to put it on display as well.

A lot of these problems could have been avoided by simple use of IP filtering. Instead, the port is open and will listen intently to anyone that yells at it. Small wonder it goes deaf when the volume reaches a crescendo.

> Code Red ushers in a new form of attack: a preprogrammed worm that
> unleashes a distributed attack against a predetermined target.

How is that different than the Morris worm of the '80s? It too had predetermined targets and exploited known vulnerabilities. And that worm, like Code Red, suffered from its own programmatic mistakes.

-Jay

Thanks to Jericho <jerichoat_private> and Aj Reznor <ajat_private> for their comments and suggestions on this response.

-- 
Jay D. Dyson -- jdysonat_private
"There's always time for a good cup of coffee"
Real men prefer full disclosure.

- ISN is currently hosted by Attrition.org
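The point exchanged above, that Code Red makes infected hosts identify themselves and that responsible admins use that to notify the affected networks, is the kind of log triage Early Bird was written for. The following is an added example, not Early Bird's code or anything from the original message: it scans Apache-style access log lines for the Code Red probe (a GET for /default.ida with a long filler run of N, or X for Code Red II) and groups hits by source address to produce a notification list. The log entries and addresses are constructed, and the worm's encoded payload after the filler is omitted from the sample.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Apache/NCSA common log format: host ident user [time] "request" status bytes
_LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)

# Code Red probes IIS via a GET for /default.ida followed by a long filler run:
# 'N' for the original Code Red (v1/v2), 'X' for Code Red II.
_CODE_RED_RE = re.compile(r'^GET /default\.ida\?(?P<fill>N{20,}|X{20,})')

def classify_probe(request_line: str) -> Optional[str]:
    """Return 'CodeRed' or 'CodeRedII' when the request line is a Code Red probe, else None."""
    m = _CODE_RED_RE.match(request_line)
    if not m:
        return None
    return "CodeRedII" if m.group("fill")[0] == "X" else "CodeRed"

def infected_sources(log_lines: List[str]) -> Dict[str, Dict[str, int]]:
    """Group Code Red probe hits by source address, counted per variant.
    Every source in the result has announced itself as infected; this is
    the list a defender would hand to that network's admin for cleanup."""
    hits: Dict[str, Counter] = {}
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # not a well-formed access log line; skip rather than guess
        variant = classify_probe(m.group("req"))
        if variant is None:
            continue
        hits.setdefault(m.group("host"), Counter())[variant] += 1
    return {host: dict(c) for host, c in hits.items()}

# Constructed sample access log (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Aug/2001:10:00:01 -0700] "GET /default.ida?' + "N" * 224 + ' HTTP/1.0" 404 276',
    '192.0.2.10 - - [15/Aug/2001:10:03:17 -0700] "GET /default.ida?' + "N" * 224 + ' HTTP/1.0" 404 276',
    '198.51.100.7 - - [15/Aug/2001:10:05:42 -0700] "GET /default.ida?' + "X" * 224 + ' HTTP/1.0" 404 276',
    '203.0.113.5 - - [15/Aug/2001:10:06:00 -0700] "GET /index.html HTTP/1.0" 200 1043',
    'garbage line that is not a log entry',
]

if __name__ == "__main__":
    for host, counts in infected_sources(SAMPLE_LOG).items():
        print(host, counts)
```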
This archive was generated by hypermail 2b30 : Thu Aug 16 2001 - 01:19:47 PDT