Re: Fwd: Information on MS99-022

From: Mike C. (netcmdat_private)
Date: Sun Jul 04 1999 - 22:51:41 PDT


    On Sun, 4 Jul 1999, Darren Reed wrote:
    
    |In some mail from Vanja Hrustic, sie said:
    |>
    |> I haven't seen this on the Bugtraq, but it's very interesting...
    |[...]
    |> So, if I have my custom-developed IDS running, I won't be able to implement
    |> a pattern for this, because I am not a member of 'Intrusion Detection
    |> Consortium'?
    |>
    |> Note the words...
    |>
    |> "This will allow security vendors to have access to the information..." -
    |> why only security vendors? What better they are than Bugtraq folks?
    |
    |bugtraq is not _only_ for security vendors.  It's open to the unwashed
    |masses, if you get my drift.  I'm sure the ICSA IDS vendors are quite
    |happy with this approach :)
    
    Yes, however the unwashed masses are keeping the IDS vendors and other
    vendors for that matter on their toes. If there was no large scale review
    and disclosure forum like bugtraq -- I fear the thought.
    
    In the current software system, which allows the vendors to shoot products
    through testing and development into the market, full disclosure is the
    only way to have them face up -- not telling the vendor and hoping they do
    something. This is like telling a food processor their product is
    poisoning people without telling the consumer. And in this example who
    figures out the people are being poisoned? The institution that sees the
    effects, the hospital.
    
    I remember seeing all kinds of login attempts to a certain piece of
    equipment all using the same password. Two weeks pass and what do you
    know? Vendor built in a default backdoor username and password. And don't
    think these login attempts were the vendor trying to be helpful.
    
    |
    |> "Security through obscurity" comes to mind...
    |
    
    Today, some companies house data that could be dangerous (Los Alamos NL),
    or contain health care information which could ruin lives in the wrong
    hands.  If an automobile manufacturer fails to take proper care in
    designing a car, they issue a recall and essentially save lives. When are
    we going to stop letting software companies off the hook with the
    EULA and hold them responsible? Tell them, "no further releases until you
    secure this one."
    
    We are building our future and running our economy on software analogous
    to a stick house. You read the Three Little Pigs, you put it together.
    
    |I would hazard a guess that the number of custom IDS systems in place is
    |a small number, so if you compare the number of hackers who would gain
    |information on how to exploit this feature and otherwise wouldn't (i.e.
    |script kiddies) and weigh that against those that run custom IDS solutions,
    |I think the scales will tip in favour of the script kiddies.  I say that
    |because if you have your own IDS system, chances are you've built it on
    |a Unix system and hence run Unix elsewhere through your firewall, etc,
    |and wouldn't need to worry about this threat because you don't have IIS4.0
    |on any critical systems.  Does that make some sense ?
    |
    |Darren
    |
    
    Don't guess about hazards,
    Mike
    
    http://www.networkcommand.com
    
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:51:40 PDT