Archive: http://msgs.securepoint.com/ids
FAQ IDS: http://www.sans.org/newlook/resources/IDFAQ/ID_FAQ.htm
FAQ NIDS: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-ownerat_private
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicited mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomoat_private
-----------------------------------------------------------------------------

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Marc Maiffret wrote:
Keith McCammon wrote:
Eric Hacker wrote:
(a lot of good stuff) 8)

What I take from this discussion is reinforcement of something I think about a lot: Where is "The Line"? Which raises the question, "What is The Line?"

...and that is like pornography - you can't define it, but you damn sure know it when you see it.

All of us, or those who have been in this business for a while, have, at one time or another, danced right up to the edge of it. C'mon, fess up - you know what I mean. It's at this point we can freeze the image because everything hangs on what happens next. The content of a person's/company's/etc. character gets a real big test, right now. Some give out a big "Whoa!", back away a bit to look things over. Some surf the edge, taking pictures of the other side. Some see how far over they can go without getting punished. Some don't even see it.

There are security companies out there that routinely dance on the other side of The Line, thinking the fake camera around their neck will fool people. Others dance on the edge - it's seductive alright, but sometimes they learn the cost of slipping and how sharp the edge can be...and sometimes they don't.

I'd like to think people would do security for the good reasons rather than the bad, and handle things responsibly...but in the competition for market share, press (ego share), and survival, a lot of them don't. Those are the ones I stay well away from.

On vulnerabilities and whatnot:

Full-disclosure information on vulnerabilities is in itself a good thing, even if it's only a preliminary "heads-up". The trick is in how it is presented. This takes us back to where "the line" is - rinse, repeat.

As for encoding attacks and such, I always go back to the old maxim "Defense always lags Offense". It's the law. ;) But new offense generates new defense, which generates new offense....see "recursive". The trick is closing the gap between Offense and Defense as tightly as possible...without going over the line.

At the moment, some encoding attacks can be effectively (I didn't say completely) modeled now (RPC and DNS for instance), others are problematic, and there are probably more that haven't been discovered. "...never completely emulate..." is too strong for me. Modeling boils down to "How many cycles you wanna throw at it?" vs performance issues vs risk/reward. If analysis is done correctly, you don't necessarily have to get complete modeling to get a positive detection.

Best regards,
Randy

-----
"Sesame Street called. The letter E would like to withdraw its sponsorship of Internet cliches, and assert full rights to the use of its image and trademark sound."
-- Anatoly Delm 13 Sep 2000
---

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.1

iQA/AwUBO7yh0O5yl3TXUvYdEQKafwCgw9OteK29qyCN0wROJl9KofYSoDIAoKsT
ar3gxUKych28d4jmsOniJ3sc
=CKD8
-----END PGP SIGNATURE-----
This archive was generated by hypermail 2b30 : Thu Oct 04 2001 - 18:28:39 PDT