Re: Recent Attacks

From: Claudio Telmon (claudioat_private)
Date: Wed Feb 23 2000 - 10:47:42 PST


"Marcus J. Ranum" wrote:
> 
> Darren Reed writes:
> >So are you suggesting that perhaps it is time software such as ISS, etc,
> >to not only be made available with strict controls over which targets
> >they can be used against (article about this went to bugtraq some time
> >ago) but also be required for those buying the product/license keys
> >in order to undertake such work ?  I think this is almost an inevitable.
> 
> So do I. Indeed, I think that it may boil down to some kind of
> professional certification being necessary. There are analogs
> to this - locksmithing certification, federal firearms license, etc.
> That's part of what I meant about how that grey area is going to
> get real thin, soon.
> 

I don't understand. So I need to be "certified" to write a tool like
ISS. And if I write a single exploit? It's hard to make a difference
when talking about laws. So only some "professionals" could publish
exploits, while hackers would continue to write them. This means that
"full disclosure" would die, but exploits would survive. As you know,
many companies denied the existence of vulnerabilities, even when
published, until an exploit was published too. Do you think that those
few "certified" companies and professionals would work against
Microsoft's interest just to add or publish vulnerabilities that nobody
cares about because Microsoft says they don't exist? IMHO this is
straight Security Through Obscurity. Easy-to-use hacker tools are the
price we must pay for better overall security. Nobody said "we need a
certification" when somebody was hacked because of an old sendmail; they just
said "update your server". So let's find a solution to DDOS, and a lot
of other problems, that is really a solution (or part of it). Like
removing ISPs from BGP if they don't use ingress filtering, without
asking them about performance problems. We are trying to deal with spam
without law enforcement: black lists and Acceptable Use Policies. IMHO
DDOS are not worse.

ciao

- Claudio

-- 
Claudio Telmon
claudioat_private
http://www.telmon.org

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:08:03 PDT