Re: Malicious use of grc.com

From: Thorat_private
Date: Tue Nov 27 2001 - 12:40:15 PST


    At 10:09 AM 11/27/2001 -0800, H C wrote:
    > From several of the other posts that have talked about
    > this issue...identification of the issue by another
    > party in Sept '01, as well as words on Gibson's own
    > site stating that there is an issue...it seems that
    > the only "immediacy" was the race to malign Gibson,
    > something which hardly serves a purpose.
    
    
    First let me say that just because I am a member of Hammer of God, that I 
    do not, by default, agree with all things from all members.  However, in 
    this case, I do not find fault with Magni.  I have some insight into this 
    advisory, and would like to comment on at least what my personal feelings 
    are regarding it.
    
    Gibson knew about this 2 years ago, has stated as much, and has said he 
    will not fix it.  He is not concerned with the security community, he is 
    concerned with the GRC community.  That is his right.  The format of the 
    'advisory' probably could have mentioned that, but I do not see it as a 
    necessity; in hindsight, I can see how it would have obviated some 
    assumptions though.
    
    The propensity of the site's use as a DoS tool is somewhat dubious.  I know 
    that some of the membership (mostly playing around since we all know that 
    the severity of this issue is minimal) were able to perform multiple scans 
    against a single target by employing different means of calling the 
    engine.  Gibson, of course, flatly denies that this has ever been possible, 
    but the reports I received contradict this.  However, it seems to have been 
    fixed now; to that end, the means is justified.  Did he quietly fix a 
    problem and pretend it never existed?  My information says yes.  Does it 
    matter now?  No, other than the implications it has on the perception of 
    Gibson personally, which many of us could care less about.
    
    Some consider Magni's personal statement at the end of the advisory a 
    "rant."  That may be so, but it most certainly rings of truth.  I won't 
    make personal statements regarding Mr. Gibson, as I don't know 
    him.  However, I know what he has said:
    
    "Port scans can not be spoofed Ben. They require an authentic IP else the 
    returning packet won't ever come back and report upon the port's status. 
    Furthermore, many other national ISP's and responsible security testing 
    services *ARE* excluding my IP ranges from their reports"
    
    and
    
    "You, I, and our mutual customers all know that packets from GRC are never 
    attacks or intrusion attempts, so its deliberate generation of such reports 
    -- which you have admitted, and we both know, could be easily blocked -- is 
    irresponsible and represents defective operation from your product. Your 
    utilities are broken since they are deliberately reporting known non-attacks. "
    
    Yet he says in interviews that he has known about this for years, knows 
    that others can and do indeed perform unsolicited scans against innocent 
    boxes, and that he is not going to do anything about it.  These statements 
    directly contradict each other, leaving us without really knowing the full 
    story.
    
    This is a valid use of full disclosure:  you have a vendor who on the one 
    hand says it is something that cannot ever be done, yet on the other hand 
    says he has known about it all along and will never fix it.  You, as 
    intelligent security professionals, can take a look at it and decide the 
    best course of action on your own,  based on the simple information 
    included.  It doesn't matter how we each individually assess the potential 
    danger of this issue; what matters is that we have the information we need 
    in order to make a decision for ourselves.
    
    As I said in a recent article, I would rather have the information and not 
    need it than need the information and not have it.
    
    AD
    
    



    This archive was generated by hypermail 2b30 : Tue Nov 27 2001 - 13:01:40 PST