Gibson here is not running scans that have been spoofed; his system might be, but under control of someone who is using it, again presuming this works. Same principle as those whose machines get infected with DoS programs and are used as zombie attackers. This machine is after all offered as a free service for people to use to check their OWN systems. If you abuse his box to scan someone else, YOU are the party doing the abuse. This is not to say that the known flaw should have been there to begin with. Let us all remove systems that have such flaws and are not developed to the best of standards. As a side effect it will rid the Internet of a vast number of users who won't act as adults and remove a number of nasty software vendors. Should leave about three OSs standing whose users on the whole also tend to be more security conscious. Bwahahahaha... :-) -----Original Message----- From: Aussie [mailto:aussieat_private] Sent: Wednesday, November 28, 2001 7:57 AM To: vuln-devat_private Subject: Re: Malicious use of grc.com On 27 Nov 2001, at 12:40, Thorat_private wrote: <SNIPPED> > Some consider Magni's personal statement at the end of the advisory a > "rant." That may be so, but it most certainly rings of truth. I > won't make personal statements regarding Mr. Gibson, as I don't know > him. However, I know what he has said: > > "Port scans can not be spoofed Ben. They require an authentic IP else > the returning packet won't ever come back and report upon the port's > status. Furthermore, many other national ISP's and responsible > security testing services *ARE* excluding my IP ranges from their > reports" > > and > > "You, I, and our mutual customers all know that packets from GRC are > never attacks or intrusion attempts, so its deliberate generation of > such reports - -- which you have admitted, and we both know, could be > easily blocked -- is irresponsible and represents defective operation > from your product. Your utilities are broken since they are > deliberately reporting known non-attacks. " Is it my ignorance, or does Gibson seem to not really understand that the port scans in question HAVE a valid IP...his systems and therefore are being returned, via his systems, to the attacker who has just effectively hidden his (her?) real IP by using Gibson's IP range instead. Is this not a form of spoofing? Is Gibson suggesting that his unauthorised (by me) and unwanted (by me) checks of certain ports on MY system should not be defined by me as attacks or intrusion attempts? Further, by what right does Gibson determine that MY firewall/IDS is faulty because it deliberately generates reports to indicate that someone port scanned me without my authorisation? If someone scans the 10 ports or so that Gibson's Shield- Up product scans, I like to think that I have every right to determine that the person has attacked and possibly attempted an intrusion on my private systems. Maybe I'm completely wrong, after all, IANAL. To me, Gibson's response smells like "I can do what I want, if you don't like it, you're wrong". Gnuthad ********************************************************************** This transmission may contain information that is privileged, confidential and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. Thank you **********************************************************************
This archive was generated by hypermail 2b30 : Wed Nov 28 2001 - 10:47:36 PST