RE: Malicious use of grc.com

From: Nicko Demeter (nickoat_private)
Date: Wed Nov 28 2001 - 12:13:14 PST


    OK, I will attempt (probably poorly) to sum everything up here:
    
    a) Mr. Gibson has made publicly available a scanning tool that can serve
    as an anonymous scanning tool against any potential host. I am not sure
    I remember any mention of a potential DoS attack in the advisory. There
    was only a caution that this host allows information to get to a potential
    attacker in a completely undetectable manner, thus leading to a potential
    intrusion.
    
    b) Mr. Gibson has been VERY vocal about his security skills and views on
    several subjects, including the snafu with M$'s TCP stack. Several people
    have observed the irony of someone who seems like a security expert
    posting a program on his site that is vulnerable to some kind of exploit.
    
    c) There have been statements from Mr. Gibson that 1) the problem has
    existed for at least two years and 2) he does not find it
    significant enough, based on other factors (how many checks you can
    spawn, only 200 bytes/sec), to deal with it quite yet.
    
    d) People have taken sides on this issue. One side views this as equivalent
    to "hacking the Gibson" (sorry, I couldn't resist ;)) while the other
    finds it quite insignificant and not even worth making an advisory
    about.
    
    So while all this is going on there are several simple solutions. Since
    the scan is limited to certain ports, a security expert would know
    how not to report those ports as wide open. I mean we're all security
    engineers here, right? Also, since Mr. Gibson is blessed with static IPs,
    we could easily block traffic from his network, thus eliminating
    potential scans from his hosts.
    
    Was the finding significant enough for an advisory? Hell yes. While
    ironic, it also provided us with an issue that's hot enough to generate
    discussion amongst ourselves. And that is the precautions one should
    take before posting the latest "cool" security tool on his/her site
    without first investigating all the angles. And as security experts we
    are all kinda blown away that once a flaw is found the author does not
    take steps to fix it. Top that with the irony of the individual creating
    the flawed software and you've got a nifty advisory. I seriously see
    nothing wrong with that.
    
    And to touch briefly on port scanning: while it's true it's not
    illegal, there is nothing that stops you, the network engineers, from
    taking any action necessary to protect your network from scans. Just
    because someone can see into your house does not give him the right
    to take a peek, and you have every reason to pull the blinds if you choose
    to. Now if a certain someone had created a tool that allowed him to look
    into your house from farther away while undetected, it would be up to the
    commonality/society/community to scrutinize the inventor of the tool and
    its usefulness. It is fortunate that while the tool has been created we
    also have the tools to block it.
    
    So while we may all have our individual feelings about the person that
    created this tool or the people that wrote the advisories, in this case
    we are fortunate enough to be able to assess the threat individually and
    take any action that we see necessary, regardless of the actions of the
    parties involved.
    
    Nicko Demeter
    Systems Engineering
    Siterra Corp.
    
    
    
    -----Original Message-----
    From: H C [mailto:keydet89at_private]
    Sent: Wednesday, November 28, 2001 10:54 AM
    To: Aussie
    Cc: vuln-devat_private
    Subject: Re: Malicious use of grc.com
    
    
    
    > Is it my ignorance, or does Gibson seem to not really understand that the
    > port scans in question HAVE a valid IP...his systems and therefore are
    > being returned, via his systems, to the attacker who has just effectively
    > hidden his (her?) real IP by using Gibson's IP range instead. Is this not
    > a form of spoofing?
    
    I think Gibson fully understands this...and he also
    understands that in the US, port scanning is not
    illegal.  Therefore, no one can come to him and take
    any legal action against him if someone else scans his
    site.  After all, even if someone does use the
    information returned from a port scan to then attack
    and compromise a site, once they start to do so, they
    no longer can use Gibson's site (at this point,
    anyway).  Once they get the port scan data back, they
    have to either attack the target site directly, or
    launch their attacks through some other proxy or
    port-redirection mechanism.
    
    > Is Gibson suggesting that his unauthorised (by me) and unwanted (by me)
    > checks of certain ports on MY system should not be defined by me as
    > attacks or intrusion attempts?
    
    They aren't.  Regardless of what you may think or feel
    about the subject, the US legal system (and several
    European ones that I'm aware of) do not consider port
    scanning illegal.
    
    > Further, by what right does Gibson determine that MY firewall/IDS is
    > faulty because it deliberately generates reports to indicate that someone
    > port scanned me without my authorisation? If someone scans the 10 ports
    > or so that Gibson's Shield-Up product scans, I like to think that I have
    > every right to determine that the person has attacked and possibly
    > attempted an intrusion on my private systems. Maybe I'm completely wrong,
    > after all, IANAL.
    
    To be completely honest, your above statement doesn't
    make any sense to me...but maybe it's just me.  I've
    handled "abuse@" emails for a large telecomm/ISP, and
    I've seen threats of legal action for single ICMP
    packets.
    
    "I like to think that I have every right to determine 
    that the person has attacked and possibly attempted
    an intrusion on my private systems."
    
    Well, of course you do.  You have every right to NOT
    believe what Gibson says.  But I fail to see how a
    couple of SYN packets, most of which are most likely
    dropped by the firewall or responded to as closed
    ports anyway, constitutes an "attack" or "possible
    attempted intrusion".
    
    
    
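    The two practical suggestions in the message above, telling the firewall apart a handful of SYNs on a few ports from a real probe and blocking a known third-party scan relay by its static address range, can be illustrated with a small log classifier. The block below is an added example, not code from this thread or from grc.com. It assumes netfilter-style "DROP" log lines (constructed here, not captured from a real host) and a placeholder relay prefix, 198.51.100.0/24 (a documentation range, not grc.com's real addresses); a real deployment would substitute the operator's own relay list and log format.

```python
"""Classify SYN activity from firewall log lines and tag known scan relays.

Added example for the vuln-dev thread; not code from the thread. The log
lines and the RELAY_RANGES prefix are constructed placeholders.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Assumption: a prefix the operator treats as a third-party scan relay
# (the "static IPs" idea from the thread). 198.51.100.0/24 is TEST-NET-2,
# a documentation range, not any real scanner's network.
RELAY_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

# Approximate netfilter LOG target format; only TCP packets carrying SYN match.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) .*?SRC=(?P<src>[\d.]+) "
    r"DST=[\d.]+ .*?PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+) .*?\bSYN\b"
)

# Constructed sample: a fast ten-port probe from the relay range, a single
# SYN to 22, a slow five-port walk spread over twenty minutes, and a UDP drop.
SAMPLE_LOG = """\
Nov 28 10:51:02 gw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 LEN=48 PROTO=TCP SPT=40001 DPT=21 WINDOW=8192 SYN URGP=0
Nov 28 10:51:02 gw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 LEN=48 PROTO=TCP SPT=40002 DPT=23 WINDOW=8192 SYN URGP=0
Nov 28 10:51:03 gw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 LEN=48 PROTO=TCP SPT=40003 DPT=25 WINDOW=8192 SYN URGP=0
Nov 28 10:51:03 gw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 LEN=48 PROTO=TCP SPT=40004 DPT=79 WINDOW=8192 SYN URGP=0
Nov 28 10:51:04 gw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 LEN=48 PROTO=TCP SPT=40005 DPT=80 WINDOW=8192 SYN URGP=0
Nov 28 10:51:04 gw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 LEN=48 PROTO=TCP SPT=40006 DPT=110 WINDOW=8192 SYN URGP=0
Nov 28 10:51:05 gw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 LEN=48 PROTO=TCP SPT=40007 DPT=113 WINDOW=8192 SYN URGP=0
Nov 28 10:51:05 gw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 LEN=48 PROTO=TCP SPT=40008 DPT=135 WINDOW=8192 SYN URGP=0
Nov 28 10:51:06 gw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 LEN=48 PROTO=TCP SPT=40009 DPT=139 WINDOW=8192 SYN URGP=0
Nov 28 10:51:06 gw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 LEN=48 PROTO=TCP SPT=40010 DPT=443 WINDOW=8192 SYN URGP=0
Nov 28 10:52:10 gw kernel: DROP IN=eth0 SRC=192.0.2.44 DST=203.0.113.5 LEN=48 PROTO=TCP SPT=51000 DPT=22 WINDOW=65535 SYN URGP=0
Nov 28 10:40:00 gw kernel: DROP IN=eth0 SRC=192.0.2.77 DST=203.0.113.5 LEN=48 PROTO=TCP SPT=33001 DPT=80 WINDOW=5840 SYN URGP=0
Nov 28 10:45:00 gw kernel: DROP IN=eth0 SRC=192.0.2.77 DST=203.0.113.5 LEN=48 PROTO=TCP SPT=33002 DPT=443 WINDOW=5840 SYN URGP=0
Nov 28 10:50:00 gw kernel: DROP IN=eth0 SRC=192.0.2.77 DST=203.0.113.5 LEN=48 PROTO=TCP SPT=33003 DPT=8080 WINDOW=5840 SYN URGP=0
Nov 28 10:55:00 gw kernel: DROP IN=eth0 SRC=192.0.2.77 DST=203.0.113.5 LEN=48 PROTO=TCP SPT=33004 DPT=3389 WINDOW=5840 SYN URGP=0
Nov 28 11:00:00 gw kernel: DROP IN=eth0 SRC=192.0.2.77 DST=203.0.113.5 LEN=48 PROTO=TCP SPT=33005 DPT=25 WINDOW=5840 SYN URGP=0
Nov 28 10:53:00 gw kernel: DROP IN=eth0 SRC=192.0.2.9 DST=203.0.113.5 LEN=40 PROTO=UDP SPT=53 DPT=53 LEN=20
"""


def parse_events(lines):
    """Return (timestamp, source, destination port) for each logged TCP SYN."""
    events = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a TCP SYN drop; ignored
        ts = datetime.strptime(re.sub(r" +", " ", m["ts"]), "%b %d %H:%M:%S")
        events.append((ts, m["src"], int(m["dpt"])))
    return events


def classify(lines, min_ports=5, window_s=60):
    """Per source: distinct ports, peak distinct ports in any window, verdict.

    A source is a "scan" only if it touched min_ports distinct ports within
    window_s seconds; a slow walk (one port every few minutes) stays "noise",
    which is the known blind spot of a short window like this one.
    """
    by_src = defaultdict(list)
    for ts, src, dpt in parse_events(lines):
        by_src[src].append((ts, dpt))
    report = {}
    for src, evs in by_src.items():
        evs.sort()
        peak = 0
        for i, (start, _) in enumerate(evs):  # sliding window from each event
            seen = set()
            for ts, dpt in evs[i:]:
                if (ts - start).total_seconds() > window_s:
                    break
                seen.add(dpt)
            peak = max(peak, len(seen))
        addr = ipaddress.ip_address(src)
        via_relay = any(addr in net for net in RELAY_RANGES)
        if peak >= min_ports and via_relay:
            verdict = "scan-via-relay"   # origin unknown; block the relay range
        elif peak >= min_ports:
            verdict = "scan"             # direct source, worth a closer look
        else:
            verdict = "noise"            # a few SYNs, dropped or closed anyway
        report[src] = {
            "ports": sorted({d for _, d in evs}),
            "max_ports_in_window": peak,
            "via_relay": via_relay,
            "verdict": verdict,
        }
    return report


def relay_block_rules():
    """Netfilter commands dropping the relay prefixes (the thread's blocking idea)."""
    return [f"iptables -A INPUT -s {net} -j DROP" for net in RELAY_RANGES]


if __name__ == "__main__":
    for src, info in sorted(classify(SAMPLE_LOG.splitlines()).items()):
        print(src, info["verdict"], info["ports"])
    print("\n".join(relay_block_rules()))
```

    The sliding window is what separates the relayed ten-port probe (flagged, and attributed to the relay range rather than to an origin the log cannot show) from a lone SYN to port 22; the slow five-port walk from 192.0.2.77 is deliberately left as "noise" to show that a 60-second window alone does not catch patient scanners, so a longer second window or per-port hit counters would be needed for that case.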



    This archive was generated by hypermail 2b30 : Wed Nov 28 2001 - 12:44:09 PST