> a) Mr. Gibson has made publicly available a scanning
> tool that can serve as an anonymous scanning tool
> against any potential hosts.

At the end of the day, all it is is a port scan. So far no one has presented any information that shows that Gibson's site can be used to take advantage of the port scanning information and conduct a direct attack against the target system. It's a port scan...so what? Also, I have not seen anything more than claims regarding the DoS issue.

> b) Mr. Gibson has been VERY vocal about his security
> skills and views on several subjects including the
> snafu with M$'s TCP stack. Several people have observed
> the irony of someone that seems like a security expert
> to post a program on his site that is vulnerable to
> some kind of exploit.

Like that never happens? So where's Magni's advisory on the uses of NetCraft? And where's the advisory regarding the content of the Incidents list on SF? After all, it wasn't so long ago that some admin got on the list and posted pretty explicit info regarding the structure of his DMZ...obviating the need for Gibson's site altogether. Attacking anyone, regardless of whether they are wrong or right, simply because they are vocal serves no purpose.

> c) There have been statements from Mr. Gibson that
> 1) the problem has been existent for at least two years
> and 2) he does not find it significant enough based on
> other factors (how many checks you can spawn, only
> 200 bytes/sec) to deal with it quite yet.

To be correct, Gibson's statement was 400 bytes, not 200. But that isn't the point at all. Someone posted that an attack could be scripted to perform a DoS attack...Gibson said that wasn't true.

> d) People have taken sides on this issue. One side
> views this as equal to "hacking the Gibson" (sorry, I
> couldn't resist ;)) while the other finds it quite
> insignificant and not even worth making an advisory
> about.

Your breakdown is a little too simplistic. For example, I have no problem with an advisory being posted. I do have questions regarding the content of the advisory...my initial queries to Magni about vendor contact didn't reveal anything about Gibson knowing about this issue for two years. In fact, another member of HoG was the first to inform me of this.

> Was the finding significant enough for an advisory?
> Hell yes. While ironic it also provided us with an
> issue that's hot enough to generate discussion amongst
> ourselves. And that is the precautions one should take
> before posting the latest "cool" security tool on
> his/her site without first investigating all the angles.

Or posting an advisory without following any of the various processes out there.

> And as security experts we are all kinda blown away
> that once a flaw is found the author does not take
> steps to fix this.

Not at all. As "security experts" (I hesitate to use that term, as I consider myself more of a professional than expert, and all that word entails), we are also familiar with a wide variety of other issues. For example, consider Code Red. How many web sites do you know of that actually need the functionality provided by the ida/idq script mappings? As of yet, I haven't seen any...that doesn't mean that there aren't any. So, if the functionality isn't needed, why not simply disable the script mapping? Do that at install, and the system wouldn't have been infected by Code Red. The same holds for sadmind/IIS (poisonbox)...the patch necessary was about 7 months old when the worm hit. The point is...we have all seen how people either make a decision (or fail to do so) to NOT fix something. Gibson evidently (based on his comments that I've seen on DSLReports) decided that the issue didn't merit attention. After all, it's just another port scanner.

> On top of that is the irony of the individual creating
> the flawed software and you got a nifty advisory. I
> seriously see nothing wrong with that.

Nor do I. However, the advisory wasn't a very good example of responsible disclosure.

> And to touch briefly about port scanning: While it's
> true it's not illegal, there is nothing that stops you,
> the network engineers, from taking any action necessary
> to protect your network from scans.

Sure. There's no problem with that. And if everyone took the necessary steps to protect their networks, there wouldn't be a problem at all. In fact, there are even Registry entries that can mitigate the effects of SYN floods, assuming that the packets aren't already blocked by routers and firewalls before they reach a target host. Therefore, this issue of using Gibson's site to conduct DoS attacks (again, so far it's only a claim, I haven't seen it actually work, nor am I aware of anyone suffering from such an attack) is a non-issue, as well.
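The Registry entries the message refers to, shown here as an added example and not as code from the original post: the TCP/IP parameters that control SYN attack protection on Windows 2000/2003, audited and optionally set with PowerShell (PowerShell runs on Server 2003; on Windows 2000 the same values are set with regedit). The key path and value names are the ones Microsoft documented for those versions. The target values are assumptions taken from the Windows 2000/2003 hardening guidance and should be checked against the documentation for the exact version in use, since defaults and accepted ranges differ by edition and service pack. On Windows Vista and later, SYN attack protection is always enabled and SynAttackProtect is ignored, so this only matters for the older systems the thread is about.

```powershell
# Added example: audit and harden the Windows 2000/2003 TCP/IP SYN-flood
# settings mentioned in the message above. Not code from the original post.
# Run from an elevated shell. Without -Apply it only reports; with -Apply it
# writes the values. A reboot is required before TCP/IP picks them up.
param([switch]$Apply)

$TcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# Name -> desired DWORD value. These numbers are assumptions drawn from the
# Windows 2000/2003 hardening guidance; confirm them for your version.
$Desired = [ordered]@{
    SynAttackProtect      = 1    # 0 = off; 1 = drop half-open connections sooner under attack
                                 # (Windows 2000 also accepts 2 for the most aggressive mode)
    TcpMaxHalfOpen        = 500  # half-open connections allowed before protection engages
    TcpMaxHalfOpenRetried = 400  # half-open connections with at least one SYN-ACK retransmit
}

function Get-SynSetting {
    param([string]$Name)
    $item = Get-ItemProperty -Path $TcpipParams -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value absent: the built-in default applies
    return $item.$Name
}

foreach ($name in $Desired.Keys) {
    $current = Get-SynSetting -Name $name
    $shown   = if ($null -eq $current) { '(default, not set)' } else { $current }
    $status  = if ($current -eq $Desired[$name]) { 'ok' } else { 'WEAK/UNSET' }
    '{0,-24} current={1,-20} desired={2,-4} {3}' -f $name, $shown, $Desired[$name], $status

    if ($Apply -and $current -ne $Desired[$name]) {
        # -Force overwrites an existing value or creates a missing one.
        New-ItemProperty -Path $TcpipParams -Name $name -PropertyType DWord `
            -Value $Desired[$name] -Force | Out-Null
        "  -> set $name to $($Desired[$name]) (reboot required)"
    }
}
```

Run it once without -Apply to see which values are unset (the stack is then on its defaults, which on Windows 2000 means SYN attack protection is off), and again with -Apply to write them. As the message notes, this only matters for SYN packets that reach the host; a router or firewall that rate-limits or drops them first makes the Registry setting a second line of defence rather than the first.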
This archive was generated by hypermail 2b30 : Wed Nov 28 2001 - 13:41:50 PST