Re: concerning ~el8 / project mayhem

[Dave Piscitello <dave () corecom com>]

At 02:22 PM 8/22/2002 -0400, you wrote:
> Indeed.  So what you are saying is that the scanners are a crutch that
> lets you avoid raising your competency.

Not at all, and in fact, quite the opposite. Not certain if you're trying 
to bait me here, but of course, there's a "let the tool help the lazy avoid 
improving himself" aspect to scanners, but lazy is as lazy does. I'm not 
lazy, and I find them useful.

They are tools. People with experience in one OS can get a jumpstart on 
appreciating and learning the vulnerabilities of others.

The more useful ones not only identify vulnerabilities, but they provide an 
explanation of the vulnerability. Many offer URLs to online documentation 
explaining the risk, the nature of the vulnerability, exploits associated 
with the vulnerability, locations where the vendor has posted the security 
fix, service pack, whatever. I gather you've not used any of these?

> Perhaps you could compare it to
>  - reading books with the term "hack" or "hackers" in the title
>    (search amazon.com for examples...)

Personally, I think these books tell you more about how to be as clever as 
the kiddies that attack systems than they do about improving security of 
systems. I prefer the "securing foo" titles. But quality scanners educate 
you in similar ways to such books, if you take the time to do more than 
"recommended action: change registry value X to Y".

>  - reading the vuln-dev mailing list

This is a good resource and very helpful when a scanner doesn't tell me 
enough about the vulnerability to help me understand.

>  - reading the LINUX source code

Oh, come down from the lofty perch...this is an entirely elitist 
perspective. The ratio of people who must be engaged in securing systems 
vs. those capable of evaluating whether source correctly bounds data 
structures approaches infinity.

>  - Following up on the Linux vendor advisories to see what changes they
>    made to the source to overcome the problems mentioned in the
>    advisories.
>  - Trying to fix the problems in the advisories yourself then comparing
>    with the published solutions

Begs the issue of having the skill to do this absent some additional 
guidelines that some scanners do provide in a kinder, gentler step by step 
manner than "read the F'in advisory and patch the source, or aren't you the 
manly 'I grok Linux and C' type?"

>  - Reading the CVE database

If the CVE entry is referenced in the scanner, is this sufficient?

>  - Reading papers by Bhoem, Parnas, Hansen and the like (or perhaps
>    "Software Tools") on good technique and comparing it with some
>     published code.
>    (Some of the 'open source' code is exemplary in its grotty-ness)

This is unfortunately a luxury for many daily ops folks. Have you run or 
worked in a NOC?

> I don't drink beer, and besides, it doesn't pay the mortgage.

No, but I am guilty of frequently doing work out of friendship and I have a 
charitable nature.


David M. Piscitello
Core Competence, Inc. &
3 Myrtle Bank Lane
Hilton Head, SC 29926
dave () corecom com
843.689.5595
www.corecom.com



_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards