Full Disclosure mailing list archives
Re: Any thoughts on War-Googling? (long and inflammatory)
From: Michal Zalewski <lcamtuf () ghettot org>
Date: Sun, 18 Apr 2004 20:00:06 +0200 (CEST)
On Sun, 18 Apr 2004, Aschwin Wesselius wrote:
> Is there anybody who is common with the technique described in this
> article? [ http://www.ebcvg.com/articles.php?id=207 ] It says something
> about using Google to target servers by searching paths to
> vulnerabilities.
I read the paper when it was first posted to SECPAPERS; although it is good to see the subject surface, I believe this particular write-up is largely disappointing, and does not demonstrate a threat nearly as serious as the author wants it to appear.

The basic concept discussed in the paper relies on rehashing some fairly old ideas, such as passive infection techniques (I described those ages ago in a sci-fi-esque article in Phrack years ago), or locating vulnerabilities using search engines (the latter dating back to the ages when Altavista ruled the market) - quite notably, there are virtually no attributions or useful references in the article, which makes me a tad suspicious.

Naturally, there is nothing wrong in building on these foundations, but to make the research interesting, one must provide something more than just wishful thinking, for example a good feasibility analysis (based either on theoretical models, or actual lab testing) to provide some foundations to better understand, assess and mitigate the threat; or a balanced discussion of implementation and deployment scenarios AND pitfalls or mitigating factors.

Despite claiming the research is based on an actual feasibility study, it fails to provide any factual, verifiable, or believable information that would make it easy to accept the author's claims of a possible deadly impact of such a super-worm. Statements such as:

  "It will show that such attacks are not only feasible but that their theoretical success rate is far greater than worms targeting commercial infrastructure."

...are completely groundless, as there is nothing that even resembles a useful estimation of the success rate or propagation scenarios (theoretical or not).

The paper is notably one-sided, and may appear merely as an attempt at spreading FUD and promoting the company's or author's name as the one discovering a major threat to the infrastructure. In reality, however, these claims are hard to believe: many omitted failure scenarios and easy-to-break dependencies make such a worm quite easy to stop and eradicate (single choke points and the ease of eliminating a particular worm by search engine operators make it quite unlikely for the worm to succeed at flash propagation).

To summarize: although I am not against self-promotion through disclosure (quite frankly, it would be quite a hypocrisy), I do believe that you only deserve credit and should be taken seriously if you either offer a unique or novel insight, discuss a new theory or technique; or if you write about a known subject, but with a much needed objective and exhaustive approach, offering valuable analysis of the subject and great learning material.

In this particular case, neither is the case (and some aspects of it - such as the form of the announcement on SECPROGS or lack of attributions - make it appear even more as a mere company name plug), and the paper does not seem to warrant any serious attention, not really.

--
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2004-04-18 19:30 --

   http://lcamtuf.coredump.cx/photo/current/