Re: Evil bit now official?

[Jim Duncan <jduncan () juniper net>]

Rob, grandpa of Ryan, Trevor, Devon & Hannah wrote:
> A few days ago I was looking at some vendor material and noticed that
> the "evil bit" was identified in the IP header ...

Alex Eckelberry wrote:
> Which begs the question: What vendor?

Yes, which vendor?

I wrote a security advisory for use in the original Cyber Storm
exercise a few years ago, and intentionally used the evil bit to make
sure that no one could possibly believe it was a real advisory.  I had
great concerns about the advisory leaking outside the exercise, and 
having folks believe it was real.  I consulted with Steve on it.

It turned out to have marvelous side effects all through the exercise,
but that's a long story for another time.

I also use the same material in a hands-on workshop I developed for
FIRST Technical Colloquia for writing security advisories, in which
the participants take a hypothetical evil-bit scenario and figure out
how to tell people about it in a sane and effective way.

In both cases, there's a risk that someone who's not knowledgeable 
might take away the material and think that it's "real".

I've also found the results to be amusing when knowledgeable people
take the info and "run with it", turning it into even funnier stuff.

Hence my interest.  Which vendor?

Thanks.

        Jim

-- 
James N. Duncan, CISSP
Manager, Juniper Networks Security Incident Response Team (Juniper SIRT)
E-mail: jduncan () juniper net  Mobile: +1 919 608 0748
PGP key fingerprint:  E09E EA55 DA28 1399 75EB  D6A2 7092 9A9C 6DC3 1821

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.