Nmap Development mailing list archives
Re: Socat
From: Andreas Ericsson <ae () op5 se>
Date: Fri, 17 Jun 2005 00:06:35 +0200
Fyodor wrote:
On Thu, Jun 16, 2005 at 08:17:54PM +0200, Andreas Ericsson wrote:
More like sitting in a wheelchair and building surfboards for no-one in particular. True. Student projects tend to lean somewhat toward intellectual masturbation. Let's just hope they don't get carried away with their own cleverness.
Just because you don't like to surf, doesn't make surfboards useless. Sorry for continuing the bad analogy, but the programs are _at least_ ones that *I* would like to use, if no one else. I spent the summer of 1997 at Johns Hopkins University, and gave myself a summer project: write a new and improved port scanner to extend and reinterpret the excellent but aging and barely maintained strobe. You may call that intellectual masturbation or getting carried away with my own cleverness if you like, but I think the Nmap project has turned out pretty well.
Yup. Works like a charm. :) netcat has several (maintained) incarnations though, and part of its charm is that it keeps everything so absolutely super-simple (the original netcat actually only had "main()" which consisted of some 2000 lines of code and still managed to be somewhat elegant). Adding certificate logons, 2048-bit encryption, cryptographically sound hashing and public-key authentication will just make it messy without accomplishing all that much. Do we really need to re-invent ssh?
I wrote Nmap to suit my own needs, and was glad that other people found it useful as well. In the same way, my proposals for the Nmap SoC projects are what I would like to see and use. And judging by the hundreds of applications for 5-10 sponsorship slots, many other people are excited about the prospect as well. Just because a project doesn't push all of your buttons, doesn't make it useless.
Something worthwhile would be to write a testing engine for vulnerabilities to serially try various exploits on a wide range of hosts.
And you were so worried that the revised Netcat would be abused by script kiddies??! You declared that "spending quality coding time so that juvenile idiots ... have a means of quickly doing something non-constructive and possibly illegal is not my idea of fun."
Yes, I did. That was because the original poster proposed so adamantly that the code must be portable to Windows, since it was often needed as a backdoor program there. Implementing all the features (cryptohashing, keys, yada yada) and still keeping it portable to Windows will be a maintainer nightmare. Living that nightmare for the benefit of script-kiddies is something I don't wish upon my worst enemy. The exploit testing engine would not only work for the shy side of the community but would also have a very wide legitimate use, and would put a hefty amount of pressure on the large software companies and distributors to release patches quickly when security weaknesses are found. Once the exploit is in the fingerprint database their customers will suffer. Suffering customers are fairly often a bit miffed about the whole thing, and tend to take such things in a thoroughly non-philosophical way.
But seriously -- students absolutely do not need to go by my proposals. They can (and some have) propose something totally new or a major modification of one of these proposals. And if I think the proposal rocks, I'll try to get it sponsored. You need to be a student for this particular opportunity, and the app deadline has passed, but if there is something someone really wants to see ... send me (or nmap-dev) a detailed proposal! If it looks good, I'll run it by the applicants and see if any are interested. I probably will add at least a couple more projects, if I can think them up. But it will have to be in the next few days, as the acceptance deadline is next Friday.
Unfortunately I put the scholars' world behind me nine years ago, and as I've already stated in a reply to madhat I'm bound by contract not to publish code or designs which can be used for anything nasty.
Remember the major limitations though: it has to be doable by 1 talented student in 2 months. And I try to propose things that can be mostly done outside of Nmap's core source code, 'cause having 10 people all trying to hack the Nmap innards would be a mess. Yet it still has to be somewhat Nmap related.
I'm strongly in favour of the capability to demand-load modules, but I guess I've communicated that at least twice already (in other postings), so I'll just shut up now and go about starting my vacation. Don't be terribly offended if I don't reply for the next two weeks.
--
Andreas Ericsson andreas.ericsson () op5 se
OP5 AB www.op5.se
Lead Developer
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev