Vulnerability Development mailing list archives

RE: Malicious use of grc.com


From: "Everhart, Glenn (FUSA)" <GlennEverhart () FirstUSA com>
Date: Wed, 28 Nov 2001 12:20:56 -0500

Gibson here is not running scans that have been spoofed; his system might
be, but under control of someone who is using it, again presuming this
works. Same principle as those whose machines get infected with DoS
programs and are used as zombie attackers. This machine is after all
offered as a free service for people to use to check their OWN systems.

If you abuse his box to scan someone else, YOU are the party doing the
abuse.

This is not to say that the known flaw should have been there to begin
with. Let us all remove systems that have such flaws and are not developed
to the best of standards. As a side effect it will rid the Internet of
a vast number of users who won't act as adults and remove a number of
nasty software vendors. Should leave about three OSs standing whose users
on the whole also tend to be more security conscious.

Bwahahahaha...

:-)


-----Original Message-----
From: Aussie [mailto:aussie () aussie mine nu]
Sent: Wednesday, November 28, 2001 7:57 AM
To: vuln-dev () securityfocus com
Subject: Re: Malicious use of grc.com


On 27 Nov 2001, at 12:40, Thor () HammerofGod com wrote:

<SNIPPED>
Some consider Magni's personal statement at the end of the advisory a
"rant."  That may be so, but it most certainly rings of truth.  I
won't make personal statements regarding Mr. Gibson, as I don't know
him.  However, I know what he has said:

"Port scans can not be spoofed Ben. They require an authentic IP else
the returning packet won't ever come back and report upon the port's
status. Furthermore, many other national ISP's and responsible
security testing services *ARE* excluding my IP ranges from their
reports"

and

"You, I, and our mutual customers all know that packets from GRC are
never attacks or intrusion attempts, so its deliberate generation of
such reports -- which you have admitted, and we both know, could be
easily blocked -- is irresponsible and represents defective operation
from your product. Your utilities are broken since they are
deliberately reporting known non-attacks. "


Is it my ignorance, or does Gibson seem to not really understand that the 
port scans in question HAVE a valid IP...his systems and therefore are 
being returned, via his systems, to the attacker who has just effectively 
hidden his (her?) real IP by using Gibson's IP range instead. Is this not 
a form of spoofing?

Is Gibson suggesting that his unauthorised (by me) and unwanted (by me) 
checks of certain ports on MY system should not be defined by me as 
attacks or intrusion attempts? Further, by what right does Gibson 
determine that MY firewall/IDS is faulty because it deliberately 
generates reports to indicate that someone port scanned me without my 
authorisation? If someone scans the 10 ports or so that Gibson's Shield-
Up product scans, I like to think that I have every right to determine 
that the person has attacked and possibly attempted an intrusion on my 
private systems. Maybe I'm completely wrong, after all, IANAL.

To me, Gibson's response smells like "I can do what I want, if you don't 
like it, you're wrong".

Gnuthad



