RE: FAX a virus - Rhetorical and logical Fallacies

["Steven Hess" <shess () myrapidsys com>]

Pardon me for intruding - I may be able to contribute some information. 

This is not a zero day vulnerability - just a possible approach. 

If you assume that the receiver is a computer fax system, like Symantec's
WinFax running on Windows, there is a possible opening. 

I have set up fax servers for paperless fax and workgroup distribution in my
workplace. The components are a server with a fax modem, the Windows OS, and
the WinFax application. 

First, a fax transmission uses a handshake, and agrees on a data rate. The
application takes over. The next thing sent is the Huffman encoding table
for the message. Then the numerical entries of the Huffman table, that
represent the image data of the fax. 

My point is that buffer overflow exploits, that were not caught by testing
the validity of the data, abound. Whether this is possible, depends on the
bounds checking of the application, and the vulnerability of the OS. 

Just a thought. 

Steven Hess



-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Craig Wright
Sent: Wednesday, March 07, 2007 4:28 AM
To: security-basics () securityfocus com
Cc: nduda () vistaprint com; dtndan () gmail com
Subject: FAX a virus - Rhetorical and logical Fallacies


Hi,

First, the attacks stating that I am a lawyer, that I am ranting etc, are
rhetorical fallacies of the order "Ad hominem". This is an attack on the
character of a person rather than their opinions or arguments. This does
nothing to prove a case or an opinion.

 
A few "Red Herrings" - or diversionary tactics that avoids the key issues,
often by avoiding opposing arguments rather than addressing them - have also
been put in. Such as stating that Faxes can use VoIP. VoIP is invisible from
the purpose of a fax based attack and thus irrelevant. 
 
The arguments that there must be some attack over fax because email has
become a means of attacking are "Begging the Claim". This is where the
conclusion you should prove is validated within the claim.

 
The few emails I have received stating that the idea must be wrong as I am
not technical enough (which also mis a fallacy) is a "Genetic Fallacy". This
is a conclusion is based on an argument that the origins of a person, idea,
institute, or theory determine its character, nature, or worth.

 
The "Circular Arguments" or restating the argument rather than actually
proving it are not even close to finishing.

 
The "Post hoc ergo propter hoc" fallacy, that a conclusion that assumes that
if 'A' occurred after 'B' then 'B' must have caused 'A.' has been made.

 
In assuming that there must be some attack against a fax server as there is
an image based attack, fuzzing on some Windows systems is a "Hasty
Generalization".  This is a conclusion based on insufficient or biased
evidence.

 
Together they make a "Slippery slope". This is the logically fallacy where a
conclusion based on the premise that if A happens, then eventually through a
series of small steps, through B, C,..., X, Y, Z will happen, too, basically
equating A and Z.

 
I think that the "Ad populum" (an emotional appeal that speaks to
positive/negative; such as patriotism, religion, democracy) logical fallacy
has not been used as yet? If it was I missed it, sorry.

 
These are common errors in reasoning, but they do nothing to prove anything.
In fact they make your argument weaker. 
 
I reiterate. Please prove that a fax system can transmit a virus, trojan or
ANY of YOUR choice of malware through the sending/receiving process. I will
happily recant - if and when you prove me wrong. Until then, and if it is
not proven, the case is that it is NOT possible.

 
Null Hypothesis (Ho): It is not possible to send malware using a fax in ANY
event, ever. No way, no chance, never. (make this easier for you?)

 
Alternate Hypothesis (Ha): It is possible to send malware using a fax
service (any one of any that may exist - just one instance.

 
Scientific reasoning states that the null hypothesis stands until and unless
you can prove otherwise. No arguments that it is likely, that it is similar
to something on a web server etc. Proof. Please even supply a valid thought
experiment to test a logical possibility - even a REALLY remote one

 
Regards,

Craig


Liability limited by a scheme approved under Professional Standards
Legislation in respect of matters arising within those States and
Territories of Australia where such legislation exists.

DISCLAIMER
The information contained in this email and any attachments is confidential.
If you are not the intended recipient, you must not use or disclose the
information. If you have received this email in error, please inform us
promptly by reply email or by telephoning +61 2 9286 5555. Please delete the
email and destroy any printed copy.  
Any views expressed in this message are those of the individual sender. You
may not rely on this message as advice unless it has been electronically
signed by a Partner of BDO or it is subsequently confirmed by letter or fax
signed by a Partner of BDO.

BDO accepts no liability for any damage caused by this email or its
attachments due to viruses, interference, interception, corruption or
unauthorised access.