Bugtraq mailing list archives

Re: new iss stuff


From: adam () bwh harvard edu (Adam Shostack)
Date: Tue, 10 May 94 14:40:40 EDT


Pat Myrto said:

| "In the previous message, Dan said..."

| It's a good example of Security Thru Obscurity being alive and well.
| It makes these people more a part of the problem than a part of the
| solution.

| >                    INTERNET SECURITY SCANNER 2.0
| 
| [ ... ]
| 
| >         ISS 2.0 will not be distributed to the public directly because
| > of the following reasons:
| 
| Since site admins are members of the 'public' (at least when I last
| checked), this suggests that only 'correct' sites (read: those on the
| largest sites only, or with the 'right' connections) net.legends will
| be able to get this package?  Those without the 'right' connections are
| those who are newly assigned admins, and probably most in need of such
| a package, as they are more or less working in a vacuum.

        No, it means that the package is for sale, not public domain.

| > in control of what network addresses can be scanned and probed so that an
| > organization's copy can not be used to attack other networks.
| 
| I take it that this means it's a binary distribution only?  How else
| do they enforce control over what addresses are scanned?  Source could
| have those controls altered...  Ug.

        Binary is the prime means of distribution, source is also
available.  Source is pricy ($1900) as the guy who wrote it
understands that his attempts to force the code to scan only a certain
set of addresses could easily be bypassed with source.

        It's my feeling that the target IP restrictions will not be
particularly daunting to the bad guys, and the binaries will be
floated as part of the crackers' toolkit, along with instructions for
scanning the addresses you want scanned.

| > 2)  It ensures that crackers (intruders) are no longer getting new security
| 
| It ensures that new site admins and smaller little known sites are no longer
| getting new security ...

        The package doesn't (from what I've seen) offer much "new
security;" it checks for known holes.  A good firewall will protect
you from much of what it does, as will tight configuration of your
system.

| Yeh, right.  In other words, if one is not a net.legend, working for
| CERT, knows a lot of the 'right' people, or running some site that is
| on the Fortune 500, etc, one is out of luck.  But sooner or later, the
| cracker crowd will get a copy if it's any good.
| 
| We have an example of EXACTLY the same mentality as the 'fix crime by
| banning inanimate objects' crowd.  Of course, those who are the problem
| will not be affected by such bans - only those that follow the rules.
| They tell you "call 911, that's good enough for you".  We are being
| told "call CERT, it's good enough for you".
| 
| Same principle here.  Wunnerful.
| 
| Yes, this kind of "security update" leaves a rotten taste in my mouth.

        I don't like it much either, but for a different reason.  The
high cost of source compared to binaries at an educational site will
cause most sites to end up with binaries.  This leads to a black box
way of thinking about security.  If ISS has bugs that cause it to
seriously misrepresent your situation, you may end up trusting a
product you shouldn't.  If it was available as source for the same
price, those bugs would be found and patched sooner.


Adam

-- 
Adam Shostack                                  adam () bwh harvard edu

Politics.  From the Greek "poly," meaning many, and ticks, a small,
annoying bloodsucker.
