Re: new iss stuff

[newsham () wiliki eng hawaii edu (Timothy Newsham)]

> Is bugtraq a place for ads?  If you want to mention it, put in a
> pointer to where to find more info (even if just "mail me for more"),
> fine...but an ad for a for-fee binary-only product, that's well over
> half content-free hype, is IMO inappropriate for bugtraq.

Chris did not post this announcement to the list.  Someone else
posted it as something they saw and thought was interesting.
Chris did post to a number of lists where he thought it was
appropriate.  I guess he didnt feel it appropriate to advertise
his own product here.

> I assumed so too, and wrote to the address given in the announcement,
> pointing out that no properly security-paranoid admin will let a
> binary-only program anywhere _near_ hir machine, especially when (as I
> assume is the case here) it is to be run as root.  That part of my
> letter was not reponded to.

Many people do run binary only distributions.  Those who wish not
to need not.  They can either not use ISS or pay for a source
license.  Any properly security-paranoid admin probably knows what
he should be checking for on his system and will find ISS only
minimally helpful.

> I remarked (to this person) that he surely didn't think the cracker
> community wouldn't get hold of ISS, and he indicated this was not a
> concern to him - he didn't think it would happen soon.  IMO this
> indicates enough ignorance of security realities that I doubly shun any
> code from that source.

some quick points here.  Many of the holes looked for by ISS are
not top-secret holes that nobody has heard of.  Then what good is
ISS?  It does alot of checking, it does it thoroghly and it does
it relatively quickly.  For a large net of machines its not uncommon
to have several well secured hosts and some hosts with well known
holes.  Its also not uncommon to have overlooked some old hole.
As an automated scanner ISS will try everything it knows about on
your net.  

Sure sooner or later it will get out.  Crackers can already get
the old versions of ISS and expand on that or even write their
own.  Many have their own scanners already.  Hopefully by the
time ISS is being traded on "underground" bbs's many people
will have scanned their own nets and fixed up the problems.
The protections in ISS are minimal security.  They're better
than no protections, and a very good protection scheme would
be only mildly harder to crack by someone who knows what
they are doing.

> I also remarked that it was trivial to sic a syscall tracer on ISS to
> see what vulnerabilities it checks for, in response to the part about
> not letting everyone know about vulnerabilities as soon as they went
> into ISS.  That part of my letter also was not replied to.

Again these holes aren't huge secrets.

>                                       der Mouse
>                           mouse () collatz mcrcim mcgill edu

I'm sorry this product makes you lose your appetite.  I hope
many people find it useful.

                                Tim N.