Bugtraq mailing list archives
Re: new iss stuff
From: newsham () wiliki eng hawaii edu (Timothy Newsham)
Date: Tue, 10 May 1994 17:40:41 -1000 (HST)
> Is bugtraq a place for ads? If you want to mention it, put in a pointer to where to find more info (even if just "mail me for more"), fine... but an ad for a for-fee binary-only product, that's well over half content-free hype, is IMO inappropriate for bugtraq.
Chris did not post this announcement to the list. Someone else posted it as something they saw and thought was interesting. Chris did post to a number of lists where he thought it was appropriate. I guess he didn't feel it appropriate to advertise his own product here.
> I assumed so too, and wrote to the address given in the announcement, pointing out that no properly security-paranoid admin will let a binary-only program anywhere _near_ hir machine, especially when (as I assume is the case here) it is to be run as root. That part of my letter was not responded to.
Many people do run binary-only distributions. Those who wish not to need not. They can either not use ISS or pay for a source license. Any properly security-paranoid admin probably knows what he should be checking for on his system and will find ISS only minimally helpful.
> I remarked (to this person) that he surely didn't think the cracker community wouldn't get hold of ISS, and he indicated this was not a concern to him - he didn't think it would happen soon. IMO this indicates enough ignorance of security realities that I doubly shun any code from that source.
Some quick points here. Many of the holes looked for by ISS are not top-secret holes that nobody has heard of. Then what good is ISS? It does a lot of checking, it does it thoroughly, and it does it relatively quickly. For a large net of machines it's not uncommon to have several well-secured hosts and some hosts with well-known holes. It's also not uncommon to have overlooked some old hole. As an automated scanner ISS will try everything it knows about on your net. Sure, sooner or later it will get out. Crackers can already get the old versions of ISS and expand on that, or even write their own. Many have their own scanners already. Hopefully by the time ISS is being traded on "underground" BBSs many people will have scanned their own nets and fixed up the problems. The protections in ISS are minimal security. They're better than no protections, and a very good protection scheme would be only mildly harder to crack by someone who knows what they are doing.
> I also remarked that it was trivial to sic a syscall tracer on ISS to see what vulnerabilities it checks for, in response to the part about not letting everyone know about vulnerabilities as soon as they went into ISS. That part of my letter also was not replied to.
Again these holes aren't huge secrets.
> der Mouse mouse () collatz mcrcim mcgill edu
I'm sorry this product makes you lose your appetite. I hope many people find it useful. Tim N.
Current thread:
- Source vs. binary for tools, (continued)
- Source vs. binary for tools Jeremy Epstein -C2 PROJECT (May 12)
- runaway lockd problems (SunOS 4.1.3) Pat Myrto (May 12)
- [8lgm]-Advisory-7.UNIX.passwd.11-May-1994 [8LGM] Security Team (May 12)
- Re: [8lgm]-Advisory-7.UNIX.passwd.11-May-1994 Pat Myrto (May 13)
- Re: [8lgm]-Advisory-7.UNIX.passwd.11-May-1994 Gene Spafford (May 13)
- Re: Time For New Security Package? (was Re: new iss stuff) Mark (May 10)
- Selling binaries Karyn Pichnarczyk (May 10)
- Re: new iss stuff Timothy Newsham (May 10)
- Re: new iss stuff Pat Myrto (May 10)
- Re: new iss stuff Andrew Watts (May 10)
- Re: new iss stuff Pat Myrto (May 10)
- Re: new iss stuff Steven C. Blair (May 10)
- iss: _my_ last two cents der Mouse (May 11)
- Re: passwd -F Pat Myrto (May 10)
- Re: passwd -F Daniel Azuelos (May 11)
- Re: passwd -F Casper Dik (May 11)