Re: SATAN ATTACKS EVERYWHERE

[ley () cert dfn de (Wolfgang Ley)]

> Hey, are we still here?? Looks like we survived the numerous attacks 
> from hordes of hackers armed with SATAN with the only desire
> to pillage and pilfer everyone's networks.  The Internet has survived
> another mega hype negative story!  
>
> For some reason, I really can't see tons of hackers using SATAN for several
> reasons:

0. SATAN was never designed to be a tool to exploit security problems
   on other sites.

> 1. It is HUGE.  It eats up tons of disk and ram space.  When I tried to 
> load up SATAN's demo information on a 16 meg machine here, it crashed
> from not having enough RAM.  It requires 32 megs .  (And I thought
> Windows was a memory hog).  Like the administrator won't notice he only
> has 1 meg of ram left.

I have never seen a "real" Unix system with 16 meg total memory (phys.
memory and swap space). I'm not talking about your poor PC running
linux or something like that...

SATAN itself is not "HUGE". Maybe you are talking about an interactive
session using an X11-html-viewer and you are including perl5 into your 
count? The memory SATAN needs depends on the size of your network.
If you have a network with several thousand computers you will have
at least one with more than 16 meg total memory (including swap)
and a free disk space of a few (lets say 50) megs - don't you?

> 2. It requires installing other packages like perl.  Most hackers aren't
> able to run anything unless it's a no brainer script.  "Gee the bad thing
> is we've been hacked and someone used SATAN, the good thing is that we
> got perl5 and a web browser installed." 

Perhaps you are talking about wannbe-hackers that are trying to break
into other systems (crackers). Hackers (in the original term people
with deep knowledge about computers) won't have problems installing
perl... Every normal sys-admin is able to install perl - it's one
of the easiest to install packages that are available.

> 3. Since you have to use a web browser, you have to either run SATAN from
> the console (umm, really stupid hacker scanning from his own machine) or
> redirect the X Display to his own machine (still really stupid).  Who knows,
> I wouldn't be suprised if some hacker wanna-be does use SATAN.  Maybe
> CERT can tell us if they have seen a dramatic increase in breakins now
> that SATAN is released?

Have you ever tried to read the documentation? Ever used SATAN?
Of course you can use satan as a shell-command to collect the data.
There are also HTML-viewers that do not need X (like lynx) and work
very well together with satan.

> Hey, I am glad that SATAN really isn't the ideal hacker tool, but I wanted
> to point out (contrary to News Media) that SATAN is not the tool that
> will shut down the Internet.

Hmm. My very personal opinion is that you not tried to be objective
nor did you read the full documentation and understood the principles of
SATAN.

But now we are comming to the real reason of your posting:

> On a side note,  I have released ISS 1.3 which is available on ftp.iss.net
> /pub/iss/iss13.tar.gz which includes many more checks than what SATAN
> has specified.  Also, it doesn't require installing any other 
> outside packages, is in C, and doesn't require large amounts of ram 
> nor disk space. 

Ok. Let's check.

1. Includes more checks?
   This is not a problem. The main goal of the current release of
   SATAN was to bring out the package right now so it can't be stopped,
   to get feedback for bug-fixes and (later) add more tests.

   It would be interesting to see new versions of ISS as soon as new
   checks are being shipped with SATAN. So why haven't you released
   this iss version with more tests before?

2. Doesn't require installing other packages?
   Oh - nice. How will it work on my Solaris 2.x machine (out of the box)
   that has no C-compiler?

SATAN also includes another very important part (missing in ISS):
the "web of trust". By using this you can "get the whole picture" instead
of highliting only single problems. This part isn't yet powerful enough
but the authors are still working especially on this topic.

Another point: You first said that satan is huge, requires additional
packages, etc. and than said that your product is better in this
categories. Also you said because of the disadvantages of SATAN in
this points crackers won't use it. Later on you are advertising your
tool... Who should use it? The crackers or the sysadmins?

You completly ignored the very good documentation of SATAN! Also
compare the data presentation of ISS and SATAN and the user interface...

Also I don't think that Dan and Wietse are those guys who are
thinking: first we release a small package for public use and than
(after getting feedback and imporving the product) don't give the
results of the feedback back to the community but instead sell
the product as binary only for a very high price...

Bye,
  Wolfgang Ley.
--
----------------------------------------------------------------------
Wolfgang Ley, DFN-CERT, Vogt-Koelln-Str. 30, 22527 Hamburg,    Germany
Email: ley () cert dfn de
Phone: +49 40 54715-262                          Fax: +49 40 54715-241
PGP-Key available via finger ley () concert cert dfn de or any key-server