Bugtraq mailing list archives

Re: Fwd: Information on MS99-022


From: avalon () COOMBS ANU EDU AU (Darren Reed)
Date: Mon, 5 Jul 1999 19:33:28 +1000


In some mail from Renaud Deraison, sie said:

On Mon, 5 Jul 1999, Darren Reed wrote:

What comes to my mind is that Microsoft is giving the scoop of the
test of the vulnerability to the ICSA's IDC members.

And the problem with that is?  What should be important is that the
information about the problem became public, allowing people to become
aware of the problem and how to fix it.

But as someone else pointed out in this very same list, it's not always
possible to determine whether there is a problem or not in another way
than actually testing the flaw (intrusion tests are an example)

So everyone who has IIS4.0 should test for the flaw first before
installing the patch?  I don't think that's the right methodology.
When I apply patches, security or otherwise, I don't necessarily want
to test the problem first and nor should I need to.  I should get all
the information I need to correctly apply the patch with the patch
itself.

Intrusion tests should not be the basis for applying patches.  If that
is actually the case then procedures which involve the administration
of the machine(s) need to be re-examined.  That said, I'd argue that
keeping a machine up to date with patches is just as, if not more important
than running intrusion tests.  Those tests should be the mechanism by
which you go from a state of having a collection of hosts about which
you know nothing about to a state where you know what needs to be done
(if anything) in order to minimise the risk of an intrusion and from
there can implement a plan of action that keeps them in a state of
minimal risk.

[...]
but the domain microsoft.com has been number one in terms of download and
site frequentation at nessus.org :) During a time,  they were downloading
each new version of the product and coming back very frequently. Now, I
can not say whether they were actually using Nessus or not, but well, I
think that they were not storing their downloads in /dev/null ;))

You're assuming that such access is in line with a policy of "do not use
the internet for non-work related things", which I'm sure is enforced the
same everywhere :)

I know of people who work at Microsoft who do so only as their `day job'.

Or maybe what they saw in Nessus was enough to persuade them that going
to ICSA was the right thing to do?

[...]
This attitude shows the lack of ethic of several companies which claim
they are interested in security. Because no matter how knowledgeable you
are, you will have to pay to determine if you are vulnerable or not.

Now you're catching on.  Security is a market of some value, today, not
like it was back in the early 90's when things like FWTK/Satan were written
and given away.

I disagree with that too. I'm not the only weirdo on this planet who is
giving away security tools. Just think about Nmap, Trinux, SAINT, ipchains
and many more.

I give one away too, in case you weren't aware of that.  But I'm not
arguing that there isn't any free security software or new projects
don't happen, just that there is an increased value on such knowledge
(of bugs and processes) today and hence less incentive to give such
knowledge away.

I'd like to point out that your list does not mention any free knowledge
bases or data warehouses which contain information on security
vulnerabilities.  Sure there are web sites with exploits for many
different security holes but that's not quite the same sort of
resource that some will provide for a fee.

Darren
