Full Disclosure mailing list archives
Re: New Security News Website
From: "Gregory A. Gilliss" <ggilliss () netpublishing com>
Date: Mon, 16 Feb 2004 16:36:31 -0800
Hey Paul, Two questions ... One, why make assumptions about someone you don't know? Two, why answer in an antagonistic tone (minus smileys)? AFAIK the original post was an ad for a new list. First thing I'm going to look for is whether the machine hosting the list *appears* secure. Yeah, they can have a loud nmap response and it can be bogus, no duh! The machine in question may be running honeypot/masquerading/whatever. I don't care. Scan any of my IPs and you get RSTs back. That's *my* version of secure. Attackers get diddly. Notice that I am not saying that *my* version of secure has to be *yours*. <sigh> I miss the good old BBS days when people who had a clue would *help* each other instead of making every f**king post into a pissing contest. Posts like this one are why I have a blacklist for FD. G On or about 2004.02.16 17:28:15 +0000, Paul Schmehl (pauls () utdallas edu) said:
So you think a simple nmap scan is sufficient to determine if a host is insecure? Interesting. If you scanned my Windows XP boxes, you'd find a bunch of juicy ports open. What you wouldn't find is a hackable daemon. All the open ports feed a program that captures the packets for analysis later. The boxes are running no Internet-addressable services. Yet, from an nmap scan you might (wrongly) assume that those boxes were grossly insecure. This is the Internet. Things are not always what they seem. And open ports don't always mean negligence. For example: bash-2.05b# telnet www.hackerintel.com 113 Trying 216.92.170.7... Connected to hackerintel.com. Escape character is '^]'. Connection closed by foreign host. bash-2.05b# telnet www.hackerintel.com 543 Trying 216.92.170.7... Connected to hackerintel.com. Escape character is '^]'. Connection closed by foreign host. bash-2.05b# telnet www.hackerintel.com 544 Trying 216.92.170.7... Connected to hackerintel.com. Escape character is '^]'. Connection closed by foreign host. Looks suspiciously like tcpwrappers to me. And just because you *can* get a login prompt or banner on a particular port, *even if* it appears to be a "normal" service for that port, does not necessarily mean you are addressing that actual service. (The program I refer to would make you *think* you were talking to a compromised machine running NetBus, for example - as well as MyDoom, Slammer and a few other nasties, if all you did was telnet to that port.)
-- Gregory A. Gilliss, CISSP E-mail: greg () gilliss com Computer Security WWW: http://www.gilliss.com/greg/ PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 D9 B4 14 0E 8C A3 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- New Security News Website Pr0 Curve (Feb 16)
- Re: New Security News Website Gregory A. Gilliss (Feb 16)
- Re: New Security News Website Paul Schmehl (Feb 16)
- Re: New Security News Website Gregory A. Gilliss (Feb 16)
- Re: New Security News Website Valdis . Kletnieks (Feb 16)
- Re: New Security News Website Paul Schmehl (Feb 16)
- Re: New Security News Website Paul Schmehl (Feb 16)
- Re: New Security News Website Paul Schmehl (Feb 16)
- Re: New Security News Website g0d (Feb 16)
- Re: New Security News Website Benjamin Meade (Feb 16)
- Re: New Security News Website Ron DuFresne (Feb 16)
- Re: New Security News Website Paul Schmehl (Feb 17)
- Re: New Security News Website Gregory A. Gilliss (Feb 16)
- Re: New Security News Website Paul Schmehl (Feb 16)