Re: New Security News Website

["Gregory A. Gilliss" <ggilliss () netpublishing com>]

Hey Paul,

Two questions ...

One, why make assumptions about someone you don't know?

Two, why answer in an antagonistic tone (minus smileys)?

AFAIK the original post was an ad for a new list. First thing I'm going
to look for is whether the machine hosting the list *appears* secure.
Yeah, they can have a loud nmap response and it can be bogus, no duh!
The machine in question may be running honeypot/masquerading/whatever.
I don't care. Scan any of my IPs and you get RSTs back. That's *my* 
version of secure. Attackers get diddly.

Notice that I am not saying that *my* version of secure has to be *yours*.

<sigh> I miss the good old BBS days when people who had a clue would
*help* each other instead of making every f**king post into a pissing
contest. Posts like this one are why I have a blacklist for FD.

G

On or about 2004.02.16 17:28:15 +0000, Paul Schmehl (pauls () utdallas edu) said:

> So you think a simple nmap scan is sufficient to determine if a host is 
> insecure?  Interesting.
>
> If you scanned my Windows XP boxes, you'd find a bunch of juicy ports open. 
> What you wouldn't find is a hackable daemon.  All the open ports feed a 
> program that captures the packets for analysis later.  The boxes are 
> running no Internet-addressable services.  Yet, from an nmap scan you might 
> (wrongly) assume that those boxes were grossly insecure.
>
> This is the Internet.  Things are not always what they seem.  And open 
> ports don't always mean negligence.
>
> For example:
>
> bash-2.05b# telnet www.hackerintel.com 113
> Trying 216.92.170.7...
> Connected to hackerintel.com.
> Escape character is '^]'.
> Connection closed by foreign host.
> bash-2.05b# telnet www.hackerintel.com 543
> Trying 216.92.170.7...
> Connected to hackerintel.com.
> Escape character is '^]'.
> Connection closed by foreign host.
> bash-2.05b# telnet www.hackerintel.com 544
> Trying 216.92.170.7...
> Connected to hackerintel.com.
> Escape character is '^]'.
> Connection closed by foreign host.
>
> Looks suspiciously like tcpwrappers to me.
>
> And just because you *can* get a login prompt or banner on a particular 
> port, *even if* it appears to be a "normal" service for that port,  does 
> not necessarily mean you are addressing that actual service.  (The program 
> I refer to would make you *think* you were talking to a compromised machine 
> running NetBus, for example - as well as MyDoom, Slammer and a few other 
> nasties, if all you did was telnet to that port.)

-- 
Gregory A. Gilliss, CISSP                              E-mail: greg () gilliss com
Computer Security                             WWW: http://www.gilliss.com/greg/
PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 D9 B4 14 0E 8C A3

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html