Information Security News mailing list archives
Re: Who Are These Jerks, Anyway?
From: Johnathan Meehan <jmeehan () EASYNET CO UK>
Date: Fri, 11 Feb 2000 21:29:36 +0100
Hi Mixter, who said...

> I disagree. What is the difference between posting ready-to-use Denial Of Service programs and posting ready-to-use security vulnerability exploits? Both of them can and often will be (ab)used, but people need them as a proof that an attack is feasible. Tons of exploits are being posted on full disclosure sites and lists such as Bugtraq - would you disagree with their philosophy of combating security through obscurity by providing them?
I have talked this point over with other people recently. The difference is quite clear: one allows an idiot to screw you over; the other allows an intelligent person with some knowledge to make a point. Take the average user of a DoS exploit. Do you really believe that these people are capable of taking basic information and turning it into a tool to use? If, a while ago, I were to have explained a weakness in the TCP/IP stack on certain systems, continued to discuss it at length, but offered no tool or completed code to perform the task, could the average person gleaning pleasure from using these tools have sat down and written it? If so, Mixter, I have to disagree with you on that.

Take also the recently CERT-recognised problem with passing scripts. Age old, and www.coolchat.com suffered badly from it. Who do you think enjoyed using it? The people who understood what was going on and time after time reported the problem, or the people who picked up a new bit of "kung-foo" to impress their friends, and ruin the chat for everybody else? So then, who uses these tools?

I think that you are quite right in mentioning the idea of "security through obscurity". Then again, ask yourself, who needs to know the information? Sysadmin or kids? Sure, sysadmin may not do anything about it, as evidence would suggest, but the problem would not be the same if tools to automate it all were not released. Releasing tools with moderated functionality is no get-out-of-jail clause, either. The point comes down to information and tools, I feel. Provide the information, but do not provide the tools. The more you come to feed the lowest common denominator, the more problems arise. If I say IIS will go down under roughly described circumstances, that is not the same as saying "Type this and have phun, k1ddee5!", which I may as well do if I describe it in too much detail. Just because lazy sysadmin will not take the appropriate action does not mean that the rest of us should suffer.

Or would you disagree with that? As I've said before, when you are capable of perpetrating attacks off your own back, you should have no interest in hurting people. You've learnt. Learn something new. If I released exact information on crippling the emergency line here in Germany, would that fit in with the goals of "combating security through obscurity"? Must people suffer to understand what is happening? This moves on to your well-made second point on how things should be done.

...and then continued:
> Correct. These sites are in fact one of the most responsible parties. I do not suggest in any way that they should be persecuted, because it is hard enough for them to understand what is going on. My proposal is to solve the whole problem like netscan.org and other organisations did successfully while defeating the "smurf" attack. Form an organization who scans the complete Internet - non-intrusively - against vulnerable versions of server software on publicly reachable hosts. Contact the administrators systematically and urge them to update their software. Something like this has already been attempted by Liraz Siri and the Internet Auditing Project (search securityfocus for BASS). That way, we had a chance of eliminating security through obscurity on the Internet, systematically.
Thanks for the info, I'll certainly look them up later this evening.

Regards,
Johnathan Meehan

ISN is sponsored by Security-Focus.COM
Current thread:
- Who Are These Jerks, Anyway? William Knowles (Feb 11)
- Re: Who Are These Jerks, Anyway? Johnathan Meehan (Feb 11)
- Message not available
- Re: Who Are These Jerks, Anyway? Johnathan Meehan (Feb 14)
- Message not available
- Re: Who Are These Jerks, Anyway? Mixter (Feb 14)
- Re: Who Are These Jerks, Anyway? Johnathan Meehan (Feb 14)
- Re: Who Are These Jerks, Anyway? Reverend Jain T. Resin (Feb 16)
- Re: Who Are These Jerks, Anyway? whitvamp (Feb 16)
- Re: Who Are These Jerks, Anyway? Johnathan Meehan (Feb 16)
- Re: Who Are These Jerks, Anyway? Johnathan Meehan (Feb 11)