Re: Who Are These Jerks, Anyway?

[Johnathan Meehan <jmeehan () EASYNET CO UK>]

Hi Mixter,

who said...
> I disagree. What is the difference between posting ready-to-use Denial Of
> Service programs and posting ready-to-use security vulnerability exploits?
> Both of them can and often will be (ab)used, but people need them as a
proof
> that an attack is feasible. Tons of exploits are being posted on full
> disclosure sites and lists such as Bugtraq - would you disagree to their
> philosophy of combating security through obscurity by providing them?

I have talked this point with other people recently. The difference is quite
clear: one allows an idiot to screw you over; the other allows and
intelligent person with some knowledge to make a point. Take the average
user of a DoS exploit. Do you really believe that these people are capable
of taking basic information and turning it into a tool to use? If a while
ago, I were to have explained a weakness in the TCP/IP stack on certain
systems, continued to discuss it at length, but offered no tool or completed
code to perform the task, that the average person gleaning pleasure from
using these tools could have sat down and written it? If so, Mixter, I have
to disagree with you on that. Take also, the recently CERT recognised
problem with passing scripts. Age old, and www.coolchat.com suffered badly
from it. Who do you think enjoyed using it? The people who understood what
was going on and time after time reported the problem, or the people who
picked up a new bit of "kung-foo" to impress their friends, and ruin the
chat for everybody else? So then, who uses these tools?

I think that you are quite right in mentioning the idea of "security through
obscurity". Then again, ask yourself, who needs to know the information?
Sysadmin or kids? Sure, sysadmin may not do anything about it, as evidence
would suggest, but the problem would not be the same if tools to automate it
all were not released. Releasing tools with moderated functionality is no
get out of jail clause, either. The point comes down to information and
tools, I feel. Provide the information, but do not provide the tools. The
more you come to feed the lowest common denominator, the more problems
arise. If I say, IIS will go down under roughly described circumstances,
that is not the same as saying "Type this and have phun, k1ddee5!", which I
may as well do if I describe it in too much detail.

Just because lazy sysadmin will not take the appropriate action does not
mean that the rest of us should suffer. Or would you disagree with that? As
I've said before, when you are capable of perpatrating attacks of your own
back, you should have no interest in hurting people. You've learnt. Learn
something new. If I released exact information on crippling the emergency
line here in Germany, would that fit in with the goals of "combating
security through obscurity"? Must people suffer to understand what is
happening? This moves on to your well made second point on how things should
be done.

and then continued...
> Correct. These sites are in fact one of the most responsible party. I do
> not suggest in any way that they should be persecuted, because it is hard
> enough for them to understand what is going on. My proposal is to solve
the
> whole problem like netscan.org and other organisations did successfully
> while defeating the "smurf" attack. Form an organization who scans the
> complete Internet - non-intrusively - against vulnerable versions of
> server software on publically reachable hosts. Contact the administrators
> systematically and urge them to update their software. Something like this
> has already been attempted by Liraz Siri and the Internet Auditing Project
> (search securityfocus for BASS). That way, we had a chance of eliminating
> security through obscurity on the Internet, systematically.

Thanks for the info., I'll certainly look them up later this evening.

Regards,

Johnathan Meehan

ISN is sponsored by Security-Focus.COM