Re: Who Are These Jerks, Anyway?

[Mixter <mixter () NEWYORKOFFICE COM>]

A few thoughts on this subject...

On Fri, 11 Feb 2000, Johnathan Meehan wrote:

> * 2600, "The Hacker Quarterly", can in no way act disgusted by these attacks
> and hold insult for being linked to them. When I was a teenager, sitting
> around with an all powerul 96 modem (speed!) the magazine was a good read.
> Informative, and fun. Now however, it panders to nothing more than the
> scr1p7 k1d33. Disseminating information is one thing - tell me how to
> propogate an attack in rough technical terms, and I would be able to work it
> out, probably learning a lot on the way. It is doubtful that I would take
> the attack beyond my own network and my friends, though. However, 2600 is
> guilty of providing source code directly and/or direct links in several
> cases. This is not passing the information under the ideal of "free speech".
> This is passing the gun to a teenage idiot with a seriously bad attitude.

I disagree. What is the difference between posting ready-to-use Denial Of
Service programs and posting ready-to-use security vulnerability exploits?
Both of them can and often will be (ab)used, but people need them as a proof
that an attack is feasible. Tons of exploits are being posted on full
disclosure sites and lists such as Bugtraq - would you disagree to their
philosophy of combating security through obscurity by providing them?

> * Innocent is in one way correct, William, but in another I think not. DoS
> attacks are older than my cleanest pair of socks, and this particular type
> is not new. The information pertaining to it, and ensuring that your system
> is not amongst those compromised is freely and easily available. Steps
> should have been taken by now to ensure that your machine is not one of
> those used. Whether it be a home box or not - people need to act in a
> responsible way. You would lock your guns in a cabinet, rahter than leave
> them outside on the window ledge, wouldn't you? What I'm saying is that
> security is only as good as the next weak machine, and we should not
> tolerate weak machines.

Correct. These sites are in fact one of the most responsible party. I do
not suggest in any way that they should be persecuted, because it is hard
enough for them to understand what is going on. My proposal is to solve the
whole problem like netscan.org and other organisations did successfully
while defeating the "smurf" attack. Form an organization who scans the
complete Internet - non-intrusively - against vulnerable versions of
server software on publically reachable hosts. Contact the administrators
systematically and urge them to update their software. Something like this
has already been attempted by Liraz Siri and the Internet Auditing Project
(search securityfocus for BASS). That way, we had a chance of eliminating
security through obscurity on the Internet, systematically.


Regards,

Mixter

ISN is sponsored by Security-Focus.COM