Information Security News mailing list archives
Re: Who Are These Jerks, Anyway?
From: Mixter <mixter () NEWYORKOFFICE COM>
Date: Fri, 11 Feb 2000 20:53:53 +0100
A few thoughts on this subject...

On Fri, 11 Feb 2000, Johnathan Meehan wrote:
* 2600, "The Hacker Quarterly", can in no way act disgusted by these attacks and hold insult for being linked to them. When I was a teenager, sitting around with an all powerful 96 modem (speed!) the magazine was a good read. Informative, and fun. Now however, it panders to nothing more than the scr1p7 k1d33. Disseminating information is one thing - tell me how to propagate an attack in rough technical terms, and I would be able to work it out, probably learning a lot on the way. It is doubtful that I would take the attack beyond my own network and my friends, though. However, 2600 is guilty of providing source code directly and/or direct links in several cases. This is not passing the information under the ideal of "free speech". This is passing the gun to a teenage idiot with a seriously bad attitude.
I disagree. What is the difference between posting ready-to-use Denial Of Service programs and posting ready-to-use security vulnerability exploits? Both of them can and often will be (ab)used, but people need them as proof that an attack is feasible. Tons of exploits are being posted on full disclosure sites and lists such as Bugtraq - would you disagree with their philosophy of combating security through obscurity by providing them?
* Innocent is in one way correct, William, but in another I think not. DoS attacks are older than my cleanest pair of socks, and this particular type is not new. The information pertaining to it, and ensuring that your system is not amongst those compromised is freely and easily available. Steps should have been taken by now to ensure that your machine is not one of those used. Whether it be a home box or not - people need to act in a responsible way. You would lock your guns in a cabinet, rather than leave them outside on the window ledge, wouldn't you? What I'm saying is that security is only as good as the next weak machine, and we should not tolerate weak machines.
Correct. These sites are in fact one of the most responsible parties. I do not suggest in any way that they should be persecuted, because it is hard enough for them to understand what is going on. My proposal is to solve the whole problem like netscan.org and other organisations did successfully while defeating the "smurf" attack. Form an organization that scans the complete Internet - non-intrusively - against vulnerable versions of server software on publicly reachable hosts. Contact the administrators systematically and urge them to update their software. Something like this has already been attempted by Liraz Siri and the Internet Auditing Project (search securityfocus for BASS). That way, we would have a chance of eliminating security through obscurity on the Internet, systematically.

Regards,
Mixter

ISN is sponsored by Security-Focus.COM