Vulnerability Development mailing list archives
Re: Denials of Service Attacks
From: intrusion () ENGINEER COM (J. Oquendo)
Date: Thu, 20 Jul 2000 18:56:23 -0400
My only real comment is against the recent trend of releasing 'broken' exploits, as being against the spirit of "full disclosure." I would hasten to say that a large number of people using publish 'cracker' tools are professionals, as opposed to script kids.
I beg to differ on a non-flamish note... This wasn't a release of any specific program so I figured I would post it in hopes people would toss around ideas and get back to me and post relevant information on the subject.
Most of us are pretty busy, too. While the error intentionally introduced may be a small one, it frequently interferes with the flow of work - ie, testing the tool on your OWN hardware in order to develop defenses against similar attacks.
Some of the ideas thrown on the document can be used by router administrators, network administrators, and firewall adminstrators to avoid having to post on the incidents list since "if" tested, most admins could get an idea of checksums or related networking information (packet sniffers) and re-post on the subjects. So it'd definitely be a "Test on Your Own hardware" scenarion. Again things were left out for the time being while I re-word and re-code some of the issues I've found and hope to publish.
While I appreciate the sentiment in trying to limit malicious use... the argument for full disclosure is about the same argument against gun control, here in the US... The bad guys won't be deterred, and will still get their hands on powerful weapons. Also, "who can debug some c code" isn't exactly a good litmus test, to determine who is 'responsible' enough to get their hands on working tools. Plenty of great network guys aren't c coders, and plenty of malicious kids are.
Correct me if I'm wrong but this is a security related list and I sent this in hopes that what you call network guys would have enough sense to understand what I was trying to convey. Aside from the codes the actual Theories in DoS text file is filled with networking information which you might have seen if you would have looked.
While I haven't yet looked at your code (for all I know, you just commented out a critical line or something), I wanted to address this issue from a more... philisophical approach, in an attempt to head off this disturbing trend that I think doesn't jive with the purpose of a full-disclosure list.
<note="reread2x"> Actually I left out a slew of options on packet information for the sake of avoiding being as hated as TFreak must've been when he released Smurf. </note> <snicker> When I'm 100% comfortable with other findings and have found a way to address more issues then I'll post to Bugtraq as opposed to the Vuln-Dev list since afterall I may forgotten this was for developmental issues... </snicker> J. Oquendo // sil () antioffline com ______________________________________________ FREE Personalized Email at Mail.com Sign up at http://www.mail.com/?sr=signup
Current thread:
- Re: Denials of Service Attacks J. Oquendo (Jul 20)