Vulnerability Development mailing list archives
[no subject]
From: sp00n <sp00n () APOLLO GTI NET>
Date: Thu, 20 Jul 2000 21:44:41 -0400
J. Oquendo writes:<note="reread2x"> Actually I left out a slew of options on packet information for the sake
of avoiding being as hated as >>TFreak must've been when he released Smurf.
</note>
****not trying to flame here, just encourage***** **** need food and drink so my thoughts might be little disorganized**** Why would anyone hate TFreak? Why not be mad at the people that used it? Or the vendor? or the Admin who leaves his net open? All TFreak did was take a known bug(it says in ping.c by [i am paraphrasing here]"pinging the broadcast adress you can generate a lot of traffic" and the ping code is circa 1983-4). It's like being pissed someone broke in your house becasue you had no locks, knowing full well there are burglars in the world(and being mad at the guy who invented the crowbar). I mean people should have had ingress filtering way before smurfing saw the light of day, a lot of people got cought with their pants down. And the vendors? Why would your OS respond to a ping adressed to a broadcast, it is such a little used(i've never had a legit need for it,others might) feature that if you need it, you know enough about it to figure out where to turn it on. It's like who needs echo and chargen? and if you do need it you know where to turn it on, as well as the risks it carrys. I think getting pissed at Tfreak is silly and illogical, the bug existed prior to him. It was well known before him, he just made the skill level required to launch an attack like that very low. The fix was relativly simple too.............. Three years later you can still launch the same type of DoS. Who's to blame now? And what good is finger pointing, it dosent solve the problem. Talking about problems in the open gets them resolved(sometimes ;) So I think you should talk about your protocol bugs. Hell, the whole point of these mail lists,etc... it's to talk about them.... You minimize your exposure, make your network and programs robust. By doing that you increase the skill level required to attack your net or program, beyond the script kiddie level. And to do this, bugs and exploits and potential ones need to be talked about. I dont know a lot of things that others may know and vice versa. Thats is why certain .org's , vendors as well as the users are ineffective. When you say OS XYZ has a remote root hole in it, and thats it and give some bandaid of a fix or a convoluted explination how good does that do anyone? You have to talk about it all not only to educate the user, but sometimes to force them to become more technical. This stuff ain't always easy or straightforward, nor is the answer or the solution. A lot of times people want an easy fix.. sometimes that fix makes things worse or you are where you started from. If you talked about the bug and fix in the open people review it. So the uneducated users get mad at people for discussing bugs, not realizing sometimes that is the only way to get everyone to take notice. You cant keep secrets forever. Matt
Current thread:
- [no subject] sp00n (Jul 24)