Vulnerability Development mailing list archives

Re: [No Subject]


From: "J. Oquendo" <intrusion () ENGINEER COM>
Date: Tue, 25 Jul 2000 02:42:41 -0400


Why would anyone hate TFreak? Why not be mad at the people that
used it? Or the vendor? Or the Admin who leaves his net open? All TFreak
did was take a known bug (it says in ping.c by [I am paraphrasing
here] "pinging the broadcast address you can generate a lot of traffic" and
the ping code is circa 1983-4). It's like being pissed someone broke in
your house because you had no locks, knowing full well there are burglars
in the world (and being mad at the guy who invented the crowbar). I mean
people should have had ingress filtering way before smurfing saw the light
of day, a lot of people got caught with their pants down.


Again seems people are missing the point of the original post I sent.

1. WAS NOT A RELEASE OF ANY FLAWS IN SOFTWARE
2. WAS MEANT TO GET THOUGHTS FLOWING ON A WHAT-IF SCENARIO OCCURRENCE ON DIFFERENT NETWORK LEVELED ATTACKS

The document was concocted on a notion that:

1. Some Admins rarely implement security on their networks and for those that do.. Hey here's what I've been thinking 
could happen. Try it out fsck around and see if you can do this on your network and if so find a way to implement 
"PREVENTIVE" measures against it.

2. I needed to keep a security frame of mind while studying since I am employed as a Security Engineer.

3. Some of the findings even though the writing is a bit obscured (which I will soon fix) are interesting and I haven't 
seen much information regarding some of the protocols included in the document. eg., OSPF, BGP, RIP.

4. It's nice to get feedback from smarter people and point out any errors in which they find.

5. Assists me in the Security Field provided that I find malicious issues on the networks which I preside over and 
quickly fix them.


        And the vendors? Why would your OS respond to a ping addressed to
a broadcast, it is such a little used (I've never had a legit need for
it, others might) feature that if you need it, you know enough about it to
figure out where to turn it on.  It's like who needs echo and chargen? And
if you do need it you know where to turn it on, as well as the risks it
carries. I think getting pissed at Tfreak is silly and illogical, the bug
existed prior to him. It was well known before him, he just made the skill
level required to launch an attack like that very low.


Again this wasn't OS related nor platform, nor router related. In fact while I'm studying Cisco stuff I'm using Bay 
routers. If you want to complain about a platform in regards to what it allows and disallows then take it off this list 
and rant on to them.


The fix was relatively simple too..............


<sigh>
Did I post something so blatantly out of the ordinary?
</sigh>



        Three years later you can still launch the same type of DoS. Who's
to blame now? And what good is finger pointing, it doesn't solve the
problem. Talking about problems in the open gets them resolved (sometimes
;) So I think you should talk about your protocol bugs. Hell, the whole
point of these mail lists, etc... it's to talk about them.... You minimize
your exposure, make your network and programs robust. By doing that you
increase the skill level required to attack your net or program, beyond
the script kiddie level.


Hrmmm No one has pointed fingers at anyone and the mere mention of TFreak's name in this was only because smurf was so 
popular amongst those who used it to accomplish what it was made for: a Denial of Service attack. It doesn't take any 
skills to gcc f00shit.c -o f00shit ;./f00shit


And to do this, bugs and exploits and potential
ones need to be talked about. I don't know a lot of things that others may
know and vice versa.


Again see reasons 1-5

  
        That is why certain .org's, vendors as well as the users are
ineffective.  When you say OS XYZ has a remote root hole in it, and that's
it and give some bandaid of a fix or a convoluted explanation how good
does that do anyone? You have to talk about it all not only to educate the
user, but sometimes to force them to become more technical. This stuff
ain't always easy or straightforward, nor is the answer or the solution. A
lot of times people want an easy fix.. sometimes that fix makes things
worse or you are where you started from. If you talked about the bug and
fix in the open people review it.


<NOTE="READ-UNTIL-IT-SINKS-IN">
This is a vulnerability development list not a full disclosure Bugtraq issue...

/*
 * NOTE
 * THIS WAS RELEASED TO VULN-DEV () SECURITYFOCUS COM
 * THE AUTHOR EXPRESSES HIS WISH TO STATE THIS WAS
 * INTENDED TO BE LOOKED UPON AS A DEVELOPMENTAL
 * DOCUMENT AND NOT A FULL-BLOWN SECURITY ISSUE
 * THE AUTHOR WILL SHOOT THE NEXT PERSON WHO SENDS
 * AN E-MAIL CRYING FOUL WITH TONES OF BITCHING
 * WHY ISN'T THIS A FULL DISCLOSURE OR A "WE WANT
 * SCRIPTS" E-MAIL WILL BE SHOT...
 */
</NOTE>


        So the uneducated users get mad at people for discussing bugs, not
realizing sometimes that is the only way to get everyone to take notice.
You can't keep secrets forever.


Re-read <NOTE>

sil () deficiency org
