Vulnerability Development mailing list archives
Re: [No Subject]
From: "J. Oquendo" <intrusion () ENGINEER COM>
Date: Tue, 25 Jul 2000 02:42:41 -0400
Why would anyone hate TFreak? Why not be mad at the people that used it? Or the vendor? Or the Admin who leaves his net open? All TFreak did was take a known bug (it says in ping.c by [I am paraphrasing here] "pinging the broadcast address you can generate a lot of traffic" and the ping code is circa 1983-4). It's like being pissed someone broke in your house because you had no locks, knowing full well there are burglars in the world (and being mad at the guy who invented the crowbar). I mean people should have had ingress filtering way before smurfing saw the light of day; a lot of people got caught with their pants down.
Again, it seems people are missing the point of the original post I sent.
1. WAS NOT A RELEASE OF ANY FLAWS IN SOFTWARE
2. WAS MEANT TO GET THOUGHTS FLOWING ON A WHAT-IF SCENARIO OCCURRENCE ON DIFFERENT NETWORK LEVELED ATTACKS
The document was concocted on a notion that:
1. Some Admins rarely implement security on their networks and for those that do.. Hey, here's what I've been thinking could happen. Try it out, fsck around and see if you can do this on your network and if so find a way to implement "PREVENTIVE" measures against it.
2. I needed to keep a security frame of mind while studying since I am employed as a Security Engineer.
3. Some of the findings, even though the writing is a bit obscured (which I will soon fix), are interesting and I haven't seen much information regarding some of the protocols included in the document, e.g., OSPF, BGP, RIP.
4. It's nice to get feedback from smarter people and point out any errors which they find.
5. Assists me in the Security Field provided that I find malicious issues on the networks which I preside over and quickly fix them.
And the vendors? Why would your OS respond to a ping addressed to a broadcast? It is such a little used (I've never had a legit need for it, others might) feature that if you need it, you know enough about it to figure out where to turn it on. It's like who needs echo and chargen? And if you do need it you know where to turn it on, as well as the risks it carries. I think getting pissed at TFreak is silly and illogical; the bug existed prior to him. It was well known before him, he just made the skill level required to launch an attack like that very low.
Again, this wasn't OS related nor platform, nor router related. In fact, while I'm studying Cisco stuff I'm using Bay routers. If you want to complain about a platform in regards to what it allows and disallows then take it off this list and rant on to them.
The fix was relatively simple too..............
<sigh> Did I post something so blatantly out of the ordinary? </sigh>
Three years later you can still launch the same type of DoS. Who's to blame now? And what good is finger pointing? It doesn't solve the problem. Talking about problems in the open gets them resolved (sometimes ;) So I think you should talk about your protocol bugs. Hell, the whole point of these mail lists, etc... it's to talk about them.... You minimize your exposure, make your network and programs robust. By doing that you increase the skill level required to attack your net or program, beyond the script kiddie level.
Hrmmm. No one has pointed fingers at anyone, and the mere mention of TFreak's name in this was only because smurf was so popular amongst those who used it to accomplish what it was made for: a Denial of Service attack. It doesn't take any skills to gcc f00shit.c -o f00shit ;./f00shit
And to do this, bugs and exploits and potential ones need to be talked about. I don't know a lot of things that others may know and vice versa.
Again, see reasons 1-5
That is why certain .orgs, vendors as well as the users are ineffective. When you say OS XYZ has a remote root hole in it, and that's it, and give some bandaid of a fix or a convoluted explanation, how good does that do anyone? You have to talk about it all not only to educate the user, but sometimes to force them to become more technical. This stuff ain't always easy or straightforward, nor is the answer or the solution. A lot of times people want an easy fix.. sometimes that fix makes things worse or you are where you started from. If you talked about the bug and fix in the open people review it.
<NOTE="READ-UNTIL-IT-SINKS-IN">
This is a vulnerability development list not a full disclosure Bugtraq issue...
/*
 * NOTE
 * THIS WAS RELEASED TO VULN-DEV () SECURITYFOCUS COM
 * THE AUTHOR EXPRESSES HIS WISH TO STATE THIS WAS
 * INTENDED TO BE LOOKED UPON AS A DEVELOPMENTAL
 * DOCUMENT AND NOT A FULL-BLOWN SECURITY ISSUE
 * THE AUTHOR WILL SHOOT THE NEXT PERSON WHO SENDS
 * AN E-MAIL CRYING FOUL WITH TONES OF BITCHING
 * WHY ISN'T THIS A FULL DISCLOSURE OR A "WE WANT
 * SCRIPTS" E-MAIL WILL BE SHOT...
 */
</NOTE>
So the uneducated users get mad at people for discussing bugs, not realizing sometimes that is the only way to get everyone to take notice. You can't keep secrets forever.
Re-read <NOTE>
sil () deficiency org