Vulnerability Development mailing list archives

RE: Malicious use of grc.com


From: H C <keydet89 () yahoo com>
Date: Wed, 28 Nov 2001 12:52:04 -0800 (PST)


> a) Mr. Gibson has made publicly available a scanning tool that can serve as an anonymous scanning tool against any potential hosts.

At the end of the day, all it is is a port scan.  So
far no one has presented any information that shows
that Gibson's site can be used to take advantage of
the port scanning information and conduct a direct
attack against the target system.  

It's a port scan...so what?

Also, I have not seen anything more than claims
regarding the DoS issue.

> b) Mr. Gibson has been VERY vocal about his security skills and views on several subjects including the snafu with M$'s TCP stack. Several people have observed the irony of someone that seems like a security expert to post a program on his site that is vulnerable to some kind of exploit.

Like that never happens?  So where's Magni's advisory
on the uses of NetCraft?  And where's the advisory
regarding the content of the Incidents list on SF? 
After all, it wasn't so long ago that some admin got
on the list and posted pretty explicit info regarding
the structure of his DMZ...obviating the need for
Gibson's site altogether.

Attacking anyone, regardless of whether they are wrong
or right, simply b/c they are vocal serves no purpose.
 
> c) There have been statements from Mr. Gibson that 1) the problem has been existent for at least two years and 2) he does not find it significant enough based on other factors (how many checks you can spawn, only 200 bytes/sec) to deal with it quite yet.

To be correct, Gibson's statement was 400 bytes, not
200.  But that isn't the point at all.  Someone posted
that an attack could be scripted to perform a DoS
attack...Gibson said that wasn't true.  

> d) People have taken sides on this issue. One side views this as equal to "hacking the Gibson" (sorry, I couldn't resist ;)) while the other finds it quite insignificant and not even worth making an advisory about.

Your breakdown is a little too simplistic.  For
example, I have no problem with an advisory being
posted.  I do have questions regarding the content of
the advisory...my initial queries to Magni about
vendor contact didn't reveal anything about Gibson
knowing about this issue for two years.  In fact,
another member of HoG was the first to inform me of
this.
 
> Was the finding significant enough for an advisory? Hell yes. While ironic, it also provided us with an issue that's hot enough to generate discussion amongst ourselves. And that is the precautions one should take before posting the latest "cool" security tool on his/her site without first investigating all the angles.

Or posting an advisory without following any of the
various processes out there.

> And as security experts we are all kinda blown away that once a flaw is found the author does not take steps to fix this.

Not at all.  As "security experts" (I hesitate to use
that term, as I consider myself more of a professional
than expert, and all that word entails), we are also
familiar with a wide variety of other issues.  

For example, consider Code Red.  How many web sites do
you know of that actually need the functionality
provided by the ida/idq script mappings?  As of yet, I
haven't seen any...that doesn't mean that there aren't
any.  So, if the functionality isn't needed, why not
simply disable the script mapping?  Do that at
install, and the system wouldn't have been infected by
Code Red.   The same holds for sadmind/IIS
(poisonbox)...the patch necessary was about 7 months
old when the worm hit.

The point is...we have all seen how people either make
a decision (or fail to do so) to NOT fix something. 
Gibson evidently (based on his comments that I've seen
on DSLReports) decided that the issue didn't merit
attention.  After all, it's just another port scanner.

> Top that with the irony of the individual creating the flawed software and you've got a nifty advisory. I seriously see nothing wrong with that.

Nor do I.  However, the advisory wasn't a very good
example of responsible disclosure.

> And to touch briefly on port scanning: While it's true it's not illegal, there is nothing that stops you, the network engineers, from taking any action necessary to protect your network from scans.

Sure.  There's no problem with that.  And if everyone
took the necessary steps to protect their networks,
there wouldn't be a problem at all.  In fact, there
are even Registry entries that can mitigate the
effects of SYN floods, assuming that the packets
aren't already blocked by routers and firewalls before
they reach a target host.  Therefore, this issue of
using Gibson's site to conduct DoS attacks (again, so
far it's only a claim, I haven't seen it actually
work, nor am I aware of anyone suffering from such an
attack) is a non-issue, as well.



