Re: [fw-wiz] A fun smackdown...

From: Chuck Swiger (chuck_at_codefab.com)
Date: 05/21/05

    To: "Marcus J. Ranum" <mjr@ranum.com>
    Date: Sat, 21 May 2005 16:15:16 -0400
    
    

    On May 21, 2005, at 3:55 PM, Marcus J. Ranum wrote:
    > Chuck Swiger wrote:
    >> You've asserted that all standards are useless. You've asserted that
    >> standards which do not take security into account are not
    >> internet-worthy. You seem to believe that no Internet standard is
    >> legitimate and all traffic must be considered dangerous.
    >
    > OK. Why don't you list for us, real quickly, the internet application
    > protocols that haven't had a security vulnerability so far.
    >
    > I'm all ears. Start your engines. Go!

    You're all ears because you're trolling! :-)

    There's a difference between a protocol and the implementation of a
    protocol. Most software has bugs, and it's hard to write provably
    correct software even for limited cases. This doesn't stop people from
    writing useful software or new protocols in the meantime.

    It doesn't seem useful to point to ICMP DoS attacks or forged TCP
    resets aiming to zap persistent connections as being a technical flaw
    with the protocols themselves. The fact that someone can misuse ICMP
    or TCP is somewhat like blaming the highway because it allows drivers
    to speed. Abusive use of network resources is a social issue that can
    be helped by technical countermeasures, such as tuning the network
    stack, changing the protocol spec, adding resource limiters and better
    timeout management, as well as by firewalls and other security tools.

    > mjr.
    > (PS - chargen?)

    Makes an infinite generator if you can connect it to a socket on some
    host you are trying to DoS.

    -- 
    -Chuck
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    
