Re: Call to arms - INFORMATION ANARCHY

From: Russ (Russ.Cooper@RC.ON.CA)
Date: 11/03/01


Message-ID:  <E9A01F52DC939448BBDE44ED2E1C468F23C9F9@muskie.rc.on.ca>
Date:         Fri, 2 Nov 2001 21:40:26 -0500
From: Russ <Russ.Cooper@RC.ON.CA>
Subject:      Re: Call to arms - INFORMATION ANARCHY
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Edward Livengood suggested that disclosure is needed due to IDS products.
Let's get something straight, IDS and disclosures are chicken and the egg.
IDS didn't exist until full disclosure was popular, and can't exist without
it, but the benefits of IDS haven't been proven to be worthy of forcing the
continued support of full disclosure.

Many in the Anti-Virus community (Nick Fitzgerald for one) insist that
signature-based detection is the totally wrong approach. IDS is
signature-based detection (for the most part).

George Carlson and Rick Schneider suggested that there's a truism, "if I
know lots of others do also". Wrong assumption. Consider that most Vendors
do "extensive" testing prior to releasing a new product. The testing usually
involves smart users, stupid users, doing things the way they're supposed to
work, and doing things in a way not described. Despite this, lots of people
find problems never seen before.

Besides, there's no proof to this urban legend, nor is there likely ever to
be.

Rick made another point, black hats, not script kiddiez, are our major
problem. While this is true, the directed attack is always going to be more
damaging than the scatter attack, the fact is that our security is more
focused to the en-masse attack scenario. Who's worried about getting a new
virus from a black hat, or are we more worried about someone bringing it in
from their home DSL-connected machine? We've more parameters in NT/W2K to
handle syn-floods than we do to handle protecting any given service. Our IDS
logs are filled to the brim with scatter attacks, so much so that finding
the concerted effort amongst the duhs is near impossible.

So why can't we focus on our biggest threat? It's not due to the skill of the
noise, but the noise itself. It should give pause to think about new solutions.

Then there's Carter Mobley's suggestion of a Netscape-like Bug Bounty
program out of Microsoft. And the silence would be enforced how Carter? By
contract? You think you couldn't make more money by being sued by Microsoft
for disclosing a security issue to the public? Not going to happen.
Microsoft have long offered a bounty, it's just not cash; people are more
inclined to be wooed by the media than by Microsoft. Besides, what's the
best thing that came out of Netscape's Bug Bounty program...Georgi Guninski?

Cheers,
Russ
