Brent Chapman says:
> "Perry E. Metzger" <pmetzger@lehman.com> writes:
> # "John B. Brown" says:
> # > You must recall that Brent only means an anecdotal hour.
> #
> # I was also pleased to hear that CERT possesses monitoring equipment
> # worldwide to record the number of incidents/minute, thus providing us
> # with the capacity to measure the number of incidents rising
> # dramatically after the post of the code fragment.
>
> Read what I said again (from <9311090729.AA26447@mycroft.GreatCircle.COM>):
>
> At the Firewalls BOF at LISA, Ed DeHart of CERT stated publicly that
> there had been a big jump in the number of sites reporting breakins
> due to the Sendmail bug, beginning an HOUR after the sample code was
> posted. That seems to indicate a pretty clear relationship to me.
>
> The jump was in SITES REPORTING BREAKINS. Nothing nefarious there,
> despite anybody's paranoia about government snooping.
I'd say no credulous observer would believe that Ed DeHart's statement
could be correct.
1) Usenet and E-Mail propagation are too slow. I could believe a jump
within a day -- a jump within an hour would require that hundreds
of crackers be getting direct feeds of information and doing
nothing but waiting for the stuff to come down the line. It's not
believable by any stretch of the imagination.
2) The bulk of sites do not contact CERT within minutes of being
attacked. Indeed, the bulk of sites do not even know within an hour
that they have been attacked. So we are expected to believe that
lots of sites were not merely broken into within an hour of the
posting, but that the sysadmins recognized the breakin, found CERT's
number, and spent time calling CERT. I know that if I got broken
into, first I'd tell my peers who I'd need to help me contain
the problem, then I'd tell my boss. Maybe the next day if I
happened to see CERT's number I'd call them. Of course, all this
assumes that I'd have an opportunity to even find the breakin
immediately. At most sites where people run without even sending
all bounces to postmaster this would be incredibly unlikely.
3) CERT has a very vested interest in keeping its style of information
spread. After all, if people widely shared such information, CERT
wouldn't be needed.
Overall, I'd say that statement is not credible. I'd need to see solid
evidence in the form of verifiable phone logs before I'd believe it.
This is not to say that the scripts posted would not be exploited by
crackers. OF COURSE they'd be exploited. This is to say that the
specific statements being made do not have the ring of truth.
Perry