On Wed, 22 Mar 1995, Dr. Frederick B. Cohen wrote:
> > > > Dr. Frederick B. Cohen wrote:
> > > > >
> > > > > The real question is whether the good guys will get the release before
> > > > > the bad guys and how you tell them apart.
>
[Snip Snip]
> My decision in 1983 was to release pseudo-code so that anyone could
> understand how things worked but I was not directly causing harm. Of
> course lots of attackers easily implemented attacks, while most
> defenders couldn't reduce this pseudo-code down to anything of practical
> value. So much for that idea.
This is a risk you take whenever you publish detailed info about a
security. Even when you publish any info about a risk. And even when you
say that there is a risk. And sometimes even when you don't say anything
at all (in the last case, no one can blame you for helping the 'bad' guys.
But, you can be accused of not helping the good guys .... )
I am *NOT* saying it was a bad idea, but I am advocating for releasing as
much info as one can to help out other good guys.
This is ____NOT____ meant to start a flame war, but it leads to my next
argument.
[Snip]
> Provide a means for people to test for the vulnerability without giving
> them the ability to launch against others. I really like this approach
> because it places the trust firmly where it belongs - with the person
> who possesses the attack code. Since they could use it in a clandestine
> fashion without permission, little is lost by them using it with
> permission. Ignoring, for the moment, the technical issues of how to
> make such a service reliable and relatively safe, it seems like a good
> compromise for today.
This might not be a good idea for a number of reasons. First, you can
easily monitor your network and log all intrusion attempts. Granted, this
only tells a bad guy what to do, not how. But the same skilled hacker
could pick it up from there and implement some tricks of his own. Second,
it puts detailed info about your vulnerabilities into the hands of a
third person. Third, it places the responsibility of trying out new
threats on the same third person, and you have to put a lot of trust into
him keeping up to date with all new threats. And if info about new means
of attacking is not published, each and every security consultant has
to either develop his own tools or be placed into a 'web of trust', thus
receiving code for new tools. And who guarantees that this 'web of trust'
will be good guys only?
No, keep on working on and publishing new tools like SATAN.
---------------------------------------------+---------------------------------
Goran Svensson                               ! I can speak for myself, and I do
BTJ System AB                                +---------------------------------
Email: goran@btj.se                          ! This is my opinion. I reserve
Snail: Box 4066, S-227 21 Lund, Sweden       ! the right to change it, doubt it
Phone: +46 46 180 000, Fax: +46 46 180 333   ! or deny it at any time.
---------------------------------------------+---------------------------------
Believe nothing, no matter where you read it, or who said it, no matter
if I have said it, unless it agrees with your own reason and your own
common sense.
--Buddha
Follow-Ups:
- Re: SATAN, From: "-= () Bart () =-" <bthate@xs4all.nl>
References:
- Re: SATAN, From: fc@all.net (Dr. Frederick B. Cohen)