On Mon, 27 Mar 1995, Goran Svensson wrote:
> On Wed, 22 Mar 1995, Dr. Frederick B. Cohen wrote:
>
> > > > > Dr. Frederick B. Cohen wrote:
> > > > > >
> > > > > > The real question is whether the good guys will get the release before
> > > > > > the bad guys and how you tell them apart.
> >
>
> [Snip Snip]
>
> > My decision in 1983 was to release pseudo-code so that anyone could
> > understand how things worked but I was not directly causing harm. Of
> > course lots of attackers easily implemented attacks, while most
> > defenders couldn't reduce this pseudo-code down to anything of practical
> > value. So much for that idea.
>
> This is a risk you take whenever you publish detailed info about a
> security. Even when you publish any info about a risk. And even when you
> say that there is a risk. And sometimes even when you don't say anything
> at all (in the last case, no one can blame you for helping the 'bad' guys.
> But, you can be accused of not helping the good guys .... )
>
> I am *NOT* saying it was a bad idea, but I am advocating for releasing as
> much info as one can to help out other good guys.
>
> This is ____NOT____ meant to start a flame war, but it leads to my next
> argument.
>
> [Snip]
>
> > Provide a means for people to test for the vulnerability without giving
> > them the ability to launch against others. I really like this approach
> > because it places the trust firmly where it belongs - with the person
> > who possesses the attack code. Since they could use it in a clandestine
> > fashion without permission, little is lost by them using it with
> > permission. Ignoring, for the moment, the technical issues of how to
> > make such a service reliable and relatively safe, it seems like a good
> > compromise for today.
>
> This might not be a good idea for a number of reasons. First, you can
> easily monitor your network and log all intrusion attempts. Granted, this
> only tells a bad guy what to do, not how. But the same skilled hacker
> could pick it up from there and implement some tricks of his own. Second,
> it puts detailed info about your vulnerabilities into the hands of a
> third person. Third, it places the responsibilities of trying out new
> threats on the same third person, and you have to put a lot of trust into
> him keeping up to date with all new threats. And if info about new means
> of attacking are not published, each and every security consultant has
> to either develop his own tools or be placed into a 'web of trust', thus
> receiving code for new tools. And who guarantees that this 'web of trust'
> will be good guys only.
>
> No, keep on working and publishing, new tools like SATAN.
>
> ---------------------------------------------+---------------------------------
> Goran Svensson ! I can speak for myself, and I do
> BTJ System AB +---------------------------------
> Email: goran@btj.se                         ! This is my opinion. I reserve
> Snail: Box 4066, S-227 21 Lund, Sweden ! the right to change it, doubt it
> Phone: +46 46 180 000, Fax: +46 46 180 333 ! or deny it at any time.
> ---------------------------------------------+---------------------------------
> Believe nothing, no matter where you read it, or who said it, no matter
> if I have said it, unless it agrees with your own reason and your own
> common sense.
> --Buddha
>
>
>
Finally one man who 'greps' what it is all about.
A-men
Bart
bthate@xs4all.nl    finger bthate@xs4all.nl for PGP
bart@1stone.xs4all.nl    (I'm about to disclaim.)
References:
- Re: SATAN, From: Goran Svensson <goran@btj.se>