Ask Fyodor Your Network Security Questions (274 comments)

Fyodor is the driving force behind Insecure.org and the top-rated Nmap network exploration and security auditing tool. He's also involved in The Honeynet Project (and is a coauthor of the project's book, Honeynet: Revealing the Security Tools, Tactics, and Motives of the Blackhat Community). One question per post, please. We'll run Fyodor's answers to 10 of the highest-moderated questions as soon as he gets them back to us.
  • by Frater 219 (1455) on Monday May 12, 2003 @12:37PM (#5937215)
    It seems to me that security efforts have focused too strongly on detecting and blocking known categories of attacks, rather than on creating systems which are secure against innovative future attacks. There are projects for which this isn't the case, such as OpenSSH (and OpenBSD in general), but the preponderance of security work seems to be profoundly backward-looking.

    Naturally, fighting in the dirt with the black hats is a lot "sexier" and more entertaining than building highly robust and reliable systems which will guarantee future security. The popularity of honeypots with security hobbyists (as opposed to researchers) seems to be a result of this: people enjoy seeing the attacker flummoxed, feeling superior to him, defeating him. Yet this doesn't really result in the improvement of security against new attacks, and it arguably distracts from that purpose.

    I'm interested to know where you see progress in security assurance, as opposed to scanning or blocking of old, known attacks. Who else, besides OpenBSD, is in the camp of improving the guarantees that systems provide their users: guarantees such as W^X, packet normalization, and so forth?

  • Don't confuse the issue of computer security and usability with the issue of TCPA and 'securing' digital content from customers. By doing so you are being fooled by Microsoft and the media companies.

    It ain't the same thing...

    --
    Simon

  • by JoeBuck (7947) on Monday May 12, 2003 @01:16PM (#5937518)

    Users tend to ignore such warnings because similar warnings appear far too often for invalid reasons. This is not a new problem; Aesop wrote about the boy who cried wolf.

  • by Anonymous Coward on Monday May 12, 2003 @01:24PM (#5937576)
    hint:

    • scanning your own network/network you are authorized to administer: legit
    • scanning other peoples networks just looking for "interesting stuff": not legit

    HTH.
  • Re:IPv6 (Score:3, Insightful)

    by Zathrus (232140) on Monday May 12, 2003 @01:53PM (#5937750)
    since ipv6 still has not been adopted

    Not been adopted by whom?

    No, most companies/endpoints haven't adopted it, but most of the major equipment manufacturers (Cisco, Lucent, etc) have and have equipment available for it. It's in use by the University/Research-only "Internet2" currently. The major backbone providers are in the process of slowly switching to it.

    Sure, it'd be cheaper to invent another standard now and move to that on a wide-scale basis than to adopt IPv6, switch to it, and then adopt a new standard and switch to THAT, but you're talking about another decade at this point, minimum.

    Developing new standards takes a while, and having people actually implement them in a non-buggy fashion takes even longer. Develop IPv10 right now (yes, v7, v8, and v9 are already in development) and you're probably talking about implementation in 20 years. By which time we'll know enough about what's broken with it to make the same argument about implementation.
  • Re:Super-DMCA (Score:4, Insightful)

    by Doug Neal ( 195160 ) on Monday May 12, 2003 @01:59PM (#5937783)
    What do you think his opinion is? That it's a super great idea?

    FFS, what a stupid question ;)

  • by Anonymous Coward on Monday May 12, 2003 @02:48PM (#5938151)
    This is a moot question. In 2002, Fyodor was the victim of an impersonation attack by a Slashdot user who was posing as a woman. Fyodor sent an email to the fake "woman" in an attempt to solicit further conversation and a possible meeting. When the hoax was revealed, the hoaxer insulted Fyodor (I believe the word was "wanker").

    Fyodor responded by using information disclosure vulnerabilities in Yahoo email to find the originating IP address of the Slashdot prankster (SumDeusExMachine) who was at the time a college student based on the Pacific coast. SDEM was using an open X server for Windows, MI/X, with no security enabled. Fyodor quickly scanned SDEM's box, found the open X server, and attached to it, monitoring SDEM's life for nine hours. He took many screenshots of SDEM's machine and posted them to his web site, insecure.org.

    A lot of personal information was revealed in these screenshots, including the existence and IP address of a "secret troll IRC server", which was running an IRC bot capable of tracking and posting new stories. Jamie McCarthy used the information disclosed by Fyodor's attack to log onto this server, discover the new-story bot, and modify Slashdot to break the trolls' new-story robot.

    So in short, Fyodor has an open record of malicious entry, and Slashdot's admins have used the information he has gleaned to combat Slashdot trolling.

    What you have to understand is that illegal and malicious hacking won't land you in jail. The FBI won't prosecute interstate computer hacking unless there are $5000 or more in damages. In this case, there were no damages, rendering the "crime" unprosecutable. Whether this makes the perpetrator a whitehat, greyhat, or blackhat is an exercise for the reader.
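The incident described in the comment above turns on an X server that accepted connections from anyone because access control was disabled. The following is an added example, not code from the original page and not Fyodor's or Nmap's: a small Python probe that performs the X11 connection-setup handshake while offering no authorization at all, then reports whether the server accepts the client, refuses it, or asks for further authentication. The two sample replies are constructed for offline use, not captured from any real host; the live probe should only be pointed at hosts you administer or are authorized to test, as the earlier comment on scanning legitimacy notes.

```python
"""Probe an X11 server for unauthenticated access (added example, not from the page).

The client sends a connection-setup request with an empty authorization
protocol (no MIT-MAGIC-COOKIE-1).  The server's first reply byte says how it
reacted, per the X Window System Protocol connection setup section:

    1 = Success       any client is accepted (xhost +, or access control off)
    0 = Failed        refused; a reason string follows ("No protocol specified")
    2 = Authenticate  the server wants a further authentication exchange
"""
import socket
import struct

X11_TCP_BASE_PORT = 6000  # display :N listens on TCP 6000 + N when TCP is enabled


def build_setup_request() -> bytes:
    """12-byte little-endian setup request with empty auth name and auth data."""
    # byte order 'l', pad, major 11, minor 0, auth-name len 0, auth-data len 0, 2 pad
    return struct.pack("<cxHHHHxx", b"l", 11, 0, 0, 0)


def parse_setup_reply(reply: bytes) -> dict:
    """Classify a complete setup reply (8-byte header plus additional data)."""
    if len(reply) < 8:
        raise ValueError("setup reply shorter than its 8-byte header")
    status = reply[0]
    major, minor, extra_words = struct.unpack_from("<HHH", reply, 2)
    extra = reply[8:8 + 4 * extra_words]
    result = {"protocol": None, "reason": "", "vendor": ""}
    if status == 0:
        reason_len = reply[1]  # byte 1 is the reason length only in a Failed reply
        result.update(status="Failed", protocol=(major, minor),
                      reason=extra[:reason_len].decode("latin-1", "replace"))
    elif status == 1:
        result.update(status="Success", protocol=(major, minor))
        if len(extra) >= 32:  # vendor length at offset 16, vendor string at offset 32
            vendor_len = struct.unpack_from("<H", extra, 16)[0]
            result["vendor"] = extra[32:32 + vendor_len].decode("latin-1", "replace")
    elif status == 2:
        # bytes 2..5 are unused for Authenticate; the reason fills the padded extra data
        result.update(status="Authenticate",
                      reason=extra.rstrip(b"\x00").decode("latin-1", "replace"))
    else:
        raise ValueError(f"unknown setup reply status byte {status}")
    return result


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("X server closed the connection mid-reply")
        buf += chunk
    return buf


def probe_x_server(host: str, display: int = 0, timeout: float = 3.0) -> dict:
    """Connect to host:6000+display, send the bare setup request, classify the reply."""
    with socket.create_connection((host, X11_TCP_BASE_PORT + display), timeout=timeout) as sock:
        sock.sendall(build_setup_request())
        header = _recv_exact(sock, 8)
        extra_words = struct.unpack_from("<H", header, 6)[0]
        return parse_setup_reply(header + _recv_exact(sock, 4 * extra_words))


# Constructed sample replies (not captured from any real host) for offline use.
_REASON = b"No protocol specified"            # 21 bytes, padded to 24 -> 6 words
SAMPLE_FAILED = (bytes([0, len(_REASON)]) + struct.pack("<HHH", 11, 0, 6)
                 + _REASON.ljust(24, b"\x00"))

_VENDOR = b"The X.Org Foundation"             # 20 bytes, already 4-byte aligned
_SUCCESS_EXTRA = struct.pack(
    "<IIIIHHBBBBBBBB4x",
    12013000, 0x00400000, 0x003FFFFF, 256,     # release, resource id base/mask, motion buffer
    len(_VENDOR), 0xFFFF, 1, 1, 0, 0, 32, 32, 8, 255,
) + _VENDOR
SAMPLE_OPEN = (bytes([1, 0]) + struct.pack("<HHH", 11, 0, len(_SUCCESS_EXTRA) // 4)
               + _SUCCESS_EXTRA)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # live probe: python x11probe.py HOST [DISPLAY]
        print(probe_x_server(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 0))
    else:
        for name, sample in (("refusing server", SAMPLE_FAILED), ("open server", SAMPLE_OPEN)):
            print(name, parse_setup_reply(sample))
```

A "Success" result against a host that has not deliberately exported its display is the misconfiguration the comment describes: anyone who can reach TCP 6000 can open windows, read keystrokes, and grab the framebuffer. A "Failed" reply with "No protocol specified" is the expected answer from a server that enforces its access list.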
