Please create an account to participate in the Slashdot moderation system


Forgot your password?
Security The Internet

Ask Fyodor Your Network Security Questions 274

Fyodor is the driving force behind and the top-rated Nmap network exploration and security auditing tool. He's also involved in The Honeynet Project (and is a coauthor of the project's book, Honeynet: Revealing the Security Tools, Tactics, and Motives of the Blackhat Community). One question per post, please. We'll run Fyodor's answers to 10 of the highest-moderated questions as soon as he gets them back to us.
This discussion has been archived. No new comments can be posted.

Ask Fyodor Your Network Security Questions

Comments Filter:
  • My Question... (Score:5, Interesting)

    by tx_kanuck ( 667833 ) on Monday May 12, 2003 @12:07PM (#5936991)
    As networks become more complex, and hackers become more sophisticated, how do you see the use of honeypots evolving? Do you think they will have to become mini-networks that can actually be used in-order to prevent them from being detected as honeypots? Or do you think the use of honeypots will just be phased out like many other security tools in the past?
  • Work guidelines? (Score:3, Interesting)

    by eaddict ( 148006 ) on Monday May 12, 2003 @12:07PM (#5936996)
    How do you find what you do surviving the likes of DCMA/Patriot Act II/etc???
  • by Neck_of_the_Woods ( 305788 ) * on Monday May 12, 2003 @12:07PM (#5936997) Journal
    If you could get the computer world to agree to change one fundamental thing in computer security on all OSs across the board what would it be?

  • by Noryungi ( 70322 ) on Monday May 12, 2003 @12:08PM (#5937002) Homepage Journal
    I have just read your top 75 security tools [] list. Thank you for posting all this information, which I am going to study very carefully.

    One question though: in all these tools, which one is your personal favourite? (This excludes Nmap, of course).

    Thanks in advance!
    • by Anonymous Coward
      In that list only two "information management" or "intrusion management" applications are listed. GFI Languard (actually mentions lanscan but calls it Languard) and possibly etherape. There is no mention of any commercial products (Contego [] NetIQ [] Tivoli Risk Manager [] ArcSight [] NeuSecure []) or free (ACID [] SnortSAM []) products.

      What is your opinion of this class of products in their ability to allow a network admin to be knowledgable about the security of their own network and respond to threats?
  • DMCA? (Score:5, Interesting)

    by Anonymous Coward on Monday May 12, 2003 @12:09PM (#5937006)
    Has the DMCA hindered your company in any way, do you see it as working against security professionals around the US or helping those of us who are interested in security as a career path?
  • libnet (Score:3, Interesting)

    by sfraggle ( 212671 ) on Monday May 12, 2003 @12:09PM (#5937011)
    Why doesnt nmap use libnet []?
  • by lewp ( 95638 ) on Monday May 12, 2003 @12:10PM (#5937019) Journal
    On any project like this where there's potentially evil uses mixed in amongst the various good ones, you're bound to get a few angry people who don't understand how helpful your work is to the community at large.

    How much criticism do you have to deal with? And how does it compare to the kudos you receive, quantity-wise? Has it ever made you doubt what you're doing?

    PS- Thanks. nmap proves its usefulness to me every day.
  • by Anonymous Coward on Monday May 12, 2003 @12:11PM (#5937023)
    What's your account name and password? I'll trade you a two color, ballpoint pen with a logo on it for it.
  • by TedCheshireAcad ( 311748 ) <> on Monday May 12, 2003 @12:11PM (#5937028) Homepage
    I keep getting connections to my box from this bastard, at all sorts of ports. What can I do to find out where he is?

    His IP address is

    Any advice from Fyodor or the Slashdot community?
  • Security Updates (Score:5, Interesting)

    by rf0 ( 159958 ) <> on Monday May 12, 2003 @12:12PM (#5937033) Homepage
    It seems that the numbre of security exploits and updates seems to be growing as more people start experimenting with trying the break systems. Now I'm subscribe to BugTraq et all but find it hard to keep on top of what is going on and what I need to update. What would you say are good tools for keeping up to date across multiple systems and platforms?

  • There's been a marked increase in system administrators thinking that anything even remotely resembling a network scan is eeeeevil (case in point, last year I almost got kick out of college for scanning port 80 on my dorm subnet looking for interesting websites to read)...

    What do you think can be done to make scanning IP addresses/ports have less of a negative stigma? This is in the same sort of category as legit vs. illegit uses of anything else (P2P, whatever)--what's the rationale for punishing something that could maybe lead to criminal activity, and how can we make network scanning tools have practical uses again?
    • This is interesting. I hate it when people put a computer on the internet, but freaks out when harmless packets reach it's network interface.

    • by Anonymous Coward

      • scanning your own network/network you are authorized to administer: legit
      • scanning other peoples networks just looking for "interesting stuff": not legit

      • Well, why not legit? If I scan all of my dorm's IP range (well-documented) on port 80 (the offense that nearly got me in trouble except for knoweldgeable judicial affairs types in the office), there are three possible results for any given IP address.

        People who have a webserver on port 80, which is out and open to the public because they had something to say. (unless they password it)

        People who have a default web server install with a default page (the most common in those days of (not necessarily legal

      • This is exactly the kind of anal-retentiveness he is commenting on. If you put a box on the internet, it will receive packets. As long as it isn't flooding the network, nor tries to exploit anything - shut up about it.
      • Hint: Scanning other people's networks for interesting stuff: Legit.

        There are plenty of reasons that are perfectly legitimate to run a port scan on someone's network. it's no different from a search engine running bots. When you connect a computer to any network, it is understood that your computer can be scanned and possibly services will be used such as HTTP or open FTP ports. How, I ask you, is the parent of parent's port 80 scan any different from a windows box doing a NetBIOS scan, or for that mat
    • What do you think can be done to make scanning IP addresses/ports have less of a negative stigma

      Get root, use -sS TCP SYN stealth port scan (best all-around TCP scan).

      While money can't buy happiness, it certainly lets you choose your own form of misery.
      • I HAD root (at least on the machine I was scanning from =P).

        As I recall, I'd elected to use a less stealthy TCP scan because I wanted to be as aboveboard as possible, sorta like the LAN equivalent of yelling "Hey, anyone home?" from the sidewalk as opposed sneaking up and trying the doorknobs with a stealth SYN scan. =P
        • As I recall, I'd elected to use a less stealthy TCP scan because I wanted to be as aboveboard as possible, sorta like the LAN equivalent of yelling "Hey, anyone home?" from the sidewalk as opposed sneaking up and trying the doorknobs with a stealth SYN scan. =P

          But it's better to not be detected at all. Plus with a SYN scan you have deniability. The source address can be spoofed (even nmap will do it -- see decoy scan). Thus, it wasn't necessarily you that sent the packets.
  • RTFM (Score:5, Interesting)

    by smittyoneeach ( 243267 ) on Monday May 12, 2003 @12:13PM (#5937042) Homepage Journal
    What are 'good' dead-tree references for the following categories:
    FNG--Fscking New Guy
    -Terminology, broad-brush concepts, checklists, good reference list
    -Management concerns, planning
    -Detail, performance considerations

    Categories are arbitrary; others will segment the market differently. Mainly seeking recommended authors/titles. Full-on reviews too space consumptive.
  • The human element (Score:5, Interesting)

    by mental_telepathy ( 564156 ) on Monday May 12, 2003 @12:14PM (#5937045)
    The Honeynet project seems to focus a significant amount of attention to the culture of the attackers (extensive logs of IRC chats, for instance.) Do you think the research the honeynet project is doing might make some headway in preventing social engineering attacks (The only hole nmap can't tell you about)?
  • by adturner ( 6453 ) on Monday May 12, 2003 @12:14PM (#5937046) Homepage
    I saw the Top 75 Security Tools survey you did. Lots of great tools there. But I can't help but think that the security community still has plenty of tools that need to be written. So I'm curious what kind of new tools would you like to see written , re-written from scratch, or merged together to create a better tool? Basically, where do you see the missing pieces in the security community toolkit? What kinds or pieces of software would you encourage people in the slashdot community to write?
  • Super-DMCA (Score:5, Interesting)

    by ziggy_zero ( 462010 ) on Monday May 12, 2003 @12:17PM (#5937067)
    What is your opinion on the proposed "Super-DMCA" acts being proposed in several states, which would make honeypots illegal?

    Here's [] the article on it that ran in Slashdot awhile ago.

    Basically, the law says you can't "assemble, develop, manufacture, possess, deliver, offer to deliver, or advertise" any device or software that conceals "the existence or place of origin or destination of any telecommunications service." - thus making honeypots, even when used to thwart illegal computer activity, are illegal.

    • Re:Super-DMCA (Score:3, Informative)

      by greyfeld ( 521548 )
      These laws are not just "proposed", but a reality in Delaware, Illinois, Michigan, Oregon, Pennsylvania, Wyoming and by now is law in Arkansas (it was sitting on the governor's desk two weeks ago and he hadn't signed it, but becomes law after so many days anyway). Coming soon to a state near you - Colorado, Florida, Georgia, Massachusetts, Tennessee and Texas! You can throw your Nat'ing firewalls, Honey Pots, routers and internet connection sharing out the window folks! Act now in those states before it
    • Basically, the law says you can't "assemble, develop, manufacture, possess, deliver, offer to deliver, or advertise" any device or software that conceals "the existence or place of origin or destination of any telecommunications service."

      Good heavens, that would even make every bog standard NAT and Proxy illegal!

      Who writes these laws?

    • Re:Super-DMCA (Score:4, Insightful)

      by Doug Neal ( 195160 ) on Monday May 12, 2003 @01:59PM (#5937783)
      What do you think his opinion is? That it's a super great idea?

      FFS, what a stupid question ;)

  • Curious Yellow? (Score:5, Interesting)

    by griffjon ( 14945 ) <GriffJon @ g m a> on Monday May 12, 2003 @12:19PM (#5937091) Homepage Journal
    Do you think that Brandon Wiley's thought-design of "Curious Yellow" (paper at: or PY.html) will come about as he's laid out? It seems like not an unlikely scenario once someone puts some effort into actually designing it. What are your thoughts about the evolution of 'smart' worm attacks balanced agains thre need of good network security scanners?
  • IPv6 (Score:5, Interesting)

    by binaryDigit ( 557647 ) on Monday May 12, 2003 @12:22PM (#5937112)
    Since ipv6 is supposed to address many of the security issues inherent in ipv4, should there be more of an industry push to adopt it quicker? OR having many years now since ipv6 was drafted, have we learned more about the types of attacks/tactics, and therefore should ipv6 be updated. Seems like now would be the time to do it since ipv6 still has not been adopted and changes could be made without too much disruption or cost (time or money).
    • Re:IPv6 (Score:3, Insightful)

      by Zathrus ( 232140 )
      since ipv6 still has not been adopted

      Not been adopted by whom?

      No, most companies/endpoints haven't adopted it, but most of the major equipment manufacturers (Cisco, Lucent, etc) have and have equipment available for it. It's in use by the University/Research-only "Internet2" currently. The major backbone providers are in the process of slowly switching to it.

      Sure, it'd be cheaper to invent another standard now and move to that on a widescale basis than to adopt IPv6, switch to it, and then adopt a new s
      • by miu ( 626917 )
        Develop IPv10 right now (yes, v7, v8, and v9 are already in development)

        These are all trolls from the infamous Jim Fleming (resident of killfiles round the world).

  • by Anonymous Coward
    I've heard that using "exotic" OSs for network security like OpenBSD on SPARC, NetBSD on SuperH, and Windows NT on Alpha will help increasing my security. Could you verify this?

  • by Hulver ( 5850 ) on Monday May 12, 2003 @12:26PM (#5937141) Homepage
    During your time running Honeypots, you'll have seen a lot of compromised systems. Is there any incident that's really stuck in your mind because of the audacity of the attempt, or the stupidity of the person attempting the breakin.
  • by Simon ( 815 ) * <simon@simonzone. c o m> on Monday May 12, 2003 @12:26PM (#5937145) Homepage
    "Given the choice between dancing pigs and security, users will pick dancing pigs every time." -- Ed Felten


    * "SSH shows a warning that the host key has changed. The user ignores it and continues on."

    * "The browser warns the a SSL certificate doesn't match the host IP. The user ignores it and continues on."

    * "The browser asks if you trust the signer before running some piece of ActiveX. The user ignores it and continues on."

    * "The sysadmin warns not to share passwords. The users ignore that too."

    Now the question. It seems to me that despite all the work being done in the security field, back in reality things have gone from bad to worse. People constantly sidestep the very systems that are put in place to protect them. Is anything being done in the computer security field to address this important "Human Factors" aspect?


    • by JoeBuck ( 7947 ) on Monday May 12, 2003 @01:16PM (#5937518) Homepage

      Users tend to ignore such warnings because similar warnings appear far too often for invalid reasons. This is not a new problem; Aesop wrote about the boy who cried wolf.

    • In response to your question Simon I would recommend the new book, "The Art of Deception", by Kevin D. Mitnick, which addresses various security scenarios and events, both real and fictional, which include the human element of security. In addition to the scenarios presented, which include transcripts of phone conversations and descriptions of actual attacks, Kevin presents several chapters on good user policies for personnel ranging from the system administrator to the secretary working at the front desk f
      • Thanks for the tip, but I'm not really asking a question about Social Engineering, although it is an important aspect of security. My point is really that most security software has such bad usability that people can't even use it and hence ignore it or try to work around it. You can have the strongest encryption in the world, but it doesn't matter if it can't be used correctly... Some thing for most security software.


  • by Anonymous Coward on Monday May 12, 2003 @12:33PM (#5937186)
    I'll be graduating this month with a shiny new BS in Computer Science. I've done plenty of Unix sysadmin work througout college and even deployed some high-interaction honeynets. I'm very interested in network security and systems programming. Do you have any advice for people in my situation who want to head into a career in network security?
    • by Anonymous Coward
      >I'll be graduating this month with a shiny new BS in Computer
      >Science. I've done plenty of Unix sysadmin work througout college and
      >even deployed some high-interaction honeynets. I'm very interested in
      >network security and systems programming. Do you have any advice for
      >people in my situation who want to head into a career in network

      I've recently landed my first job as a pen-tester. To get here I spent the last eight years reading everything I could get my hands on regardin
  • As more and more applications are written from a standard base (servlets on a J2EE server, PHP under Apache interfaced via HTTP instead of a proprietary protocol, etc.), how relevant are low-level tools? The proliferation of high-level applications means that that OS becomes almost irrelevant--the firewall only allows HTTP through, and a load balancer tosses requests to different servers that might very well be hetrogenous insofar as operating systems and other low-level implementation details are concerned.

    Given all of this, what motivation is there for a modern CS student to learn things like the 3-way TCP handshake, or the differences in implementations in various TCP/IP stacks, when the base level of the equation is irrelevant from a security standpoint? How can I convince our network administrators that it's worthwhile to learn something other than JNDI when it comes to network protocols; that for security and network troubleshooting, nothing will ever top a simple Ethereal packet trace?

  • Perception of Access (Score:4, Interesting)

    by Lieutenant_Dan ( 583843 ) on Monday May 12, 2003 @12:37PM (#5937212) Homepage Journal
    What would you say is the line where someone's activity could be considered "unauthorized access"?

  • by swordgeek ( 112599 ) on Monday May 12, 2003 @12:37PM (#5937214) Journal
    Given that effectively ANY tool can be used for good or evil, and also given that we can't completely eliminate risk...

    How can we develop and promote the state-of-the-art in security (tools, understanding, knowledge) while giving as few gems as possible to the criminal wannabes of the world? In other words, how can we bias the work and research towards the defensive, rather than progress that's either neutral or preferentially offensive?
  • by Frater 219 ( 1455 ) on Monday May 12, 2003 @12:37PM (#5937215) Journal
    It seems to me that security efforts have focused too strongly on detecting and blocking known categories of attacks, rather than on creating systems which are secure against innovative future attacks. There are projects for which this isn't the case, such as OpenSSH (and OpenBSD in general), but the preponderance of security work seems to be profoundly backward-looking.

    Naturally, fighting in the dirt with the black hats is a lot "sexier" and more entertaining than building highly robust and reliable systems which will guarantee future security. The popularity of honeypots with security hobbyists (as opposed to researchers) seems to be a result of this: people enjoy seeing the attacker flummoxed, feeling superior to him, defeating him. Yet this doesn't really result in the improvement of security against new attacks, and it arguably distracts from that purpose.

    I'm interested to know where you see progress in security assurance, as opposed to scanning or blocking of old, known attacks. Who else, besides OpenBSD, is in the camp of improving the guarantees that systems provide their users: guarantees such as W^X, packet normalization, and so forth?

  • Legal implications (Score:5, Interesting)

    by paranode ( 671698 ) on Monday May 12, 2003 @12:39PM (#5937234)
    A recent SecurityFocus article talks about possible legal implications for people who administer honeypots (here []). Do you feel that this is a legitimate concern, and have you or your colleagues run into any legal issues with honeypots or the use of Nmap and similar tools? Thank you.
  • by Neologic ( 48268 ) on Monday May 12, 2003 @12:40PM (#5937240)
    nmap has obviously become a huge success in the *nix world. I would wager that practically all sysadmins and security folk use nmap. With this sort of use by such creative and lazy people, there must have been some interesting stories involving nmap, perhaps unusual uses of it, or funny anecdotes. Are there any you would like to share?
  • Currently attempts to secure networks depend on "band-aids" over inherent problems in the design of protocols and protocol implementations (software.) Relatively little effort has gone into solving security problems before they are created. I know IPv6 has taken some steps in the right direction - where would you start?
  • by Anonymous Coward
    Why do you think system administrators (more so NT) do not have the ability to figure out what program/daemon is keeping the port open on their systems?

    After a user uses nmap to enumerate open ports on their systems, what tools should they use to determine what prgram is keeping that port open?
  • by Tim_F ( 12524 ) on Monday May 12, 2003 @12:46PM (#5937287)
    in a negative manner?

    Have you ever hacked into someone else's computer? Have you ever considered it? What would cause you to think of doing this? Would your tools (nmap, etc.) be enough to allow you to do this?

    And if you haven't, why is that the case?
    • by Anonymous Coward
      This is a moot question. In 2002, Fyodor was the victim of an impersonation attack by a Slashdot user who was posing as a woman. Fyodor sent an email to the fake "woman" in an attempt to solicit further conversation and a possible meeting. When the hoax was revealed, the hoaxer insulted fyodor (I believe the word was "wanker").

      Fyodor responded by using information disclosure vulnerabilities in yahoo email to find the originating IP address of the Slashdot prankster (SumDeusExMachine) who was at the time a
      • All these claims are uncorroberated, and conflict with other accounts of the incident in subtle ways.

        For example: the method AC claims was used to get the "victim's" IP address is different from that claimed in a different post.

        I smell trolls.
  • by Jouster ( 144775 ) * <[moc.qaflegna] [ta] [todhsals]> on Monday May 12, 2003 @12:49PM (#5937306) Homepage Journal
    A modern firewall administrator has a very easy job, it seems--all her users care about is their DNS service and their Web access (and, with a good Web proxy, you don't even really need to have an inward-facing Internet-recursive DNS). Indeed, most users blithely assume that "The Internet" and "The Web" are the same entity.

    A modern protocol designer has to choose between efficient data representation and firewall penetration. She will almost always choose the latter. Thus we have a thousand X-over-HTTP protocols, most of which are replicating services (like RPC) that are exactly what the firewall administrator was trying to block.

    As everything becomes X-over-HTTP, how long will it be before we see stateful HTTP firewalls to block malicious kinds of data flowing over HTTP? And when firewall administrators again take the easy way out, blocking everything but "plain" HTTP, how do vendors send their data? Are we, in fact, turning the Internet into the Web? Eventually, it seems that application communication will just be a special case of a Web browser fetching a URL. By tunneling everything over HTTP, and eventually dropping even the tunneling, is the Internet in danger of becoming nothing but the Web--sure, there are other services running, but nobody but the occasional network admin on an un-firewalled network can reach them?

  • Feature for nmap (Score:5, Interesting)

    by CausticWindow ( 632215 ) on Monday May 12, 2003 @01:11PM (#5937474)

    I've been using nmap for quite some time now, and it's an excellent tool by all accounts.

    My question is, do you plan to implement firewall discovery? Instead of just reporting what ports are open, you could report:

    - closed
    - opened
    - filtered (no reply)
    - firewalled (firewall reply)

    Like suggested in the latest phrack.

  • by Krieger ( 7750 ) on Monday May 12, 2003 @01:14PM (#5937498) Homepage
    I've been doing network security for a while now, but I still have yet to find a nice single sentence summary for why security is necessary, that is easily understood by everyone who hears it from the techie to the manager.

    Do you have any suggestions?
    • "I still have yet to find a nice single sentence summary for why security is necessary"

      Have you tried this one:

      Please give me your name, SSN, address, mother's maiden name credit card numbers/expiration dates and the keys to your home.

      If that one doesn't work then try this: Please point a gun to your head and pull the trigger.
  • by cornice ( 9801 ) on Monday May 12, 2003 @01:17PM (#5937523)
    It seems that many of the honey nets that the average hobbyist would run are built to attract a lesser cracker. What I mean is that ports are left open that normally would not be left open. Services are running that normally should not, etc. I that that a really smart fish would see this as nothing but a cheap lure and refuse the bait. Do you think it's possible to fool the really smart fish? Is is possible to bait with something enticing enough without tipping off the big fish? Does publication of your work make this task more difficult?
  • ipv6 support in nmap (Score:2, Interesting)

    by nnet ( 20306 )
    At present, nmap has limited ipv6 capabilities, are you going to add more ipv6 functionality in the near future?
  • Trusted Computing (Score:3, Interesting)

    by Anonymous Coward on Monday May 12, 2003 @01:25PM (#5937583)
    All security experts have opinions on Trusted Computing, which goes under various names such as TCPA, Palladium, NGSCB, TCG, DRM,... The Slashdot community tends to say that this is security at the cost of freedom, and disapproves it. But not all rolemodels in the world of computers seem to agree with this. Linus Torvalds, who gave Linux its name, for example, openly blesses DRM. What do you think about Trusted Computing? Do you see it as an additional value to computers, or more as an erosion of our freedom? And even more important, why do you think so?

    Background info: Linus Torvalds blesses DRM []
  • End User Training (Score:5, Interesting)

    by truffle pig ( 555677 ) on Monday May 12, 2003 @01:27PM (#5937596)
    I spend a lot of time reading and training myself on how to prepare myself and the systems I manage against attacks and other hostile acts. I find much of this to be a fairly linear technical task.

    I often find myself at a loss as to how to help train the end users at my company on how they can help insure the security of their systems and help prevent things like social engineering attacks and what good password practices are.

    I usually run into problems of user apathy, training materials or discussions being too technical, or trying to apply to technical training techniques to sometimes non techncial problems such as the aforementioned social engineering attack.

    Have you found a good way to educate largely non technical end users on ways that they can help contribute to the overall security of the systems of the company they work for. What should be included in the training? What should be left out?

  • OS fingerprinting (Score:5, Interesting)

    by neoThoth ( 125081 ) on Monday May 12, 2003 @01:34PM (#5937640) Homepage
    What are the latest advances in fingerprinting networked devices that seem most promising to you?
    I have started reading papers on HTTP fingerprinting and such and wonder how these will figure into the NMAP architecture.

    What are the most elusive OS's that aren't on the NMAP OS fingerprint database?
  • by Triode ( 127874 ) on Monday May 12, 2003 @01:58PM (#5937782) Homepage
    Given the many ways in which I can make a machine
    a passive listening device on the LAN to gather information (even in a switched environment), do you
    see future security focusing on authentication mechanisims on the LAN, even for the simplest of things (e.g. to get connected to a switch, to allow a MAC address, etc)? Going to a larger scale, do you see something like this taking place on the WAN? Lets say (putting on my lets get nasty hat) Microsoft Palladium (.net, NM$FPSG, whatever they call it now) authentication + your MAC addres s just to get connected to the net?

  • Wheee!!! (Score:2, Interesting)

    by TyrranzzX ( 617713 )
    Obviously, as time goes on we'll be getting new technologies such as self-configuring networks and networks with some level of conscienceness capable of detecting and stopping break-ins as well as doing a number of mundain things such as patching automatically and updating software. The current nearly 20 year old approach to compromising these networks through software exploit or social engineering will be nearly impossible to do from right off of the bat as we've all seen them before; what kinds of attack
  • by Anonymous Coward on Monday May 12, 2003 @02:22PM (#5937938)
    I host a domain on my Linux server at home with a DSL line. I do this because I'm interested in underdtanding how everything works.

    The problem is that between keeping the server up to date, learning PHP, learning Postgres and developing the content I really don't have the time to be an expert in security in the same way as someone who focuses solely on security. What kind of advice would you give to someone in my situation?
  • by zogger ( 617870 ) on Monday May 12, 2003 @02:30PM (#5937978) Homepage Journal
    --it seems like most of the emphasis is on enterprise networks, but that still leaves millions and millions of home machines and small home networks just stuck. What do you see as some of the trends and solutions for those people? Their data and system integrity is just as important to them as any corporations is, and usually not having the appropriate skill set, is even harder to implement.
  • by pitr256 ( 201315 ) on Monday May 12, 2003 @02:48PM (#5938158) Homepage
    We've made a lot of progress with open source intrusion detection devices (IDS) in the last few years, with SNORT many times beating out similar offerings from commercial companies.

    But so far, we have only been attempting to detect and report possible intrusions into private networks or studying attack vectors using Honeypots.

    There has been a lot of talk lately about the possibility of using independent worms that fix vulnerabilities in network hosts so that those hosts aren't used as an attack vectors to compromise/disable other hosts.

    Instead of just detecting and reporting intrusions or active worms fixing vulnerabilites, how do you feel about having IDS systems reporting to a host/daemon that would then launch protective countermeasures against the possible detected intrusion?

    Thanks. BTW, Nmap ROCKS!
  • by HidingMyName ( 669183 ) on Monday May 12, 2003 @02:53PM (#5938192)
    Informed design decisions in classical engineering use estimates of cost, correctness and performance to pick the best solution. In security, much of the selection seems to be "a matter of taste", but perhaps it shouldn't be. Given two competing solutions to security problems, how do you propose that the user measure the solutions fitness to make an informed design decision?
  • by egg troll ( 515396 ) on Monday May 12, 2003 @03:12PM (#5938340) Homepage Journal

    Thank you for taking the time to answer questions from the Slashdot community. A while back a Slashbot named Sub Duex Ex Machina (aka Sdem) created an account in the persona of a very attractive Linux booth babe. Apparently at some point there was some serious flirtation between you and this booth babe.

    Once the truth was revealed, you were understandably angry at Sdem, and you proceeded to hack into his poorly secured W2K box. Although you did nothing malicious to it, you did post screenshots of his various goings-on to your website.

    My question for you is this: Although Sdem's actions were rather sleazy, I'm wondering how far you can go to retaliate. Do you have a moral and ethical priviledge to access another persons computer? If so, how far can you go in your actions once you've accessed it? While meer screenshots are fairly harmless, would you have been justified in deleting his hard drive?


  • IPv6 (Score:5, Interesting)

    by caluml ( 551744 ) <> on Monday May 12, 2003 @03:32PM (#5938516) Homepage
    Do you think that with the very large address space of IPv6 that random scanning for a certain port will die off? (I notice nmap doesn't support random IPv6 address scanning - maybe you've already come to the same conclusion?) Simply put, the chances of finding a machine if it's not advertised anywhere will be very much reduced. Will this make people lazy and complacent, trusting on the large numbers involved to protect them?
  • On your 'myworld' page, you have a couple of paragraphs about "some aspects of the hacker community that disgust me", things like arrogance, information leeching & crime. Since Slashdot may have a slightly larger reader base than, this could be your bully pulpit to expound a little more on that theme. Care to take a moment & tell us all how to "shape up or ship out?" :-)

    P.S. For everyone else, I've had the privilege to work in a small way on an information sharing project to build on

  • Nmap delays (Score:2, Interesting)

    by Old Wolf ( 56093 )
    I think I speak for many people here: why is Nmap 3.0 so much slower than 2.53 ?
    For example, I use it to ping-sweep my local /24 network. 2.53 would take about 1.5 seconds, but 3.0 takes up to 3 minutes to complete. Even using the -T switch it's still much slower.
  • by Nevyn ( 5505 ) on Monday May 12, 2003 @07:02PM (#5940522) Homepage Journal

    As an author of a security book and of a well known security application, how much do you feel code cleanliness/quality affects security of products? ... Or do you feel that only a very few products should worry about security?

    For instance from looking at nmap-3 it's, ignoring the style, littered with magic numbers _esp_ for things like size of an array of char (which is the only concept like a "string" that nmap has) and also more than a few obvious misuses of strncpy() etc. to go along with it.

    Contrast this with other security concious programs, like vsftpd and postfix, and it's like the difference between night and day.

    Obviously anyone putting nmap at the end of a CGI is just asking for pain, but one traditional view is that this isn't wouldn't be the problem of nmap ... but of whoever decided that it was security concious, not just a "security" application.

  • Fyodor - do you have any thoughts about our truly anonymous UDPP2P project []? We are using spoofed UDP packets in a broadcast type of mechanism as this is the only truely anonymous way of P2P that we can see.

    Apart from the obvious, such as ISPs filtering UDP packets that don't match their network ranges, and broadcast mechanisms having problems scaling, do you have any other insights to offer us?

  • (Note: For those of you that haven't seen the movie, do NOT mod this down. For those of you that have and were paying attention, you'll know what I'm talking about.)

    Did you at least get some free movie tickets? :)





    I saw The Matrix Reloaded yesterday and, at that pivitol moment, yelled "Holy SHIT! Trinity's using nmap!".

    Other's in the theater were less than pleased.

    In this message [], you say you did the "r00t dance". Can you please demonstrate the r00t dance for the Slashdot audience?

  • Your real name is not Fyodor.

    Why did you choose this particular pseudonym?

In less than a century, computers will be making substantial progress on ... the overriding problem of war and peace. -- James Slagle