Pat Myrto said:

| "In the previous message, Dan said..."
| It's a good example of Security Thru Obscurity being alive and well.
| It makes these people more a part of the problem than a part of the
| solution.
| > INTERNET SECURITY SCANNER 2.0
|
| [ ... ]
|
| > ISS 2.0 will not be distributed to the public directly because of the
| > following reasons:
|
| Since site admins are members of the 'public' (at least when I last
| checked), this suggests that only 'correct' sites (read: those on the
| largest sites only, or with the 'right' connections) net.legends will
| be able to get this package? Those without the 'right' connections are
| those who are newly assigned admins, and probably most in need of such
| a package, as they are more or less working in a vacuum.

No, it means that the package is for sale, not public domain.

| > in control of what network addresses can be scanned and probed so that an
| > organization's copy can not be used to attack other networks.
|
| I take it that this means it's a binary distribution only? How else
| do they enforce control over what addresses are scanned? Source could
| have those controls altered... Ug.

Binary is the prime means of distribution; source is also available.
Source is pricy ($1900) as the guy who wrote it understands that his
attempts to force the code to scan only a certain set of addresses could
easily be bypassed with source. It's my feeling that the target IP
restrictions will not be particularly daunting to the bad guys, and the
binaries will be floated as part of the crackers' toolkit, along with
instructions for scanning the addresses you want scanned.

| > 2) It ensures that crackers (intruders) are no longer getting new security
|
| It ensures that new site admins and smaller little known sites are no longer
| getting new security ...

The package doesn't (from what I've seen) offer much "new security;" it
checks for known holes. A good firewall will protect you from much of
what it does, as will tight configuration of your system.

| Yeh, right. In other words, if one is not a net.legend, working for
| CERT, knows a lot of the 'right' people, or running some site that is
| on the Fortune 500, etc, one is out of luck. But sooner or later, the
| cracker crowd will get a copy if it's any good.
|
| We have an example of EXACTLY the same mentality as the 'fix crime by
| banning inanimate objects' crowd. Of course, those who are the problem
| will not be affected by such bans - only those that follow the rules.
| They tell you "call 911, that's good enough for you". We are being
| told "call CERT, it's good enough for you".
|
| Same principle here. Wunnerful.
|
| Yes, this kind of "security update" leaves a rotten taste in my mouth.

I don't like it much either, but for a different reason. The high cost
of source compared to binaries at an educational site will cause most
sites to end up with binaries. This leads to a black box way of thinking
about security. If ISS has bugs that cause it to seriously misrepresent
your situation, you may end up trusting a product you shouldn't. If it
were available as source for the same price, those bugs would be found
and patched sooner.

Adam

--
Adam Shostack adam@bwh.harvard.edu
Politics. From the Greek "poly," meaning many, and ticks, a small,
annoying bloodsucker.
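The thread turns on one mechanism: a scanner that refuses to probe addresses outside the ranges its owner is authorised to scan. The following is an added example of how such a scope check is typically built into a scanner's own code; it is not ISS code and has no relation to how ISS 2.0 implemented its restriction. The scope file format, the function names (`load_scope`, `in_scope`, `filter_targets`) and the sample ranges are all assumptions constructed for the illustration. It also makes the caveat both writers raise concrete: the check is an ordinary function in the tool, so whoever controls the code (or can patch the binary) controls the check, and the real control remains the organisation's authorisation and its audit trail, not the software.

```python
"""Target-scope enforcement for a network scanner (added example, not ISS code).

The scanner only probes addresses that fall inside an operator-maintained
allow-list of CIDR ranges. Every rejection is logged so that an attempt to
scan outside the authorised scope is visible in the tool's own audit trail.
"""
import ipaddress
import logging
from typing import Iterable, List, Tuple, Union

log = logging.getLogger("scanner.scope")
logging.basicConfig(level=logging.INFO, format="%(levelname)s %(name)s: %(message)s")

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample scope file: one CIDR per line, '#' starts a comment.
# In a real deployment this would be a file the operator controls; its
# contents here are assumptions for the example, not anyone's real ranges.
SAMPLE_SCOPE_FILE = """
# Ranges this organisation is authorised to scan
10.0.0.0/8          # internal campus network
192.168.1.0/24      # lab segment
2001:db8::/32       # documentation prefix, used as an IPv6 placeholder
"""


class ScopeViolation(Exception):
    """Raised when a target lies outside the authorised scope."""


def load_scope(text: str) -> List[Network]:
    """Parse the scope file into a list of ip_network objects.

    Malformed lines are an error rather than silently skipped: a typo
    that drops a range should fail closed, not widen or narrow the scope
    unnoticed.
    """
    nets: List[Network] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError as exc:
            raise ValueError(f"scope file line {lineno}: {line!r}: {exc}") from exc
    return nets


def in_scope(target: str, scope: Iterable[Network]) -> bool:
    """True if `target` (an IP literal) is inside any authorised network.

    Hostnames are deliberately not accepted here: a scanner should resolve
    a name first and check the resolved address, otherwise the check can be
    bypassed by a name that resolves elsewhere than the operator expects.
    """
    addr = ipaddress.ip_address(target)  # raises ValueError for non-literals
    return any(addr in net for net in scope)


def filter_targets(targets: Iterable[str], scope: Iterable[Network]) -> Tuple[List[str], List[str]]:
    """Split a target list into (allowed, rejected), logging each rejection."""
    scope = list(scope)
    allowed: List[str] = []
    rejected: List[str] = []
    for t in targets:
        try:
            ok = in_scope(t, scope)
        except ValueError:
            log.warning("rejected target %r: not an IP literal", t)
            rejected.append(t)
            continue
        if ok:
            allowed.append(t)
        else:
            log.warning("rejected target %r: outside authorised scope", t)
            rejected.append(t)
    return allowed, rejected


def scan_target(target: str, scope: Iterable[Network]) -> str:
    """Gate a single scan on the scope check; the probe itself is a stub."""
    if not in_scope(target, scope):
        raise ScopeViolation(f"{target} is outside the authorised scope")
    return f"would probe {target}"  # placeholder for the real checks


if __name__ == "__main__":
    scope = load_scope(SAMPLE_SCOPE_FILE)
    ok, bad = filter_targets(["10.1.2.3", "192.168.1.77", "8.8.8.8", "not-an-ip"], scope)
    print("allowed:", ok)
    print("rejected:", bad)
```

Because `in_scope` is a plain Python function, anyone holding the source (or willing to patch the compiled form) can make it return `True`; that is the bypass the discussion above assumes. What the check does buy the defender is a fail-closed default for honest operators and a log line for every out-of-scope attempt, which is what a site would want to see in its own records.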