Re: new iss stuff

der Mouse (mouse@collatz.mcrcim.mcgill.edu)
Tue, 10 May 1994 17:56:12 -0400

>>         Announcing
>>                    INTERNET SECURITY SCANNER 2.0
[...80+-line ad mostly deleted...]

Is bugtraq a place for ads?  If you want to mention it, put in a
pointer to where to find more info (even if just "mail me for more"),
fine...but an ad for a for-fee binary-only product, that's well over
half content-free hype, is IMO inappropriate for bugtraq.

>> ISS 2.0 will not be distributed to the public directly because of
>> the following reasons:
> Since site admins are members of the 'public' (at least when I last
> checked), this suggests that only 'correct' sites (read: those on the
> largest sites only, or with the 'right' connections) net.legends will
> be able to get this package?

After reading the rest of it, I suspect it's more likely those that
execute a license agreement and pay a fee.

>> 1) There were complaints that networks were being scanned by sites
>>    from other organizations.  To reduce the liability of this kind
>>    problem, ISS 2.0 has built in control of what network addresses
>>    can be scanned and probed so that an organization's copy can not
>>    be used to attack other networks.
> I take it that this means it's a binary distribution only?  How else
> do they enforce control over what addresses are scanned?

I assumed so too, and wrote to the address given in the announcement,
pointing out that no properly security-paranoid admin will let a
binary-only program anywhere _near_ hir machine, especially when (as I
assume is the case here) it is to be run as root.  That part of my
letter was not responded to.

>> 2) It ensures that crackers (intruders) are no longer getting new
>>    security vulnerabilities to check for as these checks are placed
>>    into ISS.

I remarked (to this person) that he surely didn't think the cracker
community wouldn't get hold of ISS, and he indicated this was not a
concern to him - he didn't think it would happen soon.  IMO this
indicates enough ignorance of security realities that I doubly shun any
code from that source.

I also remarked that it was trivial to sic a syscall tracer on ISS to
see what vulnerabilities it checks for, in response to the part about
not letting everyone know about vulnerabilities as soon as they went
into ISS.  That part of my letter also was not replied to.

> Yes, this kind of "security update" leaves a rotten taste in my
> mouth.

Amen.

					der Mouse

			    mouse@collatz.mcrcim.mcgill.edu