Dan,
I understood your original email, and I stand by my comment.
"How To's" are commonly discussed on many mailing lists with
security and network professionals and, yes, no doubt some
unscrupulous people are lurking on these lists. There is no way
around this and shutting down web sites, even if it were legal which
it's not, is not going to solve anything.
You cannot explain to someone how to defend against a particular
attack without explaining how the attack works. Try explaining to
someone what a buffer overflow is without describing how one goes
about overflowing a buffer. Or describe a smurf attack without
explaining how it happens and why.
The US govt, and many other govt's and orgs, are concerned about
many things related to security, but other than keeping national
security secrets, keeping exploits secret has little to do with
information warfare. Many attackers have very closed peer groups
where they learn their trade, they don't need web sites and public
mailing lists. Trying to censor the open exchange of information is
like trying to put the genie back in the bottle, i.e. an exercise in
futility and frustration.
The real answer is to make everyone who manages
systems/networks aware of the issues, secure what can be
secured, be vigilant regarding new exploits and push vendors for
better code. There may come a day when security issues are rare
and the need for discussion minimal, but I fail to see how
attempting to keep relevant information from the people who
manage systems will achieve this.
Will there be lurkers who use this information for evil? Probably,
but believing that non-disclosure will keep the information from
those that will use it for evil is wishful thinking. If this were true, no
exploits would occur before public disclosure, which is obviously
not the case. While some script kiddies may not know about
particular exploits until after disclosure, it's far more common for
the attacks to be prevalent in the "hacker" community prior to
public release.
Regards,
Kent
On 9 May 2001, at 15:20, ccnawan wrote:
> Kent,
>
> If you look at my original message you will see that it says about How
> tos, which means Not to give away information that would help
> dishonest people.
>
> Discussion among Security, and IS professionals, I agree with. But
> that is what CERN, ISS, Bugtraq etc are for. I should have been more
> clear, but I was studying at 3AM last night. Do you know what Social
> Engineering means?
>
> I believe the U.S. Gov. was trying to shut down these Security sites
> that give away information on how to do things that compromise
> networks.
>
> They are very concerned about Information warfare, and rightly so.
>
> Dan Evensen
>
> ccnawan wrote:
> >
> > In my experience I have been taught, it is not a good idea to write
> > about How tos in regards to security in an open forum like this?
> ----- Original Message -----
> From:
> To:
> Sent: Wednesday, May 09, 2001 7:38 AM
> Subject: Re: security opinions please [7:3666]
>
>
> > Believing that keeping security questions in the dark increases
> > security is commonly referred to as "security through obscurity" and
> > is generally viewed as a bad idea by nearly everyone in the security
> > field.
> >
> > Attackers already know the exploits, not informing your peers
> > doesn't prevent attacks, it only assists the attackers.
> >
> > What you shouldn't do is provide unneeded information about one's
> > particular organization that might assist an attacker in attacking
> > your organization.
> >
> > Regards,
> > Kent
> >
> > On 9 May 2001, at 5:55, ccnawan wrote:
> >
> > > In my experience I have been taught, it is not a good idea to write
> > > about How tos in regards to security in an open forum like this?
> > > Dan Evensen
> > > > >How does one go upon "penetrating" the internal VLAN on a switch
> > > > >while only having access to the external VLAN and not traversing
> > > > >the PIX in the middle?
> > > > >I have heard the response from numerous security engineers that
> > > > >anything is possible however I guess I'm a novice because I have
> > > > >never seen nor heard of this being done in the situation mentioned
> > > > >above. I attribute the idea of physically separating these networks
> > > > >(even though VLAN based separation is just as effective) as security
> > > > >paranoia. This isn't necessarily a bad thing, after all that's what
> > > > >security guys are paid for, however I don't see a technical reason
> > > > >why you can't have these VLANs connected to the same box as long as
> > > > >a properly configured firewall logically separates them.
> > > >
> > > > Launching a DoS on these devices is pretty easy, anything which
> > > > transports data for management can be 'hacked'.
> > > >
> > > > Rob./
> > > >
> > > > FAQ, list archives, and subscription info:
> > > > http://www.groupstudy.com/list/cisco.html
> > > > Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=4017&t=3666