On 19 July 1999, Kent Crispin <[EMAIL PROTECTED]> wrote:

>On Sun, Jul 18, 1999 at 07:16:28PM -0700, Mark C. Langston wrote:

[...]

>> This is a little far-fetched Kent.  First of all, it does NOT happen
>> "ALL THE TIME, IN THE REAL WORLD."  And if you'd like to debate this
>> particular point, feel free.  I'll start by referring you to things
>> like the USENIX Security Conference proceedings, and work from there.
>
>Let's work from practical experience and practical reality, OK?
>

Sure thing, Kent.

>Songbird gets from 5-10 clearly security significant probes a week. 
>By that I mean a full scan of my network to a particular port known
>to be associated with a vulnerability, or something of similar
>obviousness.   

Congrats, Kent.  You've discovered skript-kiddies.  Now, would you care
to tell us, of all those scripted attacks perpetrated by people who
mostly have no clue what they're doing, what percentage would be
willfully manipulating the voting system in a meaningful manner
for ICANN?


>
>This morning shortly after midnight, for example, I got a scan
>directed to the IMAP port, coming from an unregistered IP address,
>which, by the traceroute, came from Korea.  When time permits, and
>when it is practical, I track down the contacts for the source of
>such probes, and send them email.  I won't do this with the Korean
>probe, because, from prior experience, finding a contact in Korea has
>not been easy.  I have, however, communicated with sys admins all
>over the world under similar circumstances. 
>

Ditto.  


>Around 30-50% of the time I get a reply, thanking me for letting them
>know that their system had been hacked.  In other words, they DIDN'T
>KNOW THEY HAD BEEN COMPROMISED UNTIL SOMEONE ON THE OUTSIDE LET THEM
>KNOW.  
>

And anyone who runs a system that is vulnerable to such easily-obtained
scripted attacks has probably been vulnerable for some time, and will
continue to be.  You and I both know it, Kent, so don't make it out
as something more than irresponsible sysadminning.  The hackers weren't
talented.  The sysadmins were lazy.  And it's irrelevant, unless the
voting system is being run on such a host.  


>
>All this is at Songbird, an absolutely insignificant atoll in the
>network sea.  My day job exposes me to an entirely different level of
>attacks.  The detection tools are much more sophisticated, it is
>true, but the target is much larger and more interesting.
>

I've been in similar situations.  My personal system sees around 
5-10 attempts a day.  They don't bother me.  For exactly the
reasons I outline above, and because I know I maintain the system well
enough to thwart 99% of all attacks.  The 1% (or less than 1%) who
might actually pose a threat would have no interest in my system.
And if they did, there's enough system-level security in place to 
ensure they are caught.  It's not rocket science, Kent.  Run a 
secure system, you can stop worrying about whether all the software
is protected from the trojanning you've gone to great lengths to
play up in this conversation.


>It would not be too much of an exaggeration to say that we are under
>continuous attack, from multiple sources.  We don't send friendly
>emails to the contacts, though, because there simply isn't time.  
>

So you're saying that the ICANN voting system would come under the
same cracker interest as systems that potentially hold US nuclear
secrets?  Somehow, I don't think so.

(NOTE:  by 'potentially', I mean that a cracker may think the system
holds such information.  It has no bearing on whether the system 
does indeed hold such information, or is even in a position to
help the cracker acquire access to such information.)

[...]

>> If you want to push this point further, I can put you in touch
>> with, say, folks at NAI, folks working tiger teams on the east coast,
>> etc. for real-world data.
>
>I would be interested in any real data you could provide.
>

I'll ask them if they'd be willing to provide it.

>> Hell, I could probably dig up some of the
>> better-known purveyors of these attacks and get them to give you a
>> feel for how often this happens.
>
>I have a pretty good feel for how often this happens, from first hand 
>direct experience.

Gosh, Kent.  So do I.  Guess we both speak with authority on this, then.

>
>> However, unless you want to move
>> this conversation over to Bugtraq, I don't recommend you push this
>> FUD further.
>
>Marcus Ranum's firewall-wizards list would be a better place. 
>Doubtless you could comment on the long recent "OK, I've been hacked,
>now what?" thread?

I don't know, Kent, because I don't follow firewall-wizards that 
closely.  As I said, I'm not currently employed in a security capacity,
so I only check the archives every so often.  If you'd like, I'll go
read it and get back to you on that.

>
>> Secondly, most of your scenario above assumes zero trust of the person
>> running the elections.  I will state right now that, unless there is a
>> trusted third-party that can run the elections (If you'll recall, I've
>> already asked that this happen, to no avail), SOMEONE is going to come
>> up with this argument.  It's a straw man.  No matter what you do, the
>> above will always be a valid argument from someone's point of view,
>> because there will always be an "evil sorcerer" sitting behind the
>> curtain, pulling the strings, manipulating reality.  For further
>> reference, see Descartes.
>
>I'd love to -- could you give me a specific reference, please?

Rene Descartes' First Meditation -- the "Evil Genius" Hypothesis.
If you'd like me to be more specific, I'll dig up the ISBN for an
intro to philosophy textbook.

>
>>  At some point, you must draw the line and
>> place some initial faith in the person running the system, and the
>> system itself.
>
>As I have pointed out in other email, there are voting systems that do not
>require TTPs.
>
>[...]
>

As I have pointed out in other email, these voting systems suffer from
their own problems.


>> Now, if you'd like to debate security matters in a more realistic 
>> world, I'm more than willing.
>
>I'm sure you are.  But I don't want to waste *your* time.


C'mon, Kent.  Waste some of my time.

-- 
Mark C. Langston                                Let your voice be heard:
[EMAIL PROTECTED]                                    http://www.idno.org
Systems Admin                                       http://www.icann.org
San Jose, CA                                         http://www.dnso.org
