Garrett D'Amore wrote:
> Darren Reed wrote:
>> On 11/25/09 10:45, Garrett D'Amore wrote:
>>> ...
>>>
>>> This is totally different from nmap, btw. IIUC, nmap does scans to
>>> passively identify potential weaknesses. I don't think it actually
>>> has any *exploits* for them. (Put another way, I don't think "nmap"
>>> used solely by itself can do serious harm. I think yersinia is
>>> quite different. I think their choice of name is suitably apropos
>>> -- naming after the black plague.)
>>>
>>> I feel strongly enough about this that I'm going to derail.
>>
>> Let me summarise the differences that I see:
>>
>> * I can use nmap from my workstation at Sun to remotely probe and
>> test a host connected to the Internet anywhere in the world for
>> services that it provides and might be vulnerable, all the while
>> looking like it is Sun doing that;
>>
>> * I can use yersinia to at most disrupt traffic on SWAN but more
>> likely this would be restricted to the LAN segment I'm on at Sun.
>>
>> Whilst the primary raison d'etre for both might be different, so too
>> is the scope of their aid to someone undertaking nefarious activity.
>>
>> yersinia isn't going to help you break into a remote host but it might
>> help you become the man in the middle when you otherwise wouldn't have.
>> Even then it only threatens unencrypted traffic or encrypted traffic
>> without peer authentication. It is also a possible threat when the trust
>> relationship between two hosts does not involve cryptography.
>>
>> I think that derailing this case is an over-reaction primarily
>> because it has been seen as an "attack" tool without properly
>> considering what the scope of its potential targets is.
>
> Are you saying that the attacks that yersinia provides can't take down
> router infrastructure?
No, I'm saying that the damage it can do is local. You can't run it at Sun and take down IBM's routers. As their web page states: "We are pen-testers, so we need this little proggie for making chaos in our customers networks."

> To me it sure looks like they can. While it's likely that these
> attacks will be confined to just your enterprise (be it Sun, or
> elsewhere on your corporate network), it still seems like they have an
> active component that nmap lacks.

Whether nmap is passive or active is a matter of opinion. Some might argue that since its use in certain circumstances requires further criminal intent then even an unproductive scan could be deemed a criminal act.

> Picture an attack launched on a LAN segment against a large corporate
> router which just happens to have an interface on your segment. If
> this brings down critical router infrastructure for a trading house,
> the cost can amount to millions of dollars. While clearly the
> (ab)user of the tool should bear the bulk of the blame and
> responsibility, I'm not comfortable with the idea that our actions
> here might have been overly facilitating for that user.

In a corporate environment where sophisticated networking infrastructure has been deployed (for example, HSRP), I'm pretty sure they'll have the means to identify where an attack came from and take appropriate action (probably hand the attacker a pink slip.)

If a person means to harm a corporation, then they'll find the means to do so. Whether it be going public with dirty laundry, walking in to work with a concealed weapon or whatever they decide to do, there's not much that is going to stop them. Computer attacks are often seen as an easier avenue because the computer does all the work for you (so to speak) and attackers often think (or hope) that they don't leave any traces behind.
To a reasonably skilled person, shipping a working compiler that can build functional basic tools like telnet and ftp is all that's required to make up for the lack of nmap. Heck, I could probably write a program in C to do a basic scan with less text than is in this email. I don't know how sophisticated yersinia is but as we now include bpf/pf-packet (which, modulo crossbow bugs, make sending out layer 2 packets trivial) it's probably not that hard to code up some simple attacks.

It's important to separate the tool from the act. If that wasn't possible then you wouldn't be able to buy guns (because they're used to kill people) or many other sorts of instruments.

As it stands, I don't think we (PSARC) should make decisions about which applications are shipped with Solaris based on what they could possibly be used for. I mean are we going to stop providing kernel networking because it can be used to run web servers that deliver child pornography? Or used by applications such as yersinia to attack other systems? I don't think so.

Whilst various people might have personal, ideological, opinions on what is and isn't included, because of what something does, I don't think that makes for a solid argument (actually more likely to devolve into word slinging matches.)

Darren