Bugtraq mailing list archives
Re: new iss stuff
From: mouse () collatz mcrcim mcgill edu (der Mouse)
Date: Tue, 10 May 1994 17:56:12 -0400
>> Announcing INTERNET SECURITY SCANNER 2.0
>> [...80+-line ad mostly deleted...]

Is bugtraq a place for ads? If you want to mention it, put in a pointer to where to find more info (even if just "mail me for more"), fine...but an ad for a for-fee binary-only product, that's well over half content-free hype, is IMO inappropriate for bugtraq.
>> ISS 2.0 will not be distributed to the public directly because of the following reasons:

> Since site admins are members of the 'public' (at least when I last checked), this suggests that only 'correct' sites (read: those on the largest sites only, or with the 'right' connections) net.legends will be able to get this package?
After reading the rest of it, I suspect it's more likely those that execute a license agreement and pay a fee.
>> 1) There were complaints that networks were being scanned by sites from other organizations. To reduce the liability of this kind of problem, ISS 2.0 has built-in control of what network addresses can be scanned and probed so that an organization's copy can not be used to attack other networks.

> I take it that this means it's a binary distribution only? How else do they enforce control of what addresses are scanned?
I assumed so too, and wrote to the address given in the announcement, pointing out that no properly security-paranoid admin will let a binary-only program anywhere _near_ hir machine, especially when (as I assume is the case here) it is to be run as root. That part of my letter was not responded to.
>> 2) It ensures that crackers (intruders) are no longer getting new security vulnerabilities to check for as these checks are placed into ISS.
I remarked (to this person) that he surely didn't think the cracker community wouldn't get hold of ISS, and he indicated this was not a concern to him - he didn't think it would happen soon. IMO this indicates enough ignorance of security realities that I doubly shun any code from that source. I also remarked that it was trivial to sic a syscall tracer on ISS to see what vulnerabilities it checks for, in response to the part about not letting everyone know about vulnerabilities as soon as they went into ISS. That part of my letter also was not replied to.
> Yes, this kind of "security update" leaves a rotten taste in my mouth.
Amen.

der Mouse
mouse () collatz mcrcim mcgill edu