Bugtraq mailing list archives

Re: new iss stuff


From: mouse () collatz mcrcim mcgill edu (der Mouse)
Date: Tue, 10 May 1994 17:56:12 -0400


        Announcing
                   INTERNET SECURITY SCANNER 2.0
[...80+-line ad mostly deleted...]

Is bugtraq a place for ads?  If you want to mention it, put in a
pointer to where to find more info (even if just "mail me for more"),
fine...but an ad for a for-fee binary-only product, that's well over
half content-free hype, is IMO inappropriate for bugtraq.

ISS 2.0 will not be distributed to the public directly because of
the following reasons:
Since site admins are members of the 'public' (at least when I last
checked), this suggests that only 'correct' sites (read: those on the
largest sites only, or with the 'right' connections) net.legends will
be able to get this package?

After reading the rest of it, I suspect it's more likely those that
execute a license agreement and pay a fee.

1) There were complaints that networks were being scanned by sites
   from other organizations.  To reduce the liability of this kind of
   problem, ISS 2.0 has built in control of what network addresses
   can be scanned and probed so that an organization's copy can not
   be used to attack other networks.
I take it that this means it's a binary distribution only?  How else
do they enforce control over what addresses are scanned?

I assumed so too, and wrote to the address given in the announcement,
pointing out that no properly security-paranoid admin will let a
binary-only program anywhere _near_ hir machine, especially when (as I
assume is the case here) it is to be run as root.  That part of my
letter was not responded to.

2) It ensures that crackers (intruders) are no longer getting new
   security vulnerabilities to check for as these checks are placed
   into ISS.

I remarked (to this person) that he surely didn't think the cracker
community wouldn't get hold of ISS, and he indicated this was not a
concern to him - he didn't think it would happen soon.  IMO this
indicates enough ignorance of security realities that I doubly shun any
code from that source.

I also remarked that it was trivial to sic a syscall tracer on ISS to
see what vulnerabilities it checks for, in response to the part about
not letting everyone know about vulnerabilities as soon as they went
into ISS.  That part of my letter also was not replied to.

Yes, this kind of "security update" leaves a rotten taste in my
mouth.

Amen.

                                        der Mouse

                            mouse () collatz mcrcim mcgill edu
