Re: NYT Article this morning

[perry () imsi com (Perry E. Metzger)]

Rens Troost says:
> NYT repports this morning that 'IP Spoofing' is being 
> used to subvert sites. Anybody have details?

Yes. Its far worse than mere IP spoofing -- that would only get you in
to places which stupidly trust things like .rhosts files. The Times
did not accurately describe the scope of the problem. This is a Very
Bad Problem. People should legitimately worry about this one.

I know this is a full disclosure list, but I was asked when I learned
about this several days ago not to divulge details -- I was only told
on that condition. I'm trying to get in touch with my informant to get
relased from my promise so that I can describe the situation in
detail.

Having been in the situation of being an administrator worried about
such things and not knowing where to turn, I believe in full
disclosure. I'll try to post as full a disclosure as I can in a few
hours. I will not post code, as I doubt that Joe Hacker can use the
description to construct the attack, but you should be able to assess
if you are vulnerable without any code to exploit the problem. I'll
also note that the problem was described in the open literature some
time ago -- the New York Times article accurately notes that two Bell
Labs types described this in published papers, which should give those
in the know some hints.

In any case, CERT intends to publish an advisory today. I suspect that
the advisory will not describe how to fully fix the problem.

Perry