Bugtraq mailing list archives

Re: underestimating crackers


From: jbash () CISCO COM (John Bashinski)
Date: Thu, 2 Oct 1997 21:00:16 -0700


> Cisco is not aware of these vulnerabilities having been exploited by "system
> crackers", nor of any publicly available exploitation code. Cisco does not
> believe that the details of the vulnerabilities are widely understood in the
> cracker community. The theoretical possibility of these vulnerabilities has,
> however, been discussed fairly openly among PPP security professionals.

Since I wrote that text, I think I can comment on it...

> I hope these beliefs that the cracking community is somehow technically
> inept and incapable of keeping up with the literature and overcoming
> simple obstacles are not widespread.

I am not operating under the illusion that the people who write the
exploits for these things are stupid. That text was based on the fact that
we've had absolutely no reports of anybody actually exploiting that
vulnerability. Not one.

I'm not dumb enough to try to say that it's never been exploited. It may
have been, and it may not have been. However, if a lot of people knew how
to do it, I'd expect it to happen often enough that somebody would
eventually notice it and report it.

There are relatively few crackers who actually write their own code, and
there are lots of security holes. The "literature" to which you refer is
very large. I don't have to think they're incompetent to think that they
probably haven't discovered this hole yet. I just think they're busy with
other things.


                                -- John B.


