Security Tools More Harmful Than Helpful?

soblasted writes "With the recent 2.0 release of the Metasploit Framework, people are wondering if security tools like it do more good than harm. This article attempts to answer the question. The legitimate use of the framework is for security researchers to use in exploit testing and development. It will run on any OS with Perl, and includes a CLI and web GUI, along with many ready to run exploits and payload modules. With HP also developing systems to preemptively attack their own networks, has this become acceptable?" This issue reminds me of the first release of SATAN and the uproar it caused.
  • Duh (Score:5, Insightful)

    by Anonymous Coward on Friday April 09, 2004 @07:59AM (#8813918)
    Any tool can be used incorrectly.

    Run ping -f to the wrong host and it's a DDoS attack, not a test of simple dropped packets

    run apache's tester, 'ab' to the wrong host and it's a DDoS attack, and not a test of a webserver

    run X to the wrong host and it's a , not a
    • Wrong (Score:1, Offtopic)

      by Anonymous Coward
      DDoS requires more than one host to be "Distributed".
    • Re:Duh (Score:5, Funny)

      by AndroidCat ( 229562 ) on Friday April 09, 2004 @08:16AM (#8813971) Homepage
      Post a link to helpful information on Slashdot, and it's a DDoS attack...
    • I'm not sure It'd be a DDoS attack unless you were running ping -f over many ssh logins to a server farm against a single IP.

      Remember, as a geek it is your duty to use the right Acronyms and use them in the right places.
      • yeah, it kinda pissed me off too. 5 points for insightful & he's wrong. a DOS attack yes, but not distributed.
      • Remember, as a geek it is your duty to use the right Acronyms and use them in the right places.

        DDoS distributed from a single computer.
        Seems right to me.

        You also have the phenomenon of a single task thrashing.
    • Any tool can be used incorrectly.

      Run ping -f to the wrong host and it's a DDoS attack, not a test of simple dropped packets

      Wikipedia [wikipedia.org] recently encountered something similar. To stem abuse, they've been scanning for and blocking open proxies. Unfortunately, this was seen as abuse [wikipedia.org].

  • by Dachannien ( 617929 ) on Friday April 09, 2004 @08:00AM (#8813921)
    You know, you'd think that a google search for "satan" [google.com] wouldn't be all that helpful for us noobs. Guess I was wrong!
  • Of course, any time you release a tool that can be used for good or evil, there will be people that use it for good and those who use it for evil. I would much rather at least have the tools exist than be stuck when some evil person creates a supervirus using a tool they stole because we can't get that tool publicly.
  • That's SANTA to you! (Score:4, Interesting)

    by Gaewyn L Knight ( 16566 ) <vaewyn@nOspam.wwwrogue.com> on Friday April 09, 2004 @08:03AM (#8813929) Homepage Journal
    Heh... my favorite part of the whole SATAN thing was they included the script to change every reference to SANTA in case you were offended.

    They thought of everything... or thought they had... until they found themselves in the middle of a storm of controversy.

    Ahh... those were the good old days :P
  • Securty Tools (Score:4, Insightful)

    by kpogoda ( 580939 ) on Friday April 09, 2004 @08:06AM (#8813939)
    It will be a major help to both the administrators and the hackers. But this is not a radical change from the current situation. Hackers and Crackers already employ many of the same tools for troubleshooting and other less legitimate purposes.
    • Leveling the field (Score:5, Insightful)

      by Benm78 ( 646948 ) on Friday April 09, 2004 @08:41AM (#8814072) Homepage
      Let's just assume that most 'bad' hackers have more knowledge of security flaws and holes than most system administrators.

      In this scenario, a set of 'hacking' tools made available to those administrators can help them find vulnerabilities, fix them, and then test if their solution is working properly.

      If these tools were only available to people with the intention to abuse them, it would be much harder to secure a system.

      Personally, I believe that currently the knowledge of security flaws is greater among the hackers, since they specialize in exploiting them. Most administrators have many tasks besides system security. With a set of proper tools to diagnose their systems, security could be maintained with less effort.

    • I agree. The assumption that many people make is that sysadmins have the time to focus on keeping up with the wide array of security flaws out there and that they are more knowledgeable than the college/high school kids who spend their relatively vast amounts of free time just looking at exploits.

      A tool like this is great. Every tech-ops/sysadmin guy I know is way overworked and has way too many problem spaces to address (versus most developers which struggle with just learning a different language much l
  • by Tandoori Haggis ( 662404 ) on Friday April 09, 2004 @08:07AM (#8813943)
    Do subsequent versions of Satan have fewer vulnerabilities? ie resistance to garlic, silver, crosses, upright pentagrams, white witches, holy water, Billy Graham etc?
  • by drizst 'n drat ( 725458 ) on Friday April 09, 2004 @08:07AM (#8813946)
    Having tools to help in identification of weaknesses is not a bad idea (one side) - OTOH - the same tools can also help a hacker use that information to exploit your system (other side). Not that they couldn't do it anyway -- but hey -- this is faster. It was stated in the article that "The problem today is that many organizations do not patch systems until a working exploit is released". How true this is, as well as the comment that "The bottom line is that exploits are not only useful but are (also) required for many types of legitimate work." Brings to mind some of the restrictions that are placed on useful processes such as the remote commands, snmp, and other features built into the OS. Nice to know where problems are so that they can be locked down ... but what if you really need them ...
  • eye for an eye (Score:5, Insightful)

    by irokie ( 697424 ) on Friday April 09, 2004 @08:10AM (#8813952) Homepage
    i think the point made in the article that "this tool allows admins to play on the same level as the attackers" is a very valid point and should be paraded out in front of anyone who says "but this will only cause more attacks by making the attacks easier for the attackers to execute"
    newsflash; even the l4m0r-est script kiddie has a plethora of tools like this (most of which are usually loaded with trojans and the like).
    giving admins legit, supported and just plain better tools means that admins have the ability to check their systems' vulnerability easily. and an admin equipped with a tool for automating exploits has a better chance of stumbling across an exploit no one has found yet, because he hasn't spent all night checking for vulnerabilities earlier.
  • The debate... (Score:5, Insightful)

    by Alioth ( 221270 ) <no@spam> on Friday April 09, 2004 @08:11AM (#8813954) Journal
    The debate is almost pointless. If there's complex software, and that complex software has bugs, it is inevitable that exploits and exploit kits like the one in the story will be written.

    Railing against them won't make them go away - maybe the author(s) of this particular tool will give up, but there are plenty of other authors who will inevitably write something similar anyway.
    • "If there's complex software, and that complex software has bugs"

      Man, stupid wrong memes. Does NOBODY remember Prof. Dijkstra?

      Most software is designed for mathematically trivial problems, whose solutions can be mathematically proven. There is *NO EXCUSE* for bugs, other than being a not so good math guy, and thus a mediocre programmer. Heh, I don't program.

      peace

      "/Dread"
      • So you want computers to only solve problems that are decidable? Unless that is the case, I see your Dijkstra and raise you one Rice's Theorem.
      • Most software is designed for mathematically trivial problems, whose solutions can be mathematically proven

        That's an overly simplistic summary. That's like saying that a building is a trivial set of nails in pieces of wood, or just a bunch of bricks with mortar.

        Most software is designed for millions or trillions of mathematically trivial problems, and a large percentage of those problems have numerous variables. Can you imagine mathematically proving trillions of calculations?
        • That's like saying that a building is a trivial set of nails in pieces of wood, or just a bunch of bricks with mortar.

          The pieces taken in isolation may be trivial, but such as "Is it the right building? In the right place?" are not. The nail may support the pieces of wood it is nailed into, but what about supporting everything that the wood supports?
          Dijkstra's comment is that most software is designed only to the level of the trivial. He makes no assertion that there is anything trivial about an assemblage
  • by ehack ( 115197 ) on Friday April 09, 2004 @08:12AM (#8813960) Journal
    The whole test/patch paradigm is wrong, regarding security: The patches can only be issued when the problem becomes visible, which is doubtless too late for many out there. Also, a significant fraction of users are unskilled, or simply leave their machines unattended, and cannot patch in time.

    Sadly, security problems were already better dealt with by Unix when it was designed, more than thirty years ago, than by Windows now, but the large number of Linux boxen that get rooted shows that the Unix model is now hopelessly out of date. It is time to catch up on the basic issues, separate the programs from the data more effectively, provide PCs with effective data backup,
    and maybe freeze some essential functionality in firmware so that it cannot be overwritten.
    • by Vancorps ( 746090 ) on Friday April 09, 2004 @08:46AM (#8814091)
      This is what MS is attempting to do with XP Service Pack 2

      They are entering the game where all memory must be flagged as executable or not-executable when allocated. Great step in the right direction.

      Also, I don't have any servers apps that have data in the same location. Exchange and Active Directory are all stored on a RAID 5 while the operating system is only mirrored. We have an image of the operating system which is fully working and we only bother to backup the array. Occasionally we will check the OS's integrity with Tripwire and if it passes then we create a new image and store it along side the old image just in case the unforeseeable happens.

      There are ways to deal with these issues. I'd say Linux and Windows follow the exact same patching model, the only difference is there are a lot more people developing patches for Linux. Speaks well for OSS but education is still a problem; for whatever the reason many Linux users and worse, admins don't know shit about designing a secure and reliable environment.

      As for the firmware idea, I believe that is where the industry is headed. It is a good idea but it does restrict the capabilities of a system while also having a very large margin for error. I can imagine a new install of an OS would require several firmware updates to get the required interface to work, and what if you installed the wrong firmware? It's like an Intel board today, if you want to upgrade the firmware there are so many pre-reqs it's often a pain in the ass and worse yet, it's a requirement because your backplane will keep dying without it. I think it's best just to create a secure model for which to install. Force people to store programs and data in a different location and with different permissions.
      • Exactly. The Unix/Linux model of separation of programs and data is done at the file system level. Which works well, not perfectly but well. Linux systems need to be targeted specifically by a person, because each system is a little different, even from the same distribution.

        If MS really is doing the same thing to memory management (a set of permissions for code in memory) it will be one of the few things that MS actually innovated. It will also be a huge boon to security buffer overflows. Kill off Outloo
    • You don't know what you're talking about. Unix was ludicrously insecure initially, with design flaws like the mkdir race condition [ucdavis.edu]. It took many years to reach the level of security it has today. Even 6 or 7 years ago sendmail was still full of holes.
      • by Tassach ( 137772 ) on Friday April 09, 2004 @10:50AM (#8815292)
        Sendmail is still full of holes. Sendmail 8.11.7 was released just over a year ago (30 Mar 2003). In that year there have been no less than 5 critical bugs discovered including 2 remote root exploits and a DOS vulnerability.

        I got sick of playing whack-a-mole with Sendmail's bugs and switched over to postfix [postfix.org]. In that year there has been only one bug discovered in postfix -- a DOS vulnerability. AFAIK, Postfix has NEVER had a remote root exploit.

        Security is HARD to get right. Postfix was designed from the ground up with security in mind by one of the leading experts in the field of computer security, and it still occasionally has problems. OpenBSD is reviewed line-by-line for security problems by some of the most anal-retentive programmers in the world, and it still has an occasional hole. Programs like sendmail, where security is a poorly-implemented afterthought, can never be trusted.

    • You're totally right. Software should only be deployed when it's 100% certified bug-free.

      Patching is a reality. As long as software evolves and develops, patches will be a reality.

      The number of boxes that get rooted are proportional to the number of unprotected, badly-run boxes and always will be. It's easy to sweep your arm and declare things unsuitable, but this proves and solves nothing.
      • Look, you can tell people to drive more carefully, AND move to mandate crash-helmets or seatbelts. YES, maintenance of the boxen by knowledgeable sysadmins will reduce the issues, but in practice at least 70% of the boxen out there are not maintainable by patching. HOWEVER, as long as we keep saying that any wormed machine is the user's fault, Microsoft has no reason to implement a different security model. Last, not least, viruses/worms are now VERY fast-acting, with a large number of machines contaminated
    • No, there is nothing wrong with patching, it's just that no company has ever bothered to ship an operating system which doesn't make applying patches like pulling teeth (including Sun here as well).

      If you had any experience with BSD or Debian you would know that all it takes is a sensible package installation and update tool, and a sensible and user respectful approach to design (e.g., NOT including bug fixes and enhancements along with security updates).
  • The bad guys are becoming a corporate force (due to the requirement for Spam Bots)..

    Now we have a choice of making security testing products that might be used by the bad guys to break into other people's networks or we can let the bad guys develop these tools anyway and leave ourselves with a harder job in testing security.

    I think the tradeoff is worth it.

    Simon.
  • by fdiskne1 ( 219834 ) on Friday April 09, 2004 @08:16AM (#8813970)
    Who needs Metasploit when all you really need is an article on the front page of /.? I was looking around the page before it was posted to /. and as I was nearing completion of the downloads, I noticed things begin to choke. "Ahhh....", I thought to myself, "Must be on /." Now with a total of 25 or so posts it's coming to a screeching halt. We really have to come up with a way to warn webmasters when their site is going to be linked from /.
  • by ehack ( 115197 ) on Friday April 09, 2004 @08:16AM (#8813973) Journal
    I suggest remote backup instead of file-sharing. And remote security testing instead of cracking. Makes it sound like you are doing a company a favor when you remotely test their security, or determine their bandwidth limitations.
    • Indeed, the names you give things can strongly influence people's attitudes toward those things.

      One of my favorite examples involves my usual practice of building a lot of debug hooks into code that I write. When it's to be turned into a deliverable, I always had a problem that the people paying for the work didn't want debug hooks in the final product. Now, you and I know that when you install it in a customer's machine and it doesn't work right, that's when you really need those debug hooks, but most m
  • by RAMMS+EIN ( 578166 ) on Friday April 09, 2004 @08:19AM (#8813984) Homepage Journal
    I think it's pretty simple. Those meaning harm are going to write exploits/sniffers/etc. They might even share them, but you bet they will try to keep them out of the hands of the white hats. This means that if you write a tool and release it to the public, you benefit the white hats, while giving the black hats what they already had. Even in the case where black hats didn't have an equivalent piece yet, they will at worst be on par with the rest.

    Writing and releasing these tools is the only way to establish certainty. Certainty that, if a hole can be detected, you can. And certainty that everyone else can, so you MUST patch it. No more guessing that it will be alright and being wrong.
  • by Anonymous Coward on Friday April 09, 2004 @08:21AM (#8813995)
    Over the years how many people have used hammers, axes, etc to cause harm to other people? Where I live there was just recently a fire fighter who chopped up his girlfriend with his fire axe (normally very useful in saving lives).

    In the final analysis there are always ways to abuse things and cause harm with them. That doesn't justify preventing their legitimate use. All the more so if their legitimate use actually makes their abuse all the more difficult.
    • by Anonymous Coward
      Where I live there was just recently a fire fighter who chopped up his girlfriend with his fire axe (normally very useful in saving lives).

      I insist we ban fire axes. Misusing innocent tools for hacking is intolerable.
  • by tallpole ( 723263 ) on Friday April 09, 2004 @08:23AM (#8814002) Homepage
    I love how many people, especially the media, love to generalize any product that has the potential for misuse to be a sinister product...

    Historically there are so many other examples, such as lockpick kits which are illegal in many states and countries, or are requiring licenses to use. Let's not forget the old Napster, or Kazaa or any other similar P2P, due to misuse, free use P2P is generalized into a piracy movement alone.

    Which reminds me of a joke- A man is at his house during prohibition in the backcountry, when a sheriff comes by and notices that he has all the equipment laid out to make moonshine. Immediately the sheriff arrests the man, citing that having the materials to make moonshine is equivalent to having the contraband itself, though he saw no liquor on the premises. The arrested man takes a long pause, thinks about the situation, and states- "Well, I guess you should arrest me for rape too then, I got all the tools for that crime also!". Embarrassed, the sheriff released the man.
    • Did this work for the guy who had a map of the bank, equipment to disable the alarm, a large bag, some explosives and a detonator?

      Yeah, okay. I realise it's just a joke. The thing is, you can make assumptions about what people are going to do with their equipment. Sometimes these assumptions are valid, sometimes they're not. Each case is different, and should be decided at the time on its own merits.
    • this reminds me of a country that has been bombed and invaded on the basis that it had all the equipment to be an imminent threat. Sadly it was not true. Sadly this is not a joke.
  • by Raindeer ( 104129 ) on Friday April 09, 2004 @08:25AM (#8814014) Homepage Journal
    I'm currently working on ideas to get real broadband (10 mbit) and higher to houses and businesses (minimum of 7500 houses). One of the worries I have is how such a network can be run in a safe and secure manner. Previous experience in running a campus network has taught me that you cannot trust the end user to do things right. This becomes especially true when you're planning for a door to door roll-out of 10mbit+ networks. Imagine a new worm which makes use of such networks. The amount of network traffic it can generate is amazing.

    My solution would be an automated quarantine system, which would quarantine a system once it is found compromised or vulnerable. Quarantine means in this case that the internet traffic is redirected to a specific page and there the user will find an explanation and a solution. Other traffic, like VOIP and TV over IP should run uninterrupted. (This could be realized for instance by having VOIP and TV on separate VLANs or by allowing certain IP addresses)

    This system has to be automated. The reasons for automation are:
    1. You cannot expect a network admin to continuously monitor 7500 to 50.000 connections.
    2. Vulnerabilities are many and a system you've just checked by hand could easily be vulnerable the next day, because somebody installed a new piece of software with some old problems. (One can expect people to install a vulnerable version of winamp on a daily basis! Just think of all the CDs in computer magazines that carry a version of Winamp)
    3. Warhol worms are fast! Within fifteen minutes almost all vulnerable connections will have been infected. If the vulnerability was already known, the system should have been quarantined. If it is unknown, it should be able to disconnect 5000 infected systems immediately once it knows how to detect the vulnerability/worm.
    4. The system should preferably be scanned upon connection to the network. Time and time again.

    Yes there are all kinds of problems associated with this idea. But if you have a better solution, one that doesn't require me to rely on the intelligence of the average John Doe, please do tell me.

    • by Lumpy ( 12016 ) on Friday April 09, 2004 @09:04AM (#8814248) Homepage
      Ok first. NAT boxes with all ports closed at EACH location as an absolute requirement. only a fool thinks you need a computer directly on the internet for anything but a server.

      you can have a custom firmware written for popular NAT boxes. (comcast does) that allows you to shut off a customer's DMZ machine access if you detect that it is causing trouble and send its iptables logs back to your server so you can detect a problem when it is happening instead of 3 days later.

      Second your TOS needs to read that all servers running MUST be registered with you or you shut off their connection. I.E. ip address they want it on and ports that are open and why. Mister Huang on evergreen terrace is NOT allowed to put his W2K server with IIS on the net for a webserver if he does not have all unneeded ports closed.. if they bitch, have a recording of a crying baby to play back at them... (this works with corporate IT in the NOC, Marketing droids and PHB's that are not your direct report.)

      Finally, Unless they have registered a email server with you, they CANNOT send email without going through your email server... yes a few people will bitch, most won't and you will solve a large problem.

      finally set up sniffing tools and actually hire competent staff at decent wage rates. you want people that will investigate why 192.168.123.43 is trying to send 300 emails an hour. or why a large number of IP addresses are trying to access port 3250 on 192.168.123.33... automated tools can be set to alert on these triggers. you need people that can understand what the alerts mean.
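      The two alert triggers named in the post above (one inside host opening hundreds of SMTP connections an hour, and many outside hosts converging on one port of one inside host), as added example code that is not from the post or any product it mentions. It assumes flow records in a constructed "time src dst dst_port" text format, and a hypothetical registered-server list standing in for the post's "register your server with us" web form, which is what keeps a known service (or a mailing list, as the reply points out) from paging the NOC.

      ```python
      """Alert logic for the two triggers in the post above, run over constructed
      flow records.  Registered services and the sample traffic are invented for
      the example; the thresholds (300 mails/hour, port 3250, port 9080) are the
      numbers the thread itself uses."""
      from collections import defaultdict
      from datetime import datetime, timedelta

      # Hypothetical output of the "register your server" web form: (ip, port)
      # pairs the NOC already knows about, so alerts on them are suppressed.
      REGISTERED = {("192.168.123.33", 3250)}
      # Hypothetical: the provider's own mail relay is allowed to send freely.
      SMTP_RELAY_ALLOWED = {"192.168.123.10"}


      def parse_flow(line):
          """Parse one constructed flow line: '<iso-time> <src> <dst> <dst_port>'."""
          ts, src, dst, port = line.split()
          return datetime.fromisoformat(ts), src, dst, int(port)


      def smtp_senders_over_rate(flows, threshold=300, window=timedelta(hours=1)):
          """Return {src: peak SMTP connections in any sliding window} for sources
          whose peak reaches the threshold.  A sliding window is used rather than
          clock-hour buckets so a burst straddling the hour boundary is not missed."""
          by_src = defaultdict(list)
          for ts, src, _dst, port in flows:
              if port == 25 and src not in SMTP_RELAY_ALLOWED:
                  by_src[src].append(ts)
          offenders = {}
          for src, times in by_src.items():
              times.sort()
              peak, start = 0, 0
              for end, t in enumerate(times):
                  while t - times[start] > window:   # slide the window's left edge
                      start += 1
                  peak = max(peak, end - start + 1)
              if peak >= threshold:
                  offenders[src] = peak
          return offenders


      def port_fan_in(flows, threshold=20):
          """Return {(dst, port): distinct source count} where at least `threshold`
          different sources hit one port that nobody registered with the NOC."""
          sources = defaultdict(set)
          for _ts, src, dst, port in flows:
              sources[(dst, port)].add(src)
          return {key: len(s) for key, s in sources.items()
                  if len(s) >= threshold and key not in REGISTERED}


      def build_sample_flows():
          """Constructed traffic: one spammer, one registered game server with a
          crowd on it, one unregistered service with a crowd, and a quiet host."""
          base = datetime(2004, 4, 9, 8, 0)
          lines = []
          for i in range(350):   # 350 SMTP connections in ~40 minutes -> alert
              t = base + timedelta(seconds=7 * i)
              lines.append(f"{t.isoformat()} 192.168.123.43 203.0.113.25 25")
          for i in range(30):    # 30 sources on the registered port -> suppressed
              t = base + timedelta(seconds=i)
              lines.append(f"{t.isoformat()} 198.51.100.{i + 1} 192.168.123.33 3250")
          for i in range(25):    # 25 sources on an unregistered port -> alert
              t = base + timedelta(seconds=i)
              lines.append(f"{t.isoformat()} 192.0.2.{i + 1} 192.168.123.44 9080")
          for i in range(40):    # 40 mails spread over 20 hours -> well under rate
              t = base + timedelta(minutes=30 * i)
              lines.append(f"{t.isoformat()} 192.168.123.50 203.0.113.25 25")
          return lines


      def run_detection(lines=None):
          """Run both rules; returns (smtp_offenders, fan_in_alerts)."""
          flows = [parse_flow(line) for line in (lines or build_sample_flows())]
          return smtp_senders_over_rate(flows), port_fan_in(flows)


      if __name__ == "__main__":
          smtp, fan_in = run_detection()
          for src, n in smtp.items():
              print(f"ALERT mail rate: {src} opened {n} SMTP connections within an hour")
          for (dst, port), n in fan_in.items():
              print(f"ALERT fan-in: {n} distinct sources hit {dst}:{port} (unregistered)")
      ```

      Both alerts are only triggers for a person to investigate, as the post says; the registered list is what turns the reply's mailing list or Quake server from a page into a known service.
      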
      • Why 192.168.123.43 is trying to send 300 emails an hour ?

        Really easy answer: he is running an email list.

        Why a large number of IP addresses are trying to access port 3250 on 192.168.123.33 ?

        Well, because 192.168.123.33 is not the wrongdoer but because someone is faking IP packets replies to which all go back to 192.168.123.33.
        Or maybe 192.168.123.33 is running filesharing on that port, which he should well be allowed to do on a decent network.

        I guess you could handle all this by having white-lists of ho
        • that is why you hire competent people to INVESTIGATE these happenings...exactly as I said in my original post.

          Or maybe 192.168.123.33 is running a closed Quake III server on a weird port and he is hosting the game?? or possibly a custom IRC server. either way, if the customer did not NOTIFY the provider of the fact that he/she was going to run a server then it's his own fault if it gets shut down.

          a simple web form to say "I'm opening and running something on port 9080" will keep mister underpaid NOC st
          • Nice idea, but why did you bring NAT into it in your first post? Just firewall all ports not registered as opened for reason X on your server. Otherwise I (were I to use your service) would need to either decide in advance that I may need to serve something (if you explain it properly to new customers you would likely get lots of yes's), or I need to suddenly change my IP, just because I want to host that game of Quake.
            You would also have to either do 1-1 NAT for anybody running a server (making it just th
            • NAT will protect the users from each other. if I simply NAT and firewall the whole userbase one script kiddie customer can cause damage/havoc/etc...

              the key to serenity is to have all networks untrusted. assume EVERYTHING is hostile.
            • yes you need to notify me in advance.. so 3 seconds before you host that quake game you go to www.opentheportsformeplease.com and register that you are going to play online quake, hosting a game.

              30 milliseconds later, before you even get quake loaded, the port is open, the note is available in the NOC that you have a port open for use and to disregard the flood of traffic there.

              simply having the main servers communicate to the customers NAT box to open that port for them (most internet users would ball up
              • Fair enough, I was thinking NAT at the network level, but what you are describing sounds rather nice, although you need a bit of smarts in the NAT boxes, to figure out which LAN-side IP to point the port at (if I have a NAT box standing around I want to connect all my machines). But other than that it sounds nice. If IPs were not in so damn short supply, I would still prefer a (hardware) firewall controlled by the NOC to a NAT device, but I guess NAT at that level is so common that most people can live wit
          • If I had to notify my ISP every time I wanted to run a service, I would move.

            Which I did, btw.

            You have the AOL mentality.

            You must allow the user to do whatever they want. Your network should be completely transparent to them. As far as they are concerned, they are connected to the internet.

            This is what you are selling (an internet connection). If you can't do it, let someone else do it.
            If you don't want to do it, let someone else do it.
            If you think it can't be done... you get the picture.

            If Mr. SuperCr
    • I'm currently working on ideas to get real broadband (10 mbit)...

      Broadband != high bandwidth.

      Broadband signalling means multiple frequencies on the media, as opposed to baseband, where there is only one. Ethernet is a baseband technology.

      These sorts of misconceptions result in well-defined technical terms such as broadband being re-defined for consumers as meaning something entirely different - because consumers have been led to believe it means something else. "Define broadband please - CA" [theregister.co.uk] It's

      • AARGHH... sorry for not getting that definition just exactly right. But with that whole rant on broadband you have given an excellent example of why people outside of the technical world have so much trouble talking to techies. Next time you read an article, a comment etc, read it and ask yourself: Do I understand what is meant? Does the definition of this particular term have a relevancy to the subject at hand? Does giving the definition add to level of discourse? Do I have anything to say on the subject?
        • But with that whole rant on broadband you have given an excellent example of why people outside of the technical world have so much trouble talking to techies.

          This is Slashdot. You are in the technical world here, my friend. It is reasonable to make certain assumptions about the level of technical knowledge present - especially when you are responding to a post with a technical question in an article about a highly technical subject.

          I didn't really intend my post to be a rant, per se, but I can see wh

  • re: metasploit (Score:5, Informative)

    by brennz ( 715237 ) on Friday April 09, 2004 @08:28AM (#8814031)
    Metasploit is similar to Core Impact.

    I'll gladly add this to my tools, without any cash outlay.

    Want more security tools [isecom.org]?
  • Bad Logic (Score:5, Insightful)

    by re-Verse ( 121709 ) on Friday April 09, 2004 @08:30AM (#8814035) Homepage Journal
    This is some sort of convoluted question - 'do security tools make things worse'. Rather than explaining word for word why I feel it's worse, I'll offer an analogy.

    Should brightly lit streets at night be banned because they allow muggers to see us more clearly? Surely not.
    Knowledge is power, and I'd much rather have as much knowledge available to me as possible, rather than have none and some an attacker has none either. The fact is, exploiters will always try to develop their own ways to get in, their own tools, so it would be incredibly stupid for us to decide the less we know about network security, the better.

    Security testing is a GOOD thing, before anyone puts a server online, they should try to hack it on a closed network first - and then they should have their smartest friends try to hack it, with any tools available. This sort of introspection would mean a whole lot more security on the net in general.
    • Re:Bad Logic (Score:2, Insightful)

      by nacturation ( 646836 )
      Should brightly lit streets at night be banned because they allow muggers to see us more clearly?

      I think that's a poor analogy. A better one would be this: Should automated tools to check whether a house's doors are locked and alarmed be banned, given that burglars can check houses to see which are vulnerable? Especially if you consider that very few people actually use the tool to check their own house?

      The ideal answer is that those tools should be made available to everyone, both for houses and for s
      • Re:Bad Logic (Score:3, Insightful)

        by jrexilius ( 520067 )
        I think his original assertion is valid, but the analogy is bad.

        The security world is like an arms race and, just like in the real world, it's helpful to buy better weapons from allies than to spend all your productivity just on weapons (please let's not digress into politics here).

        Sysadmins have limited time and many problems to deal with. These tools allow them not only to address more problems but are also helpful in lobbying for management support ($) to fix problems. By being able to document and de
      • Weird - I submitted a reply here - somehow it didn't get posted, or something else happened along the way (at work, maybe replaced the tab before hitting submit.. hmm). Anyway - it went something like this.

        I don't think it was a poor analogy. I mean, the point you make is another good one, and I'm not interested in starting an argument.. I've agreed with a lot of your posts in the past, and have actually modded a few of them up.

        I was trying to draw a bit of a metaphor with 'knowledge' as 'light'. On a
        • I see the point in your analogy -- I just thought that my analogy was a bit more, er... analogous. :)

          The problem I see with the Darwinian approach to security (and I agree that it's heading that way) is that in biological survival of the fittest, the unfit eventually die out from various causes and don't affect the rest of the gene pool. In computer security, the unfit computers are hijacked and used to attack the rest of the gene pool. Plus, I'd rather not see a lot of people ruined via identity theft,
          • It's interesting where you talk of unfit computers being used to attack others - this happens in the insect world too - ants often kidnap other ants' eggs to work for them, unknowing their whole life that they are working for the enemy. Viruses go a step further and actually jack right in to genetic code, convincing the host to stop using all of its energy on self replication and start replicating more viruses.

            I'm a big genetics freak, so this parallel you draw my attention to is really interesting. I start
  • by Eudial ( 590661 ) on Friday April 09, 2004 @08:50AM (#8814122)
    Tools like this would be around even if they were not developed in this public manner. Only this way we give the poor admins the ability to test their networks so that they don't have to learn the hard way that they needed to patch up their systems.

  • Norton Internet Security prevents many of my clients from using the Internet at all, even when I adjust the settings. So I have them get a hardware firewall.
  • Dual Edge Sword (Score:3, Insightful)

    by truG33k ( 740973 ) on Friday April 09, 2004 @09:31AM (#8814484)
    Most tools out now are dual-edged swords, providing a useful feature in one hand, while being able to do harm if used other than the way the designer intended. A baseball bat is just equipment for a game, until you crack somebody's skull open with it.
  • by Sheepdot ( 211478 ) on Friday April 09, 2004 @09:36AM (#8814526) Journal
    I've known about and been exploiting the ms-its vulnerability for a full week and then some now. I had a Proof-of-Concept within the first 2 hours of the original post by a concerned IRC user on bugtraq.

    While this tool doesn't test for IE vulnerabilities like the one I have been exploiting, it covers a lot of commonly used attacks that have already been done by script kiddies for (in some cases like the apache chunked vulnerability) upwards of two years!

    It also tests a lot of "duh" kinds of exploits that any serious web, mail, and NT/2000/2003 administrator would want to test. Admins and security consultants have been using Nessus for the last three years or so and people don't question that anymore.

    I think the issue here with Metasploit's Framework is that it's modular, so script-kiddies like me can sit back and develop and trade exploits. My response to that is: get over it.

    I've been trading exploits for so long now with my *own* Perl code that the only thing this program does is maybe cut my time down in half. And why would I want to release a module for Metasploit when I can make my own EXEs using perlcc and Cygwin?

    If anything, perlcc and Cygwin contribute more to proliferation. And I kind of doubt they are going the way of the dodo anytime soon.
  • by Inhibit ( 105449 ) on Friday April 09, 2004 @09:40AM (#8814568) Homepage Journal
    NMAP [insecure.org] Port scanner from insecure.org

    SATAN [fish.com] the aforementioned Security Admin Tool for Analyzing Networks.

    TripWire [tripwire.org] for checking when someone's trying to access your system, and stopping them.

    Shorewall [sourceforge.net] a relatively easy to set up firewall-in-a-box for Linux.
  • This issue reminds me of the first release of SATAN and the uproar it caused.

    That was a great uproar and a good package. Dan Farmer sure took some flak for that one. He lost a good security gig with SGI as I recall.

    But one of the coolest parts of the kit was the postscript file that featured an Intel-like logo that read "Satan Inside".

    I had great fun printing those on self-adhesive transparency material and widely distributing.

    A quick search turned up one of many sources for the postscript:

    Satan [catalog.com]

  • I think the personal firewall is the best example of this. It's great at keeping all kinds of software on your machine from getting out. But a lot of people think it's also good at keeping worms and things out. Which it is, kind of. But I think the recent attacks that exploited vulnerabilities in personal firewall programs prove otherwise.
  • Blah (Score:5, Insightful)

    by harikiri ( 211017 ) on Friday April 09, 2004 @11:11AM (#8815565)
    Some sleepy thoughts before I crash...

    This is the time-old argument of "guns don't kill people, people kill people". Except, it is now being applied against electronic "tools". Another saying comes to mind: "if you outlaw xyz, then only outlaws will have xyz".

    A decade ago, black-hat hackers and security administrators did not have the same access to information and tools that we have today. Crackers are no longer working in the dark, reverse engineering operating systems and applications/services from scratch. Operating system source code is readily available for both the open-source systems (Linux/BSD), along with most of the commercial variants (HP/Solaris/etc) in the black-hat community. With access to this information, they're able to literally scan the code for bad programming practice (grep sprintf) to quickly identify vulnerabilities.

    This open-source transparency has been both a blessing and a curse for the open OSes - in that vulnerabilities can quickly be found by an enterprising auditor, but likewise can be quickly closed by any decent programmer. This is not the case however with the closed platforms, because the source is not available.

    Likewise with penetration tools. When a vulnerability comes out, such as the infamous PHF bug, a cracker can within a few minutes put together a crude scanner to identify these systems for exploitation. Likewise a security administrator can and needs to use a similar tool to audit his network for any sign of the vulnerability.

    However, there should be some industry self-policing going on regarding the public release of certain tools. For example, if a vulnerability emerges and you want to scan and actively "test" whether you are vulnerable (instead of solely checking a service banner - you try to exploit the vulnerability), the test does not need to grant you uid 0. Instead, you can release a binary tool which simply creates a root-owned file on the server, in /, called "YOU_ARE_VULN_TO_X". Both tools will confirm whether or not you are vulnerable - but one is significantly less vulnerable to abuse (by the average script kiddy) than the other.

    However, in the long run, the security industry is a very profitable one, and one way to get a head start is to be prolific and vocal in releasing high-quality exploits (and hoping to get noticed by a security company). This is as much about ego as it is about getting a cool job, and while that attraction is there, you're going to keep seeing security tools with no restrictions emerge.
  • by suwain_2 ( 260792 ) on Friday April 09, 2004 @11:12AM (#8815576) Journal
    ...only outlaws will have guns.

    Same with security tools. Restrict them because they're "More Harmful Than Helpful" and those who use them for harm will still have them, but those who use them for good won't be able to test their networks first.

    I don't question for a second that they're widely abused. But banning them will only mean that network administrators can't check their own networks.
  • by skintigh2 ( 456496 ) on Friday April 09, 2004 @01:00PM (#8816832)
    Also, binoculars should be banned because they just help terrorists look for physical security vulnerabilities.

    We need strong laws to protect people who are too lazy and incompetent to protect themselves. Security through court-ordered obscurity is the only way to freedom.
  • Spiderman rule (Score:2, Insightful)

    When in doubt, remember Stan Lee: with great power comes great responsibility. When you're talking about guns, security tools, money, r00t, broadband, or any form of power. The question seems to be, can you trust an individual to shoulder that responsibility, and if there are a few out there you can't trust, do you remove the power from everyone...
