Dave writes:
you shouldn’t report security vulnerabilities by exploiting them on a mass scale, if you’re a professional.
What Mark did was a demonstration of an exploit, not an actual exploit. He gave us a vivid example of exactly what could happen without actually doing anything harmful.
People publish demonstrations because software vendors have historically ignored private warnings. A demonstration makes it clear to the vendor and the users what the flaw enables. The users see the flaw and pressure the vendor to fix the software.
Without the demonstration, there is no pressure from the users, and the software is rarely fixed.
Even the “white hats” in the security industry recognise this simple principle. They’ve tried various times to come up with a solution that would allow the vendors to save face and users to have their software fixed, but every effort has failed. It seems that the vendors can’t help themselves.
Posted by hexmode | Categories: Uncategorized
William F. Buckley: We do need to have a much better explanation than any we have had. Going to war to abort Husseinism is justified. But we are nevertheless entitled to know: How was intelligence information, presented as conclusive, so apparently illusory?
Posted by hexmode | Categories: Uncategorized
Finally got around to putting more pictures online. Ginger, Basil, Violet, Bike Riding, Birds, and more.
Posted by hexmode | Categories: Uncategorized
Yesterday, my mother sent me a copy of her will — who gets what. It was then that I realized that she might be feeling just a little scared about her trip to Indonesia to see the Indonesian half of my brother’s wedding. She’s on her way to the airport now.
Posted by hexmode | Categories: Uncategorized
This past week, we discovered that the primary webserver for a subsidiary was being used to send out email. They pretty quickly cut it off, but, before the problem was fully understood, the webserver was brought back online. Sure enough, it started spewing out tons of email when the attacker found that it was back online. He did a couple of probes and then — Boom! — the flood was back!
The source of the problem? A guestbook script that allowed anyone to send email to anyone. The first time around, the administrators for the box just turned off SMTP on the box (this was an NT IIS install) and figured that would solve the problem.
When the problem re-appeared, they finally cut off the source — the guestbook script. It isn’t clear that the script was even being used, so this may be another case of what happens when you don’t minimize the amount of software on the system.
As the admin for the Internet-connected email gateway, I finally cut off all mail from the server. Of course, I should have done that first, but better late than never. I also started capturing all the bounces for the email sent out. It was there that I found out that the emails were an attempt at credit card fraud.
I don’t know who would enter their credit card information into a website whose link they got from an email that started “You have a new guestbook entry”, but it almost seems like they would deserve what they got. Practice good net-hygiene, folks!
The good thing is that this guy didn’t seem too smart. From our end, it looks like he used his own system to perpetrate the attack. And apparently used his own domain (g0d.ca) for probing the guestbook. In any case, the information we had was passed along, so it looks like he’ll likely be caught.
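The script in this story handed the attacker a general-purpose mailer. What follows is an added example, not the subsidiary's script (the post does not say what language it was written in): a Python sketch of a guestbook notifier that trusts the form for recipient, sender, subject and body, next to one that pins the recipient to the site owner and strips the CR/LF characters that would let a field smuggle in extra headers such as Bcc:. The addresses, form field names, the SPAM_FORM request and the MailSink class are all assumptions made up for the example. As the post notes, the simplest fix for a script nobody uses is to remove it.

```python
"""
Added illustration, not the subsidiary's guestbook script: a "new guestbook
entry" notifier in a vulnerable and a hardened form. Addresses, field names
and the sample request below are constructed for the example.
"""
import re

SITE_OWNER = "webmaster@example.com"   # assumed: the only legitimate recipient
SENDER = "guestbook@example.com"       # assumed fixed sender address
MAX_BODY = 2000                        # assumed size limit for one entry


class MailSink:
    """Stand-in for the box's SMTP service: records instead of sending."""

    def __init__(self):
        self.sent = []

    def send(self, envelope_to, raw_message):
        self.sent.append((envelope_to, raw_message))


def vulnerable_notify(form, sink):
    """Builds the notification straight from the submitted form.
    'to', 'from', 'subject' and the body all come from the request, so anyone
    who can POST to the script can mail anyone: the web server is an open relay.
    """
    to = form["to"]
    raw = (
        f"From: {form.get('from', SENDER)}\r\n"
        f"To: {to}\r\n"
        f"Subject: {form.get('subject', 'You have a new guestbook entry')}\r\n"
        f"\r\n{form.get('message', '')}"
    )
    sink.send(to, raw)
    return raw


_LINEBREAK = re.compile(r"[\r\n]+")


def _header_safe(value, limit=200):
    """Collapse CR/LF so a user field cannot start a new header line."""
    return _LINEBREAK.sub(" ", value).strip()[:limit]


def hardened_notify(form, sink):
    """Same notifier with the abuse paths closed:
    - the recipient is a constant; any 'to' or 'from' in the form is ignored
    - the only user-supplied header field (the visitor's name) is sanitized
    - the subject is fixed and the visitor's text is quoted in the body, so the
      mail cannot be dressed up as a billing notice or other lure
    - empty or oversized entries are refused
    """
    message = form.get("message", "")
    if not message.strip():
        raise ValueError("empty entry")
    if len(message) > MAX_BODY:
        raise ValueError("entry too long")
    name = _header_safe(form.get("name", "anonymous"), 60)
    quoted = "\r\n".join("> " + line for line in _LINEBREAK.split(message))
    raw = (
        f"From: {SENDER}\r\n"
        f"To: {SITE_OWNER}\r\n"
        f"Subject: New guestbook entry from {name}\r\n"
        f"\r\nThe following entry was posted to the guestbook:\r\n{quoted}"
    )
    sink.send(SITE_OWNER, raw)
    return raw


# Constructed sample request: the shape of a probe that abuses the script.
SPAM_FORM = {
    "to": "victim@example.net",
    "from": "billing@example.org",
    "subject": "Your account\r\nBcc: more@example.net",
    "message": "Please confirm your card at http://example.invalid/verify",
}

if __name__ == "__main__":
    bad, good = MailSink(), MailSink()
    vulnerable_notify(SPAM_FORM, bad)
    hardened_notify(SPAM_FORM, good)
    print("vulnerable script delivered to:", bad.sent[0][0])
    print("hardened script delivered to:  ", good.sent[0][0])
```

Run the block to see the same probe reach the attacker's chosen victim through the first function and only the site owner through the second. The envelope recipient is the thing to watch: once it is a constant in the script, a mail gateway rule that allows the web server to send only to that address (which is the kind of cut-off described above) becomes simple to write and to verify from the bounces.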
Posted by hexmode | Categories: Uncategorized