From: lcamtuf at ghettot.org (Michal Zalewski)
Subject: Re: Any thoughts on War-Googling? (long and inflammatory)

On Sun, 18 Apr 2004, Aschwin Wesselius wrote:

> Is there anybody who is common with the technique described in this
> article? [ http://www.ebcvg.com/articles.php?id=207 ] It says something
> about using Google to target servers by searching paths to
> vulnerabilities.

I read the paper when it was first posted to SECPAPERS; although it is
good to see the subject surface, I believe this particular write-up is
largely disappointing, and does not demonstrate a threat nearly as serious
as the author wants it to appear.

The basic concept discussed in the paper relies on rehashing some fairly
old ideas, such as passive infection techniques (I described those ages
ago in a sci-fi-esque article in Phrack years ago), or locating
vulnerabilities using search engines (the latter dating back to the ages
when Altavista ruled the market) - quite notably, there are virtually no
attributions or useful references in the article, which makes me a tad
suspicious.

Naturally, there is nothing wrong in building on these foundations, but to
make the research interesting, one must provide something more than just
wishful thinking, for example a good feasibility analysis (based either on
theoretical models, or actual lab testing) to provide some foundations to
better understand, assess and mitigate the threat; or a balanced
discussion of implementation and deployment scenarios AND pitfalls or
mitigating factors.

Despite claiming the research is based on an actual feasibility study, it
fails to provide any factual, verifiable, or believable information that
would make it easy to accept the author's claims of a possible deadly impact
of such a super-worm. Statements such as:

  "It will show that such attacks are not only feasible but that their
  theoretical success rate is far greater than worms targeting commercial
  infrastructure."

...are completely groundless, as there is nothing that even resembles a
useful estimation of the success rate or propagation scenarios
(theoretical or not).

The paper is notably one-sided, and may appear merely as an attempt at
spreading FUD and promoting the company's or author's name as the one
discovering a major threat to the infrastructure. In reality, however,
these claims are hard to believe: many omitted failure scenarios and
easy-to-break dependencies make such a worm quite easy to stop and
eradicate (single choke points and the ease of eliminating a particular
worm by search engine operators makes it quite unlikely for the worm to
succeed at flash propagation).

To summarize: although I am not against self-promotion through disclosure
(quite frankly, it would be quite a hypocrisy), I do believe that you only
deserve credit and should be taken seriously if you either offer a
unique or novel insight, discuss a new theory or technique; or if you
write about a known subject, but with much needed objective and exhaustive
approach, offering valuable analysis of the subject and great learning
material.

In this particular case, neither is the case (and some aspects of it -
such as the form of the announcement on SECPROGS or lack of attributions -
make it appear even more as a mere company name plug), and the paper does
not seem to warrant any serious attention, not really.

-- 
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2004-04-18 19:30 --

   http://lcamtuf.coredump.cx/photo/current/

