Message-ID: <Pine.LNX.4.21.0705122012410.15601-100000@linuxbox.org>
Date: Sat, 12 May 2007 20:13:21 -0500 (CDT)
From: Gadi Evron <ge@...uxbox.org>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: Re: Broadband routers and botnets - being proactive

Fergie replied on NANOG to my recent post on the subject of broadband
routers insecurity:

> I'll even go a step further, and say that if ISPs keep punting
> on the whole botnet issue, and continue to think of themselves
> as 'common carriers' in some sense -- and continue to disengage
> on the issue -- then you may eventually be forced to address those
> issues at some point in the not-so-distant future.
>
> I understand the financial disincentives, etc., but if the problem
> continues to grow and fester, and consumer (and financial institutions)
> losses grow larger, things may take a really ugly turn.

He is right, but I have a comment I felt was important - to me - to
make. Not just on this particular vulnerability, but on the "war".

I must admit, vulnerabilities are endless and new exploitation vectors
will never end; even if it were possible and we were all 100% secure,
someone (an attacker rather than a vulnerability) would find a way to make
it 99% again for the right investment or with the right moment of
brilliance.

Enough with cheap philosophy though... as tired (even exhausted) as I am
of the endless repeating circle which security is, on all levels (from the
people involved through the interests involved all the way to the
same-old-FUD) I still haven't burned out, and I am still here.

The world isn't going to end tomorrow, and even if the Internet were to die
(which I doubt it will), we will survive. However, in the recent couple of
years a new community has been forming which we started referring to as
"Internet security operations". These folks, for various motives, work to
make the Internet stay up and become safer (actually being safe is a long
lost battle we should have never fought the way things were built).

With such a community being around, treating issues beyond our little
corner of the 'net is possible to a level, and at least some progress is
made. Some anti-virus engineers no longer care only about samples, some
network engineers no longer care only about their networks, etc.

Is any of this a solution? No. The problems themselves will not go away;
they aren't in any significant fashion currently being dealt with beyond
the tactical level of a fire brigade.

Is it the end then? Of course not. But operations vs. research are
determined by intelligence. As we have some intelligence, I can point to
yet another annoying vulnerability in the endless circle which those of us
who want to can study, and if they feel it is justified, defend
against. That is the broadband routers issue, which personally I'd really
rather avoid.

Unfortunately, this limited defense is what most of us can do at our own
homes, or tops as a volunteer fire brigade or neighborhood watch.

The Internet is the most disconnected global village I can imagine, but
we all have the funny uncle on another network and a weird one on yet
another. I sometimes feel that the old analogy of the Internet to the Wild
West is not quite it. Perhaps we are living in the Wild West, only
instead of wastelands and small towns, we have New York City and the laws
of a feudal dark ages kingdom.

Things will eventually change, and some of us will stick around to help
that change (or try to). For now though, it is about one vulnerability
ignored at a time, and working on our communities.

	Gadi Evron.
