Message-ID: <200309232223.h8NMNlL26482@netsys.com>
From: matsu at mailvault.com (Matsu Kandagawa)
Subject: An open question for Snort and Project Honeynet
-----BEGIN PGP SIGNED MESSAGE-----
Thanks to Roesch's magnificent sentence-parsing spin job yesterday, like
the rest of you, I'm quite sure that, quote, "there is no trojan in
Snort".
But unless I grossly misread the statements from Phrack, the central
issue at hand was the introduction of deliberate weaknesses, not
trojans.
Do any of you have anything to say about that? When you say "look for
yourself" surely you don't mean to claim that Average Joe Admin has the
requisite skillset and detailed knowledge necessary to spot something
potentially that subtle?
And would anyone care to address the "off-by-one's, integer overflows,
and logic bugs" m1lt0n alluded to in his or her article about Snort? How
do you intend to counter the effects of Sneeze? Any comments on the
Sebek piece? How confident are you in people who are doing your code
review, anyway?
I honestly hope the PHC does the same to every last one of the
components of Project Honeynet: Honeyd, VMWare, the works. Whether you
choose to admit it or not, the latest releases from Phrack do more to
further the improvement of these technologies than the vast majority of
researchers who are scared stiff at the prospect of losing funding. You
complain now and tisk-tisk about the PHC's "juvenile" approach and tell
yourselves it's all social engineering, but why not ask yourself where
you'd be if they chose to sit on the papers they released yesterday
instead? Ignoring people because you find them distasteful doesn't make
the problem go away.
Hot tip for the initiated: With this bounteous cornucopia of unintended
assistance from Phrack, it's better than even money that Major Martin
and friends are likely to start asking some serious questions about all
the money they've been pouring into substandard and intellectually
dishonest research products. And don't think they don't know about who
you've been corresponding with and trying to impress with your work,
either. You aren't as slick as you think you are.
If these recent embarrassments don't result in SIGNIFICANT improvements
in Snort and a top-to-bottom review of honeynet design, I strongly
suspect there's going to be some serious consequences. Just a wee hunch.
I swear to God if I had a hundred thousand dollars in unmarked bills
right now, I'd hand it over to the Phrack men this very minute with a
heartfelt "thank you".
In sum, "Everybody relax"-- the eternal refrain of the con artist--
might be good enough for people likely to be swayed by such assurances
(or those who prefer to stick their heads in the sand to avoid
unpleasant truths) but unfortunately for you, some of the people you've
been working with demand a hell of a lot more.
By the way, your explanation of how your machines were owned was one of
the most disgraceful cop-outs I've seen in a long, long time.
Evolve or die,
Matsu.
"who must be just some zit-faced chink PHC kid posting trolls from his
mother's basement".
(I have no interest in addressing your ad-hominem attacks, so I just
thought I'd say it for you and get that out of the way.)
-----BEGIN PGP SIGNATURE-----
Version: MailVault 2.2 from Laissez Faire City http://www.mailvault.com
iQA/AwUAP3DHf2M5xTGTuR0REQKFvACeK1INlkC0a+y/nn2u5d1gfX99RL8An2L/
QR6ZTONuJk0p8Lc2x4KEa5pl
=GNIL
-----END PGP SIGNATURE-----