Domain: insecure.org
Stories and comments across the archive that link to insecure.org.
Comments · 492
-
Re:More 'rich informing' alternative?
http://insecure.org/nmap/man/man-version-detection.html
After TCP and/or UDP ports are discovered using one of the other scan methods, version detection interrogates those ports to determine more about what is actually running. The nmap-service-probes database contains probes for querying various services and match expressions to recognize and parse responses. A paper documenting the workings, usage, and customization of version detection is available at http://insecure.org/nmap/vscan/. -
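The probe-and-match mechanism the man page excerpt describes, as an added example (not Nmap's code): a toy parser for the `Probe`/`match`/`softmatch` lines of nmap-service-probes that applies each match regex to a captured banner and expands the `$N` references in the version fields. The probe excerpt and the banners are hand-constructed for the demonstration.

```python
"""Toy matcher for the Probe/match syntax of Nmap's nmap-service-probes file.
Added example, not Nmap's own code; PROBES_SNIPPET and SAMPLE_BANNERS are
hand-constructed, the real database shipped with Nmap is far larger."""
import re

PROBES_SNIPPET = r"""
# Constructed excerpt in nmap-service-probes syntax (not the real file).
Probe TCP NULL q||
match ssh m|^SSH-([\d.]+)-OpenSSH[_-]([\w.]+)| p/OpenSSH/ v/$2/ i/protocol $1/
match ftp m|^220 ProFTPD ([\d.]+) Server| p/ProFTPD/ v/$1/
match mysql m|^.\x00\x00\x00\x0a([\d.]+)\x00|s p/MySQL/ v/$1/
softmatch ftp m|^220[ -].*\r\n|s
Probe TCP GetRequest q|GET / HTTP/1.0\r\n\r\n|
match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: Jetty/([\d.]+)|s p/Jetty httpd/ v/$1/
"""

PROBE_RE = re.compile(r"^Probe\s+(TCP|UDP)\s+(\S+)\s+q(.)(.*?)\3\s*$")
MATCH_RE = re.compile(r"^(match|softmatch)\s+(\S+)\s+m(.)")
VERSION_KEYS = {"p": "product", "v": "version", "i": "info",
                "h": "hostname", "o": "ostype", "d": "devicetype"}


def parse_match_line(line):
    """'match svc m<d>regex<d>[is] p/../ v/../ ...' -> (kind, service, regex, fields)."""
    head = MATCH_RE.match(line)
    if not head:
        raise ValueError("not a match line: " + line)
    kind, service, delim = head.groups()
    rest = line[head.end():]
    close = rest.find(delim)  # the delimiter is whatever character followed 'm'
    if close < 0:
        raise ValueError("unterminated pattern: " + line)
    pattern, rest = rest[:close], rest[close + 1:]
    flags = 0
    while rest and rest[0] in "is":  # Nmap accepts the i and s regex flags here
        flags |= re.IGNORECASE if rest[0] == "i" else re.DOTALL
        rest = rest[1:]
    fields, rest = {}, rest.strip()
    while len(rest) >= 2 and rest[0] in VERSION_KEYS:  # versioninfo fields, any delimiter
        key, d = rest[0], rest[1]
        close = rest.find(d, 2)
        if close < 0:
            raise ValueError("unterminated versioninfo field: " + line)
        fields[key] = rest[2:close]
        rest = rest[close + 1:].lstrip()
    return kind, service, re.compile(pattern, flags), fields


def parse_probes(text):
    """Return {probe name: {"proto", "payload" (bytes), "rules"}} from probe-file text."""
    probes, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("Probe "):
            m = PROBE_RE.match(line)
            if not m:
                raise ValueError("bad Probe line: " + line)
            proto, name, _, payload = m.groups()
            # q|...| uses C-style escapes (\r, \n, \xNN); turn them into the raw bytes sent
            raw_payload = payload.encode("latin-1").decode("unicode_escape").encode("latin-1")
            current = probes[name] = {"proto": proto, "payload": raw_payload, "rules": []}
        elif line.startswith(("match ", "softmatch ")):
            if current is None:
                raise ValueError("match line before any Probe: " + line)
            current["rules"].append(parse_match_line(line))
        # ports/rarity/fallback/totalwaitms directives are ignored in this toy
    return probes


def identify(banner, probe):
    """Apply one probe's rules to a captured response in file order: the first
    definitive match wins; a softmatch only pins the service name, after which
    matches for a different service are skipped."""
    text = banner.decode("latin-1")  # 1:1 byte mapping so \xNN in patterns line up
    tentative = None
    for kind, service, regex, fields in probe["rules"]:
        m = regex.search(text)
        if not m:
            continue
        if kind == "softmatch":
            tentative = tentative or service
            continue
        if tentative and service != tentative:
            continue
        result = {"service": service}
        for key, name in VERSION_KEYS.items():
            if key in fields:  # $N in a field expands to capture group N
                result[name] = re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))) or "", fields[key])
        return result
    return {"service": tentative} if tentative else None


SAMPLE_BANNERS = {  # constructed responses modelled on common 2007-era services
    "ssh": b"SSH-2.0-OpenSSH_4.3p2 Debian-9\r\n",
    "ftp": b"220 ProFTPD 1.3.0 Server (Debian) [::ffff:192.0.2.10]\r\n",
    "mysql": b"\x4a\x00\x00\x00\x0a5.0.45\x00\x0b\x00\x00\x00abcdefgh\x00",
    "http": b"HTTP/1.1 200 OK\r\nServer: Jetty/4.2.23 (Windows 2003/5.2 x86 java/1.4.2_10)\r\n\r\n",
    "unknown-ftp": b"220 Welcome, please log in\r\n",
}
```

Run `identify(SAMPLE_BANNERS["http"], parse_probes(PROBES_SNIPPET)["GetRequest"])` to see the product and version fields that Nmap's `-sV` output would print for the Jetty banner.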
really not interesting
user@desktop:/opt/ltsp$ nmap bundestag.de
Starting Nmap 4.20 ( http://insecure.org/ ) at 2007-08-13 11:16 CEST
Interesting ports on s600.bundestag.de (217.79.215.140):
Not shown: 1695 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
Nmap finished: 1 IP address (1 host up) scanned in 31.231 seconds -
As the author of Nmap ...
As the author of Nmap, I'm more than a little concerned about this law. It could mean that I can never again visit Germany, which is a shame because I have many friends there. But I don't want to risk a year in prison or the Halvar treatment. Many of these articles state as a matter of fact that the creation or distribution of Nmap (mentioned by name in TFA) is illegal now. If true, what does that mean for all the Linux distributors who include Nmap and other security tools?
Does anyone have a link to a good English translation and legal analysis of the new law? The Phenoelit page translates the law as affecting "computer programs whose aim is to commit a crime". That doesn't cover Nmap, which I designed for security professionals. But of course some blackhats use it too, and I don't want to bet my freedom on being able to convince a technologically illiterate judge in Germany of my intent.
I hope groups like the CCC (which is apparently quite powerful in Germany) are able to get this overturned! If legitimate German admins are afraid to use Nmap and other security tools while the crackers retain full access to them, that won't be a pretty sight!
-Fyodor
Insecure.Org
-
Re:This is the last time I'm explaining it to you.
How do you keep getting modded up? What you're saying is false. You obviously know nothing about networking.
Notice how, as I become more and more "public", less and less ports show. An attacker will only see what I get back when I nmap my box's hostname. When I nmap my LAN IP, more ports show, but not as many as show when I nmap localhost. On my router, I employ port forwarding, so nmapping my public IP of course shows fewer ports open. The 6112/tcp filtered dtspc port listing shown when nmapping my public IP is from my router. But this is STILL WHAT AN ATTACKER WOULD SEE. I don't know how I can provide more of an exact example than this, but what you're saying is just false, newb.
Everything on slashdot turns into a flamewar because there are a bunch of little kids like you that don't know wtf they're talking about, and then this banter persists, even though my original post was perfectly accurate. This isn't a pissing contest, you're giving out bad information, and then somehow being modded up for it. Maybe your posts keep getting marked as informative because the person giving you mod points didn't know about this, and has for some reason adopted your points as fact, but in doing has simply helped spread your false ideas of how the world works.
The bottom line is, if you nmap the IP address that an attacker will try to exploit, you will see what he sees, unless there is a firewall that restricts access to a range of IPs including the attacker's and not your own.
It's not like his machine sees something different when he runs `nmap ###########.com`, not unless my last statement is true.
vic@localhost ~ $ nmap localhost
Starting Nmap 4.20 ( http://insecure.org/ ) at 2007-08-12 16:22 EDT
Interesting ports on localhost (127.0.0.1):
Not shown: 1691 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
111/tcp open rpcbind
631/tcp open ipp
2049/tcp open nfs
3306/tcp open mysql
Nmap finished: 1 IP address (1 host up) scanned in 0.172 seconds
vic@localhost ~ $ nmap 192.168.1.2
Starting Nmap 4.20 ( http://insecure.org/ ) at 2007-08-12 16:22 EDT
Interesting ports on 192.168.1.2:
Not shown: 1692 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
111/tcp open rpcbind
631/tcp open ipp
2049/tcp open nfs
Nmap finished: 1 IP address (1 host up) scanned in 0.175 seconds
vic@localhost ~ $ nmap ###########.com
Starting Nmap 4.20 ( http://insecure.org/ ) at 2007-08-12 16:22 EDT
Interesting ports on ###########.com (###########):
Not shown: 1694 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
6112/tcp filtered dtspc
Nmap finished: 1 IP address (1 host up) scanned in 13.222 seconds -
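The poster's point is that the scan worth reading is the one against the address the rest of the Internet reaches. As an added example (not the poster's code), this parses Nmap normal output from several vantage points, treats unlisted ports as whatever state the "Not shown" line gives them, and attributes each port to the outermost vantage that sees it open. The transcripts are reconstructed from the three scans above with a placeholder hostname and address.

```python
"""Which ports are reachable from which vantage point, from Nmap normal output.
Added example, not from the thread above; the three transcripts are constructed
to mirror the localhost / LAN / public scans in that comment, with a placeholder
hostname and address standing in for the poster's redacted ones."""
import re

PORT_LINE = re.compile(r"^(\d+/(?:tcp|udp))\s+(\S+)\s+(\S+)", re.M)  # "21/tcp open ftp"
NOT_SHOWN = re.compile(r"^Not shown: \d+ (\S+) ports", re.M)         # state of unlisted ports

SCANS = {  # innermost vantage first, outermost last
    "localhost": """\
Starting Nmap 4.20 ( http://insecure.org/ ) at 2007-08-12 16:22 EDT
Interesting ports on localhost (127.0.0.1):
Not shown: 1691 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
111/tcp open rpcbind
631/tcp open ipp
2049/tcp open nfs
3306/tcp open mysql
Nmap finished: 1 IP address (1 host up) scanned in 0.172 seconds
""",
    "lan": """\
Interesting ports on 192.168.1.2:
Not shown: 1692 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
111/tcp open rpcbind
631/tcp open ipp
2049/tcp open nfs
""",
    "public": """\
Interesting ports on host.example (192.0.2.10):
Not shown: 1694 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
6112/tcp filtered dtspc
""",
}


def parse_scan(text):
    """Return (state Nmap gave the unlisted ports, {port: (state, service)})."""
    m = NOT_SHOWN.search(text)
    default = m.group(1) if m else "closed"
    return default, {p: (s, svc) for p, s, svc in PORT_LINE.findall(text)}


def exposure(scans):
    """Attribute every port seen in any scan to the outermost vantage that sees it
    open, so the last bucket is what a remote scanner sees (unless a firewall
    treats the scanner's address differently from yours); ports the outermost
    vantage reports as filtered are listed separately, here the router's doing."""
    vantages = list(scans)
    parsed = {v: parse_scan(t) for v, t in scans.items()}
    seen = {p for _, ports in parsed.values() for p in ports}
    report = {v: [] for v in vantages}
    report["filtered_at_edge"] = []
    for port in sorted(seen, key=lambda p: int(p.split("/")[0])):
        state = {v: parsed[v][1].get(port, (parsed[v][0], None))[0] for v in vantages}
        open_from = [v for v in vantages if state[v] == "open"]
        if open_from:
            report[open_from[-1]].append(port)
        if state[vantages[-1]] == "filtered":
            report["filtered_at_edge"].append(port)
    return report


if __name__ == "__main__":
    for bucket, ports in exposure(SCANS).items():
        print(f"{bucket:>16}: {', '.join(ports) or '-'}")
```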
A default Ubuntu box has them all closed.
I'm running Ubuntu, and I was under the impression that the default installation doesn't leave any ports open.
That is correct. By default, they are all closed.
But you may have changed that. If you've installed any P2P or such apps, you may have open ports from that.
As the other poster suggested, use nmap to determine what your outward profile looks like. Even better, have a friend scan your address from their location. That will tell you what your machine looks like from the Internet.
xxxxxx@xxxxxxx:~$ sudo nmap -p0-65535 10.31.198.130
Starting Nmap 4.20 ( http://insecure.org/ ) at 2007-08-12 07:54 PDT
All 65536 scanned ports on 10.31.198.130 are closed
MAC Address: 00:11:D8:E1:9F:A9 (Asustek Computer)
Nmap finished: 1 IP address (1 host up) scanned in 16.486 seconds
That's without a firewall. -
Absolutely right
Absolutely right! Halvar is extraordinarily talented and it will be a terrible shame if his class is canceled. But it starts on Monday, so unless they do it by video conference I can't see him making it. I still hope to see him when I fly to Vegas on Thursday, but the odds aren't good :(.
I'd like to know just what the immigration department expects US conferences to do when bringing in foreign speakers. Halvar says they wanted to treat him like an "employee" of BlackHat and get an H1-B visa. But that is ridiculous as it is a multi-year process. Halvar thinks coming as a representative of his own German company will help, but we shouldn't have to require that foreigners incorporate just to give a simple presentation or training class here.
I'm an American who has been paid to give presentations and training in many countries, including Germany. And I've never been hassled by their immigration dept. or received any special visas. So it's embarrassing and harmful that the US subjects visitors to our country to all of this crap (including the fingerprinting and pushing other countries toward RFID passports). It's no wonder that many conference producers, including BlackHat, have been increasing the number of cons held offshore. The US just isn't seen as a welcoming place.
Pardon the long rant, but I hate seeing my friends put through this. And I'm sure similar things happen to thousands of people we don't know every day. Also, if those of us in the US don't fix our system, other countries might copy it and then we'll have to deal with this shit when we travel.
-Fyodor
Insecure.Org -
It's a security tool, dummy
Thanks Michael for your support of free speech. I'm really pleased to hear you think it's "fine".
Why don't people seem to get that making these programs obscure does not make you safer? I for one want to monitor my wireless network to see if they are vulnerable to such "cracking" (goddammit, "cracking" is removing copy protection and has been for two decades!!) tools.
They tried to shut down nmap in the same way (it first appeared in Phrack, btw), but I think most people will agree it's an absolutely essential tool for securing your network and checking for open ports, etc.
Making these types of programs illegal (isn't this just a macafied kismet?) is absolutely crazy and will result in more, not fewer security breaches. -
Re:Not impressed
Well, there's not really just one way to split up the OS'es, see nmap TCP/IP OS fingerprinting, but it's kind of disheartening that Cisco is using the UA for that, as it's the least secure thing you could possibly do. Kind of a name badge, "Hi My name is: CEO of Your Company" and security letting him pass without a card swipe or ID check because he says it so it must be true. Nmap OS Fingerprinting is really very cool if you haven't checked it out before. OpenBSD hides itself pretty well and FreeBSD does ok with certain switches turned on. But of course the detection just gets better each time too.
-
Ah. Freedom at last.
As a computer hardware and software provider who performs computer and network security diagnostics and technical support, I will soon be free to monitor and interact with *anyone's* network connection, service, or computer. Legally.
Stand back baby, I'm a Nessus monkey with a long list of a**holes, a can 'o nmap, a fully loaded Metasploit, and I ain't afraid to use 'em.
-
Try out lua - on Nmap
Great example of how lua can extend the functionality of a program. Check out the Nmap Scripting Engine.
With lua and NSE, nmap can now do things like vulnerability testing. Why not download nmap now and give it a try? -
Windows Server 2003 SP #2 does well IF DONE RIGHT!
My primary workstation system using Windows Server 2003, SP #2, running the NMap port to Win32, when done in a fully security hardened setup via tools like:
- Security Configuration Wizard (SCW - A WINDOWS SERVER 2003 TOOL ONLY, AFAIK)
- Security Analysis Tool and Templates in MMC.EXE
- Services cutoffs in services.msc as well as policies, & also altering the running ones' (many of them allow for this IN SERVICES.MSC MIND YOU) logon entity for many to less than LocalSystem.
- gpedit.msc
- secpol.msc
- regedit.exe (for performance and security hacks application, 123 of them)
- A LinkSys/CISCO True NAT firewalling hardware router
- Software combined w/ hardware NAT firewall router @ the OS' native firewall
- Software combined w/ hardware NAT firewall router @ the port filtration level (the poor man's firewall as it is called, as another added layer for layered security)
- IP Security Policy that complements the software firewall, port filters, & Hardware NAT router.
* The last 3 work at the IpFltDrv.sys, IpSec.sys (ip security filtering policies), & IpNAT.sys (firewall hook) drivers level (respectively IN THAT ORDER, iirc)
- A custom adbanner blocking hosts file (to speed up my surfing by not calling out to DNS servers; I don't run those services on my workstation anyhow, nor do I run DHCP via software anymore either)
- IE 7 set with Windows 2003 Server's default 'hardened' IE 6 setup (you can do this to XP or 2000 manually though, same deal as below next really)
- AND all browsers set to max security (using IE security zones properly on IE & Outlook Express, turning off java/javascript - activex/activescript usage except for pages that need it, by tab, in Opera by site prefs like my RAID 1 web interface noted below for a test of NMap for Win32 4.20)
- and more (etc. like ANTIVIRUS IN NOD32, BEST THERE IS, AND antispyware in SPYBOT TEATIMER RUNNING)
That setup, on this test using NMap for Win32 on a hardened Windows Server 2003 SP#2 setup, got this score result:
E:\>nmap -P0 -sT -F -O -A 192.168.0.xx
Starting Nmap 4.20 ( http://insecure.org/ ) at 2007-03-30 02:18 Eastern Standard Time
Interesting ports on 192.168.0.xx:
Not shown: 1255 closed ports
PORT STATE SERVICE VERSION
8080/tcp open http Jetty httpd 4.2.23 (Windows 2003/5.2 x86 java/1.4.2_10)
OS and Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 289.203 seconds
Pretty good, considering I left my RAID 1 mgt. and its java engine running for my Promise SuperTrak Ex8350 PCI-e SATA1/2 128mb ECC Ram Caching controller (via its WebPam interface, java run no less). That would not even have shown up if I had turned it off, but it was an example that the scan was indeed working.
(And, what it's showing is coming thru 8080, & once I turn that service off? The scan returns nothing @ all on my client rig I ran the test on, but my server rig running IIS 6.x on Win2k3 SP #2 & SQLServer 2005 still has hits on it, because of IIS largely... but on my workstation, zippo, because once I turn off my RAID 1 controller service (WebPAM) there is no java running and listening, is why).
Windows machines, especially those on Windows Server 2003 SP #2 fully hardened (doesn't take THAT long to do), can do well security-wise if you do things right (like not opening up email attachments from strangers, lol, you know this I bet though of course).
Vista does well surprisingly as well on tests like CIS Tool 1.0 (by the "center for internet security") and on Belarc Advisor tests as well. Not as good as a hardened system like mine, but better than XP by default, AND probably better than Windows Server 2003 (VISTA's codebase iirc no less) does prior to hardening.
E.G.-> On CIS Tool 1.0? My system nails an 84.735 of 100 possible score (151 passed, 7 failed), -
Great Program!
I have been participating as a mentor for the SoC program since it started, and I highly recommend it. It is a great way to get paid, gain valuable experience and a great resume booster, and write code which will be used by thousands or millions of people! You can read about the successful creations of Nmap SoC students in 2005 and 2006.
This year I am involved with three projects which have been accepted for SoC this year:
- Nmap Security Scanner (SoC Ideas Page)
- UMIT (SoC Ideas Page). This is an Nmap graphical front end which started out as a student's Nmap-SoC project, and now he has been accepted by Google to run it as an independent SoC project!
- Computer Professionals for Social Responsibility (SoC Ideas Page). I serve on the board of directors for this 501(c)3 nonprofit which aims to educate and influence policy makers and the public on technical issues.
And even if none of those projects float your boat, there are 128 others to choose from. Remember that you can apply for multiple projects, and doing so can (with sufficient care and detail for each application) be a good way to increase your odds.
-Fyodor
Insecure.Org
-
Re:This must change
The government issued over 140,000 of these letters with gag orders. We should have 140,000 people in jail right now for talking about them, nothing else could demonstrate how abusive these letters are.
When I received numerous subpoenas (these weren't NSLs) from different branches of the FBI in 2004, I notified my users on nmap-hackers and that led to coverage on Slashdot and elsewhere. Perhaps because of the publicity, the FBI has not sent me a single subpoena since then.
I agree with the majority of the comments here that restrictive NSL gag orders as described in TFA are an outrage!
-Fyodor
Insecure.Org -
Re:summer
Well how about the Slacker SoC project from nmap? http://insecure.org/nmap/GoogleGrants.html
(Of course these were ideas for the 2006 SoC, but hopefully you'll get a chance to do it this year too). -
Re:Advisory Timeline
I wouldn't call it a cover up. I would say it's a case of overconfidence.
That could be. And don't get me wrong -- I'm a big OpenBSD fan and even have one of their posters framed and hanging in my home. But I think they could have handled this better. Given that security is their main selling point, I'd like to see the OpenBSD guys treat all buffer overflows as potentially exploitable. In this case, it appears that the fix to 3.9 and 4.0 branches was delayed for an extra week until Core produced a working remote root exploit. The problem with requiring a working exploit from bug reporters is that most of them lack the ability or inclination (or both) to produce one. This bug just happened to be reported by some of the best exploit writers in the world.
Also, even if the bug did only allow anyone to cause remote kernel panic on your OpenBSD firewall or server with a single packet, that is still a security vulnerability. They can call it a DoS vulnerability if they are sure one cannot lead to code execution.
-
Advisory Timeline
I'm a bit surprised that the summary didn't mention the rather interesting timeline in the Core advisory, which implies an attempted cover up. I don't know all the facts, so I'll let the document speak for itself:
- 2007-02-20: First notification sent by Core.
- 2007-02-20: Acknowledgement of first notification received from the OpenBSD team.
- 2007-02-21: Core sends draft advisory and proof of concept code that demonstrates remote kernel panic.
- 2007-02-26: OpenBSD team develops a fix and commits it to the HEAD branch of source tree.
- 2007-02-26: OpenBSD team communicates that the issue is specific to OpenBSD. OpenBSD no longer uses the term "vulnerability" when referring to bugs that lead to a remote denial of service attack, as opposed to bugs that lead to remote control of vulnerable systems to avoid oversimplifying ("pablumfication") the use of the term.
- 2007-02-26: Core email sent to OpenBSD team explaining that Core considers a remote denial of service a security issue and therefore does use the term "vulnerability" to refer to it and that although remote code execution could not be proved in this specific case, the possibility should not be discarded. Core requests details about the bug and if possible an analysis of why the OpenBSD team may or may not consider the bug exploitable for remote code execution.
- 2007-02-28: OpenBSD team indicates that the bug results in corruption of mbuf chains and that only IPv6 code uses that mbuf code, there is no user data in the mbuf header fields that become corrupted and it would be surprising to be able to run arbitrary code using a bug so deep in the mbuf code. The bug simply leads to corruption of the mbuf chain.
- 2007-03-05: Core develops proof of concept code that demonstrates remote code execution in the kernel context by exploiting the mbuf overflow.
- 2007-03-05: OpenBSD team notified of PoC availability.
- 2007-03-07: OpenBSD team commits fix to OpenBSD 4.0 and 3.9 source tree branches and releases a "reliability fix" notice on the project's website.
- 2007-03-08: Core sends final draft advisory to OpenBSD requesting comments and official vendor fix/patch information.
- 2007-03-09: OpenBSD team changes notice on the project's website to "security fix" and indicates that Core's advisory should reflect the requirement of IPv6 connectivity for a successful attack from outside of the local network.
- 2007-03-12: Advisory updates with fix and workaround information and with IPv6 connectivity comments from OpenBSD team. The "vendors contacted" section of the advisory is adjusted to reflect more accurately the nature of the communications with the OpenBSD team regarding this issue.
- 2007-03-12: Workaround recommendations revisited. It is not yet conclusive that the "scrub in inet6" directive will prevent exploitation. It effectively stops the bug from triggering according to Core's tests but OpenBSD's source code inspection does not provide a clear understanding of why that happens. It could just be that the attack traffic is malformed in some other way that is not meaningful for exploiting the vulnerability (an error in the exploit code rather than an effective workaround?). The "scrub" workaround recommendation is removed from the advisory as precaution.
- 2007-03-13: Core releases this advisory.
-Fyodor
Insecure.Org -
NMAP
No FOSS tool that I know of limits what you can do with its output.
NMAP does.
Try integrating NMAP with your commercial product. You won't be allowed to distribute it if you use its output to integrate into your own stuff.
Check out their wacky addition to the GPL:
 * Note that the GPL places important restrictions on "derived works", yet
 * it does not provide a detailed definition of that term. To avoid
 * misunderstandings, we consider an application to constitute a
 * "derivative work" for the purpose of this license if it does any of the
 * following:
 * Integrates source code from Nmap
 * Reads or includes Nmap copyrighted data files, such as
 * nmap-os-fingerprints or nmap-service-probes.
 * Executes Nmap and parses the results (as opposed to typical shell or
 * execution-menu apps, which simply display raw Nmap output and so are
 * not derivative works.)
 * Integrates/includes/aggregates Nmap into a proprietary executable
 * installer, such as those produced by InstallShield.
 * Links to a library or executes a program that does any of the above
-
Yes, this has been a problem for Nmap too
This has been enough of a problem for the Nmap Security Scanner that we warn about McAfee specifically and suggest better alternatives on the Nmap Download Page (See the Windows section). More details about the problems we've encountered are posted here. I've spoken with McAfee executives at conferences and they say they want to fix the problem, but then it just gets lost in their bureaucracy. Sigh.
Also, it is annoying when free software gets wrongly listed on spyware databases. For example, check out the "Spyware Encyclopedia" entry on Nmap, which says "NMap belongs to the Port Scanner spyware category. It's[SIC] presense[SIC] means that your computer is infected with malicious software and is insecure." WTF? Similarly, Nmap has an entry in the "CA Spyware Information Center". If they want to warn about Nmap because it can be used for network discovery, fine. But it shouldn't be called spyware, adware, or anything like that.
-Fyodor
Insecure.Org -
GoDaddy Alternatives -- Try NoDaddy.Com
Just a few days ago, I launched a noncommercial site dedicated to this exact purpose -- encouraging and helping people move away from GoDaddy. The site is at NoDaddy.Com (I'm sure Bob Parsons loves the domain name ;).
I launched the site after GoDaddy shut down my domain SecLists.Org, as noted in this /. article summary. The site includes a list of alternative registrars that readers have recommended. It is rather sparse on details right now, but I'm working on that. I'll go through all your comments in this article tomorrow to fish out good ideas for the registrar section of the site. I'm trying to fill up the site as much as possible before GoDaddy's big SuperBowl ads air on Sunday. We are currently seeking a volunteer to set up and run the NoDaddy forums -- write me if you're interested. We're also looking for "NoDaddy girl" models, but perhaps Slashdot isn't the best place to recruit for that :).
Just today, CNET News.Com posted an article where they interviewed many registrars about their takedown policies. Unfortunately, many registrars refused or didn't bother to respond. Of those who did, the authors "found that the French registrar Gandi.net and New Orleans-based DirectNIC offered the most extensive guarantees against unnecessary domain name suspension."
-Fyodor
Insecure.Org -
Ok. I give up. Where's the list?
I must be in the brainless zone today. I cannot find this highly publicized and promoted list of IP numbers. We got articles, we got links, but IP numbers? Ogg not find. Ogg feeling stupid. Embarrass family. Ogg need know if his IP number on list, even though he regularly change router's WAN ethernet number, get new IP from glomcast. Ogg spend much time nmapping spammers. Running nessus. Ogg probably on someone's list as troublemaker. Ogg not care. Tired of UEC not from wild boar.
-
Auto-subscription scams are one good reason
If someone uses the card locally, big deal. I call Chase and tell them that the card was stolen and the charge wasn't mine. Not many questions asked.
It certainly can be a big deal if you don't notice the fraudulent charge quickly, if Chase decides to investigate extensively, if you have to file police reports, dealing with card reissuance when you're travelling, if the episode makes its way onto your credit history, if the criminals continue to steal your identity in other ways, etc. Plus, the costs of credit card fraud end up being passed back to consumers as a group anyway. So you might not want to be quite so blasé about it.
But honestly, my main reason for using these systems is that I don't trust the vendor. Not 3rd party fraud. For example, many online media sites put in the fine print that they will retain your credit card number and try to charge you their then-current rates every year unless you remember in time to jump through all their AOL-style cancellation hoops. This isn't just porn sites -- the Wall Street Journal Online, Morningstar.Com, and various other sites try to do this to me. So I just make a temporary number for $120 or whatever the annual charge is. Then the "auto renewal" will fail in a year and they will have to actually ask me whether I wish to renew at their then-current prices.
I've been using MBNA's system, but I'm not so happy with them for other reasons. I'd be interested in hearing what other banks offer this feature in a convenient manner with a standard web-based UI. I'm certainly not going to run IE to use PayPal's system!
Also, it is probably true that I'm more paranoid than your average user.
-Fyodor
Insecure.Org
-
Re:Excellent!
Why not?
NMAP did it
-
Re:But other than that...
Regarding the impossibility of a child getting root, this doesn't stretch our suspension of disbelief these days when the internet, new zero-day vulnerabilities, and script kiddies might get the jump on an older programmer.
And in The Matrix Reloaded, recall Trinity using nmap to find open ports on her victim? Nmap author Fyodor brags about this:
We have all seen many movies like Hackers which pass off ridiculous 3D animated eye-candy scenes as hacking. So I was shocked to find that Trinity does it properly in The Matrix Reloaded [Under $10 at Amazon]. She whips out Nmap version 2.54BETA25, uses it to find a vulnerable SSH server, and then proceeds to exploit it using the SSH1 CRC32 exploit from 2001. Shame on them for being vulnerable (timing notes). Congratulations to everyone who has helped make Nmap successful! And thanks to Jason Algol, Titney, Thorsten Delbrouck, and others for sending pics! -
Re:WTF: Novell moves to waive SCO's case?
Authors are already free to create their own shitlists, recall that Fyodor terminated SCOs rights to distribute nmap.
http://insecure.org/stf/Nmap-3.50-Release.html
SCO Corporation of Lindon, Utah (formerly Caldera) has lately taken to an extortion campaign of demanding license fees from Linux users for code that they themselves knowingly distributed under the terms of the GNU GPL. They have also refused to accept the GPL, claiming that some preposterous theory of theirs makes it invalid (and even unconstitutional)! Meanwhile they have distributed GPL-licensed Nmap in (at least) their "Supplemental Open Source CD". In response to these blatant violations, and in accordance with section 4 of the GPL, we hereby terminate SCO's rights to redistribute any versions of Nmap in any of their products, including (without limitation) OpenLinux, Skunkware, OpenServer, and UNIXWare. We have also stopped supporting the OpenServer and UNIXWare platforms.
For what it's worth, SCO announcing that they don't have to follow the GPL pretty much means an open season for DMCA takedown notices and criminal charges against them. If they don't accept the GPL, then standard copyright law applies and any GPLed software distribution by SCO becomes a criminal case of copyright infringement. -
Re:And if you use those codecs with MPlayer on Lin
and there are no "automatic" tools to sweep it clean
meh...not sure I entirely agree with you here, although I will concede that many Linux users don't know what tools are available and even less use those that are available on a regular basis.
Tools that I use regularly to keep tabs on my boxen:
1) chkrootkit (http://www.chkrootkit.org/): can be run from cron to look for suspicious files and rootkit signatures;
2) netstat -ep: to show what processes are using network connections;
3) lsof: to show what files on your system are open, who opened them and with what process they were opened;
4) Tripwire (http://www.tripwire.com/) or Sentinel (http://www.gecko-ak.org/Sentinel/), my own, open-source, much less functional, still really in development Tripwire-like file system auditor: to check for changes in binaries, config files or anything else on your file system that you would like to keep tabs on;
5) nmap (http://www.insecure.org/nmap): to remotely scan computers on your network for open ports, and to audit the services using these open ports;
6) nessus (http://www.nessus.org/): like nmap, only different;
7) tcpdump/ethereal/wireshark: to monitor packets in or out of your computer;
8) snort (http://www.snort.org/): okay, I haven't (yet) used this one, but it's the open-source standard for IDS;
9) BitDefender (http://www.bitdefender.com/): anti-virus for Linux--we had to use this once at work to remove a Windows virus that had infected our Samba shares (note: the Samba server wasn't infected, but the Windows machines that were mounting shares from the Samba server were--and they kept rewriting infected Windows executables to the server).
So, no, most of these aren't automatic, and most of these won't clean your Linux PCs, but there are a host of tools that you can use to detect problems on your Linux computers. And, if you're really paranoid, there are several vendors that provide anti-virus software, just like what you find on your Windows machines. -
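A minimal version of the Tripwire-style check listed as item 4 above, added here as an example; it is not part of the comment, not the commenter's Sentinel and not Tripwire's own code. It hashes every regular file under a directory into a baseline, then reports files that were added, removed, or changed in content or permission bits. The demo() scenario, its directory and its file names are constructed for illustration only.

```python
"""Baseline-and-compare file integrity check, the idea behind Tripwire.
Added example for this page; it is neither Tripwire's code nor the commenter's
Sentinel.  demo() builds a throwaway tree in a temporary directory (constructed
data, not a real system) and returns the differences found."""
from __future__ import annotations
import hashlib
import json
import os
import stat
import tempfile

def _sha256(path: str, chunk: int = 1 << 16) -> str:
    """Stream the file so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(root: str) -> dict[str, dict]:
    """Hash, permission bits and size of every regular file under root, keyed by
    POSIX-style relative path.  Symlinks, devices and sockets are skipped.  mtime
    is left out on purpose: touch(1) forges it; a matching SHA-256 second preimage
    is not feasible."""
    baseline: dict[str, dict] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"sha256": _sha256(full),
                             "mode": stat.S_IMODE(st.st_mode),  # catches a new setuid bit
                             "size": st.st_size}
    return baseline

def compare(old: dict[str, dict], new: dict[str, dict]) -> dict[str, list[str]]:
    """Files added, removed, or changed in content or permissions since the baseline."""
    old_paths, new_paths = set(old), set(new)
    return {"added": sorted(new_paths - old_paths),
            "removed": sorted(old_paths - new_paths),
            "modified": sorted(p for p in old_paths & new_paths if old[p] != new[p])}

def save_baseline(baseline: dict[str, dict], path: str) -> None:
    """Store the baseline off the audited host or on read-only media: root on a
    compromised box can rewrite a baseline kept locally to match the trojans."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(baseline, fh, indent=1, sort_keys=True)

def load_baseline(path: str) -> dict[str, dict]:
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)

def demo() -> dict[str, list[str]]:
    """Constructed scenario: a binary replaced by one of identical size, a file
    removed, a file added, and a permission-only change."""
    root = tempfile.mkdtemp(prefix="fim-demo-")
    os.makedirs(os.path.join(root, "bin"))

    def put(rel: str, data: bytes, mode: int = 0o644) -> str:
        full = os.path.join(root, rel)
        with open(full, "wb") as fh:
            fh.write(data)
        os.chmod(full, mode)
        return full

    ls = put("bin/ls", b"original ls binary")
    passwd = put("passwd", b"root:x:0:0:root:/root:/bin/sh\n")
    cron = put("cron.sh", b"#!/bin/sh\n")
    store = os.path.join(tempfile.mkdtemp(prefix="fim-store-"), "baseline.json")
    save_baseline(build_baseline(root), store)      # taken while the tree is clean

    with open(ls, "wb") as fh:                      # same size, different content
        fh.write(b"trojaned ls binary")
    os.remove(passwd)
    put("shadow", b"x")
    os.chmod(cron, 0o755)                           # content untouched, mode changed
    return compare(load_baseline(store), build_baseline(root))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Running the file reports bin/ls and cron.sh as modified (the first for content, the second for mode alone), passwd as removed and shadow as added. On a real host, generate the baseline from known-good media and keep it somewhere a local root compromise cannot reach; a baseline stored on the audited box is exactly the file a rootkit installer would rewrite.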
Who is biased now?
anyone who's been in academia knows that she's flat-out rejected as being a highly derivative, illogical (her work is based in fallacy) nutjob unworthy of serious attention.
You suspect "a large biased mob of editors trying to keep the article biased" in favor of Ayn Rand. The admins you have contacted all refused to "help", and you suspect that Jimbo himself is behind the edits. Have you considered the possibility you are the one who is biased -- against this "nutjob" Ayn Rand?
-Fyodor
Insecure.Org -
Re:To Debian: Pick Your Battles
Debian's problem has always been that its handlers place users and the usability of their distribution far below very petty internal arguments intended to frame the distro as some sort of legal pioneer
Debian did not choose this battle. They have been distributing Firefox for years in the same way they distribute other open source software. It was Mozilla who forced the issue by threatening legal action if Debian doesn't change the name or start submitting all patches (even security patches) to Mozilla for permission before they are applied. Mike Conner of Mozilla says "you should consider this, as I previously said, notice that your usage of the trademark is not permitted in this way, and we are expecting a resolution. If your choice is to cease usage of the trademark rather than bend the [Debian Free Software Guidelines] a little, that is your decision to make."
Debian asked "could we at least get a stay of execution? Etch is going into deep freeze in less than a month. Would it be possible to resolve this after the release?" and Mozilla responded that "If we were forced to revoke your permission to use the trademark, freeze state would not matter, you would be required to change all affected packages as soon as possible. Its not a nice thing to do, but we would do it if necessary, and we have done so before."
Many legal squabbles are instigated by Debian, but this isn't one of them. Mozilla has forced the issue. Linux Weekly News wrote a good summary of the situation.
-Fyodor
Insecure.Org -
Re:The Matrix
Yep, there's a scene in The Matrix: Reloaded where Trinity runs a port scan using nmap.
-
Window is great, but MS security still miserable
So the security world used to be pretty hostile to MS, before, you know, XPSP2, MSRC got taken seriously, etc.
Used to be? Maybe you see a different view of them when they hire you for security consulting and fly you out for their Blue Hat conferences and such. But from my outsider perspective, Microsoft is still a security disaster. Not only have we continued to see hundreds of serious vulnerabilities throughout 2006, but MS has in many cases made us wait weeks or months before patching widely exploited bugs. Heck, another actively exploited MS Office vulnerability was just discovered in the wild. If we're lucky, MS will cough up a patch on September 12, otherwise they'll probably leave users vulnerable until the next "patch Tuesday" on October 10.
Meanwhile, Microsoft recently re-issued MS06-042 with a fix for a vulnerability introduced by their first attempted fix. And they openly admit that they excluded eEye from the advisory credits because eEye embarrassed MS by making their incompetence public. MS is more interested in petty vendettas against researchers than actually fixing the flaws.
Microsoft has made a few positive steps toward securing their products in the last couple of years, but I think most of their efforts and successes are more in the PR realm than anything with technical merit. They have spent so much money sponsoring conferences (their money does come with strings attached) and paying off security researchers, that many people seem reluctant to criticize them.
OK, enough anti-MS ranting from me for now :). My main point in replying is actually to agree with you about Window. She is extremely smart and talented, and her defection to Mozilla is great news for a product which really needs more security attention. We had lunch last week to discuss Mozilla security and Window has some great ideas. Mozilla may already be much more secure than IE, but we should set a much higher bar than that! Best of luck at your new position, Window!
-Fyodor
Insecure.Org -
Re:Password changes compensate for other problems
If an employee leaves and goes crazy later, and if you didn't change all his passwords when he left, then a regular change policy will avoid one problem. Of course it's more likely that a problem employee will strike back immediately. Or will have planted back doors before leaving.
Ours usually go crazy because of the IT Administrators... they leave of their own accord :D That said, we have a policy in place where once a month (over a weekend) we fire up John the Ripper on a couple of Quad Xeon servers. Any password that is cracked at the end of the weekend is reset to something unintelligible and the user is warned.
With the threat of having a password that looks like line noise, the users have stopped picking stupid passwords. We still run the cracking process, but we have less of a reason to now. It is rare that we even check its logs at the end of the run now. Soon we'll be able to just get back to Prey or F.E.A.R. or (in my case) NetHack and not have to worry about our passwords. Fear will keep the local users in line. Fear of this perl script. http://insecure.org/stc/sti -
Hmmm....
~ $ nmap -P0 zcodec.com
Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-09-05 06:43 PDT
Unable to find nmap-services! Resorting to /etc/services
Interesting ports on 85.255.117.106-xbox.dedi.inhoster.com (85.255.117.106):
(The 1143 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
57/tcp filtered mtp
80/tcp open www
111/tcp filtered sunrpc
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
199/tcp open smux
205/tcp filtered unknown
445/tcp filtered microsoft-ds
515/tcp filtered printer
519/tcp filtered unknown
587/tcp open submission
705/tcp filtered unknown
818/tcp filtered unknown
876/tcp filtered unknown
888/tcp filtered unknown
1433/tcp filtered ms-sql-s
1646/tcp filtered sa-msg-port
2111/tcp filtered kx
3306/tcp open mysql
4557/tcp filtered fax
20012/tcp filtered vboxd
27374/tcp filtered asp
Nmap finished: 1 IP address (1 host up) scanned in 22.663 seconds
The hostname is odd (as pointed out before)... and we learn little from a scan.
Well I'm bored. Let's go get beer. -
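The scan above parsed into structured data, as an added example that is neither Nmap's code nor the commenter's. The SAMPLE constant is the pasted output verbatim; the regular expressions assume Nmap's normal (non-XML) output, and their acceptance of the later "Nmap scan report for ..." header and "Not shown: N closed ports" summary line is an assumption about formats not shown in this comment.

```python
"""Parse Nmap's human-readable ("normal") output into structured records.
Added example for this page, not Nmap's own code or the commenter's; SAMPLE is
the scan pasted in the comment above.  The header patterns also accept the later
"Nmap scan report for ..." and "Not shown: N closed ports" wording."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

HOST_RE = re.compile(r"^(?:Interesting ports on|Nmap scan report for) "
                     r"(?P<target>.+?)(?: \((?P<ip>[0-9a-fA-F.:]+)\))?:?$")
NOT_SHOWN_OLD_RE = re.compile(r"^\(The (?P<n>\d+) ports scanned but not shown "
                              r"below are in state: (?P<state>\w+)\)$")
NOT_SHOWN_NEW_RE = re.compile(r"^Not shown: (?P<n>\d+) (?P<state>\w+) ports$")
# state may be compound (open|filtered); an optional version string follows the service
PORT_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp|sctp)\s+(?P<state>[\w|]+)"
                     r"\s+(?P<service>\S+)(?:\s+(?P<version>.+))?$")

@dataclass
class Port:
    number: int
    proto: str
    state: str
    service: str
    version: str = ""

@dataclass
class HostResult:
    host: str
    ip: str
    not_shown: int = 0           # ports Nmap collapsed into one summary line
    not_shown_state: str = ""
    ports: list[Port] = field(default_factory=list)

    def by_state(self, state: str) -> list[Port]:
        return [p for p in self.ports if p.state == state]

def parse_nmap_normal(text: str) -> list[HostResult]:
    """One HostResult per host block; text before the first host header is ignored."""
    results: list[HostResult] = []
    current: HostResult | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := HOST_RE.match(line):
            current = HostResult(host=m["target"], ip=m["ip"] or m["target"])
            results.append(current)
        elif current is None:
            continue
        elif m := (NOT_SHOWN_OLD_RE.match(line) or NOT_SHOWN_NEW_RE.match(line)):
            current.not_shown, current.not_shown_state = int(m["n"]), m["state"]
        elif m := PORT_RE.match(line):
            current.ports.append(Port(int(m["port"]), m["proto"], m["state"],
                                      m["service"], m["version"] or ""))
    return results

def state_counts(result: HostResult) -> dict[str, int]:
    """Ports per state, folding the 'not shown' summary back in so totals add up."""
    counts: dict[str, int] = {}
    for p in result.ports:
        counts[p.state] = counts.get(p.state, 0) + 1
    if result.not_shown:
        counts[result.not_shown_state] = counts.get(result.not_shown_state, 0) + result.not_shown
    return counts

# Constructed input: the Nmap 4.01 scan from the comment above, verbatim.
SAMPLE = """\
Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-09-05 06:43 PDT
Unable to find nmap-services! Resorting to /etc/services
Interesting ports on 85.255.117.106-xbox.dedi.inhoster.com (85.255.117.106):
(The 1143 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
57/tcp filtered mtp
80/tcp open www
111/tcp filtered sunrpc
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
199/tcp open smux
205/tcp filtered unknown
445/tcp filtered microsoft-ds
515/tcp filtered printer
519/tcp filtered unknown
587/tcp open submission
705/tcp filtered unknown
818/tcp filtered unknown
876/tcp filtered unknown
888/tcp filtered unknown
1433/tcp filtered ms-sql-s
1646/tcp filtered sa-msg-port
2111/tcp filtered kx
3306/tcp open mysql
4557/tcp filtered fax
20012/tcp filtered vboxd
27374/tcp filtered asp
Nmap finished: 1 IP address (1 host up) scanned in 22.663 seconds
"""
```

parse_nmap_normal(open("scan.txt").read()) gives one HostResult per host, and state_counts() on the sample comes to 8 open, 18 filtered and 1143 closed, which is the "we learn little" point in numbers: without a version-detection (-sV) run, a scan like this only says which ports answered, not what is listening behind them. For anything beyond a one-off, feed a tool Nmap's XML output (-oX) rather than scraping the normal format, which is written for humans and is not a stable interface.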
Arsenal of Tools
Funny, I also carry a thumb-drive with a removable memory card slot. It's this generic one floating around online: http://www.supermediastore.com/supermedia-handy-4in1--usb-20-flash-memory-card-reader-yellow.html
I think they're a great idea, because I can move with the SD card market as flash memory becomes denser and denser. Speed hasn't been a problem, either. The thumbdrives support USB 2.0 and my SD card seems to be capable of a very decent data transfer rate.
I have a collection of Windows tools on the drive. Not Linux tools, because I can usually accomplish whatever it is I'm doing in the Linux environments I encounter day to day.
Network Tools:
* Raw TCP/IP transfer -> netcat ( http://www.vulnwatch.org/netcat/ )
* SSH/Telnet -> putty ( http://www.chiark.greenend.org.uk/~sgtatham/putty/ )
* Port Scanner -> SuperScan4 ( http://www.foundstone.com/resources/proddesc/superscan.htm )
* Classic Port Scanner -> nmap ( http://insecure.org/nmap/download.html )
* Packet Capture and Analysis -> WireShark setup ( http://www.wireshark.org/download.html )
Editors:
* General -> vim 7.0 ( http://www.vim.org/download.php )
* Hex Editor -> xvi32 ( http://www.chmaas.handshake.de/delphi/freeware/xvi32/xvi32.htm#download )
Development:
* Tiny C Compiler ( http://fabrice.bellard.free.fr/tcc/ )
* nasm ( http://sourceforge.net/project/showfiles.php?group_id=6208 )
Misc:
* Lightweight Windows md5sum -> md5summer ( http://www.md5summer.org/download.html )
* Process Explorer ( http://www.sysinternals.com/Utilities/ProcessExplorer.html )
* MP3 Encoding -> RazorLame with lame ( http://www.dors.de/razorlame/download.php )
* Terminal Emulator -> TeraTerm Pro ( http://hp.vector.co.jp/authors/VA002416/teraterm.html )
The folder is 26.7MB. -
Re:and?
(response from Safari user) *cough* Obtain an interactive shell through lynx *cough* Lynx NNTP vulnerability *cough* Lynx CRLF injection *cough*
-
Re:Goats
Unfortunately, not everyone is as kind (or patched/anti-virus'ed/etc.) as your neighbors are.
I spent three years as an abuse admin at an ISP, and spoke with a number of customers where the only likely culprit for an abuse complaint was someone "borrowing" their Wi-Fi connection (nmap is a wonderful tool for finding likely infections/file sharing clients). In almost all of these cases, securing the Wi-Fi access point made the problem go away.
It's possible that my customers were lying and that they just latched on to the Wi-Fi excuse to get me off their backs, but after three years, it (usually) wasn't too hard to tell when someone honestly had no clue and when they were covering up :)
So *that's* why I object to people using my Wi-Fi without permission. -
I guess it could be warrantless surveillance
This story sounds a little overreacted.
From the article: The NSA initiative, code-named ``Pioneer Groundbreaker,'' asked AT&T unit AT&T Solutions to build exclusively for NSA use a network operations center which duplicated AT&T's Bedminster, New Jersey facility, the court papers claimed.
That plan was abandoned in favor of the NSA acquiring the monitoring technology itself, plaintiffs' lawyers Bruce Afran said.
The NSA says on its Web site that in June 2000, the agency was seeking bids for a project to ``modernize and improve its information technology infrastructure.'' The plan, which included the privatization of its ``non-mission related'' systems support, was said to be part of Project Groundbreaker.
Mayer said the Pioneer project is ``a different component'' of that initiative.
The Groundbreaker program is well known; in fact it's infamous... for being a really really expensive network upgrade. The kind of thing with rewiring offices and buying lots of bandwidth from the likes of AT&T.
And I mean a lot of bandwidth. A lot of the DoD bandwidth contracts currently up for grabs are of course available online for anyone to see. (But shame on the nytimes, shame shame shame!) How did you think intercepted traffic came from all over the world back (but especially big telco sites) to Maryland? Still wonder why companies like AT&T want to do everything to help the NSA?
And of course Groundbreaker is over budget and insecure.
So what is this secret new thing that is being claimed? The hints are:
- It's mentioned on the NSA website
- It's "non mission related"
- It's a component of a network upgrade
- And it's called a "network operation center"
It makes sense that the NSA would want a new but ordinary "network operation center" with its new network. You really really need one of those to show politicians around (scroll to "nsa loads nmap" for a good laugh). Especially the ones who know nothing about intelligence except what they have seen on 24. (It would be funny if there weren't so many schools, planes, trains and subways blown up around the world after 9/11.)
Guiding them past the movie theater and showing the huge list of languages in which movies are shown isn't glamorous, though it should get the point across of sigint being of no use without humans to read and hear it... It might also show why having computers that can display bidirectional text isn't some fancy feature nobody uses. (It's useful for such obscure languages as, say, Arabic, just to name something random off the top of my head.) I guess the lack of lighting the 24 set designers came up with for dramatic effect makes these NOC places a little cheaper to run than hiring qualified analysts though.
Sure, it could also be a top secret surveillance program advanced beyond anything ever seen before, possibly including extraterrestrial technology and tinfoil hat countermeasures... I mean in theory you could call that a NOC, I guess.
This possible hype reminds me of the Echelon story. After unspecific press accounts surrounding a big and sloppy EU investigation about "Echelon", people assumed the worst and the hype started to build and build.
Now that some time has passed, historians have been able to figure out exactly what component is codenamed Echelon, and it looks a little like this. (That's a '70s VAX 11/780, for those who couldn't tell; shame on you.) -
eEye close to MS?
I don't know why you think eEye has such close ties to MS. They have been embarrassing and exploiting the hell out of MS for years. They drive MS crazy by releasing powerful exploit code and giving conference presentations such as "Remote Windows Kernel Exploitation" (BlackHat 2005). I like these guys a lot :).
-Fyodor (Insecure.Org) -
Bans Nmap Too
TFA also states that "People who distribute networking vulnerability scanning tools such as Nmap or Nessus could also be caught up in part (b), Clayton warned." A quick reading of section 41 seems to bear that out. As author and maintainer of the Nmap Security Scanner, I am more than a little concerned.
I'm certainly not going to let anything as silly as some U.K. law stop me from distributing Nmap, but I also don't want to become like Dmitry Sklyarov the next time I give a presentation in England. And even if (as I would expect) the rest of the world ignores this, it could have a chilling effect on important security tools and research from U.K. citizens. Think of all the good research and tools that David Litchfield from London (NGS Software) has brought us. And my London friend Hoobie brought us the free Brutus password cracker, which appears to be prohibited by this bill.
The good news is that this is just a proposal. So I would join the chorus in urging our British friends to make their voice heard against this silly bill.
-Fyodor
Insecure.Org -
Oh really?
'while id Software is especially careful to lock down its game engines'
http://www.insecure.org/sploits/quake.backdoor.html -
MOD Parent UP!
nmap is very, very cool
... and a great opportunity to hack on the best network scanner around ... plus you could be famous! ;-) -
Nmap too!
If I may be excused for pimping my project too, we are seeking summer developers for the Nmap Security Scanner. Last year's program was a lot of fun, and we accomplished some really cool projects. This year we have made a new list of project ideas, including:
- Create a new graphical frontend and powerful results viewer
- Generate graphical maps from the Nmap XML output (you can take inspiration from projects like fe3d and Cheops/Cheops-NG).
- Create a web interface for scanning your networks and reporting the results.
- Become a performance Czar, whipping out your profilers and introducing your own algorithms to make Nmap run even faster while using fewer resources.
- Create a brand new interpretation of the venerable Netcat and Hping utilities.
- Add scripting/module support to Nmap so it can be used for vulnerability assessment or more intrusive application discovery.
I think those are some of the coolest projects, though the page lists others (and is always growing as I get new ideas). And don't forget, you can always propose any new idea you come up with -- don't feel limited to that list.
And while we hope you consider Nmap, remember that you can increase your odds by applying to multiple projects. I've seen some pretty cool ideas from the other organizations.