Slashdot Mirror


Son of SATAN? Weighing Security Software's Risks

ryanr writes "Rob Lemos put out an article on the new metasploit release. The article reminds me of the furor over the original SATAN being released. H.D. Moore, who wrote it, rightly points out that there are commercial tools that do it better, and it's known that the kiddies have copies of those. Why pick on the open-source tool? I think Rob is being a bit provocative." Despite the headline ("Security tool more harmful than helpful?"), the article is actually pretty balanced.


  1. Y'know by FrYGuY101 · · Score: 5, Insightful

    I've always thought the comparison of security tools to invasion tools like the idea of security through obscurity.

    Simply because there's not an automated tool which allows you to properly determine the security of your own systems, doesn't mean somebody else couldn't do it manually, or create their own tools.

    --
    "If we let things terrify us, life will not be worth living."

    - Seneca
    1. Re:Y'know by David+Hume · · Score: 5, Insightful

      I've always thought the comparison of security tools to invasion tools like the idea of security through obscurity.

      Simply because there's not an automated tool which allows you to properly determine the security of your own systems, doesn't mean somebody else couldn't do it manually, or create their own tools.


      I think the concern may be that the widespread, no-cost dissemination of tools like this decreases the costs and barriers to entry to malicious hacking. Many (if not most) of the script kiddies who may wind up using this and similar tools couldn't possibly "create their own." Similarly, many (if not most) would not purchase, or even pirate, commercial tools.

      Your analogy of software security to (presumably) physical world "invasion" tools (e.g., lock picks, etc.) causes me to make a prediction. The prediction is that, like lock picks, the use and possession of software security tools may in the future be licensed and regulated. Just as the unlicensed possession and use of "burglar tools" is in some jurisdictions criminal, we may get to the point that the unlicensed use or possession of "software entry" tools is regulated and licensed.

      Please don't misunderstand; I am not suggesting that this ought to occur, or that I want it to occur. I am simply suggesting that as a pure matter of fact it may occur.

    2. Re:Y'know by Kaa · · Score: 2, Insightful

      Your analogy of software security to (presumably) physical world "invasion" tools (e.g., lock picks, etc.) causes me to make a prediction. The prediction is that, like lock picks, the use and possession of software security tools may in the future be licensed and regulated. Just as the unlicensed possession and use of "burglar tools" is in some jurisdictions criminal, we may get to the point that the unlicensed use or possession of "software entry" tools is regulated and licensed.

      Like, for example, a compiler?

      Not that I am a big fan of RMS, but his rants keep on looking less and less like paranoia and more and more like a no-rose-glasses view of the future...

      --

      Kaa
      Kaa's Law: In any sufficiently large group of people most are idiots.
  2. Re:Metadupe - Previous Comments by millahtime · · Score: 2, Insightful

    Let's look back a couple days at the same story

  3. Sure, but ... by s20451 · · Score: 5, Insightful

    There's no substitute for a secure box. But what's lost on a lot of people is that security through obscurity is only bad if it's your only security method. True security doesn't mean that you paint a bull's eye on your forehead and taunt the crackers to come after you.

    If cracking tools are widely available, they will be used to more quickly exploit whatever vulnerabilities exist, giving the author less time to patch. It's better for everyone if these tools are hard to come by.

    --
    Toronto-area transit rider? Rate your ride.
    1. Re:Sure, but ... by FrYGuY101 · · Score: 5, Insightful

      Conversely, if cracking tools like this are widely available, authors will be somewhat forced to at least use them to test before they release insecure software.

      Saying that these tools in and of themselves being widely available is a bad thing I'm still not sold on. Yes, Script Kiddies can now possibly attack a system in a manner which they would not have been able previously, but sysadmins can also do the same, and then secure whatever holes appear as a result, meaning that not only can the script kiddie not get in, but a Black-hat can't use that avenue either. That is why these tools exist, after all.

      --
      "If we let things terrify us, life will not be worth living."

      - Seneca
    2. Re:Sure, but ... by David+Hume · · Score: 3, Insightful

      Yes, Script Kiddies can now possibly attack a system in a manner which they would not have been able previously, but sysadmins can also do the same, and then secure whatever holes appear as a result, meaning that not only can the script kiddie not get in, but a Black-hat can't use that avenue either.


      I suspect the concerns (which I personally don't agree with) are that: (a) for every sysadmin who is trying to protect "his" system (while performing other tasks) there are numerous script kiddies who are trying to break into his system; and (b) particularly given the economy, and shrinking corporate IT budgets, the script kiddies have far more time on their hands. The question one might ask is, Who does the no-cost and low-barrier dissemination of the tool most empower?

      The alternatives are not necessarily limited to no dissemination. Some might argue for taking steps to try to limit dissemination of the tools to the "good guys" -- even if such steps would be imperfect.

      Further, if we are concerned about the externalities caused by 24/7 connected broadband home users who are unknowingly spewing spam, well, 24/7, we might have to recognize that few if any of them will ever use such tools to protect their systems, while the script kiddies will surely use such tools to hack them.

      Of course, the counter-argument re: home users is that "surely" somebody (Microsoft????) will use the tool to test the underlying software... and "surely" the home users will download the resulting patch. :)

  4. What's the controversy? by awkScooby · · Score: 5, Insightful
    Is the question, "should tools exist which allow system administrators to scan their boxes for known holes?" That's an easy one to answer: YES.

    A quick glance through my log files shows that someone is scanning my boxes. Not distributing scanning tools just makes it a one-sided battle (with us admins on the losing side). Not knowing about a hole does not mean that the hole doesn't exist. So, I think that it's far better to make a level playing field, and let hackers and admins have equal opportunity for knowing the status of a box. Sure, some people won't check their systems, but that's a lost cause no matter what.

    1. Re:What's the controversy? by LostCluster · · Score: 2, Insightful

      If a scanning tool is out for a certain hole... then it's safe to say that the whole world knows that hole exists. If you're at risk for it, you better have closed it up somehow. Patch or replace the application!

      Just pretending the hole doesn't exist and wishing the scanning tool would go away isn't security... making holes go away is security.

  5. Re:This could be a good tool if.... by justMichael · · Score: 5, Insightful
    Although, I don't have a thing someone would want to hack.

    If you have a box that is online 24/7, you have something that, to someone, is worth hacking.

    Whether they use it to DDoS or as a spam relay or whatever else they may want it for, owned zombies are owned zombies.
  6. To use the gun analogy: by normal_guy · · Score: 5, Insightful

    Companies that create software to exploit security vulnerabilities in common software in order to get commandline access to any system don't kill systems. Script kiddies do.

    --

    Linux: Free if your time is worthless.
  7. It's a dual edge sword by Anonymous Coward · · Score: 5, Insightful

    Having tools to help in identification of weaknesses is not a bad idea (one side) - OTOH - the same tools can also help a hacker use that information to exploit your system (other side). Not that they couldn't do it anyway -- but hey -- this is faster. It was stated in the article that "The problem today is that many organizations do not patch systems until a working exploit is released". How true this is, as well as the comment that "The bottom line is that exploits are not only useful but are (also) required for many types of legitimate work." Brings to mind some of the restrictions that are placed on useful processes such as the remote commands, snmp, and other features built into the OS. Nice to know where problems are so that they can be locked down ... but what if you really need them ...

  8. It's Simple... by trp642 · · Score: 5, Insightful

    If guns are outlawed, only outlaws will have guns...

    If security scanning tools are outlawed, only outlaws will have security scanning tools...

  9. Re:This could be a good tool if.... by morcheeba · · Score: 4, Insightful

    Although, I don't have a thing someone would want to hack.

    Hackers wouldn't know that fact until after they've hacked into your system.

  10. What's the difference? by LostCluster · · Score: 3, Insightful

    A hole scanner just finds holes. It's a hacking tool if used by a hacker, a security tool if used by an admin... the only difference is what the user intends on doing after the hole is discovered.

  11. Re:Don't kid yourselves... by Adriax · · Score: 5, Insightful

    Funny, when this exact argument is being used against kazaa and the like, everyone throws up their arms in protest, claiming it still has legit uses.

    I don't use this or kazaa, no reason, but I sure as hell wouldn't want to see either shot down just because they have illegal uses along with legal ones (once that happens, how long till computers themselves are heavily restricted, if not banned because someone claims it's "painfully obvious computers are the tools of criminals and terrorists").

    --
    I don't suffer from insanity, I enjoy every minute of it!
  12. Re:This could be a good tool if.... by LostCluster · · Score: 4, Insightful

    I don't have a thing someone would want to hack

    If you have outbound bandwidth, you have something a hacker wants. Once they 0wn your box, they'll install whatever application they want to run. Be it spamming, virus spreading, distributed computing, whatever... if your data is worthless, they can just delete it to get it out of their way.

  13. Bad logic by Anonymous Coward · · Score: 1, Insightful

    This is some sort of convoluted question - 'do security tools make things worse'. Rather than explaining word for word why I feel it's worse, I'll offer an analogy.

    Should brightly lit streets at night be banned because they allow muggers to see us more clearly? Surely not.
    Knowledge is power, and I'd much rather have as much knowledge available to me as possible, rather than have none and some an attacker has none either. The fact is, exploiters will always try to develop their own ways to get in, their own tools, so it would be incredibly stupid for us to decide the less we know about network security, the better.

    Security testing is a GOOD thing, before anyone puts a server online, they should try to hack it on a closed network first - and then they should have their smartest friends try to hack it, with any tools available. This sort of introspection would mean a whole lot more security on the net in general.

  14. Security tools = Trouble? Perhaps... by Anonymous Coward · · Score: 1, Insightful

    Of course, any time you release a tool that can be used for good or evil, there will be people that use it for good and those who use it for evil. I would much rather at least have the tools exist than be stuck when some evil person creates a supervirus using a tool they stole because we can't get that tool publicly.

  15. Oh know, will this create a new breed? by DR+SoB · · Score: 3, Insightful

    Is it possible this will create a new breed of mega elite hackers that don't need to know much about the inner workings of computers to hack, they can just run automated tools to do it for them? Maybe we can call them script-kiddies or something? What's that you say, they already have these? OH!

    Of course these tools are good, the script kiddies already have k-rad tools from CodC and what-nots. News flash: many admins already use actually HACKER tools to try and find 'sploits on their pwn machines!

    I remember when I was a youngin and to be classified at all as a hacker you had to have at least _some_ knowledge of machine code. Ahh, those were the days..

    --
    Mod +5 Drunk
  16. Full Disclosure vs. Security Through Obscurity by Glamdrlng · · Score: 5, Insightful
    If cracking tools are widely available, they will be used to more quickly exploit whatever vulnerabilities exist, giving the author less time to patch. It's better for everyone if these tools are hard to come by.


    I disagree. If those tools are available to whitehats then security professionals can run them in lab environments and develop countermeasures like Layer 7 firewall filters and IDS rules. Furthermore, if I'm aware of an exploit that's serious enough of a risk, I have the option of killing a port on the firewalls until the risk has been mitigated. But I can't do any of those things if I'm not aware of the vulnerability and if I don't know how the tool works. Not only that, but if these cats have made good on their promise to communicate with IDS vendors about ways to detect metasploit in action, then I honestly don't see how someone could make a more benign tool. I haven't seen anything on snort.org yet, but then again I'd imagine many of the exploits run by metasploit already have signatures available.

    Security professionals are inherently disadvantaged compared to blackhats. They have more time on their hands, and they have more numbers. At the end of the day, if security professionals don't have access to tools like this, then we're at even more of a disadvantage.
    --

    Yes, my only tool is a hammer. And you're starting to look like a nail.
  17. Re:Don't blame the tool... by duffbeer703 · · Score: 2, Insightful
    Blaming the author of this tool because it might be used by hackers is like blaming a gun manufacturer because the gun they make might kill someone.


    The anti-gun lobby is doing just that right now.
    --
    Conformity is the jailer of freedom and enemy of growth. -JFK
  18. These tools just help hackers by skintigh2 · · Score: 3, Insightful

    Also, binoculars should be banned because they just help terrorists look for physical security vulnerabilities.

    We need strong laws to protect people who are too lazy and incompetent to protect themselves. Security through court-ordered obscurity is the only way to freedom.

  19. Re:Blah by duffbeer703 · · Score: 2, Insightful

    There is no magic about exploiting security vulnerabilities. I have actually discovered or re-discovered exploits in the course of day-to-day Unix sysadmin duties.

    One of the biggest problems that we face is that the boundary between expert and uninformed observer is very blurry when it comes to technical issues.

    Ignorant "experts" litter the television and radio airwaves, and have a nasty habit of publishing themselves on the internet and in print.

    To a gun owner, the "guns don't kill people, people kill people" argument makes a lot of sense. They shoot guns for sport and enjoy shooting targets, clays or animals.

    Likewise, when programmers or computer enthusiasts hear people suggest "banning" some tool, they think something along the lines of "hey, why does this clueless dolt want to ban something that he knows little or nothing about".

    Try understanding other people's points of view.

    --
    Conformity is the jailer of freedom and enemy of growth. -JFK
  20. Security through wishful thinking. by Chris+Burke · · Score: 4, Insightful

    If cracking tools are widely available, they will be used to more quickly exploit whatever vulnerabilities exist, giving the author less time to patch. It's better for everyone if these tools are hard to come by.

    Cracking tools are and will be widely available. How effective were the courts at stopping the spread of DeCSS? Tools already exist. They will either be written or pirated, and passed around on IRC. You can't stop them from existing. You can use them yourself, for your own benefit.

    Attempting to get rid of widely available free tools that white hats could use to their benefit so that black hats won't have them isn't Security through Obscurity. It's Security through Wishful Thinking.

    The only reasonable way to go forward with security is that your machine must be secure in spite of the existence of cracking tools. The best way to do this is to use the tools yourself, not to try to prevent them from existing. "Outlaw cracking tools, and only outlaws will have cracking tools" may be cliche, but poor prose can still be true.

    --

    The enemies of Democracy are
  21. as much as i love reading /. by neoThoth · · Score: 3, Insightful

    The story really was toned to stir the pot. The tool is a great help to those of us in the infosec community whose jobs it is to SECURE networks. Other tools like CANVAS (and a host of others I can't think of right now) do the same thing and most aren't even open source. Anyone can run Nessus but the biggest issue with any vuln scanner is *false positives*. This tool allows verification of vulnerability.
    Rob I want you to apologize to HD Moore and go sit in the corner and think about what you've done.

    (crap there goes my karma)