On publishing data..
>> and will be making my data public. If I don't someone else will (shrug). <<
I agree, but at the same time I disagree. This is why I'm torn on the issue as to whether or not to post data. On the one hand, it's the easiest way to raise general awareness about how widespread this problem is (and will continue to be) unless people start fixing their APs. And that's something we definitely need - there are way too many open APs here in DC.
But the "publish the info to raise the awareness" argument doesn't always wash. Take last week's Code Red worm for example -- eEye found the vulnerability and felt that it was their obligation to publish way too much source code about how it actually worked. Both Russ (moderator of NTBugTraq) and Microsoft felt that eEye went too far in their disclosure.
And what did we get from it? A worm that spread to over 350,000 servers on the Internet, and had the potential to do much more damage (if it had been programmed a bit better). As someone who works specifically in the Internet industry, I'm particularly sensitive to these issues. eEye - in my opinion - went too far in publishing as much code as they did. We've not seen the last of the Code Red exploits, and I have a feeling the next few will be much more effective.
In any case, this message isn't intended to target anyone's particular opinion - just to spur debate and further thoughts on this subject.
Here's a thought - perhaps a more noble approach would be to have NetStumbler attempt to make an HTTP request out whenever it's thrown an IP. It could even include the AP name, type, channel, lat/long, etc. A server on the back-end could catch the incoming IP address (since many companies use NAT on the back-end) and an application engine could look up that IP address with ARIN to find out who owns the netblock. An email could be sent to the owner of the netblock letting them know that their network is open. This is similar to what some people did with Code Red - since any server that was "attacking" was known to be infected, a few people got smart and filtered through their log files to find all the infected hosts and then sent automated emails out letting the netblock owners know they'd been hit.
Can't wait for my external antenna to arrive.
-Toomer
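
The log-filtering step mentioned in the post, as an added example that is not part of the original message: it scans a web server access log for Code Red style probes and drafts a notice per source host. It assumes Common Log Format and treats a request for `/default.ida` followed by a long run of one padding letter as the probe; the function names and sample lines are constructed here, and the netblock contact lookup is left out so it runs offline.

```python
import re
from datetime import datetime

# Constructed sample lines in Common Log Format; addresses come from the
# RFC 5737 documentation ranges and the padding run is shortened.
SAMPLE_LOG = """\
192.0.2.10 - - [19/Jul/2001:14:02:11 +0000] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 205
198.51.100.7 - - [19/Jul/2001:14:02:15 +0000] "GET /index.html HTTP/1.0" 200 1043
192.0.2.10 - - [19/Jul/2001:15:40:02 +0000] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 205
203.0.113.44 - - [20/Jul/2001:01:13:57 +0000] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 205
198.51.100.7 - - [20/Jul/2001:02:00:00 +0000] "GET /default.ida HTTP/1.0" 404 205
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')
# Assumed probe shape: /default.ida? followed by 16+ copies of one letter.
PROBE_RE = re.compile(r'^/default\.ida\?([A-Za-z])\1{15,}')

def find_probing_hosts(log_text):
    """Return {source_ip: {"hits", "first", "last"}} for matching requests."""
    hosts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing at fields
        ip, ts, _method, path, _status = m.groups()
        if not PROBE_RE.match(path):
            continue  # ordinary traffic, including plain /default.ida requests
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        rec = hosts.setdefault(ip, {"hits": 0, "first": when, "last": when})
        rec["hits"] += 1
        rec["first"] = min(rec["first"], when)
        rec["last"] = max(rec["last"], when)
    return hosts

def draft_notice(ip, rec):
    """Plain-text notice for the netblock contact. Finding that contact
    (for example through ARIN whois) is outside this offline example."""
    return (f"Host {ip} sent {rec['hits']} request(s) matching the worm probe "
            f"pattern to our web server between {rec['first'].isoformat()} "
            f"and {rec['last'].isoformat()}. It is likely infected.")

if __name__ == "__main__":
    for ip, rec in sorted(find_probing_hosts(SAMPLE_LOG).items()):
        print(draft_notice(ip, rec))
```

Keeping the hit count and first/last timestamps in the notice gives the recipient something to correlate against their own logs, which matters when the source address is a NAT gateway fronting many machines.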