

This was sent to me by an associate.  Many points are made in a simple, concise
manner.  Spread it like wildfire!  -aj.



-----Original Message-----
From: Kamal Southall [mailto:kamals@mpowernet.com] 
Sent: Thursday, July 29, 1999 12:12 PM
To: ntsecurity@iss.net
Subject: RE: [NTSEC] Back Orifice 2000



> >    Can you trust a tool developed by people who specifically claim to
> >    break secure systems for a hobby?  Would you take homemade candy from
> >    someone who was an admitted serial poisoner?

	Yes, I would.  In fact the whole question, in this case, strikes me
as being just daft.

Firstly, the tool is open source now, so it can be examined for faults,
malicious side functions, etc.  I trust ANY tool that is open source and
that I have the source code for enough to use it.  There is NOTHING
hidden in the source code; I can modify the source code whichever way
I like.  There are legitimate remote admin functions for this tool,
though NetBus seems to be more useful.  It is also plain to see that
this tool was designed in such a way as to be useful to an attacker.  If
Microsoft's Windows 95/98 security model (what security model?) were not
so broken by design, so DOA, this would not be a problem.  There are
trojan horse tools available for Unix; the impact of them is minor
compared to the potential impact of NetBus and BO2K.  If a luser has a
trojan in his directory it runs under his UID; it does not, by default,
have unlimited access to the system unless the trojan was designed to
exploit some security bug unique to that OS.  BO2K by default has access
to the whole system.  The fact that Microsoft claims that Windows 9* is
not designed as, and should not be used as, a network OS is immaterial,
because *they* market it as a network operating system; there are
thousands of corporations with LANs of Windows 95 boxes set up, many of
which are gatewayed to the Internet.  The Internet is ubiquitous to home
computer users.  This, in effect, means that millions of people are
nodes on the Internet using an OS which the vendor claims
(correctly) is not designed as a network OS, but still markets as an
Internet-ready network OS.  The fact that these systems have NO real
security seems to be beside the point, eh?

The fact that CDC has done this to increase awareness of these GROSS
design flaws is a favor, I say.  Sort of like a terrorist hiding and
shooting you with a paintball gun just so that you know that you are
not safe and that your operational security is flawed.  Or like a kid
stealing your car just to show you that it can be done and then
returning it under your nose.  Unethical?  Yes, in a way.  Immoral?
Perhaps, perhaps not.  Effective?  Yes, to anyone with half a brain.
Sometimes the ends do justify the means, even if these means make MY job
of supporting MY customers a *lot* harder.  It is a trade-off that I am
willing to make: you release dangerous tools to wake my vendor up, I
yell at my vendor and say "I told you so".  Stuff then, on occasion,
gets fixed.

BO2K seems, to me, to be a proof-of-concept tool: "yes we can do this,
yes it is easy, yes we have been saying this for 5 YEARS, yes *no one*
is listening to us, so yes we will take matters into our own hands".

Secondly, as to the intent behind its release, I hold no illusions over
what I suspect to have been some of the motives behind this tool, nor do
I *care*.  I suspect that their motives were not to "empower" hordes of
ankle biters worldwide, kids whom these folks are quite contemptuous
of; I suspect that some of their motives lay simply in one-upping
vendors, a media stunt, sort of the digital equivalent of picking one's
nose with one's middle finger and then waving it around in public.  Why?
I don't know; why do many people have a grudge against Microsoft?
They write bad software, and have historically (though recently they
have gotten much better at this, well, not *much*...) been UNRESPONSIVE
to the complaints of their customers.  UNIX vendors were once like this
(and a number *still* are, btw) but Microsoft takes it to new heights of
absurdity.

As to 'claiming to break secure systems as a hobby', what, may I ask, is
wrong with this?

This is not a NERF childproof world.  There are malicious people out
there.  There are people who want my company's proprietary information,
who want to break my network security.  Those who "break secure systems
as a hobby" invariably find out that what is considered to be secure is
anything but.  This is *life* and one kind of has to deal with it.  If
no one bothered to break these systems then we, and our customers, would
be ripe and ready to be raped by intruders.  Why?  Because we would be
complacent, our vendors would be complacent, no one would bother
redesigning software to be more secure.  The only people with a
knowledge of the security holes in our software would be the very people
whom we are trying to keep out of our networks.  I truly hope that no one
is suggesting that we go back to the network security of 15 years ago,
when kids cruised through WANs getting into all sorts of sensitive
systems using guest accounts, default accounts, and criminally stupid
security holes.  Despite all of the media hype of today, most network
installations are more secure, or at least *designed* more securely
(implementation is another matter) than ever before, by an order of
magnitude.

The people in CDC and other "high profile" "hacker groups" "claim to
break secure systems" THAT THEY OWN as a hobby.  Most of these people
are quite explicit about that.  As far as believing this claim, I have
no problems here either.  Do I truly believe that people who go to
conventions, chat with Feds, hold corporate jobs during the daytime, and
are pushing 30, still break into .edu machines and lower-tier
corporate Internet systems for the thrills?  Many of the people in
these groups were known in hacker circles, in their youth, as being
hackers.  Many of these people are now in their late 20s and early 30s
with corporate jobs, and, as high profile as they come across, do I
think that they would be stupid enough to illegally hack into servers?
No, I doubt it; it's possible of course, but I doubt it.

These people are also more skilled than they were in their youths, by an
order of magnitude, and the kinds of systems that *some* of them (not
all) once broke into like voyeurs, they can now afford to buy, and many
of these kinds of hackers do.  I know of guys with a number of surplus
VAXen, newer Alpha servers, and rows of SPARC-based minis.  They hack on
these all day, they code all day, it makes them happy, as happy as a
baby with new toys.  I know of people with their own surplus cell site
equipment who set up their own AMPS cellular networks for the kicks, and
give out phones to their friends.  The fact that some of these people
may indeed have hacked into systems illegally 5 or 6 years ago is
irrelevant to me; people make mistakes, then they grow up and mature.  I
am not going to hold my stock broker's high school days of breaking into
cars and joyriding in them over his head, am I?  Why do people
treat computer hackers differently?

These people hack code, then they try to break the security of software
that they purchase, and then they release the results to US, where it is
useful (see some of the work done by Dildog, for example, or the
released work done by the l0pht).  This gives network and sysadmins an
advantage.  Now, do I feel that releasing such software and tools to
hordes of irresponsible and stupid 15 year olds is a criminally
irresponsible act?  Actually, yes I do.  However, that is life, deal
with it.  As far as I am concerned the fact that they are helping admins
more than makes up for this.  Perhaps I am wrong, perhaps I am very,
very, wrong.  I do not know; this is my opinion.  To me this is common
sense, but (of course) your mileage may vary.

There are some acts that are, frankly, so irresponsible that even I
could not condone them.  The release of BO2K, however, is not one of
them.  There are some acts that are so unethical that even I could not
condone them; again, this is not one of them.  Will this tool make
certain aspects of my job harder?  Yes.  Can I live with this?  Yes, as
long as something productive comes out of it.  I really hope that
Windows 2000 is not as broken, by design, as Windows 9*.  If this ends
up being the case, I really hope that IBM gets off its duff and does
something useful with OS/2 Client/Server.  And hires some competent
marketing staff as well...  And yes, I really hope that someone from
Microsoft is reading this and takes my gripes seriously instead of going
into some knee-jerk defense mode.  As to virus scanner vendors, I have
additional gripes but, needless to say, this post is far too long as it
is.

As for me, I use Windows 95 because I have to, I support customers with
95 because I must, I use NT because I have to for certain applications.
The second that ODBC drivers for Linux become more stable, I know where
*I* am headed :-)  If IBM cleans up OS/2 Client and gives it decent
security (and the ability to execute Win 95 binaries) I'd also grab
hold of OS/2 as well.

Am I wrong?  Perhaps, but I guess that I will just have to live with
that...

-- 
"Knowledge is better than riches, for     -- http://www.mpowernet.com
knowledge guards you while you guard      -- kamals@mpowernet.com
riches... Riches diminish with spending   -- webspinner@mpowernet.com
but knowledge increases with it."	      --(5 1 3) 3 8 1 - S U R F
-'Ali Ibn Abi Talib




All material this page copyright the owner and author of all original works
All non-forwarded material is Copyright © 1999 Aj Effin ReznoR, ReznoR Allied Technologies. All rights reserved.