[RC5] RC5 keys aren't the only things being cracked by the million.

sklein at mint.net
Wed Nov 3 15:41:54 EST 1999


Charles Franks <Charlz at lvcablemodem.com> wrote:

> This definitely would be a project where one would have to do a serious
> risk/benefit study. If the information gathered by this kind of effort
> fell into the wrong hands it would be a major disaster.

Yes. However, if systems with common security flaws aren't identified,
serious problems could result. Consider the following situation and two
possible scenarios:

A bank rolls out its new web banking program. This places machines with
access to account information on the internet. One of these machines is
vulnerable. It shouldn't happen; if this was a perfect world it wouldn't
happen; but...

Scenario 1: A (rather capable) script kiddie comes along and hax0rs the
machine. A couple changes later he has an extra million or so and a trail
of half altered logs pointing at him. The changes are discovered and
quite some effort is expended reversing them. But, the story ends with
accounts straight and our lame hax0r behind bars for theft.

Scenario 2: The hole goes unnoticed until an organization whose name
shall remain shrouded in dark mystery finds reason to target the bank.
An untraceable call, a decisive attack, an intelligent agent, loose
on the bank's internal network, insidious damage... By the time it's
discovered, it's too late.

But the "good guys" pose an increasing threat to the clueless script
kiddie, and his various activities certainly don't have a positive effect
on the network. How much more beneficial to be scanned by an identifiable
and responsible group who will contact me with their findings than a
footloose anonymous individual with no ethic that i've heard about.

> D.net gets enough negative connotations from being involved with the
> cracking of encrypted messages that are part of a legitimate contest. I
> can only imagine the firestorm generated by an effort of massively
> testing the security of thousands of systems...

Yes, i suspect this project would be more appropriate for a different
group. In which case discussion should be moved off D.net's list.
There are some very interesting comments at
http://www.securityfocus.com/templates/forum_message.html?forum=2&head=32&id=32
but that's hardly a useful forum. Does anyone know if The Internet
Auditing Project people have put any effort into IDDN? (the International
Digital Defense Network) If no one does, i think i'll put some effort into
finding out.

> without being asked by the
> owners or sanctioned by some group such as the National Infrastructure
> Protection Center (NIPC) or some other government entity. And of course
> that would only apply to testing systems located in the USA.

I would be very hesitant to involve government. From the comments at the
link above, it seems that governments often already have such scans in
place. And, in a sense, those decisions are the responsibility of the
"ruling" network admins who are affected by them. Not unaffected third
parties.

<snip insightful comment about press sensationalism>

Cheers,
Seth W. Klein
--
sklein at mint.net
http://members.mint.net/sklein/
