| version 1.468, 2005/07/07 16:18:45 |
version 1.469, 2005/07/07 21:23:32 |
|
|
| Jeremy Andrews writes about the recent Blind ICMP attacks discovered |
Jeremy Andrews writes about the recent Blind ICMP attacks discovered |
| by Fernando Gont, and the fixes done by him and OpenBSD during the |
by Fernando Gont, and the fixes done by him and OpenBSD during the |
| 2005 Hackathon. |
2005 Hackathon. |
| The article talks extensively about the technical background of the |
The article goes into the technical background of the |
| attacks, mentioning blind ICMP attacks, "hard" ICMP errors, source |
attacks, mentioning blind ICMP attacks, "hard" ICMP errors, source |
| quenching, and path MTU discovery. |
quenching, and path MTU discovery; |
| Many helpful RFCs and technical papers are linked from the explanations. |
many helpful RFCs and technical papers are linked from the explanations. |
| They are followed by a recall of the whole ICMP story, involving Gont's |
This is followed by a recap of the whole ICMP story, involving Gont's |
| struggle with other free projects, Cisco lawyers, Microsoft people, |
struggle with other free projects, Cisco lawyers, Microsoft people, |
| and others.<br> |
and others.<br> |
| The article comes to the conclusion that OpenBSD was the first project |
The article concludes that OpenBSD was the first project |
| to take Fernando Gont's findings seriously, and also the first group to |
to take Fernando Gont's findings seriously, and also the first group to |
| be really painless to work with. |
be really painless to work with. |
| <p> |
<p> |
|
|
| issue June 25, 2005</strong></font><br> |
issue June 25, 2005</strong></font><br> |
| This article looks at computer crime, especially the way upcoming |
This article looks at computer crime, especially the way upcoming |
| vulnerability reports are dealt with. It also gives a short overview of the |
vulnerability reports are dealt with. It also gives a short overview of the |
| different institutions involved in the process (vendors, free projects, CERTs). |
institutions involved in the process (vendors, free projects, CERTs). |
| <br> |
<br> |
| The author mentions the work of Andy Ozment, who researches vulnerability |
The author mentions the work of Andy Ozment, who researches vulnerability |
| disclosure at the University of Cambridge. Using OpenBSD as a good example |
disclosure at the University of Cambridge. Using OpenBSD as a good example |
| of how disclosure and consequent fixing of bugs helps to strengthen security, |
of how disclosure and consequent fixing of bugs helps to strengthen security, |
| he refutes the widely spread FUD that disclosing vulnerabilities leads to |
he refutes the widely spread FUD that disclosing vulnerabilities leads to |
| more harm than good. Ozment's methodology was to examine OpenBSD's CVS logs |
more harm than good. Ozment's methodology was to examine OpenBSD's CVS logs |
| and noting when fixes were published; his research shows that |
and note when fixes were published; his research shows that |
| <i>"the number of vulnerabilities decreases as a result of disclosure"</i>. |
<i>"the number of vulnerabilities decreases as a result of disclosure"</i>. |
| <p> |
<p> |
| |
|
![[BACK]](/icons/back.gif){kind=icon}
Return to press.html CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / www