version 1.468, 2005/07/07 16:18:45 |
version 1.469, 2005/07/07 21:23:32 |
|
|
Jeremy Andrews writes about the recent Blind ICMP attacks discovered |
Jeremy Andrews writes about the recent Blind ICMP attacks discovered |
by Fernando Gont, and the fixes done by him and OpenBSD during the |
by Fernando Gont, and the fixes done by him and OpenBSD during the |
2005 Hackathon. |
2005 Hackathon. |
The article talks extensively about the technical background of the |
The article goes into the technical background of the |
attacks, mentioning blind ICMP attacks, "hard" ICMP errors, source |
attacks, mentioning blind ICMP attacks, "hard" ICMP errors, source |
quenching, and path MTU discovery. |
quenching, and path MTU discovery; |
Many helpful RFCs and technical papers are linked from the explanations. |
many helpful RFCs and technical papers are linked from the explanations. |
They are followed by a recall of the whole ICMP story, involving Gont's |
This is followed by a recap of the whole ICMP story, involving Gont's |
struggle with other free projects, Cisco lawyers, Microsoft people, |
struggle with other free projects, Cisco lawyers, Microsoft people, |
and others.<br> |
and others.<br> |
The article comes to the conclusion that OpenBSD was the first project |
The article concludes that OpenBSD was the first project |
to take Fernando Gont's findings seriously, and also the first group to |
to take Fernando Gont's findings seriously, and also the first group to |
be really painless to work with. |
be really painless to work with. |
<p> |
<p> |
|
|
issue June 25, 2005</strong></font><br> |
issue June 25, 2005</strong></font><br> |
This article looks at computer crime, especially the way upcoming |
This article looks at computer crime, especially the way upcoming |
vulnerability reports are dealt with. It also gives a short overview of the |
vulnerability reports are dealt with. It also gives a short overview of the |
different institutions involved in the process (vendors, free projects, CERTs). |
institutions involved in the process (vendors, free projects, CERTs). |
<br> |
<br> |
The author mentions the work of Andy Ozment, who researches vulnerability |
The author mentions the work of Andy Ozment, who researches vulnerability |
disclosure at the University of Cambridge. Using OpenBSD as a good example |
disclosure at the University of Cambridge. Using OpenBSD as a good example |
of how disclosure and consequent fixing of bugs helps to strengthen security, |
of how disclosure and consequent fixing of bugs helps to strengthen security, |
he refutes the widely spread FUD that disclosing vulnerabilities leads to |
he refutes the widely spread FUD that disclosing vulnerabilities leads to |
more harm than good. Ozment's methodology was to examine OpenBSD's CVS logs |
more harm than good. Ozment's methodology was to examine OpenBSD's CVS logs |
and noting when fixes were published; his research shows that |
and note when fixes were published; his research shows that |
<i>"the number of vulnerabilities decreases as a result of disclosure"</i>. |
<i>"the number of vulnerabilities decreases as a result of disclosure"</i>. |
<p> |
<p> |
|
|
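Review bot: two wording slips in the Ozment paragraph survive the 1.468 -> 1.469 revision even though the neighbouring "and noting" -> "and note" fix lands: "consequent fixing of bugs" reads as "subsequent fixing of bugs", and "widely spread FUD" should be "widespread FUD". Suggested lines: "of how disclosure and subsequent fixing of bugs helps to strengthen security," / "he refutes the widespread FUD that disclosing vulnerabilities leads to". The earlier entry also still ends "and others.<br>" before its "<p>", while the rest of the page closes each summary with "<p>" alone; dropping that stray "<br>" keeps the paragraph spacing consistent.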