From thievco@sprite.netnation.com Tue Sep  1 13:11:06 1998
Date: Tue, 1 Sep 1998 13:11:02 -0700 (PDT)
From: Thievco <thievco@sprite.netnation.com>
To: fw-1-mailinglist@lists.us.checkpoint.com
Subject: FW-1 configuration guide started
Message-ID: <Pine.LNX.3.96.980901130848.663A-100000@sprite.netnation.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Status: O
X-Status: 

I've started a FW-1 configuration guide, located at:
http://www.thievco.com

I'd appreciate feedback.  It's very short at the moment, I plan to
write it in stages before I publish the security holes that crop up if
you don't configure it as suggested.

					BB


From thievco@sprite.netnation.com Sat Sep 26 16:27:30 1998
Date: Sat, 26 Sep 1998 16:27:29 -0700 (PDT)
From: Thievco <thievco@sprite.netnation.com>
To: majordomo@lists.us.checkpoint.com
Message-ID: <Pine.LNX.3.96.980926162626.22405A-100000@sprite.netnation.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Status: O
X-Status: 

subscribe fw-1-mailinglist-digest


From thievco@sprite.netnation.com Sat Sep 26 16:29:55 1998
Date: Sat, 26 Sep 1998 16:29:55 -0700 (PDT)
From: Thievco <thievco@sprite.netnation.com>
To: Majordomo@lists.us.checkpoint.com
Subject: Re: Confirmation for subscribe fw-1-mailinglist-digest
In-Reply-To: <199809262328.QAA00924@loudecho.us.checkpoint.com>
Message-ID: <Pine.LNX.3.96.980926162925.22405B-100000@sprite.netnation.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Status: O
X-Status: 

 	auth 10116500 subscribe fw-1-mailinglist-digest thievco@sprite.netnation.com


From thievco@sprite.netnation.com Sat Sep 26 16:39:31 1998
Date: Sat, 26 Sep 1998 16:39:31 -0700 (PDT)
From: Thievco <thievco@sprite.netnation.com>
To: fw-1-mailinglist@lists.us.checkpoint.com
Subject: Firewall-1 config guide
Message-ID: <Pine.LNX.3.96.980926163323.22792A-100000@sprite.netnation.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Status: O
X-Status: 

I've started a FW-1 config guide, located at:

http://www.thievco.com/conf/fw1confguide.html

I'd appreciate some feedback. (Something besides the fact that I'm 
not very far along yet. :) )

				BB

If you wish to respond to me, please send e-mail to
BlueBoar@thievco.com .  This account is used mostly to post to
mailing lists.
http://www.thievco.com


From thievco@sprite.netnation.com Mon Sep 28 11:03:37 1998
Date: Mon, 28 Sep 1998 11:03:37 -0700 (PDT)
From: Thievco <thievco@sprite.netnation.com>
To: fw-1-mailinglist@lists.us.checkpoint.com
Subject: Re: [FW1] Firewall-1 config guide
Message-ID: <Pine.LNX.3.96.980928104445.13880A-100000@sprite.netnation.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Status: O
X-Status: 

Those are all excellent points.

I should have stated, and I will in the next version of the page, that I
won't be covering OS tightening, security policies, overall network
design, etc.  I may or may not give suggestions on DMZ design, how to
arrange rules, and useful conventions to follow.  So, perhaps it's not
fair to call it a configuration guide.

The reason I am working on this, and this is what drives what I do and
don't cover, is that I plan to publish information about how to exploit
these misconfigurations if they exist, so I thought it only fair to
publish how to close the holes before I point them out.  Since this is the
driving factor, I will obviously be publishing less complete information
than someone who is attempting to provide a comprehensive guide.  I also
assume a fair amount of FW-1 familiarity.

I also hope that no one thinks I was trying to get something out first
before someone else.  I have no vested interest in being earlier or later,
or even doing it for that matter.  I've released an incomplete guide
simply because I wanted to get a portion of the information out right
away, so I could post the attacks next if I wanted.  I was ignorant of any
other efforts along these lines until I got the replies, so there's one
useful thing about me making an announcement.

I look forward to reading both of your guides, and I will be including
appropriate links on my page.  I already had plans to link to the FAQs, I
just hadn't done so yet.

						BB
http://www.thievco.com


-----------------------------------
Dameon Welch wrote:
>
> I am working on something along these lines, though I have not made any
> of my "work in progress" available to the public yet.

Since we are getting into shameless plugs... ;)

I just finished a book on network security. One of the chapters is a
walk through on how to configure FW-1 including preparing the OS and
configuring rules, properties, security servers, NAT, etc, etc, etc.

The link to the book up on Amazon is in my tag. It should be on-line
within a few weeks.

> One of the things I think any configuration document should go over is
> the whole process. It's not just configuring the firewall, but figuring
> out what things need to be protected, how valuable those things are, who
> needs access and how. It's looking at your entire network and figuring
> out where the entry points are and making sure no one gets into or out
> of your network unless they're supposed to.

I could not agree with this statement more. It's all risk assessment and
valuing the assets you wish to protect. I've included chapters on this
as well.

> Obviously, you could write a book on this one topic alone.

Enough said. ;)

Cheers,
Chris
--
**************************************
cbrenton@sover.net

* Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ISBN=0782120822/0740-8883012-887529
* Mastering Network Security
http://www.amazon.com/exec/obidos/ISBN%3D0782123430/002-0346046-8151850



From thievco@sprite.netnation.com Mon Oct 26 14:01:35 1998
Date: Mon, 26 Oct 1998 14:01:35 -0800 (PST)
From: Thievco <thievco@sprite.netnation.com>
To: BUGTRAQ@netspace.org
Subject: Re: Firewall-1 Security Advisory
Message-ID: <Pine.LNX.3.96.981026135720.18751A-100000@sprite.netnation.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Status: RO
X-Status: A

If I may also address this with a small plug for myself:

I've outlined a similar set of vulnerabilities on my web site, in a FW-1
config guide that's in its early stages.  It's available at:

http://www.thievco.com/conf/fw1confguide.html

						BB

> Issue: Checkpoint's Firewall-1 has a "feature" that can allow an external
> intruder to pass through the firewall and attack machines, uninhibited, on
> the protected side.
>
> Details: When Firewall-1 is installed there is an implicit rule: ANY
> (Source), ANY (Destination), ANY (Service) and ACTION (drop). This means, in
> theory, that all IP based packets, whether incoming or outgoing should be
> dropped. However, Firewall-1, out of the box, allows certain "core" network
> protocols through - these being RIP (UDP port 520), DNS (UDP and TCP port
> 53) and all ICMP except Redirects. These are allowed through, from ANY
> (source) to ANY (Destination), without being logged, before the rule base is
> referenced.
>


From thievco@sprite.netnation.com Wed Oct 28 16:35:13 1998
Date: Wed, 28 Oct 1998 16:35:13 -0800 (PST)
From: Thievco <thievco@sprite.netnation.com>
To: BUGTRAQ@netspace.org
Subject: Re: Firewall-1 Security Advisory
In-Reply-To: <Pine.LNX.3.96.981026135720.18751A-100000@sprite.netnation.com>
Message-ID: <Pine.LNX.3.96.981028163203.20183B-100000@sprite.netnation.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Status: O
X-Status: 


 I've outlined a similar set of vulnerabilities on my web site, in a FW-1
 config guide that's in its early stages.  It's available at:
 
 http://www.thievco.com/conf/fw1confguide.html
 
 It also addresses the "allow control connections" checkbox which was
 covered in a Checkpoint advisory but wasn't mentioned here.

						BB
 
 > Issue: Checkpoint's Firewall-1 has a "feature" that can allow an external
 > intruder to pass through the firewall and attack machines, uninhibited, on
 > the protected side.
 >
 > Details: When Firewall-1 is installed there is an implicit rule: ANY
 > (Source), ANY (Destination), ANY (Service) and ACTION (drop). This means, in
 > theory, that all IP based packets, whether incoming or outgoing should be
 > dropped. However, Firewall-1, out of the box, allows certain "core" network
 > protocols through - these being RIP (UDP port 520), DNS (UDP and TCP port
 > 53) and all ICMP except Redirects. These are allowed through, from ANY
 > (source) to ANY (Destination), without being logged, before the rule base is
 > referenced.
 >
  


From thievco@sprite.netnation.com Fri Oct 30 07:55:15 1998
Date: Fri, 30 Oct 1998 07:55:15 -0800 (PST)
From: Thievco <thievco@sprite.netnation.com>
To: ntbugtraq@listserv.ntbugtraq.com
Subject: Re: Firewall-1 Security Advisory
Message-ID: <Pine.LNX.3.96.981030074721.16568A-100000@sprite.netnation.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Status: O
X-Status: 

None of this is really news, but Checkpoint does a really bad job of
emphasizing exactly how important it is to not have these items checked
on.  Diligence also missed the "allow control connections" checkbox in
their advisory.

We speak to this in our FW1 config guide:

http://www.thievco.com/conf/fw1confguide.html

Even worse than what Russ mentions, there are root compromise exploits
(for unix, obviously) for DNS (UDP & TCP) and RIP.  There are plenty of
DoS attacks for ICMP.  If you have these boxes checked on in your FW1 you
invite compromise of both your firewall machine and inside machines.

						BB

>Diligence Information Security <http://www.diligence.co.uk/advis.htm>
>released an advisory  to Bugtraq
><http://www.netspace.org/cgi-bin/wa?A2=ind9810d&L=bugtraq&F=&S=&P=5792>
>regarding a possibly little-known fact about Firewall-1 v3.0b.
>
>In a nutshell, FW-1 has rules defined to permit traffic through, and to,
>the FW by default. The GUI implies that the default ruleset is deny all
>to any from any. In fact, it would appear that some ICMP, any DNS, and
>properly formatted RIP packets are allowed through prior to the normally
>viewable ruleset rules.



From thievco@sprite.netnation.com Fri Nov  6 16:07:46 1998
Date: Fri, 6 Nov 1998 16:07:45 -0800 (PST)
From: Thievco <thievco@sprite.netnation.com>
To: bugtraq@netspace.org
Subject: Re: Which crypto algorithm? was: Communicator 4.5 stores EVERYmail-password in preferences.js (decoder)
Message-ID: <Pine.LNX.3.96.981106155713.27067A-100000@sprite.netnation.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Status: RO
X-Status: 

>Does anybody know the algorithm used to encrypt the passwords in
>Communicator??

Apparently, it takes the plaintext, xors it with a fixed string,
and base64 encodes the result:

use MIME::Base64;
# base64-decode the stored value, then XOR it with the fixed 7-byte key;
# Perl's string ^ string operator XORs the two strings byte by byte
print ((decode_base64('NLyIPunfKw==')) ^ ("\x56" . "\xc9" . "\xef" .
"\x4a" . "\x9b" . "\xbe" . "\x5a"));

You need the MIME perl module.

This one is good up to 7 characters, because that's how long a couple of
POP passwords I have are :)

Should be pretty straightforward to extend beyond 7 characters.. just take
the encoded string from the prefs file, base64 decode it, and xor it with
your password in plaintext.  What you'll get is the fixed string to xor
with.. just extend the bytes I have above.  The sequence of bytes is
non-obvious as to the meaning (at least to me.)  It doesn't spell anything
in ASCII.  Let me know if it doesn't work on your passwords.. I'm curious.
I only had a couple to try.

						BB
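The scheme BB describes, as an added Python example that is not part of the original message: the seven key bytes are the ones quoted above, and the function names (`decode_pref_password`, `recover_key`, `extend_key`) are mine. It shows the decoding, the known-plaintext key recovery the message walks through, and why a value stored this way deserves the same file permissions as a plaintext password store.

```python
import base64

# The seven key bytes quoted in the message above; nothing more of the key is
# known here, so values longer than 7 bytes are refused rather than guessed.
KNOWN_KEY = bytes.fromhex("56c9ef4a9bbe5a")


def _xor(data: bytes, key: bytes) -> bytes:
    """XOR each byte of data with the key byte at the same position."""
    if len(data) > len(key):
        raise ValueError(f"need {len(data)} key bytes but only {len(key)} are known")
    return bytes(d ^ k for d, k in zip(data, key))


def decode_pref_password(encoded: str, key: bytes = KNOWN_KEY) -> str:
    """Undo the stored form: base64-decode, then XOR with the fixed key."""
    return _xor(base64.b64decode(encoded), key).decode("latin-1")


def encode_pref_password(plaintext: str, key: bytes = KNOWN_KEY) -> str:
    """Forward direction (XOR, then base64), used to confirm the round trip."""
    return base64.b64encode(_xor(plaintext.encode("latin-1"), key)).decode("ascii")


def recover_key(encoded: str, known_plaintext: str) -> bytes:
    """Why a fixed XOR key is obfuscation, not encryption: a single stored
    value whose plaintext is known yields the key bytes directly (C ^ P == K).
    This is the step the message describes for extending the key past 7 bytes."""
    blob = base64.b64decode(encoded)
    raw = known_plaintext.encode("latin-1")
    if len(blob) != len(raw):
        raise ValueError("stored value and plaintext differ in length")
    return bytes(c ^ p for c, p in zip(blob, raw))


def extend_key(key: bytes, encoded: str, known_plaintext: str) -> bytes:
    """Merge a freshly recovered fragment into the key bytes already known,
    refusing the merge if the overlapping bytes disagree (which would mean
    the value was not produced by this scheme or this key)."""
    fragment = recover_key(encoded, known_plaintext)
    overlap = min(len(key), len(fragment))
    if key[:overlap] != fragment[:overlap]:
        raise ValueError("recovered bytes contradict the known key prefix")
    return fragment if len(fragment) > len(key) else key


if __name__ == "__main__":
    stored = "NLyIPunfKw=="                       # the value from the message
    print(decode_pref_password(stored))          # -> bugtraq
    print(recover_key(stored, "bugtraq").hex())  # -> 56c9ef4a9bbe5a
```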


From thievco@sprite.netnation.com Mon Nov 16 10:26:02 1998
Status: O
X-Status: 
Date: Mon, 16 Nov 1998 10:26:02 -0800 (PST)
From: Thievco <thievco@sprite.netnation.com>
To: blueboar@thievco.com
Subject: RE: Firewall-1 Security Advisory (fwd)
Message-ID: <Pine.LNX.3.96.981116102549.10353A-100000@sprite.netnation.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII



---------- Forwarded message ----------
Date: Mon, 2 Nov 1998 18:05:10 +0300
From: Maxim Shatskih <maxim@vest.msk.ru>
To: Thievco <thievco@SPRITE.NETNATION.COM>
Subject: RE: Firewall-1 Security Advisory

Well, and what product is better - CheckPoint's or MS Proxy Server?

> -----Original Message-----
> From:	Thievco [SMTP:thievco@SPRITE.NETNATION.COM]
> Sent:	Friday, October 30, 1998 6:55 PM
> To:	NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
> Subject:	Re: Firewall-1 Security Advisory
> 
> None of this is really news, but Checkpoint does a really bad job of
> emphasizing exactly how important it is to not have these items checked
> on.  Diligence also missed the "allow control connections" checkbox in
> their advisory.
> 
> We speak to this in our FW1 config guide:
> 
> http://www.thievco.com/conf/fw1confguide.html
> 
> Even worse than what Russ mentions, there are root compromise exploits
> (for unix, obviously) for DNS (UDP & TCP) and RIP.  There are plenty of
> DoS attacks for ICMP.  If you have these boxes checked on in your FW1 you
> invite compromise of both your firewall machine and inside machines.
> 
>                                                 BB
> 
> >Diligence Information Security <http://www.diligence.co.uk/advis.htm>
> >released an advisory  to Bugtraq
> ><http://www.netspace.org/cgi-bin/wa?A2=ind9810d&L=bugtraq&F=&S=&P=5792>
> >regarding a possibly little-known fact about Firewall-1 v3.0b.
> >
> >In a nutshell, FW-1 has rules defined to permit traffic through, and to,
> >the FW by default. The GUI implies that the default ruleset is deny all
> >to any from any. In fact, it would appear that some ICMP, any DNS, and
> >properly formatted RIP packets are allowed through prior to the normally
> >viewable ruleset rules.


From thievco@sprite.netnation.com Mon Nov 16 10:26:13 1998
Status: O
X-Status: 
Date: Mon, 16 Nov 1998 10:26:13 -0800 (PST)
From: Thievco <thievco@sprite.netnation.com>
To: blueboar@thievco.com
Subject: Re: Firewall-1 Security Advisory (fwd)
Message-ID: <Pine.LNX.3.96.981116102606.10353B-100000@sprite.netnation.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII



---------- Forwarded message ----------
Date: Mon, 2 Nov 1998 10:50:45 -0500 (EST)
From: Fiji <jfay@stetson.edu>
To: Thievco <thievco@SPRITE.NETNATION.COM>
Subject: Re: Firewall-1 Security Advisory

hmm I agree with your statements to BUGTRAQ. I actually learned about the
misconfigurations of Firewall-1 from your site a while back. But here is
the main question: "When are you going to do more with your site?" You
mention that you are going to add more about attacking Firewall-1. When
are you going to put that up? You may also want to put some stuff up on
the INSPECT code. I wonder if one could buffer overflow the INSPECT
code...

-Fiji


From thievco@sprite.netnation.com Mon Nov 16 10:26:24 1998
Status: O
X-Status: 
Date: Mon, 16 Nov 1998 10:26:24 -0800 (PST)
From: Thievco <thievco@sprite.netnation.com>
To: blueboar@thievco.com
Subject: Re: Firewall-1 Security Advisory (fwd)
Message-ID: <Pine.LNX.3.96.981116102616.10353C-100000@sprite.netnation.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII



---------- Forwarded message ----------
Date: Tue, 3 Nov 1998 12:49:21 +0800 (MALT)
From: Wong Tsang Han <tsanghan@cyberdude.com>
To: Thievco <thievco@SPRITE.NETNATION.COM>
Cc: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: Firewall-1 Security Advisory


Hello All,

As Thievco mentioned, none of this is really news. 
The more important issue here is not what features or pre-configurations
the firewall software provide, but should be this:

After knowing the capabilities and functionalities of the firewall
software, security/firewall administrators should be able to determine
what security policies are needed and configure the firewall appropriately
using the features provided.

In other words, the security/firewall admin should know what he/she is
doing.

I agreed with Thievco about the point on DNS, RIP and DoS ICMP exploit,
but I feel this exploit is more on machines behind the firewall, when the
"Control Properties -> Security Policy" DNS TCP/UDP, ICMP and RIP is
checked. The firewall itself will be compromised by this type of
exploit/services IF the firewall is not sufficiently configured. 

For example, to stop ICMP DoS type of exploit on the firewall machine (for
that matter to stop any IP destined for the firewall machine), one
can put a "from ANYwhere to FIREWALL for ANY services with action of DROP"
on the very FIRST line on the policy editor AND have "Accept ICMP" on the
"Control Properties -> Accept ICMP" checked WITH a "Before Last" selection 
(which is the default). Of course with this configuration, the machine
behind the firewall is not protected against ICMP DoS attack, then again
the decision to turn "Accept ICMP" off should be a policy the
security/firewall administration should consider.

The "Control Properties -> Security Policy" is not a stand alone, all or
nothing rule set, you can select "First, Last or Before Last" for the
rule base matching, which means it is actually being integrated with YOUR
policy you define in the policy editor. The "from ANYwhere to FIREWALL for
ANY services with action of DROP" is among many other things the CCSA
course teaches you, and this is called "Stealthing the Firewall Rule".

With all this said, what I am driving at is that no matter what firewall
is being used (Gauntlet, FireWall-1, Raptor... or even self-built), it is
the administrator who is responsible to understand the company's security
policy, implement it as a secure firewall configuration using whatever
features the firewall provides, constantly update him/herself on the new
types of exploit on the Internet and re-configure/patch the firewall
appropriately to handle the new threats.

th

On Fri, 30 Oct 1998, Thievco wrote:

> None of this is really news, but Checkpoint does a really bad job of
> emphasizing exactly how important it is to not have these items checked
> on.  Diligence also missed the "allow control connections" checkbox in
> their advisory.
> 
> We speak to this in our FW1 config guide:
> 
> http://www.thievco.com/conf/fw1confguide.html
> 
> Even worse than what Russ mentions, there are root compromise exploits
> (for unix, obviously) for DNS (UDP & TCP) and RIP.  There are plenty of
> DoS attacks for ICMP.  If you have these boxes checked on in your FW1 you
> invite compromise of both your firewall machine and inside machines.
> 
>                                                 BB
> 
> >Diligence Information Security <http://www.diligence.co.uk/advis.htm>
> >released an advisory  to Bugtraq
> ><http://www.netspace.org/cgi-bin/wa?A2=ind9810d&L=bugtraq&F=&S=&P=5792>
> >regarding a possibly little-known fact about Firewall-1 v3.0b.
> >
> >In a nutshell, FW-1 has rules defined to permit traffic through, and to,
> >the FW by default. The GUI implies that the default ruleset is deny all
> >to any from any. In fact, it would appear that some ICMP, any DNS, and
> >properly formatted RIP packets are allowed through prior to the normally
> >viewable ruleset rules.
> 
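
A small model of how the Security Policy property boxes interact with the rule base, as an added Python example that is none of the posters' code: the "first" / "before last" / "last" ordering is my reading of the discussion above, and the host names, object names and service labels are constructed. It checks the three configurations the thread argues about: the advisory's out-of-box properties, Wong's stealth rule with Accept ICMP at "before last", and the property boxes unchecked as the config guide recommends.

```python
from dataclasses import dataclass
from typing import List, Tuple

ANY = "any"
FIREWALL = "fw-gateway"      # constructed object name for the FW-1 module itself
INSIDE = "inside-host"       # constructed host behind the firewall
OUTSIDE = "outside-host"     # constructed host on the Internet side


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    service: str             # "icmp", "dns-udp", "dns-tcp", "rip", "http", ...


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    service: str
    action: str              # "accept" or "drop"
    name: str
    logged: bool = True

    def matches(self, pkt: Packet) -> bool:
        return all(want in (ANY, have) for want, have in
                   ((self.src, pkt.src), (self.dst, pkt.dst), (self.service, pkt.service)))


def implied(service: str, position: str) -> Rule:
    # Model of one checked property box: any -> any, accepted, never logged.
    return Rule(ANY, ANY, service, "accept", f"implied accept {service} ({position})", logged=False)


def build_rule_base(explicit: List[Rule], properties: List[Tuple[str, str]]) -> List[Rule]:
    """Assumed ordering: 'first' implied rules, then the explicit rules with
    'before last' implied rules inserted ahead of the final explicit rule,
    then 'last' implied rules, then the implicit any/any/any drop."""
    by_pos = {"first": [], "before last": [], "last": []}
    for service, position in properties:
        by_pos[position].append(implied(service, position))
    body, tail = explicit[:-1], explicit[-1:]
    cleanup = Rule(ANY, ANY, ANY, "drop", "implicit cleanup drop", logged=False)
    return by_pos["first"] + body + by_pos["before last"] + tail + by_pos["last"] + [cleanup]


def evaluate(rule_base: List[Rule], pkt: Packet) -> Rule:
    """First match wins, exactly like the policy editor's top-to-bottom order."""
    for rule in rule_base:
        if rule.matches(pkt):
            return rule
    raise AssertionError("the implicit cleanup rule always matches")


def unlogged_accepts(rule_base: List[Rule], pkts: List[Packet]) -> List[Tuple[Packet, str]]:
    """Audit helper: traffic that gets through without producing a log entry,
    which is what the advisory objects to."""
    hits = []
    for pkt in pkts:
        rule = evaluate(rule_base, pkt)
        if rule.action == "accept" and not rule.logged:
            hits.append((pkt, rule.name))
    return hits


STEALTH = Rule(ANY, FIREWALL, ANY, "drop", "stealth rule")
ALLOW_WEB = Rule(ANY, INSIDE, "http", "accept", "allow web to inside")
EXPLICIT_CLEANUP = Rule(ANY, ANY, ANY, "drop", "explicit cleanup drop")
EXPLICIT = [STEALTH, ALLOW_WEB, EXPLICIT_CLEANUP]

CORE = ("icmp", "dns-udp", "dns-tcp", "rip")
PROBES = [Packet(OUTSIDE, FIREWALL, s) for s in CORE] + [Packet(OUTSIDE, INSIDE, s) for s in CORE]

# Scenario 1: the advisory's situation as modelled here, with DNS, RIP and ICMP
# accepted 'first', i.e. before the stealth rule is ever consulted.
OUT_OF_BOX = build_rule_base(EXPLICIT, [(s, "first") for s in CORE])

# Scenario 2: Wong's arrangement, stealth rule at the top of the policy editor
# and Accept ICMP still checked but positioned 'before last'.
STEALTHED = build_rule_base(EXPLICIT, [("icmp", "before last")])

# Scenario 3: every property box unchecked, as the config guide recommends.
HARDENED = build_rule_base(EXPLICIT, [])

if __name__ == "__main__":
    for label, base in (("out of box", OUT_OF_BOX), ("stealthed", STEALTHED), ("hardened", HARDENED)):
        print(label, [(p.dst, p.service, name) for p, name in unlogged_accepts(base, PROBES)])
```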


From thievco@sprite.netnation.com Mon Nov 16 10:26:35 1998
Status: O
X-Status: 
Date: Mon, 16 Nov 1998 10:26:35 -0800 (PST)
From: Thievco <thievco@sprite.netnation.com>
To: blueboar@thievco.com
Subject: RE: Firewall-1 Security Advisory (fwd)
Message-ID: <Pine.LNX.3.96.981116102627.10353D-100000@sprite.netnation.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII



---------- Forwarded message ----------
Date: Tue, 3 Nov 1998 15:30:10 +0100 
From: Tom Kager <Tom.Kager@DMS.CH>
Reply-To: Thievco <thievco@SPRITE.NETNATION.COM>
To: 'Thievco ' <thievco@SPRITE.NETNATION.COM>
Subject: RE: Firewall-1 Security Advisory

Hi,

I read your configuration guide and I greatly appreciate it. It looks pretty
good. I modified my Firewall to not accept DNS queries and not accept RIP. I
had already turned off ICMP. Thanks.

I was hoping that you might be able to answer a couple of
questions.

Do you believe that a DMZ should be off a protected interface on the
firewall? For example, a Firewall-1 firewall is configured with 3
interfaces: the first interface goes directly to the Internet connected
router, the second interface goes directly to a hub with Bastion hosts
connected, and the third interface is connected to the intranet. I was
wondering if you have any thoughts on any advantages or disadvantages of
this type of configuration.

I am currently running Firewall-1. I am not sure that this is the Firewall
that I want to use. I have read that Stateful Inspection firewalls screen
only what they understand, whereby an application proxy is a subset of an
application and therefore will not proxy any traffic that it does not
understand. Any thoughts?

Thank you very much,
Tom Kager


-----Original Message-----
From: Thievco
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Sent: 10/30/98 4:55 PM
Subject: Re: Firewall-1 Security Advisory

None of this is really news, but Checkpoint does a really bad job of
emphasizing exactly how important it is to not have these items checked
on.  Diligence also missed the "allow control connections" checkbox in
their advisory.

We speak to this in our FW1 config guide:

http://www.thievco.com/conf/fw1confguide.html

Even worse than what Russ mentions, there are root compromise exploits
(for unix, obviously) for DNS (UDP & TCP) and RIP.  There are plenty of
DoS attacks for ICMP.  If you have these boxes checked on in your FW1 you
invite compromise of both your firewall machine and inside machines.

                                                BB

>Diligence Information Security <http://www.diligence.co.uk/advis.htm>
>released an advisory  to Bugtraq
><http://www.netspace.org/cgi-bin/wa?A2=ind9810d&L=bugtraq&F=&S=&P=5792>
>regarding a possibly little-known fact about Firewall-1 v3.0b.
>
>In a nutshell, FW-1 has rules defined to permit traffic through, and to,
>the FW by default. The GUI implies that the default ruleset is deny all
>to any from any. In fact, it would appear that some ICMP, any DNS, and
>properly formatted RIP packets are allowed through prior to the normally
>viewable ruleset rules.


From thievco@sprite.netnation.com Mon Nov 16 10:29:42 1998
Status: O
X-Status: 
Date: Mon, 16 Nov 1998 10:29:42 -0800 (PST)
From: Thievco <thievco@sprite.netnation.com>
To: submit@hackernews.com
Subject: Frame spoofing vulnerability
Message-ID: <Pine.LNX.3.96.981116102711.10499A-100000@sprite.netnation.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

http://www.securexpert.com/framespoof/index.html

This is a fairly impressive demonstration... I heard about it via Bugtraq.

BlueBoar@thievco.com


From thievco@sprite.netnation.com Mon Nov 16 23:21:21 1998
Status: O
X-Status: 
Date: Mon, 16 Nov 1998 23:21:20 -0800 (PST)
From: Thievco <thievco@sprite.netnation.com>
To: submit@hackernews.com
Subject: New affiliate
Message-ID: <Pine.LNX.3.96.981116232046.7160A-100000@sprite.netnation.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

http://www.thievco.com

			BB


From thievco@sprite.netnation.com Mon Nov 16 23:23:27 1998
Status: O
X-Status: 
Date: Mon, 16 Nov 1998 23:23:27 -0800 (PST)
From: Thievco <thievco@sprite.netnation.com>
To: gimli@uni-paderborn.de
Subject: referencing your mail
Message-ID: <Pine.LNX.3.96.981116232123.7160B-100000@sprite.netnation.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

http://www.thievco.com/advisories/nspreferences.html

Thought you might be interested.  This is a follow-up to your posting to
Bugtraq about the preferences.js file problems.

					BB


From thievco@sprite.netnation.com Tue Nov 17 22:09:01 1998
Status: O
X-Status: 
Date: Tue, 17 Nov 1998 22:09:01 -0800 (PST)
From: Thievco <thievco@sprite.netnation.com>
To: submit@hackernews.com
Subject: Dispatches from the hacker wars
Message-ID: <Pine.LNX.3.96.981117220743.370A-100000@sprite.netnation.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

http://cypherpunks:cypherpunks@www.nwfusion.com/news/1116hackers.html

NetworkWorld Fusion normally requires a password... someone
(not me) set up the cypherpunks account already.

					BB


From thievco@sprite.netnation.com Sun Dec  6 21:32:01 1998
Status: O
X-Status: 
Date: Sun, 6 Dec 1998 21:32:01 -0800 (PST)
From: Thievco <thievco@sprite.netnation.com>
To: submit@hackernews.com
Subject: Strikeback
Message-ID: <Pine.LNX.3.96.981206213020.27690A-100000@sprite.netnation.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

http://www.internetwk.com/news1298/news120498-12.htm

Heh...  An article about companies installing software that retaliates
when attacked.  That could be more fun than a smurf attack!  Has a quote
from jeff Moss, too.

					BB


From thievco@sprite.netnation.com Sun Dec 13 18:53:32 1998
Status: O
X-Status: 
Date: Sun, 13 Dec 1998 18:53:31 -0800 (PST)
From: Thievco <thievco@sprite.netnation.com>
To: submit@hackernews.com
Subject: Steal caught
Message-ID: <Pine.LNX.3.96.981213185058.23381A-100000@sprite.netnation.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

I can't be the only one to have sent this in... but just in case:
http://www.zdnet.com/zdtv/cybercrime/features/story/0,3700,2175248,00.html

See what happens when you take weekends off? :)

					BB


From thievco@sprite.netnation.com Tue Jan 12 09:27:48 1999
Status: O
X-Status: 
Date: Tue, 12 Jan 1999 09:27:48 -0800 (PST)
From: Thievco <thievco@sprite.netnation.com>
To: tan@l0pht.com
Subject: UL
Message-ID: <Pine.LNX.3.96.990112092709.25675A-100000@sprite.netnation.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

>As a hacker, is the relationship between the
>hot-shot safe crackers and the UL an attractive one you would be
>interested in? 

Sure.  If it wasn't of interest, why would so many of us be
doing it voluntarily already?

>Is the UL listing process for installations sufficient?

No, see below.  Just to be clear, it's not sufficient, but
it may be an improvement over the current situation, if
we're talking about info security tools.

>Will it encounter problems unforeseen by this article? As an insurer,
>am I missing part of the picture; 

I know you're aware of this, but it didn't stand out to me as
being addressed enough:  Info security tools in the hands of
security admins are very plastic... they can change dramatically
with a single re-configuration.  They are also (typically) part of
a larger system, and not self-contained.  A firewall can be configured
correctly, but it won't save a web server with a bad CGI script.
Contrast this with a physical safe:  It's self-contained, and
the expectation is that people don't modify their safes every
day.

>are companies actually insuring
>their computer systems and data to mitigate loss or liability? 

My company isn't, at least not yet.  This idea seems really strange
to me.  Perhaps I'm too cynical... I've worked with too many infosec
groups to believe that anyone has a good enough security policy,
and follows it, to justify insuring them.  People are sloppy and
make bad decisions, myself included.  Again, security admins have
MUCH more control over info security products than a physical safe.

>As a
>manufacturer do you foresee problems with the UL model being imposed
>on computer security products? 

I'm not a manufacturer, but I see things like the ICSA certification
being somewhat mandatory.  Wrong or right, any kind of label that
implies one product has passed a certain set of criteria becomes
a selling point.

>As an end user do you feel that
>computer security is important? 

Um, yeah :)

>Do you feel that the current system
>actually is sufficient? 

The current system of {no, ICSA, CISSP} certification?  No.

>Have you been wanting something better or do
>you feel that you are being slighted by my insinuation that you do not
>fully understand the products you purchase? 

Ego dictates that I'm somewhat insulted.  But to be fair, given the
number of products I have to deal with in the rather vast security
system at my day job, there is no way I can know everything I need to.

The only kind of certification that is useful (and I think
the UL listings are) are those that have a very strict set of criteria,
so one can see exactly what is and isn't certified.  Of course, the
type of things that the UL works with are, IMNSHO, orders of magnitude
easier to evaluate.  They are also mostly fixed configuration.  Still,
the UL listings can't help people who don't understand.  For example,
the UL can evaluate an extension cord for 110V use by specifying some
minimum wire gauge.  That won't help if I don't read the proper use
instructions, string 5 of them together and plug my 220V clothes
dryer into that.  Many argue that the problem with firewalls is that
people can misconfigure them because they don't understand.

What's required for infosec products, since I have the ability to
change my copy of the product at will, is a re-certification
each time I change it.  Possibly this could be another piece
of software, but unless the infosec product is fairly trivial, 
I think Mr. Turing has an issue with that.  The other obvious
choice is an audit.  As most of us know, that audit has to be done
by someone other than the person implementing the system.

Finding auditors who know what they are doing is a whole
different rant. :)

Should you desire to repost any or all of my response, you have
my full permission.

					BB


From thievco@sprite.netnation.com Wed Jan 20 22:40:39 1999
Status: O
X-Status: 
Date: Wed, 20 Jan 1999 22:40:37 -0800 (PST)
From: Thievco <thievco@sprite.netnation.com>
To: submit@hackernews.com
Subject: New rant
Message-ID: <Pine.LNX.3.96.990120223903.3001A-100000@sprite.netnation.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

I've posted a new rant that might be of interest to the HNN readers:
http://www.thievco.com/rants/trendysec.html

It has to do with me not being happy with biometrics and public Internet
access terminals.

						BB


From thievco@sprite.netnation.com Mon Jun 28 11:00:36 1999
Status: O
X-Status: 
Date: Mon, 28 Jun 1999 11:00:36 -0700 (PDT)
From: Thievco <thievco@sprite.netnation.com>
To: aleph1@underground.org, russ.cooper@rc.on.ca
Subject: Bugtraq-Dev?
Message-ID: <Pine.LNX.3.96.990628104647.3498A-100000@sprite.netnation.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

Howdy.  I'm Blue Boar, I run the Thievco site. (www.thievco.com).

I've been contemplating starting a mailinglist for the purpose of
discussing exploits.  Specifically, for help on how to write them.  While
your lists are generally used to announce a problem that has already been
researched, I'd like to have one for people who aren't sure they have a
problem, or who need help developing an exploit for it.  For many holes, I
myself would fall into the latter category.

I understand the extra controversy of such a list.  I'm not asking for
opinions on that (though you're welcome to provide them.)  That part is my
problem.

I'm mailing you two because I see such a list as an extension to the
bugtraq(s).  I want to know if either of you have any objection to
something like "bugtraq-dev" as a name for it?  That's really all the
"sponsorship" I'm looking for... that, and letting a post through
announcing it, when it's ready.

I respect both of you enough that if there is an objection, I will drop
the use of the bugtraq name in any way.  No reason is required.
Additionally, if either of you have similar plans (as possibly hinted at
in Aleph's securityfocus announcement) I'll drop mine.

I await your responses. 

				BB

P.S. I could also use hints on what you think are good list hosts.  I
could pay a nominal amount.. say $100/year.


From thievco@sprite.netnation.com Mon Jun 28 16:27:45 1999
Status: O
X-Status: 
Date: Mon, 28 Jun 1999 16:27:45 -0700 (PDT)
From: Thievco <thievco@sprite.netnation.com>
To: Russ <Russ.Cooper@rc.on.ca>
cc: aleph1@underground.org
Subject: RE: Bugtraq-Dev?
In-Reply-To: <61143C10CC8AD211A2F10000F878E6830677B1@ns.rc.on.ca>
Message-ID: <Pine.LNX.3.96.990628155326.16190A-100000@sprite.netnation.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII



On Mon, 28 Jun 1999, Russ wrote:

> Well, if I had my choice, I would rename NTBugtraq in a
> flash...unfortunately the name is a little too popular and referenced
> now to simply dump it in favor of NTAdvice or SecurityAdvice or some
> other name...
> 
> I'm certainly not the one who can claim anything to the word
> "Bugtraq", as I said in my List Charter and list announcement, it's
> based around what Aleph1 had been moderating.

Understood.  That's why I ask both of you.  I understand you to mean,
then: "Not recommended, but use that name if you must.  I'm not saying
no."

> If I were you, I would go for something that's more yours.
> "How2exploit.com" and "How2exploit.org" are both open domain names??
> You could be dev@How2exploit.com or some such list name.

That doesn't convey exactly what I have in mind.. I want to extend the
Bugtraqs a bit, to allow for some discussion.  Both of you keep the lists
mostly to finished announcement, with a little side discussion.  I want to
allow a bit more.  I would tend to disallow "d00d, write me a spl0itz for
product x!!!!11" and allow something like "Hey, I think I've found an
exploitable hole because of this behaviour..can someone help me tell if
this is exploitable."

> As far as hosting goes, LSoft (http://www.lsoft.com) has been great
> for both Aleph1 and myself. They have a version that will do 500
> subscribers for free (or next to nothing) if you host the deliveries.
> Not sure how many subscribers you were planning on.

I've thought of them...  was trying to get feedback on how it was to work
with them, thanks.  I hadn't given much thought to how many people.. was
just going to let folks subscribe.

> As far as opinion, why don't you simultaneously host
> "How2makeApipeBomb.com"...;-]

That attitude is expected, and I can deal with it.  I think you
misunderstand the intention, and it won't be the last time.  Basically,
I've sat on a number of problems in the past because I didn't have either
the time or skill to finish up the investigation.  I'd like to be able to
do something with those.  

Also, there is a book I'm working on that is semi-related, and I'd like
the list to exist to go with that, even if I'm not running it.  I'd like
to contact both of you again about that later (there is a chapter on
reporting problems) but that's a different topic.

> Seriously, there's certainly going to be a lot of interest in such a
> list, guess the real question is whether or not you'd get anyone to
> post to it or not (with answers, I mean, rather than questions).

The plan is to moderate out the dumb questions for the most part.  I'm
hoping for half-answered questions.  Judging by discussions (or attempted
discussions) for the bugtraqs in the past, there is an interest, and by
the folks who can answer them, too.

> You're going to end up with a very large volume list (tons of
> subscribers, I mean) which will be costly to deliver (either in
> licenses from LSoft, or at the very least, bandwidth!). 

I'll have to take a close look at the L-soft costs.

> Of course if
> the goods aren't delivered via the list, you'll have extremely high
> turnover with no real impact.

Sure.  Though, it wouldn't break my heart to have a lower-volume list, if
the quality can be maintained at all.  The only thing I might regret is if
I do such a bad job that I kill the concept.  I believe the concept needs
to happen, whether I'm involved or not.

> So it depends on how you think you're going to achieve a viable list
> community of more than just wanna-be hackers chewing up your bandwidth
> to deliver a few pearls of wisdom.

I assume it's all done through clever moderation. :)  Basically, some of
my motivation is selfish.. I'd like to be able to participate in such a
list. and if i need to start it, so be it.  Heck, maybe later I can trick
some poor suc... Umm, turn the reins over to someone else in the future.
I have no need to profit from such a list in any way, and please don't
take that as a criticism.  I admire greatly the folks like yourself who
spend huge amounts of time to provide such a service.  I have no objection
to folks making a living while providing me with a service.  I already
make a living, and this type of thing is a hobby (well, sort of.. I make
my living doing security stuff.)  I say this only to demonstrate that,
yes, I would be fine giving the list away to the right person.  I might
keep that as a goal...  I don't doubt I could.. I just have to
successfully demonstrate the concept, and set the tone first.

I have no idea what it's like to moderate a list, so I'll be learning the
hard way.  

I realize how this sounds.  I've no way to prove that I've got the
maturity and knowledge for such a topic, and still keep my anonymity.
(You know me by my real name as well, Russ.)  So, given that, I appreciate
you taking the time to even respond.  Thanks.

						BB


From thievco@sprite.netnation.com Mon Jun 28 17:52:49 1999
Status: O
X-Status: 
Date: Mon, 28 Jun 1999 17:52:49 -0700 (PDT)
From: Thievco <thievco@sprite.netnation.com>
To: Russ <Russ.Cooper@rc.on.ca>
Subject: RE: Bugtraq-Dev?
In-Reply-To: <61143C10CC8AD211A2F10000F878E6830677B3@ns.rc.on.ca>
Message-ID: <Pine.LNX.3.96.990628174303.688A-100000@sprite.netnation.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII


> Do you work on West Hastings Street too?

??

> That was a joke...hence the smiley...;-]

I know, but the joke isn't there, unless the thought occurs.

> I don't think it's a good idea to leverage off of the credibility of the
> Bugtraqs. I hope I have lived up to Aleph1's, but I'm sure he was

Clear enough.  I'll pick a different name.  Hmm... exploit-dev?

It seems clear that Russ won't be starting such a list... the only
question remains if Aleph1 will?

> There's definitely an interest in such a list, the problem is, if it's
> not active then you will have a high turn-over of subscribers. This gets
> real tough to handle from a moderator's perspective, especially if there
> are a lot of people subscribed. You'll get the same old questions over
> and over and if people aren't around for very long, you won't establish
> contacts with your community. Contributors want to see readers learning,
> that's typically their motivation.

I agree.  I'm not sure that's my motivation... perhaps that's a problem in
of itself.  I guess my intention is to produce advisories that are
suitable for the Bugtraqs.

> Well, you won't be a low volume list unless you operate a closed list.

By "volume" I'm referring to the posts that I allow.. naturally, the
amount I have to sift through would be much higher.

> Your list description is going to attract all the wanna-be hackers,
> whether you want them or not, and each of them is going to require
> another 1.5kb of bandwidth to deliver those few messages. Consider this,
> a single message to NTBugtraq requires approx. 25MB of bandwidth to
> deliver. Figure it out, it takes a while if you don't have a fat
> pipe...now multiply it by 3 or 4 messages per day.

Perhaps there is a fundamental misunderstanding on my part about how the
l-soft list operates?  Do the mails not originate from their server, using
their pipe?  (Understanding that there is a pricing issue, which I haven't
investigated yet.)

Again, thanks for the feedback.  I'll send an announcement your way when
I'm ready.  It will probably be a little while, though I realize I'm
making it sound imminent.

					BB


From thievco@sprite.netnation.com Mon Jun 28 17:58:07 1999
Status: O
X-Status: 
Date: Mon, 28 Jun 1999 17:58:07 -0700 (PDT)
From: Thievco <thievco@sprite.netnation.com>
To: Russ <Russ.Cooper@rc.on.ca>
cc: aleph1@underground.org
Subject: RE: Bugtraq-Dev?
In-Reply-To: <61143C10CC8AD211A2F10000F878E6830677B3@ns.rc.on.ca>
Message-ID: <Pine.LNX.3.96.990628175633.3746A-100000@sprite.netnation.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

Ok, now I see... I'm confusing the L-soft software with the service that
netspace.org provides (using the L-soft software.)  

So, to clarify, I was contemplating using the netspace.org services.


From thievco@sprite.netnation.com Mon Jun 28 19:55:52 1999
Status: O
X-Status: 
Date: Mon, 28 Jun 1999 19:55:52 -0700 (PDT)
From: Thievco <thievco@sprite.netnation.com>
To: Russ <Russ.Cooper@rc.on.ca>
cc: aleph1@underground.org
Subject: RE: Bugtraq-Dev?
In-Reply-To: <61143C10CC8AD211A2F10000F878E6830677B3@ns.rc.on.ca>
Message-ID: <Pine.LNX.3.96.990628194544.22933A-100000@sprite.netnation.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

..And I see netspace.org is for Brown students and faculty only.. OK,
doing great so far. :)

Anyway, I was trying to indicate I'll probably have the list "hosted"
somewhere.. I'll do the research on that.

Ok, no need for Russ to respond any further, thanks.

Aleph1, just a yes or no on if you've got plans for a similar list,
thanks.

					BB


From thievco@sprite.netnation.com Tue Jun 29 11:25:11 1999
Status: O
X-Status: 
Date: Tue, 29 Jun 1999 11:25:11 -0700 (PDT)
From: Thievco <thievco@sprite.netnation.com>
To: Aleph One <aleph1@underground.org>
Subject: Re: Bugtraq-Dev?
In-Reply-To: <19990629103246.W5993@underground.org>
Message-ID: <Pine.LNX.3.96.990629110954.569A-100000@sprite.netnation.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

> We might be able to host such a site for you, although I would have to
> consult with some other people and make sure we have to resources to do
> so. Let me know if you are interested and I'll look into it.

Thanks for getting back to me.  Yes, Russ convinced me to pick a different
name.  I'm thinking exploit-dev (I think the dev part speaks to my hopes
for such a list, so I'd like to keep that.)  After getting a clue or two
from Russ, I would be very much interested in whether you would host such
a list.

> > P.S. I could also use hints on what you think are good list hosts.  I
> > could pay a nominal amount.. say $100/year.
> 
> Thank you. Hopefully that will never be necessary. Personally I think
> such a move would kill the list overnight. The lists are really
> successful because of two factors: moderation and the subscriber base
> (since it is they who generate the content). Charging money would kill
> the subscriber base and thus kill the lists.

A little misunderstanding there... I would never charge for such a list
(it would be a bit insulting to charge people to write exploits for
each other, no? :) )  I was making reference to me paying a hosting
service to host the list.  After talking with Russ, and doing some actual
checking on typical costs to host such a list, I see $100 is pitifully
low.  I could probably go as high as $500 before my accounting department
(my wife :) ) says no.  I will have to find a hosting service that is
willing to give steep discounts basically as a favor to help such a list.
I would never consider the low-cost lists which embed ads in each e-mail,
though I've got no problems with related web-sites with banner ads and
such. (i.e. if SecurityFocus is willing to host such a list, they're more
than welcome to get whatever PR they can from hosting the list, I'm just
against third-party ads embedded in the actual e-mails.  Something like
"list hosted by securityfocus.com, to unsubscribe..." would be fine.  Is
Security Focus' business model based at all on ad revenue?) A final option
is for me to throw up an OpenBSD box on my home 384K Internet
connection, and see how long that holds out while I figure out another
option.

						BB


From thievco@sprite.netnation.com Thu Sep  2 18:16:37 1999
Status: O
X-Status: 
Date: Thu, 2 Sep 1999 18:16:37 -0700 (PDT)
From: Thievco <thievco@sprite.netnation.com>
To: majordomo@lists.us.checkpoint.com
Message-ID: <Pine.LNX.3.96.990902181611.12800A-100000@sprite.netnation.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

unsubscribe fw-1-mailinglist-digest



From thievco@sprite.netnation.com Sat Nov 13 10:15:00 1999
Status: O
X-Status: 
Date: Sat, 13 Nov 1999 10:15:00 -0800 (PST)
From: Thievco <thievco@sprite.netnation.com>
To: colonel@army.net
Subject: icq2000
Message-ID: <Pine.LNX.3.96.991113101324.4273A-100000@sprite.netnation.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

For whatever reason, since we're both hosted at netNation, I can't seem
to mail you via my normal mail setup (it bounces):

   ----- The following addresses had permanent fatal errors -----
<colonel@army.net>

   ----- Transcript of session follows -----
554 MX list for army.net. points back to peace.netnation.com
554 <colonel@army.net>... Local configuration error

In any case, the file can be found at:

www.thievco.com/icq2000.exe

				BB


