NFR Wizards Archive: Re: Apology - not necessary



Paul D. Robertson (probertsclark.net)
Sat, 26 Sep 1998 10:19:38 -0400 (EDT)


On Sat, 26 Sep 1998, Marcus J. Ranum wrote:

> Frank Willoughby wrote:
> >IMO, there is nothing to apologize for.
>
> Frank, I gotta disagree.

I've mixed feelings on this, and nobody seems to be able to slide them
one way or another, so I'll sit on the fence but lean over towards
Frank's yard.

> Since his posting I've made a number of enquiries of unquotable
> nonexistent sources. None of them have pointed to a single
> substantive "smoking gun." Clearly the DOD may have problems
> with Israelis, after that Israeli kid embarrassed some of the
> DOD networkers so badly by pointing up how lame their security
> was, but that's the best I could find. I spoke with Checkpoint's
> VP of federal sales, and he said they've been working with NSA
> to get them source code for review. (Hopefully source code that

At the same time, there was a period last year (around this time, I think)
where at least two U.S. Government sites stopped FW-1 installs that I was
aware of.

I don't remember the first (and it could have been .gov, not .mil - I
honestly don't remember), but the second was Defense Logistics Agency
(Carlisle Barracks, Carlisle Pennsylvania).
  
While there may be a perfectly innocent reason for it, (or maybe they listened
to the rumors) it was certainly suspicious enough to fuel quite a bit of
"why-the-heck-would-they-buy-it-then-not-install-it?" speculation.

My understanding of the DLA event was that a higher command halted the
scheduled installation of FW-1 within 3 weeks of the scheduled install date to
replace it with a different product. This was after sending the site's
administrators to FW-1 training. When I was in the military, I know what that
would indicate to me, and I still find that metric to be the most appropriate
to apply in this case, Your Paranoia May Vary.

I heard about it from two different folks, both of whom seemed to be capable
of knowing fact from fiction, one of whom would have had an ulterior
motive, and the second of whom (to the best of my knowledge) wouldn't have.

Last time Checkpoint asked who was spreading "rumors" I held up my hand
on their mailing list. That's what I heard, I hope it's not too vague and
irrefutable, I'm not a consultant, I don't play in .mil or .gov, I don't
have a secret agent decoder ring, and I'd already heard enough to make me drop
FW-1 before that came around (FIN scans, OOB packets, apparent use of
the host stack for admin/VPN, frag hassles and lack of state on ICMP if
anyone's interested - and yes, I'm aware that you can fix the last of
those if you write an Inspect program, the undocumented inconsistencies
were my main gripe with that aspect).

Checkpoint's VP of Federal Sales was on spin cycle, but they didn't
seem interested in anything other than the standard "If you know a
vulnerability please tell us" line.

I'd always put the rumors prior to that point aside as "possible but no
evidence", I'm not sure the above counts as evidence for everyone, but in
this game, you take what you get and then make your own calls. I've made
mine, and I'm still comfortable with it.

> While Frank's points about national security make sense (especially
> in the light of Crypto AG and related tales) this is about
> squashing mud-slinging attempts, not security.

It's difficult to reliably separate mud-slinging from fact when the
empirical evidence flows in parallel with the mud. As Frank points out,
anyone in an ISSO-type position has to take a paranoid stance, and
foreign intel doesn't always _just_ mean government clients. While my
list of countries is a bit longer than Frank's, his are on my list too.

To me, the main worry wouldn't be espionage, it would be the black hats
discovering the vulnerability.
 
While mud-slinging is generally a bad thing, if there's a reasonable chance
that said mud came from that mud puddle over there at the vendor's house,
it often makes sense to point out the puddle.

> For the record, I'll reiterate my $3,000 challenge for a
> disassembled proof of a trapdoor. I've appended the original
> posting below.

It's sometimes difficult to prove "trap door" from "bug". What's your
metric for proof? Can it be non-disassembled evidence (packets, rules,
sniffer output), or is a direct comparison in the code the only form of
proof you'll accept, and are there any version limits?

I'm perfectly willing to let you test the one I've heard of (read -
*unsubstantiated rumor* that I *haven't personally tested*, which may or
*may not* be there, but isn't mine to give out) under NDA (sorry, it keeps
the terms that I got it under). I'm not interested in making anything off of it
*if* it turns out that my rumor isn't a rumor.

If you've access to FW-1 with code from the time of my rumor (last June) and
the current code, we can try it on both at your convenience. I don't have
the patience to disassemble anything these days though, and I don't have a
FW-1 box.

[FWIW- I'm also willing to go over a list of holes CP's fixed and state
that it was fixed if it was, but my non-disclosure rules simply don't allow
for me asking them if they've fixed "xyzzy-hole".]

Paul
[Seekrit Agent 0.0.0.0]
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
probertsclark.net which may have no basis whatsoever in fact."
                                                                     PSB#9280



This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:11:47 CDT