http://www.perlmonks.org?node_id=158021


in reply to Re: Does fatalsToBrowser give too much information to a cracker?
in thread Does fatalsToBrowser give too much information to a cracker?

"I'm convinced my source is safe."

Then you really don't even need an exception handler, do you? *Smiles*

The fact that an exception handler is triggered indicates that the software was caused to behave in a way which is not within normal bounds. While I can appreciate your point of view as someone who would like to help me fix the problem, there are just as many (or even more) people who would like to see how they can abuse this new found "feature" to comprimise my system. What you call debugging detail, the others half calls a roadmap.

I bet the developers of the first TCP/IP stacks (with predictable sequence numbers) thought their source was safe... until Kevin Mitnick abused it. I bet the developers of ICMP error messaging never thought it would be used to recon systems. I have to assume that the person on the other side of my system is smarter than me, more clever than me, and would like to comprimise my security.

Update for Juerd

"And exactly how did he abuse TCP/IP?"

The Mitnick attack was based on predicting sequence numbers... this is why most current TCP/IP stacks use non-predictable sequences.

Replies are listed 'Best First'.
Re: Re: Re: Does fatalsToBrowser give too much information to a cracker?
by Juerd (Abbot) on Apr 10, 2002 at 14:06 UTC

    Then you really don't even need an exception handler, do you? *Smiles*

    Well, I do. Errors are often caused by external problems, like exceeded disk quotas, connection errors etc. Or null bytes inserted in my source with terrible harddisk crashes.

    until Kevin Mitnick abused it.

    And exactly how did he abuse TCP/IP? The same way criminals abuse roads to get away? Or are you one of the many people who just blame this Mitnick guy for everything that is a crack?

    I bet the developers of ICMP error messaging never thought it would be used to recon systems.

    It's not the protocol that lets people abuse, it's the implementation. That's because it's very simple to make mistakes in lower level languages (hence Perl's huge number of bugs :)

    I have to assume that the person on the other side of my system is smarter than me, more clever than me, and would like to comprimise my security.

    Even if he is and would, how could error messages help crack a well written Perl program?

    U28geW91IGNhbiBhbGwgcm90MTMgY
    W5kIHBhY2soKS4gQnV0IGRvIHlvdS
    ByZWNvZ25pc2UgQmFzZTY0IHdoZW4
    geW91IHNlZSBpdD8gIC0tIEp1ZXJk