[WEB4LIB] Re: Fortres Hack on the Horizon??

sean dreilinger sean at savvysearch.com
Tue Jun 22 19:24:45 EDT 1999


Isabel Danforth wrote:
> There is an email address given for st0rmer.  it is one of the free email
> providers, and I already have sent them an email informing them that this
> person is involved in cracking security software.

either that, or they're just contributing to the software development
cycle by demonstrating potential exploits in package xyz (here, fortres)
and putting an external pressure on the fortres company to secure product
weaknesses promptly-- instead of letting holes linger, obscure but open,
for the truly malicious to come and take advantage of your fortres
installation.

cracking tools by developers who do NOT post their development calendar,
source code, and evolving exploit concepts in public forums such as the
web and bugtraq are a little more disturbing. now that the library
community knows of a potential weakness in this product, you can lobby the
software vendor to refine their product too.

barbara fraser of CMU CERT (computer emergency response team) gave a great
talk at the san diego supercomputer center last year explaining the
hack/exploit/crack/patch cycle, i took notes and later did a handout-type
writeup which emphasizes security issues and planning for web sites. both
the notes and the writeup are here: 

 http://durak.org/sean/pubs/security/

sidenote - i needed to recover a password the hard way last year, and
appreciated being able to grab a brute-force password cracking program.
imagine my surprise when i read the 5-year-old acknowledgements file (who
helped write the software) and recognized the first name as a responsible,
respected colleague and coworker -- probably just something he whipped up
in high school.

hope this poor gal (guy?) st0rmer doesn't suffer an fbi raid from all the
attention web4lib is sending them :-)

--sean

--
mailto:sean at savvysearch.com                sean dreilinger, mlis
 http://www.savvysearch.com                http://durak.org/sean

