1. RFP writes to CMP pointing out errors in an article.
2. Jericho writes to the CMP team as well.

More mail in the thread:
a) CMP's original response to RFP
b) RFP replies to CMP
c) CMP will not budge
d) CF replies in disgust
e) RFP's final reply ** MUST READ **
From rfp@wiretrip.net Sat Sep 30 01:57:52 2000
From: rain forest puppy (rfp@wiretrip.net)
To: emarkowi@cmp.com
Cc: fennelly@wkeys.com, jyacono@cmp.com, gshipley@nwc.com, fnelson@cmp.com, mfratto@cmp.com, gyerxa@nwc.com, rfaletra@cmp.com, hclancy@cmp.com, pforman@cmp.com, mspiwak@cmp.com, folhors@cmp.com, ianwar@cmp.com, ahoffman@cmp.com, errata@attrition.org
Date: Wed, 3 May 2000 10:51:40 -0500 (CDT)
Subject: Re: IIS Security Hole (CRN is unprofessional)

: If you still feel strongly about what was printed in CRN, put your
: response as a "Letter To The Editor" and I will print it, but I would
: need your name and location.

I just so happen to have one composed...

Letter to the Editor:

I wanted to comment on the articles CRN published in regards to the IIS backdoor/dvwssr.dll incident. I have addressed aspects of each article separately:

: http://www.crn.com/search/display.asp?ArticleID=15842

"The security flaw, first disclosed Thursday, renders solutions using the NT 4.0 Option Pack or FrontPage extensions non-compliant with the government's C2 security standard."

Actually, running a web server itself makes it non-C2 compliant.
http://www.microsoft.com/technet/security/c2config.asp
So forget FrontPage extensions (bug or not), if you have IIS, you're not C2. I don't understand why CRN felt the need to drop anything related to C2-compliance in the article, except for the awe factor.

"However, no notices had been posted as of Friday afternoon"

Microsoft didn't post as of Friday afternoon, but Bugtraq and www.wiretrip.net were updated by 8:30am on Friday. I would consider these primary and secondary sources for this topic.

: http://www.crn.com/search/display.asp?ArticleID=15872

"The Test Center found a Perl script on the Web that appears to have been authored by the same individual who originally reported the flaw to Microsoft."

Ok, the script you posted says 'by LordRaYden'. So did they mean LordRaYden, or rfp?
If they knew I was the original reporter, then why didn't they check my website, especially when the script exhibited problems? Further, the script you posted was originally posted on Usenet-- LordRaYden posted it to alt.hack.nl. See for yourself:
http://x42.deja.com/getdoc.xp?AN=611203332&CONTEXT=957296763.370933776&hitnum=4

What's funny? The script there is correct. So somehow during the process of copying it from Usenet, someone at CRN incorrectly formatted it, causing it to lose particular linefeeds and produce errors on execution.

"In a preliminary examination of the script, it appears that "dvwssr.dll" is used to invoke an http request to retrieve a file over the Web"

That's incorrect. The script invokes an HTTP request to dvwssr.dll, to retrieve a file over the Web.

"The Test Center has released the Perl script to the public (see below) in hopes of starting an active forum regarding the script and means to exploit the security hole."

This article was posted on the 18th; the original script was to be found at www.wiretrip.net and on Bugtraq, Win2KSecAdvice, NTBugtraq, and other full-disclosure outlets. How is it in 4 days you did not even check a primary or secondary source for the security information? I would think even a little research would have turned up the original advisory and script.

: http://www.crn.com/search/display.asp?ArticleID=15994

"A Perl script recently posted on alt.hackers.malicious makes that expertise unnecessary."

Again, you used Usenet as your primary source. Usenet is third-party, unverified information, and yet this is your direct source of information for your article(s)?

"Whoever wrote the script is either on a par with Sir Isaac Newton and able to reverse-engineer an encryption algorithm from assembly code or, more likely, had access to the DLL source code."

Security experts reverse engineer software every day. You'd think as engineers in the 'Test Lab', they'd understand this.
"The script mentions the name "Rain Forest Puppy," the so-called security consultant who first reported the flaw to Microsoft, as a clue or red herring."

Red herring? Clue? If you would read Bugtraq and/or www.wiretrip.net, you will see I *did* originate the script.

"so-called security consultant"? More like "so-called journalists".

Reine Forriest, a.k.a. Rain Forest Puppy - Bath, UK
From: cult hero (jericho@attrition.org)
To: ianwar@cmp.com, jyacano@cmp.com
Cc: errata submission (errata@attrition.org)
Date: Tue, 2 May 2000 07:30:40 -0600 (MDT)
Subject: Errata in your article

http://www.crn.com/dailies/digest/breakingnews.asp?ArticleID=15872

The Test Center is currently seeking the assistance of Microsoft and anyone that can successfully demonstrate how the security hole can be exploited.

I'm wondering if you have contacted the author of the advisory, .rain.forest.puppy (rfp@wiretrip.net). I would have to guess that you haven't as I read your article, specifically:
http://www.crn.com/sections/testcenter/perlscript.txt

Looking at this script, I see that it is not written by RFP:

#!/usr/bin/perl
# dvwssr.pl by LordRaYden :))

Perhaps this is why your testing failed? Even the 'updated' file is not the original.

I am curious how your company can run a 'test center' with 'Test Center Engineers' that could not figure out your first problem. That they did not use the original author's script and more so, did not enlist his help is somewhat baffling. As you probably know, the term 'engineer' is used for technically savvy people that are considered competent in their field. One would have to question your use of this term for your lab staff after seeing their performance.

What I find more appalling is your final statement:

The Test Center has released the Perl script to the public (see below) in hopes of starting an active forum regarding the script and means to exploit the security hole.

Excuse me? RFP made the ORIGINAL exploit script public days before your article. It was posted on his web site as well as the Bugtraq mailing list. You can find his script at:
http://www.wiretrip.net/rfp/p/doc.asp?id=45&iface=2

With 'testing labs' like this 'helping' users on the Internet, one has to wonder if there is a positive gain here, or if their added confusion and disinformation is a negative impact. Please, strive for a higher level of reporting and testing.

Brian Martin
Attrition Staff