[Air-l] Re: Air-l digest, Vol 1 #299 - 4 msgs

Catriona Moore catriona.moore at arthist.usyd.edu.au
Sun Feb 17 16:27:27 PST 2002


please unsubscribe

air-l-request at aoir.org wrote:

>
>
> Today's Topics:
>
>    1. widespread snmp problems (jeremy hunsinger)
>    2. Re: Air-l digest, Vol 1 #298 - 7 msgs (Jay Hauben)
>    3. Re: on gauges and other technical standards (Junghoon Kim)
>    4. Re: Re: Air-l digest, Vol 1 #298 - 7 msgs (jeremy hunsinger)
>
> --__--__--
>
> Message: 1
> Date: Tue, 12 Feb 2002 15:48:33 -0500
> From: jeremy hunsinger <jhuns at vt.edu>
> Organization: Virginia Tech
> To: air-l at aoir.org
> Subject: [Air-l] widespread snmp problems
> Reply-To: air-l at aoir.org
>
> Well by now you've all seen it, big problems with simple network
> management protocol.  What you might not have seen is how I saw it, so
> I'll share because I think it is interesting and should be for others.
>  Way back in 99 SANS issued a top 10 problems document that said to turn
> of snmp unless absolutely necessary, this is for a wide variety of
> reasons, but overall it is not very well secured protocol or management
> system, though it is quite effective.  So earlier today, I get an e-mail
> from SANS saying:
>
> 1:30 PM EST 12 February, 2002
>
> In a few minutes wire services and other news sources will begin
> breaking a story about widespread vulnerabilities in SNMP (Simple
> Network Management Protocol).  Exploits of the vulnerability cause
> systems to fail or to be taken over.  The vulnerability can be found in
> more than a hundred manufacturers' systems and is very widespread -
> millions of routers and other systems are involved.
>
> As one of the SANS alumni, your leadership is needed in making sure that
> all systems for which you have any responsibility are protected. To do
> that, first ensure that SNMP is turned off. If you absolutely must run
> SNMP, get the patch from your hardware or software vendor. They are all
> working on patches right now. It also makes sense for you to filter
> traffic destined for SNMP ports (assuming the system doing the filtering
> is patched).
>
> To block SNMP access, block traffic to ports 161 and 162 for tcp and
> udp.  In addition, if you are using Cisco, block udp for port 1993.
>
> The problems were caused by programming errors that have been in the
> SNMP implementations for a long time, but only recently discovered.
>
> CERT/CC is taking the lead on the process of getting the vendors to get
> their patches out.  Additional information is posted at
> http://www.cert.org/advisories/CA-2002-03.html
> ____
>
> Low and behold, I check yahoo at 3:30pm and there it is, posted at 2:53, an hour and 23 minutes reponse between effective announcement ot security professionals and public. Now granted that is not alot of time, but for highly efficient organizations, it probably was sufficient.
>
> After the sans announcement came out, i checked our(cddc/aoir) systems just to be sure.  at 2:40 i received the cert announcement, which is a broad announcement which generated the media most likely.
>
> what amazes me is the increasing systematization of information security and the professionalization that goes along with it, how does having an 1 hour period before announcement help sustain the appearance of professionalism, or the top 10 list, I haven't made that argument yet, but I'd be interested in opinions.
>
> --
> jeremy hunsinger                http://www.cddc.vt.edu/jeremy
> cddc/political science          http://www.cddc.vt.edu
> 526 major williams hall 0130    http://www.dromocracy.com
> virginia tech                   -under construction
> blacksburg, va 24061
> 540-231-7614
>
> --__--__--
>
> Message: 2
> Date: Tue, 12 Feb 2002 21:54:23 -0500 (EST)
> From: Jay Hauben <jrh29 at columbia.edu>
> To: air-l at aoir.org
> Cc: jrh29 at columbia.edu
> Subject: [Air-l] Re: Air-l digest, Vol 1 #298 - 7 msgs
> Reply-To: air-l at aoir.org
>
> Hi,
>
> Just to be complete, Educause lists 154 Corporate members (see
> http://www.educause.edu/memdir/memdir.html). So the fate of the
> .edu domain is not only in the hands of the education community.
> It has been my observation over the years that in particular the
> publishing industry has exerted a strong influence in Educause.
>
> Does anyone know what other organizations were considered for this
> privilege of overseeing the distribution of .edu domains?
>
> Jay
>
> --__--__--
>
> Message: 3
> Date: Wed, 13 Feb 2002 07:38:50 -0500
> Subject: Re: [Air-l] on gauges and other technical standards
> From: Junghoon Kim <junghkim at indiana.edu>
> To: air-l at aoir.org
> Reply-To: air-l at aoir.org
>
> Allan,
>
> Here is some information on technical standards setting.
>
> There were two IEEE Conference on STANDARDIZATION and INNOVATION in
> INFORMATION TECHNOLOGY (SIIT). You may access conference websites and
> get some articles on technical standards setting in IT sector.
>
> The first conference website:
> http://www-i4.informatik.rwth-aachen.de/~jakobs/siit99/Final.html
>
> The second conference website: http://www.siit2001.org/
>
> =
>
> Also here are three books I recommend.
>
> 1. Shaping Standardization:  A study of standards processes and
> standard policies in the field of telematic services, by Tineke
> Egyedi, Ph.D. Thesis, 1996, Delft Technical University: this is also
> published as book-format, you may get this one by using inter-library
> loan. I used it before.
>
> It analyzes standards setting process by using the social construction
> technology (SCOT) theory. I like this book very mainly because it
> provides a clear 'analytical' framework.
>
> If you wanna read other articles by her, here is her website:
> http://www.tbm.tudelft.nl/webstaf/tinekee/
>
> 2. Standards Policy for Information Infrastructure, Edited by Brian
> Kahin and Janet Abbate, MIT 1995
>
> covers extensive IT standards setting issues
>
> 3. Inventing the Internet, by Janet Abbate, MIT 1999 (Chapter on
> TCP/IP Vs. OSI is especially interesting)
>
> Good luch for your thesis,
>
> Best,
> Junghoon Kim
>
> =========================================
> Associate instructor and Doctoral student
> Department of Telecommunications
> Indiana University, bloomington
> USA
> &
> Ph. D candidate
> Faculty of Policy Studies
> Chuo University, Tokyo
> Japan
> ============================
>
> -------------------
> > Hello all,
> >
> > After reading the recent discussion on railroad gauges deriving from
> > ancient standards, I am curious if anyone is doing work looking into
> > technical standards.  I'm writing my undergrad honors thesis on
> technical
> > Internet standards, and the need for public interest involvement in
> the
> > standardization process, viewing this as a subset of the "technical
> is
> > political" or "code is law" body of work.  Although my thesis is
> > predominantly policy-oriented, I'd really like some theory to work
> with,
> > aside from market failures and civic governance.  Chasing citations
> > back and forth has not turned up a whole lot in this area.  If
> > anyone has any suggestions for literature that delves into examining
> the
> > larger impacts of specific technical design decisions, from any
> > perspective (sociology, psychology, policy, etc) I would really
> appreciate
> > it.
> >
> > Thanks for your help,
> > /allan
> >
> >                 ... et surtout||Allan Friedman
> >                  n'oubliez pas||Center for Social and Policy Studies
> >                      de tomber||Swarthmore College
> >                       amoureux||allan at friedmans.org
> >                 http://www.sccs.swarthmore.edu/~allan
> >
> > "For the umpteenth time that evening, he wished computer code
> responded
> > to threats of physical violence..."
> >
> >
> >
> > _______________________________________________
> > Air-l mailing list
> > Air-l at aoir.org
> > http://www.aoir.org/mailman/listinfo/air-l
> >
> >
> >
>
> --__--__--
>
> Message: 4
> Date: Wed, 13 Feb 2002 09:14:51 -0500
> From: jeremy hunsinger <jhuns at vt.edu>
> Organization: Virginia Tech
> To: air-l at aoir.org
> Subject: Re: [Air-l] Re: Air-l digest, Vol 1 #298 - 7 msgs
> Reply-To: air-l at aoir.org
>
> As I recall, no, educause lobbied to get it, there was some debate late
> in the game about whether it should be given to something like Verisign,
> but it did not get far, the story is somewhat documented in various
> places.
> Jay Hauben wrote:
>
> >Hi,
> >
> >Just to be complete, Educause lists 154 Corporate members (see
> >http://www.educause.edu/memdir/memdir.html). So the fate of the
> >.edu domain is not only in the hands of the education community.
> >It has been my observation over the years that in particular the
> >publishing industry has exerted a strong influence in Educause.
> >
> >Does anyone know what other organizations were considered for this
> >privilege of overseeing the distribution of .edu domains?
> >
> >
> >Jay
> >
> >
> >_______________________________________________
> >Air-l mailing list
> >Air-l at aoir.org
> >http://www.aoir.org/mailman/listinfo/air-l
> >
>
> --
> jeremy hunsinger                http://www.cddc.vt.edu/jeremy
> cddc/political science          http://www.cddc.vt.edu
> 526 major williams hall 0130    http://www.dromocracy.com
> virginia tech                   -under construction
> blacksburg, va 24061
> 540-231-7614
>
> --__--__--
>
> _______________________________________________
> Air-l mailing list
> Air-l at aoir.org
> http://www.aoir.org/mailman/listinfo/air-l
>
> End of Air-l Digest





More information about the Air-L mailing list