Wednesday, March 02, 2016

An open letter to Sec. Ashton Carter


For security research, I regularly "mass scan" the entire Internet. For example, my latest scan shows between 250,000 and 300,000 devices still vulnerable to Heartbleed. This is legal. This is necessary security research. Yet, I still happily remove those who complain and want me to stop scanning them.

The Department of Defense didn't merely complain, but made threats, forcing me to stop scanning them. You guys were quite nasty about it, forcing me to figure out for myself which address ranges belong to the DoD.
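
The "remove those who complain" workflow above is just an exclude list applied before a scan starts. As an added example that is not from the original post or the author's own scanner, here is a small Python filter that parses an exclude file (CIDR blocks, single hosts, and inclusive "start-end" ranges, with `#` comments; this line format is an assumption, not a specification), merges the blocks, and drops any target that falls inside one. All addresses are RFC 5737 documentation ranges standing in for real ones; the exclude file is constructed for this example and is not anyone's actual list.

```python
"""Exclusion-list filtering for an Internet-wide scan (added example).

Honour opt-out requests by excluding address blocks before scanning.
IPv4 only; the exclude-file syntax (CIDR, single host, "lo-hi" range,
'#' comments) is an assumption about how such files are commonly written.
"""
import ipaddress
from typing import Iterable, List

# Constructed exclude file, standing in for a list of complaints received.
# These are documentation ranges (RFC 5737), not any real organisation's space.
EXCLUDE_FILE = """\
# complaint: whole block
192.0.2.0/24
# complaint: single host
198.51.100.7
# complaint: inclusive range
203.0.113.10-203.0.113.20
"""


def parse_exclude_file(text: str) -> List[ipaddress.IPv4Network]:
    """Parse exclude-file text into a collapsed list of IPv4 networks."""
    nets: List[ipaddress.IPv4Network] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        if "-" in line:
            lo_s, hi_s = (s.strip() for s in line.split("-", 1))
            lo, hi = ipaddress.IPv4Address(lo_s), ipaddress.IPv4Address(hi_s)
            if lo > hi:
                raise ValueError(f"inverted range: {line!r}")
            # Expand an arbitrary inclusive range into minimal CIDR blocks.
            nets.extend(ipaddress.summarize_address_range(lo, hi))
        else:
            # strict=False accepts "192.0.2.1/24" and normalises it to 192.0.2.0/24.
            nets.append(ipaddress.ip_network(line, strict=False))
    # Merge adjacent and overlapping blocks so membership tests stay cheap.
    return list(ipaddress.collapse_addresses(nets))


def is_excluded(addr: str, nets: Iterable[ipaddress.IPv4Network]) -> bool:
    """True if addr falls inside any excluded network."""
    ip = ipaddress.IPv4Address(addr)
    return any(ip in n for n in nets)


def filter_targets(targets: Iterable[str],
                   nets: Iterable[ipaddress.IPv4Network]) -> List[str]:
    """Return the targets that are safe to scan (not excluded)."""
    nets = list(nets)
    return [t for t in targets if not is_excluded(t, nets)]


def excluded_count(nets: Iterable[ipaddress.IPv4Network]) -> int:
    """Number of individual addresses the exclude list removes."""
    return sum(n.num_addresses for n in nets)


if __name__ == "__main__":
    nets = parse_exclude_file(EXCLUDE_FILE)
    print(f"{len(nets)} blocks, {excluded_count(nets)} addresses excluded")
    # Constructed candidate targets; only 203.0.113.9 survives the filter.
    print(filter_targets(["192.0.2.1", "203.0.113.9", "203.0.113.15"], nets))
```

Collapsing the list before use matters at Internet scale: a per-target `any()` over thousands of un-merged blocks is what makes exclude handling slow, and inverted ranges are rejected rather than silently excluding nothing.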

These threats are likely standard procedure at the DoD, investigating every major source of scans and shutting down those you might have power over. But the effect of this is typical government corruption, preventing me from reporting the embarrassing detail of how many DoD systems are still vulnerable to Heartbleed (but without stopping the Chinese or Russians from knowing this detail).

Please remove your threats, so that I can scan the DoD in the same way I scan the rest of the Internet. This weekend I'll be scanning the Internet for systems susceptible to the DROWN attack. I would like to include DoD in those scans.

I write to you now because you are making overtures to Silicon Valley, and offering bug bounties. Fixing this problem would help in this process.

Robert Graham


david.j.mercer said...

oh that process of figuring out which blocks not to scan must have been messy.

Unknown said...

Online writing services are playing an important role in every student's academic life. To prepare an essay we need to put a little bit of effort into it. We need to research more about the topic. But now it is very easy to prepare effective essays with the help of an online writing service. These are the services offering high quality writing assistance and writing essays for cheap. It will be more helpful for the students to reduce their workload, so that they can concentrate more on studies.

algorythm said...

I've found the response to mass scanning is hugely dependent on what port(s) you are hitting and how (SYN? ACK? full connect with HTTP verbs? Consecutive IPs/ports or random? etc.)

I'm curious whether you plan to make an effort to determine if you are hitting an actual web server vs. a load balancer when you scan for DROWN? I've a theory that a large number of the supposed vulnerable 'sites' in the numbers released in the report are actually not a web server, but a load balancer that's set to accept all the things regardless of what the actual server behind it accepts. If that's true, the numbers are skewed, as the server would reject the connection from an actual client, and the website would not be affected.

Hristos said...

Why not just add a default exclude.txt in the repo with those ranges in there... :D

Anonymous said...

I appreciate that the name of commenter number two is Edna.

I think that's the DoD's unofficial response to you.

Codename Edna: Operation Writing Essays on the Cheap Brah

Ryan said...

doot doot doot