Moshe Zadka wrote:
>
> On Mon, 25 Dec 2000 16:41:49 +0200, System1 <[EMAIL PROTECTED]> wrote:
>
> > using ICQ remote attacker is able to make full port scan on networks behind
> > the firewall.
>
> No, when a user uses the client with a bug, a remote attacker is able to....
No, it's a protocol feature not a bug in a certain version.
Note that this exist in all the icq clients because of that.
>
> > If ICQ gives people the ability to make scans of my servers that are behind
> > firewall I dont want it here. its only troubles.
>
> People will go to great lengths to circumvent you (I can think of a couple
> of ways I'd circumvent it if I wanted to), so you'll just annoy them and not
> have any security benefit. A better thing to do is to let users run ICQ
> remotely on a DMZ'ed completely, and then politely ask them to do so.
Huh?! Run it on a DMZ? I don't get how you can do that in a way that
will
benefit the users and/or the security of your network.
If you mean running the clients
off a DMZ machine and making the clients connect to from the
(safe) inner network, than it opens even larger security holes than
running
ICQ from the inside of your network.
> An even better way is to help users upgrade to a better ICQ version.
No, (read up)
>
> In any way, I'm a strong advocate of the "company policy/polite request"
> methodology rather then the technical solutions, because the technical
> solutions *will* be circumvented. (I know -- I worked in a company
> that all of a sudden got a firewall and an idiot sysadmin. I saw the
> circumventions -- it took everyone who wanted to about one day
> to return to use ICQ)
As you said, the sysadmin was an idiot, if a sysadmin wants
he can easily block ICQ. Ofcourse he'll have to know
how to do it or it will not be effective (like in your situation).
And that's what all this thread is about.
--
Alon Oz,
Aduva Research Team,
Mailto: [EMAIL PROTECTED]
--
A proud member in the Evil Linux cyberterrorist hackers (ELCH)
organization
A who can launch Denial of Service attacks against the embedded devices
in your 6-slice toaster with advanced pingflood Open Source classified
exploit codes hidden inside strongly encrypted Russian mafia pornography
that innocent American children download from online gambling web sites
located in the Northern Mariana Islands
=================================================================
To unsubscribe, send mail to [EMAIL PROTECTED] with
the word "unsubscribe" in the message body, e.g., run the command
echo unsubscribe | mail [EMAIL PROTECTED]
