[156] in WWW Security List Archive
Re: what are realistic threats
daemon@ATHENA.MIT.EDU (Steve Kent)
Thu Sep 29 17:56:44 1994
To: Dave Kristol <dmk@allegra.att.com>
cc: www-buyinfo@allegra.att.com, www-security@ns1.rutgers.edu
In-reply-to: Your message of Wed, 28 Sep 94 10:00:14 -0400.
Date: Thu, 29 Sep 94 11:20:41 -0400
From: Steve Kent <kent@BBN.COM>
Reply-To: Steve Kent <kent@BBN.COM>
Dave,
I'd disagree with your characterization of an active attack as
requiring hardware inline. We already have hardware in place capable
of effecting the necessary attacks, e.g., routers. If an attacker can
subvert router management protocols, then he can introduce his own
software and thus carry out an attack form the comfort of his
workstation. I've seen software capable of doing this in the X.25
environment; it was developed to support diagnosis of subsciber
network problems. Router versions are a straightforward extrapolation
of this software, and malicious versions represent a simple evolution
from there.
Steve
