Was it… SATAN?

In the 1990s, Saturday Night Live was awesome. (I may be dating myself here.) Dana Carvey had a wonderful character called the Church Lady: a little old lady, uptight and smug, with her very own talk show called “Church Chat”. One of her catchphrases was “Now, who could it be? Could it be… SATAN?”

I was reminded of this while doing some research into the origin of vulnerability scanners. The first one was called COPS, but the second one, that was called SATAN. It even came out at the right time, in 1995.

For the Church Lady, SATAN was clearly the bad guy. For system administrators, SATAN was clearly the good guy. It wasn’t the be-all and find-all of vulnerabilities; rather, it recognized several network-related problems and tried to determine if your system was vulnerable to them. It didn’t go out and wreak havoc; rather, it sat on the network and said, “Hi, I’m here, what can I do?”

According to http://www.fish2.com/satan/summary.html it found, among other things, “writable anonymous FTP home directory”. Anonymous FTP was the thing at the time. Just like downloading from a web page, it was a way of transferring information from one host to another. I downloaded Linux™ for the first time using anonymous FTP. The ability to write to an FTP home directory as an anonymous user was just, well, scary. It would be the same as a random web server allowing you to upload whatever you wanted and immediately serving it to the public.

It’s a bad thing.

It has been over 20 years since SATAN was first released. What lessons did we learn from SATAN, and how can we use them moving forward? Write a column for DTRAP on the benefits of hindsight to vulnerability research and submit it to https://dtrap.acm.org/
