Date: Mon, 19 Jan 2004 17:49:15 -0500
From: "ken kousky" <kkousky@...inc.com>
To: "'Alun Jones'" <alun@...is.com>, <bugtraq@...urityfocus.org>
Subject: RE: What is the point here?


Alun,

Couldn't agree more. I'm a huge advocate of openness, I argue to many in
government agencies that obscurity damages security. I've written about the
Washington sniper case on the value that disclosures, even when against
policy, actually helped save lives. I'd suggest everybody look at the work
of the Federation of American Scientists www.fas.org and their secrecy
newsletter.

But with all that as background, showing off with better exploits isn't
helping the cause or our defense strategies.

Thanks for speaking up Alun and now we need to respond to your suggested
actions - can we collectively agree to more stringent guidelines for
postings here?

KWK


-----Original Message-----
From: Alun Jones [mailto:alun@...is.com] 
Sent: Sunday, January 18, 2004 10:47 PM
To: bugtraq@...urityfocus.org
Subject: What is the point here?

I've been meaning to say something about this for some considerable time
now, on various exploits and "proofs of concept" that have been posted to
this list.

Fine, I get the idea of posting a sample exploit, or a POC, as a means to
spurring on developers (and administrators) to fix and patch systems against
attack.  But really, unless there's a 'fix' that turns out not to be a fix,
what is the point of posting a "second version" of a sample exploit or POC?
[Maybe there's a good example in this case, but the poster never mentioned
what the change was from the standpoint of getting the hole fixed]

What is the point of cleaning up a sample exploit?  What is the point of
posting more and "better" POCs?  What is the point of admitting such to this
list?  I know it's a moderated list, because I've seen my own share of
rejected messages, so I'm going to ask what the point is of the moderation?

We've seen several POCs posted to this list with absolutely no attempt made
to contact the developers, and we've seen people take other POCs and "fix
them", so that they install a remote shell without alerting the
administrators of the machine.  Why?

If full disclosure in the name of protecting systems is what we're about,
then we need to be contacting vendors of systems we breech, and we need to
be posting code that goes only as far as is necessary to demonstrate the
breech - _not_ far enough to be the source for the next root kit.

And the moderators for this mailing list need to take some responsibility
(ooh, that's going to get my post rejected, for sure!), and start rejecting
"updated" POCs unless they serve some security _improvement_ purpose.  For
instance, if the vendor disclaims the presence of the bug, downplays it, or
uses the POC's tie to one OS or another to claim that other OSes are safe.
Quite honestly, many of the "second stab" POCs that I've seen to date appear
to be nothing more than an attempt to get some misplaced sense of glory,
and/or to say "here's the start of a root-kit, play with it now, kiddies,
I'm washing my hands of the whole affair, it's not my fault if you turn it
into the next Blaster / SoBig / whatever."

Posting exploits is _not_ a measure of first-resort.  Exploits should be
used as proof of concept in the last-resort, when vendors or admins have
entirely ignored a problem that you have tried to warn them about.  Exploits
should be released as proof of concept _after_ a successful patch has been
released, so that admins can test that the patch fixes the hole (of course,
that would mean they'd want to test the exploit on an unpatched machine
first), or so that they can verify that the patch applies a full fix.

Exploits should not be released in a form that practically screams "okay,
crackers, hackers and evil scum, come and play with this - the vendors don't
know about it yet".  Was it necessary for this "proof of concept" to provide
a remote _shell_ as their "proof"?  Never mind _this_ PoC, when posting your
next one, or when you're a moderator approving the posting of a PoC, ask
yourself if the systematic wide publication of this message will serve to
improve security, or will serve as a root-kit for pimply wastrels?

Is the content of this discussion substantially different from the sort of
discussion you'd find in cracker IRC chats?  Other than a nod to posturing
that might place this as a Bugtraq posting, what I see quite often in here
contains technically the same content as:

Hey, d00dz, I jus g0t a GPF in da server.  [Instructions]
Woah, man, yeah, like, totally, I turned it into a sneaky remote shell.
Don' tell my teacherz or nuffin.  [Binary attachment]

I really don't know why _you_ signed up for Bugtraq.  Me, I signed up
because someone posted an exploit for my software here some time ago, and
didn't bother to tell me about it first.  I'd like to think that isn't
Bugtraq's purpose.

I'd like to think that Bugtraq positions itself as something more than a
semi-sneaky, behind-the-back-of-the-vendors rant group, or an assembly point
for root-kit starters.  Moderators, please stop accepting posts where the
poster has stated specifically that they have not yet notified the vendor,
or where the only new thing that is contributed is a more insidious version
of an existing exploit.  And posters, please consider carefully before you
post whether what you post is going to contribute to an increase in security
or a decrease in security.  If you cannot claim that your post will help to
improve security, then do us a favour and take it somewhere else.

Alun Jones, MS MVP (Security, Windows SDK)
-- 
Texas Imperial Software   | Find us at http://www.wftpd.com or email
1602 Harvest Moon Place   | alun@...is.com.
Cedar Park TX 78613-1419  | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(512)258-9858 | Try our NEW client software, WFTPD Explorer.
 

Powered by blists - more mailing lists