lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 30 Jun 2005 13:55:50 -0400
From: Thomas Reinke <reinke@...urityspace.com>
To: Aviram Jenik <aviram@...ondsecurity.com>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: Publishing exploit code - what is it good for


> benefit of public exploit codes. Quote: " If I speak to an end-user 
> organization and they express legitimate needs for exploit code, then I'll 
> change my opinion."

Heh...very close-minded to begin with. Good luck trying any
argument with this "analyst".

> Please note: I don't need any arguments pro or against full disclosure; all 
> this has been discussed in the past. I also don't need you to tell me about 
> someone else or some other project (e.g. nessus, snort) that utilizes these 
> exploits. Tried that. Didn't work.
> 
> What I need is a security administrator, CSO, IT manager or sys admin that can 
> explain why they find public exploits are good for THEIR organizations. Maybe 
> we can start changing public opinion with regards to full disclosure, and 
> hopefully start with this opinion leader.
> 
> TIA.
> 

You may wish to point out to your "analyst" that end-user benefits
are indirect  How many times have we seen organizations attempt
to sweep problems under the cover. This is an old, well understood
reason for full disclosure.  Now, how many times have their been
arguments about "this is not a code injection exploit, only a DoS,
so the customer impact is not severe, so we're delaying fixing this
until release X.Y in 3 months time", only to find someone
actually coded an exploit to prove that a vulnerability is fully
exploitable.

The end result:  Exploit code, responsibly handled, serves the exact
same purpose that vulnerability information disclosure serves: an
accountability mechanism to ensure that Vendors do not attempt to
bury information that they perceive to negatively impact their products
and services.  Thus, exploit code serves the customer by ensuring
that vendors handle vulnerabilities promptly because the vendor is
aware that exploits will likely be developed, and that the negative
publicity of exploits running wild against their products outweigh
the negative publicity of admitting (and fixing) a vulnerability.

But, somehow, giving the attitude your analyst is conveying, I'd say
more effort has been expended than is worthwhile.

Thomas
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ