lists.openwall.net: Open Source and information security mailing list archives
From: whitevampire at mindless.com (White Vampire)
Subject: Security Industry Under Scrutiny: Part One

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sun, Nov 10, 2002 at 09:35:24PM -0500, sockz loves you(sockz@...il.com) wrote:
> Dear Len,

	I suppose I largely agree with Len.

> your argument is self-sealing.  it lacks substance.  if most of the attacks on 
> systems are coming from script kiddies, who have found these holes NOT by
> themselves but from the security industry and all the 'proof of concept' tools
> that come out of it, then how does full disclosure protect the interests of the
> admin?
>
> it doesn't.

	Incompetency does not work as an argument against a viable
method.  Hell, a guy might not know how to cook a hamburger properly at
McDonald's; it doesn't mean they're all going to make you sick.

	(Let's hear it for stupid metaphors.)

	As far as I am concerned, if a person cannot properly do their
job, it is their fault.  Eventually, someone is going to get a clue, and
if that means eliminating jobs for those incapable of performing them,
so be it.

	The truth is the most important subject here.  The future of the
Internet is somewhat uncertain, as it is.. everybody wants to regulate
everything.  It's somewhat sad.

> take the recent attacks on XMB by Mike Parniak and his so called "hacking crew".
> this script kiddy developed a tool based on a well known md5 exploit in XMB v1.6
> Magic Lantern that gives a user admin privileges.  he then distributed that 
> tool to lesser skilled script kiddies and the end result was a week of rage 
> against XMB boards around the web (oops did i just say that aloud?).  only about
> 20% of the boards had been patched.  and i restate: the bug had been in public
> circulation for a long while and had even been in full view on XMB's software 
> update page.

	The emphasis on poorly implemented Web applications on security
lists these days is annoying.

> it even appeared on vuln-dev in mid _May_ this year!

	Perhaps that speaks of the userbase of that software, rather
than a general consensus of Internet practices.  I would also suggest
the people who develop the aforementioned software implement a security
or announcement list for their software.  I would hope that they at
least update the Web site.  If a person runs outdated software, that is
their fault.

> how did full disclosure work in this case?  by your argument, Len, 6 months
> would have been more than enough for all the board admins to update their 
> system (all that was required was to change a file name).  why such a low
> success rate?  why didn't the security industry's system work in this case (and
> so many others)?

	I propose a new government agency mandating access for all
Internet accessible machines across the world.  This agency will be
responsible for updating software without notifying the owners, thus
continuing a security blanket for the world.

	Oh yeah, and the airlines are safe now.  Really, they are.

Regards,
- -- 
\   | \  /  White Vampire\Rem                |  http://gammaforce.org/
 \|\|  \/   whitevampire@...dless.com        |  http://gammagear.com/
"Silly hacker, root is for administrators."  |  http://webfringe.com/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.5 (GNU/Linux)

iD8DBQE9zyDY3+rxmnEDyl8RAkRnAJ4x0zMV2+AvJVAebA4weduYcsVC7gCffYU0
xsPfWjL2a5dzQB4Ru4Klgjw=
=md6C
-----END PGP SIGNATURE-----
