lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
From: Sandeep-Giri at deshaw.com (Giri, Sandeep)
Subject: [Secure Network Operations, Inc.]
	 FullDisclosure != Exploit Release

Hi!
>From a security professional's point of view, releasing an exploit is
beneficial.
If he releases exploit someone would certainly write a virus for the same.
Which will make companies realise the benefit in hiring the security
professionals.

So, from my point of view, writing viruses which doesn't physically destroy
any thing is also okay;)

Sorry, if it hurts the ethics..and if it sends wrong singnals about my area
of work.

Thanks.
Regards,
Sandeep Giri



-----Original Message-----
From: hellNbak [mailto:hellnbak@...c.org]
Sent: Wednesday, January 29, 2003 11:16 PM
To: Ron DuFresne
Cc: Strategic Reconnaissance Team; Nicolas Villatte;
full-disclosure@...ts.netsys.com
Subject: Re: RE : RE : [Full-Disclosure] [Secure Network Operations,
Inc.] FullDisclosure != Exploit Release


Thanks for adding zero value Ron.

We are not talking about working with vendors or notifying vendors.  I
made the assumption that the Snosoft guys have their own policy on what to
do with vendors.  We have our own at NMRC and we are quite willing to work
with a vendor.  But that is not what we are discussing here.

On Wed, 29 Jan 2003, Ron DuFresne wrote:

> Date: Wed, 29 Jan 2003 08:35:39 -0600 (CST)
> From: Ron DuFresne <dufresne@...ternet.com>
> To: hellNbak <hellnbak@...c.org>
> Cc: Strategic Reconnaissance Team <recon@...soft.com>,
>      Nicolas Villatte <Nicolas.Villatte@...alvas.be>,
>      full-disclosure@...ts.netsys.com
> Subject: Re: RE : RE : [Full-Disclosure] [Secure Network Operations,
>      Inc.] FullDisclosure != Exploit Release
>
> On Tue, 28 Jan 2003, hellNbak wrote:
>
>
> 	[SNIP]
>
> >
> > So I say release the code, try and make it as crippled as possible
> > (localhost only or whatever) so at least you know that *your* code won't
> > be directly used for malicious intent.  Yeah exploits and malicious
> > code/worms/virus'/whatever will still exist and be abused but regardless
> > of what you and anyone else for that matter do it always will.
> >
> > At least with releasing code you can take comfort in knowing that you
are
> > helping those who cannot help themselves.  That is of course if you
> > believe in helping others and don't just release advisories for the
> > media-whoring marketing purposes (hello to my friends at ISS ;p).
> >
> >
>
> What's interesting about the disclosure debates in their various forms, is
> that it has been ongoing since the first earliest security lists, <check
> the http://securitydigest.org/ site>.  In fact, the debate seemed to be at
> time a near show stopper for a number of the early lists, at times they
> never got much beyond the topic, for long periods of time, and some lists
> died or went stagemant while enthralled within the discussion process>.
> And, to this day it persists.  Though the trend has been softened with the
> term "responsible" prepended.  In that light, rather then issueing a quick
> advisory with a borked exploit enclosed, it might be better to issue the
> warning, after first letting the vendor<s> in question know of your
> findings and giving them at least a modicum of time to ingest your work,
> then later down the road, posting the code you developed.  Perhaps
> allowing a large portion of those exposed, to fix their sites and be
> prepared for the coming mess of adverse packets?
>
> Thanks,
>
>
> Ron DuFresne
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> "Cutting the space budget really restores my faith in humanity.  It
> eliminates dreams, goals, and ideals and lets us get straight to the
> business of hate, debauchery, and self-annihilation." -- Johnny Hart
> 	***testing, only testing, and damn good at it too!***
>
> OK, so you're a Ph.D.  Just don't touch anything.
>
>

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

"I don't intend to offend, I offend with my intent"

hellNbak@...c.org
http://www.nmrc.org/~hellnbak

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ