From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: DCOM RPC exploit  (dcom.c)

"gregh" <chows@...mail.com.au> wrote:

> Just my $0.02:
> 
> Shoot the messenger - that always stops the bad event happening.
> 
> Sorry for the sarcasm. I can never see the point in "If we don't tell
> the enemy how to build a nuclear weapon they never will so we are
> safer as a result" logic. 

The logic is not that you are ultimately "safer" in the sense that 
potential "adversaries" will be _prevented forever_ from developing 
"something bad" to use against you based on this "knowledge".

The argument is that you will be probabilistically safer for a longer 
time.  If you don't give kitset weapons, or the detailed plans of how 
to make them, to all and sundry then the number of potential 
adversaries who can use that type of weapon against you is _reduced_.  
Thus, probabilistically, over many iterations of such new weapon 
possibilities and designs, it is longer on average before any one of 
these weapons whose availability has been "boosted" is used against you 
_relative to those cases where the possibilities and plans are not 
disclosed_.

Thus, not disclosing such information is part of managing the risk 
associated with a vulnerability.

That is not to say "you can get right royally shagged via DCOM over RPC 
so apply this patch now" is not valuable information of the sort that 
should not be disclosed.  However, publishing exploit code for the 
kudos of the "my willy is bigger than yours" kind, which typically is 
the only "benefit" accruing to the discloser, is somewhere between 
narcissistic bloody mindedness and outright criminal.

(At the risk of strolling even further off topic, the first point 
reminds me of something the proponents of "give us the sploits" often 
trundle out -- convincing those managers who "won't believe X is 
possible until they see it with their own eyes".  Of course, selling 
"real security" to such folk is much like being tailor to that mythical 
emperor, so availability of sploits should not be necessary at all, as 
essentially the problem in such instances reduces to one or other of, 
"will I spoil my professional reputation by being hamstrung into 
implementing half-arsed solutions because this guy has half of a 
baboon's brain" _or_ to that of a marketing problem where the "art" is 
in deciding how to tell them any old crap so long as it is wrapped up 
in enough techno-gibberese that they think they half understand what 
you are talking about.

> Greg - you may call me a "Jihad O'Clue." if you wish.

I may, but as you're inviting name-calling, I think I am rather more 
likely to call you a silly twat that uses some chronically lame HTML 
Email client that has no place in the working armory of a security 
professional, at least not if its trivial configuration options that 
disable the sending of HTML Email are not disabled.


Regards,

Nick FitzGerald
