Open Source and information security mailing list archives
 
From: attica at stackheap.org (S . f . Stover)
Subject: No Subject (re: openssh exploit code?)

On 21 Oct 03 12:22:53AM mitch_hurrison@...lip.com wrote:
: Again, what is it about your personality that makes you incapable
: of taking part in an adult discussion of responsible disclosure
: issues? Is it that anyone who has a different opinion than yours
: is automatically not worth your time? That sounds kind of nazi-like
: to me Mr. Schmehl.

In Paul's defense, some aspects of this thread did degrade to some pretty
immature behaviour - some of it mine.  For that I'll apologize to the list.  I
respect your point Mitch, but your e-mails can come off as pretty
condescending...  You don't seem to have much respect for people that don't
code as well as you claim to, which is often a pretty big pill to swallow.  As
I said before, there are those of us who got into the security biz from other
areas than programming, which means we *are* less capable of figuring out this
exploit.  The age old question really comes down to "should people just
getting started in this area be treated like vermin?".  From my perspective, I
would hope not.  Every so often this issue comes up - the seasoned programmers
bashing the newer guy who asks for help.  Not without reason, mind you.  There
is no way for you to know my motives - and assuming the worst of people is
usually the best response (as sad as that is).

If you recall, my original post did not request the code itself, but just
asked if anyone had seen it.  I had only heard rumours and not actually heard
of anyone actually being compromised - which prompted my question to see if it
truly existed.

: It's quite saddening to see this list turn into a pack of hungry
: salivating fools at even a hint of an exploit for this issue. You
: seem to have more of a hardon for the "juarez" than any "kiddie"
: I've ever met. Even when trying to debate some of the issues
: surrounding the disclosure of such a potentially devastating
: exploit all one gets is "yeah, yeah. Now make with the warez".

I don't think it has progressed to this level.  I asked if anyone had seen
code for this exploit.  You pretty much ran me over with "it's definitely
exploitable, so STFU and patch", at which point other people chimed in asking
for a bit more information.  As I said in an earlier e-mail, my point was not
to badger people for code, just information.  In this e-mail, and a couple
others from other folks, I have gathered as much as I need to point me in the
right direction - for which I thank everyone who contributed.

<snip>

: Now on a larger scale, I think it's rather foolish to cop an attitude
: that assumes anything that doesn't exist in the public eye isn't
: possible.

I agree completely.  I didn't make my original request to justify patching.

: This is the year 2003. We aren't
: the only ones reading these lists people. Do you really want to
: be responsible for arming the more hostile elements in the world
: with such a tool? I can't stress it enough. No one should release
: this exploit. And to be honest in this day and age I think anyone
: releasing exploits to the general public is losing sight of a
: bigger picture that affects us all. Now I'm not talking about
: the Nth trivial snosoft local stack overflow "exploit". I'm talking
: about the apaches, the openssh's and the ms rpc's. Time and time
: again it's become apparent that full disclosure simply does not
: function. And although I realise that there will always be people supporting
: full disclosure, I think even with the disclosure of vulnerability
: information releasing exploits is something that's not justifiable
: in any way.

So what is the solution?  How can information be disseminated from those who
know and those who don't?  Not everyone can spend the time to learn how to
understand vulnerabilities like this.  Should they remain dependent upon
people who they only know from lists to tell them what and where to patch?  I
realize there are other institutions like SecurityFocus and ISS X-Force, etc.
that release advisories also, but that is still trusting an unknown entity.  I
don't have the answer, well, I know the answer for me is to learn this - but
not everyone has that luxury.

: There is simply no need for exploits, especially not one that would
: affect people and nations around the globe. You have to look beyond
: your own little egocentric world of friendly exploit dev and "but it's fun",
: and take a look at the bigger picture. 

There are those of us who have a different bigger picture to look at.  I am
*not* coming from a "but it's fun" angle, but I can't speak for anyone else,
nor can I expect the people who don't know me to believe me just because I
said it.

: So to you Paul, and to the rest of this list. I say once again
: if you can't write the exploit. You don't..need.. the exploit.

I really have a hard time following this logic - I'm no mechanic, so does that
mean I don't have the right to drive a car?  Again, the answer for me is to
buckle down and learn this, which is fine w/ me (and I'll be sure not to ask
the list for help), but like I stated previously, not everyone has that
luxury.  Consider IDS R&D groups.  While they may have the resources to dig
in and fully develop their own exploit code to write signatures from, doesn't
this delay their ability to put out quality signatures?  Or what if their code
works, but not in the same way as the code in the field?  Considering that
this is ssh (i.e. encrypted) maybe IDS isn't the best example, but I think the
point stands.  There are people out there who are not interested in "0wning
boxen", and have a valid need/desire for code.  The problem is separating
these folks from the so-called "leeches".  I understand this, which is why I
respect people's right to refuse to help me if they don't know me.

But it really would be nice to put the right tools in the hands of the folks
that need it.


-- 

aka Dolph Longhorn
attica@...ckheap.org
GPG Key ID: 0xF8F859D0
http://pgp.mit.edu:11371/pks/lookup?search=0xF8F859D0&op=index

"There is no such thing as right and wrong, there's just popular opinion."
-Jeffrey Goines