Message-ID: <Pine.LNX.4.58.0401201247560.22279@dzyngiel.ipartners.pl>
Date: Tue, 20 Jan 2004 12:54:22 +0100 (CET)
From: Mariusz Woloszyn <emsi@...rtners.pl>
To: Alun Jones <alun@...is.com>
Cc: bugtraq@...urityfocus.org
Subject: Re: What is the point here?


On Sun, 18 Jan 2004, Alun Jones wrote:

> I've been meaning to say something about this for some considerable time
> now, on various exploits and "proofs of concept" that have been posted to
> this list.
>
> Fine, I get the idea of posting a sample exploit, or a POC, as a means to
> spurring on developers (and administrators) to fix and patch systems against
> attack.  But really, unless there's a 'fix' that turns out not to be a fix,
> what is the point of posting a "second version" of a sample exploit or POC?
> [Maybe there's a good example in this case, but the poster never mentioned
> what the change was from the standpoint of getting the hole fixed]
>
> What is the point of cleaning up a sample exploit?  What is the point of
> posting more and "better" POCs?  What is the point of admitting such to this
> list?  I know it's a moderated list, because I've seen my own share of
> rejected messages, so I'm going to ask what the point is of the moderation?
>
> We've seen several POCs posted to this list with absolutely no attempt made
> to contact the developers, and we've seen people take other POCs and "fix
> them", so that they install a remote shell without alerting the
> administrators of the machine.  Why?
>
> If full disclosure in the name of protecting systems is what we're about,
> then we need to be contacting vendors of systems we breach, and we need to
> be posting code that goes only as far as is necessary to demonstrate the
> breach - _not_ far enough to be the source for the next root kit.
>
(...blah blah...)

If you make BT a list that filters out the exploits, there will appear a
lot of other lists or distribution channels that spread exploits/PoCs (no
matter what they are).
The result is: Admins reading BT will think that the BUG just mentioned
is hardly, or not, exploitable as they have seen no exploit, while the exploit
is distributed among blackhats.

It's been discussed here many, maaaaaany times. We don't see a need to
quote it again.

Rgrds,

-- 
Mariusz Wołoszyn
Internet Security Specialist, GTS - Internet Partners

