lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <42C42A88.9090609@trinityz.com>
Date: Thu, 30 Jun 2005 13:23:20 -0400
From: Steve Milner <smilner@...nityz.com>
To: Aviram Jenik <aviram@...ondsecurity.com>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: Publishing exploit code - what is it good for


Here is my quick $0.02:

In a lot of environments (including the one that I work on/in) we make 
our own modifications to software to get them to work in such a way that 
is more beneficial to our organization. Because we make modifications to 
the way software works we don't always know if the software we are using 
is actually vulnerable to exploits based upon version number. In some 
cases we have actually fixed a security problem without realizing it 
before any known vuln was released. It's also possible to open up older 
problems through patching and coding. Having exploit code available is a 
huge plus as it lets us test our software. Without it we wouldn't know 
(as quickly) if our in house version of XYZ is exploitable to the newest 
vuln release.

In a nutshell, exploit code allows people to easily find out if they are 
vulnerable to a specific problem without spending lots of time looking 
into it. After all, I'd rather exploit my own code and fix it as opposed 
to having someone else do it while I try to scramble to figure it out.

Steve

Aviram Jenik wrote:

>Hi,
>
>I recently had a discussion about the concept of full disclosure with one of 
>the top security analysts in a well-known analyst firm. Their claim was that 
>companies that release exploit code (like us, but this is also relevant for 
>bugtraq, full disclosure, and several security research firms) put users at 
>risks while those at risk gain nothing from the release of the exploit.
>
>I tried the regular 'full disclosure advocacy' bit, but the analyst remained 
>reluctant. Their claim was that based on their own work experience, a 
>security administrator does not have a need for the exploit code itself, and 
>the vendor information is enough. The analyst was willing to reconsider their 
>position if an end-user came forward and talked to them about their own 
>benefit of public exploit codes. Quote: " If I speak to an end-user 
>organization and they express legitimate needs for exploit code, then I'll 
>change my opinion."
>
>Help me out here. Full disclosure is important for me, as I'm sure it is for 
>most of the people on these two lists. If you're an end-user organization and 
>are willing to talk to this analyst and explain your view (pro-FD, I hope), 
>drop me a note and I'll put you in direct contact.
>
>Please note: I don't need any arguments pro or against full disclosure; all 
>this has been discussed in the past. I also don't need you to tell me about 
>someone else or some other project (e.g. nessus, snort) that utilizes these 
>exploits. Tried that. Didn't work.
>
>What I need is a security administrator, CSO, IT manager or sys admin that can 
>explain why they find public exploits are good for THEIR organizations. Maybe 
>we can start changing public opinion with regards to full disclosure, and 
>hopefully start with this opinion leader.
>
>TIA.
>
>  
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ