Message-ID: <OFA31B090A.6B5F02AC-ON85257030.005FCBA5-85257030.0061462D@mailrouter.net>
Date: Thu, 30 Jun 2005 13:42:28 -0400
From: Matt.Carpenter@...icor.com
To: aviram@...ondsecurity.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: Publishing exploit code - what is it good for


We are a company that actively keeps up to date on publicly available 
exploits.  Their availability not only prompts us to understand the risks 
when prioritizing, but also provides us with the necessary tools to dispel 
nay-sayers' arguments of disbelief.  Nothing like showing management the 
true risks...

Beyond that, from a more theoretical standpoint, we believe that 
full-disclosure and publicly accessible exploits serve as a cattle-prod 
for vendors that would otherwise ignore vulnerabilities.  Exploits are not 
easily available, so they must not exist.  We all know that this is not 
the case. 

My personal opinion is that full-disclosure allows those whose minds are 
inclined to break things something constructive to do, short of joining 
the dark side.  I'm much less likely to consider H.D. Moore a danger to my 
network since he is able to release his (their) toolset freely. Otherwise, 
the urge to "prove" how great they are might lead more hacker-types down 
the seductive path.  HDM is great, and we all know it.  He doesn't have to 
prove it by doing a "seriously righteous hack."

But that's just my thinking.  Dangerous to listen too closely.

 
Matthew Carpenter
IT Security Specialist
Alticor Corporation
Phone: 616-787-0287
Email: matt.carpenter@...icor.com
Page Me (230 characters Max)
Email ITSS On-Call Account


-----BEGIN PGP PUBLIC KEY FINGERPRINT-----
PGP Fingerprint: 52C3 328D C29C 178B 2DFD 9EA8 C710 0042 8CB4 3CDB
-----END PGP PUBLIC KEY FINGERPRINT-----
Aviram Jenik <aviram@...ondsecurity.com>
30/06/2005 08:13
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Publishing exploit code - what is it good for

Hi,

I recently had a discussion about the concept of full disclosure with one 
of the top security analysts in a well-known analyst firm. Their claim was 
that companies that release exploit code (like us, but this is also 
relevant for bugtraq, full disclosure, and several security research 
firms) put users at risk while those at risk gain nothing from the release 
of the exploit.

I tried the regular 'full disclosure advocacy' bit, but the analyst 
remained reluctant. Their claim was that based on their own work 
experience, a security administrator does not have a need for the exploit 
code itself, and the vendor information is enough. The analyst was willing 
to reconsider their position if an end-user came forward and talked to 
them about their own benefit of public exploit code. Quote: "If I speak to 
an end-user organization and they express legitimate needs for exploit 
code, then I'll change my opinion."

Help me out here. Full disclosure is important for me, as I'm sure it is 
for most of the people on these two lists. If you're an end-user 
organization and are willing to talk to this analyst and explain your view 
(pro-FD, I hope), drop me a note and I'll put you in direct contact.

Please note: I don't need any arguments pro or against full disclosure; 
all this has been discussed in the past. I also don't need you to tell me 
about someone else or some other project (e.g. nessus, snort) that 
utilizes these exploits. Tried that. Didn't work.

What I need is a security administrator, CSO, IT manager or sys admin that 
can explain why they find public exploits good for THEIR organizations. 
Maybe we can start changing public opinion with regards to full 
disclosure, and hopefully start with this opinion leader.

TIA.

-- 
Aviram Jenik
Beyond Security

http://www.BeyondSecurity.com
http://www.SecuriTeam.com
