| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 30 Jun 2005 21:18:48 -0400 From: "Michael Evanchik" <mike@...npickel.com> To: "Aviram Jenik" <aviram@...ondsecurity.com>, <full-disclosure@...ts.grok.org.uk>, <bugtraq@...urityfocus.com> Subject: RE: Publishing exploit code - what is it good for 1) Over a long period of time, after learning the different dimensions of attack, PoC code can turn you into a pretty good pen tester of your own network and setup. We all learn from our mistakes. You learn nothing from a security alert with no details as to what exact mistake was made in a product where others could learn from. 2) (in some cases) PoC code although temporarily causes harm, sometimes overall improves internet security as a whole. Look at MS blaster, we all learned quick to patch the correct ports (well most of us) and now use firewalls as well as Microsoft turning them on by default. 3) PoC code will get the vendor to take quick action. With no poc, they will take there little old time to patch their product. They assume its not being used in the wild, but how could anyone be so sure? Michael Evanchik www.michaelevanchik.com -----Original Message----- From: full-disclosure-bounces@...ts.grok.org.uk [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Aviram Jenik Sent: Thursday, June 30, 2005 8:14 AM To: full-disclosure@...ts.grok.org.uk; bugtraq@...urityfocus.com Subject: [Full-disclosure] Publishing exploit code - what is it good for Hi, I recently had a discussion about the concept of full disclosure with one of the top security analysts in a well-known analyst firm. Their claim was that companies that release exploit code (like us, but this is also relevant for bugtraq, full disclosure, and several security research firms) put users at risks while those at risk gain nothing from the release of the exploit. I tried the regular 'full disclosure advocacy' bit, but the analyst remained reluctant. Their claim was that based on their own work experience, a security administrator does not have a need for the exploit code itself, and the vendor information is enough. The analyst was willing to reconsider their position if an end-user came forward and talked to them about their own benefit of public exploit codes. Quote: " If I speak to an end-user organization and they express legitimate needs for exploit code, then I'll change my opinion." Help me out here. Full disclosure is important for me, as I'm sure it is for most of the people on these two lists. If you're an end-user organization and are willing to talk to this analyst and explain your view (pro-FD, I hope), drop me a note and I'll put you in direct contact. Please note: I don't need any arguments pro or against full disclosure; all this has been discussed in the past. I also don't need you to tell me about someone else or some other project (e.g. nessus, snort) that utilizes these exploits. Tried that. Didn't work. What I need is a security administrator, CSO, IT manager or sys admin that can explain why they find public exploits are good for THEIR organizations. Maybe we can start changing public opinion with regards to full disclosure, and hopefully start with this opinion leader. TIA. -- Aviram Jenik Beyond Security http://www.BeyondSecurity.com http://www.SecuriTeam.com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists