Message-ID: <72a6fbc05070120514beefc8d@mail.gmail.com>
Date: Fri, 1 Jul 2005 20:51:12 -0700
From: ChayoteMu <chayotemu@...il.com>
To: "devnull@...ents.montreal.qc.ca" <devnull@...ents.montreal.qc.ca>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: Publishing exploit code - what is it good for

I'm not too sure if this would help much but from a student standpoint
I understand FAR more about how the security works by knowing how to
break it, which only really works if I have source code and so
full-disclosure exploits. I KNEW what a shellcode and buffer overflow
were for years but I only UNDERSTOOD it after I read "Hacking: The Art
of Exploitation" because it broke it down for me (excellent book BTW).
Now I understand how an overflow exploit works, but don't understand
how a particular one works against a particular program without the
exploit code that I can go over and go "Oh, so that's how it does it."
The idea is that the next generation of security pros (and the current
ones I assume) need the information to be a step ahead by
understanding the tricks used by the exploit, otherwise they're always
playing catch-up to the latest exploit.

On 6/30/05, devnull@...ents.montreal.qc.ca
<devnull@...ents.montreal.qc.ca> wrote:
> [Because of all the broken autoresponders on bugtraq, the header From:
> is a bitbucket. Use the address in the signature to reach me.]
>
> >> Quote: " If I speak to an end-user organization and they express
> >> legitimate needs for exploit code, then I'll change my opinion."
>
> Well, I'm not an end-user organization, but as an end user[%], the
> major benefit I see to full disclosure is that it appears to be close
> to the only thing that has any real success at getting vendors to fix
> bugs. (In general. There certainly are vendors that stay on top of
> things without needing the prod of public exploit disclosure. But they
> are notable by their rarity.)
>
> [%] "End user" is not the only hat I wear. It's just the one I'm
> wearing here.
>
> /~\ The ASCII der Mouse
> \ / Ribbon Campaign
> X Against HTML mouse@...ents.montreal.qc.ca
> / \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
>
--
"To catch a thief, think like a thief. To catch a master thief, be a
master thief."
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/