[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <0IJ5006J0ZO2K9P2@vms048.mailsrvcs.net>
Date: Tue, 05 Jul 2005 10:10:05 -0700
From: "wnorth" <wnorth@...izon.net>
To: "'Aviram Jenik'" <aviram@...ondsecurity.com>,
<full-disclosure@...ts.grok.org.uk>, <bugtraq@...urityfocus.com>
Subject: RE: Publishing exploit code - what is it good for
Aviram,
Working at a major organization, I find the one thing that is most
frustrating is trying to validate whether a public exploit is actually a
threat or not, we rely on tools like nessus and such the like that may or
may not provide false positives. I believe public exploits (full disclosure)
is a necessity and whether or not top security firms believe it, doesn't
matter to me, it's not something that will never be stopped. I'd give you my
company name, but unfortunately I am not allowed to. Suffice to say it is a
major privately held organization that does business in the billions per
year. They are very adamant about putting security in place, and not just
from an attack and penetration perspective, but true engineering of
applications with security in mind.
If this analyst believes that all that public exploits do are put users at
risk, they are missing the bottom line of this whole thing, which
is...education. OK so we'll all simply rely on the vendors to patch our
systems, without fully investigating the ramifications of those patches on
3rd party applications that are either relying on the O/S or sharing an O/S
or that are integrated with the very system we are patching. The bottom line
is public exploits help to educate us security engineers and sys admins on
security, and provide us with an in-depth look at what other people are
doing to exploit systems, it's an education process, it helps us it does not
detour us. What detours us is when some kid or frustrated person decides to
wrap up the exploit in some mass-distribution application.
Conversely the argument could be made that if public exploits where not
available the number of these worms/viruses would be far minimized, to which
my response would be, take away information from people and they will find
other means to obtain it. Sure we can try and argue against public exploits
because they give mischievous people opportunity to wreak havoc on systems
that we have to support, but if you have a good patch management and AV
solution in place, guess what...you have nothing to worry about.
This is my personal opinion having worked in security for quite a few years
as well as managing a team of senior systems engineers responsible for
enterprise systems.
-Wesley North
wnorth@...kedup.com
-----Original Message-----
From: Aviram Jenik [mailto:aviram@...ondsecurity.com]
Sent: Thursday, June 30, 2005 5:14 AM
To: full-disclosure@...ts.grok.org.uk; bugtraq@...urityfocus.com
Subject: Publishing exploit code - what is it good for
Hi,
I recently had a discussion about the concept of full disclosure with one of
the top security analysts in a well-known analyst firm. Their claim was that
companies that release exploit code (like us, but this is also relevant for
bugtraq, full disclosure, and several security research firms) put users at
risks while those at risk gain nothing from the release of the exploit.
I tried the regular 'full disclosure advocacy' bit, but the analyst remained
reluctant. Their claim was that based on their own work experience, a
security administrator does not have a need for the exploit code itself, and
the vendor information is enough. The analyst was willing to reconsider
their position if an end-user came forward and talked to them about their
own benefit of public exploit codes. Quote: " If I speak to an end-user
organization and they express legitimate needs for exploit code, then I'll
change my opinion."
Help me out here. Full disclosure is important for me, as I'm sure it is for
most of the people on these two lists. If you're an end-user organization
and are willing to talk to this analyst and explain your view (pro-FD, I
hope), drop me a note and I'll put you in direct contact.
Please note: I don't need any arguments pro or against full disclosure; all
this has been discussed in the past. I also don't need you to tell me about
someone else or some other project (e.g. nessus, snort) that utilizes these
exploits. Tried that. Didn't work.
What I need is a security administrator, CSO, IT manager or sys admin that
can explain why they find public exploits are good for THEIR organizations.
Maybe we can start changing public opinion with regards to full disclosure,
and hopefully start with this opinion leader.
TIA.
--
Aviram Jenik
Beyond Security
http://www.BeyondSecurity.com
http://www.SecuriTeam.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists