lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <0IJ5006J0ZO2K9P2@vms048.mailsrvcs.net>
Date: Tue, 05 Jul 2005 10:10:05 -0700
From: "wnorth" <wnorth@...izon.net>
To: "'Aviram Jenik'" <aviram@...ondsecurity.com>,
	<full-disclosure@...ts.grok.org.uk>, <bugtraq@...urityfocus.com>
Subject: RE: Publishing exploit code - what is it good for


Aviram,

Working at a major organization, I find the one thing that is most
frustrating is trying to validate whether a public exploit is actually a
threat or not, we rely on tools like nessus and such the like that may or
may not provide false positives. I believe public exploits (full disclosure)
is a necessity and whether or not top security firms believe it, doesn't
matter to me, it's not something that will never be stopped. I'd give you my
company name, but unfortunately I am not allowed to. Suffice to say it is a
major privately held organization that does business in the billions per
year. They are very adamant about putting security in place, and not just
from an attack and penetration perspective, but true engineering of
applications with security in mind.

If this analyst believes that all that public exploits do are put users at
risk, they are missing the bottom line of this whole thing, which
is...education. OK so we'll all simply rely on the vendors to patch our
systems, without fully investigating the ramifications of those patches on
3rd party applications that are either relying on the O/S or sharing an O/S
or that are integrated with the very system we are patching. The bottom line
is public exploits help to educate us security engineers and sys admins on
security, and provide us with an in-depth look at what other people are
doing to exploit systems, it's an education process, it helps us it does not
detour us. What detours us is when some kid or frustrated person decides to
wrap up the exploit in some mass-distribution application. 

Conversely the argument could be made that if public exploits where not
available the number of these worms/viruses would be far minimized, to which
my response would be, take away information from people and they will find
other means to obtain it. Sure we can try and argue against public exploits
because they give mischievous people opportunity to wreak havoc on systems
that we have to support, but if you have a good patch management and AV
solution in place, guess what...you have nothing to worry about.

This is my personal opinion having worked in security for quite a few years
as well as managing a team of senior systems engineers responsible for
enterprise systems.

-Wesley North
wnorth@...kedup.com  

-----Original Message-----
From: Aviram Jenik [mailto:aviram@...ondsecurity.com] 
Sent: Thursday, June 30, 2005 5:14 AM
To: full-disclosure@...ts.grok.org.uk; bugtraq@...urityfocus.com
Subject: Publishing exploit code - what is it good for

Hi,

I recently had a discussion about the concept of full disclosure with one of
the top security analysts in a well-known analyst firm. Their claim was that
companies that release exploit code (like us, but this is also relevant for
bugtraq, full disclosure, and several security research firms) put users at
risks while those at risk gain nothing from the release of the exploit.

I tried the regular 'full disclosure advocacy' bit, but the analyst remained
reluctant. Their claim was that based on their own work experience, a
security administrator does not have a need for the exploit code itself, and
the vendor information is enough. The analyst was willing to reconsider
their position if an end-user came forward and talked to them about their
own benefit of public exploit codes. Quote: " If I speak to an end-user
organization and they express legitimate needs for exploit code, then I'll
change my opinion."

Help me out here. Full disclosure is important for me, as I'm sure it is for
most of the people on these two lists. If you're an end-user organization
and are willing to talk to this analyst and explain your view (pro-FD, I
hope), drop me a note and I'll put you in direct contact.

Please note: I don't need any arguments pro or against full disclosure; all
this has been discussed in the past. I also don't need you to tell me about
someone else or some other project (e.g. nessus, snort) that utilizes these
exploits. Tried that. Didn't work.

What I need is a security administrator, CSO, IT manager or sys admin that
can explain why they find public exploits are good for THEIR organizations.
Maybe we can start changing public opinion with regards to full disclosure,
and hopefully start with this opinion leader.

TIA.

--
Aviram Jenik
Beyond Security

http://www.BeyondSecurity.com
http://www.SecuriTeam.com


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ