Message-ID: <C0C2AA32.20C6A%ltr@isc.upenn.edu>
Date: Sat, 24 Jun 2006 08:37:06 -0400
From: David Taylor <ltr@....upenn.edu>
To: Gadi Evron <ge@...uxbox.org>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: Amazon, MSN vulns and.. Yes, we know! Most sites have vulnerabilities


Yes, I realize Milw0rm is simply posting exploits sent to them. I didn't
mean to make it sound like I was putting down Milw0rm, I am just concerned
about the number of 0days coming out.  But, this did make me think.  Maybe
a site like this should take exploit submissions via a web based form where
the submitter has to sign an agreement stating something to the effect of:

If you are submitting an exploit for a vulnerability you discovered and did
not responsibly disclose to the vendor you are a meanie.  If you did and
they chose not to address it you are a cool person.

I agree we need to see these things if they are going to be floating around.
I just wish people would be more responsible when they discover a
vulnerability and develop an exploit for it. Try to let the vendor know
first.


On 6/23/06 10:47 PM, "Gadi Evron" <ge@...uxbox.org> wrote:

> On Fri, 23 Jun 2006, David Taylor wrote:
>> Not sure if I agree with the "Most sites don't fix them" comment but I agree
>> there are probably a lot of people that just don't get how serious the
>> report is about a vulnerability in their software.
>> 
>> What I am worried about for the moment is milw0rm. That site releases an
>> average of 6 or 7 zero day exploits a day.  It has increased the workload I
>> have letting our IT folks know about new threats. A lot of these
>> vulnerabilities are web/php based but pwn3d is pwn3d.  I would imagine it
>> feeds a lot of the zone-h.org defacement entries. I don't see as many full
>> disclosure zero-day postings as I do on milw0rm.
>> 
>> Sorry if this doesn't fit the entire subject matter of this post but just
>> had to throw it out there. It is getting hard to keep up with.
> 
> What you say makes sense, but isn't that shooting the messenger?
> 
> You are right about how dire the situation is. We have all been thinking
> hard on how to change it. I will wait for Steve Christey's reply as he
> knows how to explain these issues far better than me.
> 
> Still, milw0rm seem like good people to me. They bring you the
> information. Without them (and places like the site I am biased about,
> securiteam.com, ex-FRSIRT, etc.) only the Bad Guys would know about these.
> 
> Unrelated, we should start distinguishing again between full disclosure
> vulnerabilities and 0days (which can only be used while you don't know
> about them / you caught itw, but definitions vary - just too many
> "0days").
> 
> Gadi.
>  
>> On 6/23/06 9:30 PM, "Gadi Evron" <ge@...uxbox.org> wrote:
>> 
>>> In this post I link to a blog entry by a guy (dcrab) who does some show
>>> and tell about Amazon and MSN. You gotta love Full Disclosure. Full
>>> Disclosure and why bugtraq is here is what I talk about. Just skip my text
>>> to the end for that information.
>>> 
>>> So, yes, we know. Thanks. Yes, we know. Most sites have
>>> vulnerabilities. Most sites don't fix them. All you have to do is pick one
>>> arbitrarily and find them after a second to a few minutes of search.
>>> 
>>> Recently I exchanged some words on exactly this subject with Scott Chasin
>>> (started bugtraq back in '93). This is why Full Disclosure was originally
>>> done and part of why bugtraq was originally created. People don't often
>>> remember why, and today attack the concept of Full Disclosure and say that
>>> it is irresponsible to disclose vulnerabilities that way.
>>> 
>>> On some levels, I agree, but nothing is black and white even if I often
>>> think it is.
>>> 
>>> Some companies take security seriously. Reporting to them works. Some
>>> companies (at BEST) ignore you. Back then most companies ignored. Back
>>> then Full Disclosure was THE silver bullet and THE solution. I recently
>>> had the chance to discuss this with Aleph1 as well. He who strongly
>>> believes in Full Disclosure agrees it's a different world now.
>>> 
>>> Today, the same situation is repeated with new fields. Game companies,
>>> critical infrastructure (such as with SCADA systems), etc. who now
>>> discover the world of vulnerability research don't know how to deal with
>>> it. It is interesting to watch how the world of security repeats its
>>> history.
>>> 
>>> When someone releases the information it is a fact that everyone goes and
>>> attacks the site or builds a POC. When someone provides only the name
>>> of the site or skeleton details of vulnerabilities... everyone goes and
>>> looks for what they know is there.
>>> 
>>> Back a few months ago a kiddie tried to sell an Excel vulnerability on
>>> FD. Now, I am not sure if this is completely related but a few months
>>> after that Microsoft released several patches for Excel. This month we
>>> have had Excel 0days.
>>> 
>>> In the world of web security the situation is more extreme. Release the
>>> bug? Everyone will exploit it. Release the site name? Everyone will find a
>>> bug there TODAY.
>>> 
>>> The point is, though, that these vulnerabilities have always been there,
>>> and they have been exploited before. We just didn't know about them. And
>>> people are surprised when corporations and sites are broken into and their
>>> personal data is stolen?
>>> 
>>> Here is a blog post of a guy who got sick of reporting vulnerabilities,
>>> and after years of trying (look at the dates), finally made a small
>>> release about MSN and Amazon (although other interesting sites are listed
>>> there).
>>> 
>>> http://blogs.hackerscenter.com/dcrab/?p=19
>>> 
>>> Noam Rathaus recently wrote about a similar issue ("From Flaw to
>>> Exploit"):
>>> http://blogs.securiteam.com/index.php/archives/449
>>> 
>>> I contacted both Amazon and MS, but this is out there and once it's out
>>> there - it's, well; out there. Full disclosure, y'know.
>>> 
>>> Gadi Evron.
>>> 
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>> 
>> 
>> ==================================================
>> David Taylor //Sr. Information Security Specialist
>> University of Pennsylvania Information Security
>> Philadelphia PA USA
>> (215) 898-1236
>> http://www.upenn.edu/computing/security/
>> ==================================================
>> 
>> Penn Information Security RSS feed
>> http://www.upenn.edu/computing/security/rss/rssfeed.xml
>> Add link to your favorite RSS reader
>> 
>> 
>> 


==================================================
David Taylor //Sr. Information Security Specialist
University of Pennsylvania Information Security
Philadelphia PA USA
(215) 898-1236
http://www.upenn.edu/computing/security/
==================================================

Penn Information Security RSS feed
http://www.upenn.edu/computing/security/rss/rssfeed.xml
Add link to your favorite RSS reader



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

