Message-ID: <Pine.LNX.4.21.0606240809070.19096-100000@linuxbox.org>
Date: Sat, 24 Jun 2006 08:11:20 -0500 (CDT)
From: Gadi Evron <ge@...uxbox.org>
To: David Taylor <ltr@....upenn.edu>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: Amazon, MSN vulns and.. Yes, we know! Most sites have vulnerabilities


On Sat, 24 Jun 2006, David Taylor wrote:
> Yes, I realize Milw0rm is simply posting exploits sent to them. I didn't
> mean to make it sound like I was putting down Milw0rm, I am just concerned
> about the number of 0day's coming out.  But, this did make me think.  Maybe
> a site like this should take exploit submissions via a web based form where
> the submitter has to sign an agreement stating something to the effect of:
> 
> If you are submitting an exploit for a vulnerability you discovered and did
> not responsibly disclose to the vendor you are a meanie.  If you did and
> they chose not to address it you are a cool person.
> 
> I agree we need to see these things if they are going to be floating around.
> I just wish people would be more responsible when they discover a
> vulnerability and develop an exploit for it. Try to let the vendor know
> first.


Once again we are mostly in agreement, but there is one point I do
disagree on completely.

How would having the vulnerability already being exploited by Bad Guys,
who get it via their sources, while not letting the Good Guys know about
it and put pressure on the vendor to fix it, help out?

Like I said earlier, this isn't black and white and some vendors do things
right, still, the one thing about Full Disclosure no one can dispute,
despite whatever else it may be - it works.

Now how does the exploits being out and just us not knowing about them help
us any? The ones who use them for harm will do so regardless.

	Gadi.


> On 6/23/06 10:47 PM, "Gadi Evron" <ge@...uxbox.org> wrote:
> 
> > On Fri, 23 Jun 2006, David Taylor wrote:
> >> Not sure if I agree with the "Most sites don't fix them" comment but I agree
> >> there are probably a lot of people that just don't get how serious the
> >> report is about a vulnerability in their software.
> >> 
> >> What I am worried about for the moment is milw0rm. That site releases an
> >> average of 6 or 7 zero day exploits a day.  It has increased the workload I
> >> have letting our IT folks know about new threats. A lot of these
> >> vulnerabilities are web/php based but pwn3d is pwn3d.  I would imagine it
> >> feeds a lot of the zone-h.org defacement entries. I don't see as many full
> >> disclosure zero-day postings as I do on milw0rm.
> >> 
> >> Sorry if this doesn't fit the entire subject matter of this post but just
> >> had to throw it out there. It is getting hard to keep up with.
> > 
> > What you say makes sense, but isn't that shooting the messenger?
> > 
> > You are right about how dire the situation is. We have all been thinking
> > hard on how to change it. I will wait for Steve Christey's reply as he
> > knows how to explain these issues far better than me.
> > 
> > Still, milw0rm seem like good people to me. They bring you the
> > information. Without them (and places like the site I am biased about,
> > securiteam.com, ex-FRSIRT, etc.) only the Bad Guys would know about these.
> > 
> > Unrelated, we should start distinguishing again between full disclosure
> > vulnerabilities and 0days (which can only be used while you don't know
> > about them / you caught itw, but definitions vary - just too many
> > "0days").
> > 
> > Gadi.
> >  
> >> On 6/23/06 9:30 PM, "Gadi Evron" <ge@...uxbox.org> wrote:
> >> 
> >>> In this post I link to a blog entry by a guy (dcrab) who does some show
> >>> and tell about Amazon and MSN. You gotta love Full Disclosure. Full
> >>> Disclosure and why bugtraq is here is what I talk about. Just skip my text
> >>> to the end for that information.
> >>> 
> >>> So, yes, we know. Thanks. Yes, we know. Most sites have
> >>> vulnerabilities. Most sites don't fix them. All you have to do is pick one
> >>> arbitrarily and find them after a second to a few minutes of search.
> >>> 
> >>> Recently I exchanged some words on exactly this subject with Scott Chasin
> >>> (started bugtraq back in '93). This is why Full Disclosure was originally
> >>> done and part of why bugtraq was originally created. People don't often
> >>> remember why, and today attack the concept of Full Disclosure and say that
> >>> it is irresponsible to disclose vulnerabilities that way.
> >>> 
> >>> On some levels, I agree, but nothing is black and white even if I often
> >>> think it is.
> >>> 
> >>> Some companies take security seriously. Reporting to them works. Some
> >>> companies (at BEST) ignore you. Back then most companies ignored. Back
> >>> then Full Disclosure was THE silver bullet and THE solution. I recently
> >>> had the chance to discuss this with Aleph1 as well. He who strongly
> >>> believes in Full Disclosure agrees it's a different world now.
> >>> 
> >>> Today, the same situation is repeated with new fields. Game companies,
> >>> critical infrastructure (such as with SCADA systems), etc. who now
> >>> discover the world of vulnerability research don't know how to deal with
> >>> it. It is interesting to watch how the world of security repeats its
> >>> history.
> >>> 
> >>> When someone releases the information it is a fact that everyone goes and
> >>> attacks the site or builds a POC. When someone provides only the name
> >>> of the site or skeleton details of vulnerabilities... everyone goes and
> >>> looks for what they know is there.
> >>> 
> >>> Back a few months ago a kiddie tried to sell an Excel vulnerability on
> >>> FD. Now, I am not sure if this is completely related but a few months
> >>> after that Microsoft released several patches for Excel. This month we
> >>> have had Excel 0days.
> >>> 
> >>> In the world of web security the situation is more extreme. Release the
> >>> bug? Everyone will exploit it. Release the site name? Everyone will find a
> >>> bug there TODAY.
> >>> 
> >>> The point is, though, that these vulnerabilities have always been there,
> >>> and they have been exploited before. We just didn't know about them. And
> >>> people are surprised when corporations and sites are broken into and their
> >>> personal data is stolen?
> >>> 
> >>> Here is a blog post of a guy who got sick of reporting vulnerabilities,
> >>> and after years of trying (look at the dates), finally made a small
> >>> release about MSN and Amazon (although other interesting sites are listed
> >>> there).
> >>> 
> >>> http://blogs.hackerscenter.com/dcrab/?p=19
> >>> 
> >>> Noam Rathaus recently wrote about a similar issue ("From Flaw to
> >>> Exploit"):
> >>> http://blogs.securiteam.com/index.php/archives/449
> >>> 
> >>> I contacted both Amazon and MS, but this is out there and once it's out
> >>> there - it's, well; out there. Full disclosure, y'know.
> >>> 
> >>> Gadi Evron.
> >>> 
> >>> _______________________________________________
> >>> Full-Disclosure - We believe in it.
> >>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> >>> Hosted and sponsored by Secunia - http://secunia.com/
> >> 
> >> 
> >> ==================================================
> >> David Taylor //Sr. Information Security Specialist
> >> University of Pennsylvania Information Security
> >> Philadelphia PA USA
> >> (215) 898-1236
> >> http://www.upenn.edu/computing/security/
> >> ==================================================
> >> 
> >> Penn Information Security RSS feed
> >> http://www.upenn.edu/computing/security/rss/rssfeed.xml
> >> Add link to your favorite RSS reader
> >> 
> >> 
> >> 
> 
> 
