From: sockz at email.com (sockz loves you)
Subject: Security Industry Under Scrutiny: Part One

Dear Len,

your argument is self-sealing.  it lacks substance.  if most of the attacks on 
systems are coming from script kiddies, who have found these holes NOT by
themselves but from the security industry and all the 'proof of concept' tools
that come out of it, then how does full disclosure protect the interests of the
admin?

it doesn't.

disclosing bugs to a public forum makes them known not only to system admins but
also malicious users.  and whereas an admin can only patch one system, a script
kiddy can attack many many systems.

take the recent attacks on XMB by Mike Parniak and his so-called "hacking crew".
this script kiddy developed a tool based on a well known md5 exploit in XMB v1.6
Magic Lantern that gives a user admin privileges.  he then distributed that 
tool to lesser skilled script kiddies and the end result was a week of rage 
against XMB boards around the web (oops did i just say that aloud?).  only about
20% of the boards had been patched.  and i restate: the bug had been in public
circulation for a long while and had even been in full view on XMB's software 
update page.

it even appeared on vuln-dev in mid _May_ this year!

how did full disclosure work in this case?  by your argument, Len, 6 months
would have been more than enough for all the board admins to update their 
system (all that was required was to change a file name).  why such a low
success rate?  why didn't the security industry's system work in this case (and
so many others)?

plz reply as i am very interested in your answers.

<3 sockz


----- Original Message -----
From: Len Rose <len@...sys.com>
Date: Thu, 7 Nov 2002 08:45:34 -0500 
To: full-disclosure@...ts.netsys.com
Subject: Re: [Full-Disclosure] Security Industry Under Scrutiny: Part One


> 
> Let's also not forget the systems people who would rather know about problems
> so they can at least mitigate the situation by finding work-arounds, apply firewall
> or router filters, and/or disable services. 
> 
> It's unacceptable to be left in the dark, no matter what the cost because the people
> who aren't aware of a problem can't defend their hosts or networks.
> 
> Complaining about so-called whitehats, and the security community doesn't address
> the above. 
> 
> People have a right to know about problems, assuming that the researcher is kind
> enough to share the information.
> 
> Len