Message-ID: <004501c354ce$f94bdac0$7044cd3e@INTERNET>
From: Nicolas.Villatte at advalvas.be (Nicolas Villatte)
Subject: DCOM RPC exploit  (dcom.c)

Chris,
It is an old debate between full / partial / non-disclosure. Everybody has
their own point. Personally I prefer to know there is an exploit and to have
it to quickly test/patch (not all patches fix all exploits).
A public exploit will always be better than a private exploit in my opinion.
You can't compare a nuclear weapon to an exploit because you usually can
protect yourself from an exploit.

If everybody had nuclear weapons I do not think some countries would have
so much influence in world politics and economics.
So if I follow your logic, meaning public exploit = nuclear weapon, I only
see the advantage in keeping it secret to make money from it (sell the
technology to people not having it) and use it as a threat towards the
others (maybe selling security stuff in the pipeline to get even richer and
keep exclusivity).

Unfortunately, sometimes there is no difference between keeping it secret
to make a lot of money on it while we still may and security through
obscurity.

Cheers.

-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of gregh
Sent: Sunday, July 27, 2003 5:09 AM
To: full-disclosure@...ts.netsys.com
Subject: Re: [Full-Disclosure] DCOM RPC exploit (dcom.c)
----- Original Message -----
From: Chris Paget <mailto:chrisp@...software.com>
To: Len Rose <mailto:len@...sys.com>
Cc: full-disclosure@...ts.netsys.com
Sent: Sunday, July 27, 2003 12:08 PM
Subject: Re: [Full-Disclosure] DCOM RPC exploit (dcom.c)
Len,

IMHO there's a difference between "security through obscurity" and posting
working exploit code.  Knowing that there is a vulnerability in DCOM,
accessible over a range of RPC mechanisms (primarily 135/tcp) is all that
most administrators need to know.  It's one thing knowing that you can
kill a person with a gun, and it's another to give away firearms.
Just my $0.02:
Shoot the messenger - that always stops the bad event happening.

Sorry for the sarcasm. I can never see the point in "If we don't tell the
enemy how to build a nuclear weapon they never will so we are safer as a
result" logic.
Greg - you may call me a "Jihad O'Clue." if you wish.