lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
From: John.Airey at rnib.org.uk (John.Airey@...b.org.uk)
Subject: Re: Second critical mremap() bug found in a
	ll Linux kernels

> -----Original Message-----
> From: Geo. [mailto:geoincidents@...info.org]
> Sent: 19 February 2004 13:39
> To: full-disclosure@...ts.netsys.com
> Subject: RE: [Full-Disclosure] Re: Second critical mremap() 
> bug found in
> all Linux kernels
> 
> 
> 
> >>Yes but it doesn't mean that we have to deliver tools any 
> script kiddie
> can take and go ahead for hacking!<<
> 
> I submit to the security industry that this is exactly what 
> is required.
> Allow me to explain.
> 
> Without worms, virus, and hacking, exactly what reason would 
> the masses of
> high bandwidth home machines have to patch? What would 
> motivate the armies
> of lazy computer owners to lock their machines down so that 
> the internet is
> not at risk of someone using known exploits to build an army 
> of floodbots
> and take control of the internet flooding off anyone who opposes them?
> 
> It is a very real danger that we have already seen beginning 
> and if security
> is not a concern then how do we protect ourselves from this 
> sort of thing
> happening?
> 
> One solution is report exploits, allow vendors sufficient 
> time to create and
> test patches, allow the masses sufficient time to apply those 
> patches, then
> release point and shoot exploit code so that the remaining unpatched
> machines are now at a very real risk. Provide script kiddie 
> tools that don't
> allow control but do allow you to effect just the exploitable 
> box by perhaps
> coding them to make it easy to shutdown the box (high 
> annoyance factor but
> not perm damage). This provides the motivation to secure the 
> world network
> so that the number of exploitable boxes doesn't reach such a 
> level that no
> segment is safe.
> 
> Digital Darwinism.
> 

I don't think we need to encourage people to do nasty things to computers to
secure them. There are plenty of people capable of doing such things with or
without publicly posted exploit code. The human race isn't as wonderful as
some would like to pretend it is. Can you name one invention that hasn't
been abused one way or another?

Note that I am not saying we shouldn't distribute this code, but I would say
be wary of any litigation or arrest that may come your way if you do so.

At the risk of another dodgy car analogy, would it be OK to drive down the
pavement/sidewalk and run over anyone who doesn't get out of the way quick
enough? That's a form of Natural Selection, is it not? Which is why people
don't really believe in evolution. 

I also doubt any population control activists would through themselves at
the car either, but that's getting way way off-topic.

- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 John.Airey@...b.org.uk 

According to the book of Acts, Eutychus was the first man to suffer from a
General Protection Fault with Windows.

- 
DISCLAIMER: 

NOTICE: The information contained in this email and any attachments is 
confidential and may be privileged. If you are not the intended 
recipient you should not use, disclose, distribute or copy any of the 
content of it or of any attachment; you are requested to notify the 
sender immediately of your receipt of the email and then to delete it 
and any attachments from your system. 

RNIB endeavours to ensure that emails and any attachments generated by 
its staff are free from viruses or other contaminants. However, it 
cannot accept any responsibility for any  such which are transmitted.
We therefore recommend you scan all attachments. 

Please note that the statements and views expressed in this email and 
any attachments are those of the author and do not necessarily represent 
those of RNIB. 

RNIB Registered Charity Number: 226227 

Website: http://www.rnib.org.uk 


Powered by blists - more mailing lists