[<prev] [next>] [day] [month] [year] [list]
Message-ID: <E924F679D556A345B865717377DCDFC4036F0369@ROKEMAIL.staff.ad.cqu.edu.au>
From: b.griffin at cqu.edu.au (Brad Griffin)
Subject: THCIISSLame exploit
Off-list maybe? I see dead horses with strange welt - like marks on
their flanks.
> -----Original Message-----
> From: Elver Loho [mailto:kernelpenguin@....ee]
> Sent: Friday, April 23, 2004 10:41 AM
> To: Oliver.C.Rochford; full-disclosure@...ts.netsys.com
> Subject: Re: [Full-Disclosure] THCIISSLame exploit
>
> Okay, I'll bite.
>
> : 1. the code is given as is, if it doesn't work for
> you...learn to code
>
> The whole idea was binaries vs source code. My point, which
> you seem to have missed, was that it's better to have source
> code than a binary. Plus the release of a binary along with
> the source code is redundant. And, as someone pointed out,
> might also create problems with the authorities. And I can
> code quite well, thank you for being concerned.
>
> : 2. As for the free speech etc etc...the bug is fixed, if
> you are unable to
> : patch the system you are responsible for, get a new job, if
> you didn't
> : know about the bug/fix, get a new job, if you want to bitch about
> : releasing exploit code/binaries on a security mailinglist...go do it
> : somewhere else.
>
> Source code might fall under freedom of speech. Binaries
> definitely don't. If he released that in a country where
> compiled exploits might get you more attention from the
> authorities, he's still going to have problems even if he did
> release the binary on the Internet. As for getting a new job,
> etc, I, again, thank you for taking interest in my life, but
> that won't be an issue.
>
> Also, I think it's more interesting if exploit code is
> released before a patch. The reactions of people are much
> more interesting to observe. Plus it gives you something to
> look for instead of just sitting and praying to whatever
> deity you worship that you don't get hacked. Of course,
> that's assuming the original advisory isn't informative enough.
>
> : 3. If you don't like people posting exploits for bugs, get
> a new hobby/job
>
> Again, this was about binaries vs source code. I prefer the
> latter. I have no problem with people releasing exploits. I
> much enjoy seeing clever code.
>
> : 4. If it is illegal in your country, good for you!! It
> isn't in the FREE
> : world, thank god. Firewall you nation off, it helps us all
>
> No, it's quite legal around here. I don't know what the laws
> are there in the UK, but I did however hear that the DMCA
> might create problems for some avid exploit coders in parts
> of the world usually classified as "the free world".
> Didn't HP pull it on SnoSoft once? And, of course, there are
> the computer crime laws which can usually be wrapped around
> just about any exploit release. It's very hard to prove that
> you didn't have malicious intent.
>
> : 5. The bug has been reported, a fix has been issued,
> where's the darn
> : problem??
>
> There's a problem? Other than, according to one security
> researcher on this list, the author of this exploit walking
> on thin ice because he released the binary as well, there is
> no problem to speak of. Well, there's that of internet
> censorship, but that's a dead horse which would require some
> medical attention from real lawyers before it can be beaten again.
>
> : I for one am glad to be able to test it, to have a binary
> to make a snort
> : sig etc etc
>
> Yes, but you are able to compile the exploit code yourself,
> are you not? I assume you are. I also assume that you are
> capable of writing your own exploits if you really had the
> need for them. And let's not bring up the need for Snort
> after patching. That horse started stinking a long time ago already.
>
>
> elver
>
> : On Thu, 22 Apr 2004, Elver Loho wrote:
> : > : >Publishing the binary is VX-ing and is criminal. That
> is very clear.
> : > :
> : > : Again, you assume this is illegal in every country. This is the
> : > : Internet, there are no laws here. ;)
> : >
> : > Do you think the Internet should be regulated by laws? Or
> do you think we
> : > should rely on self-regulation in the form of moderation
> and common
> : > decency? Because the latter isn't working out as you can
> see. I'd like to
> : > take Ian Clarke's view of freedom of speech and say that
> I don't mind
> : > seeing kiddy porn on the net, but hell, some of that
> stuff truly IS sick.
> : > Cultivating it by giving it the status of freedom of
> speech would just
> : > have unfortunate effects on the society as a whole and on
> the well-being
> : > of its various current and future members. While I don't think the
> : > Internet should (or indeed, could) be regulated as a
> whole, I believe
> : > that it would be possible and good to apply laws of the
> poster's country
> : > of origin. What it comes down to in this case: is the
> release of (binary)
> : > exploits allowed in Germany or not?
> : >
> : > : >To share knowledge with security researchers does not require
> : > : >releasing binary executables, professional testers can
> compile the
> : > : >source code for themselves.
> : > :
> : > : Not everyone has a C/C++ compiler. Even if you do have a C/C++
> : > : compiler, you may have to port the code to your OS
> which takes time. If
> : > : you also compile the exploit, everyone can test it. You
> assume a script
> : > : kiddie can't compile an exploit and that the script
> kidde can't use any
> : > : of the exploits sent to this list if it's only in
> source form. Nice
> : > : protection, but it doesn't work.
> : >
> : > I think you missed the point here. C/C++ compilers are
> available for free
> : > and anyone doing any kind of professional computer
> security work will
> : > have one. You also assume that porting the code to one's
> OS of choice
> : > takes time. However, if the exploit is released as a
> binary, porting the
> : > code to someone's OS of choice is impossible with the
> exception of being
> : > able to run some Windows binaries on Linux and a few
> other OSes. Besides,
> : > this is what we have standards for. Writing source code
> that will compile
> : > on a multitude of operating systems is easy. And with the
> advent of good
> : > interpreted languages such as Python and Perl, it's trivial.
> : > As for script kiddies, then they are an unfortunate
> by-product of our
> : > society. They will eventually grow up and join the ranks
> of blackhats,
> : > whitehats or leave the computer security field entirely.
> Having been one
> : > in the past myself, and not being proud of it, I can tell you that
> : > nothing will protect such exploits from script kiddies.
> Some of them have
> : > big brains on them and if one of them figures it out,
> everyone will
> : > figure it out. It's a society where the only currency is
> respect earned
> : > by showing other members your level of intelligence.
> Surprisingly, people
> : > like that fit nicely into Eric S. Raymond's mindset of an
> open-source
> : > hacker as portrayed in his collection of essays titled
> "The Cathedral and
> : > the Bazaar."
> : >
> : > : >Avoid releasing binaries and you will not have
> problems with the
> : > : >authorities.
> : > :
> : > : I assume you meant to say "Avoid releasing EXPLOIT binaries ..."
> : >
> : > That sentence was in context. Ripping it out of context
> to point out such
> : > things is pointless.
> : >
> : >
> : > Elver Loho
> : >
> : > _______________________________________________
> : > Full-Disclosure - We believe in it.
> : > Charter: http://lists.netsys.com/full-disclosure-charter.html
> :
> : _______________________________________________
> : Full-Disclosure - We believe in it.
> : Charter: http://lists.netsys.com/full-disclosure-charter.html
>
> --
> Elver Loho
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
Powered by blists - more mailing lists