From: orochford at beefed.org (Oliver.C.Rochford)
Subject: THCIISSLame exploit

On Fri, 23 Apr 2004, Elver Loho wrote:

Sorry, my bad, for the most part I was referring to the original flame
from Feher Tamas.

Your points are totally valid, I should have added the text from Feher,
but as I'm replying I might as well say my $0.5 ;)


> Okay, I'll bite.
>
> : 1. the code is given as is, if it doesn't work for you...learn to code
>
> The whole idea was binaries vs source code. My point, which you seem to have
> missed, was that it's better to have source code than a binary. Plus the
> release of a binary along with the source code is redundant. And, as someone
> pointed out, might also create problems with the authorities. And I can code
> quite well, thank you for being concerned.
>

Creating problems with the authorities should be left to the original
poster to assess. I am sure jcyberpunk has knowledge of how the law
applies to him in this respect.
Also, as a side note....law is morally questionable in many cases, and I
personally far outweigh security compared to legal restraints.




> Source code might fall under freedom of speech. Binaries definitely don't. If
> he released that in a country where compiled exploits might get you more
> attention from the authorities, he's still going to have problems even if he
> did release the binary on the Internet. As for getting a new job, etc, I,
> again, thank you for taking interest in my life, but that won't be an issue.
>
> Also, I think it's more interesting if exploit code is released before a
> patch. The reactions of people are much more interesting to observe. Plus it
> gives you something to look for instead of just sitting and praying to
> whatever deity you worship that you don't get hacked. Of course, that's
> assuming the original advisory isn't informative enough.
>


I disagree, releasing source code for a vulnerability before a patch is
irresponsible. Advisories fair enough, but actual working code is a no-no
(and that is where legal restrictions apply I'd say, as has been proven in
the past).
Judging by the reactions here, people getting uptight about exploit code
for known and resolved bugs... I'd hate to see them react to unpatched
vulnerabilities.
Also, you can't protect against what you don't know. In a sense we are
trusting software vendors blind in regard to the security of their
products (rather strangely, if Microsoft was a guide dog... I'd say it's
doing a terrible job)

> : 3. If you don't like people posting exploits for bugs, get a new hobby/job
>
> Again, this was about binaries vs source code. I prefer the latter. I have no
> problem with people releasing exploits. I much enjoy seeing clever code.
>
> : 4. If it is illegal in your country, good for you!! It isn't in the FREE
> : world, thank god. Firewall you nation off, it helps us all
>
> No, it's quite legal around here. I don't know what the laws are there in the
> UK, but I did however hear that the DMCA might create problems for some avid
> exploit coders in parts of the world usually classified as "the free world".
> Didn't HP pull it on SnoSoft once? And, of course, there are the computer
> crime laws which can usually be wrapped around just about any exploit
> release. It's very hard to prove that you didn't have malicious intent.
>

DMCA is abused in many senses more as a tool to stop share prices from
falling due to incompetence and negligence than an actual tool to protect
IP or anything resembling a legitimate use. Once again, I care little for
DMCA, catch me if you can....
Once again, it was directed at the obviously annoyed Windows admin (dare I
say MCSE.......) Feher


> : 5. The bug has been reported, a fix has been issued, where's the darn
> : problem??
>
> There's a problem? Other than, according to one security researcher on this
> list, the author of this exploit walking on thin ice because he released the
> binary as well, there is no problem to speak of. Well, there's that of
> internet censorship, but that's a dead horse which would require some medical
> attention from real lawyers before it can be beaten again.
>

Directed at anyone annoyed about the release of a binary/source code.
If we are all able to compile it...where's the harm in a binary? Also, I
don't have any programming tools on the Windows platform, I don't code for
Windows, period. I appreciated the binary release alone for that reason.


> : I for one am glad to be able to test it, to have a binary to make a snort
> : sig etc etc
>
> Yes, but you are able to compile the exploit code yourself, are you not? I
> assume you are. I also assume that you are capable of writing your own
> exploits if you really had the need for them. And let's not bring up the need
> for Snort after patching. That horse started stinking a long time ago
> already.
>
>

See the above point. As for Snort....monitoring networks with
several Snort sensors, for users who I cannot force to patch....and also
wanting to know what is being thrown at those networks....some people like
to know what's going on, and also use statistics (however questionable or
dubious, I don't want to start a flame war regarding Snort or any other
IDS, if you don't like it, or don't agree it is useful...I don't care
(not directed at you personally btw)) to get a feel for things.

> elver
>
> : On Thu, 22 Apr 2004, Elver Loho wrote:
> : > : >Publishing the binary is VX-ing and is criminal. That is very clear.
> : > :
> : > : Again, you assume this is illegal in every country. This is the
> : > : Internet, there are no laws here. ;)
> : >
> : > Do you think the Internet should be regulated by laws? Or do you think we
> : > should rely on self-regulation in the form of moderation and common
> : > decency? Because the latter isn't working out as you can see. I'd like to
> : > take Ian Clarke's view of freedom of speech and say that I don't mind
> : > seeing kiddy porn on the net, but hell, some of that stuff truly IS sick.
> : > Cultivating it by giving it the status of freedom of speech would just
> : > have unfortunate effects on the society as a whole and on the well-being
> : > of its various current and future members. While I don't think the
> : > Internet should (or indeed, could) be regulated as a whole, I believe
> : > that it would be possible and good to apply laws of the poster's country
> : > of origin. What it comes down to in this case: is the release of (binary)
> : > exploits allowed in Germany or not?
> : >
> : > : >To share knowledge with security researchers does not require
> : > : >releasing binary executables, professional testers can compile the
> : > : >source code for themselves.
> : > :
> : > : Not everyone has a C/C++ compiler. Even if you do have a C/C++
> : > : compiler, you may have to port the code to your OS which takes time. If
> : > : you also compile the exploit, everyone can test it. You assume a script
> : > : kiddie can't compile an exploit and that the script kiddie can't use any
> : > : of the exploits sent to this list if it's only in source form. Nice
> : > : protection, but it doesn't work.
> : >
> : > I think you missed the point here. C/C++ compilers are available for free
> : > and anyone doing any kind of professional computer security work will
> : > have one. You also assume that porting the code to one's OS of choice
> : > takes time. However, if the exploit is released as a binary, porting the
> : > code to someone's OS of choice is impossible with the exception of being
> : > able to run some Windows binaries on Linux and a few other OSes. Besides,
> : > this is what we have standards for. Writing source code that will compile
> : > on a multitude of operating systems is easy. And with the advent of good
> : > interpreted languages such as Python and Perl, it's trivial.
> : > As for script kiddies, then they are an unfortunate by-product of our
> : > society. They will eventually grow up and join the ranks of blackhats,
> : > whitehats or leave the computer security field entirely. Having been one
> : > in the past myself, and not being proud of it, I can tell you that
> : > nothing will protect such exploits from script kiddies. Some of them have
> : > big brains on them and if one of them figures it out, everyone will
> : > figure it out. It's a society where the only currency is respect earned
> : > by showing other members your level of intelligence. Surprisingly, people
> : > like that fit nicely into Eric S. Raymond's mindset of an open-source
> : > hacker as portrayed in his collection of essays titled "The Cathedral and
> : > the Bazaar."
> : >
> : > : >Avoid releasing binaries and you will not have problems with the
> : > : >authorities.
> : > :
> : > : I assume you meant to say "Avoid releasing EXPLOIT binaries ..."
> : >
> : > That sentence was in context. Ripping it out of context to point out such
> : > things is pointless.
> : >
> : >
> : > Elver Loho
> : >
> : > _______________________________________________
> : > Full-Disclosure - We believe in it.
> : > Charter: http://lists.netsys.com/full-disclosure-charter.html
> :
>
> --
> Elver Loho
>

