lists.openwall.net - Open Source and information security mailing list archives
Message-ID: <41D0B4C3.9090601@pwarchitects.com>
From: dk at pwarchitects.com (dk)
Subject: Possible apache2/php 4.3.9 worm

DanB UK wrote:

>> Do read the code carefully though Dan. Right off hand I can see errors
>> that were also in the code posted to bugtraq on the 20th; K-OTik may
>> have added more, dunno.
>
> It is probable that they have added errors in. To curb the script
> kiddies picking things up and modifying it and releasing it.

Yeah, I think it has been mentioned here that K-otik does this with their
posted code, which is fine by me. :)

> I have a bit of a worry about that and my talk, whether or not to
> release my sample code. It could be used quite evilly if the intention
> was there. I probably won't.

I have had concern about this as well, but remain a staunch supporter of
the Full Disclosure concept sprinkled with some common sense.

With the time to live for virii/worms/exploits this year (from disclosure
of bug to malware exploiting it), it's obvious that the "bar" is getting
progressively lower each year in regards to the skill set it takes to
develop this code. Which is a shame, as developing that skill over time
lends itself to a better understanding of the responsibility that comes
with it.

So a PoC or code that is missing key parts (that a skilled person could
decipher), or an Advisory that informs the author(s) before the general
public, seems a socially responsible way to address bugs in our current
climate. It /is/ hard not to share your work with others, and ultimately
it does everyone a disservice in the end not to disseminate the
knowledge. :)

There has been an interesting discussion regarding this on Bugtraq in
regards to Prof D. J. Bernstein's class "MCS 494: Unix Security Holes" at
UofI @ Chicago. I was a bit surprised how vocal both he and one of his
students, Jonathan Rockway, were in the thread(s) concerning disclosure;
but it was nice to see them participate in it (and disclose the bugs they
found in the first place, of course).

Yet they both seemed to disassociate themselves from many of the
real-world effects their disclosure decisions have. It would seem the
comfort of Academia colors things to those within its walls. It was a
shame to see an obviously intelligent, skilled & adept math/cs professor
miss the mark on some of the social implications his work has on the
world -- outside of the constrained scope of his coursework.

To me, it just highlighted the very problem he was trying to address.
Namely, that some individuals or teams do not take responsibility for
their actions outside of the limited issues they directly identify with;
whether that be application coder or bug hunter. :(

-- 
dk