Message-ID: <42C3E828.90501@math.uu.nl>
Date: Thu Jun 30 13:40:28 2005
From: j.schipper at math.uu.nl (Joachim Schipper)
Subject: Publishing exploit code - what is it good for

Aviram Jenik wrote:
> Hi,
> 
> I recently had a discussion about the concept of full disclosure with one of 
> the top security analysts in a well-known analyst firm. Their claim was that 
> companies that release exploit code (like us, but this is also relevant for 
> bugtraq, full disclosure, and several security research firms) put users at 
> risk while those at risk gain nothing from the release of the exploit.
> 
> I tried the regular 'full disclosure advocacy' bit, but the analyst remained 
> reluctant. Their claim was that based on their own work experience, a 
> security administrator does not have a need for the exploit code itself, and 
> the vendor information is enough. The analyst was willing to reconsider their 
> position if an end-user came forward and talked to them about their own 
> benefit of public exploit code. Quote: " If I speak to an end-user 
> organization and they express legitimate needs for exploit code, then I'll 
> change my opinion."
> 
> What I need is a security administrator, CSO, IT manager or sys admin that can 
> explain why they find public exploits are good for THEIR organizations. Maybe 
> we can start changing public opinion with regards to full disclosure, and 
> hopefully start with this opinion leader.
> 
> TIA.

How about anyone who ever hired a pen tester? It's quite impossible to 
have a comprehensive suite of tools without some collaboration, and just 
noting that the vulnerability may exist is not enough in many cases.

Blackhats may get along with only a handful of exploits, if they're 
willing to try to find targets to match their collection, but a 
pentester should have the collection to match the target.

This is doubly true if we're not talking about a dedicated pentester, 
but about a sysadmin with a networking/security background who likes to 
verify that the patches did, indeed, work.

Lastly, I know *I* subscribe to a mailing list that announces new 
exploits - it gives me a good indication of how long a typical hacker 
takes to code an exploit once the vulnerability is released, plus it 
indicates when patching is past due.

I'm afraid we're not quite impressive enough, but finding some who are 
should not be too difficult.

Also, exploits will be distributed, publicly or otherwise - doing it in 
the open means we know what happens when.

		Joachim
