lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <72a6fbc05070120514beefc8d@mail.gmail.com> Date: Sat Jul 2 14:48:19 2005 From: chayotemu at gmail.com (ChayoteMu) Subject: Publishing exploit code - what is it good for I'm not too sure if this would help much but from a student standpoint I understand FAR more about how the security works by knowing how to break it, which only really works if I have source code and so full-disclosure exploits. I KNEW what a shellcode and buffer overflow were for years but I only UNDERSTOOD it after I read "Hacking: The Art of Exploitation" because it broke it down for me (excellent book BTW). Now I understand how an overflow exploit works, but don't understand how a particular one works against a particular program without the exploit code that I can go over and go "Oh, so that's how it does it." The idea is that the next generation of security pros (and the current ones I assume) need the information to be a step ahead by understanding the tricks used by the exploit, otherwise they're always playing catch-up to the latest exploit. On 6/30/05, devnull@...ents.montreal.qc.ca <devnull@...ents.montreal.qc.ca> wrote: > [Because of all the broken autoresponders on bugtraq, the header From: > is a bitbucket. Use the address in the signature to reach me.] > > >> Quote: " If I speak to an end-user organization and they express > >> legitimate needs for exploit code, then I'll change my opinion." > > Well, I'm not an end-user organization, but as an end user[%], the > major benefit I see to full disclosure is that it appears to be close > to the only thing that has any real success at getting vendors to fix > bugs. (In general. There certainly are vendors that stay on top of > things without needing the prod of public exploit disclosure. But they > are notable by their rarity.) > > [%] "End user" is not the only hat I wear. It's just the one I'm > wearing here. > > /~\ The ASCII der Mouse > \ / Ribbon Campaign > X Against HTML mouse@...ents.montreal.qc.ca > / \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B > -- "To catch a thief, think like a thief. To catch a master thief, be a master thief."
Powered by blists - more mailing lists