[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <72a6fbc05070120514beefc8d@mail.gmail.com>
Date: Sat Jul 2 14:48:19 2005
From: chayotemu at gmail.com (ChayoteMu)
Subject: Publishing exploit code - what is it good for
I'm not too sure if this would help much but from a student standpoint
I understand FAR more about how the security works by knowing how to
break it, which only really works if I have source code and so
full-disclosure exploits. I KNEW what a shellcode and buffer overflow
were for years but I only UNDERSTOOD it after I read "Hacking: The Art
of Exploitation" because it broke it down for me (excellent book BTW).
Now I understand how an overflow exploit works, but don't understand
how a particular one works against a particular program without the
exploit code that I can go over and go "Oh, so that's how it does it."
The idea is that the next generation of security pros (and the current
ones I assume) need the information to be a step ahead by
understanding the tricks used by the exploit, otherwise they're always
playing catch-up to the latest exploit.
On 6/30/05, devnull@...ents.montreal.qc.ca
<devnull@...ents.montreal.qc.ca> wrote:
> [Because of all the broken autoresponders on bugtraq, the header From:
> is a bitbucket. Use the address in the signature to reach me.]
>
> >> Quote: " If I speak to an end-user organization and they express
> >> legitimate needs for exploit code, then I'll change my opinion."
>
> Well, I'm not an end-user organization, but as an end user[%], the
> major benefit I see to full disclosure is that it appears to be close
> to the only thing that has any real success at getting vendors to fix
> bugs. (In general. There certainly are vendors that stay on top of
> things without needing the prod of public exploit disclosure. But they
> are notable by their rarity.)
>
> [%] "End user" is not the only hat I wear. It's just the one I'm
> wearing here.
>
> /~\ The ASCII der Mouse
> \ / Ribbon Campaign
> X Against HTML mouse@...ents.montreal.qc.ca
> / \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
>
--
"To catch a thief, think like a thief. To catch a master thief, be a
master thief."
Powered by blists - more mailing lists