if you are an advocate of computer security, it makes logical sense to notify the vendor of the program before you notify a sea of potential exploiters, *regardless* of whether or not the potential exploiters know of the problem (why blindly assume that they do?). from the point of view of advocates of computer security, full disclosure shouldn't be regarded as some sort of golden truth, rather, as a tool to learn from mistakes made in the past. in accordance, vendors should be allowed to patch a bug before its existence and exploit code is plastered all over internet mailing lists (sure, small circles of hackers may have been exploiting this bug for years, but a small circle of hackers is a far different problem than the sea of script kiddies who don't even know how to use unix, but will then have access to the exploit).

exploit code should not spawn a shell and give full access to the machine. if exploit coders would only release exploits that write(1, "hello world".. the root compromises out there would drop by 99% guaranteed. exploit code should be an EXAMPLE to prove that a bug is exploitable, not an instant ticket to root access on thousands of hosts for people who barely know how to use a computer.

i could care less about computer security aside from the fact that i would like access to as many hosts as possible. i make these points because many so-called hackers out there think they're fighting for some golden cause by releasing potent exploit code, or mailing stupid advisories to bugtraq to claim their fame before even notifying the coders of the application in question.
>Date: Thu, 18 Feb 1999 16:46:17 -0800
>From: routeat_private
>Subject: Re: [HERT] Advisory #002 Buffer overflow in lsof
>To: BUGTRAQat_private
>In-Reply-To: <199902181724.MAA15115at_private> from "Gene Spafford" at Feb 18, 99 12:24:52 pm
>
>[Gene Spafford wrote]
>|
>| People who publish bugs/exploits that are not being actively exploited
>| *before* giving the vendor a chance to fix the flaws are clearly
>| grandstanding. They're part of the problem -- not the solution.
>|
>
> Who is to say the vulnerability in question was NOT being exploited
> prior to release? Odds are it was. Bugtraq is a full-disclosure list.
> The `problem` as you succinctly put it is in *non-disclosure*. While
> it is still questionable whether or not the original posters found the bug
> themselves (the advisory lacked any technical detail) calling them part of
> the problem is a misfire of your disdain (attacking them on the content
> of the advisory --or lack thereof-- is a much better call). The problem,
> in this case, would be the malevolent individual(s) breaking into your
> machine exploiting this bug (before or after it was disclosed).
>
> Don't shoot the messenger.
>--
>I live a world of paradox... My willingness to destroy is your chance for
>improvement, my hate is your faith -- my failure is your victory, a victory
>that won't last.
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:36:20 PDT