> >- - I have not seen any incident reports on Incidents, or any other mailing list for that matter. > >- - You'd think several high profile sites would've been attacked already with such devastating exploits, but >I've seen no reports of this. In fact, if the kids really did have such an exploit, you'd think they'd tag >their h4ndl3z all over high profile sites. But according to Alldas, high profile defacements have been >virtually nonexistent in the last year or so. > >- - Given the skill required to craft such an exploit, I'd think it would be way out of the grasp of the kids. >Since no researcher has come forth with such a vulnerability, it's logical to conclude that this does not >exist. > I'll begin by saying that I am not confirming or denying such an exploit exists, simply playing devil's advocate. As you mention in your 3rd point, the skill required to discover and develop a working exploit for such a vulnerability is far greater than the skill level of a script kiddy. With that in mind, wouldn't it be safe to make the assumption that the people (hypothetically) using this exploit are equally skilled in hiding their presence on the machine? Furthermore, what type of 'incident' would be reported? Interface problems? A web defacement? I woefully disagree that the person(s) who developed an exploit of this magnitude are going to use it to deface websites. Web defacements are generally the acts of RDS abusing script kiddies, whom you yourself stated would not be the source of this exploit. IMHO, suggesting that an person of this technical caliber would use their skill to deface websites for pure lime light is like suggesting a world class brain surgeon would expect a Nobel prize for applying a butterfly bandage. Additionally, script kiddies generally do not understand the legal ramification of defacing 'high profile' websites that have the bankroll to litigate. It's been my experience that people of the skill level required to develop such an exploit are very aware of possible consequences. If such an exploit exists, I would expect exactly what is happening now. Nothing but speculation possibly derived from someone leaking info. In short, you can not conclude that something does not exist simply because you have not found it. -Blake _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
This archive was generated by hypermail 2b30 : Wed Sep 18 2002 - 08:33:00 PDT