In the profound words of fintler:
>
> --- Labkonto <ppht-15at_private> wrote:
> > Anyone here that developed an exploit
> > for the Telnetd buffer overflow on solaris,
> > or know where to get one?
>
> Now why would you possibly want something like that...if you were an admin, you'd just patch your
> box and forget it. I can only assume you're trying to get into someone else's box, what makes you
> think I'm going to give you a script so you can get someone fired from their job because you felt
> like being an 3r3ct skr1pt k1ddi3.

Ah, guilty until proven innocent, eh? Wonderful attitude, that... Since when does wanting access to exploits qualify one as a criminal?? Jesus... Does that make every visitor to SecurityFocus.com's vulnerability database a criminal? After all, in your own words, why would they possibly want access to all those exploits, if they weren't all just evil script kiddies? Give me a break... That's the poorest attempt at arguing against full disclosure that I've ever heard... It's hardly even worth responding to...

But, just to humor you... If you had ever actually administered a system before, you might realize that it's generally not wise to just go around applying every single new patch that comes out to a working, actively-used production server, without any thought to the consequences... Many patches can have bad side-effects and screw up things that were working fine before... (Granted, that's usually MS patches, for the most part, but others are sometimes guilty, as well... ;-))

And, maybe the server is really critical, and every SECOND of downtime comes at great cost; so, management won't ALLOW you to take the thing down long enough to patch it, unless you can clearly demonstrate to them a clear and present danger in its current setup...

Or, maybe the exploit is needed to test the patch after it's applied, to make sure it actually worked to close the hole... It's not unknown for vendors to release faulty patches that don't do what they claim, either...

Or, maybe the person is just curious, and trying to learn about exploits, by playing with a live one on a box he has the right to screw with, and seeing how it works...

Or, maybe they ARE just a script kiddie... Who knows? But, it doesn't matter, either way: hiding the information, under the guise of some moral superiority, while proclaiming judgement on everyone else, is just stupid and counter-productive... Anyone who has such an unreleased exploit, and is NOT releasing it to the public at large, is just helping out those very same script kiddies they profess to be guarding against, while at the same time, putting the sysadmins and other honest people that they profess to be on the side of, at a great disadvantage...

Hiding information is NEVER a good course of action, and NEVER helps anyone except the bad guys (who still have plenty of ready access to the now hidden info, while the good guys do not)...

--
||========================================================================||
|| Rob Seace || URL || rasat_private ||
|| AKA: Agrajag || http://www.magrathea.com/~ras/ || robat_private ||
||========================================================================||
"A dead telephone sanitizer?" "Best kind."
"But what's he doing here?" "Not a lot."
 - The Restaurant at the End of the Universe

This archive was generated by hypermail 2b30 : Thu Sep 06 2001 - 17:05:26 PDT