I would just like to add this from a net admin / engineer's perspective. I think that exploits are software. Software can be proprietary or freeware. If an exploit writer wants to sell his code, that is fine; he created it, and if he wishes to be paid for his work he deserves to be.

My question is based on this scenario: let's say you are a pen-tester or someone doing vulnerability assessments, and you paid $1,000 or whatever dollar amount for some remote IIS exploit for which there is no patch. If you are pen-testing, sure, you compromise the web server, but at the end of the day the clients are going to want that fixed. What do you say then? I know people (pen-testers) will say, "Oh well, M$ hasn't patched it, sorry." But I don't know if that really helps anyone. In the end, all 0-days do is provide an upper hand (as in a non-level playing field) to black hats or computer attackers.

So in my mind selling exploits is fine; it is similar to selling any other form of software. Since exploits are not illegal (unlike guns), one cannot compare it to selling arms. Does it make me happy to know that people are doing it? No, not at all, but it doesn't make me happy either knowing someone coded something, released it, and someone else is making tens of thousands off of it. Perhaps the best thing to do, if blackhats want to keep their sploits private and not have them used by pen-testers, is exactly that: keep them private.

Not sure if that means anything, but that is my take as a lowly net admin.

Regards,
Leon
This archive was generated by hypermail 2b30 : Sat Oct 20 2001 - 11:22:56 PDT