OK, I think we've had reasonable representation on this topic, and are now down to name-calling and semantics. Couple of points:

As someone who uses a pseudonym often, I can say that it's no real barrier to profiting. I can selectively reveal who I am to get contracts, jobs, book deals, etc... I don't publicly represent a company, but that's obviously easily changeable. Meanwhile, I collect "fame" (such as it is) until such a time as I choose to use it, if I do. I've got no reason to think RFP will do any of this, but to say that he couldn't is wrong. Again, I'm not trying to say anything about RFP's character (his defense of himself is 100% accurate, near as I can tell), just that being anonymous in this business doesn't stop you from doing a thing.

As for the main topic... Ultimately, if you write an exploit, you may reserve the right to sell it. That's what copyright is for. I wouldn't expect a lot of sales. The rest of us would be within our rights to reverse engineer it, and produce an independently written one. I don't believe it's possible to patent an exploit.

The rest of the question is all about "should". We know for sure that a number of groups are served by the release of an exploit. Here's a probably incomplete list:

-Script Kiddies (or whatever you'd like to call people who use them on systems that they have no permission to)
-Pen Testers
-Vulnerability Database Maintainers
-Remote Vulnerability Assessment Authors
-IDS Signature Authors
-System Administrators
-Security Professionals
-Vulnerability Researchers
-The Publishers of the Vulnerable Software

You can't successfully argue that each of those will use an exploit if it is available. I've been most of that list throughout my career, and I've had a use for exploits each step of the way. That really only leaves the question of who benefits most from having exploits, and if you want them to.
Elias had some interesting points today along those lines: http://securityfocus.com/news/270

Perhaps unsurprisingly, I agree with him quite a bit. Given the list I moderate, it's pretty obvious that I support publicly releasing exploits. I hold in contempt those people who keep exploits private so that only they may use them. They have the right to do so, but I fault their character for doing so. Doesn't really matter if they're a script kiddie or a pen-tester. I don't believe they are helping if they keep vulnerability info private. That doesn't mean that I expect them to just publish the vuln with no warning. My feelings are that RFPolicy (at least last time I looked at it) is a pretty good standard for that.

Now I understand that some people (such as the anti-security bunch) have a real problem with people taking someone's exploit work and publishing it or using it at a profit. I have no problem with that. They ultimately help make people more secure. What do I care if they make money at it? As long as we can have the same info so that we don't *have* to pay them, what harm does it do us? If you don't like helping ISS, then go help Renaud with Nessus.

So, that's my opinion on the subject. It doesn't really affect the list much. The list is here to publish as much vulnerability information as possible. The only way my opinion affects the list is that when I find out there's an exploit being used in the wild that the rest of us don't have access to, I will do whatever I can personally to make sure the info gets out.

BB
This archive was generated by hypermail 2b30 : Mon Oct 22 2001 - 10:04:01 PDT