In the profound words of anonpdoxat_private:

> [snip...]
> Full disclosure of vulnerability information fixes security holes.
> Fair enough. I won't bother arguing that. What exactly does the release of
> exploits accomplish though?
>
> Security $$ Penetrator: You're vulnerable to XXX
> Client: I don't believe you!
> Security $$ Penetrator: Ok, here's my proof of concept
> Security $$ Penetrator: See?
> Client: Oh! We better patch. Here's your payment.
>
> Give me a fscking break. Not even the worst of people are that
> thick.

Never underestimate the human capacity for stupidity... ;-) Some people ARE that thick... Or, some don't so much disbelieve the existence of a problem, but just don't CARE about it, unless it can be proved to them they have a reason to care (ie: there's a tool floating around out there that any half-wit can grab and use to break in)... Also, it's not just commercial security consultants/pen-testers/etc. in the above conversations: it's often sysadmins and security admins who work for the company in question, trying to convince their own bosses that they really need to bring down Critical Server X long enough to patch it...

> I think what really happens is that script kids are
> armed, and this gives security professionals many case
> studies to choose from and threats to identify in their
> risk assessments. And some guy wanting money for an
> exploit is evil. Yah ok.

I won't argue this... You're definitely correct: commercial security firms benefit from the proliferation of script kiddies wielding exploits they don't understand, in the same way anti-virus firms benefit from the proliferation of virii and virii-creation kits that any lame-brain can use... And, in general, I sympathize a lot with your position throughout your message... I can understand that exploit writers may feel cheated when various companies take their hard work and make money off it, without so much as even giving them any credit, let alone a cut of the cash...
However, it's really incorrect to suggest that this is the ONLY consequence of publicly releasing exploit code, and that there are NO positive benefits... There are plenty of legit uses for public exploit code:

1. Encouraging the vendor to release a fix that much sooner... Many will take an "If there's not an existing exploit for it, we don't have to care too much about it yet" attitude... The mere existence of an exploit will often hasten their creation of a patch, thereby resulting in better security for all of their customers...

2. The aforementioned convincing thick-headed people of the need for applying existing patches to holes...

3. Testing whether or not a vendor-supplied patch really works, like it claims to do... (Certainly, there have been cases in the past where they didn't... It's crazy to suggest blind trust of vendors to do the right thing... It's not in their own best interests to do the right thing, if they can get away with NOT doing so...)

4. Studying the code for a variety of reasons: fingerprinting it for creating an IDS signature (yes, you talked about that later, but I still think there's some value in having a sig for a specific exploit, especially if an easily publicly-available one, which all the clueless kiddies are likely to be using); trying to understand how it works, and perhaps improve on it, or extend the idea to other areas/apps (ie: code as a tool for teaching new exploit coders); trying to understand how it works, so as to avoid making the same mistakes it exploits in any code of your own (ie: code as a tool for teaching app developers how to code more securely); simply satisfying one's innate curiosity to know how things work; etc...

5. And, just generally keeping the information out in the open for all to see, rather than keeping it hidden... I've never seen ANY good ever come from keeping information hidden...
There are always arguments by various people for the supposed need to keep certain info hidden (national security, the people couldn't handle it, etc.), but they're all a crock of shit... The public has a right to be informed of the full details of things which directly affect them; and, software users have a right to be informed of the full details of vulnerabilities which affect the software they use... Full details generally includes exploit code, since that's the easiest way to give full details of the problem (to those who can read the code, anyway)... But, even if not, the details would necessarily have to be enough to allow pretty much anyone who can code, to code their own exploit...

Sure, in addition to all these good things, releasing exploit code also arms script kiddies and leeches wishing to make money off the code through no effort of their own... Does the bad outweigh the good? I don't think so... Quite the opposite, IMHO... But, if one disagrees, I suppose no one is suggesting all exploit coders should be FORCED to release their exploits... If they don't want to, well that's their right... I just think they're deluding themselves if they refuse to acknowledge any of the real GOOD that comes from releasing the exploits... The world may often seem full of the worst sleaze imaginable, and it can become easy to believe there's nothing else out there but that sleaze, but I assure you there are still some decent people out there who appreciate the hard work of exploit coders, and try to use it for various positive purposes...

[And, for the record, I'm neither a member of the "security industry" nor the "underground"... "I'm just zis guy, you know..." ;-)]

--
||========================================================================||
|| Rob Seace     || URL                            || rasat_private       ||
|| AKA: Agrajag  || http://www.magrathea.com/~ras/ || robat_private       ||
||========================================================================||
"Ford! There's an infinite number of monkeys outside who want to talk to us
about this script for 'Hamlet' they've worked out." - THGTTG
This archive was generated by hypermail 2b30 : Mon Oct 22 2001 - 11:03:48 PDT