Full Disclosure mailing list archives
Re: Security Industry Under Scrutiny: Part One
From: "sockz loves you" <sockz () email com>
Date: Sun, 10 Nov 2002 21:35:24 -0500
Dear Len, your argument is self-sealing. it lacks substance. if most of the attacks on systems are coming from script kiddies, who have found these holes NOT by themselves but from the security industry and all the 'proof of concept' tools that come out of it, then how does full disclosure protect the interests of the admin? it doesn't. disclosing bugs to a public forum makes them known not only to system admins but also malicious users. and whereas an admin can only patch one system, a script kiddy can attack many many systems.

take the recent attacks on XMB by Mike Parniak and his so called "hacking crew". this script kiddy developed a tool based on a well known md5 exploit in XMB v1.6 Magic Lantern that gives a user admin privileges. he then distributed that tool to lesser skilled script kiddies and the end result was a week of rage against XMB boards around the web (oops did i just say that aloud?). only about 20% of the boards had been patched. and i restate: the bug had been in public circulation for a long while and had even been in full view on XMB's software update page. it even appeared on vuln-dev in mid _May_ this year! how did full disclosure work in this case? by your argument, Len, 6 months would have been more than enough for all the board admins to update their system (all that was required was to change a file name). why such a low success rate? why didn't the security industry's system work in this case (and so many others)?

plz reply as i am very interested in your answers.

<3 sockz

----- Original Message -----
From: Len Rose <len () netsys com>
Date: Thu, 7 Nov 2002 08:45:34 -0500
To: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Security Industry Under Scrutiny: Part One
Let's also not forget the systems people who would rather know about problems so they can at least mitigate the situation by finding work-arounds, apply firewall or router filters, and/or disable services. It's unacceptable to be left in the dark, no matter what the cost because the people who aren't aware of a problem can't defend their hosts or networks. Complaining about so-called whitehats, and the security community doesn't address the above. People have a right to know about problems, assuming that the researcher is kind enough to share the information.

Len