Full Disclosure mailing list archives
Re: Security Industry Under Scrutiny: Part One
From: White Vampire <whitevampire () mindless com>
Date: Sun, 10 Nov 2002 22:15:36 -0500
On Sun, Nov 10, 2002 at 09:35:24PM -0500, sockz loves you (sockz () email com) wrote:
> Dear Len,
I suppose I largely agree with Len.
> your argument is self-sealing. it lacks substance. if most of the attacks on systems are coming from script kiddies, who have found these holes NOT by themselves but from the security industry and all the 'proof of concept' tools that come out of it, then how does full disclosure protect the interests of the admin? it doesn't.
Incompetency does not work as an argument against a viable method. Hell, a guy might not know how to cook a hamburger properly at McDonald's; it doesn't mean they're all going to make you sick. (Let's hear it for stupid metaphors.) As far as I am concerned, if a person cannot properly do their job, it is their fault. Eventually, someone is going to get a clue, and if that means eliminating jobs for those incapable of performing them, so be it. The truth is the most important subject here. The future of the Internet is somewhat uncertain, as it is... everybody wants to regulate everything. It's somewhat sad.
> take the recent attacks on XMB by Mike Parniak and his so called "hacking crew". this script kiddy developed a tool based on a well known md5 exploit in XMB v1.6 Magic Lantern that gives a user admin privileges. he then distributed that tool to lesser skilled script kiddies and the end result was a week of rage against XMB boards around the web (oops did i just say that aloud?). only about 20% of the boards had been patched. and i restate: the bug had been in public circulation for a long while and had even been in full view on XMB's software update page.
The emphasis on poorly implemented Web applications on security lists these days is annoying.
> it even appeared on vuln-dev in mid _May_ this year!
Perhaps that speaks of the userbase of that software, rather than a general consensus of Internet practices. I would also suggest the people who develop the aforementioned software implement a security or announcement list for their software. I would hope that they at least update the Web site. If a person runs outdated software, that is their fault.
> how did full disclosure work in this case? by your argument, Len, 6 months would have been more than enough for all the board admins to update their system (all that was required was to change a file name). why such a low success rate? why didn't the security industry's system work in this case (and so many others)?
I propose a new government agency mandating access for all Internet accessible machines across the world. This agency will be responsible for updating software without notifying the owners, thus continuing a security blanket for the world. Oh yeah, and the airlines are safe now. Really, they are.

Regards,

--
White Vampire\Rem | http://gammaforce.org/
whitevampire () mindless com | http://gammagear.com/
"Silly hacker, root is for administrators." | http://webfringe.com/