Full Disclosure mailing list archives

Re: Possible apache2/php 4.3.9 worm


From: dk <dk () pwarchitects com>
Date: Mon, 27 Dec 2004 19:20:03 -0600

DanB UK wrote:
>> Do read the code carefully though Dan. Right off hand I can see errors
>> that were also in the code posted to bugtraq on the 20th; K-OTik may
>> have added more, dunno.
>
> It is probable that they have added errors in, to curb the script
> kiddies picking things up and modifying it and releasing it.

Yeah, I think it has been mentioned here that K-OTik does this with their posted code, which is fine by me. :)

> I have a bit of a worry about that and my talk, whether or not to
> release my sample code. It could be used quite evilly if the intention
> was there. I probably won't.

I have had concerns about this as well, but remain a staunch supporter of the Full Disclosure concept sprinkled with some common sense. With the time to live for viruses/worms/exploits this year (from disclosure of a bug to malware exploiting it) it's obvious that the "bar" is getting progressively lower each year with regard to the skill set it takes to develop this code, which is a shame, as developing that skill over time lends itself to a better understanding of the responsibility that comes with it.

So a PoC or code that is missing key parts (that a skilled person could decipher), or an advisory that informs the author(s) before the general public, seems a socially responsible way to address bugs in our current climate. It /is/ hard not to share your work with others, and ultimately it does everyone a disservice not to disseminate the knowledge. :)

There has been an interesting discussion regarding this on Bugtraq concerning Prof. D. J. Bernstein's class "MCS 494: Unix Security Holes" at UofI @ Chicago.
I was a bit surprised how vocal both he and one of his students, Jonathan Rockway, were in the thread(s) concerning disclosure; but it was nice to see them participate in it (and disclose the bugs they found in the first place, of course). Yet they both seemed to dissociate themselves from many of the real-world effects their disclosure decisions have. It would seem the comfort of academia colors things for those within its walls. It was a shame to see an obviously intelligent, skilled and adept math/CS professor miss the mark on some of the social implications his work has on the world, outside of the constrained scope of his coursework.

To me, it just highlighted the very problem he was trying to address: namely, that some individuals or teams do not take responsibility for their actions outside of the limited issues they directly identify with, whether that be the application coder or the bug hunter. :(

--
dk

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html