RE: Re: Second critical mremap() bug found in a ll Linux kernels

[John.Airey () rnib org uk]

> -----Original Message-----
> From: Geo. [mailto:geoincidents () getinfo org]
> Sent: 19 February 2004 13:39
> To: full-disclosure () lists netsys com
> Subject: RE: [Full-disclosure] Re: Second critical mremap() 
> bug found in
> all Linux kernels
>
>
>
> > > Yes but it doesn't mean that we have to deliver tools any 
> script kiddie
> can take and go ahead for hacking!<<
>
> I submit to the security industry that this is exactly what 
> is required.
> Allow me to explain.
>
> Without worms, virus, and hacking, exactly what reason would 
> the masses of
> high bandwidth home machines have to patch? What would 
> motivate the armies
> of lazy computer owners to lock their machines down so that 
> the internet is
> not at risk of someone using known exploits to build an army 
> of floodbots
> and take control of the internet flooding off anyone who opposes them?
>
> It is a very real danger that we have already seen beginning 
> and if security
> is not a concern then how do we protect ourselves from this 
> sort of thing
> happening?
>
> One solution is report exploits, allow vendors sufficient 
> time to create and
> test patches, allow the masses sufficient time to apply those 
> patches, then
> release point and shoot exploit code so that the remaining unpatched
> machines are now at a very real risk. Provide script kiddie 
> tools that don't
> allow control but do allow you to effect just the exploitable 
> box by perhaps
> coding them to make it easy to shutdown the box (high 
> annoyance factor but
> not perm damage). This provides the motivation to secure the 
> world network
> so that the number of exploitable boxes doesn't reach such a 
> level that no
> segment is safe.
>
> Digital Darwinism.

I don't think we need to encourage people to do nasty things to computers to
secure them. There are plenty of people capable of doing such things with or
without publicly posted exploit code. The human race isn't as wonderful as
some would like to pretend it is. Can you name one invention that hasn't
been abused one way or another?

Note that I am not saying we shouldn't distribute this code, but I would say
be wary of any litigation or arrest that may come your way if you do so.

At the risk of another dodgy car analogy, would it be OK to drive down the
pavement/sidewalk and run over anyone who doesn't get out of the way quick
enough? That's a form of Natural Selection, is it not? Which is why people
don't really believe in evolution. 

I also doubt any population control activists would through themselves at
the car either, but that's getting way way off-topic.

- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 John.Airey () rnib org uk 

According to the book of Acts, Eutychus was the first man to suffer from a
General Protection Fault with Windows.

- 
DISCLAIMER: 

NOTICE: The information contained in this email and any attachments is 
confidential and may be privileged. If you are not the intended 
recipient you should not use, disclose, distribute or copy any of the 
content of it or of any attachment; you are requested to notify the 
sender immediately of your receipt of the email and then to delete it 
and any attachments from your system. 

RNIB endeavours to ensure that emails and any attachments generated by 
its staff are free from viruses or other contaminants. However, it 
cannot accept any responsibility for any  such which are transmitted.
We therefore recommend you scan all attachments. 

Please note that the statements and views expressed in this email and 
any attachments are those of the author and do not necessarily represent 
those of RNIB. 

RNIB Registered Charity Number: 226227 

Website: http://www.rnib.org.uk 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html