Full Disclosure mailing list archives
RE: Re: Second critical mremap() bug found in a ll Linux kernels
From: John.Airey () rnib org uk
Date: Thu, 19 Feb 2004 14:59:01 -0000
-----Original Message----- From: Geo. [mailto:geoincidents () getinfo org] Sent: 19 February 2004 13:39 To: full-disclosure () lists netsys com Subject: RE: [Full-disclosure] Re: Second critical mremap() bug found in all Linux kernelsYes but it doesn't mean that we have to deliver tools anyscript kiddie can take and go ahead for hacking!<< I submit to the security industry that this is exactly what is required. Allow me to explain. Without worms, virus, and hacking, exactly what reason would the masses of high bandwidth home machines have to patch? What would motivate the armies of lazy computer owners to lock their machines down so that the internet is not at risk of someone using known exploits to build an army of floodbots and take control of the internet flooding off anyone who opposes them? It is a very real danger that we have already seen beginning and if security is not a concern then how do we protect ourselves from this sort of thing happening? One solution is report exploits, allow vendors sufficient time to create and test patches, allow the masses sufficient time to apply those patches, then release point and shoot exploit code so that the remaining unpatched machines are now at a very real risk. Provide script kiddie tools that don't allow control but do allow you to effect just the exploitable box by perhaps coding them to make it easy to shutdown the box (high annoyance factor but not perm damage). This provides the motivation to secure the world network so that the number of exploitable boxes doesn't reach such a level that no segment is safe. Digital Darwinism.
I don't think we need to encourage people to do nasty things to computers to secure them. There are plenty of people capable of doing such things with or without publicly posted exploit code. The human race isn't as wonderful as some would like to pretend it is. Can you name one invention that hasn't been abused one way or another? Note that I am not saying we shouldn't distribute this code, but I would say be wary of any litigation or arrest that may come your way if you do so. At the risk of another dodgy car analogy, would it be OK to drive down the pavement/sidewalk and run over anyone who doesn't get out of the way quick enough? That's a form of Natural Selection, is it not? Which is why people don't really believe in evolution. I also doubt any population control activists would through themselves at the car either, but that's getting way way off-topic. - John Airey, BSc (Jt Hons), CNA, RHCE Internet systems support officer, ITCSD, Royal National Institute of the Blind, Bakewell Road, Peterborough PE2 6XU, Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 John.Airey () rnib org uk According to the book of Acts, Eutychus was the first man to suffer from a General Protection Fault with Windows. - DISCLAIMER: NOTICE: The information contained in this email and any attachments is confidential and may be privileged. If you are not the intended recipient you should not use, disclose, distribute or copy any of the content of it or of any attachment; you are requested to notify the sender immediately of your receipt of the email and then to delete it and any attachments from your system. RNIB endeavours to ensure that emails and any attachments generated by its staff are free from viruses or other contaminants. However, it cannot accept any responsibility for any such which are transmitted. We therefore recommend you scan all attachments. Please note that the statements and views expressed in this email and any attachments are those of the author and do not necessarily represent those of RNIB. RNIB Registered Charity Number: 226227 Website: http://www.rnib.org.uk _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- RE: Re: Second critical mremap() bug found in a ll Linux kernels John . Airey (Feb 19)