Full Disclosure mailing list archives
Re: Publishing exploit code - what is it good for
From: Matt.Carpenter () alticor com
Date: Thu, 30 Jun 2005 13:42:28 -0400
We are a company that actively keeps up to date on publicly available exploits. Their availability not only prompts us to understand the risks when prioritizing, but also provides us with the necessary tools to dispel nay-sayers' arguments of disbelief. Nothing like showing management the true risks...

Beyond that, from a more theoretical standpoint, we believe that full-disclosure and publicly accessible exploits serve as a cattle-prod for vendors that would otherwise ignore vulnerabilities. Exploits are not easily available, so they must not exist. We all know that this is not the case.

My personal opinion is that full-disclosure allows those whose minds are inclined to break things something constructive to do, short of joining the dark side. I'm much less likely to consider H.D. Moore a danger to my network since he is able to release his (their) toolset freely. Otherwise, the urge to "prove" how great they are might lead more hacker-types down the seductive path. HDM is great, and we all know it. He doesn't have to prove it by doing a "seriously righteous hack."

But that's just my thinking. Dangerous to listen too closely.

Matthew Carpenter
IT Security Specialist
Alticor Corporation
Phone: 616-787-0287
Email: matt.carpenter () alticor com
Page Me (230 characters Max)
Email ITSS On-Call Account
-----BEGIN PGP PUBLIC KEY FINGERPRINT-----
PGP Fingerprint: 52C3 328D C29C 178B 2DFD 9EA8 C710 0042 8CB4 3CDB
-----END PGP PUBLIC KEY FINGERPRINT-----

Aviram Jenik <aviram () beyondsecurity com>
30/06/2005 08:13
To: full-disclosure () lists grok org uk, bugtraq () securityfocus com
cc:
Subject: Publishing exploit code - what is it good for

Hi,

I recently had a discussion about the concept of full disclosure with one of the top security analysts in a well-known analyst firm.

Their claim was that companies that release exploit code (like us, but this is also relevant for bugtraq, full disclosure, and several security research firms) put users at risk while those at risk gain nothing from the release of the exploit. I tried the regular 'full disclosure advocacy' bit, but the analyst remained reluctant. Their claim was that, based on their own work experience, a security administrator does not have a need for the exploit code itself, and the vendor information is enough.

The analyst was willing to reconsider their position if an end-user came forward and talked to them about their own benefit of public exploit codes. Quote: "If I speak to an end-user organization and they express legitimate needs for exploit code, then I'll change my opinion."

Help me out here. Full disclosure is important for me, as I'm sure it is for most of the people on these two lists. If you're an end-user organization and are willing to talk to this analyst and explain your view (pro-FD, I hope), drop me a note and I'll put you in direct contact.

Please note: I don't need any arguments pro or against full disclosure; all this has been discussed in the past. I also don't need you to tell me about someone else or some other project (e.g. nessus, snort) that utilizes these exploits. Tried that. Didn't work. What I need is a security administrator, CSO, IT manager or sys admin that can explain why they find that public exploits are good for THEIR organizations.

Maybe we can start changing public opinion with regards to full disclosure, and hopefully start with this opinion leader.

TIA.

--
Aviram Jenik
Beyond Security
http://www.BeyondSecurity.com
http://www.SecuriTeam.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/