Re: [Full-Disclosure] DCOM RPC exploit (dcom.c)

From: Nick FitzGerald (nick_at_virus-l.demon.co.uk)
Date: 07/27/03

    To: full-disclosure@lists.netsys.com
    Date: Sun, 27 Jul 2003 17:02:43 +1200

    "gregh" <chows@ozemail.com.au> wrote:

    > Just my $0.02:
    >
    > Shoot the messenger - that always stops the bad event happening.
    >
    > Sorry for the sarcasm. I can never see the point in "If we don't tell
    > the enemy how to build a nuclear weapon they never will so we are
    > safer as a result" logic.

    The logic is not that you are ultimately "safer" in the sense that
    potential "adversaries" will be _prevented forever_ from developing
    "something bad" to use against you based on this "knowledge".

    The argument is that you will be probabilistically safer for a longer
    time. If you don't give kitset weapons, or the detailed plans of how
    to make them, to all and sundry then the number of potential
    adversaries who can use that type of weapon against you is _reduced_.
    Thus, probabilistically, over many iterations of such new weapon
    possibilities and designs, it is longer on average before any one of
    these weapons whose availability has been "boosted" is used against you
    _relative to those cases where the possibilities and plans are not
    disclosed_.

    Thus, not disclosing such information is part of managing the risk
    associated with a vulnerability.

    That is not to say "you can get right royally shagged via DCOM over RPC
    so apply this patch now" is not valuable information of the sort that
    should not be disclosed. However, publishing exploit code for the
    kudos of the "my willy is bigger than yours" kind, which typically is
    the only "benefit" accruing to the discloser, is somewhere between
    narcissistic bloody mindedness and outright criminal.

    (At the risk of strolling even further off topic, the first point
    reminds me of something the proponents of "give us the sploits" often
    trundle out -- convincing those managers who "won't believe X is
    possible until they see it with their own eyes". Of course, selling
    "real security" to such folk is much like being tailor to that mythical
    emperor, so availability of sploits should not be necessary at all, as
    essentially the problem in such instances reduces to one or other of,
    "will I spoil my professional reputation by being hamstrung into
    implementing half-arsed solutions because this guy has half of a
    baboon's brain" _or_ to that of a marketing problem where the "art" is
    in deciding how to tell them any old crap so long as it is wrapped up
    in enough techno-gibberese that they think they half understand what
    you are talking about.

    > Greg - you may call me a "Jihad O'Clue." if you wish.

    I may, but as you're inviting name-calling, I think I am rather more
    likely to call you a silly twat that uses some chronically lame HTML
    Email client that has no place in the working armory of a security
    professional, at least not if its trivial configuration options that
    disable the sending of HTML Email are not disabled.

    Regards,

    Nick FitzGerald

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

