Re: [Full-Disclosure] DCOM RPC exploit (dcom.c)
From: Nick FitzGerald (nick_at_virus-l.demon.co.uk)
To: email@example.com
Date: Sun, 27 Jul 2003 17:02:43 +1200
"gregh" <firstname.lastname@example.org> wrote:
> Just my $0.02:
> Shoot the messenger - that always stops the bad event happening.
> Sorry for the sarcasm. I can never see the point in "If we don't tell
> the enemy how to build a nuclear weapon they never will so we are
> safer as a result" logic.
The logic is not that you are ultimately "safer" in the sense that
potential "adversaries" will be _prevented forever_ from developing
"something bad" to use against you based on this "knowledge".
The argument is that you will be probabilistically safer for a longer
time. If you don't give kitset weapons, or the detailed plans of how
to make them, to all and sundry then the number of potential
adversaries who can use that type of weapon against you is _reduced_.
Thus, probabilistically, over many iterations of such new weapon
possibilities and designs, it is longer on average before any one of
these weapons whose availability has been "boosted" is used against you
_relative to those cases where the possibilities and plans are not
Thus, not disclosing such information is part of managing the risk
associated with a vulnerability.
That is not to say "you can get right royally shagged via DCOM over RPC
so apply this patch now" is not valuable information of the sort that
should not be disclosed. However, publishing exploit code for the
kudos of the "my willy is bigger than yours" kind, which typically is
the only "benefit" accruing to the discloser, is somewhere between
narcissistic bloody mindedness and outright criminal.
(At the risk of strolling even further off topic, the first point
reminds me of something the proponents of "give us the sploits" often
trundle out -- convincing those managers who "won't believe X is
possible until they see it with their own eyes". Of course, selling
"real security" to such folk is much like being tailor to that mythical
emperor, so availability of sploits should not be necessary at all, as
essentially the problem in such instances reduces to one or other of,
"will I spoil my professional reputation by being hamstrung into
implementing half-arsed solutions because this guy has half of a
baboon's brain" _or_ to that of a marketing problem where the "art" is
in deciding how to tell them any old crap so long as it is wrapped up
in enough techno-gibberese that they think they half understand what
you are talking about.
> Greg - you may call me a "Jihad O'Clue." if you wish.
I may, but as you're inviting name-calling, I think I am rather more
likely to call you a silly twat that uses some chronically lame HTML
Email client that has no place in the working armory of a security
professional, at least not if its trivial configuration options that
disable the sending of HTML Email are not disabled.
Full-Disclosure - We believe in it.