RE: [Full-Disclosure] no more public exploits and general PoC gui de lines

From: Harlan Carvey (keydet89_at_yahoo.com)
Date: 04/27/04

  • Next message: D B: "[Full-Disclosure] Decompression" 
    To: full-disclosure@lists.netsys.com
Date: Tue, 27 Apr 2004 12:37:14 -0700 (PDT)

    Well, then the hole you get stuck in with that
    particular situation is systems going unpatched, b/c
    there is no exploit for the vulnerability.

    A company I used to work for was that way. Regardless
    of what security strongly recommended, patches weren't
    being installed in a timely manner...largely b/c there
    were no reports of actual exploit code being released.
     However, a customer insisted that the patches be
    installed ASAP...the logic used by the sysadmins
    didn't jive.

    > Having proof of concept code is always valuable
    > (and the sooner the better),
    > but I question releasing exploits that execute code
    > on the target machine. Having a DoS PoC is enough...
    > The legitimate pentesters will be able to modify the
    > PoC to execute code on the target while, at the same
    > time, the "kiddies" will be stuck with something of
    > little or no use to them. This way everybody is
    > happy.
    > Some of you might say that some "kiddies" will be
    > able
    > to modify the DoS PoC to execute code for their
    > malicious
    > needs. Well, if this is the case, then we are no
    > longer
    > dealing with "kiddies"... If they can do this then
    > they
    > are capable of creating their own exploits...

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

  • Next message: D B: "[Full-Disclosure] Decompression"