[Full-disclosure] Publishing exploit code - what is it good for
From: Aviram Jenik (aviram_at_beyondsecurity.com)
Date: 06/30/05
- Previous message: Martin Schulze: "[Full-disclosure] [SECURITY] [DSA 733-1] New crip packages fix insecure temporary files"
- Next in thread: bruen_at_coldrain.net: "Re: [Full-disclosure] Publishing exploit code - what is it good for"
- Reply: bruen_at_coldrain.net: "Re: [Full-disclosure] Publishing exploit code - what is it good for"
- Reply: Joachim Schipper: "Re: [Full-disclosure] Publishing exploit code - what is it good for"
- Reply: Anders B Jansson: "Re: [Full-disclosure] Publishing exploit code - what is it good for"
- Maybe reply: Glenn.Everhart_at_chase.com: "RE: [Full-disclosure] Publishing exploit code - what is it good for"
- Reply: bugtraq_at_cgisecurity.net: "Re: [Full-disclosure] Publishing exploit code - what is it good for"
- Maybe reply: Joxean Koret: "Re: [Full-disclosure] Publishing exploit code - what is it good for"
- Reply: Gary E. Miller: "[Full-disclosure] Re: Publishing exploit code - what is it good for"
- Reply: Steve Milner: "[Full-disclosure] Re: Publishing exploit code - what is it good for"
- Reply: Matt.Carpenter_at_alticor.com: "[Full-disclosure] Re: Publishing exploit code - what is it good for"
- Reply: Michael Holstein: "Re: [Full-disclosure] Publishing exploit code - what is it good for"
- Maybe reply: Todd Towles: "RE: [Full-disclosure] Publishing exploit code - what is it good for"
- Reply: James C Slora Jr: "[Full-disclosure] RE: Publishing exploit code - what is it good for"
- Reply: Thomas Reinke: "[Full-disclosure] Re: Publishing exploit code - what is it good for"
- Reply: John Madden: "[Full-disclosure] Re: Publishing exploit code - what is it good for"
- Reply: Damian Menscher: "[Full-disclosure] Re: Publishing exploit code - what is it good for"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
Date: Thu, 30 Jun 2005 15:13:47 +0300
Hi,
I recently had a discussion about the concept of full disclosure with one of
the top security analysts in a well-known analyst firm. Their claim was that
companies that release exploit code (like us, but this is also relevant for
bugtraq, full disclosure, and several security research firms) put users at
risk while those at risk gain nothing from the release of the exploit.
I tried the regular 'full disclosure advocacy' bit, but the analyst remained
reluctant. Their claim was that based on their own work experience, a
security administrator does not have a need for the exploit code itself, and
the vendor information is enough. The analyst was willing to reconsider their
position if an end-user came forward and talked to them about their own
benefit of public exploit code. Quote: "If I speak to an end-user
organization and they express legitimate needs for exploit code, then I'll
change my opinion."
Help me out here. Full disclosure is important for me, as I'm sure it is for
most of the people on these two lists. If you're an end-user organization and
are willing to talk to this analyst and explain your view (pro-FD, I hope),
drop me a note and I'll put you in direct contact.
Please note: I don't need any arguments pro or against full disclosure; all
this has been discussed in the past. I also don't need you to tell me about
someone else or some other project (e.g. nessus, snort) that utilizes these
exploits. Tried that. Didn't work.
What I need is a security administrator, CSO, IT manager or sys admin who can
explain why they find that public exploits are good for THEIR organizations. Maybe
we can start changing public opinion with regard to full disclosure, and
hopefully start with this opinion leader.
TIA.
--
Aviram Jenik
Beyond Security
http://www.BeyondSecurity.com
http://www.SecuriTeam.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/