Re: [Full-disclosure] Publishing exploit code - what is it good for

From: Erick Mechler (emechler_at_techometer.net)
Date: 06/30/05

  • Next message: John Horn: "[Full-disclosure] Re: Publishing exploit code - what is it good for" 
    Date: Thu, 30 Jun 2005 10:36:57 -0700
To: Joachim Schipper <j.schipper@math.uu.nl>

    :: Blackhats may get along with only a handful of exploits, if they're
    :: willing to try to find targets to match their collection, but a
    :: pentester should have the collection to match the target.
    ::
    :: This is doubly true if we're not talking about a dedicated pentester,
    :: but about a sysadmin with a networking/security background who likes to
    :: verify that the patches did, indeed, work.

    To that I say let the people producing the patches deliver the exploit code
    as a POC that the patches did, indeed, work. Releasing exploit code before
    the patch is released helps nobody except the blackhats.

    :: Also, exploits will be distributed, publicly or otherwise - doing it in
    :: the open means we know what happens when.

    You should, as an admin, assume that once a vulnerability is released, the
    exploit has been too, whether you see it attached to the vuln announcement
    or not.

    Cheers - Erick
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/

  • Next message: John Horn: "[Full-disclosure] Re: Publishing exploit code - what is it good for"