[Full-disclosure] Re: Publishing exploit code - what is it good for

Matt.Carpenter_at_alticor.com
Date: 06/30/05

    To: aviram@beyondsecurity.com
    Date: Thu, 30 Jun 2005 13:42:28 -0400
    
    

    We are a company that actively keeps up to date on publicly available
    exploits. Their availability not only prompts us to understand the risks
    when prioritizing, but also provides us with the necessary tools to dispel
    nay-sayers' arguments of disbelief. Nothing like showing management the
    true risks...

    Beyond that, from a more theoretical standpoint, we believe that
    full-disclosure and publicly accessible exploits serve as a cattle-prod
    for vendors that would otherwise ignore vulnerabilities. Exploits are not
    easily available, so they must not exist. We all know that this is not
    the case.

    My personal opinion is that full-disclosure allows those whose minds are
    inclined to break things something constructive to do, short of joining
    the dark side. I'm much less likely to consider H.D. Moore a danger to my
    network since he is able to release his (their) toolset freely. Otherwise,
    the urge to "prove" how great they are might lead more hacker-types down
    the seductive path. HDM is great, and we all know it. He doesn't have to
    prove it by doing a "seriously righteous hack."

    But that's just my thinking. Dangerous to listen too closely.

     
    Matthew Carpenter
    IT Security Specialist
    Alticor Corporation
    Phone: 616-787-0287
    Email: matt.carpenter@alticor.com

    -----BEGIN PGP PUBLIC KEY FINGERPRINT-----
    PGP Fingerprint: 52C3 328D C29C 178B 2DFD 9EA8 C710 0042 8CB4 3CDB
    -----END PGP PUBLIC KEY FINGERPRINT-----

    Aviram Jenik <aviram@beyondsecurity.com>
    30/06/2005 08:13

    To
    full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
    cc

    Subject
    Publishing exploit code - what is it good for

    Hi,

    I recently had a discussion about the concept of full disclosure with one
    of the top security analysts in a well-known analyst firm. Their claim was
    that companies that release exploit code (like us, but this is also
    relevant for bugtraq, full disclosure, and several security research firms)
    put users at risk while those at risk gain nothing from the release of the
    exploit.

    I tried the regular 'full disclosure advocacy' bit, but the analyst
    remained reluctant. Their claim was that based on their own work
    experience, a security administrator does not have a need for the exploit
    code itself, and the vendor information is enough. The analyst was willing
    to reconsider their position if an end-user came forward and talked to
    them about their own benefit of public exploit codes. Quote: "If I speak to
    an end-user organization and they express legitimate needs for exploit
    code, then I'll change my opinion."

    Help me out here. Full disclosure is important for me, as I'm sure it is
    for most of the people on these two lists. If you're an end-user
    organization and are willing to talk to this analyst and explain your view
    (pro-FD, I hope), drop me a note and I'll put you in direct contact.

    Please note: I don't need any arguments pro or against full disclosure;
    all this has been discussed in the past. I also don't need you to tell me
    about someone else or some other project (e.g. nessus, snort) that
    utilizes these exploits. Tried that. Didn't work.

    What I need is a security administrator, CSO, IT manager or sys admin that
    can explain why they find public exploits are good for THEIR
    organizations. Maybe we can start changing public opinion with regards to
    full disclosure, and hopefully start with this opinion leader.

    TIA.

    -- 
    Aviram Jenik
    Beyond Security
    http://www.BeyondSecurity.com
    http://www.SecuriTeam.com
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/
    
