Re: [Full-disclosure] Publishing exploit code - what is it good for

From: KF (lists) (kf_lists_at_digitalmunition.com)
Date: 06/30/05

  • Next message: Damian Menscher: "[Full-disclosure] Re: Publishing exploit code - what is it good for" 
    Date: Thu, 30 Jun 2005 16:10:46 -0400
To: full-disclosure@lists.grok.org.uk

    Change control policy at one of my jobs put me in an identical
    situation. I flat out could not patch a machine unless I could produce a
    cmd.exe or /bin/sh prompt remotely.

    Putting that stuff aside how about the vendors that like to try to hide
    things from you? Vendors love Jedi Mind tricks..."these aren't the
    droids you are looking for." If PoC is not produced you are never hip to
    the things that leave your OS vulnerable. For example...
    http://news.com.com/2100-1023-947325.html

    -KF

    Kenneth Ng wrote:

    >I have had administrators refuse to patch systems until I could prove
    >that I could break in using an exploit right in front of them. I've
    >been told that they need to balance my theoritical risk against their
    >actual outlay of resources (yet, for some reason, they bet the
    >lottery).
    >
    >On 6/30/05, Jason Coombs <jasonc@science.org> wrote:
    >
    >
    >>>What I need is a security administrator, CSO, IT manager or sys admin
    >>>that can explain why they find public exploits are good for THEIR
    >>>organizations. Maybe we can start changing public opinion with regards
    >>>to full disclosure, and hopefully start with this opinion leader.
    >>>
    >>>
    >_______________________________________________
    >Full-Disclosure - We believe in it.
    >Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    >Hosted and sponsored by Secunia - http://secunia.com/
    >
    >
    >
    >
    >

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/

  • Next message: Damian Menscher: "[Full-disclosure] Re: Publishing exploit code - what is it good for"

    Relevant Pages

    • RE: [Full-disclosure] Our Industry Is Seriously Ethics Impaired
      ... to get the patch done in a reasonable time frame? ... >The company is planning to reward security researchers who reveal ... >information on newly discovered vulnerabilities. ... >3Com will notify affected vendors of security flaws so they can ...
      (Full-Disclosure)
    • Re: Hogwash
      ... Be ready on Monday morning for a small patch, ... >>> contacts with various projects and vendors know no more than what was ... >> If you fail to immunize your users, then the best you can do is tell ... then the bug will be public. ...
      (FreeBSD-Security)
    • RE: [fw-wiz] terminal services
      ... > people didn't patch their machines. ... Yes, but if you look at all the patches and DLL versions, it's a twisty ... > No doubt, but the holes are secondary to what I believe the root problem is, ... > which is laziness on the part of users, admins and vendors to apply patches ...
      (Firewall-Wizards)
    • Re: IO-APIC on nforce2 [PATCH] + [PATCH] for nmi_debug=1 + [PATCH] for idle=C1halt, 2.6.5
      ... I cannot see anyone using your above patch without an integrated ... I'm not clued-in on the nmi_watchdog and 8259 ack issues. ... any support from the vendors. ... send the line "unsubscribe linux-kernel" in ...
      (Linux-Kernel)
    • RE: [fw-wiz] terminal services
      ... > pointing out the danger of opening extra holes in your firewall. ... people didn't patch their machines. ... Vendors need to stop sticking their ...
      (Firewall-Wizards)