Re: [Full-disclosure] Publishing exploit code - what is it good for

From: ChayoteMu (chayotemu_at_gmail.com)
Date: 07/02/05

    Date: Fri, 1 Jul 2005 20:51:12 -0700
    To: "devnull@rodents.montreal.qc.ca" <devnull@rodents.montreal.qc.ca>
    
    

    I'm not too sure if this would help much but from a student standpoint
    I understand FAR more about how the security works by knowing how to
    break it, which only really works if I have source code and so
    full-disclosure exploits. I KNEW what a shellcode and buffer overflow
    were for years but I only UNDERSTOOD it after I read "Hacking: The Art
    of Exploitation" because it broke it down for me (excellent book BTW).
    Now I understand how an overflow exploit works, but don't understand
    how a particular one works against a particular program without the
    exploit code that I can go over and go "Oh, so that's how it does it."
    The idea is that the next generation of security pros (and the current
    ones I assume) need the information to be a step ahead by
    understanding the tricks used by the exploit, otherwise they're always
    playing catch-up to the latest exploit.

    On 6/30/05, devnull@rodents.montreal.qc.ca
    <devnull@rodents.montreal.qc.ca> wrote:
    > [Because of all the broken autoresponders on bugtraq, the header From:
    > is a bitbucket. Use the address in the signature to reach me.]
    >
    > >> Quote: " If I speak to an end-user organization and they express
    > >> legitimate needs for exploit code, then I'll change my opinion."
    >
    > Well, I'm not an end-user organization, but as an end user[%], the
    > major benefit I see to full disclosure is that it appears to be close
    > to the only thing that has any real success at getting vendors to fix
    > bugs. (In general. There certainly are vendors that stay on top of
    > things without needing the prod of public exploit disclosure. But they
    > are notable by their rarity.)
    >
    > [%] "End user" is not the only hat I wear. It's just the one I'm
    > wearing here.
    >
    > /~\  The ASCII                      der Mouse
    > \ /  Ribbon Campaign
    >  X   Against HTML           mouse@rodents.montreal.qc.ca
    > / \  Email!       7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
    >

    -- 
    "To catch a thief, think like a thief. To catch a master thief, be a
    master thief."
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/
    
