Re: Call to arms - INFORMATION ANARCHY
From: tEA-TiME (tEA-TiME@TECHTHUGZ.COM)
Date: 11/03/01
- Previous message: Frank Bass: "Re: Call to arms - INFORMATION ANARCHY - pause"
- In reply to: Gregory S. Youngblood: "Re: Call to arms - INFORMATION ANARCHY"
- Next in thread: Larry Sheldon: "Re: Call to arms - INFORMATION ANARCHY"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Message-ID: <000001c1649d$da314670$6401a8c0@DESTROYER>
Date: Sat, 3 Nov 2001 13:29:27 -0600
From: tEA-TiME <tEA-TiME@TECHTHUGZ.COM>
Subject: Re: Call to arms - INFORMATION ANARCHY
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
I have been a member of this list for about 6 months now, and am in awe
of many of the posting members and their abilities. I am, admittedly, a
novice in this field, and take great pains to learn everything I can
about any exploit posted here in this forum. Since all of you (at least
a majority of you) really understand everything, and could probably
write your own code to show an exploit without someone else having to do
it, I felt a comment from one of your amateur users was in order.
1. Full Disclosure w/ Source Code for Exploit : Quite honestly, many of
the times source code is posted, it takes me awhile to figure out
exactly how to make it work, understand it, etc... I would put myself on
the same level of skill (or slightly higher) than a majority of script
kiddiez. The problem is not the code you guys make available. That stuff
allows legitimate people like myself a chance to learn and see exactly
what's going on. Black Hats will take an exploit and write a nice self
executing script or program for the script kiddiez to use, ie... Back
Orifice, Nimda, etc... Where you just throw in a range of IPs and away
you go. Very few script kiddiez out there take the time to learn any
programming at all. They depend on the Black Hat script / program
makers.
2. About the Black Hats : These guys, for whatever their purpose, have
as much talent as this community. If you just post an exploit, with no
code, trust me, they will figure out what to do with it, and make it
available to the script kiddie community. This puts a person like me at
an extreme disadvantage, because now I have to go lurking about for
underground code that I can use to test my systems and better educate
myself. This alone bothers me most, because as a novice, I usually have
no idea what I am getting from any of these sources (compiled program
with a backdoor, trojan in it, that executes when you do a scan of your
own machines, etc...) To cut us off, and by us I mean the next
generation of security professionals, will really hamper this community
in the future.
3. Microsoft and the Others : Of course, the biggest reason they don't
like full disclosure is two fold. Number One, it gives them bad press
(even if it doesn't create widespread bad press, this is still a bad
thing.) Number Two, the Black Hats and script kiddiez work faster than
them, and the exploit program (fully compiled and ready to run, not just
example code that someone without programming knowledge would find
almost useless) is available generally before a patch. This would happen
with full disclosure or without it, as stated in my first point. The
only way to stop that, is with absolutely no disclosure. Even then, the
Blacks would have to hang up their Hats for no more fully functional
exploit programs to be available. The main thing about number two is
this. When the Black Hats give the script kiddiez the means before a
patch is available, you have widespread break-ins, takedowns, etc...
This creates mucho bad press and is much harder to bounce back against.
4. In Closing : I apologize about the length of the post, but felt you
guys might find an amateur's point of view valuable. I am a MCSE, CNE,
and CCNA, but have very little programming experience (but that is
changing daily.) The members of this community have taught me much
through full disclosure, and I will be a better security professional in
a few years because of it. One more resource to use in the fight against
system attackers and black hats. To deny me the tools in which to
prepare myself, and all others, is giving the war away.
Thanks for your time,
tEA-TiME
tEA@waronterror.com
tEA-TiME@techthugz.com
-----Original Message-----
From: Windows NTBugtraq Mailing List
[mailto:NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM] On Behalf Of Gregory S.
Youngblood
Sent: Friday, November 02, 2001 7:00 PM
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: Call to arms - INFORMATION ANARCHY
Apart from the opening message that started this thread, it would appear
the follow-up posters feel that full disclosure is not needed. I feel
otherwise. Full disclosure, including exploit code to illustrate the
problem, is a valuable tool and one that I hope is never taken away from
me.
I also feel that full disclosure can be done in a responsible manner.
To me, that means (1) notifying the vendor of the problem with details
and full code, (2) public disclosure of "a" security issue with
relatively few details and no code, and (3) after a reasonable time
period (5 business days, 10 business days, a month) full disclosure.
What constitutes reasonable time should be dependent on the severity of
the problem being reported. The higher the severity, the faster I'd
prefer full disclosure.
Does that mean I'm going to analyze the code and learn its innermost
workings? No. I don't have time for that level of analysis, even
though I'd like to be able to.
Instead, I often take the code and test it against my systems (sometimes
lab/test systems, sometimes production, sometimes both).
I also look at the work arounds, if they exist, and deploy them if they
will not affect services I have to provide. If they do affect services I
need to keep operational, I look for other work arounds to limit my
exposure. Sometimes this means looking at the exploit code a little
deeper.
Then, I retest my systems to see if the workaround is giving me any
protection.
I also retest my systems after installing patches.
In a lot of ways, the arguments for and against full disclosure are
similar to some gun ownership arguments. Full disclosure including code
that exploits the problem(s) discovered is similar to a gun. The
arguments for and against full disclosure are also similar. Some will
argue that "guns are tools, they don't kill people, people kill people",
while others will counter that fewer guns would mean fewer deaths.
It's a very delicate subject regardless.
In this case, if full disclosure is somehow marginalized or eliminated,
then we'll end up with "only the criminals having exploits". And we'll
be in a worse position as those responsible for the continuous
operations of servers and services without some of the very tools we'll
need.
Worse yet, if some get their way, just working on exploits for verifying
the security of your own systems would lead to your being classified as
a computer criminal or terrorist.
Delivery co-sponsored by Trend Micro, Inc.