RE: Releasing patches is bad for security

From: Brian Taylor (drak3_at_attbi.com)
Date: 02/28/04

  • Next message: Joe Miller: "Re: Releasing patches is bad for security"
    To: "'Ross M. W. Bennetts'" <rbennett@une.edu.au>, <incidents@securityfocus.com>
    Date: Sat, 28 Feb 2004 11:24:49 -0500
    
    

    >[Ross M. W. Bennetts]
    >But if a hacker did produce an exploit wouldn't he/she be more likely
    >to use it surreptitiously for their own private purposes and then only
    >release it to the kiddies on the net after the patch has been released?

    <SNIP>

    Possibly, Ross. But that discounts one of the main motivators in the
    hacking community--the "I did it because I could" factor. I'm not
    pointing you out as an example, but many on the corporate side get
    caught up in discussions of profit (See IDS is worthless thread) or
    sometimes we believe our own propaganda that all hackers are Vladimir
    Levin clones who hack for profit. And yes... Like any entity, we do
    occasionally push out some stretched-truths to prove our point.
    Unfortunately, old David Aucsmith took it to another level...

    In reality, fame and the ability to flaunt one's superiority over "the
    establishment" are still some of the biggest motivators in the Black Hat
    community. When we "professionals" spend millions of dollars on
    firewalls, IPS, consultants, developers, etc. and some college kid (or
    younger) circumvents these with a few lines of code, that feeds their
    ego in a way that money cannot. So yes, many do it without regard to
    pay or profit. The term "proof of concept" carries a lot more weight
    among the underground than some of us think.

    That said, this type of black-hat is probably more likely to rush out
    and release it as soon as the code has been proven to work in a somewhat
    stable manner (or earlier in many cases). Waiting for the patch
    mitigates the type of widespread damage that the code would do. And
    these days, if it doesn't make the headlines of BBC, CNN, ZDTV and
    SecurityFocus, then it never really happened, right? You want every
    script kiddie from here to St. Petersburg launching this tool. You want
    to be able to say to your buddies "Bill Gates AND Tony Blair talked
    about MY worm..."

    Fortunately for us good guys, vendors have been a lot more proactive
    about looking for holes before exploits are released. We would all like
    this sort of thing to happen in initial development, but...

    Not to refute anyone except Aucsmith... I'm just providing another
    viewpoint, albeit one that a large portion of the hacking community
    shares. Knowing your enemy helps you know their motivations (and modus
    operandi).

    Happy hunting!

    --BT

