Dailydave mailing list archives
Re: Dreaming of Summer
From: David Maynor <dave () 0dayspray com>
Date: Sun, 07 Dec 2003 00:04:34 -0500
On Sat, 2003-12-06 at 23:43, Sean Batt wrote:
> Hello Daves et al,
>
> Forgive me for asking a daft question; I'm not a security professional, just a refugee from Full-Disclosure.
>
> On Sat, 6 Dec 2003, David Maynor wrote:
> > ... I think the shot at trojaning a Debian package like ssh is worth a local root, this is of course if I was just interested in blackhat activity. For whitehat I would much rather keep the 0day for pentesting purposes.
>
> I can't quite understand how a whitehat would use a 0day. Isn't a whitehat ethically bound to fix or report vulnerabilities?
What is wrong with using code I wrote to perform my job? This would be different if I were just out defacing random webpages, but if it's my job, there seems to be a big difference to me.
> Say a WH is contracted to do pentesting, she wanders into an environment secured against known vulnerabilities, uses a 0day and then what does she report? "You're still vulnerable! I got in. Here's proof. Can't tell you how I did it: proprietary tools, trade secrets, etc etc."
I am of the belief that good security comes from a process and not just implementing a single tool. Let's take the example you used. A whitehat performs a pentest on a server with critical info on it. The pentest (like most good ones) has a local and a remote portion. Let's say this 0day is against ssh. Now if this machine is configured correctly, even though I have 0day for a service they are running, I should not be able to get to the machine to exploit it. Wrappers and firewalls and such, basically layers of security. If the remote and local attack is successful they have more problems than just a vuln sshd, they have a broken security model. This is what you report to the client. If you were to ask an average customer of a pentest or security audit "would you like the results to be valid until the next large vuln, or do you want a comprehensive audit that will help you even if there is new 0day?" The answer is often obvious. A lot of people seem to lose sight that pentesting is supposed to improve security, regardless of whether the tester gets in or not.
> Am I being naive thinking that ethical stance is the difference between black and white hats? I guess I'm missing something (probably a lot) about the utility of 0days and the practice of penetration testing and if anyone can comment on that I'd appreciate it.
As I said before, security is a process. As a security professional it is my job to help protect my client against all threats, known or otherwise. You do this by limiting exposure so if there is a 0day the effect will be reduced. How do you test the effects a remote 0day would have on a client unless you have them?

--
David Maynor
http://www.0dayspray.com/~dave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave