Re: David Litchfield talks about the SQL Worm in the Washington Post

[Georgi Guninski <guninski () guninski com>]

David Litchfield wrote:
..snip...
> With this in mind I am questioning the benefits of publishing proof of
> concept code. I am due to present a paper on the remotely exploitable buffer
> overrun in the Microsoft Locator service at Blackhat this February but
> should I then also publish the code used to demonstrate the problem? Should
> I even be discussing the problem in a public arena?
>
> Some will argue that full disclosure is a good thing. Others will abhor it.
> There is no one correct answer - it must be a personal decision and for the
> moment I am undecided.
>

So Litchfield, snosoft and others are "uncertain" whether they should disclose
PoC, seems because of a worm.
Does this impact the availability of PoC for bugs in the past month?
I think the answer is clearly "no" - cf "[Full-Disclosure] locator exploit" and
"[Full-Disclosure] Exploit for CVS double free() for Linux pserver".
IMHO this proves the author not releasing PoC does not impact significantly the
availability of the exploit (there are more examples in the past year).
Which reminds me of a poem by an author I can't remember which is taught in .bg
schools - "I fell, another one comes in my place, what the fsck does one person
matter" (very roughly translated to english, don't remember exactly even the .bg
version).

Georgi Guninski
http://www.guninski.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html