RE: no more public exploits and general PoC gui de lines

[Harlan Carvey <keydet89 () yahoo com>]

Well, then the hole you get stuck in with that
particular situation is systems going unpatched, b/c
there is no exploit for the vulnerability.

A company I used to work for was that way.  Regardless
of what security strongly recommended, patches weren't
being installed in a timely manner...largely b/c there
were no reports of actual exploit code being released.
 However, a customer insisted that the patches be
installed ASAP...the logic used by the sysadmins
didn't jive.

> Having proof of concept code is always valuable 
> (and the sooner the better),
> but I question releasing exploits that execute code
> on the target machine. Having a DoS PoC is enough...
> The legitimate pentesters will be able to modify the
> PoC to execute code on the target while, at the same
> time, the "kiddies" will be stuck with something of 
> little or no use to them. This way everybody is
> happy.
> Some of you might say that some "kiddies" will be
> able
> to modify the DoS PoC to execute code for their
> malicious
> needs. Well, if this is the case, then we are no
> longer
> dealing with "kiddies"... If they can do this then
> they
> are capable of creating their own exploits... 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html