Security Incidents mailing list archives
RE: Releasing patches is bad for security
From: "Brian Taylor" <drak3 () attbi com>
Date: Sat, 28 Feb 2004 11:24:49 -0500
[Ross M. W. Bennetts] But if a hacker did produce an exploit wouldn't he/she be more likely to use it surreptitiously for their own private purposes and then only release it to the kiddies on the net after the patch has been released? <SNIP>

Possibly, Ross. But that discounts one of the main motivators in the hacking community--the "I did it because I could" factor. I'm not pointing you out as an example, but many on the corporate side get caught up in discussions of profit (see the "IDS is worthless" thread), or sometimes we believe our own propaganda that all hackers are Vladimir Levin clones who hack for profit. And yes... like any entity, we do occasionally push out some stretched truths to prove our point. Unfortunately, old David Aucsmith took it to another level...

In reality, fame and the ability to flaunt one's superiority over "the establishment" are still some of the biggest motivators in the Black Hat community. When we "professionals" spend millions of dollars on firewalls, IPS, consultants, developers, etc. and some college kid (or younger) circumvents these with a few lines of code, that feeds their ego in a way that money cannot. So yes, many do it without regard to pay or profit. The term "proof of concept" carries a lot more weight among the underground than some of us think.

That said, this type of black hat is probably more likely to rush out and release it as soon as the code has been proven to work in a somewhat stable manner (or earlier in many cases). Waiting for the patch mitigates the type of widespread damage that the code would do. And these days, if it doesn't make the headlines of BBC, CNN, ZDTV and SecurityFocus, then it never really happened, right? You want every script kiddie from here to St. Petersburg launching this tool. You want to be able to say to your buddies "Bill Gates AND Tony Blair talked about MY worm..."

Fortunately for us good guys, vendors have been a lot more proactive about looking for holes before exploits are released. We would all like this sort of thing to happen in initial development, but...

Not to refute anyone except Aucsmith... I'm just providing another viewpoint, albeit one that a large portion of the hacking community shares. Knowing your enemy helps you know their motivations (and modus operandi).

Happy hunting!

--BT
Current thread:
- Releasing patches is bad for security Chris Brenton (Feb 26)
- RE: Releasing patches is bad for security Dave Paris (Feb 26)
- Re: Releasing patches is bad for security Clint Bodungen (Feb 26)
- RE: Releasing patches is bad for security Curt Purdy (Feb 26)
- Re: Releasing patches is bad for security Pall Thayer (Feb 26)
- Re: Releasing patches is bad for security mgotts (Feb 26)
- RE: Releasing patches is bad for security Ross M. W. Bennetts (Feb 26)
- RE: Releasing patches is bad for security Brian Taylor (Feb 29)
- RE: Releasing patches is bad for security Ross M. W. Bennetts (Feb 26)
- Re: Releasing patches is bad for security james (Feb 26)
- RE: Releasing patches is bad for security ELLIS, STEVEN (Feb 27)
- Re: Releasing patches is bad for security james (Feb 27)
- Re: Releasing patches is bad for security Meritt James (Feb 27)
- RE: Releasing patches is bad for security ELLIS, STEVEN (Feb 27)
- <Possible follow-ups>
- RE: Releasing patches is bad for security Gary Nichols (Feb 26)
- Re: Releasing patches is bad for security Joe Miller (Feb 29)