Bugtraq mailing list archives
Re: What is the point here?
From: Mariusz Woloszyn <emsi () ipartners pl>
Date: Tue, 20 Jan 2004 12:54:22 +0100 (CET)
On Sun, 18 Jan 2004, Alun Jones wrote:
> I've been meaning to say something about this for some considerable time now, on various exploits and "proofs of concept" that have been posted to this list. Fine, I get the idea of posting a sample exploit, or a POC, as a means to spurring on developers (and administrators) to fix and patch systems against attack. But really, unless there's a 'fix' that turns out not to be a fix, what is the point of posting a "second version" of a sample exploit or POC? [Maybe there's a good example in this case, but the poster never mentioned what the change was from the standpoint of getting the hole fixed.] What is the point of cleaning up a sample exploit? What is the point of posting more and "better" POCs? What is the point of admitting such to this list? I know it's a moderated list, because I've seen my own share of rejected messages, so I'm going to ask what the point of the moderation is. We've seen several POCs posted to this list with absolutely no attempt made to contact the developers, and we've seen people take other POCs and "fix them", so that they install a remote shell without alerting the administrators of the machine. Why? If full disclosure in the name of protecting systems is what we're about, then we need to be contacting vendors of systems we breach, and we need to be posting code that goes only as far as is necessary to demonstrate the breach - _not_ far enough to be the source for the next root kit.
(...blah blah...)

If you make BT a list that filters out exploits, a lot of other lists or distribution channels will appear that spread exploits/PoCs (no matter what they are). The result is: admins reading BT will think that the bug just mentioned is hardly or not exploitable, as they have seen no exploit, while the exploit is distributed among blackhats. It's been discussed here many, maaaaaany times. We don't see a need to quote it again.

Rgrds,

--
Mariusz Wołoszyn
Internet Security Specialist, GTS - Internet Partners
Current thread:
- exploit for HD Soft Windows FTP Server 1.6 mandrag (Jan 13)
- What is the point here? Alun Jones (Jan 19)
- RE: What is the point here? Andrew Hintz ( Drew ) (Jan 19)
- RE: What is the point here? ken kousky (Jan 19)
- Re: What is the point here? Adam Shostack (Jan 20)
- Re: What is the point here? Systems Administrator (Jan 19)
- Re: What is the point here? Mariusz Woloszyn (Jan 20)
- Re: What is the point here? Damian Menscher (Jan 20)
- Re: What is the point here? Jason Coombs (Jan 21)
- What is the point here? Alun Jones (Jan 19)