Re: Security Industry Under Scrutiny: Part One

[nonme <stf () xtra co nz>]

Hello,

Well now I imagine that most who fell victim to the script kiddies have
patched now, so in the short term sure, systems will be comprimised, but I
think on the whole people learn lessons and we end up with a more secure
internet.

In a weird kind of way, script kiddies (and worms) help security by making
holes obvious to the oblivious.

If Gobbles had not disclosed apache and ssh bugs... what do you think would
have happned.

IMHO Full Disclosure is a good thing.

-nonme.

At 09:35 PM 10/11/02 -0500, you wrote:
> Dear Len,
>
> your argument is self-sealing.  it lacks substance.  if most of the
attacks on 
> systems are coming from script kiddies, who have found these holes NOT by
> themselves but from the security industry and all the 'proof of concept'
tools
> that come out of it, then how does full disclosure protect the interests
of the
> admin?
>
> it doesn't.
>
> disclosing bugs to a public forum makes them known not only to system
admins but
> also malicious users.  and whereas an admin can only patch one system, a
script
> kiddy can attack many many systems.
>
> take the recent attacks on XMB by Mike Parniak and his so called "hacking
crew".
> this script kiddy developed a tool based on a well known md5 exploit in
XMB v1.6
> Magic Lantern that gives a user admin priviledges.  he then distributed that 
> tool to lesser skilled script kiddies and the end result was a week of rage 
> against XMB boards around the web (oops did i just say that aloud?).  only
about
> 20% of the boards had been patched.  and i restate: the bug had been in
public
> circulation for a long while and had even been in full view on XMB's
software 
> update page.
>
> it even appeared on vuln-dev in mid _May_ this year!
>
> how did full disclosure work in this case?  by your argument, Len, 6 months
> would have been more than enough for all the board admins to update their 
> system (all that was required was to change a file name).  why such a low
> success rate?  why didn't the security industry's system work in this case
(and
> so many others)?
>
> plz reply as i am very interested in your answers.
>
> <3 sockz
>
>
> ----- Original Message -----
> From: Len Rose <len () netsys com>
> Date: Thu, 7 Nov 2002 08:45:34 -0500 
> To: full-disclosure () lists netsys com
> Subject: Re: [Full-disclosure] Security Industry Under Scrutiny: Part One
>
>
> > Let's also not forget the systems people who would rather know about
problems
> > so they can at least mitigate the situation by finding work-arounds,
apply firewall
> > or router filters, and/or disable services. 
> >
> > It's unacceptable to be left in the dark, no matter what the cost
because the people
> > who aren't aware of a problem can't defend their hosts or networks.
> >
> > Complaining about so-called whitehats, and the security community
doesn't address
> > the above. 
> >
> > People have a right to know about problems, assuming that the researcher
is kind
> > enough to share the information.
> >
> > Len
> -- 
> _______________________________________________
> Sign-up for your own FREE Personalized E-mail at Mail.com
> http://www.mail.com/?sr=signup
>
> Single & ready to mingle? lavalife.com:  Where singles click. Free to Search!
> http://www.lavalife.com/mailcom.epl?a=2116
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html