Full Disclosure mailing list archives
Re: Security Industry Under Scrutiny: Part One
From: nonme <stf () xtra co nz>
Date: Mon, 11 Nov 2002 16:25:57 +1300
Hello,

Well, now I imagine that most who fell victim to the script kiddies have patched now, so in the short term, sure, systems will be compromised, but I think on the whole people learn lessons and we end up with a more secure internet. In a weird kind of way, script kiddies (and worms) help security by making holes obvious to the oblivious. If Gobbles had not disclosed the apache and ssh bugs... what do you think would have happened?

IMHO Full Disclosure is a good thing.

-nonme.

At 09:35 PM 10/11/02 -0500, you wrote:
Dear Len, your argument is self-sealing. It lacks substance. If most of the attacks on systems are coming from script kiddies, who have found these holes NOT by themselves but from the security industry and all the 'proof of concept' tools that come out of it, then how does full disclosure protect the interests of the admin? It doesn't.

Disclosing bugs to a public forum makes them known not only to system admins but also to malicious users. And whereas an admin can only patch one system, a script kiddy can attack many, many systems.

Take the recent attacks on XMB by Mike Parniak and his so called "hacking crew". This script kiddy developed a tool based on a well known md5 exploit in XMB v1.6 Magic Lantern that gives a user admin privileges. He then distributed that tool to lesser skilled script kiddies and the end result was a week of rage against XMB boards around the web (oops, did I just say that aloud?). Only about 20% of the boards had been patched. And I restate: the bug had been in public circulation for a long while and had even been in full view on XMB's software update page. It even appeared on vuln-dev in mid _May_ this year!

How did full disclosure work in this case? By your argument, Len, 6 months would have been more than enough for all the board admins to update their system (all that was required was to change a file name). Why such a low success rate? Why didn't the security industry's system work in this case (and so many others)?

plz reply as I am very interested in your answers.

<3 sockz

----- Original Message -----
From: Len Rose <len () netsys com>
Date: Thu, 7 Nov 2002 08:45:34 -0500
To: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Security Industry Under Scrutiny: Part One

Let's also not forget the systems people who would rather know about problems so they can at least mitigate the situation by finding work-arounds, applying firewall or router filters, and/or disabling services.

It's unacceptable to be left in the dark, no matter what the cost, because the people who aren't aware of a problem can't defend their hosts or networks.

Complaining about so-called whitehats and the security community doesn't address the above. People have a right to know about problems, assuming that the researcher is kind enough to share the information.

Len

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: Security Industry Under Scrutiny: Part One, (continued)
- Re: Security Industry Under Scrutiny: Part One Georgi Guninski (Nov 07)
- Re: Security Industry Under Scrutiny: Part One Len Rose (Nov 07)
- Re: Security Industry Under Scrutiny: Part One Ron DuFresne (Nov 07)
- Re: Security Industry Under Scrutiny: Part One Georgi Guninski (Nov 07)
- RE: Security Industry Under Scrutiny: Part One João Miguel Neves (Nov 07)
- RE: Security Industry Under Scrutiny: Part One hellNbak (Nov 07)
- RE: Security Industry Under Scrutiny: Part One João Miguel Neves (Nov 07)
- RE: Security Industry Under Scrutiny: Part One ATD (Nov 14)
- Re: Security Industry Under Scrutiny: Part One White Vampire (Nov 10)
- Re: Security Industry Under Scrutiny: Part One noconflic (Nov 10)
- Re: Security Industry Under Scrutiny: Part One nonme (Nov 10)
- Re: Security Industry Under Scrutiny: Part One HggdH (Nov 10)
- Re: Security Industry Under Scrutiny: Part One Kevin Spett (Nov 11)