Full Disclosure mailing list archives
Re: Vulnerability Disclosure Debate
From: gridrun <gridrun () likes smart-girlies org>
Date: Fri, 08 Aug 2003 20:07:21 +0200
Matthew Murphy wrote:
<snip>
> As for virus/worm authors and how they find bugs to exploit, if you had any background here, you would have realized by now that the vast majority of self-propagating code targets vulnerabilities where working exploit code is available. Code Red, Nimda, Slammer, and Spida all fit this criterion. While nobody can say for a fact that no virus writer has ever found his own hole, we *can* say that trends and patterns in self-propagating code prove that the creation of such code is sped up significantly when exploit code is public.

I might have more "background" here than you, sir.

>> They state that those releasing proof-of-concept code to the public are responsible for the creation of various malware, virii and worms, exploiting the discovered vulnerabilities. Let me tell you one thing: If you believe that you are the only ones finding vulnerabilities, then you are to be considered a bunch of arrogant, self-deceived stupid ignorant bitches. Do you really think you are the only ones "31337" enough to find sec vulns??? Latest example: The people here at spacebitch.com noticed intrusions using the RPC/DCOM vulnerability at least a month before any information about it was published at all.
>
> Sure ya did -- how many of us should believe that? And I assume, of course, that you notified Microsoft of the exploit immediately, right?

Oh I really do give a flying fsck what you believe. I just stated what happened, nothing more.

> Well, I find it pretty incredible that this "inherently dumb program" spread so well, then, if it was so worthless and buggy. Can't imagine what a *well-written* worm for that bug would have done, then!

You can't imagine? You don't know much about the underground, it seems. Btw, it really spread well, yeah... If you consider spreading to the news headlines a good thing, yeah. It did very well. No wonder you can't imagine. Oh well, after all you think those high profile worms make up for the "vast majority" of self propagating code... You are living in a dream world, Neo.

most widely known != vast majority

>> Hackers, Crackers and Script Kiddies alike are known to engage in exploit trading and often, they are discovering and exploiting vulnerabilities without going BIG NEWS about it... Do you really believe, people are sending all their 0day to @stake & co in advance, just to let them make money off the news?? Would you not rather believe that crackers finding new vulnerabilities would keep them 0day as long as possible, exploiting them undiscovered, because the majority doesn't even know the hole exists?? To me, it would seem perfectly logical for hackers and crackers alike to ONLY publish their findings after the problem was initially noticed by the public? Would it not make sense to you? To keep 0day for fun and profit as long as possible, and then releasing a modified variant of the 0day as "proof-of-concept" code, as soon as the public is noticed, and credits and publicity are to be gained by releasing the exploit code to the public?
>
> Now, you're embarrassing yourself. Crackers, and etc. don't want credit from the vast majority of the list readership (generally speaking, anyway), and could care less about what we say. Also, some realize that the act of breaking into a system under the laws of most countries is illegal, and don't want to draw attention to themselves by publishing the code they used to do it.

You cannot imagine how a well-written worm would behave, but you claim to know what crackers want. You, sir, are contradicting yourself. Besides, it was exactly my point that most exploits remain 0day anyways.

>> To me, full disclosure makes perfect sense. Tell people about the vulnerability as soon as you notice it exists, you'll see "proof-of-concept" code appearing within days - essentially a proof that there were other people knowing about the vulnerability already.
>
> Not even close. While we see PoC code appear in only a few days, that is not an indicator of advanced details, particularly if the product is widely deployed, as you can start exploit development in a matter of minutes after receiving the first details, if in a position to do so (i.e., you have a box in front of you to test).

You still believe vulnerabilities are not found until someone at (insert name of big money sec company here) notices them, then you are way off. *knock, knock*

>> Also, full disclosure, including exploit code, frees you from the obligation to believe in software vendor advisories and patches - another critical issue, demonstrated again by the RPC/DCOM flaw:
>
> Exploit code *does not* solve the problem. I can do just as well by providing no code, and just being descriptive with my details, as I can by providing code. I've provided code with some advisories; this is not a practice I engage in any longer. It really speaks poorly for the writing capabilities of the discoverer if they are incapable of offering sufficient detail to at least reproduce the flaw without providing exploit code. Exploit code, while it can conclusively prove that the vulnerability exists in a particular config, is not 100% accurate (offsets can be bad, for instance), and this can even create a false sense of security. Further, you don't get any solution by running an exploit.

Descriptive like "There exists a problem in the way XYZ handles FUBAR requests. The vulnerability can be exploited remotely. Patches are available; apply immediately." ? mmkay... I share your point of view about the false sense of security tho. Perfectly valid point.

>> Apparently, M$' fix doesn't really fix the problem to its full extent, and in some cases, is believed to leave machines vulnerable to the attack. Again, something which was to be discovered by END USERS loading proof-of-concept exploits and trying them on their own systems. To me, it makes no sense to blindly trust in a software vendor's patch, when it has repeatedly been shown that software vendors' patches often do not fully provide the anticipated security fixes.
>
> And exploit code, of course, fills that gap, right? You are talking about two different things here. MS03-026 certainly does mitigate the vulnerability at hand. Also, you must remember that vendor patches are only designed to protect against vulnerabilities that immediately impact the system being patched.

Which part did you not understand? Failure of the RPC/DCOM patch to effectively address the vulnerability was discovered only when end users ran * E X P L O I T C O D E * against their own, patched servers. It might not give you a solution to the problem, but at least *you know if the problem still exists*

>> Obviously, time has NOT yet come to say goodbye to full disclosure, and doing so would leave end users at the fate of some software producers' industry consortium to take care of OUR security - which they have repeatedly shown to be incapable of.
>
> This depends on how you define Full Disclosure. I strongly believe that details of vulnerabilities I find should be made available to the public. This is how I define Full Disclosure. Most security researchers today have adopted the more rational viewpoint that Full-Disclosure does not require exploit code, as it has been proven many times (and will continue to be proven) that exploit code does far more damage than good. I also feel that those who require that vulnerabilities be disclosed immediately (or after some other short period), are harming the concept. The idea of Full Disclosure is that the public has the best opportunity for remedial action; this usually includes vendor fixes.

I do not oppose that the vendor should be notified with substantial information about a vulnerability, and I do not oppose that there should be a time frame for the vendor to come up with a solution.

> In today's environment where every new vulnerability is a time bomb, we must balance the public's need to know with its requirement for suitable solutions.

And who should balance? You?? After all, you are the "public". Unless you're on someone's payroll to post anti-FD FUD here, that is.

Cheers
--grid

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html