Full Disclosure mailing list archives
Re: [Secure Network Operations, Inc.] Full Disclosure != Exploit Release
From: "David Howe" <DaveHowe () cmn sharp-uk co uk>
Date: Wed, 29 Jan 2003 12:13:21 -0000
I have been following the subject of full disclosure for a while, and as most of you know, have dealt with some of the issues that full disclosure can cause (HP/Secure Network Operations/DMCA). While the idea of full disclosure is a good idea, and while we support it, we feel that the exploit source code should not be released to everyone.
That is of course your choice. Vendors in particular were prone to deny a vunerability existed unless exploit code were published to prove it. However, as part of a managed announcement, I can't see any value outside of the obvious - to allow admins to scan for vunerable systems on their own network - as a vendor has already produced a patch. Note I say *a* vendor though - sometimes using the scan tool against theoretically unrelated systems produces surprising results....
It is possible to prove a vulnerability exists by releasing well written advisories.
No, it isn't. If the advisory is truely Full Disclosure, it will contain enough information that the exploit can be written *anyhow*. By not attaching such an exploit, you make it impossible for many less skilled administrators (who are diligent enough to closely monitor lists like this one, but don't have the coding skills required to write (for example) a arp packet rewriter) to test their own systems. Note however that, given that *testing* is the goal here, not actual exploitation, a suitably written testing spec (a nessus plugin for example?) may well be more useful to the bulk of the readers of this list than an actual exploit would be; sysadmins do not want to exploit their own systems, they want to test them.
Proof of concept code is useful for legitimate contract based penetration tests.
Again, not really. pentesters should not be exploiting the holes they find (unless you wish to daisychain your way into a more secure area - such as the effect of the DNS bug on a system foolish enough to be running their DNS server on a internet-exposed but non-dmz/internal host.
It is also useful for study as it demonstrates fundamental flaws computers today (not built in security). But again, proof of concept code is not for everyone.
again, actual exploit code is not needed. the disclosure advisory should give a detailed enough description of the general principles behind the exploit that a skilled researcher could apply that to testing for other similar vunerabilities in other packages. I don't know about the rest of the list but I would be *overjoyed* to see exploit code replaced with nessus plugins in advisories - giving us instant, hands-on access to testing tools without the overheads of actually working over exploit code to create them. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- RE: [Secure Network Operations, Inc.] Full Disclosure != Exploit Release, (continued)
- RE: [Secure Network Operations, Inc.] Full Disclosure != Exploit Release Richard M. Smith (Jan 29)
- RE: [Secure Network Operations, Inc.] Full Disclosure != Exploit Release Day Jay (Jan 29)
- RE: [Secure Network Operations, Inc.] Full Disclosure != Exploit Release Richard M. Smith (Jan 29)
- [Secure Network Operations, Inc.] Full Disclosure Conclusion? ATD (Jan 29)
- Re: [Secure Network Operations, Inc.] Full Disclosure Conclusion? yossarian (Jan 29)
- RE: [Secure Network Operations, Inc.] Full Disclosure != Exploit Release hellNbak (Jan 29)
- Re: [Secure Network Operations, Inc.] Full Disclosure != Exploit Release Blue Boar (Jan 29)
- Re: [Secure Network Operations, Inc.] Full Disclosure != Exploit Release Rick Updegrove (security) (Jan 29)
- RE: RE : [Secure Network Operations, Inc.] FullDisclosure != Exploit Release Geo (Jan 29)
- RE: RE : [Secure Network Operations, Inc.] FullDisclosure != Exploit Release Strategic Reconnaissance Team (Jan 29)
- Re: Full Disclosure != Exploit Release Paul Schmehl (Jan 29)
- Re: Re: Full Disclosure != Exploit Release hellNbak (Jan 29)
- RE: Re: Full Disclosure != Exploit Release Richard M. Smith (Jan 29)
- Re: Re: Full Disclosure != Exploit Release Georgi Guninski (Jan 29)
- Re: Re: Full Disclosure != Exploit Release KF (Jan 29)
- Re: Re: Full Disclosure != Exploit Release Blue Boar (Jan 29)
- Re: [Secure Network Operations, Inc.] Full Disclosure != Exploit Release Strategic Reconnaissance Team (Jan 29)