Full Disclosure mailing list archives
RE: RE : RE : [Secure Network Operations, Inc.] FullDisclosure != Exploit Release
From: Strategic Reconnaissance Team <recon () snosoft com>
Date: 29 Jan 2003 16:25:04 -0500
Well, You also need to consider that this is causing extra stress for the vendors. We are in fact forcing them to kick out of their normal schedule, and work overtime to fix problems. If we all did this, they would be overly swamped and probably go under, or so I'd think. Before we started SNOsoft I worked for a software company. I left because there was no security design or testing involved in the development process. Whenever someone released an advisory, the entire team would go nuts trying to fix it. Granted, security should have been a part of the product, but we do need to keep in mind that its not. The question is, how do we make it a part of the process. How do we educate the people that need to be educated (CEO's CTO's Managers). We can't do that at the low level. Anyway, my two cents is getting too long.. thats my ten cents. On Wed, 2003-01-29 at 14:59, Giri, Sandeep wrote:
Hi!From a security professional's point of view, releasing an exploit isbeneficial. If he releases exploit someone would certainly write a virus for the same. Which will make companies realise the benefit in hiring the security professionals. So, from my point of view, writing viruses which doesn't physically destroy any thing is also okay;) Sorry, if it hurts the ethics..and if it sends wrong singnals about my area of work. Thanks. Regards, Sandeep Giri -----Original Message----- From: hellNbak [mailto:hellnbak () nmrc org] Sent: Wednesday, January 29, 2003 11:16 PM To: Ron DuFresne Cc: Strategic Reconnaissance Team; Nicolas Villatte; full-disclosure () lists netsys com Subject: Re: RE : RE : [Full-disclosure] [Secure Network Operations, Inc.] FullDisclosure != Exploit Release Thanks for adding zero value Ron. We are not talking about working with vendors or notifying vendors. I made the assumption that the Snosoft guys have their own policy on what to do with vendors. We have our own at NMRC and we are quite willing to work with a vendor. But that is not what we are discussing here. On Wed, 29 Jan 2003, Ron DuFresne wrote:Date: Wed, 29 Jan 2003 08:35:39 -0600 (CST) From: Ron DuFresne <dufresne () winternet com> To: hellNbak <hellnbak () nmrc org> Cc: Strategic Reconnaissance Team <recon () snosoft com>, Nicolas Villatte <Nicolas.Villatte () advalvas be>, full-disclosure () lists netsys com Subject: Re: RE : RE : [Full-disclosure] [Secure Network Operations, Inc.] FullDisclosure != Exploit Release On Tue, 28 Jan 2003, hellNbak wrote: [SNIP]So I say release the code, try and make it as crippled as possible (localhost only or whatever) so at least you know that *your* code won't be directly used for malicious intent. Yeah exploits and malicious code/worms/virus'/whatever will still exist and be abused but regardless of what you and anyone else for that matter do it always will. At least with releasing code you can take comfort in knowing that youarehelping those who cannot help themselves. That is of course if you believe in helping others and don't just release advisories for the media-whoring marketing purposes (hello to my friends at ISS ;p).What's interesting about the disclosure debates in their various forms, is that it has been ongoing since the first earliest security lists, <check the http://securitydigest.org/ site>. In fact, the debate seemed to be at time a near show stopper for a number of the early lists, at times they never got much beyond the topic, for long periods of time, and some lists died or went stagemant while enthralled within the discussion process>. And, to this day it persists. Though the trend has been softened with the term "responsible" prepended. In that light, rather then issueing a quick advisory with a borked exploit enclosed, it might be better to issue the warning, after first letting the vendor<s> in question know of your findings and giving them at least a modicum of time to ingest your work, then later down the road, posting the code you developed. Perhaps allowing a large portion of those exposed, to fix their sites and be prepared for the coming mess of adverse packets? Thanks, Ron DuFresne ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart ***testing, only testing, and damn good at it too!*** OK, so you're a Ph.D. Just don't touch anything.
-- Strategic Reconnaissance Team <recon () snosoft com> Secure Network Operations, Inc.
Attachment:
signature.asc
Description: This is a digitally signed message part
Current thread:
- RE: RE : RE : [Secure Network Operations, Inc.] FullDisclosure != Exploit Release Giri, Sandeep (Jan 29)
- RE: RE : RE : [Secure Network Operations, Inc.] FullDisclosure != Exploit Release Ken Pfeil (Jan 29)
- RE: RE : RE : [Secure Network Operations, Inc.] FullDisclosure != Exploit Release Strategic Reconnaissance Team (Jan 29)