Full Disclosure mailing list archives
Re: [Secure Network Operations, Inc.] Full Disclosure != Exploit Release
From: Blue Boar <BlueBoar () thievco com>
Date: Wed, 29 Jan 2003 14:24:54 -0800
Richard M. Smith wrote:
>>> One problem with anyone making private exploits is that >>> they always seem to get leaked, no matter who it is.I've written at least a dozen proof-of-concept examples for security holes. I've given these examples to vendors and shared them withfriends and other security researchers.
Then you're pretty much guaranteed that some of them made it to people you didn't want them to. Not only are people pretty poor about keeping secrets to themselves, but they could have been stolen from any of those people.
I'm not aware of any of thembeing made public.
I didn't say "public", but there are obviously many degrees of public. Obviously, I say "always" in the same sense that "software always has holes" or "hackers always get in." Plus, I specifically said that I don't know if this "fact" is pro or con exploit release.
In addition, I serious doubt that any of the examples are of much use to anyone except to the vendor who messed up in the first place.
Does that mean the vulnerabilities were also not made public, and so the vendor slipstreamed the fixes?
Vendors probably find the bulk of security holes and I seriously doubt many of these problems have proof-of-concept code published for them.
So are we better or worse off for not knowing?
OTOH we know that public proof-of-concept examples are going to get into the wrong hands.
Yes, and I maintain that private ones will as well. So why did you find and exploit the problems to begin with? Why not just let the vendor find them and silently patch them?
BB _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: R: [Secure Network Operations, Inc.]FullDisclosure != Exploit Release, (continued)
- Re: R: [Secure Network Operations, Inc.]FullDisclosure != Exploit Release Strategic Reconnaissance Team (Jan 29)
- Re: RE : [Secure Network Operations, Inc.] Full Disclosure != Exploit Release Blue Boar (Jan 29)
- Re: RE : [Secure Network Operations, Inc.] Full Disclosure != Exploit Release Strategic Reconnaissance Team (Jan 29)
- Re: RE : [Secure Network Operations, Inc.] Full Disclosure != Exploit Release Blue Boar (Jan 29)
- RE: [Secure Network Operations, Inc.] Full Disclosure != Exploit Release Richard M. Smith (Jan 29)
- RE: [Secure Network Operations, Inc.] Full Disclosure != Exploit Release Day Jay (Jan 29)
- RE: [Secure Network Operations, Inc.] Full Disclosure != Exploit Release Richard M. Smith (Jan 29)
- [Secure Network Operations, Inc.] Full Disclosure Conclusion? ATD (Jan 29)
- Re: [Secure Network Operations, Inc.] Full Disclosure Conclusion? yossarian (Jan 29)
- RE: [Secure Network Operations, Inc.] Full Disclosure != Exploit Release hellNbak (Jan 29)
- Re: [Secure Network Operations, Inc.] Full Disclosure != Exploit Release Blue Boar (Jan 29)
- Re: [Secure Network Operations, Inc.] Full Disclosure != Exploit Release Rick Updegrove (security) (Jan 29)
- RE: RE : [Secure Network Operations, Inc.] FullDisclosure != Exploit Release Geo (Jan 29)
- RE: RE : [Secure Network Operations, Inc.] FullDisclosure != Exploit Release Strategic Reconnaissance Team (Jan 29)
- Re: Full Disclosure != Exploit Release Paul Schmehl (Jan 29)
- Re: Re: Full Disclosure != Exploit Release hellNbak (Jan 29)
- RE: Re: Full Disclosure != Exploit Release Richard M. Smith (Jan 29)
- Re: Re: Full Disclosure != Exploit Release Georgi Guninski (Jan 29)
- Re: Re: Full Disclosure != Exploit Release KF (Jan 29)
- Re: Re: Full Disclosure != Exploit Release Blue Boar (Jan 29)