Full Disclosure mailing list archives
Re: DCOM RPC exploit (dcom.c)
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Sun, 27 Jul 2003 17:02:43 +1200
"gregh" <chows () ozemail com au> wrote:
Just my $0.02: Shoot the messenger - that always stops the bad event happening. Sorry for the sarcasm. I can never see the point in "If we don't tell the enemy how to build a nuclear weapon they never will so we are safer as a result" logic.
The logic is not that you are ultimately "safer" in the sense that potential "adversaries" will be _prevented forever_ from developing "something bad" to use against you based on this "knowledge". The argument is that you will be probabilistically safer for a longer time. If you don't give kitset weapons, or the detailed plans of how to make them, to all and sundry then the number of potential adversaries who can use that type of weapon against you is _reduced_. Thus, probabilistically, over many iterations of such new weapon possibilities and designs, it is longer on average before any one of these weapons whose availability has been "boosted" is used against you _relative to those cases where the possibilities and plans are not disclosed_. Thus, not disclosing such information is part of managing the risk associated with a vulnerability. That is not to say "you can get right royally shagged via DCOM over RPC so apply this patch now" is not valuable information of the sort that should not be disclosed. However, publishing exploit code for the kudos of the "my willy is bigger than yours" kind, which typically is the only"benefit" accruing to the discloser, is somewhere between narcisistic bloody mindedness and outright criminal. (At the risk of strollling even further off topic, the first point reminds me of something the proponents of "give us the sploits" often trundle out -- convincing those managers who "won't believe X is possible until they see it with their own eyes". Of course, selling "real security" to such folk is much like being tailor to that mythical emporer, so availability of sploits should not be necessary at all, as essentially the problem in such instances reduces to one or other of, "will I spoil my professional reputation by being hamstrung into implementing half-arsed solutions because this guy's has half of a baboon's brain" _or_ to that of a marketing problem where the "art" is in deciding how to tell them any old crap so long as it is wrapped up in enough techno-gibberese that they think they half understand what you are talking about.
Greg - you may call me a "Jihad O'Clue." if you wish.
I may, but as you're inviting name-calling, I think I am rather more likely to call you a silly twat that uses some chronically lame HTML Email client that has no place in the working armory of a security professional, at least not if its trivial configuration options that disable the sending of HTML Email are not disabled. Regards, Nick FitzGerald _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: DCOM RPC exploit (dcom.c), (continued)
- Re: DCOM RPC exploit (dcom.c) Nathan Seven (Jul 27)
- Re: DCOM RPC exploit (dcom.c) Valdis . Kletnieks (Jul 27)
- Re: DCOM RPC exploit (dcom.c) KF (Jul 27)
- Re: DCOM RPC exploit (dcom.c) Valdis . Kletnieks (Jul 26)
- Re: DCOM RPC exploit (dcom.c) manohar singh (Jul 27)
- Re: DCOM RPC exploit (dcom.c) Etaoin Shrdlu (Jul 27)
- Re: DCOM RPC exploit (dcom.c) Nick FitzGerald (Jul 27)
- Re: DCOM RPC exploit (dcom.c) Jean-Baptiste Marchand (Jul 29)
- Re: DCOM RPC exploit (dcom.c) Nick FitzGerald (Jul 29)
- Re: DCOM RPC exploit (dcom.c) gregh (Jul 26)
- Re: DCOM RPC exploit (dcom.c) Nick FitzGerald (Jul 26)
- RE : DCOM RPC exploit (dcom.c) Nicolas Villatte (Jul 27)
- Re: DCOM RPC exploit (dcom.c) Jason (Jul 26)
- Re: DCOM RPC exploit (dcom.c) Chris Paget (Jul 26)
- Re: DCOM RPC exploit (dcom.c) Jason (Jul 27)
- Re: DCOM RPC exploit (dcom.c) Paul Schmehl (Jul 27)
- Re: DCOM RPC exploit (dcom.c) Jason (Jul 27)
- Re: DCOM RPC exploit (dcom.c) Paul Schmehl (Jul 27)
- Re: DCOM RPC exploit (dcom.c) Jason (Jul 27)
- Re: DCOM RPC exploit (dcom.c) Paul Schmehl (Jul 27)
- Re: DCOM RPC exploit (dcom.c) Nick FitzGerald (Jul 27)