Full Disclosure mailing list archives

Re: DCOM RPC exploit (dcom.c)


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Sun, 27 Jul 2003 17:02:43 +1200

"gregh" <chows () ozemail com au> wrote:

> Just my $0.02:
>
> Shoot the messenger - that always stops the bad event happening.
>
> Sorry for the sarcasm. I can never see the point in "If we don't tell
> the enemy how to build a nuclear weapon they never will so we are
> safer as a result" logic.

The logic is not that you are ultimately "safer" in the sense that 
potential "adversaries" will be _prevented forever_ from developing 
"something bad" to use against you based on this "knowledge".

The argument is that you will be probabilistically safer for a longer 
time.  If you don't give kitset weapons, or the detailed plans of how 
to make them, to all and sundry then the number of potential 
adversaries who can use that type of weapon against you is _reduced_.  
Thus, probabilistically, over many iterations of such new weapon 
possibilities and designs, it is longer on average before any one of 
these weapons whose availability has been "boosted" is used against you 
_relative to those cases where the possibilities and plans are not 
disclosed_.

Thus, not disclosing such information is part of managing the risk 
associated with a vulnerability.

That is not to say "you can get right royally shagged via DCOM over RPC 
so apply this patch now" is not valuable information of the sort that 
should not be disclosed.  However, publishing exploit code for the 
kudos of the "my willy is bigger than yours" kind, which typically is 
the only "benefit" accruing to the discloser, is somewhere between 
narcissistic bloody mindedness and outright criminal.

(At the risk of strolling even further off topic, the first point 
reminds me of something the proponents of "give us the sploits" often 
trundle out -- convincing those managers who "won't believe X is 
possible until they see it with their own eyes".  Of course, selling 
"real security" to such folk is much like being tailor to that mythical 
emperor, so availability of sploits should not be necessary at all, as 
essentially the problem in such instances reduces to one or other of, 
"will I spoil my professional reputation by being hamstrung into 
implementing half-arsed solutions because this guy has half of a 
baboon's brain" _or_ to that of a marketing problem where the "art" is 
in deciding how to tell them any old crap so long as it is wrapped up 
in enough techno-gibberese that they think they half understand what 
you are talking about.)

> Greg - you may call me a "Jihad O'Clue." if you wish.

I may, but as you're inviting name-calling, I think I am rather more 
likely to call you a silly twat that uses some chronically lame HTML 
Email client that has no place in the working armory of a security 
professional, at least not if its trivial configuration options that 
disable the sending of HTML Email are not disabled.


Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html