Re: THCIISSLame exploit

["Oliver.C.Rochford" <orochford () beefed org>]

1. the code is given as is, if it doesn't work for you...learn to code

2. As for the free speech etc etc...the bug is fixed, if you are unable to
patch the system you are responsible for, get a new job, if you didn't
know about the bug/fix, get a new job, if you want to bitch about
releasing exploit code/binaries on a security mailinglist...go do it
somewhere else.

3. If you don't like people posting exploits for bugs, get a new hobby/job

4. If it is illegal in your country, good for you!! It isn't in the FREE
world, thank god. Firewall you nation off, it helps us all

5. The bug has been reported, a fix has been issued, where's the darn
problem??

I for one am glad to be able to test it, to have a binary to make a snort
sig etc etc




@mail:datacide () inet-sec org

/******************************************
 * Created with PINE, microsoft-free zone *
 ******************************************/


On Thu, 22 Apr 2004, Elver Loho wrote:

> : >Publishing the binary is VX-ing and is criminal. That is very clear.
> : Again, you assume this is illegal in every country. This is the Internet,
> : there are no laws here. ;)
>
> Do you think the Internet should be regulated by laws? Or do you think we
> should rely on self-regulation in the form of moderation and common decency?
> Because the latter isn't working out as you can see. I'd like to take Ian
> Clarke's view of freedom of speech and say that I don't mind seeing kiddy
> porn on the net, but hell, some of that stuff truly IS sick. Cultivating it
> by giving it the status of freedom of speech would just have unfortunate
> effects on the society as a whole and on the well-being of its various
> current and future members. While I don't think the Internet should (or
> indeed, could) be regulated as a whole, I believe that it would be possible
> and good to apply laws of the poster's country of origin. What it comes down
> to in this case: is the release of (binary) exploits allowed in Germany or
> not?
>
> : >To share knowledge with security researchers does not require
> : >releasing binary executables, professional testers can compile the
> : >source code for themselves.
> : Not everyone has a C/C++ compiler. Even if you do have a C/C++ compiler,
> : you may have to port the code to your OS which takes time. If you also
> : compile the exploit, everyone can test it. You assume a script kiddie can't
> : compile an exploit and that the script kidde can't use any of the exploits
> : sent to this list if it's only in source form. Nice protection, but it
> : doesn't work.
>
> I think you missed the point here. C/C++ compilers are available for free and
> anyone doing any kind of professional computer security work will have one.
> You also assume that porting the code to one's OS of choice takes time.
> However, if the exploit is released as a binary, porting the code to
> someone's OS of choice is impossible with the exception of being able to run
> some Windows binaries on Linux and a few other OSes. Besides, this is what we
> have standards for. Writing source code that will compile on a multitude of
> operating systems is easy. And with the advent of good interpreted languages
> such as Python and Perl, it's trivial.
> As for script kiddies, then they are an unfortunate by-product of our society.
> They will eventually grow up and join the ranks of blackhats, whitehats or
> leave the computer security field entirely. Having been one in the past
> myself, and not being proud of it, I can tell you that nothing will protect
> such exploits from script kiddies. Some of them have big brains on them and
> if one of them figures it out, everyone will figure it out. It's a society
> where the only currency is respect earned by showing other members your level
> of intelligence. Surprisingly, people like that fit nicely into Eric S.
> Raymond's mindset of an open-source hacker as portrayed in his collection of
> essays titled "The Cathedral and the Bazaar."
>
> : >Avoid releasing binaries and you will not have problems with the
> : >authorities.
> : I assume you meant to say "Avoid releasing EXPLOIT binaries ..."
>
> That sentence was in context. Ripping it out of context to point out such
> things is pointless.
>
>
> Elver Loho
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html