RE: THCIISSLame exploit

["Brad Griffin" <b.griffin () cqu edu au>]

 Off-list maybe? I see dead horses with strange welt - like marks on
their flanks.

> -----Original Message-----
> From: Elver Loho [mailto:kernelpenguin () hot ee] 
> Sent: Friday, April 23, 2004 10:41 AM
> To: Oliver.C.Rochford; full-disclosure () lists netsys com
> Subject: Re: [Full-disclosure] THCIISSLame exploit
>
> Okay, I'll bite.
>
> : 1. the code is given as is, if it doesn't work for 
> you...learn to code
>
> The whole idea was binaries vs source code. My point, which 
> you seem to have missed, was that it's better to have source 
> code than a binary. Plus the release of a binary along with 
> the source code is redundant. And, as someone pointed out, 
> might also create problems with the authorities. And I can 
> code quite well, thank you for being concerned.
>
> : 2. As for the free speech etc etc...the bug is fixed, if 
> you are unable to
> : patch the system you are responsible for, get a new job, if 
> you didn't
> : know about the bug/fix, get a new job, if you want to bitch about
> : releasing exploit code/binaries on a security mailinglist...go do it
> : somewhere else.
>
> Source code might fall under freedom of speech. Binaries 
> definitely don't. If he released that in a country where 
> compiled exploits might get you more attention from the 
> authorities, he's still going to have problems even if he did 
> release the binary on the Internet. As for getting a new job, 
> etc, I, again, thank you for taking interest in my life, but 
> that won't be an issue.
>
> Also, I think it's more interesting if exploit code is 
> released before a patch. The reactions of people are much 
> more interesting to observe. Plus it gives you something to 
> look for instead of just sitting and praying to whatever 
> deity you worship that you don't get hacked. Of course, 
> that's assuming the original advisory isn't informative enough.
>
> : 3. If you don't like people posting exploits for bugs, get 
> a new hobby/job
>
> Again, this was about binaries vs source code. I prefer the 
> latter. I have no problem with people releasing exploits. I 
> much enjoy seeing clever code.
>
> : 4. If it is illegal in your country, good for you!! It 
> isn't in the FREE
> : world, thank god. Firewall you nation off, it helps us all
>
> No, it's quite legal around here. I don't know what the laws 
> are there in the UK, but I did however hear that the DMCA 
> might create problems for some avid exploit coders in parts 
> of the world usually classified as "the free world". 
> Didn't HP pull it on SnoSoft once? And, of course, there are 
> the computer crime laws which can usually be wrapped around 
> just about any exploit release. It's very hard to prove that 
> you didn't have malicious intent.
>
> : 5. The bug has been reported, a fix has been issued, 
> where's the darn
> : problem??
>
> There's a problem? Other than, according to one security 
> researcher on this list, the author of this exploit walking 
> on thin ice because he released the binary as well, there is 
> no problem to speak of. Well, there's that of internet 
> censorship, but that's a dead horse which would require some 
> medical attention from real lawyers before it can be beaten again.
>
> : I for one am glad to be able to test it, to have a binary 
> to make a snort
> : sig etc etc
>
> Yes, but you are able to compile the exploit code yourself, 
> are you not? I assume you are. I also assume that you are 
> capable of writing your own exploits if you really had the 
> need for them. And let's not bring up the need for Snort 
> after patching. That horse started stinking a long time ago already.
>
>
> elver
>
> : On Thu, 22 Apr 2004, Elver Loho wrote:
> : > : >Publishing the binary is VX-ing and is criminal. That 
> is very clear.
> : > :
> : > : Again, you assume this is illegal in every country. This is the
> : > : Internet, there are no laws here. ;)
> : >
> : > Do you think the Internet should be regulated by laws? Or 
> do you think we
> : > should rely on self-regulation in the form of moderation 
> and common
> : > decency? Because the latter isn't working out as you can 
> see. I'd like to
> : > take Ian Clarke's view of freedom of speech and say that 
> I don't mind
> : > seeing kiddy porn on the net, but hell, some of that 
> stuff truly IS sick.
> : > Cultivating it by giving it the status of freedom of 
> speech would just
> : > have unfortunate effects on the society as a whole and on 
> the well-being
> : > of its various current and future members. While I don't think the
> : > Internet should (or indeed, could) be regulated as a 
> whole, I believe
> : > that it would be possible and good to apply laws of the 
> poster's country
> : > of origin. What it comes down to in this case: is the 
> release of (binary)
> : > exploits allowed in Germany or not?
> : >
> : > : >To share knowledge with security researchers does not require
> : > : >releasing binary executables, professional testers can 
> compile the
> : > : >source code for themselves.
> : > :
> : > : Not everyone has a C/C++ compiler. Even if you do have a C/C++
> : > : compiler, you may have to port the code to your OS 
> which takes time. If
> : > : you also compile the exploit, everyone can test it. You 
> assume a script
> : > : kiddie can't compile an exploit and that the script 
> kidde can't use any
> : > : of the exploits sent to this list if it's only in 
> source form. Nice
> : > : protection, but it doesn't work.
> : >
> : > I think you missed the point here. C/C++ compilers are 
> available for free
> : > and anyone doing any kind of professional computer 
> security work will
> : > have one. You also assume that porting the code to one's 
> OS of choice
> : > takes time. However, if the exploit is released as a 
> binary, porting the
> : > code to someone's OS of choice is impossible with the 
> exception of being
> : > able to run some Windows binaries on Linux and a few 
> other OSes. Besides,
> : > this is what we have standards for. Writing source code 
> that will compile
> : > on a multitude of operating systems is easy. And with the 
> advent of good
> : > interpreted languages such as Python and Perl, it's trivial.
> : > As for script kiddies, then they are an unfortunate 
> by-product of our
> : > society. They will eventually grow up and join the ranks 
> of blackhats,
> : > whitehats or leave the computer security field entirely. 
> Having been one
> : > in the past myself, and not being proud of it, I can tell you that
> : > nothing will protect such exploits from script kiddies. 
> Some of them have
> : > big brains on them and if one of them figures it out, 
> everyone will
> : > figure it out. It's a society where the only currency is 
> respect earned
> : > by showing other members your level of intelligence. 
> Surprisingly, people
> : > like that fit nicely into Eric S. Raymond's mindset of an 
> open-source
> : > hacker as portrayed in his collection of essays titled 
> "The Cathedral and
> : > the Bazaar."
> : >
> : > : >Avoid releasing binaries and you will not have 
> problems with the
> : > : >authorities.
> : > :
> : > : I assume you meant to say "Avoid releasing EXPLOIT binaries ..."
> : >
> : > That sentence was in context. Ripping it out of context 
> to point out such
> : > things is pointless.
> : >
> : >
> : > Elver Loho
> : >
> : > _______________________________________________
> : > Full-Disclosure - We believe in it.
> : > Charter: http://lists.netsys.com/full-disclosure-charter.html
> :
> : _______________________________________________
> : Full-Disclosure - We believe in it.
> : Charter: http://lists.netsys.com/full-disclosure-charter.html
>
> --
> Elver Loho
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html