Full Disclosure mailing list archives
RE: Remote Mercury32 Imap exploit
From: Michal Zalewski <lcamtuf () ghettot org>
Date: Wed, 1 Dec 2004 00:33:51 +0100 (CET)
On Tue, 30 Nov 2004, muts wrote:
> If I'm not mistaken, the point isn't to get a *working exploit* out to the public, but more of a proof of concept to point out a vulnerability. The only reason to release a *fully* working exploit out to the wild would be to get popular amongst the script kiddies. Well done, you're popular now :)
Oh really. People who research and either publish or fix security issues in other people's code do a service to us all. Regardless of what they deliver, be it a working exploit or just a vague advisory, for a conscious administrator, having it is far better than just letting bugs thrive, and keeping vendors completely unaccountable. And since these researchers usually do it for free, they deserve nothing but our respect. Yes, respect - regardless of what our best guess on their true motivation is, to that.

By a bad analogy: I may believe that Linus Torvalds does his stuff just to get more attention, pick up chicks, and be able to do less and get paid more, but this does not mean we should be hating him; and even if he dares not do things my way and not in a way most convenient to me at the very moment (gasp!), it is better than not having them done at all. Why? Because, get this, even if my accusations were true, he could be very well spending his time achieving these very goals without giving anything to others.

This is not to say we should not have discussions and arguments; but there is a not-so-fine line between constructive criticism and potentially harmful bashing, and you seem to have crossed it.

This is a sad example that the world today is naive enough to give more rights and benefits to lazy vendors who, thanks to "responsible" disclosure they seem to be the biggest supporters of, may invest much less and suffer much fewer side effects of their incompetence or corner-cutting practices - whereas researchers, instead of being given protection from frivolous attempts to silence security research by overzealous vendors who are more concerned about their PR than the actual security of their products, are instead deemed guilty merely because they did not play by some arbitrary rules imposed by the few.

Responsible disclosure is just a view, and so is full disclosure and non-disclosure. All of those can be supported by certain oversimplified arguments, and neither viewpoint is truly superior. But, if on a full-disclosure list, one chooses to pass as a de facto moral standard a practice specifically favorable for and favored by companies that would be best off marginalizing security disclosure and associated publicity - we have a problem.

--
-------------------------
bash$ :(){ :|:&};:
-- Michal Zalewski * [http://lcamtuf.coredump.cx]
Did you know that clones never use mirrors?
---------------------------
2004-12-01 00:06 -- http://lcamtuf.coredump.cx/photo/current/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- RE: Remote Mercury32 Imap exploit Michal Zalewski (Nov 30)
- <Possible follow-ups>
- RE: Remote Mercury32 Imap exploit John (Nov 30)
- RE: Remote Mercury32 Imap exploit barabas mutsonline (Dec 01)
- Re: Remote Mercury32 Imap exploit JxT (Dec 01)
- Remote Mercury32 Imap exploit JohnH (Dec 01)
- Re: Remote Mercury32 Imap exploit class 101 (Dec 03)
- RE: Remote Mercury32 Imap exploit Randal, Phil (Dec 03)