RE: Re: Second critical mremap() bug found in all Linux kernels

["Geo." <geoincidents () getinfo org>]

> > Yes but it doesn't mean that we have to deliver tools any script kiddie
can take and go ahead for hacking!<<

I submit to the security industry that this is exactly what is required.
Allow me to explain.

Without worms, virus, and hacking, exactly what reason would the masses of
high bandwidth home machines have to patch? What would motivate the armies
of lazy computer owners to lock their machines down so that the internet is
not at risk of someone using known exploits to build an army of floodbots
and take control of the internet flooding off anyone who opposes them?

It is a very real danger that we have already seen beginning and if security
is not a concern then how do we protect ourselves from this sort of thing
happening?

One solution is report exploits, allow vendors sufficient time to create and
test patches, allow the masses sufficient time to apply those patches, then
release point and shoot exploit code so that the remaining unpatched
machines are now at a very real risk. Provide script kiddie tools that don't
allow control but do allow you to effect just the exploitable box by perhaps
coding them to make it easy to shutdown the box (high annoyance factor but
not perm damage). This provides the motivation to secure the world network
so that the number of exploitable boxes doesn't reach such a level that no
segment is safe.

Digital Darwinism.

Geo.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html