RE: RE: new internet explorer exploit (was new worm)

["Drew Copley" <dcopley () eeye com>]

> -----Original Message-----
> From: Valdis.Kletnieks () vt edu [mailto:Valdis.Kletnieks () vt edu] 
> Sent: Monday, March 29, 2004 5:27 PM
> To: Drew Copley
> Cc: Jelmer; full-disclosure () lists netsys com; 
> bugtraq () securityfocus com
> Subject: Re: [Full-disclosure] RE: new internet explorer 
> exploit (was new worm) 
>
> On Mon, 29 Mar 2004 17:14:12 PST, Drew Copley said:
> >  
>
> > > Has anybody offered the Microsoft dude who denied the 
> > > existence of 0-days
> > > some ketchup for his fried crow? ;)
> >
> > I do not recall this quote. Such a quote would be patently 
> untrue even
> > from the viewpoint of legitimate researchers that have open 
> bugs with
> > them. Such bugs are "zero day", though the vendor may be 
> aware of them. 
>
> http://news.bbc.co.uk/1/hi/technology/3485972.stm
>
> Sad part was that the CTO for their security business and 
> technology unit.
>
> And yes, he was widely derided for it.


I missed this one!

I am generally cynical of "black hat" claims. (But, then again, what
real "black hat" is going to make any claim at all? You think these
Russian guys stealing credit cards are making claims? Or, whoever the
guilty party is?) [Not that criminals don't find an overwhelming need to
brag about their efforts...]

However, you can not prove a negative. You should not need anyone to
tell you that, but if you try and seek the truth in all things -- you
would come across this problem so often you would remember it. 

And, in security, you should never think "all is safe" or even worse,
"there can never be a problem". 

In this man's case... this just downright scares me. The webdav exploit
was huge, and it should have been scary. Why on earth would people not
be alarmed at it?

But, the very understanding of the security community should show
everyone that it is and has been steadily growing all along. The
knowledge is growing. These things are inevitable.

I think we can also reason that these security bugs will be used. Look
at the spyware field and these recent bank/cc stealing worms. Look at
all of the wild political causes out there. You could hardly have a
hotter pot to boil.

**Last note: "hackers" are not "black hats". I hate the whole idea of
people being classified as "good or evil" in that sense. That is not the
way the word has been used within the development field, within the
administration field, nor within the security community. I do not think
a single bug finder out there wears a suit and tie to work. By their
very nature they are unconventional thinkers.



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html