Full Disclosure mailing list archives
Re: Publishing exploit code - what is it good for
From: ChayoteMu <chayotemu () gmail com>
Date: Fri, 1 Jul 2005 20:51:12 -0700
I'm not too sure if this would help much but from a student standpoint I understand FAR more about how the security works by knowing how to break it, which only really works if I have source code and so full-disclosure exploits. I KNEW what a shellcode and buffer overflow were for years but I only UNDERSTOOD it after I read "Hacking: The Art of Exploitation" because it broke it down for me (excellent book BTW). Now I understand how an overflow exploit works, but don't understand how a particular one works against a particular program without the exploit code that I can go over and go "Oh, so that's how it does it." The idea is that the next generation of security pros (and the current ones I assume) need the information to be a step ahead by understanding the tricks used by the exploit, otherwise they're always playing catch-up to the latest exploit. On 6/30/05, devnull () rodents montreal qc ca <devnull () rodents montreal qc ca> wrote:
[Because of all the broken autoresponders on bugtraq, the header From: is a bitbucket. Use the address in the signature to reach me.]Quote: " If I speak to an end-user organization and they express legitimate needs for exploit code, then I'll change my opinion."Well, I'm not an end-user organization, but as an end user[%], the major benefit I see to full disclosure is that it appears to be close to the only thing that has any real success at getting vendors to fix bugs. (In general. There certainly are vendors that stay on top of things without needing the prod of public exploit disclosure. But they are notable by their rarity.) [%] "End user" is not the only hat I wear. It's just the one I'm wearing here. /~\ The ASCII der Mouse \ / Ribbon Campaign X Against HTML mouse () rodents montreal qc ca / \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
-- "To catch a thief, think like a thief. To catch a master thief, be a master thief." _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Publishing exploit code - what is it good for Curt Sampson (Jul 01)
- <Possible follow-ups>
- RE: Publishing exploit code - what is it good for Socrates (Jul 01)
- RE: Publishing exploit code - what is it good for Morales, David (Seta) (Jul 01)
- Re: Publishing exploit code - what is it good for Joachim Schipper (Jul 01)
- Re: Publishing exploit code - what is it good for ChayoteMu (Jul 02)
- RE: Publishing exploit code - what is it good for Harry Metcalfe (Jul 02)
- RE: Publishing exploit code - what is it good for wnorth (Jul 05)
- Re: Publishing exploit code - what is it good for Lionel (Jul 06)