Vulnerability Development mailing list archives

Re: Exploit Ease Level


From: sec () ORGONE NEGATION NET (jms)
Date: Sat, 29 Apr 2000 17:10:19 -0700


On Sat, 29 Apr 2000, Mark L. Jackson wrote:

//  you know, a qualified system administrator / security official can
//  generally figure out what's going on in the code in an exploit and reach
//  those conclusions by him/herself.

Really? You're telling me that a sysadmin who does not code all day long,
does not debug code (not scripts), and generally is not even trained to
code (one or two classes is not being trained) can see an exploit that
professional programmers can't?

heh, i was talking about looking at an exploit and seeing what's going on,
not auditing the source for every daemon you run.

My experience with sysadmins is that they can barely find their way to
work.

i can barely find my way to the bathroom in the morning on a good day, but
show me source code to an exploit and i can usually figure out what's what.
not always, by any means, but usually.  and lord knows i can't code.

//  the answer to your concerns isn't to dummy down exploits or their
//  descriptions, it is to do the homework needed to understand what the code
//  in front of you is doing, and to reach your own conclusions concerning
//  threat assessment.

No the answer is for companies to stop accepting crap for software.

yyyyyyyyyeah..

i'm a little leery of the above sentiment; named, the latest imap
bug, the RSAREF bug, these aren't "crap" software by a long shot. which
companies are you referring to?

I am all for a 'dummy down' approach. [my guess is you were being
derogatory. Making something simple does not diminish someone's credibility,
it increases it. To assume that you have to have a PhD before you should
be able to understand an explanation of an exploit is sheer arrogance] I
rely on others to keep me informed. That is called being efficient. It is
not a 'bad thing'. I cannot fix all the world's problems, I can only fix
mine. Sometimes that's a less than desirable solution, but it is reality.
I don't have time to even keep up with known problems in the languages I
code in; much less the platforms I am working on. *I have to turn out
code.* I AM NOT A RESEARCHER. ANY help is welcome, especially if it is
well laid out and easily accessible.

wait wait.. you have to turn out code, but you feel you need a PhD to
understand the basic mechanics of the average buffer exploit source code?
huh..

hyperbole aside, it sounds like we agree that a lot of admins need to clue
themselves.  i certainly put a lot of energy into trying to clue myself,
and i'm sure you do as well.

like, here's the real flaw in the "keep it simple" argument as i see it:

very often, the exploits we see pop up are not "public" exploits.  they
have _no_ comments above and beyond shout-outs and credits to the authors,
if that.  so if we make the younger talent in the admin pool reliant on
Hack By Numbers instructions, these people are going to sit around and
chew their cud when they see code that they don't understand, and while
the tumbleweeds behind their eyeballs bounce around a little faster while
they debate disabling the software in question, some 14 year old just
compiled it, wrote a mass scanner, and is actively owning his corner of
the net.

as for public exploits, all i ask for in public releases of exploit code is
that people show me the faulty code, include a patch, or explain why no
patch is forthcoming. and usually that's what i get.

and for those instances where i see code in front of me i don't understand,
and/or i need some help, there is this list :)

-jason storm
 negation industries

~you gotta chug.~
        -u.c.b.

