Vulnerability Development mailing list archives

Re: sshd exploit & $1,000 whine


From: "Robert A. Seace" <ras () slartibartfast magrathea com>
Date: Mon, 22 Oct 2001 13:18:01 -0400 (EDT)

In the profound words of anonpdox () hushmail com:

> [snip...]
> Full disclosure of vulnerability information fixes security holes.
> Fair enough. I won't bother arguing that. What exactly does the release of
> exploits accomplish though?

> Security $$ Penetrator: You're vulnerable to XXX
> Client: I don't believe you!
> Security $$ Penetrator: Ok, here's my proof of concept
> Security $$ Penetrator: See?
> Client: Oh! We better patch. Here's your payment.
>
> Give me a fscking break. Not even the worst of people are that
> thick.

        Never underestimate the human capacity for stupidity... ;-)
Some people ARE that thick...  Or, some don't so much disbelieve
the existence of a problem, but just don't CARE about it, unless
it can be proved to them they have a reason to care (ie: there's
a tool floating around out there that any half-wit can grab and
use to break in)...

        Also, it's not just commercial security consultants/pen-testers/etc.
in the above conversations: it's often sysadmins and security
admins who work for the company in question, trying to convince
their own bosses that they really need to bring down Critical
Server X long enough to patch it...

> I think what really happens is that script kids are
> armed, and this gives security professionals many case
> studies to choose from and threats to identify in their
> risk assessments. And some guy wanting money for an
> exploit is evil. Yah ok.

        I won't argue this...  You're definitely correct:
commercial security firms benefit from the proliferation of
script kiddies wielding exploits they don't understand, in
the same way anti-virus firms benefit from the proliferation
of virii and virii-creation kits that any lame-brain can use...
And, in general, I sympathize a lot with your position
throughout your message...  I can understand that exploit
writers may feel cheated when various companies take their
hard work and make money off it, without so much as even
giving them any credit, let alone a cut of the cash...

        However, it's really incorrect to suggest that this is
the ONLY consequence of publicly releasing exploit code,
and that there are NO positive benefits...  There are plenty
of legit uses for public exploit code:

1.      Encouraging the vendor to release a fix that much sooner...
        Many will take an "If there's not an existing exploit for it,
        we don't have to care too much about it yet" attitude...  The
        mere existence of an exploit will often hasten their creation
        of a patch, thereby resulting in better security for all of
        their customers...

2.      The aforementioned convincing thick-headed people of the need
        for applying existing patches to holes...

3.      Testing whether or not a vendor-supplied patch really works,
        like it claims to do...  (Certainly, there have been cases in
        the past where they didn't...  It's crazy to suggest blind
        trust of vendors to do the right thing...  It's not in their
        own best interests to do the right thing, if they can get away
        with NOT doing so...)

4.      Studying the code for a variety of reasons: fingerprinting it
        for creating an IDS signature (yes, you talked about that later,
        but I still think there's some value in having a sig for a specific
        exploit, especially an easily, publicly available one, which
        all the clueless kiddies are likely to be using); trying to understand
        how it works, and perhaps improve on it, or extend the idea to
        other areas/apps (i.e.: code as a tool for teaching new exploit coders);
        trying to understand how it works, so as to avoid making the same
        mistakes it exploits in any code of your own (i.e.: code as a tool for
        teaching app developers how to code more securely); simply satisfying
        one's innate curiosity to know how things work; etc...

5.      And, just generally keeping the information out in the open for
        all to see, rather than keeping it hidden...  I've never seen ANY
        good ever come from keeping information hidden...  There are always
        arguments by various people for the supposed need to keep certain
        info hidden (national security, the people couldn't handle it, etc.),
        but they're all a crock of shit...  The public has a right to be
        informed of the full details of things which directly affect them;
        and, software users have a right to be informed of the full details
        of vulnerabilities which affect the software they use...  Full details
        generally includes exploit code, since that's the easiest way to give
        full details of the problem (to those who can read the code, anyway)...
        But, even if not, the details would necessarily have to be enough to
        allow pretty much anyone who can code, to code their own exploit...

Sure, in addition to all these good things, releasing exploit code also
arms script kiddies and leeches wishing to make money off the code through
no effort of their own...  Does the bad outweigh the good?  I don't think
so...  Quite the opposite, IMHO...  But, if one disagrees, I suppose no
one is suggesting all exploit coders should be FORCED to release their
exploits...  If they don't want to, well that's their right...  I just
think they're deluding themselves if they refuse to acknowledge any of
the real GOOD that comes from releasing the exploits...  The world may
often seem full of the worst sleaze imaginable, and it can become easy
to believe there's nothing else out there but that sleaze, but I assure
you there are still some decent people out there who appreciate the hard
work of exploit coders, and try to use it for various positive purposes...

[And, for the record, I'm neither a member of the "security industry"
nor the "underground"...  "I'm just zis guy, you know..." ;-)]

-- 
||========================================================================||
||    Rob Seace    ||               URL              || ras () magrathea com ||
||  AKA: Agrajag   || http://www.magrathea.com/~ras/ || rob () wordstock com ||
||========================================================================||
"Ford! There's an infinite number of monkeys outside who want to talk to us
 about this script for 'Hamlet' they've worked out." - THGTTG