[Full-Disclosure] [Secure Network Operations, Inc.] FullDisclosure != Exploit Release
dufresne at winternet.com
Wed Jan 29 14:35:39 GMT 2003
On Tue, 28 Jan 2003, hellNbak wrote:
> So I say release the code, try and make it as crippled as possible
> (localhost only or whatever) so at least you know that *your* code won't
> be directly used for malicious intent. Yeah exploits and malicious
> code/worms/virus'/whatever will still exist and be abused but regardless
> of what you and anyone else for that matter do it always will.
> At least with releasing code you can take comfort in knowing that you are
> helping those who cannot help themselves. That is of course if you
> believe in helping others and don't just release advisories for the
> media-whoring marketing purposes (hello to my friends at ISS ;p).
What's interesting about the disclosure debates in their various forms, is
that it has been ongoing since the first earliest security lists, <check
the http://securitydigest.org/ site>. In fact, the debate seemed to be at
time a near show stopper for a number of the early lists, at times they
never got much beyond the topic, for long periods of time, and some lists
died or went stagemant while enthralled within the discussion process>.
And, to this day it persists. Though the trend has been softened with the
term "responsible" prepended. In that light, rather then issueing a quick
advisory with a borked exploit enclosed, it might be better to issue the
warning, after first letting the vendor<s> in question know of your
findings and giving them at least a modicum of time to ingest your work,
then later down the road, posting the code you developed. Perhaps
allowing a large portion of those exposed, to fix their sites and be
prepared for the coming mess of adverse packets?
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
Full-Disclosure is hosted and sponsored by Secunia.