[Full-disclosure] Publishing exploit code - what is it good for
mike at alanpickel.com
Fri Jul 1 02:18:48 BST 2005
1) Over a long period of time, after learning the different dimensions
of attack, PoC code can turn you into a pretty good pen tester of your
own network and setup. We all learn from our mistakes. You learn
nothing from a security alert with no details as to what exact mistake
was made in a product, from which others could learn.
2) (in some cases) PoC code, although it temporarily causes harm,
sometimes improves internet security as a whole. Look at MS Blaster: we
all learned quickly to patch the correct ports (well, most of us) and now
use firewalls as well, with Microsoft turning them on by default.
3) PoC code will get the vendor to take quick action. With no PoC, they
will take their little old time to patch their product. They assume it's
not being used in the wild, but how could anyone be so sure?
From: full-disclosure-bounces at lists.grok.org.uk
[mailto:full-disclosure-bounces at lists.grok.org.uk] On Behalf Of Aviram
Sent: Thursday, June 30, 2005 8:14 AM
To: full-disclosure at lists.grok.org.uk; bugtraq at securityfocus.com
Subject: [Full-disclosure] Publishing exploit code - what is it good for
I recently had a discussion about the concept of full disclosure with
the top security analysts in a well-known analyst firm. Their claim was
that companies that release exploit code (like us, but this is also
relevant to bugtraq, full disclosure, and several security research
firms) put users at risk while those at risk gain nothing from the
release of the exploit.
I tried the regular 'full disclosure advocacy' bit, but the analyst was
reluctant. Their claim was that based on their own work experience, a
security administrator does not have a need for the exploit code itself;
the vendor information is enough. The analyst was willing to reconsider
their position if an end-user came forward and talked to them about their
own benefit from public exploit code. Quote: "If I speak to an end-user
organization and they express legitimate needs for exploit code, then I
will change my opinion."
Help me out here. Full disclosure is important for me, as I'm sure it is
for most of the people on these two lists. If you're an end-user and are
willing to talk to this analyst and explain your view (pro-FD, I
assume), drop me a note and I'll put you in direct contact.
Please note: I don't need any arguments pro or against full disclosure;
this has been discussed in the past. I also don't need you to tell me
about someone else or some other project (e.g. nessus, snort) that
utilizes exploits. Tried that. Didn't work.
What I need is a security administrator, CSO, IT manager or sys admin to
explain why they find public exploits are good for THEIR organizations.
We can start changing public opinion with regards to full disclosure,
hopefully starting with this opinion leader.
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/