RE: What is the point here?

1.  I'm sorry your software got hacked but I'd be willing to bet that
the individuals that did it weren't the ones that posted it to BugTraq.

2.  As a pen tester I actually use the POCs and updated POCs.  I can't
tell a customer that they *may* be vulnerable to this and that.  I
sometimes have to show them by using POC code.  Also, if you think the
first/only place this stuff is posted to is BugTraq, you are wrong.  

3.  If an updated exploit is out there, I want to see it so I can figure
out how to protect my (and my customers') systems.  Waiting for a patch
is the wrong answer as this takes waayy too long.

4.  I agree 100% that if a Whitehat finds the vulnerability then he
should notify the manufacturer first.  That's his/her responsibility but
I don't think it's the moderator's job to determine if a manufacturer
has been notified or created a patch.  How would a moderator verify
notification?  Or even want to?  That'd be an ugly job!  Swimming
through voice and email systems trying to find a human at each
company... Ugh...    



-----Original Message-----
From: Alun Jones [mailto:alun@xxxxxxxxx] 
Sent: Sunday, January 18, 2004 10:47 PM
To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: What is the point here?


I've been meaning to say something about this for some considerable time
now, on various exploits and "proofs of concept" that have been posted
to this list.

Fine, I get the idea of posting a sample exploit, or a POC, as a means
to spurring on developers (and administrators) to fix and patch systems
against attack.  But really, unless there's a 'fix' that turns out not
to be a fix, what is the point of posting a "second version" of a sample
exploit or POC? [Maybe there's a good example in this case, but the
poster never mentioned what the change was from the standpoint of
getting the hole fixed]

What is the point of cleaning up a sample exploit?  What is the point of
posting more and "better" POCs?  What is the point of admitting such to
this list?  I know it's a moderated list, because I've seen my own share
of rejected messages, so I'm going to ask what the point is of the
moderation?

We've seen several POCs posted to this list with absolutely no attempt
made to contact the developers, and we've seen people take other POCs
and "fix them", so that they install a remote shell without alerting the
administrators of the machine.  Why?

If full disclosure in the name of protecting systems is what we're
about, then we need to be contacting vendors of systems we breach, and
we need to be posting code that goes only as far as is necessary to
demonstrate the breach - _not_ far enough to be the source for the next
root kit.

And the moderators for this mailing list need to take some
responsibility (ooh, that's going to get my post rejected, for sure!),
and start rejecting "updated" POCs unless they serve some security
_improvement_ purpose.  For instance, if the vendor disclaims the
presence of the bug, downplays it, or uses the POC's tie to one OS or
another to claim that other OSes are safe. Quite honestly, many of the
"second stab" POCs that I've seen to date appear to be nothing more than
an attempt to get some misplaced sense of glory, and/or to say "here's
the start of a root-kit, play with it now, kiddies, I'm washing my hands
of the whole affair, it's not my fault if you turn it into the next
Blaster / SoBig / whatever."

Posting exploits is _not_ a measure of first-resort.  Exploits should be
used as proof of concept in the last-resort, when vendors or admins have
entirely ignored a problem that you have tried to warn them about.
Exploits should be released as proof of concept _after_ a successful
patch has been released, so that admins can test that the patch fixes
the hole (of course, that would mean they'd want to test the exploit on
an unpatched machine first), or so that they can verify that the patch
applies a full fix.

Exploits should not be released in a form that practically screams
"okay, crackers, hackers and evil scum, come and play with this - the
vendors don't know about it yet".  Was it necessary for this "proof of
concept" to provide a remote _shell_ as their "proof"?  Never mind
_this_ PoC, when posting your next one, or when you're a moderator
approving the posting of a PoC, ask yourself if the systematic wide
publication of this message will serve to improve security, or will
serve as a root-kit for pimply wastrels?

Is the content of this discussion substantially different from the sort
of discussion you'd find in cracker IRC chats?  Other than a nod to
posturing that might place this as a Bugtraq posting, what I see quite
often in here contains technically the same content as:

Hey, d00dz, I jus g0t a GPF in da server.  [Instructions]
Woah, man, yeah, like, totally, I turned it into a sneaky remote shell.
Don' tell my teacherz or nuffin.  [Binary attachment]

I really don't know why _you_ signed up for Bugtraq.  Me, I signed up
because someone posted an exploit for my software here some time ago,
and didn't bother to tell me about it first.  I'd like to think that
isn't Bugtraq's purpose.

I'd like to think that Bugtraq positions itself as something more than a
semi-sneaky, behind-the-back-of-the-vendors rant group, or an assembly
point for root-kit starters.  Moderators, please stop accepting posts
where the poster has stated specifically that they have not yet notified
the vendor, or where the only new thing that is contributed is a more
insidious version of an existing exploit.  And posters, please consider
carefully before you post whether what you post is going to contribute
to an increase in security or a decrease in security.  If you cannot
claim that your post will help to improve security, then do us a favour
and take it somewhere else.

Alun Jones, MS MVP (Security, Windows SDK)
-- 
Texas Imperial Software   | Find us at http://www.wftpd.com or email
1602 Harvest Moon Place   | alun@xxxxxxxxxx
Cedar Park TX 78613-1419  | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(512)258-9858 | Try our NEW client software, WFTPD Explorer.