Re: [Full-disclosure] Publishing exploit code - what is it good for

To: Aviram Jenik <aviram@xxxxxxxxxxxxxxxxxx>
Subject: Re: [Full-disclosure] Publishing exploit code - what is it good for
From: Joachim Schipper <j.schipper@xxxxxxxxxx>
Date: Thu, 30 Jun 2005 14:40:08 +0200
Cc: full-disclosure@xxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <200506301513.48789.aviram@xxxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: Mathematisch Instituut
References: <200506301513.48789.aviram@xxxxxxxxxxxxxxxxxx>
User-agent: Mozilla Thunderbird 0.8 (X11/20040917)

Aviram Jenik wrote:

Hi,
I recently had a discussion about the concept of full disclosure with one ofthe top security analysts in a well-known analyst firm. Their claim was thatcompanies that release exploit code (like us, but this is also relevant forbugtraq, full disclosure, and several security research firms) put users atrisks while those at risk gain nothing from the release of the exploit.
I tried the regular 'full disclosure advocacy' bit, but the analyst remainedreluctant. Their claim was that based on their own work experience, asecurity administrator does not have a need for the exploit code itself, andthe vendor information is enough. The analyst was willing to reconsider theirposition if an end-user came forward and talked to them about their ownbenefit of public exploit codes. Quote: " If I speak to an end-userorganization and they express legitimate needs for exploit code, then I'llchange my opinion."

What I need is a security administrator, CSO, IT manager or sys admin that canexplain why they find public exploits are good for THEIR organizations. Maybewe can start changing public opinion with regards to full disclosure, andhopefully start with this opinion leader.
TIA.

How about anyone who ever hired a pen tester? It's quite impossible tohave a comprehensive suite of tools without some collaboration, and justnoting that the vulnerability may exist is not enough in many cases.

Blackhats may get along with only a handful of exploits, if they'rewilling to try to find targets to match their collection, but apentester should have the collection to match the target.

This is doubly true if we're not talking about a dedicated pentester,but about a sysadmin with a networking/security background who likes toverify that the patches did, indeed, work.

Lastly, I know *I* subscribe to a mailinglist that announces newexploits - it gives me a good indication of how long a typical hackertakes to code an exploit once the vulnerability is released, plus itindicates when patching is past due.

I'm afraid we're not quite impressive enough, but finding some who areshould not be too difficult.

Also, exploits will be distributed, publicly or otherwise - doing it inthe open means we know what happens when.


                Joachim

Follow-Ups:
- Re: [Full-disclosure] Publishing exploit code - what is it good for
  - From: devnull

References:
- Publishing exploit code - what is it good for
  - From: Aviram Jenik

Prev by Date: Re: [Full-disclosure] Publishing exploit code - what is it good for
Next by Date: [DRUPAL-SA-2005-002] Drupal 4.6.2 / 4.5.4 fixes input validation issue
Previous by thread: Re: [Full-disclosure] Publishing exploit code - what is it good for
Next by thread: Re: [Full-disclosure] Publishing exploit code - what is it good for
Index(es):
- Date
- Thread