[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] no more public exploits

To: "Duquette, John" <john.duquette@xxxxxxx>, <full-disclosure@xxxxxxxxxxxxxxxx>
Subject: Re: [Full-Disclosure] no more public exploits
From: "Yabby" <yabby@xxxxxxxxxxxx>
Date: Tue, 27 Apr 2004 22:00:09 +0200

> systems.  Haven't all the recent worms taught people anything?
>
> However, Johnny I'm sorry to see that people who can't control themselves
on
> the Internet have forced you to stop publishing code.  Can't say I blame
> you, but I don't have to like it.

From what I am noticing arround me, the worms of the past (especially
blaster on the windows front) have moved a lot of people to improve patching
procedures and take security a lot more seriously. What I notice a lot when
performing audits, for instance, is a system being nicely patched with
MS03-026, but MS03-039 being absent...

A substancial part of the sysadmin population (no, not the serious ones
stefan ;-) shrug when their server suddenly reboots (it came back up, didn't
it) and won't even notice an additional listener on their system. This last
thing is not surprising, because when you keep 20 unnecessary default
services running, it is not likely you will notice one more.... However,
they initiate immediate action as soon as their director starts complaining
that he can't use his spreadsheet because of the fact his workstation keeps
rebooting...

Got a question for you all. What is more harmfull:
1. exploit code that can be used to convince people that these
vulnerabilities pose a realy threat. Yeah, it might evolve into a worm, but
this worm will only hit the people that refuse to do what they are payed for
anyway, creating awareness for the need of applying security patches at the
same time.
2. no exploit code is publicly realeased, causing a lot of administrators
not to take the threat seriously. Exploits are only present to parties
developing them for themselfes. These parties silently use the exploits on
financial instituations, that won't notice or (when finding out) are too
embarrassed to make the event public. OR, private exploits are used by
foreign countries or multinationals in order to gain a competitative edge...

I'll go for the first one if you don't mind...

Fact remains that I think that releasing exploit code two weeks after the
patch has been made available is a bit quick. Responsible researchers would
do everyone a favor on waiting at least a month to allow for full regression
testing in testing and pre-production environments...

maarten
(Who knows that choosing between two wrongs doesn't make one right, but
still... you have to make a choice)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Follow-Ups:
- [Full-Disclosure] Detecting newly added Windows Services (was: no more public exploits)
  - From: Marcel Krause

References:
- RE: [Full-Disclosure] no more public exploits
  - From: Duquette, John

Prev by Date: RE: [Full-Disclosure] no more public exploits and general PoC gui de lines
Next by Date: RE: [Full-Disclosure] no more public exploits and general PoC gui de lines
Previous by thread: Re: [Full-Disclosure] no more public exploits
Next by thread: [Full-Disclosure] Detecting newly added Windows Services (was: no more public exploits)
Index(es):
- Date
- Thread