Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

bugtraq logo Bugtraq mailing list archives

Re: [Full-disclosure] Publishing exploit code - what is it good for
From: bruen () coldrain net
Date: Thu, 30 Jun 2005 08:38:30 -0400 (EDT)

Hi Aviram,

  There are two main problems with your analyst friend's position. The 
first is that he has no business deciding for me or anyone else as to 
whether or not my needs are legitimate. I get to decide if I need/want 
something (like exploit code) or not, his arrogance notwithstanding.

 The second point is that he, like most software vendors, have to yet to
figure out that their products are consumer products and should be treated
just like automobiles and toys. Consumer product testing is very public.
Software is the same. We all want to know *exactly* how the product fails,
just like any other consumer product, no exceptions.

 It is no longer about "full disclosure", it's about being just like 
everyone else. There is no difference between how my software gets 
exploited and how my child safety seat fails.

                 cheers, bob  



On Thu, 30 Jun 2005, Aviram Jenik wrote:


Hi,

I recently had a discussion about the concept of full disclosure with one of 
the top security analysts in a well-known analyst firm. Their claim was that 
companies that release exploit code (like us, but this is also relevant for 
bugtraq, full disclosure, and several security research firms) put users at 
risks while those at risk gain nothing from the release of the exploit.

I tried the regular 'full disclosure advocacy' bit, but the analyst remained 
reluctant. Their claim was that based on their own work experience, a 
security administrator does not have a need for the exploit code itself, and 
the vendor information is enough. The analyst was willing to reconsider their 
position if an end-user came forward and talked to them about their own 
benefit of public exploit codes. Quote: " If I speak to an end-user 
organization and they express legitimate needs for exploit code, then I'll 
change my opinion."

Help me out here. Full disclosure is important for me, as I'm sure it is for 
most of the people on these two lists. If you're an end-user organization and 
are willing to talk to this analyst and explain your view (pro-FD, I hope), 
drop me a note and I'll put you in direct contact.

Please note: I don't need any arguments pro or against full disclosure; all 
this has been discussed in the past. I also don't need you to tell me about 
someone else or some other project (e.g. nessus, snort) that utilizes these 
exploits. Tried that. Didn't work.

What I need is a security administrator, CSO, IT manager or sys admin that can 
explain why they find public exploits are good for THEIR organizations. Maybe 
we can start changing public opinion with regards to full disclosure, and 
hopefully start with this opinion leader.

TIA.




-- 
Dr. Robert Bruen
Cold Rain Technologies 
http://coldrain.net
+1.802.579.6288

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]