Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Symantec Buys SecurityFocus, among others.
From: full-disclosure () lists netsys com (Steve)
Date: Thu, 18 Jul 2002 18:45:21 -0600

Release exploits with the vaguest of descriptions as to how they work 
(lost for examples -- just copy'n'paste the "technical bits" of some 
of the security bulletins from MS...).  Have the _only_ PoC code a 
compiled binary loaded with copyright notices forbidding reversing, 
etc.  Be sure to use some "encryption" (extremely trivial is OK as 
complexity doesn't matter; can you say XOR?) in the PoC to "protect" 
the important secret (generally the overflow "string" itself).  Be 
capricious in who you prosecute under the DMCA for incoporating 
vulnerability detection of this flaw into their products.  (Many 
other "pro-reversing" laws allow reversing if doing so is the only 
(practical) way to ensure compatibility or system inter-operation -- 
this should not be a defense against reversing a security 
vulnerability exploit...)

But how could you stop one from simply setting up a sniffer to "see"
what the exploit does on the network or monitor the local system to see
what is done?  I am all for people releasing exploit code, I see no
reason not to, but trying to protect it is a waste of time as there are
a million ways, legal ways, around it.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]