mailing list archives
Symantec Buys SecurityFocus, among others.
From: full-disclosure () lists netsys com (Steve)
Date: Thu, 18 Jul 2002 18:45:21 -0600
Release exploits with the vaguest of descriptions as to how they work
(lost for examples -- just copy'n'paste the "technical bits" of some
of the security bulletins from MS...). Have the _only_ PoC code a
compiled binary loaded with copyright notices forbidding reversing,
etc. Be sure to use some "encryption" (extremely trivial is OK as
complexity doesn't matter; can you say XOR?) in the PoC to "protect"
the important secret (generally the overflow "string" itself). Be
capricious in who you prosecute under the DMCA for incoporating
vulnerability detection of this flaw into their products. (Many
other "pro-reversing" laws allow reversing if doing so is the only
(practical) way to ensure compatibility or system inter-operation --
this should not be a defense against reversing a security
But how could you stop one from simply setting up a sniffer to "see"
what the exploit does on the network or monitor the local system to see
what is done? I am all for people releasing exploit code, I see no
reason not to, but trying to protect it is a waste of time as there are
a million ways, legal ways, around it.