Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Possible apache2/php 4.3.9 worm
From: dk <dk () pwarchitects com>
Date: Mon, 27 Dec 2004 19:20:03 -0600

DanB UK wrote:
Do read the code carefully though Dan. Right off hand I can see errors
that were also in the code posted to bugtraq on the 20th; K-OTik may
have added more, dunno.

It is probable that they have added errors in. To curb the script
kiddies picking things up and modifying it and releasing it.

Yeah, I think it has been mentioned here that K-otik does this with their posted code, which is fine by me. :)

I have a bit of a worry about that and my talk, whether or not to
release my sample code. It could be used quite evilly if the intention
was there. I probably won't.

I have had concern about this as well, but remain a staunch supported of the Full Disclosure concept sprinkled with some common sense. With the time to live for virii/worms/exploits this year (from disclosure of bug to malware exploiting it) it's obvious that the "bar" is getting progressively lower each year in regards to the skill set it takes to develop this code. Which is a shame, as developing that skill over time lends itself to a better understanding of the responsibility that comes with it.

So a PoC or code that is missing key parts (that a skilled person could decipher), or an Advisory that informs the author(s) before the general public seems a socially responsible way to address bugs in our current climate. It /is/ hard not to share your work with others, and ultimately does everyone a disservice in the end not to disseminate the knowledge. :)

There has been an interesting discussion regarding this on Bugtraq in regards to Prof D. J. Bernstein's class "MCS 494: Unix
Security Holes" at UofI @ Chicago.
I was a bit surprised how vocal both he and one of his students, Jonathan Rockway, were in the thread(s) concerning disclosure; but it was nice to see them participate in it (and disclose the bugs they found in the first place of course). Yet they both seemed to disassociated themselves with many of the real-world effects their disclosure decisions have. It would seem the comfort of Academia colors things to those within it's walls. It was a shame to see an obviously intelligent, skilled & adept math/cs professor miss the mark on some of the social implications his work has on the world -- outside of the constrained scope of his coursework.

To me, it just highlighted the very problem he was trying to address. Namely, that some individuals or teams do not take responsibility for their actions outside of the limited issues they directly identify with; whether that be application coder or bug hunter. :(


Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]