Hi,
I recently had a discussion about the concept of full disclosure with one of
the top security analysts in a well-known analyst firm. Their claim was that
companies that release exploit code (like us, but this is also relevant for
bugtraq, full disclosure, and several security research
Hi Aviram,
There are two main problems with your analyst friend's position. The
first is that he has no business deciding for me or anyone else as to
whether or not my needs are legitimate. I get to decide if I need/want
something (like exploit code) or not, his arrogance notwithstanding.
The discussion is only theoretical and of no business importance.
Exploits are disclosed; that's a fact that I, as a security manager, have to
live and work with.
Whether this disclosure is good or bad is totally irrelevant.
Anyone who discovers an exploitable weakness, informs the supplier and then
This argument has gone on for decades at least; you hear very similar things
from the feds about homeland security as well, to pick one of the more prominent
other sources.
We are engaged, when trying to defend systems, in a design contest with
attackers, trying to keep our fortresses from being
What is it good for? One word 'Marketing'.
- zeno
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
This is an interesting method of reducing the keyspace of attack, but
rand() is still a linear congruential PRNG. It should never be used where
cryptographically secure pseudo-random numbers are needed. I would
suggest using Blum Blum Shub or some method based on an existing
cipher in counter mode.
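As an added illustration of the point made above (example code, not from the original poster or the list), the following shows why a linear congruential generator is useless as a secret source: with the modulus known, three consecutive full outputs are enough to recover the multiplier and increment and predict every later value. The LCG constants (a = 1664525, c = 1013904223, m = 2^32) are assumed for the demonstration; C's rand() uses implementation-specific constants and often truncates its output, which only raises the attacker's work to a brute-force search of the seed. The counter-mode generator at the end uses SHA-256 as a stand-in for a block cipher so the example runs offline; in practice you would use AES-CTR from a vetted library.

```python
"""Predicting an LCG from its outputs versus a counter-mode generator.

Added example, not code from the thread.  LCG constants are assumed for
the demonstration; SHA-256 stands in for a block cipher in CTR mode.
"""
import hashlib
import math
from typing import List, Tuple

M = 2 ** 32          # modulus (assumed: a common 32-bit LCG)
A = 1664525          # multiplier (assumed)
C = 1013904223       # increment (assumed)


def lcg_stream(seed: int, n: int, a: int = A, c: int = C, m: int = M) -> List[int]:
    """Return n successive outputs of x_{i+1} = a*x_i + c mod m."""
    out, x = [], seed % m
    for _ in range(n):
        x = (a * x + c) % m
        out.append(x)
    return out


def window_recoverable(x: List[int], m: int = M) -> bool:
    """The attack needs (x1 - x0) to be invertible mod m.  For m = 2^32 that
    means the difference is odd; the generator's own parity structure keeps
    successive differences the same parity, so check once per stream."""
    return math.gcd((x[1] - x[0]) % m, m) == 1


def recover_lcg_params(x: List[int], m: int = M) -> Tuple[int, int]:
    """Recover (a, c) from three consecutive full outputs with m known.

    x2 - x1 = a * (x1 - x0)  (mod m)   =>  a = (x2 - x1) * inv(x1 - x0)
    c = x1 - a * x0                    (mod m)
    """
    if not window_recoverable(x, m):
        raise ValueError("x1 - x0 is not invertible mod m; pick another window")
    x0, x1, x2 = x[:3]
    inv = pow((x1 - x0) % m, -1, m)     # modular inverse (Python >= 3.8)
    a = ((x2 - x1) * inv) % m
    c = (x1 - a * x0) % m
    return a, c


def predict_next(x: List[int], m: int = M) -> int:
    """Given at least three observed outputs, predict the one that follows."""
    a, c = recover_lcg_params(x, m)
    return (a * x[-1] + c) % m


def ctr_keystream(key: bytes, nblocks: int) -> bytes:
    """Counter-mode keystream: PRF(key, counter) for counter = 0, 1, 2, ...

    SHA-256(key || counter) stands in for E_key(counter) (assumption for
    this example).  Past outputs reveal nothing about the key, so an
    observer cannot extend the stream the way recover_lcg_params() does.
    """
    ks = bytearray()
    for ctr in range(nblocks):
        ks += hashlib.sha256(key + ctr.to_bytes(16, "big")).digest()
    return bytes(ks)


if __name__ == "__main__":
    observed = lcg_stream(12345, 4)          # attacker sees the first three
    a, c = recover_lcg_params(observed[:3])
    print("recovered a, c:", a, c)
    print("predicted:", predict_next(observed[:3]), "actual:", observed[3])
    print("CTR keystream (hex):", ctr_keystream(b"constructed-key", 1).hex())
```

The recovery step generalises the comment's point: an LCG's state is (at most) one full output, so anything that leaks outputs leaks the state. The brute-force variant for truncated generators such as the ANSI C sample rand() is the same idea with a seed search in place of the modular inverse.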
I think Edwin Starr said it best: Code – Good God Y'all, What is it good for? Absolutely nothing
or was it war?
- illwill
http://illmob.org
Microsoft Windows NTFS Information Disclosure
I. Synopsis
Affected Systems:
* Microsoft Windows 2000
* Microsoft Windows XP
* Microsoft Windows Server 2003
Risk: Moderate
Impact: Local Information Leak
Status: Maintenance Release Planned (Uncoordinated release)
Author: Matthew Murphy
I have been running some scans on some of our Cisco kit and one of our
scanners came up with the following vulnerability:
Cisco Router IOS History Bug
CVE ID: CVE-2000-0368
Vendor Reference: CSCdk43920
I would like to clarify this vulnerability by hand if possible. Does anyone have
I remember using a published exploit to show proof positive something
malicious could be done to an email gateway. This so frightened the
higher ups they instituted a rigorous security policy and encouraged
me to keep abreast of constant developments. I have free rein to use
any code be it
Here is my quick $0.02:
In a lot of environments (including the one that I work on/in) we make
our own modifications to software to get them to work in such a way that
is more beneficial to our organization. Because we make modifications to
the way software works we don't always know if the
Joachim Schipper wrote:
This is doubly true if we're not talking about a dedicated pentester,
but about a sysadmin with a networking/security background who likes to
verify that the patches did, indeed, work.
Likewise; a sysadmin that likes to verify that their other security
management tools
:: Blackhats may get along with only a handful of exploits, if they're
:: willing to try to find targets to match their collection, but a
:: pentester should have the collection to match the target.
::
:: This is doubly true if we're not talking about a dedicated pentester,
:: but about a
As the security officer for our organization, I find full disclosure
to be an indispensable part of our software selection process. Software
that has not been thoroughly examined and tested is considered strongly
suspect by our organization and is not likely to find its way to our
short list.
We are a company that actively keeps up to date on publicly available
exploits. Their availability not only prompts us to understand the risks
when prioritizing, but also provides us with the necessary tools to dispel
nay-sayers' arguments of disbelief. Nothing like showing management the
true
What I need is a security administrator, CSO, IT manager or sys admin that can
explain why they find public exploits are good for THEIR organizations. Maybe
we can start changing public opinion with regards to full disclosure, and
hopefully start with this opinion leader.
Easy .. so we can
Erick,
How do you plan to mitigate known vulnerabilities in your network
without a POC? I guess you can just assume your systems are vulnerable
and then wait on the vendor to fix it...with your hands tied? I am sure
Microsoft will have that patch out next year for you.
Exploit code is used by
I have used public exploits for:
1. Verifying that the manufacturer's recommendations have been followed and
that they work. This was invaluable in the first few rounds of Microsoft RPC
patches a couple of years ago - some patches appeared to have installed
correctly but the machines were still
benefit of public exploit codes. Quote: If I speak to an end-user
organization and they express legitimate needs for exploit code, then I'll
change my opinion.
Heh...very close-minded to begin with. Good luck trying any
argument with this analyst.
Please note: I don't need any arguments pro
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On (30/06/05 15:13), Aviram Jenik didst pronounce:
What I need is a security administrator, CSO, IT manager or sys admin
that can explain why they find public exploits are good for THEIR
organizations. Maybe we can start changing public opinion
I recently had a discussion about the concept of full disclosure with one of
the top security analysts in a well-known analyst firm. Their claim was that
companies that release exploit code (like us, but this is also relevant for
bugtraq, full disclosure, and several security research
[Because of all the broken autoresponders on bugtraq, the header From:
is a bitbucket. Use the address in the signature to reach me.]
Quote: If I speak to an end-user organization and they express
legitimate needs for exploit code, then I'll change my opinion.
Well, I'm not an end-user
What I need is a security administrator, CSO, IT manager or sys admin
that can explain why they find public exploits are good for THEIR
organizations. Maybe we can start changing public opinion with regards
to full disclosure, and hopefully start with this opinion leader.
You won't find any
The release of exploit code is good for my organization for two
reasons: It keeps my IT administrators and software vendors on their
toes.
I know a lot of IT administrators who sit on patches and remediation
techniques because there is only proof-of-concept information
available. When there is
On Thu, 30 Jun 2005, Skip Carter wrote:
I think it's a question of what the role of the 'security administrator' is
within the enterprise. If their job is primarily threat evaluation and appropriate
patching/updating in response, then I agree that the publication of an exploit
is not very
While performing penetration testing at the request of a Fortune 500
financial services company, I discovered a vulnerability that, if
abused, could have been used to initiate fraudulent funds transfers,
stock market transactions, etc.
The client was skeptical when told the exploit could occur in
Change control policy at one of my jobs put me in an identical
situation. I flat out could not patch a machine unless I could produce a
cmd.exe or /bin/sh prompt remotely.
Putting that stuff aside how about the vendors that like to try to hide
things from you? Vendors love Jedi Mind
On Thu, 30 Jun 2005, Aviram Jenik wrote:
What I need is a security administrator, CSO, IT manager or sys admin that can
explain why they find public exploits are good for THEIR organizations. Maybe
we can start changing public opinion with regards to full disclosure, and
hopefully start with
Melvin Klassen wrote:
[EMAIL PROTECTED] (Matthew Murphy) at Jun 30, 2005 12:01:59 PM wrote:
However, an apparent error in the NTFS driver's code causes the file
system to incorrectly assign disk blocks to files before they have been
initialized. Following a recovery from a system
Though my experience doesn't dig in miles deep, in my humble opinion, I think it has evolved this way; the present state is the eventuality of the series of debates, discussions, etc. like this one, which led us into full disclosure. To prove in support of full disclosure, let's assume there is no
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
___
Mandriva Linux Security Update Advisory
___
Package name: squirrelmail
Advisory
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
___
Mandriva Linux Security Update Advisory
___
Package name: php-pear
Advisory ID:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
___
Mandriva Linux Security Update Advisory
___
Package name: kernel
Advisory ID:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
___
Mandriva Linux Security Update Advisory
___
Package name: kernel-2.4
Advisory
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Instructions
hackers: go and exploit.
admins: go and remove xmlrpc.php
both: have fun
ilo--
1) Over a long period of time, after learning the different dimensions
of attack, PoC code can turn you into a pretty good pen tester of your
own network and setup. We all learn from our mistakes. You learn
nothing from a security alert with no details as to what exact mistake
was made in a
[EMAIL PROTECTED] (Matthew Murphy) at Jun 30, 2005 12:01:59 PM wrote:
However, an apparent error in the NTFS driver's code causes the file
system to incorrectly assign disk blocks to files before they have been
initialized. Following a recovery from a system shutdown, uninitialized
data
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
-
Debian Security Advisory 735-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Michael Stone
July 01, 2005
friends,
We are developing software that makes use of a COM DLL. The whole
logic lies in the DLL. The user interface is in VC++. The DLL exposes
functions; the application calls them and displays the result. Now, we found
that anybody can copy the DLL, register it, and make use of those
functions.
Please