Re: [Full-disclosure] Publishing exploit code - what is it good for

2005-07-02 Thread ChayoteMu
I'm not too sure if this would help much but from a student standpoint I understand FAR more about how the security works by knowing how to break it, which only really works if I have source code and so full-disclosure exploits. I KNEW what a shellcode and buffer overflow were for years but I only

Re: [Full-disclosure] Publishing exploit code - what is it good for

2005-07-01 Thread Joachim Schipper
On Thu, Jun 30, 2005 at 10:36:57AM -0700, Erick Mechler wrote: :: Blackhats may get along with only a handful of exploits, if they're :: willing to try to find targets to match their collection, but a :: pentester should have the collection to match the target. :: :: This is doubly true if

Re: [Full-disclosure] Publishing exploit code - what is it good for

2005-06-30 Thread bruen
Hi Aviram, There are two main problems with your analyst friend's position. The first is that he has no business deciding for me or anyone else as to whether or not my needs are legitimate. I get to decide if I need/want something (like exploit code) or not, his arrogance notwithstanding.

Re: [Full-disclosure] Publishing exploit code - what is it good for

2005-06-30 Thread Anders B Jansson
The discussion is only theoretical and of no business importance. Exploits are disclosed, that's a fact that I as security manager have to live and work with. Whether this disclosure is good or bad is totally irrelevant. Anyone who discovers an exploitable weakness, informs the supplier and then

RE: [Full-disclosure] Publishing exploit code - what is it good for

2005-06-30 Thread Glenn.Everhart
PROTECTED] Behalf Of [EMAIL PROTECTED] Sent: Thursday, June 30, 2005 8:39 AM To: Aviram Jenik Cc: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com Subject: Re: [Full-disclosure] Publishing exploit code - what is it good for Hi Aviram, There are two main problems with your analyst

Re: [Full-disclosure] Publishing exploit code - what is it good for

2005-06-30 Thread bugtraq
What is it good for? One word: 'Marketing'. - zeno ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Publishing exploit code - what is it good for

2005-06-30 Thread Ill will
I think Edwin Starr said it best: Code – Good God Y'all – What is it good for? Absolutely nothing... or was it war? -- illwill http://illmob.org

Re: [Full-disclosure] Publishing exploit code - what is it good for

2005-06-30 Thread Erik Fichtner
Joachim Schipper wrote: This is doubly true if we're not talking about a dedicated pentester, but about a sysadmin with a networking/security background who likes to verify that the patches did, indeed, work. Likewise; a sysadmin that likes to verify that their other security management tools

Re: [Full-disclosure] Publishing exploit code - what is it good for

2005-06-30 Thread Erick Mechler
:: Blackhats may get along with only a handful of exploits, if they're :: willing to try to find targets to match their collection, but a :: pentester should have the collection to match the target. :: :: This is doubly true if we're not talking about a dedicated pentester, :: but about a

Re: [Full-disclosure] Publishing exploit code - what is it good for

2005-06-30 Thread Michael Holstein
What I need is a security administrator, CSO, IT manager or sys admin that can explain why they find public exploits are good for THEIR organizations. Maybe we can start changing public opinion with regards to full disclosure, and hopefully start with this opinion leader. Easy .. so we can

RE: [Full-disclosure] Publishing exploit code - what is it good for

2005-06-30 Thread Todd Towles
Mechler Sent: Thursday, June 30, 2005 12:37 PM To: Joachim Schipper Cc: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com Subject: Re: [Full-disclosure] Publishing exploit code - what is it good for :: Blackhats may get along with only a handful of exploits, if they're

Re: [Full-disclosure] Publishing exploit code - what is it good for

2005-06-30 Thread devnull
[Because of all the broken autoresponders on bugtraq, the header From: is a bitbucket. Use the address in the signature to reach me.] Quote: If I speak to an end-user organization and they express legitimate needs for exploit code, then I'll change my opinion. Well, I'm not an end-user

Re: [Full-disclosure] Publishing exploit code - what is it good for

2005-06-30 Thread Jason Coombs
What I need is a security administrator, CSO, IT manager or sys admin that can explain why they find public exploits are good for THEIR organizations. Maybe we can start changing public opinion with regards to full disclosure, and hopefully start with this opinion leader. You won't find any

Re: [Full-disclosure] Publishing exploit code - what is it good for

2005-06-30 Thread James Wicks
The release of exploit code is good for my organization for two reasons: It keeps my IT administrators and software vendors on their toes. I know a lot of IT administrators who sit on patches and remediation techniques because there is only proof-of-concept information available. When there is

Re: [Full-disclosure] Publishing exploit code - what is it good for

2005-06-30 Thread KF (lists)
Change control policy at one of my jobs put me in an identical situation. I flat out could not patch a machine unless I could produce a cmd.exe or /bin/sh prompt remotely. Putting that stuff aside how about the vendors that like to try to hide things from you? Vendors love Jedi Mind

Re: [Full-disclosure] Publishing exploit code - what is it good for

2005-06-30 Thread Raghu Chinthoju
Though my experience doesn't dig in miles deep, in my humble opinion, I think it has evolved this way; the present state is the eventuality of the series of debates, discussions etc. like this one, which led us into full disclosure. To prove in support of full disclosure, let's assume there is no

RE: [Full-disclosure] Publishing exploit code - what is it good for

2005-06-30 Thread Michael Evanchik
1) Over a long period of time, after learning the different dimensions of attack, PoC code can turn you into a pretty good pen tester of your own network and setup. We all learn from our mistakes. You learn nothing from a security alert with no details as to what exact mistake was made in a