Exploit Code on Trial
Kevin Poulsen, SecurityFocus 2003-11-23

Security pros gathering at a Stanford University Law School conference on responsible vulnerability disclosure Saturday harmonized on the principle that vendors should be privately notified of holes in their products, and given at least some time to produce a patch before any public disclosure is made. But there was pronounced disagreement on the question of whether or not researchers should publicly release proof-of-concept code to demonstrate a vulnerability.

Exploit Code on Trial 2003-11-24
Anonymous
Obviously, giving out the exploit code is the best way to put everyone on an equal footing. If a handful of people have it, but nobody else, there is an inherent inequality that leads to much more serious computer security problems than those we currently see.

Having exploits to software that I'...

Screw the vendors 2003-11-24
Anonymous (2 replies)
I run Nessus scans on our network at least once a month and have had and continue to have equipment crash as a result. I've called several of the vendors and they still haven't fixed the problem and have simply told me to stop scanning. I bet if I wrote some easy to use code and published it on the net t...

Screw the vendors 2003-11-25
Rodrigo Otaviano <rodrigo (at) otaviano (dot) com [email concealed]>
Well, I think the best way to approach this kind of situation is by firstly contacting the vendor and trying to work with them. When I say "work with them" I mean you need to demonstrate that you are interested in having a fast solution to the problem.

I've recently gone through a similar situati...

Screw the vendors? Screw the users at the same time. 2003-12-02
Alun Jones
Where to start, where to start...

Your post is short-sighted. First, there quite obviously are several people working for product vendors who care very deeply about the security of their products.

Second, publishing an exploit, particularly as you say, "easy to use code", is going to result i...

Exploit Code on Trial 2003-11-24
Bob Radvanovsky
I can hardly say that Microsoft is the only company that does NOT want exploits published, and for that, there are several reasons, one of which is the fact that this puts unnecessary blame and a scrutinizing eye upon Microsoft to produce more secure, more competent software. Microsoft (lately) has b...

Exploit Code on Trial 2003-11-24
Anonymous
Exploit code definitely should stay. Some descriptions of how the vulnerability works get fudged as they are passed along. I trust exploit code more than the description of how it's done. Besides that, the code lets you get dirty with the vulnerability and shows you exactly how to do it. Once you kno...

Exploit Code on Trial 2003-11-24
TW
I have, and will continue to use exploit code in my day to day job. I am tasked with rating the threat that new vulnerabilities can have against my corporation. I test and process known exploits for several reasons: To confirm that the vulnerability is valid against MY systems as configured, and ...

Private first, then public, THEN publish exploit 2003-11-24
Anonymous (1 replies)
First, notify the vendor privately and give them a reasonable amount of time to come out with a patch. Second, if the vendor is ignoring the problem, go public with the vulnerability, but do NOT publish exploit code yet. Only if the vendor publicly denies the vulnerability, or says "it's not explo...

Private first, then public, THEN publish exploit 2003-11-25
Anonymous
Hate to say this ... but that's what CERT was originally used for, and it simply didn't work.

It took months for vendors to actually fix problems. So some white/grey hats just got tired and decided to rapidly publish exploit code.

What motivation does a vendor have to fix code quickly? If it...

Exploit Code on Trial 2003-11-25
Leif Ericksen
Should we publish a book or should we not publish a book. Should we print a news story or should we not print a news story. Should we allow a person to speak or should we silence them (forever?).

OK, I have to agree with the folks that have stated that having exploit code out in the wild 'force...

Exploit Code on Trial - final word 2003-11-25
Anonymous (1 replies)
Great discussion...

Though I see one agreement from Kevin's article & other posting...

All will like to have access to new exploits & most don't want to turn them into worms to bring down the internet... We all love it (internet)...

White/Black hacker could follow a personnel code to

1 . rele...

Exploit Code on Trial - final word 2003-11-25
Anonymous
I think the reality here is that companies that have the resources to research the flaws are in a position to create a revenue stream. This will ensure more dollars from MS, think @stake. This will keep it out of the mainstream news and this will make it easier for vendors like Symantec to sell an e...

Exploit Code on Trial 2003-11-25
Camel
"The set of users that would use exploit code to protect themselves... is probably much smaller than the set of people who would be put at risk by it,"

I personally used exploit code to verify that MS thin clients were also vulnerable to blaster. This was previously unpublished and the informatio...

Loss of money 2003-11-29
bl0rf
Whether someone releases exploit code is entirely up to them, Microsoft has no business to negotiate.

An interesting thing is that thousands of people and millions of dollars are involved in virus-fighting efforts ( software ) and patch-writing. If people stop disclosing vulnerabilities all of th...

Exploit Code on Trial 2003-12-02
Anonymous
The moment somebody releases an advisory that particular product has a flaw at whatever service (RPC exploit) the whole internet community concentrates to find the flaw. A significant portion of the bug hunting is to know where to look for. In any advisory (no code yet) the researchers release enoug...

Exploit Code on Trial 2003-12-02
Anonymous
I still remember 6 years ago when Microsoft would state each and every time that this a vulnerability discovered was theoretical only.

Then people started releasing the actual exploit code, and all of a sudden Microsoft and other vendors started fixing these 'only theoretical' issues with their p...

Good on paper....bad in reality. 2003-12-03
MA
Here's the problem, history has proven that until there is a major threat most companies don't care.

Basically there are no good options on releasing proof of concept, because even with crippled code, exploits are hitting hacker sites within 24-48 hours anyway, unless the code is so severely crip...

Copyright 2009, SecurityFocus