 
From: Strategic Reconnaissance Team (recon_at_snosoft.com)
Date: Wed Jan 29 2003 - 13:29:05 CST


    We are considering nessus as an option. When we make our final decision
    I will make it a point to send a notification message to full
    disclosure.

    On Wed, 2003-01-29 at 11:48, Georgi Guninski wrote:
    > Personally don't care whether you release exploits or not.
    >
    > But will you use nessus and such?
    > Because someone filled the nessus db imho.
    >
    > Georgi Guninski
    > http://www.guninski.com
    >
    > Strategic Reconnaissance Team wrote:
    > > All,
    > >
    > > I have been following the subject of full disclosure for a while, and as
    > > most of you know, have dealt with some of the issues that full
    > > disclosure can cause (HP/Secure Network Operations/DMCA). While the
    > > idea of full disclosure is a good idea, and while we support it, we feel
    > > that the exploit source code should not be released to everyone.
    > >
    > > It is possible to prove a vulnerability exists by releasing well written
    > > advisories. Because of this fact, proof of concept code (exploit
    > > source) is not a requirement for the education of the possibly
    > > vulnerable. Releasing non-malicious exploit code is also not an option
    > > as any local script bunny/kiddie can easily render it functional.
    > >
    > > Proof of concept code is useful for legitimate contract based
    > > penetration tests. It is also useful for study as it demonstrates
    > > fundamental flaws in computers today (not built in security). But again,
    > > proof of concept code is not for everyone.
    > >
    > > I am interested in hearing the opinions of the people on this list. If
    > > you are for exploit source disclosure, I would like to hear arguments
    > > supported by facts, that explain why. I am equally interested in
    > > reasons why not to disclose information.
    > >
    > > With that said, Secure Network Operations, Inc. will no longer be
    > > releasing functional proof of concept code. We may release sufficiently
    > > detailed advisories.
    > >
    > >

    -- 
    Strategic Reconnaissance Team <recon_at_snosoft.com>
    Secure Network Operations, Inc.
    


    _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html