 
Subject: Re: Alert: Cart32 secret password backdoor (Full Disclosure Debate)
From: Steve (SteveSECURESOLUTIONS.ORG)
Date: Thu Apr 27 2000 - 11:43:38 CDT


I hate to put in the last word and then kill a thread, but let's take this
discussion off of the list and stick to what is relevant. The list's full
disclosure policy has always been clear.

>Please do NOT publish explicit details of how to exploit a security
>vulnerability on this, or any other list. Many people will champion full
>disclosure and freedom of speech but the harsh reality is that between
>disclosure and action by a vendor or site that uses a vendor's product there
>is a window of opportunity for exploitation. I am not talking about hackers,
>but by script kiddies and wannabee hackers. For true security professionals
>(and not those pretend professionals) it creates nothing short of a nightmare

What is the larger nightmare: knowing the exact details of an exposure along
with a way to fix it, or just knowing in general terms that there is
something wrong? Not knowing the details and trying to serve your clients
is impossible. How can you comment to your clients or protect your clients
without knowing the full picture?

>for us, and gives our profession a bad name, when some irresponsible
>individual or group decides to expose in detail the steps required to break
>into a site and to give examples of the range of privileged information that
>can be obtained.

What gives our profession a bad name is people who hype vulnerabilities and
make comments on things without knowing the full details. The advisory as
released was perfect: it supplied full details of the exploit along with
ways to protect yourself.

>Apart from the professional argument there is the legal one. In some
>jurisdictions merely making a vulnerability public along with details of how
>to exploit it can render those responsible liable for prosecution if any
>individual or company suffers harm or loss as a result, including the vendor

Any lawyer who wants to take a crack at me, feel free. I cannot be held
liable for something that some script kiddie did because they read it here.
Chances are, the "community" already knew, or, based on a more general,
uninformative advisory (like you have suggested), would be able to figure the
exploit out.

It is not as if the black/greyhat community is a bunch of idiots; they are
some of the smartest people I have ever met, and any type of advisory would
be enough information for them to work with. So, to protect the security
professionals, it is best to release ALL the information and a fix.

-Steve

_____________________________________________________________________
** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
SEND ALL COMMANDS TO: listservlistserv.ntsecurity.net