From: Geo. (georgerNLS.NET)
Date: Mon Aug 20 2001 - 19:59:52 CDT

    While I've learned to respect David's opinion over the years, I'm not sure I
    agree with the below quote.

    When I was learning to secure webservers (I'm still learning every day btw)
    one of the things I figured out by seeing how exploits worked was that it's
    really bad to pick the default install paths. Many of the exploits fail if
    the default paths have been renamed.

    If instead of understanding how the exploits worked all I was given was a
    program that told me I was vulnerable then I would have learned nothing and
    would not have been able to come up with setup modifications that have
    allowed me to escape being vulnerable to some of the exploits.

    I guess what I'm trying to say is that to be good at securing a server you
    have to understand how to hack one. The complaint with full disclosure is
    that it teaches the black hats how to hack, but at the same time it teaches
    the white hats how to hack and, at the same time, how to defend against
    different types of hacks instead of just one specific exploit. I suspect it
    also teaches programmers who read the list how to program to avoid being
    exploited.

    I guess my point is this: if we are just to depend on the ISVs for our
    security, they will provide us with a test program and they will provide us
    with a patch, and we really don't need to know what the exploit was, so then
    what do we need security experts for? If that's not true, then full
    disclosure is required in order to further train the experts, to allow them
    to share their knowledge, and in order to create new experts.

    Geo.

    ----- Original Message -----
    From: "David LeBlanc" <dleblancMINDSPRING.COM>

    > The issue here is that a scanning tool needs only to distinguish a
    > vulnerable system from one that is not. It isn't always required to
    > actually execute the exploit. Exploit code is notoriously unreliable, and
    > often misses certain platforms or service pack revisions.

    _____________________________________________________________________
    ** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
    ** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
    SEND ALL COMMANDS TO: listservlistserv.ntsecurity.net