On 21 Oct 03 12:22:53AM mitch_hurrison@ziplip.com[mitch_hurrison@ziplip.com] wrote:

: Again, what is it about your personality that makes you incapable
: of taking part in an adult discussion of responsible disclosure
: issues? Is it that anyone who has a different opinion than yours
: is automatically not worth your time? That sounds kind of nazi-like
: to me Mr. Schmehl.

In Paul's defense, some aspects of this thread did degrade to some pretty immature behaviour - some of it mine. For that I'll apologize to the list.

I respect your point Mitch, but your e-mails can come off as pretty condescending... You don't seem to have much respect for people that don't code as well as you claim to, which is often a pretty big pill to swallow. As I said before, there are those of us who got into the security biz from other areas than programming, which means we *are* less capable of figuring out this exploit.

The age-old question really comes down to "should people just getting started in this area be treated like vermin?". From my perspective, I would hope not. Every so often this issue comes up - the seasoned programmers bashing the newer guy who asks for help. Not without reason, mind you. There is no way for you to know my motives - and assuming the worst of people is usually the best response (as sad as that is). If you recall, my original post did not request the code itself, but just asked if anyone had seen it. I had only heard rumours and not actually heard of anyone actually being compromised - which prompted my question to see if it truly existed.

: It's quite saddening to see this list turn into a pack of hungry
: salivating fools at even a hint of an exploit for this issue. You
: seem to have more of a hardon for the "juarez" than any "kiddie"
: I've ever met. Even when trying to debate some of the issues
: surrounding the disclosure of such a potentially devastating
: exploit all one gets is "yeah, yeah. Now make with the warez".
I don't think it has progressed to this level. I asked if anyone had seen code for this exploit. You pretty much ran me over with "it's definitely exploitable, so STFU and patch", at which point other people chimed in asking for a bit more information. As I said in an earlier e-mail, my point was not to badger people for code, just information. In this e-mail, and a couple of others from other folks, I have gathered as much as I need to point me in the right direction - for which I thank everyone who contributed.

<snip>

: Now on a larger scale, I think it's rather foolish to cop an attitude
: that assumes anything that doesn't exist in the public eye isn't
: possible.

I agree completely. I didn't make my original request to justify patching.

: This is the year 2003. We aren't
: the only ones reading these lists people. Do you really want to
: be responsible for arming the more hostile elements in the world
: with such a tool? I can't stress it enough. No one should release
: this exploit. And to be honest in this day and age I think anyone
: releasing exploits to the general public is losing sight of a
: bigger picture that affects us all. Now I'm not talking about
: the Nth trivial snosoft local stack overflow "exploit". I'm talking
: about the apaches, the openssh's and the ms rpc's. Time and time
: again it's become apparent that full disclosure simply does not
: function. And although I realise that there will always be people supporting
: full disclosure, I think even with the disclosure of vulnerability
: information releasing exploits is something that's not justifiable
: in any way.

So what is the solution? How can information be disseminated from those who know to those who don't? Not everyone can spend the time to learn how to understand vulnerabilities like this. Should they remain dependent upon people who they only know from lists to tell them what and where to patch? I realize there are other institutions like SecurityFocus and ISS X-Force, etc. that release advisories also, but that is still trusting an unknown entity. I don't have the answer; well, I know the answer for me is to learn this - but not everyone has that luxury.

: There is simply no need for exploits, especially not one that would
: affect people and nations around the globe. You have to look beyond
: your own little egocentric world of friendly exploit dev and "but it's fun",
: and take a look at the bigger picture.

There are those of us who have a different bigger picture to look at. I am *not* coming from a "but it's fun" angle, but I can't speak for anyone else, nor can I expect the people who don't know me to believe me just because I said it.

: So to you Paul, and to the rest of this list. I say once again
: if you can't write the exploit. You don't..need.. the exploit.

I really have a hard time following this logic - I'm no mechanic, so does that mean I don't have the right to drive a car? Again, the answer for me is to buckle down and learn this, which is fine w/ me (and I'll be sure not to ask the list for help), but like I stated previously, not everyone has that luxury.

Consider IDS R&D groups. While they may have the resources to dig in and fully develop their own exploit code to write signatures from, doesn't this delay their ability to put out quality signatures? Or what if their code works, but not in the same way as the code in the field? Considering that this is ssh (i.e. encrypted) maybe IDS isn't the best example, but I think the point stands.

There are people out there who are not interested in "0wning boxen", and have a valid need/desire for code. The problem is separating these folks from the so-called "leeches". I understand this, which is why I respect people's right to refuse to help me if they don't know me. But it really would be nice to put the right tools in the hands of the folks that need them.
--
aka Dolph Longhorn
attica@stackheap.org
GPG Key ID: 0xF8F859D0
http://pgp.mit.edu:11371/pks/lookup?search=0xF8F859D0&op=index

"There is no such thing as right and wrong, there's just popular opinion." -Jeffrey Goines