Hello,

Well now I imagine that most who fell victim to the script kiddies have patched now, so in the short term sure, systems will be compromised, but I think on the whole people learn lessons and we end up with a more secure internet.
In a weird kind of way, script kiddies (and worms) help security by making holes obvious to the oblivious. If Gobbles had not disclosed the apache and ssh bugs... what do you think would have happened? IMHO Full Disclosure is a good thing.

-nonme.

At 09:35 PM 10/11/02 -0500, you wrote:
> Dear Len,
>
> your argument is self-sealing. it lacks substance. if most of the attacks on
> systems are coming from script kiddies, who have found these holes NOT by
> themselves but from the security industry and all the 'proof of concept' tools
> that come out of it, then how does full disclosure protect the interests of the
> admin?
>
> it doesn't.
>
> disclosing bugs to a public forum makes them known not only to system admins but
> also to malicious users. and whereas an admin can only patch one system, a script
> kiddy can attack many many systems.
>
> take the recent attacks on XMB by Mike Parniak and his so-called "hacking crew".
> this script kiddy developed a tool based on a well known md5 exploit in XMB v1.6
> Magic Lantern that gives a user admin privileges. he then distributed that
> tool to lesser skilled script kiddies and the end result was a week of rage
> against XMB boards around the web (oops did i just say that aloud?). only about
> 20% of the boards had been patched. and i restate: the bug had been in public
> circulation for a long while and had even been in full view on XMB's software
> update page.
>
> it even appeared on vuln-dev in mid _May_ this year!
>
> how did full disclosure work in this case? by your argument, Len, 6 months
> would have been more than enough for all the board admins to update their
> system (all that was required was to change a file name). why such a low
> success rate? why didn't the security industry's system work in this case (and
> so many others)?
>
> plz reply as i am very interested in your answers.
>
> <3 sockz
>
>
> ----- Original Message -----
> From: Len Rose <[EMAIL PROTECTED]>
> Date: Thu, 7 Nov 2002 08:45:34 -0500
> To: [EMAIL PROTECTED]
> Subject: Re: [Full-Disclosure] Security Industry Under Scrutiny: Part One
>
>> Let's also not forget the systems people who would rather know about problems
>> so they can at least mitigate the situation by finding work-arounds, apply firewall
>> or router filters, and/or disable services.
>>
>> It's unacceptable to be left in the dark, no matter what the cost, because the people
>> who aren't aware of a problem can't defend their hosts or networks.
>>
>> Complaining about so-called whitehats and the security community doesn't address
>> the above.
>>
>> People have a right to know about problems, assuming that the researcher is kind
>> enough to share the information.
>>
>> Len
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
