Right,
We don't want all of the kids to have guns. Same argument here in a
way.

On Wed, 2003-01-29 at 12:58, Andrea Vecchio wrote:
> > From: [EMAIL PROTECTED]
> >
> > Good points,
> > One question remains however. If we are to attach
> > exploit code to our
> > advisories, how do we protect the innocent from attacks by malicious
> > people using our exploit code? I honestly believe that exploits are
> > digital munitions that should be distributed under
> > restrictions. Do you
> > agree that a vulnerability can be clearly demonstrated in an
> > advisory by
> > showing debugger output and explaining the output? If proof of concept
> > code needs to be made, it could be generated from the detail in the
> > advisory. Why is that not a solution?
>
> Sorry, but I think that full disclosure, by definition, is
> telling something without caring a thing about consequences.
> I'm not telling whether it's right or not, but so it is.
> If we believe in full disclosure (as I do) we have (silently)
> accepted that what we're saying can be used in different ways.
> "full disclosure" != "exploit release", but
> "exploit release" C "full disclosure"
> ( C -> belongs to :)
> Bye! A.

--
Strategic Reconnaissance Team <[EMAIL PROTECTED]>
Secure Network Operations, Inc.
