Off-list maybe? I see dead horses with strange welt - like marks on their flanks.
> -----Original Message----- > From: Elver Loho [mailto:[EMAIL PROTECTED] > Sent: Friday, April 23, 2004 10:41 AM > To: Oliver.C.Rochford; [EMAIL PROTECTED] > Subject: Re: [Full-Disclosure] THCIISSLame exploit > > Okay, I'll bite. > > : 1. the code is given as is, if it doesn't work for > you...learn to code > > The whole idea was binaries vs source code. My point, which > you seem to have missed, was that it's better to have source > code than a binary. Plus the release of a binary along with > the source code is redundant. And, as someone pointed out, > might also create problems with the authorities. And I can > code quite well, thank you for being concerned. > > : 2. As for the free speech etc etc...the bug is fixed, if > you are unable to > : patch the system you are responsible for, get a new job, if > you didn't > : know about the bug/fix, get a new job, if you want to bitch about > : releasing exploit code/binaries on a security mailinglist...go do it > : somewhere else. > > Source code might fall under freedom of speech. Binaries > definitely don't. If he released that in a country where > compiled exploits might get you more attention from the > authorities, he's still going to have problems even if he did > release the binary on the Internet. As for getting a new job, > etc, I, again, thank you for taking interest in my life, but > that won't be an issue. > > Also, I think it's more interesting if exploit code is > released before a patch. The reactions of people are much > more interesting to observe. Plus it gives you something to > look for instead of just sitting and praying to whatever > deity you worship that you don't get hacked. Of course, > that's assuming the original advisory isn't informative enough. > > : 3. If you don't like people posting exploits for bugs, get > a new hobby/job > > Again, this was about binaries vs source code. I prefer the > latter. I have no problem with people releasing exploits. I > much enjoy seeing clever code. > > : 4. If it is illegal in your country, good for you!! It > isn't in the FREE > : world, thank god. Firewall you nation off, it helps us all > > No, it's quite legal around here. I don't know what the laws > are there in the UK, but I did however hear that the DMCA > might create problems for some avid exploit coders in parts > of the world usually classified as "the free world". > Didn't HP pull it on SnoSoft once? And, of course, there are > the computer crime laws which can usually be wrapped around > just about any exploit release. It's very hard to prove that > you didn't have malicious intent. > > : 5. The bug has been reported, a fix has been issued, > where's the darn > : problem?? > > There's a problem? Other than, according to one security > researcher on this list, the author of this exploit walking > on thin ice because he released the binary as well, there is > no problem to speak of. Well, there's that of internet > censorship, but that's a dead horse which would require some > medical attention from real lawyers before it can be beaten again. > > : I for one am glad to be able to test it, to have a binary > to make a snort > : sig etc etc > > Yes, but you are able to compile the exploit code yourself, > are you not? I assume you are. I also assume that you are > capable of writing your own exploits if you really had the > need for them. And let's not bring up the need for Snort > after patching. That horse started stinking a long time ago already. > > > elver > > : On Thu, 22 Apr 2004, Elver Loho wrote: > : > : >Publishing the binary is VX-ing and is criminal. That > is very clear. > : > : > : > : Again, you assume this is illegal in every country. This is the > : > : Internet, there are no laws here. ;) > : > > : > Do you think the Internet should be regulated by laws? Or > do you think we > : > should rely on self-regulation in the form of moderation > and common > : > decency? Because the latter isn't working out as you can > see. I'd like to > : > take Ian Clarke's view of freedom of speech and say that > I don't mind > : > seeing kiddy porn on the net, but hell, some of that > stuff truly IS sick. > : > Cultivating it by giving it the status of freedom of > speech would just > : > have unfortunate effects on the society as a whole and on > the well-being > : > of its various current and future members. While I don't think the > : > Internet should (or indeed, could) be regulated as a > whole, I believe > : > that it would be possible and good to apply laws of the > poster's country > : > of origin. What it comes down to in this case: is the > release of (binary) > : > exploits allowed in Germany or not? > : > > : > : >To share knowledge with security researchers does not require > : > : >releasing binary executables, professional testers can > compile the > : > : >source code for themselves. > : > : > : > : Not everyone has a C/C++ compiler. Even if you do have a C/C++ > : > : compiler, you may have to port the code to your OS > which takes time. If > : > : you also compile the exploit, everyone can test it. You > assume a script > : > : kiddie can't compile an exploit and that the script > kidde can't use any > : > : of the exploits sent to this list if it's only in > source form. Nice > : > : protection, but it doesn't work. > : > > : > I think you missed the point here. C/C++ compilers are > available for free > : > and anyone doing any kind of professional computer > security work will > : > have one. You also assume that porting the code to one's > OS of choice > : > takes time. However, if the exploit is released as a > binary, porting the > : > code to someone's OS of choice is impossible with the > exception of being > : > able to run some Windows binaries on Linux and a few > other OSes. Besides, > : > this is what we have standards for. Writing source code > that will compile > : > on a multitude of operating systems is easy. And with the > advent of good > : > interpreted languages such as Python and Perl, it's trivial. > : > As for script kiddies, then they are an unfortunate > by-product of our > : > society. They will eventually grow up and join the ranks > of blackhats, > : > whitehats or leave the computer security field entirely. > Having been one > : > in the past myself, and not being proud of it, I can tell you that > : > nothing will protect such exploits from script kiddies. > Some of them have > : > big brains on them and if one of them figures it out, > everyone will > : > figure it out. It's a society where the only currency is > respect earned > : > by showing other members your level of intelligence. > Surprisingly, people > : > like that fit nicely into Eric S. Raymond's mindset of an > open-source > : > hacker as portrayed in his collection of essays titled > "The Cathedral and > : > the Bazaar." > : > > : > : >Avoid releasing binaries and you will not have > problems with the > : > : >authorities. > : > : > : > : I assume you meant to say "Avoid releasing EXPLOIT binaries ..." > : > > : > That sentence was in context. Ripping it out of context > to point out such > : > things is pointless. > : > > : > > : > Elver Loho > : > > : > _______________________________________________ > : > Full-Disclosure - We believe in it. > : > Charter: http://lists.netsys.com/full-disclosure-charter.html > : > : _______________________________________________ > : Full-Disclosure - We believe in it. > : Charter: http://lists.netsys.com/full-disclosure-charter.html > > -- > Elver Loho > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
