1. I'm sorry your software got hacked but I'd be willing to bet that the individuals that did it weren't the ones that posted it to BugTraq.

2. As a pen tester I actually use the POCs and updated POCs. I can't tell a customer that they *may* be vulnerable to this and that. I sometimes have to show them by using POC code. Also, if you think the first/only place this stuff is posted to is BugTraq, you are wrong.

3. If an updated exploit is out there, I want to see it so I can figure out how to protect my (and my customers') systems. Waiting for a patch is the wrong answer as this takes waayy too long.

4. I agree 100% that if a Whitehat finds the vulnerability then he should notify the manufacturer first. That's his/her responsibility but I don't think it's the moderator's job to determine if a manufacturer has been notified or created a patch. How would a moderator verify notification? Or even want to? That'd be an ugly job! Swimming through voice and email systems trying to find a human at each company... Ugh...

-----Original Message-----
From: Alun Jones [mailto:alun@texis.com]
Sent: Sunday, January 18, 2004 10:47 PM
To: bugtraq@securityfocus.org
Subject: What is the point here?

I've been meaning to say something about this for some considerable time now, on various exploits and "proofs of concept" that have been posted to this list.

Fine, I get the idea of posting a sample exploit, or a POC, as a means to spurring on developers (and administrators) to fix and patch systems against attack. But really, unless there's a 'fix' that turns out not to be a fix, what is the point of posting a "second version" of a sample exploit or POC? [Maybe there's a good example in this case, but the poster never mentioned what the change was from the standpoint of getting the hole fixed] What is the point of cleaning up a sample exploit? What is the point of posting more and "better" POCs? What is the point of admitting such to this list?
I know it's a moderated list, because I've seen my own share of rejected messages, so I'm going to ask what the point is of the moderation? We've seen several POCs posted to this list with absolutely no attempt made to contact the developers, and we've seen people take other POCs and "fix them", so that they install a remote shell without alerting the administrators of the machine. Why?

If full disclosure in the name of protecting systems is what we're about, then we need to be contacting vendors of systems we breach, and we need to be posting code that goes only as far as is necessary to demonstrate the breach - _not_ far enough to be the source for the next root kit. And the moderators for this mailing list need to take some responsibility (ooh, that's going to get my post rejected, for sure!), and start rejecting "updated" POCs unless they serve some security _improvement_ purpose. For instance, if the vendor disclaims the presence of the bug, downplays it, or uses the POC's tie to one OS or another to claim that other OSes are safe.

Quite honestly, many of the "second stab" POCs that I've seen to date appear to be nothing more than an attempt to get some misplaced sense of glory, and/or to say "here's the start of a root-kit, play with it now, kiddies, I'm washing my hands of the whole affair, it's not my fault if you turn it into the next Blaster / SoBig / whatever."

Posting exploits is _not_ a measure of first-resort. Exploits should be used as proof of concept in the last-resort, when vendors or admins have entirely ignored a problem that you have tried to warn them about. Exploits should be released as proof of concept _after_ a successful patch has been released, so that admins can test that the patch fixes the hole (of course, that would mean they'd want to test the exploit on an unpatched machine first), or so that they can verify that the patch applies a full fix.
Exploits should not be released in a form that practically screams "okay, crackers, hackers and evil scum, come and play with this - the vendors don't know about it yet". Was it necessary for this "proof of concept" to provide a remote _shell_ as their "proof"?

Never mind _this_ PoC, when posting your next one, or when you're a moderator approving the posting of a PoC, ask yourself if the systematic wide publication of this message will serve to improve security, or will serve as a root-kit for pimply wastrels? Is the content of this discussion substantially different from the sort of discussion you'd find in cracker IRC chats? Other than a nod to posturing that might place this as a Bugtraq posting, what I see quite often in here contains technically the same content as:

Hey, d00dz, I jus g0t a GPF in da server.
[Instructions]
Woah, man, yeah, like, totally, I turned it into a sneaky remote shell. Don' tell my teacherz or nuffin.
[Binary attachment]

I really don't know why _you_ signed up for Bugtraq. Me, I signed up because someone posted an exploit for my software here some time ago, and didn't bother to tell me about it first. I'd like to think that isn't Bugtraq's purpose. I'd like to think that Bugtraq positions itself as something more than a semi-sneaky, behind-the-back-of-the-vendors rant group, or an assembly point for root-kit starters.

Moderators, please stop accepting posts where the poster has stated specifically that they have not yet notified the vendor, or where the only new thing that is contributed is a more insidious version of an existing exploit. And posters, please consider carefully before you post whether what you post is going to contribute to an increase in security or a decrease in security. If you cannot claim that your post will help to improve security, then do us a favour and take it somewhere else.
Alun Jones, MS MVP (Security, Windows SDK)
--
Texas Imperial Software    | Find us at http://www.wftpd.com or email
1602 Harvest Moon Place    | alun@texis.com.
Cedar Park TX 78613-1419   | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(512)258-9858  | Try our NEW client software, WFTPD Explorer.