On Mon, Jan 19, 2004 at 05:49:15PM -0500, ken kousky wrote: | But with all that as background, showing off with better exploits isn't | helping the cause or our defense strategies. I've cut things down not because I disagree, but because I think that this particular claim isn't usually examined, and I'd like to do so. Good exploit code is fundamental to research. Not only the research of "Is system X that I've deployed vulnerable to some form of attack Y," but rather research of the form "Does this tool I've invented to block attack vector A effective against a zoo of attack code?" That's an important question which vexes researchers building things like stack smashing defenses--there is no high quality repository of "vulnerable code, exploit code, fixed code" which allows you to decide what fraction of exploits your tool prevents. If the POC code is poor quality, then it can not be used in such a test. If we're going to move away from being bug hunter-gatherers and patch distributors, we need to test the tools that take us away from there. (Quick demonstration: There are about half a dozen StackGuard-inspired systems out there. Which is best? Prove it.) Now, does quality POC code need to come out in the days after the bug? Probably not, based on the argument I've outlined above. (I'm taking no position right now on its use by admins to test their own systems.) However, there's the question of motivation: Why does someone spend time to fix or improve the POC? There's reputation issues, they may be paid to do so, or they might be altruistic. If there's reputation at stake, then first to release wins. If someone's being paid, it makes broad sense to split the work, and share the exploits--everyone (in the club) gets exploit code for less money. But companies don't like forming such clubs, while hackers do. So they argue for disclosure policies that allow them to share the code. Thus, I think it's unlikely that we'll see improved POC released later, as attractive as that is to some sysadmins. (There are ways to structure a market to make that later release more attractive to the participants, but that's getting off topic.) Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume
