[Dshield] Security Firm May Stay Mum on Vulnerabilities in the Future

Roger A. Grimes roger at banneretcs.com
Tue Aug 9 11:45:32 GMT 2005

On Mon, 08 Aug 2005 23:24:08 EDT, "Roger A. Grimes" said:
> I don't want to start a flame war, but I'm in the small camp that
> doesn't necessarily see the big benefit of public disclosure. I found
> dozens of serious bugs over the years and reported them to vendors who
> usually fixed them. Some fixed them right away, some took a while, and
> a few have never been closed.

And how many would have been closed if the vendor didn't have at least
the threat of "fix it or I go public with your idiocy" hanging over
them?  Or even "if you patch it soon, maybe it won't be re-discovered by
somebody who *will* go public"?

-No, you're right. That is the trade-off. I'm fully aware of it. That's
a valid argument and concern. I just weigh it against which really makes
more risk. One guy hacking with his private exploit, which happens daily
regardless of what little drips and drabs are released to the public,
isn't nearly the threat that a world-known POC is.  Those hurt everyone.

So you'd rather have a world where the black hats have exploits, and we
don't have any clue what's whacking the machines?  

-You don't think that is what is happening anyway?  Blackhats are
sitting on dozens of exploits for each platform and are hacking them at
will.  What I'm saying is that public disclosure does close holes, but
that blackhat holes stay open regardless; public exploits probably close
only a small fraction of them but cause me the most work.

Also - be honest with yourself.  Are you *qualified* to be able to be
sure if a 0-day got used on your systems?  What would you use as a
fingerprint to know it happened?

-As is its nature, no, I can't always be sure I (or my clients) have
been exploited, but yes, I am qualified to do forensic analysis. I do it
for a living. I run many honeypots as well (last book was Honeypots for
Windows), and I'm pretty clued into the scene. I teach Ultimate Hacking
Expert for Foundstone, which is still relatively easy, low-hanging-fruit
stuff...and I consult for many Fortune 100 firms on the topic. I'm not
sure if I'm an "expert", but yes, I'm qualified in forensic analysis. The
exploit used to do the break-in is one thing, but what the hacker did
after the break-in is another problem altogether and one that is hard to
mask if you've got the right monitoring systems in place.

-I'm not completely against public disclosure.  People that do it are
not my enemies, but if I look at what causes me the most work and the
most risk, it's public disclosure hands down. Just based on my own
experiences.  The hundred or so professional blackhats aren't being
affected all that much by what little is released in the public arena.
I've known exploits for years before they were closed...and I'm probably
only a mid-level hacker.  When an exploit is publicly disclosed even the
low-level hackers start breaking in easily. So for every public exploit,
I've got to worry about the black hats and a million other people who
want their time in the spotlight.  If it was disclosed to the public,
I've only got to worry about the talented guys (who are there
regardless).  Just my opinion.
