May 16th, 2005, 10:17 AM
Proof Of Concept - Evil or not ?
Ok, first off- drunk rambling. Had a couple tonight, but I think I can keep it all on a linear track of thought. This is a subject I was thinking about in depth earlier tonight.
I was thinking about POCs and the responsibility of it all. Not sure if this should go in Cosmos or here.
Now, normally a POC is written to light a fire under the ass of software manufacturers, right ? Then posted to a skiddie site like packetstorm (I have no beef with them, I would just rather be an inept than a skiddie). I was thinking that while a POC does light the proverbial fire, at the same time, it also encourages irresponsible computer use, i.e., skiddies. I mean, what kind of threat is that ? Fix this or pay for it... ? How is that 'responsible' ? I was thinking, how can one claim to be a responsible user while encouraging this type of behavior ?
I mean, yes, (you may be) trying to encourage patches and updates, but sometimes huge software companies don't have time for every single complaint , so you threaten them with a POC (which is really what you are doing, is threatening them) in essence saying that every single skiddie is going to attack you if you don't do this.
So you raise the bar a little (in the source code, changing this or that). But in all honesty, how hard is it to locate the sub-routine 'PAM-AUTH-MODULE' or 'SSH-CHANNELS' ? So you gcc it, get an error, and fix it easily enough. How is that a 'responsible' POC release ? You are really encouraging skiddies, even if it was done in good faith ... I was just thinking that (most of you) are more knowledgeable about security than me, wondering what you thought. For now I think that there is no such thing as a responsible POC release.
... But then again, I'm kinda drunk ....
The fool doth think he is wise, but the wise man knows himself to be a fool - Good Ole Bill Shakespeare
May 16th, 2005, 10:51 AM
It is generally common professional courtesy to not publicly release a POC before the patch is released. Most people who do the POC (many of whom are actually employed by the company who created the software) will inform the software producer and THEN, once a patch is available, the POC is made available to explain WHY the patch was needed and exactly what it fixed.
Think about it... if you were a smalltime software developer and found something wrong with MS code, you would not want to get on their bad side and publicly release a POC before informing them. With the kind of weight they have in the business and political world, you would have hell to pay should they choose to target you.
May 16th, 2005, 12:29 PM
I would say that POCs are frequently the best way, if not required, to get the software vendor to take the problem seriously.
Where I have a problem is with people trying to gain fame and glory before the vendor has had a chance to develop and distribute a fix. Remember that the software developers are using structured methodologies and a development cycle. This takes time.
Furthermore, responsible administrators will test the patch before rolling it out. This also takes time.
IIRC CERT give one month's grace. I guess that is reasonable.
> Now, normally a POC is written to light a fire under the ass of software manufacturers, right ?
I don't go along with that; a fair few seem to be written purely for the self-gratification of the writer, which is why they are sometimes irresponsible in releasing them early.
May 16th, 2005, 03:23 PM
Software companies should be grateful that so many people out there are willing to do their debugging for them. If I found a juicy exploit, I would demand ransom (in unmarked bills).
I came in to the world with nothing. I still have most of it.