How does the 'sploit/security patches scene work?

  1. #1
    Senior Member
    Join Date
    Dec 2001
    Posts
    884

    How does the 'sploit/security patches scene work?

    I'm writing a paper about IT security, patching holes, and how I've contributed to this scene (under other aliases and this one). I'm putting things such as securityfocus's bugtraq and other mailing lists, contacting vendors directly, website forums, etc., as means that people use to publish their findings (hopefully legitimately). Thing is, I need to come up with a "hierarchy" of sorts. Or, rather, some way to better describe to a layperson how the security and patching world works, in the subject specifically of exploits/holes/bugs and contributions made by seemingly-random Internet users. Anyone have any input?

  2. #2
    hello jehnx,

    I don't think there is any real hierarchy to speak of.

    I'd probably approach it by explaining the various approaches to disclosure, from private disclosure to the vendor through to full disclosure, and everything in between (like iDefense's bounty for Microsoft vulns, or the various approaches to "responsible disclosure").

  3. #3
    AO Guinness Monster MURACU's Avatar
    Join Date
    Jan 2004
    Location
    paris
    Posts
    1,003
    I would suggest following the sequence of events from the discovery of the bug/exploit through to the deployment of the patch or update. That should allow you to give a description of the different people or organisations involved at the different stages. It should also allow you to adapt the technical level to your audience. Don't know if that helps, but good luck with your paper.
    "America is the only country that went from barbarism to decadence without civilization in between."
    "The reason we are so pleased to find other people's secrets is that it distracts public attention from our own."
    Oscar Wilde (1854-1900)

  4. #4
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    OK mate, I am no expert but:

    1. Define vulnerability and exploit and their relationship.
    2. Where do you learn of vulnerabilities?
    3. What do you then check to see if it has that vulnerability? Say buffer overflows...
    4. Who do you contact... software suppliers?
    5. What software is affected?
    6. What media deal with this sort of stuff? (CERT, SANS etc..)
    7. Do you do a POC?

    Something along those lines?


  5. #5
    Senior Member
    Join Date
    Dec 2001
    Posts
    884
    You guys have been a HUGE help. Thanks so much for your contributions and steering.

    EDIT: and I'd green the two of you that I didn't if I didn't have to spread! Hehe

  6. #6
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Hey Jehn~ please keep us informed, we may be able to add more.

    One question I have is what kind of audience is this aimed at?


  7. #7
    Senior Member
    Join Date
    Dec 2001
    Posts
    884
    I'm applying to a very prestigious house here at Cornell called Telluride House. It's basically a large house on campus that is focused primarily on intellectual growth, community-building, and self-government of the house (completely). Some notable members who have lived in Telluride House have been Paul Wolfowitz, Francis Fukuyama, and many others.

    One of the application questions is to engage in a topic of interest, and the point of the exercise is to see how I would be able to explain to a normal (albeit very smart) person a topic about which they know nothing. That's why I'm asking you guys for help!

    Thanks again. :-D
