[262] in bugtraq
Re: Full vs. Partial Dsiclosure
daemon@ATHENA.MIT.EDU (Bruce Barnett)
Wed Nov 30 00:01:43 1994
Date: Tue, 29 Nov 1994 07:18:42 +0500
From: barnett@grymoire.crd.ge.com (Bruce Barnett)
To: spaf@cs.purdue.edu, nlawson@statler.csc.calpoly.edu
Cc: bugtraq@fc.net
I echo some of Nathan Lawson's words.
I am sorry if my comment about some crackers having half a brain is
taken the wrong way.
Nowadays there are very sophisticated and readily available tools
that allows tens of thousands of people to try hacking, just for the heck of it.
All a hacker has to do is
foreach machine in list of machines
1) try to break root using one of the exploitation scripts
2) if successful, install the sniffer program
3) optionally install bogus versions of programs that hid
the use of the sniffer program
4) optionally install a back door entrance
5) log off
6) come back later and harvest the passwords
Of course, if you have "legal" access to the machine, or if the
administrators are careless, you can eliminate steps 3 and 4, which are
the hard parts.
The sources of the sniffer program is available everywhere By
making sources of the exploitation scripts available, you allow people
who are completely ignorant of UNIX to start cracking systems.
This encourages anyone with free time to "try hacking", just
for the heck of it. Therefore the number of hacking attempts will
increase by at least one order of magnitude. This places an additional
burden on every administrator/owner of any machine on the Internet.
Many sites do not spent enough time and money on security. The
number one reason why security isn't fully implemented is because of
resources. Full disclosure will force every site to allocate $$$
to fix these problems.
