NGS Researchers to Continue Sharing Code | eWeek

NGS Researchers to Continue Sharing Code

Écrit par
Dennis Fisher
Dennis Fisher
Feb 5, 2003
2 minute read
eWeek Le contenu et les recommandations de produits sont indépendants de la rédaction. Nous pouvons gagner de l'argent lorsque vous cliquez sur des liens vers nos partenaires. En savoir plus

The brief crisis of conscience that led researchers at Next Generation Security Software Ltd. to reconsider whether to release exploit code with their vulnerability reports has passed.

David Litchfield, the companys co-founder, on Wednesday said he and his brother, Mark, will continue to publish sample exploits in an effort to give administrators and security specialists a level playing field in their battle against crackers. The decision was not one that they made lightly, Litchfield said, but it was made easier by the hundreds of e-mails they received encouraging them to keep publishing exploits.

“There are people out there with a high level of intelligence developing, sharing and actively using exploits against [insecure] systems,” he said in a lengthy e-mail explaining his thoughts on the subject. “Regardless of motive, there is much to be learnt from these people and their exploits. But if this was the only source of information for those working in the security industry, then the bad guys would always be one step ahead of the good guys; and if theyre one step ahead, we lose and so do the organizations were trying to protect.”

Litchfield and NGS Software are well-known for finding vulnerabilities. The company often publishes so-called proof-of-concept code along with their advisories as a way for administrators to test their systems for the flaw.

But such code can also be used to attack vulnerable systems. In fact, code that Litchfield included with his bulletin warning of the SQL Server 2000 flaw that the Slammer worm exploits was used by the worms creator as a template. This led Litchfield to write a message on the BugTraq mailing list wondering whether the practice of releasing exploit code did more harm than good.

But after considering the alternative and looking closely at the long-range consequences of each choice, Litchfield decided to maintain the status quo.

“Often, CXOs are blind to security issues and it is only when their network administrator proves to them the severity, with the use of the proof-of-concept code, that they understand the impact a vulnerability can have to the business and organization,” he said. “Clients expect the very best from their security professionals—and their best security pros need to know the current state of security affairs. Only through education and diligent learning can this be achieved. Without the publication of proof-of-concept code and vulnerability details this educational gain would be lost—and this in the long run would have a negative impact on the state of computer and Internet security.”

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Propriété de TechnologyAdvice. © 2026 TechnologyAdvice. Tous droits réservés

Divulgation publicitaire : Certains des produits qui apparaissent sur ce site proviennent d'entreprises dont TechnologyAdvice reçoit une compensation. Cette compensation peut influencer la façon dont les produits apparaissent sur ce site, notamment l'ordre dans lequel ils apparaissent. TechnologyAdvice n'inclut pas toutes les entreprises ou tous les types de produits disponibles sur le marché.