The brief crisis of conscience that led researchers at Next Generation Security Software Ltd. to reconsider whether to release exploit code with their vulnerability reports has passed.
David Litchfield, the companys co-founder, on Wednesday said he and his brother, Mark, will continue to publish sample exploits in an effort to give administrators and security specialists a level playing field in their battle against crackers. The decision was not one that they made lightly, Litchfield said, but it was made easier by the hundreds of e-mails they received encouraging them to keep publishing exploits.
“There are people out there with a high level of intelligence developing, sharing and actively using exploits against [insecure] systems,” he said in a lengthy e-mail explaining his thoughts on the subject. “Regardless of motive, there is much to be learnt from these people and their exploits. But if this was the only source of information for those working in the security industry, then the bad guys would always be one step ahead of the good guys; and if theyre one step ahead, we lose and so do the organizations were trying to protect.”
Litchfield and NGS Software are well-known for finding vulnerabilities. The company often publishes so-called proof-of-concept code along with their advisories as a way for administrators to test their systems for the flaw.
But such code can also be used to attack vulnerable systems. In fact, code that Litchfield included with his bulletin warning of the SQL Server 2000 flaw that the Slammer worm exploits was used by the worms creator as a template. This led Litchfield to write a message on the BugTraq mailing list wondering whether the practice of releasing exploit code did more harm than good.
But after considering the alternative and looking closely at the long-range consequences of each choice, Litchfield decided to maintain the status quo.
“Often, CXOs are blind to security issues and it is only when their network administrator proves to them the severity, with the use of the proof-of-concept code, that they understand the impact a vulnerability can have to the business and organization,” he said. “Clients expect the very best from their security professionals—and their best security pros need to know the current state of security affairs. Only through education and diligent learning can this be achieved. Without the publication of proof-of-concept code and vulnerability details this educational gain would be lost—and this in the long run would have a negative impact on the state of computer and Internet security.”