Rational Survivability

Brilliant…utterly brilliant
Your Twittering ability far exceeds your poetic talent though
Paul

Two questions for you Hoffster!
1) So I assume you feel this same way about every POC or exploit code that comes out?
2) Now that exploit code for what is not a terribly complex vulnerability is out, does this make us all that much more at risk?
I dunno…this vulnerability is not amazingly difficult to weaponize…so I'm not sure we were diverting much risk just because someone hadn't publically released exploit code.

It's always easy to tear things down.
Building things requires more effort.

@hoff: your comment is not only irresponsible but also insulting. The only writer that is being a dick here is the blogpost writer

Ahah, I am not the one to accuse of singing ¨we are the world¨, your Live Aid argument is not in me, some people in security – vulnerability "researchers" included- do not just do it out of a supersized ego and the self-righteousness that you'd like to pin on them, get over it. I do not pretend to be saving the babies, the whales or the penguins all I am saying is there are legitimate purposes for exploit code and making it available to the public is not equivalent to handing it to skript kiddies or SPAMing millions of users worldwide.
Rich may be smarter and better looking but he doesn't take brazilian dance lessons and then pretends to be a tough guy.
Besides, I am less than nobody I post comments in nobody's blog.

Apologies on not following this thread, I've been sooo busy. 🙁 Of course, this is where forums are so much more apt than various comments and blog posts being splintered all over…
Have you ever seen a puzzle or had a challenge, and then tried to be the first one to solve it? Not everyone views a computer exploit as negatively as some evil zombie-making virus that could kill mankind. Some see it as a simple challenge, puzzle, solution. Not saying that's right, but as long as not everyone thinks alike, someone somewhere will release code for a vuln that is simple enough like this…no matter how 'white hat' they consider themselves. And no amount of wrangling the security researchers together under some ethical umbrella will work.
The "when" and "how" of releasing exploit code or details enough to create exploit code, I would posit, are not possible to agree upon.
When: I don't even know how to answer this question. Should it be released before, at the same time, just after, 2 months later, 6 months later, when some entity determines that 80% of those affected are patched…? Any stipulation on how long to wait will fail, unfortunately. And certainly bad guys don't abide by such expectations. My only conclusions would be: never or whenever. I choose "whenever" as I don't think I want to forever be upset because "never" will never happen.
How: I think this can be more formalized, but it certainly cannot be all-encompassing. There will be people who just don't care and will release whatever whenever and however they want, even if it is just to dump it on FD and move on. There will be plenty others who won't know the right way to release exploits. I would find such an endeavor to be less amusing but just as frustrating as herding cats. Anything else is the beginning of making security research more elitist, or less accessible for the grassroots people who have given us much to build upon.
That's me, though. I guess I look at it as something that is just not going to be widely possible just like it hasn't been for the last 20 years. So I'd rather spend energy on things more possible. 🙂
(btw Hoff, if I thought so horribly of you and your opinions, I wouldn't read your blog let alone bother to post. And it's ok to disagree)
And back to work…

@Hoff: Do you realize that your stance is completely unfair? I will explain why bear with me for a few lines I will get to your request for empirical statistics later on.
You are asking me to prove that the users of Metasploit (or similar tools) are not criminals and at the same time you are telling me that it is not acceptable for me to first ask you to prove that they are criminal. These are not symmetrical requests and I agree that they shouldn't be.
My initial assumption on this mater is that all users of Metasploit (and similar tools) are not guilty of committing a crime unless proven otherwise. *You* are required to prove otherwise, I am not.
The burden of proof is on your end and there is good reason for it, that reason has less to do with my personal bias or stance and a lot more with the way modern societies apply the laws (and we are talking about criminal activities here are we not?).
Nonetheless, lets analyze your request a bit further: You ask for empirical statistics that prove something. To which I will say that I can't definitely prove (in the formal sense) that "something" with empirical statistics.
However, what I could do is provide a falseable theory about that "something". That means that it must be possible for you or anybody else to determine on the basis of factual data that my theory is false. To facilitate this, my theory should avoid the use of ambiguous concepts such as "used mostly by" or moral judgment ("good guys" vs. "bad guys") unless I disambiguate them. I am assuming that you agree that's how an empirical discipline that pretends to be rooted in modern science should present its theories.
So how about this statement:
"Less than 10% of the users of Metasploit use the tool for criminal purposes."
Note that I've disambiguated "used mostly by" to mean 90% of users and replaced an ambiguous moral dichotomy (users are either "good" or "evil") with disambiguation by application of the rule of any law that deals with "computer crimes".
Still, I cannot prove the above statement to be true but I could prove it false if I knew the number of unique users of Metasploit and the number of security incidents that have been tracked and directly linked to use of the tool or its exploits.
According to The 451 Group as of July 2006 there were 48,000 registered users of Metasploit (http://blogs.the451group.com/opensource/2006/08/28/metasploit-30beta-2-and-new-msf-website-launches/) and I would assume that there are at least 2 or 3 times as many users today considering that 2 years have passed, that Metasploit ships by default in a handful of Linux distributions and that it is also quite likely that there are as many unregistered users as registered ones, but lets be conservative and just stick to 48,000 users.
I am yet to see a incident report or forensic analysis that directly links a security breach to the use of Metasploit by any given number of unique users. This shouldn't be so hard to find or to determine: out of the box Metasploit does not cover its tracks and most big-vendor security firms do track down exploitation in the wild to specific malware artifacts yet as of today and to the extent of my knowledge no smoking gun indicates that at least 4,800 unique users of Metasploit are criminals.
To be fair, the closest thing to that is Andrew Jaquith's December 2005 blogpost where he showed one instance of correlation (not causality) between the release of a Metasploit exploit and a spike in visible network port scans (not actual penetration incidents) of the vulnerable service in the wild. Unfortunately Andrew derived causality from one particular instance of event correlation (he could had also correlated the spike with the release of the advisory 3 days earlier rather than with the release of the Metasploit plugin but he choosed not to do so) and ended up with 4 general conclusions using flawed logical reasoning (a flawed form of inductive reasoning): http://www.securitymetrics.org/content/Wiki.jsp?p…
Since then I haven't seen any attempt at a serious study or analysis that supports your hypothesis that Metasploit exploits are mostly used by criminals.
Incidentally, in the case of the DNS exploits recently released for Metasploit. Have you actually read the code?