About
From Frequently Asked Questions
"Our only security is our ability to change."
- John Lilly
Packet Storm Security, herein referred to as "Packet Storm", is a threat intelligence feed that encompasses a vast cross section of information related to vulnerabilities (both historical and current), and free tooling to better enable the information security industry. For seasoned professionals, we work to ensure all relevant details become available in a timely fashion. For those just starting out, Packet Storm offers an understanding into the constant flow of new problems that the tech industry needs to address and how they are exploited.
Our ethos
The software and service industries are not held to the same standards as other industries. If a car keeps blowing up, there's a recall. But when software suffers from a vulnerability, the customer is often left waiting on the vendor not only to tell them they're vulnerable, but also to provide a patch. Corporations do not like admitting to vulnerabilities, as doing so reflects poorly on their image and can affect their bottom line — money. Doing the morally correct thing usually isn't in the equation. It is not uncommon for corporations to take an excessive amount of time to patch vulnerabilities, to threaten researchers in order to suppress disclosure, and to ignore issues altogether. The behavior is embarrassing. Worse, it puts unnecessary stress on the information security industry. This has been a common theme we have witnessed for decades. Packet Storm exists to level the playing field for everyone on the internet.
Nobody is going to fix your security issues for you, but knowing they exist is the first step. That's where Packet Storm comes in. We are here to help the greater good through education and awareness.
Primary goal
First and foremost, Packet Storm works to post all relevant data related to vulnerabilities as they are discovered and reported upon. The more data a security professional has when making decisions to protect their domain, the better. Ignorance is not an option in this industry. For years, we have seen not-so-competent security leaders say silly things like: "is there an exploit for it?" with an internal hope to ignore triage and pretend it is a non-issue. Let's be clear on this — it does not matter if there is a working exploit publicly available. What matters is that the issue exists. The exploit exists, even if you don't know about it.
Putting to bed responsible versus full disclosure
To us, the topic of disclosure has always been a discussion rooted in arrogance, naivety, and disillusion. There is a long-standing argument in the information security community as to whether it's better to release all details regarding an issue (full disclosure) versus reporting it to the vendor who owns the software and working with them on a date to release any details (responsible disclosure). Naming the latter responsible disclosure is a convenient misnomer. And in Packet Storm's view, it is irresponsible. How can you make something that is horrifically irresponsible appear responsible? Put the word "responsible" in the name.
Many security researchers take this route to mitigate legal threats from software vendors. In their minds, they believe that they are the only person who knows about the issue until the details are released. Unfortunately, that's where arrogance and ego come into play. If you found an issue, odds are you are not the first to find it, though you may get credit for bringing it to light first. Researchers also may play ball for the sake of bug bounties and getting paid for their work. This is fair, but it also does a disservice to the greater good because the public may never learn about an issue and could be compromised.
An explanation in a story
When "responsible disclosure" discussions were ramping up a couple of decades ago, a well-respected researcher put out an advisory noting an overflow in a popular piece of repository software. Packet Storm saw the advisory and posted it. The researcher was reticent to provide any exploitation details, worried that he would cause the next big problem on the internet. He worked with the vendor and waited for them to release a patch.
Within the next hour after we posted the advisory, an email showed up in our spool with a note: "Well, I guess my zero days are burned," or something to that effect. Attached were two remote root exploits for two different architectures, exploiting the same vulnerability noted in the earlier advisory. In a twist, we noticed the mail came from root at the software maker's domain. We saw in the email headers that it came from the repository software servers themselves. We reached out to the compromised company and explained the implications, as they were a huge entity. Not only were their systems compromised, but it was unknown how long their software may have been completely backdoored. Any seasoned hacker will tell you that attackers don't just get root on a system and say, "neat. I got in." No, they ensure persistence through various rootkits and even legitimate access flows. The more subtle and easy it is to miss in forensics, the better. They sniff any traffic possible and exfiltrate every bit of data they can. They backdoor any distributed software itself to extend their foothold to customers. They branch out and compromise more and more of your network. They may pull other attackers in to help. Before you know it, your entire network is overrun by crime gangs that you'll never 100% remove. This is reality.
When a flaw comes to light, wasting time on whether or not it should be known publicly is like watching a house burn and bickering over whether or not you should alert the neighbors before calling the fire department. Trying to suppress vulnerability information from coming out is akin to book burning — it may benefit your ideology and personal agenda, but you shouldn't be a special flower who gets to decide for the rest of us on Earth.
But why do we need live exploits?
If you're asking this question, you probably don't work in a very technical capacity in the security industry. That's okay — we will explain. Understanding the exact and full details of how a vulnerability operates is paramount to finding the proper solution, and exploits provide that level of detail. If a vendor fails to provide a patch, you may have to create one yourself and test it. In order to test your mitigation, you need to know the vector of attack as is provided in an exploit. Without exploitation details, it can be much harder, if not impossible, to do your job. When all you know is that a vulnerability results in remote code execution, but you do not have enough details to create your own mitigations, you can get pushed to a hard decision.
One such instance we witnessed was a large antivirus firm losing millions of future dollars from a subscription customer because they refused to patch a vulnerability that could have allowed for code execution. They felt they were too big to fail and there was no way they could be easily replaced — not by a company with hundreds of thousands of employees that was massive in scale. However, leaving the entire network at risk was a non-starter for the customer. The antivirus firm lost all future revenue due to arrogance and negligence. It was a failure that is probably used in their internal business training courses today.
And what about script kiddies?
Twenty years ago, prior to nation states and ransomware gangs being at the forefront of data security, script kiddies were a big topic. As the narrative went, by putting exploits in the public domain, Packet Storm was enabling script kiddies to wreak havoc on the internet. Let us be perfectly clear on our stance. If your primary concern is script kiddies rooting your network, you probably have not spent any time in the trenches with real hackers or given thought to why you are a target and who has you as a target — and that's not a great position to be in. Although script kiddies may increase the noise ratio of attacks when something becomes known, they're rarely going to inflict the most damage. They will leave fingerprints everywhere and they should be easily detected. Well-educated security engineers know that skilled attackers work to not be detected, to not be noticed, and to traverse deeper into your network. Exploits can privately change hands for months (if not years) before they end up in the public domain.
If your focus is on script kiddies, you aren't focused on the real problem. In fact, let's hope you aren't in a position of power and just guessing your way through critical decisions. When focusing on a flaw that just came to your attention, you are hopefully not spending all of your time bickering with a business unit about how they need to upgrade their software before the script kiddies find it. If your security program is that far behind, you might as well not be funded.
If your system is internet-accessible and vulnerable, a proper approach may be to quarantine it for forensics, take things offline as appropriate (even if it affects revenue), and assess what further damage beyond the perimeter may have occurred. Most companies just focus on patching and hope they haven't been compromised yet, but if the vulnerability existed and you're a prominent target, you've most likely already let some attackers in. This is why most people in this industry rarely sleep well — they know how the cycle works.
Isn't Packet Storm just a hacker site?
When this term is spoken, it usually has a negative connotation. The term "hacker" has been manipulated for years by sensational media stories and movies portraying hackers as more dangerous than anyone on Earth. In truth, hackers are the reason you have any security whatsoever in any tech space. The most qualified security professionals you will ever meet usually spent time in the gray areas of the hacker world. It does not make them bad people, nor attackers in any way — it makes them people who pay attention. Paying attention and learning is critical to evolving. As we learn how to manipulate and change the behavior of something meant to operate in a different capacity, we identify mistakes and can change behavior in the future. From our perspective, anyone who isn't aspiring to be a hacker of some sort in this day and age is going to be left behind as technology continues to progress. Education is path-critical. Science is path-critical. Math is path-critical. You cannot pretend problems do not exist because it is inconvenient to address them.
Big tech makes it worse
We have seen a multitude of poor behaviors in big tech, such as "secret" mailing lists where vulnerabilities are disclosed between a set group of security types working to secure their companies from a given vulnerability before the details go public. By having these exclusive channels with faux "embargoes" on sharing, many turn a blind eye to their own behavior as long as they feel important enough to be included. This comes back to ego and arrogance again, and it harms the greater good. The handful of large tech companies should not be the only ones with this information, and it demonstrates their monopolistic behavior in real time. As long as the entire internet is operating under the same set of technologies, the information should be shared with everyone. Everyone needs to protect their domain.
Fortunately, others think like us
Over the years, Packet Storm has received support from places we never expected, and we cannot thank everyone enough for getting involved. There are quite a few people in important places who quietly worked in the background to help keep us moving forward, and that is by design. Packet Storm has always operated in a fashion where no one is involved for name recognition, but rather a constant focus on the mandate. And that's what has attracted much of the help we have received over the years. We are thankful to be a part of one of the most interesting and necessary communities in modern society — the security community.
In summary
Companies love playing up how much they care about security. But when you pull the curtains back, you usually find very different conduct internally. We are not here to save the tech industry, but we are here to make our best effort to provide the security industry with the information it needs to make critical decisions to protect their systems and networks. As long as big tech makes big investments in their security organizations, they will inherit a better posture and the benefits of Packet Storm. We exist as the only intelligence source of its kind that has been operating for over a quarter of a century. It's a free service to everyone and we think that's pretty nice too. People seem to generally like free.
© 2024 - 2025
All Rights Reserved Packet Storm Security, LLC
| Hosting provided by: RokaSecurity