Open Source and information security mailing list archives
From: BlueBoar at thievco.com (Blue Boar)
Subject: Fwd: fuck symantec & boycott bugtraq

Brian McWilliams wrote:
> Like folks said earlier, the "Exploit" tab is missing, but that doesn't 
> mean the exploit is gone. You just have to dig, starting with the stuff 
> in the "Credit" tab, to find the SF mailing list message that spawned 
> the BID in the first place.
> 
> E.g., the BID 1780 exploit is in the original Bugtraq message from NSFOCUS
> 
> http://online.securityfocus.com/archive/1/139490/2003-01-07/2003-01-13/2

Go to this page:
http://216.239.33.100/search?q=cache:9Fbx2EFZanAC:online.securityfocus.com/bid/1780/exploit/
Scroll to the bottom, notice there are two other exploits:
http://online.securityfocus.com/data/vulnerabilities/exploits/sharehack2.zip
http://online.securityfocus.com/data/vulnerabilities/exploits/netbios.tar.gz

Take "sharehack2", for example.  Google shows exactly one other site on the 
Web that has a copy, and only because it shows up in their download stats. 
It doesn't seem to be on PacketStorm, at least not by that name.

The other exploit seems to be slightly more widely available, but not much.

I don't really think that whether you can find it elsewhere or not is the 
point.  I believe the point is that you've got 2 additional exploits that 
were created outside of the main discussion of the issue on Bugtraq, and 
I'm guessing that at least one of them was submitted by the author directly 
to SF so that it would be placed on the exploit section for that vuln.  If 
someone were looking at BID 1780 on the site now, how would they even know 
to go looking for those missing exploits?

> No conspiracy here ... just laziness by SF/Symantec. It's inconvenient, 
> but there's always Packetstorm if you're in a hurry.

I'm not sure how this qualifies as "laziness".  They went out of their way 
to intentionally remove a feature from the public database.  It's not like 
they've decided it's too much work to keep maintaining or something, 
they've got paying customers for the commercial version.  I can only 
imagine that this was a policy decision because Symantec didn't want to be 
seen as hosting the exploits they are trying to protect their customers 
against.  Same reason they don't make malicious code samples available to 
the public.

						BB
