From: geoincidents at getinfo.org (Geo)
Subject: [Secure Network Operations, Inc.] FullDisclosure != Exploit Release

> - Customers can test for themselves whether a patch works or was applied
> correctly.

I think this is a very important point. Customers need to be able to test to
see if applying a second, later patch has made them vulnerable to an earlier
patched exploit. An example with this worm was where a later patch once
again left you vulnerable. How are we to know if we don't have something to
test with? We obviously can't trust the vendors, and with the range of
different configurations of machines I'm not even sure it's a reasonable
requirement for a vendor to test every possible combination.

We have beta testers for software; how can we put patch code through the same
sort of tests if we have nothing to test with to see whether it has actually
patched the systems we run?

We may not need code to exploit, but what about code to prove we are
patched?

Geo.
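The kind of non-exploit "are we patched?" check the post asks for, as an added example that is not part of the original message or of any vendor's tooling. It combines a version comparison against the release that carries the fix with a fingerprint of the patched artifact, so that a later patch which quietly reinstates the old build is reported as a regression rather than as fixed. The product name, versions, build contents and hashes are all constructed sample values, and the function names (`assess`, `parse_version`, `fingerprint`) are this example's own.

```python
"""Non-exploit patch-state check (added example, not from the original post).

Two independent signals are combined:
  1. a version comparison against the release that carries the fix, and
  2. a SHA-256 fingerprint of the patched artifact against hashes of
     builds known to be fixed or known to be vulnerable.

The second signal is what catches the case the post describes: a later
patch that reintroduces the old bug while the version number still looks
new. All versions, build bytes and hashes below are constructed samples.
"""
import hashlib
import re
from enum import Enum


class PatchState(Enum):
    FIXED = "fixed"
    VULNERABLE = "vulnerable"      # version predates the fix
    REGRESSED = "regressed"        # version says fixed, artifact is a known-bad build
    UNKNOWN = "unknown"            # version says fixed, artifact not recognised


def parse_version(text):
    """Turn '2.10.1' into (2, 10, 1) so that 2.10 compares greater than 2.9."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(int(p) for p in parts)


def fingerprint(data):
    """SHA-256 of the artifact bytes (a binary, library, config file, ...)."""
    return hashlib.sha256(data).hexdigest()


def assess(installed_version, fixed_in, artifact, fixed_hashes, vulnerable_hashes):
    """Decide whether the fix for one issue is actually present on this system."""
    if parse_version(installed_version) < parse_version(fixed_in):
        return PatchState.VULNERABLE
    digest = fingerprint(artifact)
    if digest in fixed_hashes:
        return PatchState.FIXED
    if digest in vulnerable_hashes:
        return PatchState.REGRESSED
    return PatchState.UNKNOWN


# --- constructed sample data: a made-up "server" component ---
FIXED_IN = "2.0"
FIXED_BUILD = b"server v2.0 bounds check present"
VULN_BUILD = b"server v1.9 no bounds check"
FIXED_HASHES = {fingerprint(FIXED_BUILD)}
VULNERABLE_HASHES = {fingerprint(VULN_BUILD)}


def demo():
    """Run the check over four constructed situations and return the verdicts."""
    return {
        "old": assess("1.9", FIXED_IN, VULN_BUILD, FIXED_HASHES, VULNERABLE_HASHES),
        "patched": assess("2.0", FIXED_IN, FIXED_BUILD, FIXED_HASHES, VULNERABLE_HASHES),
        # a later release that ships the vulnerable build again: version alone would pass it
        "rollup": assess("2.1", FIXED_IN, VULN_BUILD, FIXED_HASHES, VULNERABLE_HASHES),
        # a newer build nobody has fingerprinted yet: do not claim it is fixed
        "unseen": assess("2.2", FIXED_IN, b"server v2.2 rebuilt", FIXED_HASHES, VULNERABLE_HASHES),
    }


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name:8} -> {state.value}")
```

The point of returning `UNKNOWN` rather than `FIXED` for an unrecognised build is that a version number above the fix threshold is a claim, not proof; only a fingerprint (or a behavioural test of the fixed code path) confirms that the patched code is what is actually running.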

