From: dcopley at eeye.com (Drew Copley)
Subject: Re: Re: <to various comments>EEYE: Microsoft ASN.1 ...

 

> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com 
> [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of 
> Paul Tinsley
> Sent: Wednesday, February 11, 2004 10:57 PM
> To: Drew Copley
> Cc: full-disclosure@...ts.netsys.com
> Subject: Re: [Full-Disclosure] Re: Re: <to various 
> comments>EEYE: Microsoft ASN.1 ...
> 
> Drew Copley wrote:
> 
> >Without replying to each troll, individually, I thought maybe some 
> >people would like to see some answers to some notes.
> >
> >
> Most of these are from me, so I will personally respond to 
> those that apply.  And believe it or not, this is not a 
> troll, I really wanted to see people's viewpoints on this 
> subject. 


Somehow, I find this hard to believe.



> >These are my own comments, I speak for myself.
> >
> >Question: "Why release all of the details"
> >
> >
> This statement is not an accurate paraphrase, I didn't say 
> why release them all.  I said why release them all on day 0 
> of the patch release.
> 
> >Answer: Polls show this is what administrators want. This is one reason 
> >we do this. Another reason we do this is simple, we use the details 
> >ourselves. We use the details to create signatures for our 
> >vulnerability assessment tool and firewall. Security administrators 
> >then download these signatures and use them to check for patches or to 
> >protect systems which can not yet be patched.
> >
> >
> Administrators don't need this crap to fix their boxes, they 
> simply need the exploit vectors, the possible mitigation 
> steps, and the potential severity of the vulnerability. 

<snip>

I have gone over this a few times with some others. I believe I already
said it here. You seem to be unable to either hear it or believe it. 

In no particular order:

One, the polls show that more want it than not.

Two, we sell products which secure their boxes. We have a lot of
customers. Our competitors do the same thing. Altogether, we are the
industry. We have to know what the security hole was, so do our
competitors. Then, we can protect against this. So can they. 

Three, we don't give out exploit code. You can't make an exploit from
our advisory. I don't know you, I don't know who you are. But, frankly,
not that many people can even write exploit code. With these bugs, you
would have to be able to not only write the exploit code but also
understand the cryptographic references and their implementations in the
Windows OS. It isn't all that hard. But, it turns out, that the guys
who can write exploit code also can reverse engineer patches... They can
also understand our advisories, but they can also find their own bugs.

Okay?

Real world.

But, I don't think you understand that. Why should I go on? It isn't
rocket science. But, you are saying, "I know, I know". And, you do not
know. That is when people can neither learn nor understand.

Now, as a brief disclaimer... Security, being able to do these things is
not something that requires someone to have a tumor in their brain that
makes their IQ magically go up a thousand points. It requires only
desire. This means a predisposition. You have to be willing and wanting
to sit there and work through these things.

So, you really have no excuse not to understand these things.

You are a Monday morning quarterback. 