lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
From: ggilliss at netpublishing.com (Gregory A. Gilliss)
Subject: Re: Second critical mremap() bug found in all Linux kernels

Paul,

It's "full disclosure" for God's sake. WTF is this "proper grace period"
crap?

Who decides what constitutes a "proper grace period"? You? Me? The vendors?

There's a hole. Here's how you test/exploit the hole. The script k1dd13z 
have it now. Fix it quick. Don't wait! Full disclosure. Not necessarily
"responsible" disclosure, but hey, the vendors released the code with the
hole in it. Was *that* responsible? I mean, what are we talking about here,
security or some kind of standards body that decides who gets what info?

You may object to my position. How can a responsible security professional
advocate this, you ask? Simply because I recognize that the vendors will
not fix security holes unless they are forced to by expediency. Security
is a revenue drain, and unless there is a viable threat security remains
a very low priority  on organizations' list of things to do today. The
release of the PoC code or exploit into the wild creates the viable threat
that results in vendors getting off their collective asses and doing the
work to patch the hole.

If the vendors would do more than adequate testing in the first place
the damned hole would have been found and fixed before the product
shipped. Instead people like you and I and Christophe Devine perform free
security auditing for the vendors.

Full Disclosure. Read the list charter. It's about putting it out there
regardless of the consequences, because information should be free and
vendors don't give a shit unless there's some fire being held to their
feet.

G

On or about 2004.02.18 15:52:15 +0000, Paul Starzetz (ihaquer@...c.pl) said:

> please do not post any exploit code(s) before a proper grace period.

-- 
Gregory A. Gilliss, CISSP                              E-mail: greg@...liss.com
Computer Security                             WWW: http://www.gilliss.com/greg/
PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 D9 B4 14 0E 8C A3

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ