Date: Thu, 30 Jun 2005 11:18:52 -0700
From: Skip Carter <skip@...geta.com>
To: Aviram Jenik <aviram@...ondsecurity.com>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: Publishing exploit code - what is it good for




> I recently had a discussion about the concept of full disclosure with one of 
> the top security analysts in a well-known analyst firm. Their claim was that 
> companies that release exploit code (like us, but this is also relevant for 
> bugtraq, full disclosure, and several security research firms) put users at 
> risk while those at risk gain nothing from the release of the exploit.

> reluctant. Their claim was that based on their own work experience, a 
> security administrator does not have a need for the exploit code itself, and 
> the vendor information is enough. The analyst was willing to reconsider their
 

I think it's a question of what the role of the 'security administrator' is within
the enterprise.  If their job is primarily threat evaluation and appropriate
patching/updating in response, then I agree that the publication of an exploit
is not very helpful.  If, however, the job is firewall/IDS management or
incident investigation, then having access to actual exploit code is
extremely valuable to have.



-- 
 Dr. Everett (Skip) Carter           Phone: 831-641-0645 FAX:  831-641-0647
 Taygeta Network Security Services   email: skip@...geta.net
 1340 Munras Ave., Suite 314         WWW: http://www.taygeta.net/
 Monterey, CA. 93940            











_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

