lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20070718113532.B52810@home.ephemeron.org>
Date: Wed, 18 Jul 2007 11:37:02 -0700 (PDT)
From: Bigby Findrake <bigby@...emeron.org>
To: Chris Stromblad <cs@...post24.com>
Cc: Gadi Evron <ge@...uxbox.org>, bugtraq@...urityfocus.com,
	seclists@...holm.com
Subject: Re: Internet Explorer 0day exploit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 18 Jul 2007, Chris Stromblad wrote:

<deletia>

> One more thing about "advisories". I think it would be better to release
> them immediately and let people know what they are facing. With public
> dissemination of a vulnerability perhaps someone will release a 3rd
> party patch or another inventive way of protecting oneself. Holding it
> "secret" really doesn't help anyone.

With regards to your last statement, I would like to believe that that's 
so, or at least that if there is some harm in "early release" of 
information that that harm is mitigated (if not outright outweighed) by 
the potential good that's done by alerting the community and thereby 
allowing them to develop their own responses.

I guess what we're really talking about here is the perceived potential 
negative impact of letting the bad guys know that a vulnerability exists 
in space X (that they might then attempt to exploit where without that 
knowledge, they wouldn't try to exploit it even if it could be argued that 
they would attempt to find it) vs. the perceived potential good of 
allowing the good guys to attempt to formulate their own defenses 
tangential to some sort of "official" response.

It seems to me that without metrics (how many early release advisories 
turned into exploits that wouldn't have been created without said 
advisory?) that all discussion on this topic is either philosophical or 
academic (which is not to imply "without merit").

> Anyways, enough ranting.

I, for one, enjoyed your rant.



- -- 
Making files is easy under the UNIX operating system.  Therefore, users
tend to create numerous files using large amounts of file space.  It
has been said that the only standard thing about all UNIX systems is
the message-of-the-day telling users to clean up their files.
                -- System V.2 administrator's guide

finger://ephemeron.org/bigby
http://www.ephemeron.org/~bigby/
irc://irc.ephemeron.org/#the_pub
news://news.ephemeron.org/alt.lemurs


-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv

iQA/AwUBRp5dzuG50ohcWywfEQIaGwCdFvAHqttbczpDKBmJXkJZrDf1/BgAnRzh
tNxtwD2MTu+qYgDY0EpRCuC0
=xb3M
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ