Message-ID: <4D8A3DB6.700@infiltrated.net>
Date: Wed, 23 Mar 2011 14:36:38 -0400
From: "J. Oquendo" <sil@...iltrated.net>
To: Theo de Raadt <deraadt@....openbsd.org>
Cc: Jim Harrison <jim@...tools.org>,
	"'Luigi Auriemma'" <aluigi@...istici.org>,
	"'Michal Zalewski'" <lcamtuf@...edump.cx>, bugtraq@...urityfocus.com
Subject: Re: Vulnerabilities in some SCADA server softwares

On 3/23/2011 2:13 PM, Theo de Raadt wrote:
>> If *any* threat exists,
>> that threat is increased by public exposure of unmitigated attack
>> methodology
> I think you have it wrong.
>
> Public exposure increases the visibility, and therefore customers
> install the patches quicker.
>
> Without public visibility, they will keep running the old code.

You're flawed in your response: "Public exposure increases the
visibility, and therefore customers install the patches quicker." ...
When someone "full discloses" a vulnerability, there is no patch to
install quicker. This is obvious because there is no patch until either
the vendor releases one, or staff using the product are capable of
creating a work-around. In the case of the SCADA environment, we (again)
are not talking about the potential of a defacement, blue screen, silly
shell; we're talking about sensors, gears and often so much automation
that it would be absurd for a SCADA engineer to "go it alone" and try to
create their own patch. Many of these systems don't have the option of
failing or being taken offline. You also state: "Without public
visibility, they will keep running the old code." The reality is, no one
is going to outright replace some of these systems in these
environments. These are not applications and/or systems one can plop
onto donated boxes. They have no choice BUT to run the code.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP

"It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently." - Warren Buffett

42B0 5A53 6505 6638 44BB  3943 2BF7 D83F 210A 95AF
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF
