Message-ID: <20110323225124.91298.qmail@cgisecurity.net>
Date: Wed, 23 Mar 2011 17:51:24 -0500 (EST)
From: bugtraq@...security.net
To: deraadt@....openbsd.org (Theo de Raadt)
Cc: jim@...tools.org (Jim Harrison),
	aluigi@...istici.org ('Luigi Auriemma'),
	lcamtuf@...edump.cx ('Michal Zalewski'),
	sil@...iltrated.net ('J. Oquendo'), bugtraq@...urityfocus.com
Subject: Re: Vulnerabilities in some SCADA server softwares

> > If *any* threat exists,
> > that threat is increased by public exposure of unmitigated attack
> > methodology
> 
> I think you have it wrong.
> 
> Public exposure increases the visibility, and therefore customers
> install the patches quicker.
> 
> Without public visibility, they will keep running the old code.

Actually both are true.

More systems will be owned by these unmitigated issues since more attackers will be aware of their existence. While it is true
that others knew about these issues (always assume so), many more will know about them now, and more systems likely will be
exploited. This was certainly the case when Tavis published an unmitigated Windows vuln
http://www.theregister.co.uk/2010/06/30/windows_exploit_spike/ .

To your point, people who 'are paying attention' will patch once a patch is available, and others who wouldn't normally know
will see this in the news and become more aware of the issue/s. I don't think people on this list are arguing that
the public shouldn't be made aware of problems in these devices; they are arguing that PoC shouldn't be published for
unmitigated issues as it doesn't benefit users.

If you can provide real world statistics to the list demonstrating proof that people are safer by being aware of unmitigated
threats with working PoCs, please send it to the list. I don't ask this to flame you; I think that this is data that people
would be genuinely interested in learning from.


Regards,
- Robert
http://www.qasec.com/
http://www.webappsec.org/
