lists.openwall.net - Open Source and information security mailing list archives
 
Message-ID: <20110324111332.GA18593@1wt.eu>
Date: Thu, 24 Mar 2011 12:13:32 +0100
From: Willy Tarreau <w@....eu>
To: "J. Oquendo" <sil@...iltrated.net>
Cc: Theo de Raadt <deraadt@....openbsd.org>,
	Jim Harrison <jim@...tools.org>,
	"'Luigi Auriemma'" <aluigi@...istici.org>,
	"'Michal Zalewski'" <lcamtuf@...edump.cx>, bugtraq@...urityfocus.com
Subject: Re: Vulnerabilities in some SCADA server softwares

On Wed, Mar 23, 2011 at 02:36:38PM -0400, J. Oquendo wrote:
> On 3/23/2011 2:13 PM, Theo de Raadt wrote:
> >> If *any* threat exists,
> >> that threat is increased by public exposure of unmitigated attack
> >> methodology
> > I think you have it wrong.
> >
> > Public exposure increases the visibility, and therefore customers
> > install the patches quicker.
> >
> > Without public visibility, they will keep running the old code.
> 
> You're flawed in your response: "Public exposure increases the
> visibility, and therefore customers install the patches quicker." ...
> When someone "full discloses" a vulnerability, there is no patch to
> install quicker.

That does not change the fact that the bug might already have been
exploited for a long time. Without the disclosure, the vendor has
the possibility to guess that it's not the case and take a long time
to fix it. After the disclosure, this possibility vanishes and he has
to work for a fix.

Also, if vulnerabilities were waiting for disclosure to be exploited
in such environments, Stuxnet would not have existed *before* Luigi's
post, only after. Recent facts have proven you wrong here.

Granted, now there's an emergency and we'll possibly get poor quality
patches or workarounds at first. At least if some of these
vulns are currently actively being exploited, we can expect those
exploits to quickly stop from now on.

Willy
