| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <002001c22ebd$92808cb0$6401a8c0@Laptop2> From: steve at entrenchtech.com (Steve) Subject: Symantec Buys SecurityFocus, among others. > Release exploits with the vaguest of descriptions as to how they work > (lost for examples -- just copy'n'paste the "technical bits" of some > of the security bulletins from MS...). Have the _only_ PoC code a > compiled binary loaded with copyright notices forbidding reversing, > etc. Be sure to use some "encryption" (extremely trivial is OK as > complexity doesn't matter; can you say XOR?) in the PoC to "protect" > the important secret (generally the overflow "string" itself). Be > capricious in who you prosecute under the DMCA for incoporating > vulnerability detection of this flaw into their products. (Many > other "pro-reversing" laws allow reversing if doing so is the only > (practical) way to ensure compatibility or system inter-operation -- > this should not be a defense against reversing a security > vulnerability exploit...) But how could you stop one from simply setting up a sniffer to "see" what the exploit does on the network or monitor the local system to see what is done? I am all for people releasing exploit code, I see no reason not to, but trying to protect it is a waste of time as there are a million ways, legal ways, around it.
Powered by blists - more mailing lists