lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <3E1DE1AA.5060102@thievco.com>
From: BlueBoar at thievco.com (Blue Boar)
Subject: Fwd: fuck symantec & boycott bugtraq

ohnonono@...hmail.com wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> 
> I am sorry I was not clear because i was angry.  Symantec has conviently removed all the exploits from the database.  How can you trust someone who lies?
> 
> http://online.securityfocus.com/bid
> 
> Where are the exploits?  Not like that is going to really stop any script kiddies or hackers anyway.  It just goes to shows you cant trust symantec (something most of us knew anyway).
> 

Thanks for clarifying.  Indeed you are correct. The "exploit" tab has been 
entirely removed.  Interestingly, at least some of the exploit files are 
still there:
http://216.239.33.100/search?q=cache:9Fbx2EFZanAC:online.securityfocus.com/bid/1780/exploit/
http://216.239.33.100/search?q=cache:Qjh1bVr7VFYC:online.securityfocus.com/bid/4485/exploit/

I wonder if the files being left available is simply an oversight that 
hasn't been addressed yet.  I wonder if they were left available 
intentionally because the commercial vulnerability database customers still 
get access to the exploits, and possibly their version of the vulnerability 
database entries still include the exploit section that links to those files.

When I was working there, we would occasionally be accused of "selling 
exploits".  Other people's exploits, to be more specific.  I never felt 
that the accusation was accurate, because of the fact that the exploits 
were made available to the public, and SecurityFocus was simply acting as 
an archive.  If they have removed them from public view, and are still 
keeping them around for the paying customers, then perhaps that accusation 
is now valid.

Used to be that if an exploit writer didn't want their exploit saved for 
posterity on securityfocus.com, they could ask, and it would be removed.  I 
guess now one will have no way of knowing if it's there or not.

						BB

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ