Message-ID: <3E3421B5.2080000@snosoft.com>
From: dotslash at snosoft.com (KF)
Subject: Sapphire worm POC that fulldisclosure policies hurt everyone

 >If the ms-sql bug had never been disclosed, and was slipped quietly to 
 >Microsoft, this never would have happened, and the same responsible 
 >administrators would have upgraded their software.

*cough* bulls$#t *cough*...

even if this bug was not disclosed to the public there is the same 
possibility that a worm would be released by some random blackhat 
community that found the bug and whored it amongst themselves for a while.

blackhats can find and write exploits for worms just as quickly as 
whitehats can find them and disclose them to the public. The bottom line 
is some developer made an error that caused a security hole. ANYONE 
could find and exploit that hole and write a worm for it or admin 1000's 
of boxes by hand with their uber ./ skills... the disclosure is not the 
issue.

the damage would be no more or no less than what was already caused had 
someone released a worm for a bug that microsoft silently fixed. For 
that matter, was Code Red not just a modification for a similar hole with 
a similar worm that ms just silently patched a year prior?
-KF