From: jasonc at science.org (Jason Coombs)
Subject: Sapphire worm POC that fulldisclosure policies hurt everyone

Hogwash.

When your box gets destroyed mysteriously and you call your vendor to ask
why, you're going to be happy with the answer "you don't need to know, and
we're not going to tell you because it's a secret" ??

Ridiculous drivel. But thanks for sharing.

-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com]On Behalf Of
methylketone@...hmail.com
Sent: Saturday, January 25, 2003 1:10 PM
To: full-disclosure@...ts.netsys.com
Subject: [Full-Disclosure] Sapphire worm POC that fulldisclosure
policies hurt everyone



-----BEGIN PGP SIGNED MESSAGE-----

THE FULLDISCLOSURE PHILOSOPHY:
Vulnerability gets released on mailing lists
Admins patch machines <- IMPORTANT PART!
Internet is secure!

I hear a lot of arguments put out by the naive in favor of fulldisclosure of
vulnerability information. But the fact is, fulldisclosure policies hurt
everyone, and this time, they have wreaked havoc across the entire internet.
The ms-sql vulnerability has been known to the public for six months. If the
fulldisclosure philosophy were correct, the vulnerability would have been
patched by the vast majority of admins out there. However, that isn't what
happened. Thousands of machines were compromised and it led to a massive
internet-wide loss of service.

There are a lot of attacks against the competency of administrators who
failed to put their databases behind their firewall, and also failed to
patch their machines, but fulldisclosure operates on the assumption that all
administrators are going to find out about the bug and patch their machines.
The fulldisclosure philosophy is flawed.

The vast majority of those reading this message probably won the
scriptkid/admin race of patching vs being compromised. But today, that
didn't stop the destructive power of this worm. Today's denial of service
was mostly caused by smaller enterprises with less competent administrators.
The message is "pay up to the security consultants or your machines get
owned". I would be more okay with this if it were just the machine's owners
that got affected, but it's the entire internet. Get a clue, your actions
have consequences.

If the ms-sql bug had never been disclosed, and was slipped quietly to
Microsoft, this never would have happened, and the same responsible
administrators would have upgraded their software. The odds are, those same
responsible administrators have had their database servers behind a firewall
anyways, so this is all irrelevant. This catastrophe was caused solely by
the disclosure of vulnerability information.

I urge you to be more responsible with your actions in the future. The
stability of the entire internet is at stake.
-----BEGIN PGP SIGNATURE-----
Version: Hush 2.2 (Java)
Note: This signature can be verified at https://www.hushtools.com/verify

wmEEARECACEFAj4zGT0aHG1ldGh5bGtldG9uZUBodXNobWFpbC5jb20ACgkQsX0pyCcw
k+BI0ACgh/KwGDbK2C2EH7rszBKQ+yHKOp4AoLPlppnkMg1Tw2pB7dqq46pWGQox
=ym30
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
