lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
From: BlueBoar at thievco.com (Blue Boar)
Subject: [Secure Network Operations,
 Inc.] Full Disclosure != Exploit Release

Richard M. Smith wrote:
>  >>> One problem with anyone making private exploits is that 
>  >>> they always seem to get leaked, no matter who it is. 
> 
> I've written at least a dozen proof-of-concept examples for security
> holes.  I've given these examples to vendors and shared them with
> friends and other security researchers.  

Then you're pretty much guaranteed that some of them made it to people you 
didn't want them to.  Not only are people pretty poor about keeping secrets 
to themselves, but they could have been stolen from any of those people.

> I'm not aware of any of them
> being made public.  

I didn't say "public", but there are obviously many degrees of public. 
Obviously, I say "always" in the same sense that "software always has 
holes" or "hackers always get in."  Plus, I specifically said that I don't 
know if this "fact" is pro or con exploit release.

> In addition, I serious doubt that any of the
> examples are of much use to anyone except to the vendor who messed up in
> the first place.

Does that mean the vulnerabilities were also not made public, and so the 
vendor slipstreamed the fixes?

> Vendors probably find the bulk of security holes and I seriously doubt
> many of these problems have proof-of-concept code published for them.

So are we better or worse off for not knowing?

> OTOH we know that public proof-of-concept examples are going to get into
> the wrong hands.

Yes, and I maintain that private ones will as well.  So why did you find 
and exploit the problems to begin with?  Why not just let the vendor find 
them and silently patch them?

						BB

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ