lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <3E3E66F3.102@guninski.com>
From: guninski at guninski.com (Georgi Guninski)
Subject: Re: David Litchfield talks about the SQL Worm in the Washington Post

David Litchfield wrote:
..snip...
 > With this in mind I am questioning the benefits of publishing proof of
 > concept code. I am due to present a paper on the remotely exploitable buffer
 > overrun in the Microsoft Locator service at Blackhat this February but
 > should I then also publish the code used to demonstrate the problem? Should
 > I even be discussing the problem in a public arena?
 >
 > Some will argue that full disclosure is a good thing. Others will abhor it.
 > There is no one correct answer - it must be a personal decision and for the
 > moment I am undecided.
 >

So Litchfield, snosoft and others are "uncertain" whether they should disclose
PoC, seems because of a worm.
Does this impact the availability of PoC for bugs in the past month?
I think the answer is clearly "no" - cf "[Full-Disclosure] locator exploit" and
"[Full-Disclosure] Exploit for CVS double free() for Linux pserver".
IMHO this proves the author not releasing PoC does not impact significantly the
availability of the exploit (there are more examples in the past year).
Which reminds me of a poem by an author I can't remember which is taught in .bg
schools - "I fell, another one comes in my place, what the fsck does one person
matter" (very roughly translated to english, don't remember exactly even the .bg
version).

Georgi Guninski
http://www.guninski.com


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ