lists.openwall.net
Open Source and information security mailing list archives
 
From: zorkshin at tampabay.rr.com (Justin Shin)
Subject: DCOM RPC exploit  (dcom.c)

Well, people, I guess this post, which was originally about me not being able to compile this (because I am stoooooopid :), is now about something completely different.

My opinion: released vulnerabilities are good. Why? Two reasons. One, they allow the security admins to take a look at how the vulnerability technically looks (as I did with this source) and configure their IDS and firewall systems to block dangerous net traffic. Second, released vulnerabilities create a "scare" atmosphere and that is truly what we need right now. I don't know if any of y'all saw it, but on July 26 they were talking on CNN about a 'dangerous new Windows bug that is a hacker's dream.' Hopefully the scare from the media and press will be enough to convince users to patch their systems.

However, a worm is N-E-V-E-R good and A-L-W-A-Y-S malicious. What would be the "good" intent of releasing any program that self-replicates to other vulnerable systems and wreaks havoc? Obviously none. I don't know when a worm is going to surface for this, but when it does ... and if the media and press and Microsoft do not absolutely make the users piss their pants ... the world's M$ users could all be in for a nasty little shocker. This exploit makes Nimda and Slammer look like minor threats.

Also, I think it is time to sue corporations that sell buggy/vulnerable software AND make little effort to make people aware of the problems. Microsoft is improving, actually, but in my opinion they should make security updates mandatory when connected to the net. Also, I should say that no one can sue the ASF (Apache Software Foundation) for vulnerable software because it is free! It is like getting a free doorlock from a guy on the street, applying it to your door, and suing the guy because someone broke in.

-- Justin Shin

Free Mumia Abu-Jamal!

