Open Source and information security mailing list archives
From: l8km7gr02 at sneakemail.com (l8km7gr02@...akemail.com)
Subject: The role of explicit advisories (was: MS03-039 has been released - critical)

> Marc Maiffret:
>
> Just to cut off any stupid debate, that I promise anyone stepping to will
> lose... ;-) Giving details of where a flaw is does not make exploits/worms
> happen any more often. The "bad guys" do not need details in order to write
> exploits and worms. That is apparent when you look at the first RPC flaw and
> how NO details were released yet an exploit and worm were. However, with
> details, we can all audit our networks for the flaws, to know systems we
> need to fix, and set up IDS/IPS systems to monitor for attackers, whereas we
> couldn't without details. Also, we can check to make sure vendors did not
> (yet again) screw up and release a patch that does not truly fix a system.

Hi Marc,

You and your ilk obviously have to field accusations like the above
frequently, but repetition doesn't necessarily make something true.

Yes, even without cookbooks, master chefs can and do create extravagant
desserts -- but the rest of us novice bachelors just sort of stumble
around making a mess.

Would you say that the majority of viruses/worms are written by masters
or novices?

*Of course* explicit advisories help in the creation of exploits.  To
claim otherwise flies in the face of reality.  Aren't well-documented
libraries infinitely more usable than obscure, undocumented code?
The caveat is, as you mention, explicit advisories also help admins
audit our own networks *and* light a fire under the vendors to get a fix
out immediately.

I'd wager just about everyone on this list would agree that the benefits
of detailed advisories greatly outweigh the costs -- but it's a bit
naive to suggest that there /are no costs/.  Take another look at eEye's
AD20030910 advisory and reconsider from the perspective of a young
black-hat.

That said, both Full-Disclosure and eEye are infinitely valuable
resources for the good guys.  Keep up the great work.

take care,

Cael
