| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: macmanus at hushmail.com (macmanus@...hmail.com) Subject: EEYE: Microsoft ASN.1 Library Bit String Heap Corruption -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 bothered that you were giving people a road map to the exploit. > >Here I was wondering why a security vendor would be increasing the >risk >model Increasing the "risk model" by giving people more information? Are you kidding? Are you lost? On the wrong list maybe? by releasing details which will save the "bad guys" weeks >of >research on the day of the patch release, giving the "good guys" >even >less time to regression test this patch in their environment and >> >mitigate any harmful side effects. > >Seriously, I think as a firm in the security industry that touts >> >themselves as an enterprise network protector you owe the community >an >explanation as to what value the information in these bulletins >have. If by that you mean the community owes them thanks for publishing these findings... >How many of your customers have been directly affected by worms >which >have spawned from information you have provided? Your good guys/bad guys logic is very convincing... you're right clearly it is better keep it all a secret so no one knows the problems and no one can fix them or implement work arounds until these companies finally get around to issueing patches. Nothing in this bulletin helps me mitigate >> >this vulnerability, unless I am writing my own IDS rules Wow! you are quick! With information like this you can write ids rules and firewall rules and all kinds of magic fixes. > >I am all for full-disclosure, but that doesn't have to mean immediate >> >disclosure, understanding the potential harm in what you are doing >and >adjusting your ego boosting email release cycle to match it would >do us >all some good. Do I want you to stop releasing bulletins about >> >vulnerabilities? No. Do I want you to wait to release academically >> >valuable research info which might help others either avoid creating >> >such flaws in their code or find such flaws that already exist? >Yes. You're very demanding, there Paul. Full disclosure, no. Partial disclosure when its already too late to do anything about it, yes. (Yeah that would be a great world.) Do this do that. How about you do something useful and quit whining when you end up having to do a little more work. -----BEGIN PGP SIGNATURE----- Note: This signature can be verified at https://www.hushtools.com/verify Version: Hush 2.3 wkYEARECAAYFAkAqTfIACgkQMqw+bEM+0IzoygCdHKgX7VC40za2fWmYiHtqwYruiwkA mwaP/zp/x5fR7NnKqm/SsrhXDQKk =0s4u -----END PGP SIGNATURE----- Concerned about your privacy? Follow this link to get FREE encrypted email: https://www.hushmail.com/?l=2 Free, ultra-private instant messaging with Hush Messenger https://www.hushmail.com/services.php?subloc=messenger&l=434 Promote security and make money with the Hushmail Affiliate Program: https://www.hushmail.com/about.php?subloc=affiliate&l=427
Powered by blists - more mailing lists