lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20040427193714.22129.qmail@web41610.mail.yahoo.com>
From: keydet89 at yahoo.com (Harlan Carvey)
Subject: no more public exploits and general PoC gui de lines

Well, then the hole you get stuck in with that
particular situation is systems going unpatched, b/c
there is no exploit for the vulnerability.

A company I used to work for was that way.  Regardless
of what security strongly recommended, patches weren't
being installed in a timely manner...largely b/c there
were no reports of actual exploit code being released.
 However, a customer insisted that the patches be
installed ASAP...the logic used by the sysadmins
didn't jive.

> Having proof of concept code is always valuable 
> (and the sooner the better),
> but I question releasing exploits that execute code
> on the target machine. Having a DoS PoC is enough...
> The legitimate pentesters will be able to modify the
> PoC to execute code on the target while, at the same
> time, the "kiddies" will be stuck with something of 
> little or no use to them. This way everybody is
> happy.
> Some of you might say that some "kiddies" will be
> able
> to modify the DoS PoC to execute code for their
> malicious
> needs. Well, if this is the case, then we are no
> longer
> dealing with "kiddies"... If they can do this then
> they
> are capable of creating their own exploits... 


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ