lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
From: yabby at softhome.net (Yabby)
Subject: no more public exploits

> systems.  Haven't all the recent worms taught people anything?
>
> However, Johnny I'm sorry to see that people who can't control themselves
on
> the Internet have forced you to stop publishing code.  Can't say I blame
> you, but I don't have to like it.

>From what I am noticing arround me, the worms of the past (especially
blaster on the windows front) have moved a lot of people to improve patching
procedures and take security a lot more seriously. What I notice a lot when
performing audits, for instance, is a system being nicely patched with
MS03-026, but MS03-039 being absent...

A substancial part of the sysadmin population (no, not the serious ones
stefan ;-) shrug when their server suddenly reboots (it came back up, didn't
it) and won't even notice an additional listener on their system. This last
thing is not surprising, because when you keep 20 unnecessary default
services running, it is not likely you will notice one more.... However,
they initiate immediate action as soon as their director starts complaining
that he can't use his spreadsheet because of the fact his workstation keeps
rebooting...

Got a question for you all. What is more harmfull:
1. exploit code that can be used to convince people that these
vulnerabilities pose a realy threat. Yeah, it might evolve into a worm, but
this worm will only hit the people that refuse to do what they are payed for
anyway, creating awareness for the need of applying security patches at the
same time.
2. no exploit code is publicly realeased, causing a lot of administrators
not to take the threat seriously. Exploits are only present to parties
developing them for themselfes. These parties silently use the exploits on
financial instituations, that won't notice or (when finding out) are too
embarrassed to make the event public. OR, private exploits are used by
foreign countries or multinationals in order to gain a competitative edge...

I'll go for the first one if you don't mind...

Fact remains that I think that releasing exploit code two weeks after the
patch has been made available is a bit quick. Responsible researchers would
do everyone a favor on waiting at least a month to allow for full regression
testing in testing and pre-production environments...

maarten
(Who knows that choosing between two wrongs doesn't make one right, but
still... you have to make a choice)


Powered by blists - more mailing lists