| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: yabby at softhome.net (Yabby) Subject: no more public exploits > systems. Haven't all the recent worms taught people anything? > > However, Johnny I'm sorry to see that people who can't control themselves on > the Internet have forced you to stop publishing code. Can't say I blame > you, but I don't have to like it. >From what I am noticing arround me, the worms of the past (especially blaster on the windows front) have moved a lot of people to improve patching procedures and take security a lot more seriously. What I notice a lot when performing audits, for instance, is a system being nicely patched with MS03-026, but MS03-039 being absent... A substancial part of the sysadmin population (no, not the serious ones stefan ;-) shrug when their server suddenly reboots (it came back up, didn't it) and won't even notice an additional listener on their system. This last thing is not surprising, because when you keep 20 unnecessary default services running, it is not likely you will notice one more.... However, they initiate immediate action as soon as their director starts complaining that he can't use his spreadsheet because of the fact his workstation keeps rebooting... Got a question for you all. What is more harmfull: 1. exploit code that can be used to convince people that these vulnerabilities pose a realy threat. Yeah, it might evolve into a worm, but this worm will only hit the people that refuse to do what they are payed for anyway, creating awareness for the need of applying security patches at the same time. 2. no exploit code is publicly realeased, causing a lot of administrators not to take the threat seriously. Exploits are only present to parties developing them for themselfes. These parties silently use the exploits on financial instituations, that won't notice or (when finding out) are too embarrassed to make the event public. OR, private exploits are used by foreign countries or multinationals in order to gain a competitative edge... I'll go for the first one if you don't mind... Fact remains that I think that releasing exploit code two weeks after the patch has been made available is a bit quick. Responsible researchers would do everyone a favor on waiting at least a month to allow for full regression testing in testing and pre-production environments... maarten (Who knows that choosing between two wrongs doesn't make one right, but still... you have to make a choice)
Powered by blists - more mailing lists