lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
From: kquest at toplayer.com (kquest@...layer.com)
Subject: no more public exploits and general PoC gui
	 de lines

Are you saying that unless there's an exploit
that gives you access to the target machine
your company wouldn't patch (even if there's
an exploit that crashes the target)? 

I don't know what company that was, but I'm
glad I'm not working for them... Ignoring DoS
exploits is irresponsible... to say the least.

kcq

-----Original Message-----
From: Harlan Carvey [mailto:keydet89@...oo.com]
Sent: Tuesday, April 27, 2004 3:37 PM
To: full-disclosure@...ts.netsys.com
Cc: kquest@...layer.com; johncybpk@....net
Subject: RE: [Full-Disclosure] no more public exploits and general PoC
gui de lines


Well, then the hole you get stuck in with that
particular situation is systems going unpatched, b/c
there is no exploit for the vulnerability.

A company I used to work for was that way.  Regardless
of what security strongly recommended, patches weren't
being installed in a timely manner...largely b/c there
were no reports of actual exploit code being released.
 However, a customer insisted that the patches be
installed ASAP...the logic used by the sysadmins
didn't jive.

> Having proof of concept code is always valuable 
> (and the sooner the better),
> but I question releasing exploits that execute code
> on the target machine. Having a DoS PoC is enough...
> The legitimate pentesters will be able to modify the
> PoC to execute code on the target while, at the same
> time, the "kiddies" will be stuck with something of 
> little or no use to them. This way everybody is
> happy.
> Some of you might say that some "kiddies" will be
> able
> to modify the DoS PoC to execute code for their
> malicious
> needs. Well, if this is the case, then we are no
> longer
> dealing with "kiddies"... If they can do this then
> they
> are capable of creating their own exploits... 


Powered by blists - more mailing lists