Open Source and information security mailing list archives
 
Message-ID: <200404272245.i3RMjU911429@netsys.com>
From: poof at fansubber.com (Poof)
Subject: no more public exploits and general PoC guidelines

Stupid question here...

So the entire point of not releasing PoC code is so that admins don't
have to worry about patching?

Isn't this anti-security?

I would personally prefer my computer in the middle of a minefield knowing where
the mines are rather than being in a minefield with only half the mines
active and not knowing where they are.

I personally think that companies need to look at changing their outlook on
patching their boxes. Yes, I know that a 3-second downtime will kill
productivity; however, I also know that when the kiddy (or otherwise) that
breaks into that box rm -f /'s everything, there will be more downtime.

It's just security through obscurity. It's not going to help anything. It just
gives people/businesses a false sense of security. Do you think that
DCOM (yes, I know it was a disaster) would have been patched half as 'fast'
if it didn't have the PoC? I don't.

~

> 
> On Tue, Apr 27, 2004 at 04:05:13PM -0400, kquest@...layer.com wrote:
> > Are you saying that unless there's an exploit
> > that gives you access to the target machine
> > your company wouldn't patch
> 
>   It's a matter of priority.
> 
>   For most PHBs, proactive security must be very low priority because
> keeping systems up to date doesn't bring any money to the company.
> 
> > (even if there's
> > an exploit that crashes the target)?
> 
>   A DoS will usually not be enough to get some press. Unless most PHBs have
> read on ZDNet and Yahoo that "a critical flaw has been found in xxx and is
> actively being exploited by black hats", they will consider patching as a
> waste of time. They may even yell at you if patching systems implies a
> small downtime, even if it's a critical patch, as long as it has not been
> covered by for-PHBs press.
> 
>   Best regards,
> 
> --
>  __  /*-    Frank DENIS (Jedi/Sector One) <j at 42-Networks.Com>    -*\ __
>  \ '/    <a href="http://www.PureFTPd.Org/"> Secure FTP Server </a>    \' /
>   \/  <a href="http://www.Jedi.Claranet.Fr/"> Misc. free software </a>  \/
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 2813 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040427/cf3b5385/smime.bin
