lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
From: j.riden at (James Riden)
Subject: no more public exploits and general PoC gui
 de lines

"Poof" <> writes:

> Stupid question here...
> So the entire point about the not releasing PoC code is so that admins don't
> have to worry about patching?

[This isn't criticism of anyone; I grabbed a copy of Johnny's exploit
for testing purposes as soon as it came out, and was glad to have it]

PoC is good in a lot of ways; but I need to test patches before they
go out too. Unfortunately this vulnerability was present on two of our
most important servers. So life is easier for me if the PoC doesn't
come out in, say, the the first week following the patch announcement
- regardless of whether there's another exploit underground, people
will get, adapt and use the PoC.

Basically, I trust the security researchers to consider the time we
need to test these patches when they're releasing PoC code. They may
know that there's already an exploit out in the blackhat community,
in which case publishing won't make any difference to someone's actual
security - as opposed to their perceived security.

> Isn't this anti-security?

A lot of us patch quickly. People who haven't patched after two to
three weeks or so probably aren't going to at all. All other things
being equal, two weeks after might be a good time to publish where the
patch affects critical services. 

Day 1 is probably too soon for comfort fo most of us. Day 60 is
probably too late to make any effective difference. I'm sure people
can work out a comfortable middle-ground for themselves.

FWIW, we saw attacks here on 25th April, 12 days after the patch was
published. I don't know that they were the only attacks, or that they
were the first ones.

> I would personally prefer my computer in the middle minefield knowing where
> the mines are rather than being in a minefield with only half the mines
> active and my not knowing where they are.

I agree. Just as long as I can access it remotely :)

James Riden / / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at:

Powered by blists - more mailing lists