Open Source and information security mailing list archives
From: venom at gen-x.co.nz (VeNoMouS)
Subject: no more public exploits and general PoC guidelines

Look at it this way: you make 0day non-disclosure, it goes around in a small
circle, then a bigger circle, and the developers of the problem never find out
about it till it's too late.

Btw James, love the documentation on your website. Massey security at its
finest, eh...
----- Original Message ----- 
From: "James Riden" <j.riden@...sey.ac.nz>
To: <full-disclosure@...ts.netsys.com>
Sent: Wednesday, April 28, 2004 11:56 AM
Subject: Re: [Full-Disclosure] no more public exploits and general PoC guidelines


> "Poof" <poof@...subber.com> writes:
>
>> Stupid question here...
>>
>> So the entire point about the not releasing PoC code is so that admins 
>> don't
>> have to worry about patching?
>
> [This isn't criticism of anyone; I grabbed a copy of Johnny's exploit
> for testing purposes as soon as it came out, and was glad to have it]
>
> PoC is good in a lot of ways; but I need to test patches before they
> go out too. Unfortunately this vulnerability was present on two of our
> most important servers. So life is easier for me if the PoC doesn't
> come out in, say, the first week following the patch announcement
> - regardless of whether there's another exploit underground, people
> will get, adapt and use the PoC.
>
> Basically, I trust the security researchers to consider the time we
> need to test these patches when they're releasing PoC code. They may
> know that there's already an exploit out in the blackhat community,
> in which case publishing won't make any difference to someone's actual
> security - as opposed to their perceived security.
>
>> Isn't this anti-security?
>
> A lot of us patch quickly. People who haven't patched after two to
> three weeks or so probably aren't going to at all. All other things
> being equal, two weeks after might be a good time to publish where the
> patch affects critical services.
>
> Day 1 is probably too soon for comfort for most of us. Day 60 is
> probably too late to make any effective difference. I'm sure people
> can work out a comfortable middle-ground for themselves.
>
> FWIW, we saw attacks here on 25th April, 12 days after the patch was
> published. I don't know that they were the only attacks, or that they
> were the first ones.
>
>> I would personally prefer my computer in the middle minefield knowing 
>> where
>> the mines are rather than being in a minefield with only half the mines
>> active and my not knowing where they are.
>
> I agree. Just as long as I can access it remotely :)
>
> cheers,
> Jamie
> -- 
> James Riden / j.riden@...sey.ac.nz / Systems Security Engineer
> Information Technology Services, Massey University, NZ.
> GPG public key available at: http://www.massey.ac.nz/~jriden/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 