| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: venom at gen-x.co.nz (VeNoMouS) Subject: no more public exploits and general PoC gui de lines look at this way, you make 0day non disclosure it goes around in a small circle to a bigger circle, the developers of the problem never find out about it till its to late. btw james love the documentation on your website massesy security at its finest eh... ----- Original Message ----- From: "James Riden" <j.riden@...sey.ac.nz> To: <full-disclosure@...ts.netsys.com> Sent: Wednesday, April 28, 2004 11:56 AM Subject: Re: [Full-Disclosure] no more public exploits and general PoC gui de lines > "Poof" <poof@...subber.com> writes: > >> Stupid question here... >> >> So the entire point about the not releasing PoC code is so that admins >> don't >> have to worry about patching? > > [This isn't criticism of anyone; I grabbed a copy of Johnny's exploit > for testing purposes as soon as it came out, and was glad to have it] > > PoC is good in a lot of ways; but I need to test patches before they > go out too. Unfortunately this vulnerability was present on two of our > most important servers. So life is easier for me if the PoC doesn't > come out in, say, the the first week following the patch announcement > - regardless of whether there's another exploit underground, people > will get, adapt and use the PoC. > > Basically, I trust the security researchers to consider the time we > need to test these patches when they're releasing PoC code. They may > know that there's already an exploit out in the blackhat community, > in which case publishing won't make any difference to someone's actual > security - as opposed to their perceived security. > >> Isn't this anti-security? > > A lot of us patch quickly. People who haven't patched after two to > three weeks or so probably aren't going to at all. All other things > being equal, two weeks after might be a good time to publish where the > patch affects critical services. > > Day 1 is probably too soon for comfort fo most of us. Day 60 is > probably too late to make any effective difference. I'm sure people > can work out a comfortable middle-ground for themselves. > > FWIW, we saw attacks here on 25th April, 12 days after the patch was > published. I don't know that they were the only attacks, or that they > were the first ones. > >> I would personally prefer my computer in the middle minefield knowing >> where >> the mines are rather than being in a minefield with only half the mines >> active and my not knowing where they are. > > I agree. Just as long as I can access it remotely :) > > cheers, > Jamie > -- > James Riden / j.riden@...sey.ac.nz / Systems Security Engineer > Information Technology Services, Massey University, NZ. > GPG public key available at: http://www.massey.ac.nz/~jriden/ > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html >
Powered by blists - more mailing lists