lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
From: venom at (VeNoMouS)
Subject: no more public exploits and general PoC gui de lines

look at this way, you make 0day non disclosure it goes around in a small 
circle to a bigger circle, the developers of the problem never find out 
about it till its to late.

btw james love the documentation on your website massesy security at its 
finest eh...
----- Original Message ----- 
From: "James Riden" <>
To: <>
Sent: Wednesday, April 28, 2004 11:56 AM
Subject: Re: [Full-Disclosure] no more public exploits and general PoC gui 
de lines

> "Poof" <> writes:
>> Stupid question here...
>> So the entire point about the not releasing PoC code is so that admins 
>> don't
>> have to worry about patching?
> [This isn't criticism of anyone; I grabbed a copy of Johnny's exploit
> for testing purposes as soon as it came out, and was glad to have it]
> PoC is good in a lot of ways; but I need to test patches before they
> go out too. Unfortunately this vulnerability was present on two of our
> most important servers. So life is easier for me if the PoC doesn't
> come out in, say, the the first week following the patch announcement
> - regardless of whether there's another exploit underground, people
> will get, adapt and use the PoC.
> Basically, I trust the security researchers to consider the time we
> need to test these patches when they're releasing PoC code. They may
> know that there's already an exploit out in the blackhat community,
> in which case publishing won't make any difference to someone's actual
> security - as opposed to their perceived security.
>> Isn't this anti-security?
> A lot of us patch quickly. People who haven't patched after two to
> three weeks or so probably aren't going to at all. All other things
> being equal, two weeks after might be a good time to publish where the
> patch affects critical services.
> Day 1 is probably too soon for comfort fo most of us. Day 60 is
> probably too late to make any effective difference. I'm sure people
> can work out a comfortable middle-ground for themselves.
> FWIW, we saw attacks here on 25th April, 12 days after the patch was
> published. I don't know that they were the only attacks, or that they
> were the first ones.
>> I would personally prefer my computer in the middle minefield knowing 
>> where
>> the mines are rather than being in a minefield with only half the mines
>> active and my not knowing where they are.
> I agree. Just as long as I can access it remotely :)
> cheers,
> Jamie
> -- 
> James Riden / / Systems Security Engineer
> Information Technology Services, Massey University, NZ.
> GPG public key available at:
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter:

Powered by blists - more mailing lists