Message-ID: <ei8cci$uvn$1@sea.gmane.org>
Date: Tue, 31 Oct 2006 20:40:49 -0000
From: "Dave \"No, not that one\" Korn" <davek_throwaway@...mail.com>
To: full-disclosure@...ts.grok.org.uk
Cc: bugtraq@...urityfocus.com
Subject: Re: unreliable vulnerability reports en-masee
	[was:Re: vulnerability in Symantec products]

Gadi Evron wrote:

> Nothing really surprises me anymore. The quality of advisories and QA
> people do seems to be dropping, especially when it comes to File
> Inclusions. The level of false positives posted in the last couple of
> weeks is staggering.
>
> Folks use Google Code Search to find vulns, and don't notice they are
> fixed 3 lines above the "bug" and that three lines below, there is
> another one.
>
> Last week, one of these File Inclusion vulns worked only if you
> disabled two security functions that work by default...
>
> Up to this day, vulnerabilities and exploits would be researched to a
> level, and released AS-IS. This is fast becoming impractical.
>
> If the S/N ratio of ADVISORIES rather than ML traffic becomes even
> lower due to unreliable submissions, our jobs will indeed become much,
> much harder.

  :)  Perhaps the antisec/bantown crew have developed a new strategy to try
and shut down FD by flooding it with useless-but-valid-seeming information?
Just as spammers have moved on from random hashbuster strings to including
chunks of real English text from news reports and books, so the antisec
posters have moved on from furry pr0n and gay lames to real-yet-wrong bug
reports.  Subtle; you'll never get even a really good Bayesian filter to
discriminate between valid and bogus bug reports!

    cheers,
      DaveK
-- 
Can't think of a witty .sigline today.... 



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/