Date: Tue, 10 Jul 2012 17:15:37 -0400
From: Григорий Братислава <musntlive@...il.com>
To: "Gary E. Miller" <gem@...lim.com>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: How much time is appropriate for fixing

On Tue, Jul 10, 2012 at 4:37 PM, Gary E. Miller <gem@...lim.com> wrote:
> Yo Thor!
>
> On Tue, 10 Jul 2012 19:58:16 +0000
> "Thor (Hammer of God)" <thor@...merofgod.com> wrote:
>
>> People do not disclose their research to make
>> the world a better place.  They do it for recognition or for money.
>
> I would argue there is a 3rd reason.  Self defense.  I and others have
> had issues of our servers being attacked by unknown evil doers.  To keep
> our servers running we need to reverse engineer the hack and get the
> bug fixed or the attack vector blocked.  Until '* Disclosure' in its many
> aspects was common it was virtually impossible to get vendors to fix
> open holes being actively used by attackers.  The public shaming of
> '* Disclosure' large companies found denial a very easy and cheap
> response to bugs that were killing us.
>

Poor argument. If you is smart enough to is reverse engineer the
threat, why can't you forward engineer a fix and post it publicly so
that is others don't get hacked.

E.g. (using my Bejtlich is accent: "We are being attacked from China
obviously. This is how they are attacking, this is what they are
affecting, this is what we did to get it fixed. Patch yourself before
is evil Chinese attack you too! Otherwise, wait for vendor to post
next patch Tuesday fixes and in is meantime, allow them to roam along
your network like is Travelocity Gnome")

Public shaming of not only is vendor of shoddy software, but is
attacker, is key no one is think about.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
