Security Basics mailing list archives
Re: Cyber attacks "escalating" on irresponsible Tavis Ormandy disclosure
From: Jacky Jack <jacksonsmth698 () gmail com>
Date: Wed, 7 Jul 2010 12:53:22 +0630
All right. Whatever it is.

As all know, security vulnerability disclosure, as well as security tools, is a double-edged sword. Dangerous tools are out frequently. Why are they published? Will there be no responsible publishing in releasing such tools?

Why did you disclose X vulnerability in Y product? What's your intention or reason for disclosure? To let the public know? To let the vendor fix it? Or to just let the world know how good you are? Or just to release for commercial advantage? To let geeks know and protect themselves?

We'll never end up reaching consensus.

Releasing vulnerability info is better than hiding it. Releasing vulnerability info after the vendor has fixed it is BEST, reducing potential exploiters' taking advantage.

It's needless to say that to find an exploitable flaw, a great deal of research time and resources must be devoted. Simply publishing a serious flaw will definitely save time for blackhats who haven't found the flaw.

Every time a security researcher releases a flaw, he always tends to say that this flaw is being actively exploited in the wild or it's already known by attackers, which may or may not be correct. Before he released the info to the public, a few groups of blackhats might already know it. After he released it, a great number of blackhats would know it and try to code it to do mass exploitation.

As you know, most major mass worms or attacks come sharply after researchers have released the vulnerability info on mailing lists or at conferences. Blackhats already have the skills. The best time to exploit is when the public is waiting for the vendor to release a fix. Whether it's short or longer, the exploits do work.

The behavior is the same from now into the future.
Current thread:
- Cyber attacks "escalating" on irresponsible Tavis Ormandy disclosure andrew.wallace (Jul 02)
- Re: Cyber attacks "escalating" on irresponsible Tavis Ormandy disclosure Al MailingList (Jul 05)
- Re: Cyber attacks "escalating" on irresponsible Tavis Ormandy disclosure andrew.wallace (Jul 05)
- Re: Cyber attacks "escalating" on irresponsible Tavis Ormandy disclosure Al MailingList (Jul 05)
- RE: Cyber attacks "escalating" on irresponsible Tavis Ormandy disclosure Murda (Jul 06)
- Re: Cyber attacks "escalating" on irresponsible Tavis Ormandy disclosure John Morrison (Jul 06)
- Re: Cyber attacks "escalating" on irresponsible Tavis Ormandy disclosure murdamcloud (Jul 07)
- Re: Cyber attacks "escalating" on irresponsible Tavis Ormandy disclosure Jeffrey Walton (Jul 06)
- Re: Cyber attacks "escalating" on irresponsible Tavis Ormandy disclosure Jacky Jack (Jul 07)
- Re: Cyber attacks "escalating" on irresponsible Tavis Ormandy disclosure fyne_ugo (Jul 07)
- Re: Cyber attacks "escalating" on irresponsible Tavis Ormandy disclosure iamherevivek (Jul 07)
- Re: Cyber attacks "escalating" on irresponsible Tavis Ormandy disclosure Ansgar Wiechers (Jul 07)
- RE: Cyber attacks "escalating" on irresponsible Tavis Ormandy disclosure Murda (Jul 13)
- Re: Cyber attacks "escalating" on irresponsible Tavis Ormandy disclosure andrew.wallace (Jul 05)
- Re: Cyber attacks "escalating" on irresponsible Tavis Ormandy disclosure Al MailingList (Jul 05)