Security Basics mailing list archives

Re: Cyber attacks "escalating" on irresponsible Tavis Ormandy disclosure


From: Jacky Jack <jacksonsmth698 () gmail com>
Date: Wed, 7 Jul 2010 12:53:22 +0630

All right.
Whatever it is.

As all know, security vulnerability disclosure, as well as security
tools, is a double-edged sword.


Dangerous tools are out frequently. Why published?
Will there be no responsible publishing in releasing such tools?

Why did you disclose X vulnerability in Y product?
What's your intention, the reason for disclosure?
To let the public know? To let the vendor fix it? Or to just let the world
know how good you are?
Or just to release it for commercial advantage?

To let geeks know and protect themselves?
We'll never end up reaching consensus.

Releasing vulnerability info is better than hiding it.
Releasing vulnerability info after the vendor has fixed it is BEST, reducing
potential exploiters' taking advantage.

It's needless to say that to find an exploitable flaw, a great deal of
research time and resources must be devoted.
Simply publishing a serious flaw will definitely save time for
blackhats who haven't found the flaw.
Every time a security researcher releases a flaw, he always tends to
say that this flaw is being actively exploited in the wild or is already
known by attackers, which may or may not be correct.
Before he released the info to the public, a few groups of blackhats might
already have known it.
After he released it, a great number of blackhats would know it and
try to code it to do mass exploits.

As you know, most major mass worms or attacks come sharply after
researchers have released the vulnerability info on mailing lists or at
conferences. Blackhats already have the skills. The best time to
exploit is when the public is waiting for the vendor to release a fix.
Whether it's short or longer, the exploits do work. The behavior is
the same now and will be in the future.
