Dailydave mailing list archives

Previous By Date Next
Previous By Thread Next

Re: The Week of Oracle Database Bugs

From: dan () geer org
Date: Tue, 21 Nov 2006 18:50:42 -0500

Joel Eriksson writes:
 | 
 | Vulnerabilities are often known and (ab)used long before they
 | are publicly known. It's the existence of a security bug that
 | is the real danger, not whether the bug is known by the public
 | at large, by a small group or by noone (so far). Actually, the
 | bug can do far more damage during the time it's known only by
 | a few.
 | 

I will assume, then, that you agree the conservative
position for the researcher to take is that any vuln
s/he discovers is always a re-discovery, that no one
here ever discovers anything truly new?

If so, would you have any good ideas on how to confirm
this fact?  Is the HoneyMonkey web crawling the best
we have or could have?  Is there some kind of, shall
we say, blotter paper that we could use to record take
overs of random sorts that are otherwise unexplained
until such time as some research later re-discovers the
vuln that was used?  In criminal cases, one stores DNA
in the hopes of someday finding a match.  Is there any
analog in our world here to that meme?

--dan

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
Previous By Date Next
Previous By Thread Next

Current thread: