Full Disclosure mailing list archives

RE: RE : [Secure Network Operations, Inc.] FullDisclosure != Exploit Release


From: "Geo" <geoincidents () getinfo org>
Date: Wed, 29 Jan 2003 16:10:01 -0500

- Customers can test for themselves whether a patch works or was applied
correctly.

I think this is a very important point. Customers need to be able to test to
see if applying a second, later patch has made them vulnerable to an earlier
patched exploit. An example with this worm was where a later patch once
again left you vulnerable. How are we to know if we don't have something to
test with? We obviously can't trust the vendors, and with the range of
different configurations of machines I'm not even sure that's a reasonable
requirement of a vendor to test every possible combination.

We have beta testers for software, how can we put patch code through the same
sort of tests if we have nothing to test with to see if it's actually
patched the systems we run?

We may not need code to exploit, but what about code to prove we are
patched?

Geo.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
