Full Disclosure mailing list archives
Re: no more public exploits and general PoC gui de lines
From: "VeNoMouS" <venom () gen-x co nz>
Date: Wed, 28 Apr 2004 14:09:29 +1200
look at this way, you make 0day non disclosure it goes around in a small circle to a bigger circle, the developers of the problem never find out about it till its to late.
btw james love the documentation on your website massesy security at its finest eh... ----- Original Message ----- From: "James Riden" <j.riden () massey ac nz>
To: <full-disclosure () lists netsys com> Sent: Wednesday, April 28, 2004 11:56 AMSubject: Re: [Full-disclosure] no more public exploits and general PoC gui de lines
"Poof" <poof () fansubber com> writes:Stupid question here...So the entire point about the not releasing PoC code is so that admins don'thave to worry about patching?[This isn't criticism of anyone; I grabbed a copy of Johnny's exploit for testing purposes as soon as it came out, and was glad to have it] PoC is good in a lot of ways; but I need to test patches before they go out too. Unfortunately this vulnerability was present on two of our most important servers. So life is easier for me if the PoC doesn't come out in, say, the the first week following the patch announcement - regardless of whether there's another exploit underground, people will get, adapt and use the PoC. Basically, I trust the security researchers to consider the time we need to test these patches when they're releasing PoC code. They may know that there's already an exploit out in the blackhat community, in which case publishing won't make any difference to someone's actual security - as opposed to their perceived security.Isn't this anti-security?A lot of us patch quickly. People who haven't patched after two to three weeks or so probably aren't going to at all. All other things being equal, two weeks after might be a good time to publish where the patch affects critical services. Day 1 is probably too soon for comfort fo most of us. Day 60 is probably too late to make any effective difference. I'm sure people can work out a comfortable middle-ground for themselves. FWIW, we saw attacks here on 25th April, 12 days after the patch was published. I don't know that they were the only attacks, or that they were the first ones.I would personally prefer my computer in the middle minefield knowing wherethe mines are rather than being in a minefield with only half the mines active and my not knowing where they are.I agree. Just as long as I can access it remotely :) cheers, Jamie -- James Riden / j.riden () massey ac nz / Systems Security Engineer Information Technology Services, Massey University, NZ. GPG public key available at: http://www.massey.ac.nz/~jriden/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- RE: no more public exploits and general PoC gui de lines kquest (Apr 27)
- Re: no more public exploits and general PoC gui de lines Jedi/Sector One (Apr 27)
- RE: no more public exploits and general PoC gui de lines Poof (Apr 27)
- Re: no more public exploits and general PoC gui de lines James Riden (Apr 27)
- Re: no more public exploits and general PoC gui de lines VeNoMouS (Apr 27)
- RE: no more public exploits and general PoC gui de lines Poof (Apr 27)
- Re: no more public exploits and general PoC gui de lines Eric LeBlanc (Apr 28)
- Re: no more public exploits and general PoC gui de lines Valdis . Kletnieks (Apr 28)
- Re: no more public exploits and general PoC gui de lines Eric LeBlanc (Apr 28)
- Re: no more public exploits and general PoC gui de lines Jedi/Sector One (Apr 27)