btw James, love the documentation on your website. Massey security at its finest, eh...
----- Original Message ----- From: "James Riden" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, April 28, 2004 11:56 AM
Subject: Re: [Full-Disclosure] no more public exploits and general PoC guidelines
"Poof" <[EMAIL PROTECTED]> writes:
> Stupid question here...
> So the entire point about not releasing PoC code is so that admins don't have to worry about patching?
[This isn't criticism of anyone; I grabbed a copy of Johnny's exploit for testing purposes as soon as it came out, and was glad to have it]
PoC is good in a lot of ways; but I need to test patches before they go out too. Unfortunately this vulnerability was present on two of our most important servers. So life is easier for me if the PoC doesn't come out in, say, the first week following the patch announcement - regardless of whether there's another exploit underground, people will get, adapt and use the PoC.
Basically, I trust the security researchers to consider the time we need to test these patches when they're releasing PoC code. They may know that there's already an exploit out in the blackhat community, in which case publishing won't make any difference to someone's actual security - as opposed to their perceived security.
> Isn't this anti-security?
A lot of us patch quickly. People who haven't patched after two to three weeks or so probably aren't going to at all. All other things being equal, two weeks after might be a good time to publish where the patch affects critical services.
Day 1 is probably too soon for comfort for most of us. Day 60 is probably too late to make any effective difference. I'm sure people can work out a comfortable middle-ground for themselves.
FWIW, we saw attacks here on 25th April, 12 days after the patch was published. I don't know that they were the only attacks, or that they were the first ones.
> I would personally prefer my computer in the middle of a minefield knowing where the mines are, rather than being in a minefield with only half the mines active and not knowing where they are.
I agree. Just as long as I can access it remotely :)
cheers, Jamie -- James Riden / [EMAIL PROTECTED] / Systems Security Engineer Information Technology Services, Massey University, NZ. GPG public key available at: http://www.massey.ac.nz/~jriden/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html