On Tue, 27 Apr 2004, Jedi/Sector One wrote:
On Tue, Apr 27, 2004 at 04:05:13PM -0400, [EMAIL PROTECTED] wrote:
Are you saying that unless there's an exploit
that gives you access to the target machine
your company wouldn't patch
It's a matter of priority.
For most PHBs, proactive
On Wed, 28 Apr 2004 09:35:43 EDT, Eric LeBlanc [EMAIL PROTECTED] said:
Just to tell your boss that the
worm/DoS/exploit/whatever-that-will-cause-a-severe-damage-on-machines-and-network
will cost them more than keeping their system up to date (with proof).
That would be easy enough to do,
On Wed, 28 Apr 2004 [EMAIL PROTECTED] wrote:
On Wed, 28 Apr 2004 09:35:43 EDT, Eric LeBlanc [EMAIL PROTECTED] said:
So you're left with:
1) Install the patch during the regular patching schedule, with known cost $X
and additional unknown cost $Y if the patch is bad. In addition, this
To: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] no more public exploits and general PoC gui de lines
On Tue, 27 Apr 2004, Jedi/Sector One wrote:
On Tue, Apr 27, 2004 at 04:05:13PM -0400, [EMAIL PROTECTED] wrote:
Are you saying that unless there's an exploit
that gives you access to the target
Yo Kenneth!
On Wed, 28 Apr 2004, Ng, Kenneth (US) wrote:
... the general line of thought seems to be until there is an active
exploit that is blowing away machines on my network, we will do nothing.
Same goes for the vendors. They deny there is
Having proof of concept code is always valuable
(and the sooner the better),
but I question releasing exploits that execute code
on the target machine. Having a DoS PoC is enough...
The legitimate pentesters will be able to modify the
PoC to execute code on the target while, at the same
time, the
... to say the least.
kcq
-Original Message-
From: Harlan Carvey [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 27, 2004 3:37 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] no more public exploits and general PoC gui de lines
Well, then the hole you get stuck in with that
particular situation is systems going unpatched, b/c
there is no exploit for the vulnerability.
A company I used to work for was that way. Regardless
of what security strongly recommended, patches weren't
being installed in a timely manner...largely
On Tue, Apr 27, 2004 at 04:05:13PM -0400, [EMAIL PROTECTED] wrote:
Are you saying that unless there's an exploit
that gives you access to the target machine
your company wouldn't patch
It's a matter of priority.
For most PHBs, proactive security must be very low priority because
keeping
Stupid question here...
So the entire point about the not releasing PoC code is so that admins don't
have to worry about patching?
Isn't this anti-security?
I would personally prefer my computer in the middle of a minefield knowing where
the mines are rather than being in a minefield with only half
Poof [EMAIL PROTECTED] writes:
Stupid question here...
So the entire point about the not releasing PoC code is so that admins don't
have to worry about patching?
[This isn't criticism of anyone; I grabbed a copy of Johnny's exploit
for testing purposes as soon as it came out, and was glad to
From: James Riden [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, April 28, 2004 11:56 AM
Subject: Re: [Full-Disclosure] no more public exploits and general PoC gui de lines
Poof [EMAIL PROTECTED] writes:
Stupid question here...
So the entire point about the not releasing PoC code is so