Stupid question here... So the entire point about not releasing PoC code is so that admins don't have to worry about patching? Isn't this anti-security? I would personally prefer my computer in the middle of a minefield knowing where the mines are rather than being in a minefield with only half the mines active and my not knowing where they are.

I personally think that companies need to look at changing their outlook on patching their boxes. Yes, I know that a 3 second downtime will kill productivity, however I also know that when the kiddy (or otherwise) that breaks in to that box and rm -f /'s everything there will be more downtime.

It's just security through obscurity. It's not going to help anything. Just give people/businesses a false sense of security. Do you think that DCOM (Yes, I know it was a disaster) would have been patched half as 'fast' if it didn't have the PoC? I don't.

~

> On Tue, Apr 27, 2004 at 04:05:13PM -0400, kquest@xxxxxxxxxxxx wrote:
> > Are you saying that unless there's an exploit
> > that gives you access to the target machine
> > your company wouldn't patch
>
> It's a matter of priority.
>
> For most PHBs, proactive security must be very low priority because
> keeping systems up to date doesn't bring any money to the company.
>
> > (even if there's
> > an exploit that crashes the target)?
>
> A DoS will usually not be enough to get some press. Unless most PHBs have
> read on ZDNet and Yahoo that "a critical flaw has been found in xxx and is
> actively being exploited by black hats", they will consider patching as a
> waste of time. They may even yell at you if patching systems implies a
> small downtime, even if it's a critical patch, as long as it has not been
> covered by for-PHBs press.
>
> Best regards,
>
> --
>  __  /*-  Frank DENIS (Jedi/Sector One) <j at 42-Networks.Com>  -*\  __
> \ '/ <a href="http://www.PureFTPd.Org/"> Secure FTP Server </a> \' /
>  \/  <a href="http://www.Jedi.Claranet.Fr/"> Misc. free software </a> \/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html