[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] no more public exploits and general PoC gui de lines

To: <full-disclosure@xxxxxxxxxxxxxxxx>
Subject: Re: [Full-Disclosure] no more public exploits and general PoC gui de lines
From: James Riden <j.riden@xxxxxxxxxxxx>
Date: Wed, 28 Apr 2004 11:56:02 +1200

"Poof" <poof@xxxxxxxxxxxxx> writes:

> Stupid question here...
>
> So the entire point about the not releasing PoC code is so that admins don't
> have to worry about patching?

[This isn't criticism of anyone; I grabbed a copy of Johnny's exploit
for testing purposes as soon as it came out, and was glad to have it]

PoC is good in a lot of ways; but I need to test patches before they
go out too. Unfortunately this vulnerability was present on two of our
most important servers. So life is easier for me if the PoC doesn't
come out in, say, the the first week following the patch announcement
- regardless of whether there's another exploit underground, people
will get, adapt and use the PoC.

Basically, I trust the security researchers to consider the time we
need to test these patches when they're releasing PoC code. They may
know that there's already an exploit out in the blackhat community,
in which case publishing won't make any difference to someone's actual
security - as opposed to their perceived security.

> Isn't this anti-security?

A lot of us patch quickly. People who haven't patched after two to
three weeks or so probably aren't going to at all. All other things
being equal, two weeks after might be a good time to publish where the
patch affects critical services. 

Day 1 is probably too soon for comfort fo most of us. Day 60 is
probably too late to make any effective difference. I'm sure people
can work out a comfortable middle-ground for themselves.

FWIW, we saw attacks here on 25th April, 12 days after the patch was
published. I don't know that they were the only attacks, or that they
were the first ones.

> I would personally prefer my computer in the middle minefield knowing where
> the mines are rather than being in a minefield with only half the mines
> active and my not knowing where they are.

I agree. Just as long as I can access it remotely :)

cheers,
 Jamie
-- 
James Riden / j.riden@xxxxxxxxxxxx / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Follow-Ups:
- Re: [Full-Disclosure] no more public exploits and general PoC gui de lines
  - From: VeNoMouS

References:
- RE: [Full-Disclosure] no more public exploits and general PoC gui de lines
  - From: Poof

Prev by Date: Re: [Full-Disclosure] programming
Next by Date: Re: [Full-Disclosure] no more public exploits
Previous by thread: RE: [Full-Disclosure] no more public exploits and general PoC gui de lines
Next by thread: Re: [Full-Disclosure] no more public exploits and general PoC gui de lines
Index(es):
- Date
- Thread