|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Re: [Full-disclosure] Publishing exploit code - what is it good for
From: KF (lists) (kf_lists
digitalmunition.com)
Date: Thu Jun 30 2005 - 15:10:46 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Change control policy at one of my jobs put me in an identical
situation. I flat out could not patch a machine unless I could produce a
cmd.exe or /bin/sh prompt remotely.
Putting that stuff aside how about the vendors that like to try to hide
things from you? Vendors love Jedi Mind tricks..."these aren't the
droids you are looking for." If PoC is not produced you are never hip to
the things that leave your OS vulnerable. For example...
http://news.com.com/2100-1023-947325.html
-KF
Kenneth Ng wrote:
>I have had administrators refuse to patch systems until I could prove
>that I could break in using an exploit right in front of them. I've
>been told that they need to balance my theoritical risk against their
>actual outlay of resources (yet, for some reason, they bet the
>lottery).
>
>On 6/30/05, Jason Coombs <jasoncscience.org> wrote:
>
>
>>>What I need is a security administrator, CSO, IT manager or sys admin
>>>that can explain why they find public exploits are good for THEIR
>>>organizations. Maybe we can start changing public opinion with regards
>>>to full disclosure, and hopefully start with this opinion leader.
>>>
>>>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/
>
>
>
>
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]