[Dailydave] Exploits matter.
security curmudgeon
jericho at attrition.org
Wed Oct 7 14:39:49 EDT 2009
On Wed, 7 Oct 2009, dave wrote:
: This raises an interesting question. What is a "public" exploit? Buying
: CANVAS costs less than four thousand dollars and is (thankfully :>) a
: reasonably common thing for companies to have. If a working, 100%
: reliable exploit is in the hands of the ten thousand people who care,
: shouldn't that be considered "public"?
:
: It just seems weird to me that all the news articles on SMBv2 focus so
: much on whether or not you can download a working version of the exploit
: over the Internet, when all the people who could actually do anything
: with it already had it.
Ten thousand or not, I cannot download the exploit from Immunity's web
site, milw0rm or anywhere else, correct? To me, and to OSVDB who tracks
that metric, that is flagged as 'rumored/private'.
Can our industry really put a numeric line on public vs private in the
scenario you describe? Do 9,999 CANVAS customers = private, but 10,000
CANVAS customers = public?
.b