Free Vulnerabilities Database

[KRL]

Free Internet Security Database Goes Live

The Open Source Vulnerability Database, which got its start nearly three years ago at a pair of security conferences, currently lists over 2,000 vulnerabilities, with another 2,800 waiting to be categorized.

http://www.osvdb.org/

[KRL]

Thinking about this some more. Isn't that kind of crazy to list every security vulnerability openly like that? Hackers will have a field day getting info from that site.

[cluck]

There's nothing wrong with proof of concept.

If I was under 18 again I'd go on an owning rampage.

[bringer]

Quote:

Originally posted by KRL
Thinking about this some more. Isn't that kind of crazy to list every security vulnerability openly like that? Hackers will have a field day getting info from that site.

hackers already know about them, releasing it like that lets the peons understand whats out there and how to protect themselves.

[Myst]

Quote:

Originally posted by cluck
There's nothing wrong with proof of concept.

If I was under 18 again I'd go on an owning rampage.

dont u mean 17?

[erehwon]

Quote:

Originally posted by KRL
Thinking about this some more. Isn't that kind of crazy to list every security vulnerability openly like that? Hackers will have a field day getting info from that site.

Your head would spin if you saw all the outlets of information for all the crackers out there to compromise your security.

KRL, trust me on this one, if your admin/security goons aren't keeping your sites properly locked down, you should be more concerned about the MetaSploit Project over the OSVB.

Soon Packetstorm will be operational again and all the 0-day root-kits sitting in the PSS staff inboxes will be archived for everyone to see and play with.

[notjoe]

Quote:

Originally posted by KRL
Free Internet Security Database Goes Live

The Open Source Vulnerability Database, which got its start nearly three years ago at a pair of security conferences, currently lists over 2,000 vulnerabilities, with another 2,800 waiting to be categorized.

http://www.osvdb.org/

If there that many known vulnerabilities i'm willing to bet that another 1000 exist which this site doesnt even know about.

These "security" sites out of date when it comes to this shit. Hackers are always 2 or 3 steps ahead of these sites.

[fuzebox]

Quote:

Originally posted by KRL
Thinking about this some more. Isn't that kind of crazy to list every security vulnerability openly like that? Hackers will have a field day getting info from that site.

Security Through Obscurity has been proven not to work (notice every time a new hahahahahahas-affecting worm is released half the Internet goes down)...

The open source development model had worked well for years for securing software. All the code is on the table, all the bugs are publically discussed among thousands of developers and administrators, and holes and plugged quickly. As soon as a vulnerability is released a patch is usually released with it. The exploit code can be used to test your own systems just as it can be used to crack into other systems.

Online security databases are as much a help to administrators as they are to crackers, if not more.

[TheFrog]

thanks for the link

[fuzebox]

Quote:

Originally posted by notjoe



If there that many known vulnerabilities i'm willing to bet that another 1000 exist which this site doesnt even know about.

These "security" sites out of date when it comes to this shit. Hackers are always 2 or 3 steps ahead of these sites.

Some yes, some no... The script kiddies who cause the majority of the problems (defaced websites, stolen adult passwords, etc) can usually be easily stopped by a competent administrator who keeps on top of security bulletins.

[com]

Quote:

Originally posted by erehwon


Your head would spin if you saw all the outlets of information for all the crackers out there to compromise your security.

KRL, trust me on this one, if your admin/security goons aren't keeping your sites properly locked down, you should be more concerned about the MetaSploit Project over the OSVB.

Soon Packetstorm will be operational again and all the 0-day root-kits sitting in the PSS staff inboxes will be archived for everyone to see and play with.

Ermm one common misconception I'm seeing here is that there is that you all feel an enterpreted threat caused by this type of information being readily available to "hackers" or "crackers". As a matter of fact it's quite the oposite. We are the ones finding these vulnerabilities, writing proof of concept code, and releasing advisories with or without code is irrelevant. We have now come full circle, in the early 90s if you weren't in with the security underground, you didn't hear about vulerabilities untill you realised you were compromised, or some idiot kid got his hands on some code and wreaked havok. Then for several enjoyable years, security became a more openly spoken about side of the industry, vulnerabilities and exploit code alike were handed out freely giving security "proffessionals" the oportunity to understand and see first hand what was causing them to be vulnerable and how it affected them and their deployment. Since certain laws have been passed making anyone who distributes such source code a criminal, the truly proffessional side has been fucked proper. Once again, no one is realeasing source code, or sharing any such information with the public... so once again welcome to the early 90s. If you don't have associations with certain types of people and groups, you're out in the cold untill it becomes a public problem. ;)

[goBigtime]

Quote:

Originally posted by KRL
Thinking about this some more. Isn't that kind of crazy to list every security vulnerability openly like that? Hackers will have a field day getting info from that site.

I don't think there is much of an increased risk to getting hacked because of something like this.

It's already been done basically with bugtraq and other whitehat security lists.... all this will do (if it takes off) is consolidate everything more.

[com]

Quote:

Originally posted by goBigtime


I don't think there is much of an increased risk to getting hacked because of something like this.

It's already been done basically with bugtraq and other whitehat security lists.... all this will do (if it takes off) is consolidate everything more.

The more publicized these things are the better off everyone is. It is then up to the systems admin to do their job and keep on top of known and potential vulnerabilities. When nothing is published, you may never know you?ve been compromised and your unwanted visitor may just be watching everything you do and collecting what he/she finds intriguing. Regardless, a better informed public is far more desirable then a blind flock of sheep.