We clearly disagree on this.
Providing PoCs helps defenders more than attackers. Defenders often use PoCs to build detections and develop new solutions to mitigate not just the bug but also exploit techniques.
Replying to @Fox0x01 @maddiestone
Ok, but even without public PoC code attackers can simply bindiff beta releases or take crash PoCs from public source code repos (see https://googleprojectzero.blogspot.com/2019/08/jsc-exploits.html) and possibly develop an exploit before the patch even ships to users...
There's a fundamental difference between busy work and forcing new original research. If this is your position, how do you rationalize exploitation training? I think exploitation training is valuable, but it seems incompatible with the idea that public research is harmful, no?
Wouldn't it be harder if bad guys didn't have easy access to exploitation training? Surely some NSO engineers have taken your course. I don't understand why some speed bumps are good and some are bad.
I think exploitation training is so valuable that it's worth the risk that a bad guy learns how to write exploits from you, and public exploits are so valuable that it's worth the risk that a bad guy spends a few hours less in bindiff.
I saw Azeria deactivated/deleted her Twitter account. I don't know what exactly she said. I'm more inclined to your side on this discussion. But I don't think she deserved all the criticism she received from many people. I think she is a great security researcher and teacher.
Sorry to hear that; we chatted over DM and we're on good terms. I absolutely respect and appreciate her work.