I am absolutely certain that Sourcefire had the information they published in their blog post prior to making the post. Although with enough time a bunch of monkeys hacking away at keyboards could theoretically come up with the post with no information at all, I guarantee that Sourcefire is a sharp company and the poster knew exactly what he was writing before he hit “post”.

Your reassertion of my strawman argument highlights the power of the “insider view”. The time spent monitoring anything is not free from an economic perspective.

Think of things this way — if there are a thousand places where this information might be, there is a much higher likelihood that an attacker will come across it sooner if it is published in 500 places rather than if it is published in 5 places.

This is even more apparent if you agree with me that new “bad guys” are being added to the Internet population all the time.

It would be interesting to know how you leveraged the information in Sourcefire’s post personally, but also consider whether your customers, friends, and family could have done anything with it.

Jon – I am not saying the effect is huge, I am asserting that the ratio of exploitation:protection in this situation is higher than it would have been without the post, although perhaps only slightly.

“And of course Sourcefire had the info or they wouldn’t have been able to blog what they did.”

Orly?

http://twitter.com/mroesch/status/1253491039

You shouldn’t assume with such certainty, Pete.

It seems to me that some of the good guys and bad guys were near parity on acquisition costs. So, we have a case where vendors are selective to whom they distribute information, which to me is a very early 90′s mentality. Sourcefire worked hard and smart to protect their customers at least at the same level that their competitors offered. And, if you don’t think “bad guys” aren’t monitoring open source projects and their repositories for security bug fixes or detection code, then you’re being silly. As you know, the acquisition cost is basically free in this case. Seems like a good thesis paper or something…

Anywho, to restart #1 and #2 above:

1. The bad guys already have this information
2. The good guys need the information to protect themselves

Yep, sounds right to me…

I don’t intend to leave out third party detection/prevention at all. According to reports, Symantec, McAfee, Trend, etc. all had samples. And of course Sourcefire had the info or they wouldn’t have been able to blog what they did.

Good point about open source, but once again this boils down to distribution – how many places an attacker has available with the applicable information.

Your argument does not take into account detecting successful attacks against assets. Your argument seems to be towards preventative controls, such as a vendor-supplied patch. In lieu of a patch, I think an organization would like to know if an attacker was actively exploiting this vulnerability against their assets.

I’m inferring from the Sourcefire VRT blog postings that Sourcefire was not privy to the information as a “good guy”, so while many “large security companies” had access to the information, maybe not all of them. And, a vendor that provides information to an open source project will just inevitably leak the information anyway…