• CHEF-KOCH
    3 years ago

    We already have systems to notify users.

    • Most IT professionals are aware that Kerberos, SMB and co. are a hole for issues; it is nothing new to them.
    • We have social media, Reddit or your linked HN website. What makes you think people are faster at submitting new stuff to GitHub? Well, there is no difference: if you post it on Twitter, GitHub or whatever, people need to find it first.
    • We already have CVE databases you can look up, and have been able to for years.
    • On huge events, even TV news will do.
    • People exploit the moment the ghost is out of the bottle; it is all about prevention as well as management. News alone is not enough.
    • Notifying users about each new attack and leak will result in people caring less, because they feel helpless and think … oh okay, just another daily attack.
    • Log4j was over-hyped, like most things; most software that normal people use, like browsers, was never affected. Using a hyped problem as an example of how slow something is, is seriously no real argument, because IT professionals need time to review the findings before coming to conclusions.
    • High-reputation software such as Thunderbird is less likely to be affected, because they patch things first; they have a huge user base. You see this in every changelog when they fix security issues.
    • Saying that SMS or whatever is maybe expensive is weird; if you target professionals, no professional will register via SMS, or in other words with his phone number. The typical use case is RSS, which is cheap.
    • There are 0-days sold on the black market that are being used for months; you never hear of them and they have a much bigger impact, usually because the people who code them keep their source closed, or even if they sell them, people have no interest in paying a lot of money and then leaking it for free to the public. In most scenarios (there are white-hats of course) they abuse it. The argument that something is unprofessional just because it is out for hours does not hold. Google, MS etc. have disclosure times of between 60 and 90 DAYS before they do something.

    I like that you try to do something, but it would be better to join existing solutions instead of creating another service that might vanish into the void like half of the rest who tried. GitHub is also pretty unchill regarding malware: if you post something that can be directly used to exploit GitHub or others, they will close your repo without any warning in advance.

    If your target is admins, then consider making this more clear; otherwise people will use this information and use it to exploit others.

    Bugalert does not look so hot