Given how much Thomas contributes to this community, it seems fair to give him the benefit of the doubt and assume he has good reasons to say no more than what he has said. Also, this comment alone probably counts for thousands of
dollars worth of value to people running business on nginx. Thanks Thomas.
As to the average hacker, yes we want to know everything, but there are valid reasons not to be told everything. In this case, the information given is useful and sufficient, and the implications of what he said and how he said it are very clear indeed.
I think everyone has given him the benefit of the doubt, but this particular thread could have been much shorter if tptacek had just explicitly stated, "It's important and I won't help attackers by elaborating on the details." If that's not made clear then it's only natural for someone to ask for the specifics.
As to the average hacker, yes we want to know everything, but there are valid reasons not to be told everything. In this case, the information given is useful and sufficient, and the implications of what he said and how he said it are very clear indeed.