| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: joao at silvaneves.org (João Miguel Neves) Subject: Security Industry Under Scrutiny: Part One > * security advisories are rarely based on original concepts Agreed. > * most of them are filled with lots of crap used to build up the > reputation of > the whitehat. And sometimes enough information for me to repeat the test and check if I'm also vulnerable. > * whitehats should contact vendors and not public forums as only the > vendors can > release an update. Most do that. If you regularly read mailing-lists like bugtraq or full-disclosure you'll find almost (if not all in the last year) have a vendor status that describes how and when the vendor was contacted and what was its reaction. > * "proof of concept" toolz are used to fuel script kiddies so as to > justify the > employment of security professionals. kinda like the CIA bombing a > sky scraper to get more funding. > This is a blatant lie. There are a lot of companies that won't correct a problem in their software if there is not a "proof of concept". Personally I like proof of concept tools - they speed up my testing of my computers, my company computers and my clients' computers. They also help better undestanding the vulnerability and identify if it's a real one or simply a repetition of some old one. > things we can do to make the security industry better: > > * dont post to public forums. contact the vendor directly. make > vendors more > responsible for their products. And what to do when they ignore you ? The mechanics of "full disclosure" (or "posting to public foruns" as you put it) is that vendors will not correct software problems just because they exist, but they'll do it to protect theur image and reputation. Before "full disclosure" it wasn't strange to have a software company like Sun to take years to produce a fix for a security bug. I don't want to go back to that dark age. > * stop producing "proof of concept" code/tools, as these are more often > used to > harm, rather than to heal. > * care more about security and less about money. > That's what I'm doing, unfortunately positions like yours make my job and all of those in the security industry more difficult and more expensive, making sure that we'll have less, not more security.
Powered by blists - more mailing lists