| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 17 Oct 2013 22:28:26 -0700 From: coderman <coderman@...il.com> To: "paul.szabo@...ney.edu.au" <paul.szabo@...ney.edu.au> Cc: cpunks <cypherpunks@...nks.org>, Full Disclosure <full-disclosure@...ts.grok.org.uk> Subject: Foreign Intelligence Resistant systems [was Re: reasonable return on investment; better investments in security [....]] i must amend this prior advice. in addition to legal protections, educational support, and competitive programs, also provide: - direct and unrestricted backbone access to various individuals or groups who demonstrate competence in either the educational or competitive realms, in order for them to mount additional attack strategies against any reach-able target. this access must consist of both passive taps of backbone traffic as well as injection taps for raw packet transmission at core rates. this should be available on the Internet backbone at internet exchanges, private fiber through public right of way, and core networks of operators of licensed wireless spectrum. a side benefit of implementing these reforms would be the de-facto de-funding of offensive network operations by third parties or governments. the cost to keep ahead of such a widespread, popular, and distributed effort would be enormous, and provide continually decreasing returns. ... getting there is much more complicated of course. *grin* --- On Sun, Apr 21, 2013 at 1:29 PM, coderman <coderman@...il.com> wrote: > On Fri, Apr 19, 2013 at 1:26 PM, <paul.szabo@...ney.edu.au> wrote: >> ... >> > 2012-02-15 - Vulnerability Discovered by VUPEN >> > 2013-03-06 - Vulnerability Exploited At Pwn2Own 2013 and Reported to Adobe... >> >> Is a delay of a year before reporting to the vendor, acceptable? > > > three years or more is better of course! i would not be disappointed > with a dozen months, however. > alas external factors (especially when licenses are non-exclusive) > complicate longevity of weaponized exploits... > > > if you really want to improve security: > a) remove all criminal and civil liability for "hacking", computer > trespass, and all related activities performed over data networks; > establish proactive "shield" legislation to protect and encourage > unrestricted security research of any subject on any network. extend > to international agreements for blanket protection in all > jurisdictions. > b) establish lock picking, computing, and hacking curriculum in pre > school through grade school with subsidized access to technical > resources including mobile, tablet, laptop test equipment, grid/cloud > computing on-demand, software defined radios with full > receive/transmit, and gigabit internet service or faster. > c) organize a program of blue and red teaming challenges for > educational and public participation at the district, regional, and > national level cultivating expertise and rewarding it with hacking > toys, access, and monies. > > if implemented, i can guarantee a significant and measurable > improvement in the security posture of the systems that remain in > such an environment. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists