lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <Pine.LNX.4.64.1306250007400.11145@yossarian>
Date: Tue, 25 Jun 2013 00:44:54 -0700 (PDT)
From: terry white <twhite@...ota.com>
To: bugtraq@...ketstormsecurity.org
cc: bugtraq@...urityfocus.com
Subject: Re: Facebook Information Disclosure

... ciao:

: on "6-24-2013" "Jeffrey Walton" writ:
: On Fri, Jun 21, 2013 at 5:40 PM, Packet Storm
: <bugtraq@...ketstormsecurity.org> wrote:
: >From the write-up:
 
: ]] It was clear that Facebook attacked the disclosure flaw properly, but
: ]] concerns still remain about the fact that dossiers are being built

: If you don't want your data analyzed, inspected, shared, mishandled,
: lost or stolen, then don't provide to social networking experiments,
: clouds and drop boxes in the first place.
 
   that advice is as sage, as it is misplaced.  preaching to the choir 
comes to mind.  my concern, is the congregation that has no clue as to the 
implications of the message.
 
    for example: the thought of someone running 'arbitrary code' is a 
really scary prospect to me, but to most, 'arbitrary' means, "doesn't 
matter".  i am at something of a loss in understanding 'why' the "user" 
community less concerned than it is.  it would be partially correct to 
'blame' it for its addiction to fluff. 

however, 'pdf', 'js', et al, have a robust history as attack vector.  
'that' is not the user's fault, but it is "our" dilemma.  i have a hunch, 
any meaningful solution, is going to put the 'middlemen', between a rock 
and a hard place.  the 'i ching' warns against 'blaming someone' for what 
they do not know.  that suggests 'we' either "educate", or "protect" if 
we're serious in what we'er doing ...

-- 
... it's not what you see ,
    but in stead , notice ...

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ