Open Source and information security mailing list archives
Date: Tue, 25 Jun 2013 00:44:54 -0700 (PDT)
From: terry white <twhite@...ota.com>
To: bugtraq@...ketstormsecurity.org
cc: bugtraq@...urityfocus.com
Subject: Re: Facebook Information Disclosure

... ciao:

: on "6-24-2013" "Jeffrey Walton" writ:
: On Fri, Jun 21, 2013 at 5:40 PM, Packet Storm
: <bugtraq@...ketstormsecurity.org> wrote:
: From the write-up:
 
: ]] It was clear that Facebook attacked the disclosure flaw properly, but
: ]] concerns still remain about the fact that dossiers are being built

: If you don't want your data analyzed, inspected, shared, mishandled,
: lost or stolen, then don't provide to social networking experiments,
: clouds and drop boxes in the first place.
 
   that advice is as sage, as it is misplaced.  preaching to the choir 
comes to mind.  my concern, is the congregation that has no clue as to the 
implications of the message.
 
    for example: the thought of someone running 'arbitrary code' is a 
really scary prospect to me, but to most, 'arbitrary' means, "doesn't 
matter".  i am at something of a loss in understanding 'why' the "user" 
community is less concerned than it is.  it would be partially correct to 
'blame' it for its addiction to fluff. 

however, 'pdf', 'js', et al, have a robust history as attack vector.  
'that' is not the user's fault, but it is "our" dilemma.  i have a hunch, 
any meaningful solution, is going to put the 'middlemen', between a rock 
and a hard place.  the 'i ching' warns against 'blaming someone' for what 
they do not know.  that suggests 'we' either "educate", or "protect" if 
we're serious in what we're doing ...

-- 
... it's not what you see ,
    but instead , notice ...
