lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <33602.212.113.187.169.1036678862.squirrel@webmail.pair.com>
From: joao at silvaneves.org (João Miguel Neves)
Subject: Security Industry Under Scrutiny: Part One

> * security advisories are rarely based on original concepts

Agreed.

> * most of them are filled with lots of crap used to build up the
>   reputation of the whitehat.

And sometimes enough information for me to repeat the test and check if
I'm also vulnerable.

> * whitehats should contact vendors and not public forums as only the
>   vendors can release an update.

Most do that. If you regularly read mailing lists like bugtraq or
full-disclosure you'll find almost all (if not all in the last year) have a
vendor status that describes how and when the vendor was contacted and
what its reaction was.

> * "proof of concept" toolz are used to fuel script kiddies so as to
>   justify the employment of security professionals.  kinda like the CIA
>   bombing a sky scraper to get more funding.
>
This is a blatant lie. There are a lot of companies that won't correct a
problem in their software if there is not a "proof of concept". Personally
I like proof of concept tools - they speed up my testing of my computers,
my company's computers and my clients' computers. They also help in better
understanding the vulnerability and in identifying whether it's a real one
or simply a repetition of some old one.

> things we can do to make the security industry better:
>
> * dont post to public forums.  contact the vendor directly.  make
>   vendors more responsible for their products.

And what to do when they ignore you? The mechanics of "full disclosure"
(or "posting to public forums" as you put it) is that vendors will not
correct software problems just because they exist, but they'll do it to
protect their image and reputation. Before "full disclosure" it wasn't
strange to have a software company like Sun take years to produce a fix
for a security bug. I don't want to go back to that dark age.

> * stop producing "proof of concept" code/tools, as these are more often
>   used to harm, rather than to heal.
> * care more about security and less about money.
>
That's what I'm doing; unfortunately, positions like yours make my job and
that of everyone else in the security industry more difficult and more
expensive, making sure that we'll have less, not more, security.
