lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <200405152307.14972.james.bliss@comcast.net>
From: james.bliss at comcast.net (James Bliss)
Subject: Support the Sasser-author fund started

> Imagine you own a home and installed a security system on all the doors
> and windows.  You set the alarm and leave for a weekend.

OK

> A thief comes up to your house, breaks a window, and slides through the
> opening.  The alarm does not go off because the thief found a
> vulnerability in the security system.
>
> Do you blame the security company that installed your intrusion
> detection system?

Yes, and then I sue the security company for failure to provide what was 
paid for.  I believe this would be a warranty provision which the security 
company breached.

> Plus, most of the software is released to the public in the form of
> Betas or Release Candidates months ahead of the release date.  If
> identifying security holes was that easy then why aren't there more
> vulnerabilities reported before the 'gold' release of products.

The primary purpose for this realease is to allow a specific group of 
developers and software companies the opportunity to prepare for the new 
release.  It is not specifically released for security testing although I 
am certain that this is performed to a limited extent (although it would 
be more fruitful if they paid for security audits rather than assume they 
are performed gratuitously)

> I do expect that any computer user should have fundamental security
> training before using it.  After all, the computer is a tool.  Nobody
> should operate a microwave or chainsaw without reading the safety
> instructions.  The same care should be taken for computers.

Therefore we should license computer users and require tests before they 
are allowed to buy and/or use a computer?  Something along the lines of a 
drivers license?  Also, have you seen some of the absurd warning in the 
operating manuals - 'Do not touch the chain saw blade while in motion'.  
Perhaps all computers sould have a warning - 'Do not use if you are an 
idiot'.  But then most internet commerce would cease...

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ