lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
From: eric.lauzon at abovesecurity.com (Eric Lauzon)
Subject: Seriously IE/FAME/BASHING

Security dosent mean functionality.

You have to make a choice.

Like when you vote for an election. 

Now as with any os windows/IE will be 
secure if you cut down functionality.

If you think everyone's windows desktop should be 
secured as lets say with irony, *bsd or linux or *nix even.
(LOL as if its been so flawless and so innovative),
Do you think every one would be using computers as
it is today. 


So if your not smart enough to secure your self
to prevent problems dont assume software vendors
to take your hand and remove functionality so you 
can be secure.

Whinning about a simple bug eventho it can have 
alot of impact is not whats gonna get you protected.
What about those N other bugs in all other software
that exist.

Functionality VS SECURITY (PERIOD)

The industry of security is pushing,
software vendor are not following,
some people want to have part in the
industry only for the money and the fame,
most of them post on ML so they get attention
you see people trying to scare you with funky
client side bugs as if other client software
for other purpose are immuned ... :) its
all about trust.

I think they should lay back and try some test
senario before saying its the ultimate bug 


yet ive not seen a variation of the IE exploit
being able to exploit IE without scripting enabled

And im not taking about cross-zone where it would
go into the intranet zone and then exploit the bug
using IFRAME exploit. Because if you do that
but scripting is disabled in the INTRANET zone
you will hit a dead end also. Im only writing this
because ive seen hype and scared people arround the subject
but ive yet to see an analysis if the situation that explain
why that bug do not work when the web site IS NOT TRUSTED.


Anyone want to prove the opposite?!




-elz


ps: dont exploit my grammar :)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ