Message-ID: <1f199161050922002413037d30@mail.gmail.com>
Date: Thu Sep 22 08:24:15 2005
From: yboily at gmail.com (Yvan Boily)
Subject: Google Secure Access or "How to have people download a trojan."

Actually Paul, I decided to repost to address one of the things you said.

> I have never ever heard of you. What's the last security advisory that YOU
> have come out with?
>
> I'm sorry, but before you can go calling someone as 1337 as Skylined an
> "Ass-Clown", you need to build up some credibility for yourself. Until then,
> good-day sir.
>
Because of people like Wevers I don't release any of the research I do to
the public: when I have identified vulnerabilities in applications I
review, I know that some consultant somewhere will use it as a reason
to bilk a client out of piles of money.

If I ever discover a serious flaw in a product that has significant market
penetration, and I receive approval from my employers, you can bet it would
be released to the public, but until I am convinced of the value I will not.
That is the way life is for the people who choose to have a career
practicing security rather than researching it; I am too busy finding and
assisting with the correction of flaws within the organizations that have
employed me in the past to spend time trying to punch holes in vendor xyz's
products.

What this really means though, is that instead of having hundreds of
security researchers pounding away at applications there is just me. One
single solitary person; this means that in my time with my previous employer
as a security consultant (god that sucked) I would have to take on
identifying and exploiting vulnerabilities by myself against completely
unique applications to resolve threats. Usually I would have one project at
a time, and it would last a few weeks. Now that I am employed in a
reasonably sized organization [12000 employees, ~400 developers, and
~1,200,00 customers] I frequently have multiple projects on the go, and
frequently find myself with an overwhelming number of threat vectors to
consider and worry about.

Before you go off patting people on the back who manage to find holes in
common off-the-shelf software, or in systems that expose millions of
users per minor version, take a moment to consider that, no, you do not know
me. You have not heard of me because no application that I have reviewed to
date has successfully been compromised provided the recommendations I made
were followed; if they had, you can bet that my former employer would have
been sued for liability, and that I would be spending a lot more time looking
for a job than antagonizing people on Full-Disclosure. Don't bark at me
about not having a long list of advisories from one of the most widely used
applications on the internet.