| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu Sep 22 08:24:15 2005 From: yboily at gmail.com (Yvan Boily) Subject: Google Secure Access or "How to have people download a trojan." Actually Paul, I decided to repost to address one of the things you said. I have never ever heard of you. What's the last security advisory that YOU > have come out with? > I'm sorry, but before you can go calling someone as 1337 as Skylined an > "Ass-Clown", you need to build up some credibility for yourself. Until then, > good-day sir. > Because of people like Wevers I don't release any of the research I do to the public because when I have identified vulnerabilities in applications I review because I know that some consultant somewhere will use it as a reason to bilk a client out of piles of money. If I ever discover a serious flaw in a product that has significant market penetration, and I receive approval from my employers, you can bet it would be released to the public, but until I am convinced of the value I will not. That is the way life is for the people who choose to have a career practicing security rather than researching it; I am too busy finding and assisting with the correction of flaws within the organizations that have employed me in the past to spend time trying to punch holes in vendor xyz's products. What this really means though, is that instead of having hundreds of security researchers pounding away at applications there is just me. One single solitary person; this means that in my time with my previous employer as a security consultant (god that sucked) I would have to take on identifying and exploiting vulnerabilities by myself against completely unique applications to resolve threats. Usually I would have one project at a time, and it would last a few weeks. Now that I am employed in a reasonably sized organization [12000 employees, ~400 developers, and ~1,200,00 customers] I frequently have multiple projects on the go, and frequently find myself with an overwhelming number of threat vectors to consider to worry about. Before you go off patting people who manage to find holes in common off the shelf software on the back, or systems that have exposure of millions of users per minor version, take a moment to consider that, no, you do not know me. You have not heard of me because no application that I have reviewed to date has successfully been compromised provided the recommendations I made were followed; if they had you can bet that my former employer would have been sued for liability, and that I would be spending alot more time looking for a job than antagonizing people on Full-Disclosure. Don't bark at me about not having a long list of advisories from one of the most widely used applications on the internet. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050922/47e5d5c3/attachment.html
Powered by blists - more mailing lists