Message-ID: <3a166c090604271251s1da61115j7ab11847218ef2d9@mail.gmail.com>
Date: Thu Apr 27 20:51:45 2006
From: n3td3v at gmail.com (n3td3v)
Subject: Internet Explorer User Interface Races, Redeux

> Georgi Guninski wrote:
> > dear "Matthew",
> >
> > are you by any chance MCSE, MVP or something like this?

The folks I know at Yahoo and Google started being engineers when they
were like 24 and are still in the security industry at 30.
Thirty-something is the prime age for corporate security. It's the age
you're in your prime. You can't beat it. The guys I know find hundreds
of bugs a year in Google and Yahoo and don't blink an eyelid about
the most serious of vulnerabilities. They report them to Yahoo, Google
and forget. Some of them get released as patches, some don't.
Professionals don't care, they are doing a job. And these guys I know
aren't exactly whitehats, but while they're at work, they treat it as
a professional job, and whatever is found at work, stays at work. They
have a contract before they are allowed to be a security engineer,
that they need to keep it private, until the time is chosen for patch
release. And even then, they don't declare they found a particular
vulnerability, through choice. It's not being a whitehat, half the
folks I know are rogue employees, who work on separate projects out of
work, and are blackhat happy, that's the difference between a mailing
list vulnerability researcher, and a researcher who isn't interested
in fame. It's about telling the vendor, sure, you can tell a mailing
list, like most mailing list folks do, but don't expect corporate
security policy to change or be rushed because you've typed up a
convincing "Vendor Response" article at the bottom of your advisory.
There is a clear distinction between fame hungry folks and folks who
just want to tell a vendor about something, and don't care if it's
patched, and like I've said already, blackhat or whitehat doesn't come
into it, because there's folks working as security engineers on a
professional level who also work in the underground on malicious
projects, which also they never disclose in public as being related to
them.
