Message-ID: <21881.1217962645@turing-police.cc.vt.edu>
Date: Tue, 05 Aug 2008 14:57:25 -0400
From: Valdis.Kletnieks@...edu
To: n3td3v <xploitable@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Media backlash begins against HD Moore and I)ruid

On Tue, 05 Aug 2008 18:40:32 BST, n3td3v said:

> Are you suggesting HD Moore had prior knowledge that the Austin Texas
> AT&T servers were vulnerable?

No - simply saying that either they were vulnerable, or they weren't.  If
they weren't vulnerable, HD didn't have to do anything.  And even if they
*were*, somebody would still have to actually *attack* them.

And even if they *got* attacked, it's quite possible that the upsides of not
bothering to do something outweighed the risks.  If you estimate that the
cost (including "things you could have spent your time doing") is more than
the losses, why bother?  "Even if we *got* whacked, we'd lose maybe $500. But
in the time I'd waste dealing with the issue, I could generate something that
will get us $2,000 in revenue.  So if I fix it, I lose $1,500, and if I ignore
it, I come out $1,500 ahead if we get hit, and $2,000 if we don't".
