| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 19 Dec 2008 20:23:57 +0000 From: n3td3v <xploitable@...il.com> To: "Bipin Gautam" <bipin.gautam@...il.com>, full-disclosure@...ts.grok.org.uk Cc: n3td3v <n3td3v@...glegroups.com> Subject: Re: Microsoft issues out-of-band patch On Fri, Dec 19, 2008 at 3:36 PM, Bipin Gautam <bipin.gautam@...il.com> wrote: > stop putting so much of attention to 0-day and possible use of it by > government to get into a terrorist pc. > > if breaking into someones pc was a matter of national security > importance 0-day may provide a easy leverage but you really dont need > a 0-day to get into someones pc, neither you'd need a already > existing/known backdoor, neither you'd need to bruteforce into the > advisory or a physical access to it. > > all they need to do is poison a unsigned executable/plugin/update with > a backdoor instead, that is being downloaded to the advisory computer > over an unencrypted connection if you can control the network gateway > or have isp level access. such attacks "could" work regardless of the > OS or patch level. > You're giving the bad guys clues on what to avoid or will the bad guys be aware of all the possible attack vectors the government might be using already? _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists