Open Source and information security mailing list archives
Message-ID: <108874.1235573952@turing-police.cc.vt.edu>
Date: Wed, 25 Feb 2009 09:59:12 -0500
From: Valdis.Kletnieks@...edu
To: Smoking Gun <pentesterkunt@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: [NETRAGARD SECURITY ADVISORY] [Cambium Group,
	LLC. CAMAS Content Management System -- Multiple Critical
	Vulnerabilities][NETRAGARD-20070820]

On Wed, 25 Feb 2009 09:01:26 EST, Smoking Gun said:
> Snake oil at its finest. You may recall Netragard has a pay for play
> scheme working where they never disclose any code. This works
> to anyone's advantage as a trump card when you think about it on
> a psychological warfare like scale. "We found a tumor somewhere
> in your body however, we're choosing not to tell you about how we
> found it, nor where it is."

You got that wrong in a subtle and important way.  What Kevin said:

> Proof of concept code exists but is not provided as to not increase CAMAS
> users overall risk levels.

isn't like the doctor telling you "We found a tumor in you but we won't tell
*you* what it is".  It's more like "We found a tumor, and we won't tell your
employer, because they might try to cancel your medical insurance when they
find out how much this is going to cost".

And *that* threat model (retaliation by employers/friends/society) is a
well-understood threat model, and is *why* medical records are in general
considered confidential.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
