Date: Mon, 20 Dec 2010 12:51:58 -0600
From: Marsh Ray <marsh@...endedsubset.com>
To: John Jester <watermonk@...out.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: adobe.com important subdomain SQL injection again!

On 12/19/2010 09:32 PM, John Jester wrote:
>
> Sandboxing the plug-in from your system fixes it I believe. It's so
> futile sandboxing it was key.

OK, so if sandboxing works, then why not just let devs build x86/x64 
code in the first place? In the same category as Native Client or ActiveX.

Maybe because sandboxing isn't going to work so well?

> And security, hell a multi-billion dollar company can't keep it from
> gobbling up 100% cpu in some instances. Huge note: over the years has
> been massive improvement in both performance and security.

I wonder how much of that is the game or app itself in a tight loop. CPU 
is, after all, there to be used.

> It's not hopeless or futile, but come on, it's like the Titanic.

Remember chapter 1 of the textbook when it said "The first rule of 
security is never try to retrofit security, _ever_!!" and underlined it 
three times?

Well see back in 1996 there were these really popular animation and 
multimedia CD-ROM authoring packages and... the rest is history.

- Marsh

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
