Message-ID: <AANLkTim1Hzy5ue5=KD+yuWNns5RDZ49+s1oXwg2=8sbw@mail.gmail.com>
Date: Tue, 22 Feb 2011 16:35:31 -0800
From: Chris Evans <scarybeasts@...il.com>
To: Michal Zalewski <lcamtuf@...edump.cx>
Cc: full-disclosure@...ts.grok.org.uk, Charles Morris <cmorris@...odu.edu>
Subject: Re: What the f*** is going on?

On Tue, Feb 22, 2011 at 2:42 PM, Michal Zalewski <lcamtuf@...edump.cx> wrote:

> > Also, I would say that even though randomly prodding exec arguments
> > with As isn't so elite, the space of "the non-web" is much more deep
> > and much more complex than the space of "the web"..
>
> I think that sentiment made sense 8-10 years ago, but today, it's
> increasingly difficult to defend. I mean, we are at a point where
> casual users can do without any "real" applications, beyond just
> having a browser. And in terms of complexity, the browser itself is
> approaching the kernel, and is growing more rapidly.
>
> Yes, web app vulnerabilities are easier to discover.


Web app security is beginners' security -- surely everyone knows that?
Those with talent graduate on to low-level vulns (mem corruptions, kernel
vulns, etc).

</troll>


Cheers
Chris

> That's partly
> because of horrible design decisions back in the 1990s, and partly
> because we're dealing with greater diversity, more complex
> interactions, and a much younger codebase. Plus, we had much less time
> to develop systemic defenses.
>
> /mz
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
