lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <BANLkTimgKUeKoUAS8w7t6EX10yo5anr4yA@mail.gmail.com> Date: Tue, 14 Jun 2011 19:42:37 -0700 From: coderman <coderman@...il.com> To: Georgi Guninski <guninski@...inski.com> Cc: full-disclosure@...ts.grok.org.uk, Valdis.Kletnieks@...edu Subject: Re: Absolute Sownage (A concise history of recent Sony hacks) On Fri, Jun 10, 2011 at 11:29 PM, Georgi Guninski <guninski@...inski.com> wrote: >> if you eliminate 95% of the holes, it may be >> *effectively* secure, simply because it isn't worth the attacker's time to >> fight for the other 5% > > wtf? > > if someone has working exploit, the probability of breaking is 100% no matter what the constant 95% is claimed to be. consider it this way: when programming the "weird machine" to do your bidding some vectors to vuln are context-agnostic and readily repeatable. (the 95%) the other 5% are present in the specific configuration or context of system under attack and thus require actual technical ability and insight to traverse the vuln vectors. (or exploit chain, or attack tree, or whatever you want to call it.) cover the 95% and you won't be an HBGary, Sony, LulzSec target. however, don't interpret this as evidence you can't get hacked six ways to sunday by someone with the skillz. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists