lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <166523.1326810045@turing-police.cc.vt.edu>
Date: Tue, 17 Jan 2012 09:20:45 -0500
From: Valdis.Kletnieks@...edu
To: Martijn Broos <martijn.broos@...xion.com>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Fwd: Rate Stratfor's Incident Response

On Tue, 17 Jan 2012 14:09:13 +0100, Martijn Broos said:

> If programmers are aware of security consequences, they would fix them in the
> first place or try to avoid them.

Unfortunately, there's this problem called "already announced ship date".

Go take a look at Skyrim - they announced 11/11/11 ship date like *months*
beforehand. And yes, it shipped that day - with lots of glitches.  The fact
that lots of the glitches were fixed in patches released whithin days after
release indicates that the programming staff knew full well what caused the
glitch and what to do to fix it - they just didn't have time to actually *do*
it before their freeze date to get stuff onto the DVD.

And security bugs are identical to other bugs as far as making a deadline goes
- at soome point somebody has to say "delay it" or "ship it anyhow".  Usually,
neither choice is a really good option...

> So I vote for the use of kiddies (only in a controlled test environment).
> This could even be a public test site where this list could try to break the
> stuff as long as you tell me how you did it:)

This sort of public test is almost never a good idea.  One of two things happens:

1) The kiddies who do it for a lark break it.  Yes, now you know you have
holes. But the rest of the world now knows you couldn't even find the easy
stuff. So you're gonna be dead meat for the vultures once you fix the easy
stuff.

2) The kiddies who do it for a lark don't break it.  Doesn't prove squat,
because they almost certainly didn't check the entire attack surface, or try
very hard to break it. A good professional pen test company could still break
it - as could a really good black hat.  But neither of them are going to
participate in your public test unless you offer a lot bigger prize (equivalent
to what they'd make for a several-week actual engagement).


Content of type "application/pgp-signature" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ