lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 14 Nov 2012 10:43:44 +0200
From: Georgi Guninski <guninski@...inski.com>
To: Jeffrey Walton <noloader@...il.com>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: GOOD for Enterprise (GMA) below 2.0.2
 vulnerable to MITM

On Tue, Nov 13, 2012 at 05:47:28PM -0500, Jeffrey Walton wrote:
> On Tue, Nov 13, 2012 at 4:56 PM, Thierry Zoller <Thierry@...ler.lu> wrote:
> >
> > RANT
> > ----
> > The  world  of  mobile  applications  appear to have become one where vulnerability
> > disclosure    and   awareness  are  not  necessary.  Until  there  are fully automated
> > updates  and  refusal  of  service for outdated applications I see the
> > need for disclosure.
> Mobile is a step backwards in software security (back to about the
> mid-1990s) due to patching. Or more correctly, lack thereof. I've been
> bitching about it for years.
> 
> I'm convinced the only way to fix it is through legislation and
> software liability laws. Waiting for companies to "do the right
> thing"

liability laws might kill a lot of OSS warez as a side effect.

btw, m$ lusers agree to "CLASS ACTION WAIVER":
http://windows.microsoft.com/en-US/windows-live/microsoft-services-agreement

==============
IF YOU LIVE IN THE UNITED STATES, SECTION 10 CONTAINS A BINDING ARBITRATION CLAUSE AND CLASS ACTION WAIVER. IT AFFECTS YOUR RIGHTS ABOUT HOW TO RESOLVE ANY DISPUTE WITH MICROSOFT. PLEASE READ IT.
10.4. Class action waiver. Any proceedings to resolve or litigate any dispute in any forum will be conducted solely on an individual basis. Neither you nor Microsoft will seek to have any dispute heard as a class action or in any other proceeding in which either party acts or proposes to act in a representative capacity. No arbitration or proceeding will be combined with another without the prior written consent of all parties to all affected arbitrations or proceedings.
===============

> means will be waiting a very long time (given their track record)
> because "do nothing" is cost effective and maximizes profits,
> 
> > GMA failed to validate server authenticity when connecting through HTTPS
> The Security Architect for Good should be fired if that sort of thing
> is acceptable.
> 
> Jeff
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ