lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAJVRA1Tmr1ZFCjBBxfxT8stTrfjN5jD5gAXQ4jQnTjTOjQ4+MA@mail.gmail.com>
Date: Sun, 21 Apr 2013 13:29:03 -0700
From: coderman <coderman@...il.com>
To: "paul.szabo@...ney.edu.au" <paul.szabo@...ney.edu.au>
Cc: Full Disclosure <full-disclosure@...ts.grok.org.uk>
Subject: reasonable return on investment;
 better investments in security [was Re: VUPEN Security Research -
 Adobe Flash Player RTMP Data Processing Object Confusion (CVE-2013-2555)]

On Fri, Apr 19, 2013 at 1:26 PM, <paul.szabo@...ney.edu.au> wrote:
> ...
> > 2012-02-15 - Vulnerability Discovered by VUPEN
> > 2013-03-06 - Vulnerability Exploited At Pwn2Own 2013 and Reported to Adobe...
>
> Is a delay of a year before reporting to the vendor, acceptable?


three years or more is better of course!  i would not be disappointed
with a dozen months, however.
  alas external factors (especially when licenses are non-exclusive)
complicate longevity of weaponized exploits...


if you really want to improve security:
 a) remove all criminal and civil liability for "hacking", computer
trespass, and all related activities performed over data networks;
establish proactive "shield" legislation to protect and encourage
unrestricted security research of any subject on any network. extend
to international agreements for blanket protection in all
jurisdictions.
 b) establish lock picking, computing, and hacking curriculum in pre
school through grade school with subsidized access to technical
resources including mobile, tablet, laptop test equipment, grid/cloud
computing on-demand, software defined radios with full
receive/transmit, and gigabit internet service or faster.
 c) organize a program of blue and red teaming challenges for
educational and public participation at the district, regional, and
national level cultivating expertise and rewarding it with hacking
toys, access, and monies.

if implemented, i can guarantee a significant and measurable
improvement in the security posture of the systems that remain  in
such an environment.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ