Dailydave mailing list archives
Re: Remember The Titans
From: Michal Zalewski <lcamtuf () coredump cx>
Date: Fri, 31 Jul 2015 09:52:42 -0700
I went back a couple days ago and re-read the latest Qualys exploit, as you should: http://seclists.org/oss-sec/2015/q3/185 .
Interestingly, history sorta repeats itself: https://lwn.net/Articles/6137/

Now... while I generally agree with you that some of the most-publicized work is usually just a distraction and that it gets picked up by the press based primarily on how much effort is put into marketing the research and whether it superficially touches one of the "cool" topics (IoT, mobile, privacy), this one snippet caught my eye:

> [...rant about P0...] Why would you have all your best hackers working on random external companies and not securing the stuff you deliver to customers and depend on for your business? Where's all the hard core XSS work against Inbox.google.com that needs to be publicized?

While folks tend to have strong opinions about P0 and I don't really want to change yours, this bit seems a bit harsh. The vast majority of our security folks are indeed working on other things, including some really phenomenal work on systemic XSS mitigations (or multiple containment layers for AppEngine, so that breaking one is not a game-ending situation). P0 is a comparatively small effort, given the overall size of our security team, and it caters specifically to people who don't want to do anything but vuln research, full-time. Heck, I like breaking stuff and I'm not on P0.

/mz