Full Disclosure mailing list archives
Re: Google Secure Access or "How to have people download a trojan."
From: Yvan Boily <yboily () gmail com>
Date: Thu, 22 Sep 2005 02:24:04 -0500
Actually Paul, I decided to repost to address one of the things you said.
> I have never ever heard of you. What's the last security advisory that YOU have come out with?
> I'm sorry, but before you can go calling someone as 1337 as Skylined an "Ass-Clown", you need to build up some credibility for yourself. Until then, good-day sir.
Because of people like Wevers I don't release any of the research I do to the public, because when I have identified vulnerabilities in applications I review, I know that some consultant somewhere will use it as a reason to bilk a client out of piles of money. If I ever discover a serious flaw in a product that has significant market penetration, and I receive approval from my employers, you can bet it would be released to the public, but until I am convinced of the value I will not.
That is the way life is for the people who choose to have a career practicing security rather than researching it; I am too busy finding and assisting with the correction of flaws within the organizations that have employed me in the past to spend time trying to punch holes in vendor xyz's products. What this really means, though, is that instead of having hundreds of security researchers pounding away at applications there is just me. One single solitary person; this means that in my time with my previous employer as a security consultant (god that sucked) I would have to take on identifying and exploiting vulnerabilities by myself against completely unique applications to resolve threats. Usually I would have one project at a time, and it would last a few weeks. Now that I am employed in a reasonably sized organization [12000 employees, ~400 developers, and ~1,200,00 customers] I frequently have multiple projects on the go, and frequently find myself with an overwhelming number of threat vectors to consider to worry about.
Before you go off patting people who manage to find holes in common off the shelf software on the back, or systems that have exposure of millions of users per minor version, take a moment to consider that, no, you do not know me.
You have not heard of me because no application that I have reviewed to date has successfully been compromised provided the recommendations I made were followed; if they had, you can bet that my former employer would have been sued for liability, and that I would be spending a lot more time looking for a job than antagonizing people on Full-Disclosure. Don't bark at me about not having a long list of advisories from one of the most widely used applications on the internet.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/