Full Disclosure mailing list archives

Re: Google Secure Access or "How to have people download a trojan."


From: Yvan Boily <yboily () gmail com>
Date: Thu, 22 Sep 2005 02:24:04 -0500

Actually Paul, I decided to repost to address one of the things you said.

 I have never ever heard of you. What's the last security advisory that YOU
have come out with?

  I'm sorry, but before you can go calling someone as 1337 as Skylined an
"Ass-Clown", you need to build up some credibility for yourself. Until then,
good-day sir.

 Because of people like Wevers I don't release any of the research I do to
the public; when I have identified vulnerabilities in applications I
review, I know that some consultant somewhere will use it as a reason
to bilk a client out of piles of money.

If I ever discover a serious flaw in a product that has significant market
penetration, and I receive approval from my employers, you can bet it would
be released to the public, but until I am convinced of the value I will not.


That is the way life is for the people who choose to have a career
practicing security rather than researching it; I am too busy finding and
assisting with the correction of flaws within the organizations that have
employed me in the past to spend time trying to punch holes in vendor xyz's
products.

What this really means though, is that instead of having hundreds of
security researchers pounding away at applications there is just me. One
single solitary person; this means that in my time with my previous employer
as a security consultant (god that sucked) I would have to take on
identifying and exploiting vulnerabilities by myself against completely
unique applications to resolve threats. Usually I would have one project at
a time, and it would last a few weeks. Now that I am employed in a
reasonably sized organization [12000 employees, ~400 developers, and
~1,200,00 customers] I frequently have multiple projects on the go, and
frequently find myself with an overwhelming number of threat vectors to
consider and worry about.

Before you go off patting people on the back who manage to find holes in
common off-the-shelf software, or in systems that expose millions of
users per minor version, take a moment to consider that, no, you do not know
me. You have not heard of me because no application that I have reviewed to
date has successfully been compromised provided the recommendations I made
were followed; if they had you can bet that my former employer would have
been sued for liability, and that I would be spending a lot more time looking
for a job than antagonizing people on Full-Disclosure. Don't bark at me
about not having a long list of advisories from one of the most widely used
applications on the internet.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/