Dailydave mailing list archives
Re: The old speak: Wassenaar, Google, and why Spender is right
From: Michal Zalewski <lcamtuf () coredump cx>
Date: Tue, 4 Aug 2015 08:12:41 -0700
> and how does finding/fixing bugs change that? are you saying that p0 efforts resulted (or have a chance to result) in a *complete* extermination of security bugs that affect a *single* layer at least? either that or your bug squashing doesn't matter (for security).
I am fairly confident that many core components that we depend on have gotten a lot harder to compromise over the years; we are obviously not at a point where there are no bugs left (and we're certainly not at a point where optimal design practices or mitigation frameworks are bulletproof, either), but at least subjectively, I feel that at any given time, far fewer people would be able to compromise my web server than in the 90s, and far fewer are likely to have a 0-day exploit for my browser, compared to 2000s. Some of this comes down to mitigations, sandboxing, and better design practices - although their adoption by non-security engineers is driven largely by the cold and hard evidence of failures. And in my view, a lot of it also comes down just to relentless fuzzing and manual code audits. Now, of course, it's hard to truly quantify such opinions, and if you think otherwise, I think it's quite fine to disagree :-)
I'm sure that neither you nor Brad are running 15-year old copies of Apache and OpenSSH, or browsing the web with Netscape Navigator, and then putting all your faith in containment frameworks.

> we don't run new software because of the security bugs fixed in them but because that's how the whole stack evolves
Interesting; so the knowledge of an RCE in OpenSSH would not factor into your decision to stay on a particular version? That sounds like a bold move.

/mz

_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave
Current thread:
- The old speak: Wassenaar, Google, and why Spender is right Bas Alberts (Aug 01)
- Re: The old speak: Wassenaar, Google, and why Spender is right Michal Zalewski (Aug 02)
- Re: The old speak: Wassenaar, Google, and why Spender is right Michal Zalewski (Aug 05)
- Re: The old speak: Wassenaar, Google, and why Spender is right Michal Zalewski (Aug 05)
- Re: The old speak: Wassenaar, Google, and why Spender is right Michal Zalewski (Aug 02)