Full Disclosure mailing list archives
Re: Gates: 'You don't need perfect code' for good security
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Mon, 03 Nov 2003 17:15:51 +1300
For all his usual intelligence, Valdis.Kletnieks () vt edu oddly felt the need to add:
> And for bonus points, explain how you fix the scheme so the poor sysadmin who has to run stuff at startup is able to find the folder, but an exploit running with 'administrator' or 'system' can't find it?
Re-read what I wrote. I explained all that.

Like all security efforts, it is not a "perfect" solution. It also does not work against all methods of exploitation or in all cases of exploitation using any given method. However, it would have saved you from a bunch of once common IE exploits and will still save you from a huge amount of "work" done by thousands of next-to-clueless skiddies who take overly simple PoC exploits and are limited to altering them to simply gluing in the delivery of their preferred RAT/bot-net agent/etc.

As I already explained all that _and_ answered your question before you asked it, I gladly accept your bonus points...

Regards,
Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html