Full Disclosure mailing list archives

Re: Fwd: Rate Stratfor's Incident Response

From: Valdis.Kletnieks () vt edu
Date: Tue, 17 Jan 2012 09:20:45 -0500

On Tue, 17 Jan 2012 14:09:13 +0100, Martijn Broos said:

If programmers are aware of security consequences, they would fix them in the
first place or try to avoid them.


Unfortunately, there's this problem called "already announced ship date".

Go take a look at Skyrim - they announced 11/11/11 ship date like *months*
beforehand. And yes, it shipped that day - with lots of glitches.  The fact
that lots of the glitches were fixed in patches released whithin days after
release indicates that the programming staff knew full well what caused the
glitch and what to do to fix it - they just didn't have time to actually *do*
it before their freeze date to get stuff onto the DVD.

And security bugs are identical to other bugs as far as making a deadline goes
- at soome point somebody has to say "delay it" or "ship it anyhow".  Usually,
neither choice is a really good option...

So I vote for the use of kiddies (only in a controlled test environment).
This could even be a public test site where this list could try to break the
stuff as long as you tell me how you did it:)


This sort of public test is almost never a good idea.  One of two things happens:

1) The kiddies who do it for a lark break it.  Yes, now you know you have
holes. But the rest of the world now knows you couldn't even find the easy
stuff. So you're gonna be dead meat for the vultures once you fix the easy
stuff.

2) The kiddies who do it for a lark don't break it.  Doesn't prove squat,
because they almost certainly didn't check the entire attack surface, or try
very hard to break it. A good professional pen test company could still break
it - as could a really good black hat.  But neither of them are going to
participate in your public test unless you offer a lot bigger prize (equivalent
to what they'd make for a several-week actual engagement).

Attachment: _bin
Description:

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Re: Fwd: Rate Stratfor's Incident Response, (continued)
- - - Re: Fwd: Rate Stratfor's Incident Response Ferenc Kovacs (Jan 12)
    - Re: Fwd: Rate Stratfor's Incident Response Laurelai (Jan 12)
    - Re: Fwd: Rate Stratfor's Incident Response doc mombasa (Jan 12)
    - Re: Fwd: Rate Stratfor's Incident Response Ferenc Kovacs (Jan 12)
    - Re: Fwd: Rate Stratfor's Incident Response doc mombasa (Jan 12)
    - Re: Fwd: Rate Stratfor's Incident Response Valdis . Kletnieks (Jan 12)
    - Re: Fwd: Rate Stratfor's Incident Response Paul Schmehl (Jan 13)
    - Re: Fwd: Rate Stratfor's Incident Response Jeffrey Walton (Jan 16)
    - Re: Fwd: Rate Stratfor's Incident Response E M (Jan 17)
    - Re: Fwd: Rate Stratfor's Incident Response Martijn Broos (Jan 17)
    - Re: Fwd: Rate Stratfor's Incident Response Valdis . Kletnieks (Jan 17)
    - Re: Fwd: Rate Stratfor's Incident Response Kurt Buff (Jan 07)
    - Re: Fwd: Rate Stratfor's Incident Response Jeffrey Walton (Jan 07)
- Re: Fwd: Rate Stratfor's Incident Response Laurelai (Jan 07)
- Re: Fwd: Rate Stratfor's Incident Response Elazar Broad (Jan 12)
  - Re: Fwd: Rate Stratfor's Incident Response Laurelai (Jan 12)