We just published an article that counters a lot of the FUD surrounding zero-day exploits, risks and sales. Granted, it's not 100% on topic, but I think there are some aspects of it that are. Feel free to give it a read (or not).

http://pentest.netragard.com/2012/08/13/selling-zero-days-doesnt-increase-your-risk-heres-why/

On 8/14/12 1:09 PM, Loose Tweets wrote:
>> I get it now! If we just patch *all* the bugs, then there will be no
>> bugs left for anyone else to exploit. Guys, this is brilliant. How did
>> we get scooped by a few lawyers at the EFF when we've been working on
>> this for years?
> It seems that people continue to misunderstand my earlier point
> (https://twitter.com/0xcharlie/status/235402152716152834), so let me
> re-iterate it without also attempting to troll.
>
> It is a widely held assumption by people who are not on the front
> lines of defense that increased access to vulnerability information
> will make everyone more secure.
>
>> Setting aside the question of who gets to make the 'bad regime'
>> determination... from everything we know, that's just crap. They send
>> their targets stock malware and say 'please install by clicking on
>> this photo, love, er... not the government, srsly'. Or, they leverage
>> the fact that they have physical access to the carrier, the internet
>> cafes and so forth. (Or probably they just use humint cause it's
>> easier). What those guys really need is better opsec, and I hope they
>> continue to get it.[2]
> ...
>> As others have said, let's go after the _real_ tools used by 'bad
>> regimes', wherever in the world they may hide! Let's see, we need
>> Metasploit, Backtrack, FinFisher, Northropp, Raytheon, EnCase, the
>> Root CAs, BlueCoat, Cisco, Nortel (for the LI capacity in their
>> carrier gear)... Oh wait, most of those guys have lobbyists, forget
>> it.
> Does it? Does increased access to vulnerability information solve any
> problems here or elsewhere? Further, how many vulnerabilities would we
> have to fix for it to have an impact on these threats?
>
> That the EFF has so blatantly forsaken their own beliefs is a problem,
> but of greater concern to me is that they appear to rely on snap
> decisions and emotional judgements rather than competency to do their
> jobs.
>
> I already had misgivings about the EFF's ability to represent my
> interests, but now I believe their incompetence may end up hindering
> the progress of privacy and security on the internet. I'm with Dave
> and I won't be giving even passive support to the EFF from this point
> forward.
>
> -LT
> _______________________________________________
> Dailydave mailing list
> [email protected]
> https://lists.immunityinc.com/mailman/listinfo/dailydave
