On 9/6/13 5:29 PM, Parks, Raymond wrote:
I did a quick search through my data and there haven't been any major
Skype vulns in a while. There's a local privilege escalation from
this last spring and URL snooping, but neither should result in
massive Skype usage. The Dark Comet Remote Access Tool (RAT) uses the
Skype port and protocol to "phone home", so you might have a pest
problem. Even worse, a vulnerability was published last fall for
getting in to the Dark Comet RAT via its use of Skype - so if you
have Dark Comet, someone could be breaking it to get into your computer.

Where do the folks selling zero-day exploits seem to invest effort when
it comes to Linux? Do they work against versions that are in wide
distribution (2.6.32), or try to get in early and sell bugs early in the
hopes the lifetime of the work will be relatively longer (3.12)? Is
bleeding edge kernel and system software any better or worse
security-wise than a service contract for RHEL, etc. (and immediate updates)?
If there are bad statistics, that would suggest to me some benefit from
security from obscurity?

It still blows me away that governments trust vendors that use
international development teams, but do not disclose source code. Why
not more of a push toward systems that can _really_ be audited? It
seems to me like using medicine that has no systematic study or peer
review.

If this is accurate, it looks to me like the databases on exploits tend
to be against old software?
http://www.cvedetails.com/vulnerability-list/vendor_id-33/product_id-47/year-2013/opgpriv-1/Linux-Linux-Kernel.html
Marcus
============================================================
FRIAM Applied Complexity Group listserv
Meets Fridays 9a-11:30 at cafe at St. John's College
to unsubscribe http://redfish.com/mailman/listinfo/friam_redfish.com