On Fri, Dec 19, 2008 at 3:36 PM, Bipin Gautam <[email protected]> wrote: > stop putting so much of attention to 0-day and possible use of it by > government to get into a terrorist pc. > > if breaking into someones pc was a matter of national security > importance 0-day may provide a easy leverage but you really dont need > a 0-day to get into someones pc, neither you'd need a already > existing/known backdoor, neither you'd need to bruteforce into the > advisory or a physical access to it. > > all they need to do is poison a unsigned executable/plugin/update with > a backdoor instead, that is being downloaded to the advisory computer > over an unencrypted connection if you can control the network gateway > or have isp level access. such attacks "could" work regardless of the > OS or patch level. >
You're giving the bad guys clues on what to avoid or will the bad guys be aware of all the possible attack vectors the government might be using already? _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
