As Dave seems to have his ongoing NZ filtering going on again on the DailyDave list, I post it here.
Anybody want to create a list mirroring DD but letting replies through even if those are against your views?

===8<=================== Original message text ===================
Hi Aaron,

> The 'shades of grey' only exist to security people.

Define "security people"? A complete branch of corporate risk management is formed of "security people". So does this make it "less of a problem"?

> To no one else is it important
> that a bug disclose information, allow invalid root access, or escalate
> privileges.

You obviously have not worked with or within a company that has to balance all sorts of risks. If a kernel bug is slipped upstream because it was not properly marked as a security issue, it means potential loss. So since when is losing money "only important" to "security people"? Security = Risk of loss, and Sir, this is important for everybody in the company.

I am astounded how narrow-minded some developers have become. Some apparently never see the complete picture of how a business operates, how potential risks/losses are mitigated and how this impacts the developers. SDL training seems to need an introduction on the fundamentals of security, operational and others. A bird's-eye view; maybe if the interconnections are understood, some will understand why it is important. It's not a technical issue - at all.

PS. Dave - I am not writing comments for you to send to /dev/null, I consider my time more useful.

--
http://blog.zoller.lu
Thierry Zoller
===8<============== End of original message text =============
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
