Can you point me to any disclosures for security vulnerabilities you found? Or were they patched silently?
-----Original Message-----
From: disco jonny [mailto:[email protected]]
Sent: Wednesday, March 31, 2010 8:14 AM
To: Larry Seltzer
Cc: [email protected]
Subject: Re: [funsec] Miller, Pwn2Own's winner tells Apple, Microsoft to find their own bugs

That's alright then. good to know i didn't look for or find any bugs. I wonder why they paid me.

On 28 March 2010 23:45, Larry Seltzer <[email protected]> wrote:
> I know because I asked them and they gave me an actual response. In the last
> 18 months they found exactly 1 vulnerability themselves, and they found it
> ancillary to looking into the Kaminsky DNS bug after Dan Kaminsky reported
> that to them.
>
> Larry Seltzer
> Contributing Editor, PC Magazine
> http://blogs.pcmag.com/securitywatch/
> Sent from my BlackBerry
>
> ----- Original Message -----
> From: disco jonny <[email protected]>
> To: Larry Seltzer
> Cc: [email protected] <[email protected]>
> Sent: Sun Mar 28 16:45:51 2010
> Subject: Re: [funsec] Miller, Pwn2Own's winner tells Apple, Microsoft to
> find their own bugs
>
>> But once the product ships they stop looking.
>
> rubbish. I have worked there and seen that they do continual vuln
> assessment throughout a product's lifetime. [well for the products i
> worked on. (office 2k3 & 2k7)]
>
> They just don't beat their chest when they patch [they do it silently
> and push it out with the disclosed vulns] - reverse a few patches and
> see how many issues are fixed. You seem to often think how it is then
> state that it is like that - as a fact. it really annoys me.
>
> How do you know what ms does and doesn't do?
>
>
> On 27 March 2010 12:58, Larry Seltzer <[email protected]> wrote:
>> I wrote about this myself a little while ago:
>> http://blogs.pcmag.com/securitywatch/2009/12/does_microsoft_look_for_vulner.php
>>
>> Microsoft puts a lot of effort into security research for products under
>> development. But once the product ships they stop looking. Alex Sotirov
>> pointed out that Microsoft's customers, by paying iDefense and
>> TippingPoint and the like, end up paying for research Microsoft should
>> be doing. Perhaps Microsoft is also a customer of these companies, I
>> don't know.
>>
>> LJS
>>
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]]
>> On Behalf Of Juha-Matti Laurio
>> Sent: Saturday, March 27, 2010 7:24 AM
>> To: [email protected]
>> Subject: [funsec] Miller, Pwn2Own's winner tells Apple, Microsoft to
>> find their own bugs
>>
>> http://www.computerworld.com/s/article/9174120/Pwn2Own_winner_tells_Apple_Microsoft_to_find_their_own_bugs
>>
>> "The only researcher to "three-peat" at the Pwn2Own hacking contest said
>> today that security is
>> such a "broken record" that he won't hand over 20 vulnerabilities he's
>> found in Apple's,
>> Adobe's and Microsoft's software.
>>
>> Instead Charlie Miller will show the vendors how to find the bugs
>> themselves.
>>
>> Miller, who yesterday exploited Safari on a MacBook Pro notebook running
>> Snow Leopard to win $10,000 in the hacking challenge,
>> said he's tired of the lack of progress in security. "We find a bug,
>> they patch it," said Miller.
>> "We find another bug, they patch it. That doesn't improve the security
>> of the product."
>>
>> Juha-Matti
>> _______________________________________________
>> Fun and Misc security discussion for OT posts.
>> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
>> Note: funsec is a public and open mailing list.
