On Tue, Jul 22, 2014 at 1:48 AM, coderman coder...@gmail.com wrote:
...
perhaps someone to help answer the question is Google, if they felt inclined.
more context, although less sophisticated than TAO tech:
When Governments Hack Opponents: A Look at Actors and Technology
-
On Fri, Jul 18, 2014 at 12:22 PM, Denis 'GNUtoo' Carikli
gnu...@no-log.org wrote:
...
If the adversary looses one exploit each times he attacks someone, then...
perhaps someone to help answer the question is Google, if they felt inclined.
per re:publica 2014 - Morgan Marquis-Boire: Fear and
if Google start actively looking for bugs, aren't they going to have a
ranking per vendor every year to incentive bad vendors to improve?
What are the other means they can incentive vendors, without making too
much of a fuss that users don't loose confidence in web security overall?
On Thu, Jul
On Fri, Jul 18, 2014 at 1:40 AM, Wasa Bee wasabe...@gmail.com wrote:
if Google start actively looking for bugs, aren't they going to have a
ranking per vendor every year to incentive bad vendors to improve?
you'll be able to read the vendor responses yourself in the Project
Zero blog. two
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On Thu, 17 Jul 2014 12:19:31 -0700
Andy Isaacson a...@hexapodia.org wrote:
But don't pretend that patching the specific attack your adversary is
currently using will disable or even seriously inconvenience the
adversary.
Well, going public about
On 07/18/2014 06:12 AM, coderman wrote:
[...]
i approve of this timeline, and am anxious to see if NSL's are used to
trump some exploits. (how would you know? good question :)
* U.S. National Security Letters
* U.S. National Exploit Stockpile
* Effective public bug-quashing program in U.S.
Hello list,
We know something about the selectors that could trigger Foxacid
attacks, and we can record the data sent to a machine running Tor
Browser Bundle. So has anyone set up a sitting duck to trigger and
record the payload of the attack?
Once the payload is known then Firefox
On Thu, Jul 17, 2014 at 03:14:32PM -0400, Jonathan Wilkes wrote:
We know something about the selectors that could trigger
Foxacid attacks, and we can record the data sent to a machine
running Tor Browser Bundle. So has anyone set up a sitting duck to
trigger and record the payload of the
On Thu, Jul 17, 2014 at 12:32:26PM -0700, coderman wrote:
And once you've patched this bug, FOXACID will update to issue another
0day.
It's worth doing, for sure! Patching bugs makes us all incrementally
safer.
this is exactly why some who have received these payloads are sitting
on
On Thu, Jul 17, 2014 at 1:11 PM, coderman coder...@gmail.com wrote:
...
Forcing deployments to move to more interesting bugs will also give
insight into IAs' exploit sourcing methodologies.
this is absolutely true and useful,
and does not require making specific exploits public.
i have
On Thu, Jul 17, 2014 at 1:11 PM, coderman coder...@gmail.com wrote:
...
- if you want to thwart FOXACID type attacks there are ways to do it
without knowing specific payloads. (architectural and broad
techniques, not fingerprints on binaries or call graphs)
some specific examples:
A:
On 07/17/2014 04:11 PM, coderman wrote:
On Thu, Jul 17, 2014 at 12:41 PM, Andy Isaacson a...@hexapodia.org wrote:
...
this is exactly why some who have received these payloads are sitting
on them, rather than disclosing.
Hmmm, that seems pretty antisocial and shortsighted. While the pool of
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Andy Isaacson wrote:
this is exactly why some who have received these payloads are
sitting on them, rather than disclosing.
Hmmm, that seems pretty antisocial and shortsighted. While the
pool of bugs is large, it is finite. Get bugs fixed and
On 07/17/2014 05:57 PM, Griffin Boyce wrote:
Andy Isaacson wrote:
this is exactly why some who have received these payloads are
sitting on them, rather than disclosing.
Hmmm, that seems pretty antisocial and shortsighted. While the
pool of bugs is large, it is finite. Get bugs fixed and
14 matches
Mail list logo