Re: [SC-L] On exploits, hubris, and software security

2006-11-03 Thread Gary McGraw
Friday, November 03, 2006 12:50 PM
To: Gary McGraw
Cc: SC-L@securecoding.org
Subject: Re: [SC-L] On exploits, hubris, and software security

Gary McGraw wrote:
> The main thing I wonder is, what do you think? When you have a hot
> demonstration of an exploit, how do you responsibly releas

Re: [SC-L] On exploits, hubris, and software security

2006-11-03 Thread Blue Boar
Gary McGraw wrote:
> The main thing I wonder is, what do you think? When you have a hot
> demonstration of an exploit, how do you responsibly release it? What
> role do such demonstrations play in moving software security forward?

To pick one extreme, I believe there are times when intentionally

Re: [SC-L] On exploits, hubris, and software security

2006-11-03 Thread Blue Boar
Gary McGraw wrote:
> Later, we could disclose the problems responsibly, keeping a short leash
> on Microsoft, Netscape, and Sun without ever resorting to FULL
> disclosure. Our goal was to get the problems fixed with no nonsense.
> The companies also allowed the press to be responsibly involved.

Re: [SC-L] On exploits, hubris, and software security

2006-11-03 Thread SC-L Subscriber Dave Aronson
Gary McGraw [mailto:[EMAIL PROTECTED]] writes:
> The main thing I wonder is, what do you think? When you have a hot
> demonstration of an exploit, how do you responsibly release it?

This isn't so much about that, in the usual sense. This was, as you say, a well-known vulnerability, one screamingl

[SC-L] On exploits, hubris, and software security

2006-11-03 Thread Gary McGraw
Hi all,

We all know that there is nothing more powerful for causing software security change than a flashy exploit demonstration. Once again, this has come to the fore in the actions of an IU student who took a well-known boarding pass vulnerability and wrote a script to make it real. Just after