[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Vulnerability in reCAPTCHA for Drupal
- To: Valdis.Kletnieks@xxxxxx
- Subject: Re: [Full-disclosure] Vulnerability in reCAPTCHA for Drupal
- From: Charles Morris <cmorris@xxxxxxxxxx>
- Date: Fri, 18 Feb 2011 13:40:47 -0500
>> It is my personal belief that all vulnerabilities should be patched
>> regardless of existence of a known attack vector or exploit.
>
> Let me fix that for you:
>
> All vulnerabilities should be evaluated as to whether patching them
> makes sense. If it's a one-liner fix for a stupid logic error, yes
> it probably should be patched whether or not there's a known exploit.
>
...
>
> So yes, evaluation is needed. But patching it may not make any realistic
> sense, depending on the nature of the issue and who is potentially affected.
>
I agree Valdis, and I personally used shatter when it was popularized..
resulting in tons of fun here at the university with my colleagues.
However, I'm simply stating a belief in a more abstract sense,
I agree beliefs are not always realistic, but personally I /do/ make
that guarantee whenever I write a piece of code.
I am very aware I must compromise this belief when working in the market,
like most of my other beliefs and morals, and I do so daily.
Then I go home and cry myself to sleep.
Charles
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/