[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] What the f*** is going on?



Michal hit the nail on it's head. The news isn't want some script kiddie
ring did to some supposedly info sec website as much as what the whole
industria is leading to.

So the public thinks the bad guys go around in suits and neckties with the
intent of "breaking the net" when the truth is there's a huge broken mess
out there.

Even worse, those paid to fix it do not give a hoot and often times make it
worse (re: HBGary).

The media of course follows the more sensational news, some supposedly
vigilantes (correction: vandals) attacking some sites.

Well, we've been saying the net's broken for how long, 10, 30 years? News is
kinda getting old. And where are we now?

Salute,
Pietro DeMedici




On Tue, Feb 22, 2011 at 11:42 PM, Michal Zalewski <lcamtuf@xxxxxxxxxxx>wrote:

> > Also, I would say that even though randomly prodding exec arguments
> > with As isn't so elite, the space of "the non-web" is much more deep
> > and much more complex than the space of "the web"..
>
> I think that sentiment made sense 8-10 years ago, but today, it's
> increasingly difficult to defend. I mean, we are at a point where
> casual users can do without any "real" applications, beyond just
> having a browser. And in terms of complexity, the browser itself is
> approaching the kernel, and is growing more rapidly.
>
> Yes, web app vulnerabilities are easier to discover. That's partly
> because of horrible design decisions back in the 1990s, and partly
> because we're dealing with greater diversity, more complex
> interactions, and a much younger codebase. Plus, we had much less time
> to develop systemic defenses.
>
> /mz
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/