forum.opennet.ru

Составление сообщения

Исходное сообщение

"В OpenSSH подозревают наличие опасной уязвимости"
Отправлено rob pike, 13-Апр-14 21:29

..the fact is that the last 10 years have changed the community
- whereas bugs used to be shared ahead of time among a group of peers
(including Free operating system authors) who were trusted to, and
generally allowed for a certain amount of time for mitigations to
happen before announcement, The fact is that now big dollars are spent
by all of the players on bug bounties and other such crap, with
sponsors having privileged access to the information (in other words
they aren't donors, they are paying for early access.)
So just as a hypothetical example, 10 years ago,  if certain
organizations knew about an endemic problem,  that would have been
shared ahead of time with the security community, (we all know who we
are) ahead of time and everyone would work to get their mitigations in
place in a controlled manner before disclosure so patches were
available immediately - and that used to happen pretty darn fast.
That doesn't happen any more now that most of this is monetized -
they're too busy being told to sit on it by their "sponsors" so full
disclosure actually seems to happen a lot later.
So, the short answer is, if you know about a problem and want to
monetize it - this is great news for you - there are many places with
organizations behind them with deep pockets that will buy your bug.
They organizations
with the money behind it get early access.  Finding bugs in that
environment is not about making software better anymore. You probably
don't *want* better software - you want more bugs. more bugs equals
more money. You probably *want* to keep things like the exploit
mitigation countermeasures in OpenSSL in the software - You certainly
don't want the code base to be easily auditable, and you certainly
don't want the tools that find the bugs
automatically and just get them fixed to find them.
Who loses? well, the rest of us.
So, if you know of a bug in such an organization (that itself sits on
bugs), what would you do? Tell the world for free? Monetize it? or Sit
on it?
I don't have an answer for you. All I can do is tell you the state of
the world :)  In the immortal words of a recently deceased friend of
mine, Life is Hard, Wear a Helmet.
--http://article.gmane.org/gmane.os.openbsd.tech/35744

Исходное сообщение
"В OpenSSH подозревают наличие опасной уязвимости" Отправлено rob pike, 13-Апр-14 21:29
..the fact is that the last 10 years have changed the community - whereas bugs used to be shared ahead of time among a group of peers (including Free operating system authors) who were trusted to, and generally allowed for a certain amount of time for mitigations to happen before announcement, The fact is that now big dollars are spent by all of the players on bug bounties and other such crap, with sponsors having privileged access to the information (in other words they aren't donors, they are paying for early access.) So just as a hypothetical example, 10 years ago, if certain organizations knew about an endemic problem, that would have been shared ahead of time with the security community, (we all know who we are) ahead of time and everyone would work to get their mitigations in place in a controlled manner before disclosure so patches were available immediately - and that used to happen pretty darn fast. That doesn't happen any more now that most of this is monetized - they're too busy being told to sit on it by their "sponsors" so full disclosure actually seems to happen a lot later. So, the short answer is, if you know about a problem and want to monetize it - this is great news for you - there are many places with organizations behind them with deep pockets that will buy your bug. They organizations with the money behind it get early access. Finding bugs in that environment is not about making software better anymore. You probably don't want better software - you want more bugs. more bugs equals more money. You probably want to keep things like the exploit mitigation countermeasures in OpenSSL in the software - You certainly don't want the code base to be easily auditable, and you certainly don't want the tools that find the bugs automatically and just get them fixed to find them. Who loses? well, the rest of us. So, if you know of a bug in such an organization (that itself sits on bugs), what would you do? Tell the world for free? Monetize it? or Sit on it? I don't have an answer for you. All I can do is tell you the state of the world :) In the immortal words of a recently deceased friend of mine, Life is Hard, Wear a Helmet. --http://article.gmane.org/gmane.os.openbsd.tech/35744

Ваше сообщение
Имя*:
EMail:	Для отправки ответов на email укажите знак ! перед адресом, например, !user@host.ru (!! - не показывать email). Более тонкая настройка отправки ответов производится в профиле зарегистрированного участника форума.
Заголовок*:
Сообщение*:	> ..the fact is that the last 10 years have changed the community > - whereas bugs used to be shared ahead of time among a > group of peers > (including Free operating system authors) who were trusted to, and > generally allowed for a certain amount of time for mitigations to > happen before announcement, The fact is that now big dollars are spent > by all of the players on bug bounties and other such crap, > with > sponsors having privileged access to the information (in other words > they aren't donors, they are paying for early access.) > So just as a hypothetical example, 10 years ago, if certain > organizations knew about an endemic problem, that would have been > shared ahead of time with the security community, (we all know who > we > are) ahead of time and everyone would work to get their mitigations > in > place in a controlled manner before disclosure so patches were > available immediately - and that used to happen pretty darn fast. > That doesn't happen any more now that most of this is monetized > - > they're too busy being told to sit on it by their "sponsors" > so full > disclosure actually seems to happen a lot later. > So, the short answer is, if you know about a problem and > want to > monetize it - this is great news for you - there are > many places with > organizations behind them with deep pockets that will buy your bug. > They organizations > with the money behind it get early access. Finding bugs in > that > environment is not about making software better anymore. You probably > don't want better software - you want more bugs. more bugs equals > more money. You probably want to keep things like the exploit > mitigation countermeasures in OpenSSL in the software - You certainly > don't want the code base to be easily auditable, and you certainly > don't want the tools that find the bugs > automatically and just get them fixed to find them. > Who loses? well, the rest of us. > So, if you know of a bug in such an organization (that > itself sits on > bugs), what would you do? Tell the world for free? Monetize it? > or Sit > on it? > I don't have an answer for you. All I can do is > tell you the state of > the world :) In the immortal words of a recently deceased > friend of > mine, Life is Hard, Wear a Helmet. > --http://article.gmane.org/gmane.os.openbsd.tech/35744
	Введите код, изображенный на картинке:

При общении не допускается: неуважительное отношение к собеседнику, хамство, унизительное обращение, ненормативная лексика, переход на личности, агрессивное поведение, обесценивание собеседника, провоцирование флейма голословными и заведомо ложными заявлениями. Не отвечайте на сообщения, явно нарушающие правила - удаляются не только сами нарушения, но и все ответы на них. Лог модерирования.

Партнёры:

Хостинг:

Закладки на сайте
Проследить за страницей

Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру