Domain: hexview.com
Stories and comments across the archive that link to hexview.com.
Comments · 7
-
Here is how vunlerability disclosure should work
This process was developed/implemented by HexView a few years ago (I worked for them at that time): Whoever finds the vulnerability likely has enough knowledge to roughly estimate what it takes to fix it and test the fix. He/she supplies all details to the vendor and gives them a hard time frame, e.g.: "I will release this data to the public 30 days from now". At the same time, vulnerability alert without details to prevent/delay re-discovery may be released to the public. If the vendor fails to resolve the vulnerability in a timely manner -- too bad, you were given enough time for fixing and testing.
-
Works for sales, but does not secure your data
There is a catch-22 -- you either have compatibility , but key management is handled by the HDD, or you have security, but you need external software and BIOS integration. I bet, Fujitsu decided to go with the compatibility. In this case, the encryption key could be recoverable. HexView published an advisory about it back in 2006.
-
Tough times... People are plagiarizing bug reports
This (or similar) bug was reported by HexView in 2005 and they also received no word from MS. http://www.hexview.com/docs/20050331-1.txt
-
Re:The problem with thisThis is addressed -- somewhat less that satisfactorily, I think, but, then, this is a first proposal -- in the linked article under the "One-To-Many" junk mail scenario heading:
Unless you are a large ISP or an official mass-mailing source (for example, an organization sending periodical newsletters to customers), there is no need for you to send thousands of messages within minutes. Official bulk mail sources can be exempted (whitelisted) if necessary. Large SMTP sources (ISPs or webmail providers) with more or less constant traffic volumes can also be statistically identified. But if a source suddenly appears and starts sending hundreds of messages in all directions, it is likely a junk mail transmitter.
The problem is whitelisting involves additional work.
For Source Trust Prediction (STP) filtering to work, you not only have to get an STP score, but you also have to check whether that score should be discounted because the sending IP is a known legitimate mass mailer. What about a legitimate mass mailer (including not just mailing lists, banks, online stores, political organizations, and social networking sites, but also services that handle mailings for these entities) that's ramping up -- either adding additional IPs to its network or changing IPs -- for sending mail or adding new clients? What's the process for getting whitelisted, and what's to keep spammers from using and abusing that process (either getting themselves somehow listed or DOSing the whitelist request process -- assuming shared/centralized whitelists, shared/centralized being less work than if every mail admin maintains his/her own whitelists.)
For that matter, imagine a scenario it which a news site or blog posts something of particularly bursty interest and that site lets users e-mail the article to a friend? Suddenly a site that historically hasn't looked anything like a spammer may look statistically similar to a spammer. No need for that site to have been whitelisted before, but suddenly the need is there.
Interesting idea, though, and I could certainly see STP being useful in combination with other tests (bayesian, pattern matching, dnsbl, etc.), but I'm much more skeptical about usefulness (avoiding false positives) in terms of actually blocking mail. And: a test that's used for filtering but not blocking spam means even more work for the filtering mail server (or client) to do.
-
Reward program for vulnerabilities?
Why MS does not have a program to acquire vulnerabities directly from security researchers? Wouldn't such reward program benefit us all: security researchers would be encouraged to look for vulnerabilities in MS software; the information about the vulnerabilities would not make it to the public before patches are available; and MS would have a list of contacts, code samples, and industry analysis data from security people all over the world? Is it true that MS cashes in every time there is a buzz caused by publicly released vulnerability (see this analysis)?
-
Decline in MS patch count affects MSFT price
See this analysis for more information.
-
The study proves MS benefits from vulnerabilities
Here is a simple analysis I did. It proves that MS makes more money when there are more vulnerabilities.