Slashdot Mirror


User: QuantumG

QuantumG's activity in the archive.

Stories
0
Comments
11,687
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 11,687

  1. Re:Shocking on Segway Recalling 23,000 Scooters · · Score: 1

    Yeah, maybe someone who was working on the software thought it would be funny to throw a few of these swells off their fancy scooters.

  2. Re:Responsible Disclosure == hiding vulnerabilitie on Responsible Disclosure — 16 Opinions · · Score: 1

    If you announce it to the public and it still takes a year to patch then those people who are using the product in question should not be using that product. From a security point of view they are a lost cause. That said, it really depends how you announce it. If you say "I have found a serious vulnerability in product X, I recommend people don't use it until a patch for this issue has been released" then you have in no way reduced the time it will take a blackhat to find the vulnerability and produce an exploit for it.. and even when he does, he is unlikely to hand out the exploit as it will reduce the amount of time he has to utilize the exploit (as widespread use will put pressure on the vendor to release a patch faster, as customers flee from their product). Obviously if you say "I have found a serious vulnerability in product X, at this file:line or at this address in the binary" that will shorten the time that it takes a blackhat to find the vulnerability and it will also encourage more blackhats to look, and as such weaken their resolve not to distribute the exploit, so don't do that. Similarly, don't give out exploit tools yourself, even if they just "demonstrate" that there is a vulnerability and need to be modified to be used as hacking tools.

    But doing nothing is worse and contacting only the vendor, who will take 120 days to release a patch, just as bad.

  3. Re:Responsible Disclosure == hiding vulnerabilitie on Responsible Disclosure — 16 Opinions · · Score: 1

    Are you trying to suggest that we shouldn't provide the right information for people who effectively manage their risk because some people are incapable of doing so? If an independant security analyst can find a vulnerability with no special tools or knowledge, then it is equally likely that a blackhat has found it. In fact, it's a lot more likely, as we suspect their are a hell of a lot more "bad guys" than there are "good guys".

  4. Re:Responsible Disclosure == hiding vulnerabilitie on Responsible Disclosure — 16 Opinions · · Score: 1

    Two weeks ok, fine, take your time and test it, cause maybe no-one is being broken into right now. Four months? No-one should be exposed for that long. It's guarenteed to be found and exploited. And what if we know people are exploiting this vulnerability right now? Does that change our response? It should. There should be a hot fix or at least an advisory to disable the service (or the relevant portions) put out immediately. And how about releasing a signature all those people running intrusion detection systems or protocol level firewalls? Shouldn't that be done immediately in any case?

  5. Re:Why there is no entry for 'responsible disclosu on Responsible Disclosure — 16 Opinions · · Score: 3, Insightful

    Sorry, no, that's bullshit. If you wanna make stupid analogies, at least get them right. Calling "Fire!" in a crowded theatre is absolutely perfectly ok, if there is a fire. However, if you know there is a fire and know that people will, sooner or later, get burnt, going for a stroll to the front office and asking to talk to the manager, tell him there is a fire, and have him say "Yeah, we'll get to that in about 120 days, on average" is not ethical. It's not responsible. It's participating in a conspiracy that belittles the people in the theatre and hampers their ability to make a valid risk assessment.

  6. Re:If I were Microsoft on Responsible Disclosure — 16 Opinions · · Score: 1, Interesting

    I happen to know some people who have exactly that relationship with Microsoft.. except for the whole credit part.. they sell the rights to that along with their soul. Of course, seeing as I'm not about to give up the names of these people, you'll just have to take my word for it (or call me a lier, whichever you prefer). Microsoft doesn't make this policy public because it is out and out unethical. People have a right to know the risk of running Microsoft software, but so many security flaws are fixed in service packs without even a mention as to their existence.. therefore customers have only a vague idea of how important it is to upgrade.

  7. Responsible Disclosure == hiding vulnerabilities on Responsible Disclosure — 16 Opinions · · Score: 4, Interesting

    The responsible vendor takes time to vet the problem within their own lab. They have to develop a patch, [they] Quality Control it and then publish the patch. Microsoft and Oracle average about 120 days to do this.

    So, in order to be "responsible" you have to keep the vulnerability secret for 120 days. Four months. You're kiding right? Say I'm an independant researcher. I find this vulnerability using no special skills and publically available tools. Clearly a highly skilled blackhat could just as likely have found the same vulnerability as me. Let's suppose that I've found this vulnerability in the first 2 days of a new release of the product under inspection. The blackhat could well have discovered it in the same number of days, but let's say it takes him a month longer than me, just to be generous. I'm supposed to sit on this vulnerability and let the blackhat break into systems using it for how long? 3 months? This is responsible? Wouldn't it be more responsible if I were to go public immediately? Obviously publishing tools which script kiddies can use to attack people is not a good idea, that's not what we're talking about. Surely I should at least tell people that I have found a vulnerability and that the software in question is not, in my opinion, something that you should be using if you care about security. Isn't my failure to do this just make me complacent in a conspiracy to hide that fact that people may be breaking into systems using this vulnerability?

    What if I'm an IDS manufacturer? I start getting alarms that shell code has been detected in a protocol stream that has never before seen shell code in it. Analysing the incident I discover that there is a vulnerability in a particular daemon which these attackers are using to gain unauthorised access. Who should I inform? The vendor of that daemon? My customers? Or the general public? This is no longer a theoretical "the bad guys might know too" situation, this is a widespread pattern of attack that I have detected indicating that real harm is being done. If I fail to inform the public immediately, am I not complacent in helping nto more computers? Doesn't sound very responsible to me.

  8. Re:How about both? on Is 'Safe' Gaming The Best Kind Of Gaming? · · Score: 1

    Thing is, you get to retry those quests as much as you like. Even in MMORPGs the quest system will happily hand you the same quest over and over if you continue to fail. As such, anyone can get through them because they get the knowledge from their failures to guide them in later attempts. The problem here is that getting to "the end" is not a fantastic feat. There's no reverence for people who do it, so there's no reason for people to try, plus there's no reason for people who have done it to stick around.. unless you add more and more content to keep them happy that is, and that just makes the journey even more meaningless.

  9. Re:This is like playing tabletennis alone on New Record Prime Found · · Score: 1

    Or, ya know, estimating protein folding, something that could contribute to medical research and thus save lives one day.

  10. Re:Rubbish! on The Drawbacks of Anonymous Surfing · · Score: 1

    Keep thinking that, Tony.

  11. Re:Rubbish! on The Drawbacks of Anonymous Surfing · · Score: 1

    besides which, I know who you are!

  12. Re:Homework assignment on Banned Books published by Google · · Score: 1

    Duh. Personally I don't know why anyone puts up with the trouble of adding non-pointer types to stl structures. Yes, it's nice to have a std::map blah; and do blah[5].bar = "hello"; but is it really that much more trouble to do blah[5].bar = new Foo("hello"); it's cleaner to have required fields like bar in the constructor anyway!

  13. and remember son.. on The Drawbacks of Anonymous Surfing · · Score: 1

    if something is hard, it's not worth doing.

  14. Re:Homework assignment on Banned Books published by Google · · Score: 4, Funny

    Similarly, explain the difference between formal and implicit polymorphism in C++.

    HINT: both involve overloading of terms.

  15. Re:The solution on EU And Microsoft Clash Over Vista Security · · Score: 1

    network firewall != application firewall. Get a clue.

  16. Re:Reverse Engineer the Game on No Patch for Dead Rising Fans · · Score: 1

    Of course that would have been nice. It'd also be nice if companies were held responsible for their products, but hey, I can't do anything about that, can I?

  17. Re:The solution on EU And Microsoft Clash Over Vista Security · · Score: 1

    and absolutely none of that will help you monitor and protect yourself from what arbitary code can do as your user.

  18. Re:Reverse Engineer the Game on No Patch for Dead Rising Fans · · Score: 0, Troll

    Making a PC port is something else you could do. Of course, I'm thinking that where the article says "Dead Rising Fans", it really means "Dead Rising Players" because I doubt many of the people we're talking about are "fans" in the sense of "I'm willing to dedicate weeks of my life to making this game more playable". Guess we'll need to wait 10 years before the real "fans" of this game show us what they're willing to do to make it so others can enjoy the game.. and that's likely to render this particular issue the most easiest to fix (lots of luck finding a compatible display for an XBOX 360 in 10 years time).

  19. Re:Reverse Engineer the Game on No Patch for Dead Rising Fans · · Score: 1

    lawyers and exec types see one thing and one thing only, the bottom line, and if there's no money to be gained by suing you, they don't.

  20. Re:The solution on EU And Microsoft Clash Over Vista Security · · Score: 1

    No, I'm not.

  21. Re:Reverse Engineer the Game on No Patch for Dead Rising Fans · · Score: 2, Funny

    Yes, because you'll be taking money away from them by encouraging people to play their game. Oh wait.

  22. Reverse Engineer the Game on No Patch for Dead Rising Fans · · Score: 1

    Write your own patch. You can also improve the gameplay. Make new levels/mods, etc. Wouldn't it be nice if we had tools that could make this easier?

  23. Re:The solution on EU And Microsoft Clash Over Vista Security · · Score: 0, Troll

    It's not like the concept of an application firewall even exists on Linux. If you download random binaries you find on the internet and run them using root, or your regular user account, it is considered your own damn fault if said program contains a trojan which DDOSs someone or deletes everything in your home directory. Linux application security consists of "run it as 'nobody'" or "just don't do that." Clearly this is not a realistic option on Windows, where regular day to day usage of your computer includes exploring the massive catalog of software available on the Internet, and so an application firewall is a sensible precaution. Personally I see absolutely no reason why this should be a third party product. The operating system should enable the user to mediate and control what programs do for them.. that's one of the reasons we have operating systems (the other major one being to abstract and share the hardware). Just because Microsoft has been ignoring the need for this level of control for years doesn't mean that it should remain provided by third parties for ever. If they can do it better than Microsoft, and surely they can, then Microsoft should certainly be prohibited from interfering with them providing this software, and the third party security software developers really have nothing to worry about, do they?

  24. Re:dtrace is a great peice of software on Sun Wins Top Tech Innovation Award · · Score: 1

    Thank you Solaris marketing man. I am aware what dtrace is.

  25. Re:dtrace is a great peice of software on Sun Wins Top Tech Innovation Award · · Score: 1

    Ya know, it's not exactly hard to get dtrace onto Linux. It's not a big system, simply rewrite it. The only hard part would be not improving it as you did. (That's not a dig at dtrace, I mean that you would inevitably find ways to customize it to Linux that may make your reimplementation incompatible with the Solaris version and it would take some discipline to avoid those changes). And as for GUIs, yes, as many others have pointed out, there are some in development.