There are basically two types of disclosure: 1) Disclosure of the existence of a vulnerability and 2) Disclosure of an exploit for a vulnerability. They are, of course, related. But type 1 doesn't immediately put users at serious risk. Hackers would still need to pick apart the underlying execution code and then work on developing a functional exploit. This can take several hours to (hopefully) several days or longer. At least in this case, the presumably embarrassed and harassed-by-customers vendor gets motivated to quickly issue a patch. Type 2 disclosures should be shunned by everyone. These present an immediate hazard to end users and provide no conceivable benefit to anyone (except PR to the group that issued the exploit).
Responsible researchers should always give software vendors a "final warning" and 1 - 2 weeks notice before releasing a type 1 disclosure.
I remember back in the early days of Netscape. I naively thought, "This browser is going to make operating systems irrelevant. People are going to write all of their applications in HTML or more advanced scripting languages, and Windows is going to shrivel up." Needless to say, it wasn't many years more until Microsoft "cut off Netscape's air supply", and Netscape all but disappeared.
So when I hear of some new technology, web-based or other, that's going to make operating systems irrelevant, I just smile. We've been there before, and we've seen that.
Show me one US economist, journalist, or op-ed writer who has lost a job because of outsourcing, and gone on to write an opinion in favor of outsourcing. For that matter, find me one engineer who has lost his or her job through outsourcing - there are hundreds of thousands to choose from - who has gone on to find a better job because of the experience. Why is it that only people who have never lost a job this way are for more outsourcing?
Good free ones: nessus, nmap, nikto. Besides Retina, look at Foundstone. There is also Qualys, nCircle and several others (search for vulnerability assessment tools).
Make sure that you understand the network topology, especially if firewalls & routers are involved.
There are also host-based scanning tools designed to be run on individual systems, primarily to harden them.
I understand the X11 paradigm. [In fact, I was an X11 developer back in the days of R4.] What I would like to do is be able to click a button and release it, but have the action (mouse event) be that the button is "held down" until I click again (at which point a button up event is generated). This is possible on many programmable mice on MS PCs (using a vendor driver). The reason I want this is that holding down a mouse button can (and does) cause RSI pain.
I have communicated with the vendor. All they say is that the mouse will be detected as a "two button" mouse. None of the programmability (available via the Windows driver) will be present. So while the mouse would "work", it wouldn't have the feature set I want.
Do you want to teach at a university, or work in a research environment (e.g., Bell labs)? If so, get your Ph.D. If not, get a job.