[liberationtech] Foxacid payload
Wasa Bee
wasabee18 at gmail.com
Fri Jul 18 01:40:19 PDT 2014
If Google starts actively looking for bugs, aren't they going to have a
ranking per vendor every year to incentivize "bad vendors" to improve?
What are the other means by which they can incentivize vendors, without making too
much of a fuss, so that users don't lose confidence in web security overall?
On Thu, Jul 17, 2014 at 11:07 PM, Richard Brooks <rrb at g.clemson.edu> wrote:
> On 07/17/2014 05:57 PM, Griffin Boyce wrote:
> > Andy Isaacson wrote:
> >>> this is exactly why some who have received these payloads are
> >>> sitting on them, rather than disclosing.
> >
> >> Hmmm, that seems pretty antisocial and shortsighted. While the
> >> pool of bugs is large, it is finite. Get bugs fixed and get
> >> developers to write fewer bugs going forward, and we'll rapidly
> >> deplete the pool of 0day and drive up the cost of FOXACID style
> >> deployments.
> >
> >> Forcing deployments to move to more interesting bugs will also
> >> give insight into IAs' exploit sourcing methodologies.
> >
> > Solidarity is really important here. "Increased security for those
> > who actively set honeytraps" doesn't really scale at all, and most
> > people will never reap the rewards of this work. =/ Forcing the
> > government and defense contractors to burn through 0day at a high rate
> > is far, FAR better than coming across one or two on your own and
> > hiding it. These backdoors need to be revealed if we're to protect
> > ourselves.
> >
> > Let's sunburn these motherfuckers.
> >
>
> You are forgetting moral hazard.
>
> Why are there so many bugs? The laws relieve software manufacturers
> of liability for the flaws of their programs. It is cheaper to
> let clients do the testing for you.
>
> If a 3rd party like Google takes over the software testing for
> free, there is even less incentive to make the slightest effort
> to test pre-release software and make non-faulty products.
>
> You will not exterminate all the bugs, you will give the bug
> makers (software manufacturers) more incentive to flood the
> world with faulty products.
>
> Which I think is why the open source/free products are more reliable
> than the commercial ones. The economic incentives are to build
> crap quickly. If you are not doing the work for profit motives,
> you can afford to make a decent product.
>
>