Re: [Dailydave] Re: Hacking's American as Apple Cider
From: Marcus J. Ranum (mjr ranum.com)
Date: Wed Sep 21 2005 - 11:12:14 CDT
pageexec freemail.hu wrote:
>now, users don't become vulnerable because of disclosure (i know
>that the 'responsible' disclosure guys like to mislead the public
>with that, no idea why you picked up their line...), they become
>vulnerable by running buggy apps (or using weak crypto in the
>analogy).
I didn't pick up their line; they picked up mine. My involvement in
that particular debate goes back a long way. :)
Anyhow, I completely disagree with your assertion that
"users don't become vulnerable because of disclosure"
I believe that users become vulnerable through a combination
of events:
- choice of what code the user will be running
- pre-existence of a flaw in the code
- discovery of the flaw
- exploitation of the flaw
All four of these things must happen (in approximately that order)
for a user to become vulnerable. If any single one of those four
does not happen, the user is not vulnerable to a particular flaw.
Now, anyone involved in any of those four steps must assign
or accept moral onus for the consequences of their actions
or inactions, if they result in someone being victimized. How
you choose to do so depends on your personal value system,
if you have one.
mjr.