From: Nate Lawson (nateroot.org)
Date: Mon Apr 20 2009 - 19:36:53 CDT
Jeffrey Czerniak wrote:
> On Mon, Apr 20, 2009 at 11:45 AM, Andre Gironda <andreggmail.com> wrote:
>> Every 0-day threat is different. Imagine telling doctors that they
>> can't allow disease, infections, et al to spread in a dying patient in
>> order to determine root-cause (ala House, the TV show). If you are
>> interested in understanding the problem, then you should also be
>> interested in "hacking into other people's computers" (or at least
>> your own computers).
> Ok, I'll accept the premise. So let's say I buy CANVAS with all the
> extra toppings, and use it to hack into my own machine. From the
> self-administered pen test, I discover that I'm vulnerable to x remote
> root exploits, and that my browser can be exploited via y different
> heap overflows in Firefox.
> If I am a rational decision-maker, what do I do with this information?
> My first instinct would be to tell the vendors, "fix this stuff
> now!" But according to immunitysec.com, I can't do that since
> CANVAS et al. are protected via NDA.
> So how do I leverage this new information to make myself safer and/or
> more secure?
"switch from acrobat reader to preview" or "add Diehard to PDF reader in
addition to browsers") and apply it to your desktops. Then you re-test
and make sure you've fixed the problem.
If this doesn't make sense to you or sounds too hard, then you're
probably not in an organization where 0-day matters. Relax and wait for
vendor patches that will appear some year.
Dailydave mailing list