Dailydave mailing list archives
Re: The old speak: Wassenaar, Google, and why Spender is right
From: Michal Zalewski <lcamtuf () coredump cx>
Date: Sat, 1 Aug 2015 21:14:24 -0700
> Anyways, both sides of the disclosure fence suffer from one fatal flaw. A flaw that Brad Spengler AKA Spender has been incessantly pointing out for years, and it's that bugs don't matter. Bugs are irrelevant. Yet our industry is fatally focused on what is essentially vulnerability masturbation.
To be very frank... I think you're a bit guilty of the same oversimplification that you attribute to the 0-day crowds :-) Containment and detection matter. So does proper system design. And yup, every enterprise should plan for getting owned, instead of assuming that the AV software on their workstations will be able to stop bad guys in their tracks. But squashing bugs matters, too - not on an individual scale, but because all other principles aren't worth much if any attacker is likely to have a cache of trivial 0-days for *every* single layer of defense that you have in place. I'm sure that neither you nor Brad are running 15-year-old copies of Apache and OpenSSH, or browsing the web with Netscape Navigator, and then putting all your faith in containment frameworks.

Now, that aside... I don't really follow parts of your argument against vulnerability disclosure as a concept - or more specifically, I don't see the inherent connection to privacy worries, to government oppression, to black hat mercenaries, or to flashy conference showmanship. That said, I think it's hard to have a perfectly rational discussion about such deeply-held beliefs, and I recognize that my own views are hopelessly subjective =)
> Having said that, if you gave me a billion dollars today, what percentage of the Google security team could I employ tomorrow?
Here, I'd just say what I mentioned to Dave in an earlier thread: people have strong beliefs about P0, and I think it's fine. But from what I recall, P0 amounts to somewhere under 5% of Google's security & privacy headcount - so projecting these beliefs onto the entire security org just doesn't seem right.

/mz

_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave