Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
This Year's Pwn2Own Hackfest Will Offer Up to $2 Million in Rewards
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/29/2018 | 11:11:31 PM
Re: The rewards of virtue?
@Dr.T: Is that necessarily so, though?

Depends on the bad guy. Your run-of-the-mill thief deals with volume -- and is therefore looking for low-hanging fruit. A nation-state, on the other hand, operates under an entirely different "business model" -- and therefore has both the incentive and the resources to do this kind of in-depth research.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/29/2018 | 7:04:16 PM
Re: The rewards of virtue?
"Probabilities aside, the vulnerability underlying M/S was found and made known by researchers.  That they were well intentioned doesn't alter the fact that the results have been disruptive and costly"

This makes sense. Maybe software vendors should be hold more accountable.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/29/2018 | 7:01:50 PM
Re: The rewards of virtue?
"there was a substantial probability that "bad guys" were about to discover it anyway."

I would agree with this. Bad guys have more incentive than good guys.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/29/2018 | 6:59:14 PM
Re: The rewards of virtue?
"the case with the Meltdown/Spectre"

my understanding is that Intel got enough time to fix the bug, they were not quick enough.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/29/2018 | 6:57:30 PM
Re: The rewards of virtue?
"But consider what happens when the discoveries leak out before the mitigations and fixes are ready"

This is a good point. We would want to avoid this part of it one way or another.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/29/2018 | 6:55:14 PM
Re: The rewards of virtue?
"Malware is just software - which can be used to do bad things; and what's bad or good will always be a judgement call. "

I say intention is important. If it tries to hurt people than it is bad.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/29/2018 | 6:27:40 PM
Re: Exploit hunting for fun and profit?
"Exploit hunting for fun and profit? "

This would be a good thing I would say, both earing money and having fun.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/29/2018 | 6:24:16 PM
Re: Exploit hunting for fun and profit?
" other words: they are looking for the exploitable.  Is it always a good thing, that they find it? "

I see, I say yes, it is better to find it as early as possible.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/29/2018 | 6:23:12 PM
Re: Exploit hunting for fun and profit?
"Without denying the positives of cybersecurity research (and researchers), we should also look at the negative consequences, both realized and unanticipated. "

What type of negative consequences could there be?
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/29/2018 | 6:21:31 PM
Re: Exploit hunting for fun and profit?
"Remember when  a programming "bug" was first rebranded as "an undocumented feature"?  That was a clever way to spin a half-truth"

I hear you. If it was a TDD approach, bug may be considered a featuire. :--))
Page 1 / 2   >   >>


Commentary
How SolarWinds Busted Up Our Assumptions About Code Signing
Dr. Jethro Beekman, Technical Director,  3/3/2021
News
'ObliqueRAT' Now Hides Behind Images on Compromised Websites
Jai Vijayan, Contributing Writer,  3/2/2021
News
Attackers Turn Struggling Software Projects Into Trojan Horses
Robert Lemos, Contributing Writer,  2/26/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Sure you have fire, but he has an i7!
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-27314
PUBLISHED: 2021-03-05
SQL injection in admin.php in doctor appointment system 1.0 allows an unauthenticated attacker to insert malicious SQL queries via username parameter at login page.
CVE-2019-18630
PUBLISHED: 2021-03-04
On Xerox AltaLink B8045/B8055/B8065/B8075/B8090 and C8030/C8035/C8045/C8055/C8070 multifunction printers with software releases before 101.00x.099.28200, portions of the drive containing executable code were not encrypted thus leaving it open to potential cryptographic information disclosure.
CVE-2021-25344
PUBLISHED: 2021-03-04
Missing permission check in knox_custom service prior to SMR Mar-2021 Release 1 allows attackers to gain access to device's serial number without permission.
CVE-2021-25345
PUBLISHED: 2021-03-04
Graphic format mismatch while converting video format in hwcomposer prior to SMR Mar-2021 Release 1 results in kernel panic due to unsupported format.
CVE-2021-25346
PUBLISHED: 2021-03-04
A possible arbitrary memory overwrite vulnerabilities in quram library version prior to SMR Jan-2021 Release 1 allow arbitrary code execution.