Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
This Year's Pwn2Own Hackfest Will Offer Up to $2 Million in Rewards
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/29/2018 | 11:11:31 PM
Re: The rewards of virtue?
@Dr.T: Is that necessarily so, though?

Depends on the bad guy. Your run-of-the-mill thief deals with volume -- and is therefore looking for low-hanging fruit. A nation-state, on the other hand, operates under an entirely different "business model" -- and therefore has both the incentive and the resources to do this kind of in-depth research.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/29/2018 | 7:04:16 PM
Re: The rewards of virtue?
"Probabilities aside, the vulnerability underlying M/S was found and made known by researchers.  That they were well intentioned doesn't alter the fact that the results have been disruptive and costly"

This makes sense. Maybe software vendors should be hold more accountable.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/29/2018 | 7:01:50 PM
Re: The rewards of virtue?
"there was a substantial probability that "bad guys" were about to discover it anyway."

I would agree with this. Bad guys have more incentive than good guys.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/29/2018 | 6:59:14 PM
Re: The rewards of virtue?
"the case with the Meltdown/Spectre"

my understanding is that Intel got enough time to fix the bug, they were not quick enough.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/29/2018 | 6:57:30 PM
Re: The rewards of virtue?
"But consider what happens when the discoveries leak out before the mitigations and fixes are ready"

This is a good point. We would want to avoid this part of it one way or another.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/29/2018 | 6:55:14 PM
Re: The rewards of virtue?
"Malware is just software - which can be used to do bad things; and what's bad or good will always be a judgement call. "

I say intention is important. If it tries to hurt people than it is bad.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/29/2018 | 6:27:40 PM
Re: Exploit hunting for fun and profit?
"Exploit hunting for fun and profit? "

This would be a good thing I would say, both earing money and having fun.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/29/2018 | 6:24:16 PM
Re: Exploit hunting for fun and profit?
" other words: they are looking for the exploitable.  Is it always a good thing, that they find it? "

I see, I say yes, it is better to find it as early as possible.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/29/2018 | 6:23:12 PM
Re: Exploit hunting for fun and profit?
"Without denying the positives of cybersecurity research (and researchers), we should also look at the negative consequences, both realized and unanticipated. "

What type of negative consequences could there be?
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/29/2018 | 6:21:31 PM
Re: Exploit hunting for fun and profit?
"Remember when  a programming "bug" was first rebranded as "an undocumented feature"?  That was a clever way to spin a half-truth"

I hear you. If it was a TDD approach, bug may be considered a featuire. :--))
Page 1 / 2   >   >>


Cloud Security Startup Lightspin Emerges From Stealth
Kelly Sheridan, Staff Editor, Dark Reading,  11/24/2020
Why Vulnerable Code Is Shipped Knowingly
Chris Eng, Chief Research Officer, Veracode,  11/30/2020
Look Beyond the 'Big 5' in Cyberattacks
Robert Lemos, Contributing Writer,  11/25/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: I think the boss is bing watching '70s TV shows again!
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-28971
PUBLISHED: 2020-12-01
An issue was discovered on Western Digital My Cloud OS 5 devices before 5.06.115. A NAS Admin authentication bypass vulnerability could allow an unauthenticated user to execute privileged commands on the device via a cookie, because of insufficient validation of URI paths.
CVE-2020-28993
PUBLISHED: 2020-12-01
A Directory Traversal vulnerability exists in ATX miniCMTS200a Broadband Gateway through 2.0 and Pico CMTS through 2.0. Successful exploitation of this vulnerability would allow an unauthenticated attacker to retrieve administrator credentials by sending a malicious POST request.
CVE-2020-6880
PUBLISHED: 2020-12-01
A ZXELINK wireless controller has a SQL injection vulnerability. A remote attacker does not need to log in. By sending malicious SQL statements, because the device does not properly filter parameters, successful use can obtain management rights. This affects: ZXV10 W908 all versions before MIPS_A_10...
CVE-2020-28940
PUBLISHED: 2020-12-01
On Western Digital My Cloud OS 5 devices before 5.06.115, the NAS Admin dashboard has an authentication bypass vulnerability that could allow an unauthenticated user to execute privileged commands on the device.
CVE-2020-28970
PUBLISHED: 2020-12-01
An issue was discovered on Western Digital My Cloud OS 5 devices before 5.06.115. A NAS Admin authentication bypass vulnerability could allow an unauthenticated user to execute privileged commands on the device via a cookie. (In addition, an upload endpoint could then be used by an authenticated adm...