[Dailydave] Remember The Titans

Michal Zalewski lcamtuf at coredump.cx
Fri Jul 31 12:52:42 EDT 2015


> I went back a couple days ago and re-read the latest Qualys exploit, as you
> should: http://seclists.org/oss-sec/2015/q3/185 .

Interestingly, history sorta repeats itself:
https://lwn.net/Articles/6137/

Now... while I generally agree with you that some of the
most-publicized work is usually just a distraction and that it gets
picked up by the press based primarily on how much effort is put into
marketing the research and whether it superficially touches one of the
"cool" topics (IoT, mobile, privacy), this one snippet caught my eye:

> [...rant about P0...]
> Why would you have all your best hackers working on random external
> companies and not securing the stuff you deliver to customers and depend on
> for your business? Where's all the hard core XSS work against
> Inbox.google.com that needs to be publicized?

While folks tend to have strong opinions about P0 and I don't really
want to change yours, this bit seems a bit harsh. The vast majority of
our security folks are indeed working on other things, including some
really phenomenal work on systemic XSS mitigations (or multiple
containment layers for AppEngine, so that breaking one is not a
game-ending situation). P0 is a comparatively small effort, given the
overall size of our security team, and it caters specifically to
people who don't want to do anything but vuln research, full-time.

Heck, I like breaking stuff and I'm not on P0.

/mz

