[Dailydave] Remember The Titans

Andreas Lindh andreas at haxx.ml
Fri Jul 31 14:55:48 EDT 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I don't want to come off as some Google fanboi or anything, and I
don't always agree with P0's methods, but Google's business model
pretty much starts and ends with people using the internet (and not
just Google's own services). Making (or appearing to make, whatever
your opinion is) the internet safer by finding and getting bugs fixed
seems like a pretty good start in that regard.

Andreas


On 07/31/2015 06:52 PM, Michal Zalewski wrote:
>> I went back a couple days ago and re-read the latest Qualys
>> exploit, as you should: http://seclists.org/oss-sec/2015/q3/185
>> .
> 
> Interestingly, history sorta repeats itself: 
> https://lwn.net/Articles/6137/
> 
> Now... while I generally agree with you that some of the 
> most-publicized work is usually just a distraction and that it
> gets picked up by the press based primarily on how much effort is
> put into marketing the research and whether it superficially
> touches one of the "cool" topics (IoT, mobile, privacy), this one
> snippet caught my eye:
> 
>> [...rant about P0...] Why would you have all your best hackers
>> working on random external companies and not securing the stuff
>> you deliver to customers and depend on for your business? Where's
>> all the hard core XSS work against Inbox.google.com that needs to
>> be publicized?
> 
> While folks tend to have strong opinions about P0 and I don't
> really want to change yours, this bit seems a bit harsh. The vast
> majority of our security folks are indeed working on other things,
> including some really phenomenal work on systemic XSS mitigations
> (or multiple containment layers for AppEngine, so that breaking one
> is not a game-ending situation). P0 is a comparatively small
> effort, given the overall size of our security team, and it caters
> specifically to people who don't want to do anything but vuln
> research, full-time.
> 
> Heck, I like breaking stuff and I'm not on P0.
> 
> /mz
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
-----END PGP SIGNATURE-----


