If Google starts actively looking for bugs, aren't they going to have a ranking per vendor every year to incentivize "bad vendors" to improve? What are the other means by which they can incentivize vendors, without making too much of a fuss, so that users don't lose confidence in web security overall?
On Thu, Jul 17, 2014 at 11:07 PM, Richard Brooks <r...@g.clemson.edu> wrote:
> On 07/17/2014 05:57 PM, Griffin Boyce wrote:
> > Andy Isaacson wrote:
> >>> this is exactly why some who have received these payloads are sitting on them, rather than disclosing.
> >
> >> Hmmm, that seems pretty antisocial and shortsighted. While the pool of bugs is large, it is finite. Get bugs fixed and get developers to write fewer bugs going forward, and we'll rapidly deplete the pool of 0day and drive up the cost of FOXACID style deployments.
> >
> >> Forcing deployments to move to more interesting bugs will also give insight into IAs' exploit sourcing methodologies.
> >
> > Solidarity is really important here. "Increased security for those who actively set honeytraps" doesn't really scale at all, and most people will never reap the rewards of this work. =/ Forcing the government and defense contractors to burn through 0day at a high rate is far, FAR better than coming across one or two on your own and hiding it. These backdoors need to be revealed if we're to protect ourselves.
> >
> > Let's sunburn these motherfuckers.
>
> You are forgetting moral hazard.
>
> Why are there so many bugs? The laws relieve software manufacturers of liability for the flaws of their programs. It is cheaper to let clients do the testing for you.
>
> If a 3rd party like Google takes over the software testing for free, there is even less incentive to make the slightest effort to test pre-release software and make non-faulty products.
>
> You will not exterminate all the bugs, you will give the bug makers (software manufacturers) more incentive to flood the world with faulty products.
>
> Which I think is why the open source/free products are more reliable than the commercial ones. The economic incentives are to build crap quickly. If you are not doing the work for profit motives, you can afford to make a decent product.
-- Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.