Just as an FYI, I also reported this exact bug to Yahoo! in November on
11/21/2013 as part of the BugBash at OWASP AppSecUSA 2013 through
BugCrowd, prior to your December 13th disclosure date to Yahoo.
As part of my discussions with Yahoo! Security on this issue I was told
that it was reported to
to your inbox! See
the top right of the magazine for the subscription box.
Thanks for your time. I look forward to hearing from you.
Kenneth F. Belva
Publisher Editor-in-Chief, bloginfosec.com
___
Full-Disclosure - We believe in it.
Charter: http
I've been defending Virtual Trust as an enabler for the past three days
on the full-disclosure list. So far, fairly successfully.
Here's the challenge: How creative are you *for* VT, *against* VT and
determining the *impact* of VT?
Here's your chance to figure out what works and what doesn't
DaveK,
I've been defending Virtual Trust as an enabler for the past three
days on the full-disclosure list. So far, fairly successfully.
An enabler *of* anything in particular? Or just some kind of magic
enabling pixie dust, good for all purposes?
An enabler of business.
Here's the
Glenn,
Thanks for your reply. My response:
Most of your argument below does not get to the heart of the issue. It
seems to be an issue of semantics. You do not like the term Virtual Trust.
You write:
Many of us have argued for at least decades now that more trustworthy
systems and
more
Tom,
No I don't mind answering your objections. I find this debate very
healthy and it helps me to further clarify these ideas. After all, I am
the challenger to a very entrenched perspective (loss prevention). I'd
better be able to discuss the differences to people's satisfaction.
Your
Paul,
Let me say that the reason I published this paper is because of
anti-enablement arguments such as this which call me a joker:
http://securityincite.com/TDI-2006-09-25#TBP4
This has been a very thoughtful discussion. I think we are closer in
thinking than you realize. I hope you do not mind
[From: http://www.bloginfosec.com]
Our current way of viewing information security is loss prevention. It
is an insurance model. And, although insurance is useful and necessary,
senior managers are not likely to spend one dollar more than necessary
to obtain the needed protection. After all,
Paul,
Thanks for your comments.
Unless you can demonstrate concrete revenue generating directly
attributable to security, I don't think you can overcome that perception
(and loss avoidance through trust building does not generate revenue.)
I believe the purpose of the paper is to move away
://www.ftusecurity.com/pub/VT-belva-dekay-final.pdf
We have set up a website for your feedback. Please register if you are
interested in participating in the dialogue. The site is:
http://bbs.ftusecurity.com
Thanks for your interest. We look forward to a productive discussion.
Sincerely,
Kenneth F. Belva
://www.att.com/isnn/
Thank you for your interest.
Sincerely,
Kenneth F. Belva, CISSP
http://www.ftusecurity.com
http://www.ftusecurity.com/blog/
is released
and the company does not credit me with the initial report.
Sincerely,
Kenneth F. Belva, CISSP
http://www.ftusecurity.com
opinions on the matter.
Sincerely,
Kenneth F. Belva, CISSP
http://www.ftusecurity.com
In the paper I ask: If 40 million customer credit card numbers are
exposed in a security breach at the credit card processor CardSystems, why
do a significant number of people not cancel their Visa and/or
Mastercard?
Simple .. because Mastercard/Visa got to avoid having to notify their
/FiTechSummit_final_paper.pdf
This paper should be regarded as a starting point for further, positive
discussion.
Sincerely,
Kenneth F. Belva, CISSP
http://www.ftusecurity.com