Re: [Full-disclosure] Yahoo Bug Bounty Program Vulnerability #2 Open Redirect

2014-01-13 Thread Kenneth F. Belva
Just as an FYI, I also reported this exact bug to Yahoo! in November on 11/21/2013 as part of the BugBash at OWASP AppSecUSA 2013 through BugCrowd, prior to your December 13th disclosure date to Yahoo. As part of my discussions with Yahoo! Security on this issue I was told that it was reported to

[Full-disclosure] bloginfosec.com: We're looking for a few good columnists!

2008-07-09 Thread Kenneth F. Belva
to your inbox! See the top right of the magazine for the subscription box. Thanks for your time. I look forward to hearing from you. Kenneth F. Belva Publisher Editor-in-Chief, bloginfosec.com ___ Full-Disclosure - We believe in it. Charter: http

[Full-disclosure] Security as an Enabler - Virtual Trust: An Open Challenge to All InfoSec Professionals

2006-09-28 Thread Kenneth F. Belva
I've been defending Virtual Trust as an enabler for the past three days on the full-disclosure list. So far, fairly successfully. Here's the challenge: How creative are you *for* VT, *against* VT and determining the *impact* of VT? Here's your chance to figure out what works and what doesn't

[Full-disclosure] Security as an Enabler - Virtual Trust: An Open Challenge to All InfoSec Professionals

2006-09-28 Thread Kenneth F. Belva
DaveK, I've been defending Virtual Trust as an enabler for the past three days on the full-disclosure list. So far, fairly successfully. An enabler *of* anything in particular? Or just some kind of magic enabling pixie dust, good for all purposes? An enabler of business. Here's the

Re: [Full-disclosure] Security as an Enabler - Virtual Trust: An Open Challenge to All InfoSec Professionals

2006-09-28 Thread Kenneth F. Belva
Glenn, Thanks for your reply. My response: Most of your argument below does not get to the heart of the issue. It seems to be an issue of semantics. You do not like the term Virtual Trust. You write: Many of us have argued for at least decades now that more trustworthy systems and more

Re: [Full-disclosure] Rothman: Belva's a Joker (was Could InfoSec beWorse than Death?)

2006-09-27 Thread Kenneth F. Belva
Tom, No I don't mind answering your objections. I find this debate very healthy and it helps me to further clarify these ideas. After all, I am the challenger to a very entrenched perspective (loss prevention). I'd better be able to discuss the differences to people's satisfaction. Your

[Full-disclosure] Rothman: Belva's a Joker (was Could InfoSec be Worse than Death?)

2006-09-26 Thread Kenneth F. Belva
Paul, Let me say that the reason I published this paper is because of anti-enablement arguments such as this which call me a joker: http://securityincite.com/TDI-2006-09-25#TBP4 This has been a very thoughtful discussion. I think we are closer in thinking than you realize. I hope you do not mind

[Full-disclosure] Could InfoSec be Worse than Death?

2006-09-25 Thread Kenneth F. Belva
[From: http://www.bloginfosec.com] Our current way of viewing information security is loss prevention. It is an insurance model. And, although insurance is useful and necessary, senior managers are not likely to spend one dollar more than necessary to obtain the needed protection. After all,

[Full-disclosure] Could InfoSec be Worse than Death?

2006-09-25 Thread Kenneth F. Belva
Paul, Thanks for your comments. Unless you can demonstrate concrete revenue generation directly attributable to security, I don't think you can overcome that perception (and loss avoidance through trust building does not generate revenue.) I believe the purpose of the paper is to move away

Re: [Full-disclosure] Could InfoSec be Worse than Death?

2006-09-25 Thread Kenneth F. Belva
Paul, Thanks for your comments. Unless you can demonstrate concrete revenue generation directly attributable to security, I don't think you can overcome that perception (and loss avoidance through trust building does not generate revenue.) I believe the purpose of the paper is to move

[Full-disclosure] InfoSec Paper: Creating Business Through Virtual Trust

2006-08-28 Thread Kenneth F. Belva
://www.ftusecurity.com/pub/VT-belva-dekay-final.pdf We have set up a website for your feedback. Please register if you are interested in participating in the dialogue. The site is: http://bbs.ftusecurity.com Thanks for your interest. We look forward to a productive discussion. Sincerely, Kenneth F. Belva

[Full-disclosure] Presentation: ATT ISNN - Case Studies in Finding Previously Unknown Vulnerabilities in Web Applications.

2006-06-28 Thread Kenneth F. Belva
://www.att.com/isnn/ Thank you for your interest. Sincerely, Kenneth F. Belva, CISSP http://www.ftusecurity.com http://www.ftusecurity.com/blog/

[Full-disclosure] What's Up Professional Spoofing Authentication Bypass

2006-05-17 Thread Kenneth F. Belva
is released and the company does not credit me with the initial report. Sincerely, Kenneth F. Belva, CISSP http://www.ftusecurity.com

[Full-disclosure] Is the Bottom Line Impacted by Security Breaches?

2005-09-28 Thread Kenneth F. Belva
opinions on the matter. Sincerely, Kenneth F. Belva, CISSP http://www.ftusecurity.com

[Full-disclosure] Is the Bottom Line Impacted by Security Breaches?

2005-09-28 Thread Kenneth F. Belva
In the paper I ask: If 40 million customer credit card numbers are exposed in a security breach at the credit card processor CardSystems, why do a significant number of people not cancel their Visa and/or Mastercard? Simple... because Mastercard/Visa got to avoid having to notify their

[Full-disclosure] Paper - How It's Difficult to Ruin a Good Name: An Analysis of Reputational Risk

2005-09-21 Thread Kenneth F. Belva
/FiTechSummit_final_paper.pdf This paper should be regarded as a starting point for further, positive discussion. Sincerely, Kenneth F. Belva, CISSP http://www.ftusecurity.com