On Tue, Jul 22, 2014 at 1:48 AM, coderman wrote:
> ...
> perhaps someone to help answer the question is Google, if they felt inclined.
more context, although less sophisticated than TAO tech:
"When Governments Hack Opponents: A Look at Actors and Technology"
- http://www.icir.org/vern/papers/go
On Fri, Jul 18, 2014 at 12:22 PM, Denis 'GNUtoo' Carikli
wrote:
> ...
> If the adversary looses one exploit each times he attacks someone, then...
perhaps someone to help answer the question is Google, if they felt inclined.
per "re:publica 2014 - Morgan Marquis-Boire: Fear and Loathing on the I
On Thu, Jul 17, 2014 at 12:32:26PM -0700, coderman wrote:
> On Thu, Jul 17, 2014 at 12:19 PM, Andy Isaacson wrote:
> > ...
> > And once you've patched this bug, FOXACID will update to issue another
> > 0day.
> >
> > It's worth doing, for sure! Patching bugs makes us all incrementally
> > safer.
>
On 07/18/2014 06:12 AM, coderman wrote:
[...]
i approve of this timeline, and am anxious to see if NSL's are used to
trump some exploits. (how would you know? good question :)
* U.S. National Security Letters
* U.S. National Exploit Stockpile
* Effective public bug-quashing program in U.S.
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On Thu, 17 Jul 2014 12:19:31 -0700
Andy Isaacson wrote:
> But don't pretend that patching the specific attack your adversary is
> currently using will disable or even seriously inconvenience the
> adversary.
Well, going public about it is important s
On Fri, Jul 18, 2014 at 1:40 AM, Wasa Bee wrote:
> if Google start actively looking for bugs, aren't they going to have a
> ranking per vendor every year to incentive "bad vendors" to improve?
you'll be able to read the vendor responses yourself in the Project
Zero blog. two timelines were stated
if Google start actively looking for bugs, aren't they going to have a
ranking per vendor every year to incentive "bad vendors" to improve?
What are the other means they can incentive vendors, without making too
much of a fuss that users don't loose confidence in web security overall?
On Thu, Jul
On 07/17/2014 05:57 PM, Griffin Boyce wrote:
> Andy Isaacson wrote:
>>> this is exactly why some who have received these payloads are
>>> sitting on them, rather than disclosing.
>
>> Hmmm, that seems pretty antisocial and shortsighted. While the
>> pool of bugs is large, it is finite. Get bugs
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Andy Isaacson wrote:
>> this is exactly why some who have received these payloads are
>> sitting on them, rather than disclosing.
>
> Hmmm, that seems pretty antisocial and shortsighted. While the
> pool of bugs is large, it is finite. Get bugs fixe
On 07/17/2014 04:11 PM, coderman wrote:
On Thu, Jul 17, 2014 at 12:41 PM, Andy Isaacson wrote:
...
this is exactly why some who have received these payloads are sitting
on them, rather than disclosing.
Hmmm, that seems pretty antisocial and shortsighted. While the pool of
bugs is large, it i
On Thu, Jul 17, 2014 at 1:11 PM, coderman wrote:
> ...
> - if you want to thwart FOXACID type attacks there are ways to do it
> without knowing specific payloads. (architectural and broad
> techniques, not fingerprints on binaries or call graphs)
some specific examples:
A: exploit reuse to arbi
On Thu, Jul 17, 2014 at 1:11 PM, coderman wrote:
> ...
>> Forcing deployments to move to more interesting bugs will also give
>> insight into IAs' exploit sourcing methodologies.
>
> this is absolutely true and useful,
> and does not require making specific exploits public.
i have high hopes for
On Thu, Jul 17, 2014 at 12:41 PM, Andy Isaacson wrote:
> ...
>> this is exactly why some who have received these payloads are sitting
>> on them, rather than disclosing.
>
> Hmmm, that seems pretty antisocial and shortsighted. While the pool of
> bugs is large, it is finite.
consider, having rec
On Thu, Jul 17, 2014 at 12:32:26PM -0700, coderman wrote:
> > And once you've patched this bug, FOXACID will update to issue another
> > 0day.
> >
> > It's worth doing, for sure! Patching bugs makes us all incrementally
> > safer.
>
> this is exactly why some who have received these payloads are
On Thu, Jul 17, 2014 at 12:19 PM, Andy Isaacson wrote:
> ...
> And once you've patched this bug, FOXACID will update to issue another
> 0day.
>
> It's worth doing, for sure! Patching bugs makes us all incrementally
> safer.
>
> But don't pretend that patching the specific attack your adversary is
On Thu, Jul 17, 2014 at 03:14:32PM -0400, Jonathan Wilkes wrote:
> We know something about the selectors that could trigger
> Foxacid attacks, and we can record the data sent to a machine
> running Tor Browser Bundle. So has anyone set up a sitting duck to
> trigger and record the payload of
Hello list,
We know something about the selectors that could trigger Foxacid
attacks, and we can record the data sent to a machine running Tor
Browser Bundle. So has anyone set up a sitting duck to trigger and
record the payload of the attack?
Once the payload is known then Firefox coul
17 matches
Mail list logo