...it's easier to know how to break into a system/box/whatever, than it is to learn exactly what happened and take measures to prevent it.
Sure, some items are fairly obvious, but I'm willing to wager that there are a lot of exploits that even dedicated security officials aren't aware of, simply because the exploit was found and put to use, but never reported.
As it applies to 9/11, I'm fairly certain that OBL and his boys are more willing to shell out the cash for the folks who can find undiscovered vulns
"Sure, some items are fairly obvious, but I'm willing to wager that there are a lot of exploits that even dedicated security officials aren't aware of, simply because the exploit was found and put to use, but never reported."
These have a name. They are called 0-day exploits. This sort of thing is what the Mozilla Foundation is trying to prevent with their bounty program: find a bug, and instead of saving it for later you get enough money for your new video card for Doom 3. Easy choice. Other systems of tr
Yep, they're zero-day exploits, but I was thinking of folks who, instead of holding it in their back pocket, offer the use of that vulnerability for sale... and for a lot more cash than the MSRP of a new video card.
In Mozilla's case, it would be possible to track an exploit and write your own patch, thanks to F/OSS.
Open source brings up another point - how can an agency prepare for an attack, even knowing how they'll get attacked, if the OS/proggie vendor hasn't a patch out for it yet...
It depends on the vulnerability, now, doesn't it? For example, if you knew about a problem with a particular library that handled PNG files, and you were using any software, whether open or closed, with no patch in the foreseeable future, you could do things like have your web proxies drop PNG images.
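Added example, not from any poster in this thread: what "have your web proxies drop PNG images" looks like as a filter rule, written in Python. The Response class, looks_like_png, filter_response and the sample traffic are all my own constructions for illustration, not any real proxy's API. The practitioner's caveat it bakes in: the Content-Type header and the .png suffix are both attacker-controlled, and browsers sniff bytes and decode anyway, so the rule also checks the eight-byte PNG signature. It assumes the proxy hands it a decoded body; a gzip-compressed body would have to be inflated first or the signature check is blind.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

# First eight bytes of every valid PNG file (the standard value; constant name is mine).
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
BLOCK_BODY = b"image blocked by proxy policy: PNG decoding disabled"


@dataclass
class Response:
    """Minimal stand-in for an HTTP response as a filtering proxy sees it.

    Assumption: body is already decoded (no Content-Encoding). A real proxy
    must gunzip before the signature check or the check sees only gzip bytes.
    """
    url: str
    headers: dict
    body: bytes


def _header(resp, name):
    """Case-insensitive header lookup; empty string if absent."""
    for k, v in resp.headers.items():
        if k.lower() == name:
            return v
    return ""


def looks_like_png(resp):
    """True if any of three independent signals says this is a PNG.

    Declared type and URL suffix are cheap to check but easy to fake;
    the file signature is the signal that actually decides the hostile case.
    """
    ctype = _header(resp, "content-type").split(";")[0].strip().lower()
    if ctype == "image/png":
        return True
    if urlparse(resp.url).path.lower().endswith(".png"):
        return True
    return resp.body[:len(PNG_SIGNATURE)] == PNG_SIGNATURE


def filter_response(resp, block_png=True):
    """Return the response to forward, or a plain-text replacement if it is a PNG."""
    if block_png and looks_like_png(resp):
        return Response(resp.url,
                        {"Content-Type": "text/plain", "X-Proxy-Blocked": "png"},
                        BLOCK_BODY)
    return resp


# Constructed sample traffic, not captured from any real site.
SAMPLE_RESPONSES = [
    Response("http://example.test/logo.png",
             {"Content-Type": "image/png"}, PNG_SIGNATURE + b"\x00" * 16),
    Response("http://example.test/cat.gif",
             {"Content-Type": "image/gif"}, b"GIF89a" + b"\x00" * 16),
    # Hostile case: PNG bytes served with a lying type and a .jpg name.
    Response("http://example.test/photo.jpg",
             {"Content-Type": "image/jpeg"}, PNG_SIGNATURE + b"\x00" * 16),
    Response("http://example.test/index.html",
             {"content-type": "text/html; charset=utf-8"}, b"<html></html>"),
]


def run_filter(responses=SAMPLE_RESPONSES):
    """Map each URL to whether the proxy would drop it."""
    return {r.url: filter_response(r).body == BLOCK_BODY for r in responses}


if __name__ == "__main__":
    for url, blocked in run_filter().items():
        print(("BLOCK " if blocked else "PASS  ") + url)
```

The third sample is the one that matters: a PNG renamed to .jpg with a lying Content-Type sails past a rule that only looks at headers or extensions, and is exactly how someone would deliver a file to a vulnerable decoder. The price of the stopgap is that every legitimate PNG on the network breaks too, which is why it is a bridge to the patch and not a substitute for it.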
Just one thing that very few learn... (Score:5, Interesting)
Re:Just one thing that very few learn... (Score:1)
Re:Just one thing that very few learn... (Score:2)
Re:Just one thing that very few learn... (Score:1)
There are often ways o