Re: [Full-Disclosure] Gates: 'You don't need perfect code' for good security
- To: Full Disclosure <full-disclosure@lists.netsys.com>
- Subject: Re: [Full-Disclosure] Gates: 'You don't need perfect code' for good security
- From: Nick FitzGerald <nick@virus-l.demon.co.uk>
- Date: Mon, 03 Nov 2003 17:15:51 +1300
For all his usual intelligence, Valdis.Kletnieks@vt.edu oddly felt the
need to add:
> And for bonus points, explain how you fix the scheme so the poor sysadmin who
> has to run stuff at startup is able to find the folder, but an exploit running
> with 'administrator' or 'system' can't find it?
Re-read what I wrote.
I explained all that.
Like all security efforts, it is not a "perfect" solution.
It also does not work against all methods of exploitation or in all
cases of exploitation using any given method.
However, it would have saved you from a bunch of once common IE
exploits and will still save you from a huge amount of "work" done by
thousands of next-to-clueless skiddies who take overly simple PoC
exploits and are limited to altering them to simply gluing in the
delivery of their preferred RAT/bot-net agent/etc.
As I already explained all that _and_ answered your question before you
asked it, I gladly accept your bonus points...
Regards,
Nick FitzGerald
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html