Re: [Full-disclosure] GOOD for Enterprise (GMA) below 2.0.2 vulnerable to MITM
- To: Georgi Guninski <guninski@xxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] GOOD for Enterprise (GMA) below 2.0.2 vulnerable to MITM
- From: Jeffrey Walton <noloader@xxxxxxxxx>
- Date: Wed, 14 Nov 2012 04:18:59 -0500
On Wed, Nov 14, 2012 at 3:43 AM, Georgi Guninski <guninski@xxxxxxxxxxxx> wrote:
> On Tue, Nov 13, 2012 at 05:47:28PM -0500, Jeffrey Walton wrote:
>> On Tue, Nov 13, 2012 at 4:56 PM, Thierry Zoller <Thierry@xxxxxxxxx> wrote:
>> >
>> > RANT
>> > ----
>> > The world of mobile applications appears to have become one where
>> > vulnerability disclosure and awareness are not necessary. Until there are
>> > fully automated updates and refusal of service for outdated applications
>> > I see the need for disclosure.
>> Mobile is a step backwards in software security (back to about the
>> mid-1990s) due to patching. Or more correctly, lack thereof. I've been
>> bitching about it for years.
>>
>> I'm convinced the only way to fix it is through legislation and
>> software liability laws. Waiting for companies to "do the right thing"
>
> liability laws might kill a lot of OSS warez as a side effect.
Perhaps. I believe it will improve those that remain (survival of the fittest?).
Folks like Google and Red Hat might have to take a proactive approach
to limit their liability. It might hurt folks like Dan Rosenberg, who
make their careers out of finding Comp Sci 101 bugs in the kernel.
(Nothing against Dan - he does a great job).
> btw, m$ lusers agree to "CLASS ACTION WAIVER":
> http://windows.microsoft.com/en-US/windows-live/microsoft-services-agreement
>
> ==============
> IF YOU LIVE IN THE UNITED STATES, SECTION 10 CONTAINS A BINDING ARBITRATION
> CLAUSE AND CLASS ACTION WAIVER. IT AFFECTS YOUR RIGHTS ABOUT HOW TO RESOLVE
> ANY DISPUTE WITH MICROSOFT. PLEASE READ IT.
> 10.4. Class action waiver. Any proceedings to resolve or litigate any dispute
> in any forum will be conducted solely on an individual basis. Neither you nor
> Microsoft will seek to have any dispute heard as a class action or in any
> other proceeding in which either party acts or proposes to act in a
> representative capacity. No arbitration or proceeding will be combined with
> another without the prior written consent of all parties to all affected
> arbitrations or proceedings.
> ===============
It's not just Microsoft.
The courts (in the US) are starting to limit those obscene Terms of
Service.
http://www.topclassactions.com/lawsuit-settlements/lawsuit-news/2633-zapposcom-loses-arbitration-bid-in-data-breach-class-action-lawsuit.
It's another legal absurdity to me: you are given a protection, then
corporate America tries to get you to waive it. I guess that's why my
undergrad and grad degrees are computer science and not law.
Jeff