Dear d3fault,

d3fault wrote:
> Nah. "WILL" is too strong a statement. More like: very very very very likely
> ;-)

Cras in mi ut mi auctor tincidunt. Vestibulum volutpat lorem eget ligula egestas vehicula. Mauris in nisi et ligula accumsan accumsan vitae at erat. Etiam vitae leo risus. Vivamus placerat turpis lectus, eget gravida neque. Suspendisse id nunc ipsum, vel pellentesque dolor. Nam in lorem eu sapien tincidunt mollis. Nullam nec massa id risus commodo blandit.

> The number isn't very relevant because they are crackers instead of
> script kiddies. The number of crackers is also a question mark. You
> simply cannot know how many crackers have gained access to the
> information. It's better to know that everyone knows than to think*
> you and your peers are the only ones who know (and to keep the rest of
> us in the dark). You do not have to fear the script kiddies a single
> bit if you are armed with the same information as them (because you
> shut down).

Pellentesque habitant morbi tristique senectus et netus et malesuada fames ac turpis egestas. Sed viverra aliquet mauris nec rutrum. Donec faucibus leo sit amet ligula convallis dignissim. Nam eu mattis metus. Ut egestas turpis ut dui bibendum convallis. Vivamus sed arcu sem, vel pretium arcu. Mauris lacinia consectetur lectus. Fusce sit amet ultricies felis. Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nam tortor quam, congue ut posuere sed, sagittis sed urna. Nunc adipiscing, tortor at congue lacinia, felis nunc tincidunt mauris, in faucibus mauris neque at ligula.

> * = erroneously

Praesent non risus nisi, cursus euismod nibh. Sed vel nisi ut lorem tristique tristique eget eget velit. Praesent eu neque ut orci consectetur molestie. Praesent sit amet arcu vel eros gravida ullamcorper at vel lacus. Duis libero nisi, tempor sit amet accumsan vel, auctor sed nibh. Cras euismod consectetur mollis. In dignissim purus eget lacus hendrerit sed suscipit magna egestas. Fusce faucibus est lobortis dui ullamcorper quis vehicula orci commodo.
Vestibulum ante ipsum primis in faucibus orci luctus et ultrices posuere cubilia Curae; Suspendisse nibh mauris, condimentum id mattis bibendum, porta pulvinar tellus. Etiam sem nulla, pretium quis imperdiet tristique, faucibus sed mauris. Vestibulum ut leo vitae elit vulputate tincidunt. Etiam pellentesque orci a augue luctus mollis. In eget eros nibh, eget aliquet mi. Proin augue massa, placerat id elementum a, pretium ac sapien.

> EXACTLY.
> -A few crackers armed with knowledge you don't have
> -A ton of script kiddies with knowledge you also have

Aenean mauris augue, ornare dignissim tempor quis, fermentum vestibulum nisl. Nam ipsum augue, hendrerit sed venenatis a, vestibulum vitae tortor. Duis rhoncus mi ut odio rutrum ullamcorper fermentum diam tempor. Fusce sed velit purus. Pellentesque eget nisl mi, sed posuere eros. Maecenas vitae turpis augue. Cum sociis natoque penatibus et magnis dis parturient montes, nascetur ridiculus mus. Pellentesque tortor dui, volutpat non tempor eu, mollis sed justo. Donec facilisis neque ac est dictum id euismod nibh adipiscing. Mauris suscipit, urna non sodales auctor, diam mauris pulvinar elit, id condimentum ligula dolor ut nibh. Nullam viverra orci non urna pretium non porta diam luctus. Pellentesque sem enim, cursus in tempus ut, varius id est.

> The lesser of two evils is the latter.

Aenean eu metus turpis. Donec rhoncus leo non nibh mattis ut vestibulum sapien mattis. Fusce quis massa eu enim consequat porttitor ut vel erat. Vivamus vitae tortor turpis, quis pulvinar ligula. Donec commodo consectetur lorem quis adipiscing. Pellentesque pellentesque fringilla mi at egestas. Sed vitae dui a augue tempus gravida. Nam sapien sem, adipiscing eu placerat at, lacinia ut nibh.

> BECAUSE *copies from above*:
> You do not have to fear the script kiddies a single bit if you are
> armed with the same information as them (because you shut down).

Morbi non semper purus. In turpis leo, lacinia sit amet consequat id, mattis vel eros.
Proin auctor lobortis est, vel elementum dui convallis id. Cras nec felis lorem. Proin porttitor, mi vitae tristique laoreet, nisl libero rhoncus mauris, vitae euismod urna mi sed nunc. Cras fermentum mauris non neque venenatis ut facilisis metus fermentum. Donec id eros orci. Praesent volutpat sodales faucibus. Sed commodo rutrum neque, in blandit diam aliquam at. Curabitur ante quam, malesuada sed gravida eu, lobortis vitae massa. Mauris tempor, nulla at lobortis lacinia, turpis neque molestie justo, at posuere erat eros vitae libero.

> If I can convince you then you might be able to convince him. Since,
> you know, he actually respects you and all (brought that upon myself
> xD).

Quisque mollis laoreet malesuada. Mauris magna mauris, adipiscing sed vehicula eget, lobortis eu ligula. Nam et tortor quis turpis semper hendrerit. Ut consectetur porttitor purus a fringilla. Curabitur elementum sodales luctus. Proin bibendum magna nec lacus placerat fermentum. Maecenas ac ultricies quam. Vestibulum pellentesque sodales augue, eget suscipit justo sodales id. Curabitur dictum velit sit amet sapien lacinia dignissim. Proin non bibendum sapien. Aliquam erat volutpat. Aliquam scelerisque, purus ac ornare luctus, est erat dictum lectus, et fringilla nulla sapien id magna.

> We should handle it like OpenBSD, erring on the side of caution. If
> it's definitely a buffer overflow, it should be fixed. The QML people
> don't have to pay attention to the Security discussions and can
> continue being oblivious (note: if you are oblivious, you are not
> secure).

Duis tincidunt, massa eu accumsan tempor, metus enim interdum eros, eu cursus mauris metus eu elit. Donec ac nisi nec felis sagittis sagittis. Mauris fringilla, ante varius vulputate adipiscing, lorem ligula euismod leo, sed vulputate eros ligula sed augue. Etiam eget tempor ligula. Integer vel quam a erat tempus eleifend. Etiam sagittis auctor ipsum nec porta. Quisque varius ipsum ligula.
Etiam consectetur faucibus eros molestie dignissim. Quisque rutrum imperdiet adipiscing. Morbi vel libero sed massa suscipit laoreet. Nunc id urna quis lacus varius sodales non eget tortor. Aenean condimentum sollicitudin pharetra. Cras laoreet odio ut enim sodales non mattis orci commodo.

> "During our ongoing auditing process we find many bugs, and endeavor
> to fix them even though exploitability is not proven. We fix the bug,
> and we move on to find other bugs to fix. We have fixed many simple
> and obvious careless programming errors in code and only months later
> discovered that the problems were in fact exploitable. (Or, more
> likely someone on BUGTRAQ would report that other operating systems
> were vulnerable to a `newly discovered problem', and then it would be
> discovered that OpenBSD had been fixed in a previous release)" (
> http://openbsd.org/security.html ).

Nullam commodo viverra tortor, sed congue massa egestas a. Integer in ipsum id elit sollicitudin vulputate. Etiam suscipit placerat diam, vitae commodo justo scelerisque id. Mauris sit amet diam turpis, a porta diam. Suspendisse sodales dapibus sem, sed scelerisque turpis dictum vitae. Aenean ornare lorem a ligula varius non luctus dui tristique. Vivamus sed ligula dui, tincidunt varius mi. Nullam tortor arcu, posuere non mattis at, cursus a lorem. Proin euismod, nunc sed convallis tempus, nunc arcu ultricies mauris, ac euismod odio augue eleifend nulla. Praesent a felis velit. In et ipsum augue, sed luctus libero. Vivamus arcu dolor, varius sagittis aliquet sed, rhoncus id orci. Morbi consectetur faucibus congue. Duis in quam vitae elit cursus tristique ac in sem. Praesent fringilla, tortor ac consequat ullamcorper, est dolor vulputate nisi, quis fringilla sapien sem eu felis. Aliquam arcu ante, elementum nec euismod ornare, vestibulum sit amet neque.

> I would like Qt to be ahead of the game like OpenBSD is. I'd even like
> to see a minimal/hardened version of Qt where code must first pass
> extensive auditing. I would happily contribute to that process as it
> serves me directly.

Morbi mollis sagittis diam et rutrum. Praesent blandit turpis et lectus rhoncus euismod. Cras ac lectus mi. Mauris sollicitudin dui molestie enim blandit id sollicitudin libero consequat. Vestibulum at felis sodales felis euismod fermentum. Cum sociis natoque penatibus et magnis dis parturient montes, nascetur ridiculus mus. Sed a elit est. Sed at consectetur dolor. Vivamus ac lacus urna, vitae feugiat neque. Lorem ipsum dolor sit amet, consectetur adipiscing elit. In condimentum, diam ut molestie blandit, massa velit blandit ipsum, vitae laoreet magna tortor vel tortor. Quisque vitae felis dapibus massa tempus viverra sit amet vulputate leo. Morbi at arcu eros. Integer porttitor purus at ipsum sagittis eu ornare dolor suscipit. Aliquam urna mauris, molestie in lacinia ac, ullamcorper eget lacus.

> Similarly, they could handle "You are vulnerable. You should shut down
> to protect yourself" and "Here's a fix, apply it like this and you
> should be ok to bring yourself back online".

Mauris mi ligula, condimentum id condimentum a, sollicitudin ac diam. Nulla nec dolor eu est molestie viverra. Morbi eleifend ante non quam bibendum vulputate. Suspendisse sit amet lacus ac urna sagittis imperdiet. Praesent nisi sapien, ullamcorper et dictum in, sollicitudin a dui. Nunc tincidunt pellentesque lacinia. Etiam vel nisi est, sit amet eleifend lacus. Phasellus cursus tristique vehicula. Praesent consectetur imperdiet tortor, a tempor elit hendrerit ac. Maecenas nec velit vitae erat feugiat pharetra. Nullam enim turpis, auctor eleifend imperdiet non, pretium eu mauris. Cras ut nunc vel eros varius tristique porta vel dolor. In hac habitasse platea dictumst. In vulputate nisi lectus, id mattis eros. Curabitur ac mollis risus. Proin at arcu orci.
> Yes, but we should not simultaneously force those who are competent to suffer.

Cras lorem urna, lacinia semper rutrum adipiscing, congue nec nisi. Fusce ullamcorper viverra diam. Maecenas nibh tellus, lobortis at condimentum sit amet, fringilla dictum orci. Maecenas pretium, lorem vel convallis vehicula, nulla urna posuere ipsum, ut suscipit sapien sapien eu ligula. Etiam mattis sapien quis quam luctus ullamcorper. Quisque tempus nisi ac massa tristique bibendum. Pellentesque pretium auctor quam, ultrices ultrices nibh pharetra at. Fusce vulputate nunc eu turpis rutrum vel pulvinar magna egestas. Quisque a ipsum vel lectus gravida accumsan. Duis facilisis accumsan lacinia. Praesent id tempor magna. Praesent adipiscing nisl ut neque aliquet vel accumsan nulla rhoncus. Pellentesque habitant morbi tristique senectus et netus et malesuada fames ac turpis egestas. Quisque cursus tincidunt dictum. Nullam scelerisque felis quis orci dictum ac lobortis elit dapibus.

> They wouldn't have to hack their way in if you gave them access.
> You've already shown that it's relatively easy for someone to join the
> security team.

Fusce vehicula semper vulputate. Ut ultricies, metus in lobortis gravida, velit urna scelerisque dolor, eget auctor ligula arcu ac nunc. Vivamus tortor leo, vulputate id accumsan sed, accumsan interdum libero. Integer nunc orci, vestibulum in dictum ac, elementum nec magna. Nunc et porttitor neque. Nam porttitor hendrerit eros, sollicitudin porta felis interdum vestibulum. Vestibulum vitae turpis vitae sapien suscipit aliquam. Cras pretium ullamcorper turpis vel tincidunt. Aenean lacinia dapibus lectus eu congue. Nam facilisis magna a turpis congue sed gravida massa aliquet.

> lol. We cannot attain perfection, but we should still strive for it.
> Yes having your systems online is a risk... and so is going outside.
> But if you ***KNOW*** there's a man with a gun standing outside your
> door, you aren't going to go outside. The same is true for knowing of
> a vulnerability's existence: don't go online until you know it's been
> dealt with.

Praesent consequat, nisl quis aliquet ultricies, velit dolor interdum arcu, at accumsan lorem eros ac leo. Duis et ipsum nisl, sed dictum nunc. Quisque laoreet nibh ac felis consequat quis aliquam velit consectetur. Nullam a elit et diam vulputate tempor. Proin congue, arcu vitae pulvinar pharetra, orci turpis commodo nibh, at tristique ligula massa faucibus turpis. Etiam molestie, magna porttitor sagittis iaculis, nisi ante pharetra metus, sed hendrerit dolor sem in dolor. Aliquam molestie lectus vitae lorem placerat consequat. Ut egestas tincidunt eros ac pretium. Donec convallis posuere tellus id posuere.

> See above about a hardened Qt. Moving to Full Disclosure would be a
> first step towards that.

Cum sociis natoque penatibus et magnis dis parturient montes, nascetur ridiculus mus. Nam faucibus mi eget arcu aliquet tristique. Morbi sem purus, volutpat sit amet pretium ac, suscipit nec odio. Suspendisse rhoncus mattis neque, sed accumsan magna luctus non. Ut quam magna, ornare ut porttitor vel, scelerisque nec augue. Nullam eleifend, odio et facilisis varius, mi lacus pretium libero, vel pharetra est augue at leo. Sed congue augue sed tortor scelerisque vel tincidunt dui varius. Ut eget ligula elit. Pellentesque iaculis sagittis ligula facilisis bibendum. Praesent et lobortis nulla. Suspendisse nec orci diam. Ut ac lorem sapien. Mauris ligula orci, rutrum in vulputate ut, gravida eget sem. Sed non tortor sit amet nibh dictum viverra.

> Leftover corporate policy and a bunch of opinions and other
> non-arguments. Honestly, this discussion we're having right now has
> been the only productive one.

I think the above pretty much invalidates all your arguments. Now, to put it politely, fuck off.

João
_______________________________________________
Development mailing list
Development@qt-project.org
http://lists.qt-project.org/mailman/listinfo/development