Risky Business #243 -- Quickly! To Ecuador!
In this week's news segment we cover Julian Assange's attempt at martyrdom in style, claims of a Twitter outage, the cracking of 923-bit pairing-based encryption in Japan, the blackmailing of an American firm by hackers, Face.com's tragic fail, The Washington Post's stunning (not) revelation that Flame was the work of the US and Israel, AutoCAD worms, bug bounties and more!
Insomnia Security's Mark Piper tackles all that at the top of the show. He's filling in for Adam Boileau.
Also in this week's show we're chatting with Adobe's director of product security and privacy Brad Arkin. We're talking to him all about an opinion piece Bruce Schneier wrote for Forbes about twisted incentives in the vulnerability market. It's interesting stuff.
That's this week's sponsor interview.
There's no feature interview this week and possibly no podcast next week. Family stuff.
Comments
Hi Patrick, A feature/sponsored interview regarding "source code security analyzers" and their capabilities would be great. Would these tools have found last week's MySQL problem (of only validating the LSB from memcmp), or could they help spot subtle problems introduced by coders intentionally in order to make money from vulnerabilities? NIST has a long list of free and commercial tools, but I'm at a loss as to what these tools can do (I prefer C/C++). What kind of value, and at what cost, do the commercial tools provide?
What about the situations where you can very covertly insert a bug that is reasonably straightforward to exploit?
As an example, extremely subtly messing with crypto RNGs to reduce entropy, Debian style.
Things that don't mess with memory corruption (which typically have defences that are expensive to exploit around).
Easy to implement, hard to detect the vulnerability introduction, easy to exploit, worth good cash, no?