Thursday, November 8, 2012

Security & Hacking: Sophos Vulnerabilities & Tavis Ormandy

Sophos comments: http://nakedsecurity.sophos.com/2012/11/05/tavis-ormandy-sophos/

Tavis Ormandy's Full Disclosure on Exploits or Vulnerabilities he found in Sophos: http://lists.grok.org.uk/pipermail/full-disclosure/2012-November/088813.html

Tavis' Blog http://taviso.decsystem.org/

His Twitter, according to his Full Disclosure paper (published Mon Nov 5 15:14:17 GMT 2012), is http://twitter.com/taviso [but the link on his site doesn't work because he got a period into it; "http://twitter.com/taviso." is a direct copy and paste. As a blogger I have run into this myself T_T]

It seems to me that a lot of the drama in this situation basically boils down to a good White Hat Hacker being upset at Sophos for not patching vulnerabilities as fast as he thinks they should.


It seems to be a question of opportunity cost (http://en.wikipedia.org/wiki/Opportunity_cost), and without full information on all the projects and threats Sophos is currently dealing with, it is really not possible to say they are doing a bad job in that sense.

I suspect, based on how Sophos keeps emphasizing that they have not seen any of these exploits in the wild and that they appreciate Tavis Ormandy's work, that they are probably putting more resources into fixing vulnerabilities that are currently being exploited.

Or into ones that, for some other reason, are considered a higher threat to them.

But that is mere speculation on my part.

I will note that I currently use Sophos on one of my machines. I have less than a year of personal experience with it so far, but it is what I use and recommend for certain applications currently.

I also want to note that security is not EVER about a single unbreakable wall, but rather about multiple layers of strong walls.

We know any defense can be compromised, and must plan accordingly.
