A: "If they already have an arbitrary read, can't the attacker just read the secret?"
B: "Look, this will break existing exploits, we're raising the bar."
A: 
I hear that a lot, "not everyone knows how to write shellcode"... yeah, I don't know anything about plumbing but I still have hot and cold running water. If you added a one-off $50 development cost for a lifetime of supporting more complexity, did you win?
I dunno, I figure a lot of attackers are lazy and/or script kiddies. You're right that it won't stop determined attackers, of course.
A script kiddie, by definition, uses the work of others. If you make them pay a one-off development fee of $50 to jump through a hoop, and in exchange increased complexity of your code...did you really win?
New conversation
Where do you set the line between effective mitigations that make defense in depth better vs low quality mitigations that are simply another cute challenge to an attacker?
If it requires a new capability the attacker hasn't already demonstrated (another bug class, for example), great. If it requires some busy work or jumping through a few hoops, then you've just added significant complexity for questionable gains.
New conversation
That’s actually really empowering to hear and makes the little efforts feel worthy, even if in theory they are not hermetically sealed doors.
When you’re in Ops and you have very little power, moving the bar a millimeter at a time is all you can do. You will never “solve” anything. Though I get your point, I think there are so many basics and the bar is so insanely low right now, it’s a worthy metaphor in some cases.
New conversation
My problem is that anytime I hear "raising the bar" I can only think of limbo.
Yeah, that's lowering the bar.
End of conversation