Like what? I’m curious what kinds of non-cryptographic bugs are NOBUS like Dual EC.
Replying to @matthew_d_green @halvarflake and
Umm, stack buffer overflow parsing https://vendor/latestversion.txt? Nobody else can exploit that, right?
Replying to @taviso @halvarflake and
I’m confused now. I thought you were arguing that there were vulns that could only be exploited by one side, a la Dual EC.
Replying to @matthew_d_green @halvarflake and
Yes, you understand correctly. Who else can exploit the example I gave other than the vendor?
Replying to @taviso @halvarflake and
Ah. But that’s a capability that degrades rapidly. And if every latest version is riddled with new bugs, eventually you’ll ring people’s alarms.
Replying to @matthew_d_green @halvarflake and
So if the second Tuesday of every month, Microsoft published dozens of new bugs, people might stop using Windows?
Replying to @matthew_d_green @halvarflake and
OK, but I'm guessing you still use an OS that has regular security updates of bugdoor-equivalent vulnerabilities? So the point remains, right? There would be no penalty for getting caught shipping a bugdoor.
Replying to @taviso @halvarflake and
This is a Henry Ford fallacy. Like saying “what if a medication had side effects and people still took it, wouldn’t that imply any medicine could have serious side effects and people would take it?” Let medication1 be Insulin. Let medication2 be that weird eyelash-growing stuff.
Replying to @matthew_d_green @taviso and
People can’t live without Windows but apparently the DoD can live without certain videoconferencing platforms.
Ah, so you're saying that Microsoft is too important, if something like Signal had something that *could* have been a bugdoor, people would abandon it? Then how do you explain this: https://bugs.chromium.org/p/project-zero/issues/detail?id=1943 …
Replying to @taviso @halvarflake and
I was talking about the scenario where an app just kept spewing vulnerabilities as fast as the old ones were found. Not sure Signal has done this.
Replying to @matthew_d_green @halvarflake and
But you agree the reproducible build isn't a factor? Doesn't that mean I've convinced you?