I'm sorry, but when someone can't take the time to type out a message with some decent punctuation, the validity goes out the window and I can't really pay attention to it. All I got from that is that people who need money would report it and they would be flooded. But there are bounty systems out there and they can clearly handle the problem, so out goes that logic.
On 8/13/2015 3:31 PM, Shaf wrote:
> No clue what 'clqames' means.
>
> Either way, your argument is flawed. That's like saying everybody who wants a job shouldn't work for the money, otherwise the job market would be overloaded and employees wouldn't be filtered by quality.
>
> On 8/13/2015 8:25 PM, george b wrote:
>> No, I do not think so. Then all the people who need some money would be reporting these things just to get funds and overload their system, and then they would never be able to check the validity of all the clqames.
>>
>> -----Original Message-----
>> From: macvisionaries@googlegroups.com [mailto:macvisionaries@googlegroups.com] On Behalf Of Shaf
>> Sent: Thursday, August 13, 2015 11:53
>> To: macvisionaries@googlegroups.com
>> Subject: Re: Why you shouldn't freak out about scary sounding exploits
>>
>> That's good for you. A wealthy company such as Apple should pay those who find security holes and report to them.
>>
>> On 8/13/2015 7:36 PM, Littlefield, Tyler wrote:
>>> Hello:
>>> A lot of companies do have bounties like this. For example, the company I worked for works on Drupal. There was a bounty offered through the association. I report stuff like this that I find when it is a problem, not because I want to get paid but because that's the only way to fix things. I do it because it's the right thing to do and it helps other people. Any security hole that can be fixed, regardless of whether or not I get paid, helps me (as I'm obviously using the product) and it helps others as well.
>>>
>>> Thanks,
>>> On 8/13/2015 2:27 PM, Shaf wrote:
>>>> Why should I tell Apple of exploits if they don't pay me?? They should introduce a bug bounty program. Otherwise I have no interest in keeping their bugs confidential.
>>>> On 8/13/2015 7:10 PM, 'Chris Blouch' via MacVisionaries wrote:
>>>>> With the complexity of OSX and iOS I think if somebody figures out the right combination of tweaks to bypass security they should tell Apple right away and hold off a bit before telling the world. At least give them a chance to fix it before giving a free hand up to the bad guys. Of course that lead time needs to be kinda short as the vulnerability needs to be fixed before some bad folks find it and/or continue to use it. With Apple's automatic updates it can also be a while before a reasonable chunk of the population has installed the patch. So I'd guess 90 days would be pretty reasonable. If a patch hasn't been released by then then it's time to put public pressure on Apple.
>>>>>
>>>>> That said, the oasis of pulchritude hasn't entirely dried up. Yes, there are issues and the popularity of the platform has attracted unwanted attention from certain quarters but at least there seems to be a reasonably good attempt to put locks on all the doors. They just sometimes forget and leave a window open.
>>>>>
>>>>> CB
>>>>>
>>>>> On 8/13/15 1:21 PM, Sabahattin Gucukoglu wrote:
>>>>>> I don’t agree with the author. Of course, this is MacWorld—some amount of Apple butt-kissing is to be expected—but I find his attitude very worrying.
>>>>>>
>>>>>> First, “Responsible disclosure” vs “Full disclosure” is a choice of researchers, and privileged authors of the press shouldn’t be using their personal ethical judgements about it to suppress public information about flaws simply on that basis. That alone is reason enough to simply distrust any further writings of the author. I am personally of the opinion that we are well past the usefulness of “Responsible disclosure” as a strategy; giving companies rope, but not quite enough to hang themselves with, isn’t moving security forward any faster.
>>>>>>
>>>>>> Second, and more important, a privilege escalation vulnerability isn’t a problem for advanced users, who already know what Glen is suggesting, i.e. don’t run dodgy software. It is precisely those people who have been trained, per the standard advice, not to type in their passwords when they are suspicious who will be most hit by the root bypass. Obviously, better advice would be “Just don’t trust anyone”, but that’s not how the world works, sadly. I think it’s time for us to acknowledge that the Mac, once a peaceful neighbourhood with only the occasional bit of easily-preventable rogue badness that you could get rid of by just clicking “No” or “Cancel” or whatever, is now increasingly occupied by bad software that is well-advertised, easily installed and hard to recognise by a lot of inexperienced people, and anybody giving a Mac to somebody to keep them (the recipient) quiet and out of their (the donor’s) hair now needs to hold Apple’s once glorious patch turnaround times to account. This is *especially* true if the donor has delivered the Mac with a limited user account and all necessary software already installed or only accessible from the Mac App Store, because as soon as Flash becomes the vector, we’re all finished.
>>>>>>
>>>>>> Microsoft have learned their security lessons the hard and painful way, and now it’s Apple’s turn. Please don’t give apologists fodder for their absurd denials.
--
Take care,
Ty
twitter: @sorressean
web: http://tysdomain.com
pubkey: http://tysdomain.com/files/pubkey.asc