Just a quick update on the password process. I've raised this within the team and it is something that they will be looking at this week. We are in the middle of a release so it may take a few days to make any changes if we decide to change the process. Thanks again for your input on this.
From: T.Rob
Sorry for the double email, this occurred to me after hitting [send]. What I said before about being friendly to the list was serious. Had the site come to the attention of someone like Pauldotcom, Dark Tangent, Moxie Marlinspike or any of the security crowd who cultivate a "rogue hacker" reputation, the result would have been more of a scorched earth campaign, and any request for retraction would result in more intensely focused attention from that community, big media attention of the wrong sort, and possibly widespread DOS attacks on password resets and other mischief. These guys don't post to your community list. They expose you in featured presentations at a security conference. So if my post here and on my tiny little blog can have the significant negative effects described, imagine what someone who truly takes an adversarial approach and has a massive following on their blog and podcast can cause, including attention from WSJ, NYT, The Register, etc. (I can provide lots of examples where this has happened in the past.) Also, if that level of negative coverage is associated with VRM it taints the entire community.

This is why I stir up a little dust in the VRM community. If people are worried about what *I* might say in public, they are more likely to get involved with OWASP, design to those standards and avoid popping up on the radar of the Pauldotcoms of the world. But, unlike those guys, I'm not doing it to sell my services (I do security but not web site pen tests) or build my reputation at the expense of unwitting victims as many security people do, but rather because I'd like to see more VRM services I'd actually want to use and entrust with my data. Anyone here who thinks I'm dangerous needs to recalibrate what they consider hostile or high profile.

-- T.Rob

From: T.Rob
Point taken, James. That's the opposite of what I intended, so I've removed all but the security aspects of the post and reworded those to remove a bit of what Schneier would call "security theatre." Chances are high that nobody is really going to reset your password during a keynote. On the other hand, I still would refrain from logging in from the Defcon event.

-- T.Rob

From: James Varga
Thanks. Not having had the benefit of your recent rants, maybe I took it out of context. Personally I don't believe we need to resort to naming and shaming in a first attempt. Especially on a community like this we should be able to offer a suggestion and for it to be taken seriously; it's why I've signed up, to get this sort of feedback and insight. Again thanks for taking the time.

It may have a more negative effect than you had hoped for, given your blog post is public and "names and shames" some of our key investors. We have a board meeting this week and I will no doubt have to defend the situation now, and given that we are in the process of trying to raise more money, timing isn't so great. A retraction or update on the public blog post would be great. If the vulnerability is indeed a false negative, a retraction on that would also be helpful. Users not signing up because the site isn't secure (I know this isn't the truth but it's the tone of your post) isn't again helpful.

Thanks again for taking the time to reply. Stuart or I will reply on the BEAST vulnerability early in the week and I'll come back to you on the password management myself. Have a great weekend.