What's wrong if security people focus on security, run after vulnerabilities and fix them ASAP, just like GUI people focus on user-interface-related things? Nobody can be everybody. Why does he keep blaming people who are only interested in security bugs? I don't understand what he is talking about. Or maybe I've got it totally wrong.. - Pınar Yanardağ
I think what he is saying is that security *bugs* get more attention than they deserve, and that there are a lot of *other* bugs that are more challenging and crucial. It's tricky: by calling attention to security vulnerabilities, it may well be the case that patches get applied more promptly. OTOH, there are lots of other kernel bugs that need fixing. - ben lorica
I totally agree with you: there are (more) critical (but non-security-related) bugs that need fixing. But what I want to point out is: what's wrong if there are some kernel hackers who are, let's say, "mad about security" and some kernel hackers who fix "normal" bugs? For example, I am an official developer of Pardus GNU/Linux and a member of the Pardus Security Team, and however critical a bug is, I focus first on security-related bugs while my co-workers focus on other bugs and leave the security fixes to me. - Pınar Yanardağ
(continues..) And I know.. as an engineer, I shouldn't think like that. A bug is a bug and needs fixing. But that's the faster way to keep your software safe against vulnerabilities. Btw, Larry Osterman has one or two interesting points of view about this: http://blogs.msdn.com/larryost... - Pınar Yanardağ
He proposes selecting some things that you like and some things that you dislike, both from a long list of available topics, instead of answering highly predictable questions for forgotten passwords. (In my opinion, it's better than the traditional method but still not quite effective for those who are too unstable about their likes/dislikes.. meh.) - Pınar Yanardağ
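A sketch of the preference-based reset check described in the comment above, added here as an illustration; it is not code from the talk, from Vidoop, or from anyone in this thread. At enrolment the user picks likes and dislikes from a catalog; at reset time the challenge mixes a few of each with decoys, and a score threshold below the maximum tolerates a user whose tastes have drifted a little, which is the weakness raised above. The catalog, the +1/-1/0 scoring rule and the threshold value are all assumptions made for this example.

```python
import random

# Constructed catalog for the illustration; a real deployment would use a
# much longer list so that guessing a stranger's preferences is hard.
CATALOG = ["jazz", "sushi", "hiking", "opera", "chess", "soccer", "camping",
           "poetry", "karaoke", "gardening", "cycling", "knitting"]


def enroll(likes, dislikes):
    """Store the user's chosen likes and dislikes at enrolment."""
    likes, dislikes = frozenset(likes), frozenset(dislikes)
    if likes & dislikes:
        raise ValueError("an item cannot be both liked and disliked")
    return {"likes": likes, "dislikes": dislikes}


def make_challenge(profile, catalog, n_each=3, n_decoys=3, rng=None):
    """Pick a few enrolled likes, a few dislikes and some decoys, shuffled,
    so the challenge itself does not reveal which items the user chose."""
    rng = rng or random.SystemRandom()   # OS randomness by default
    decoys = set(catalog) - profile["likes"] - profile["dislikes"]
    items = (rng.sample(sorted(profile["likes"]), n_each)
             + rng.sample(sorted(profile["dislikes"]), n_each)
             + rng.sample(sorted(decoys), n_decoys))
    rng.shuffle(items)
    return items


def score(profile, answers):
    """answers maps item -> 'like' | 'dislike' | 'neutral'.
    +1 for a correct classification, -1 for an inverted one, 0 for
    'neutral' or for a decoy (decoys say nothing about the user).
    This scoring rule is an assumption of the example."""
    total = 0
    for item, verdict in answers.items():
        if item in profile["likes"]:
            total += {"like": 1, "dislike": -1}.get(verdict, 0)
        elif item in profile["dislikes"]:
            total += {"dislike": 1, "like": -1}.get(verdict, 0)
    return total


def verify(profile, answers, threshold):
    """Accept the reset if the score reaches the threshold. A threshold
    below the maximum (2 * n_each) tolerates some drift in the user's
    tastes, while inverted answers still cost points."""
    return score(profile, answers) >= threshold


def demo(seed=1):
    """Deterministic run: enrol, issue a challenge, and evaluate one
    fully correct answer set and one where the user's tastes drifted."""
    profile = enroll(["jazz", "sushi", "hiking", "opera"],
                     ["chess", "soccer", "camping", "poetry"])
    challenge = make_challenge(profile, CATALOG, rng=random.Random(seed))
    exact = {"jazz": "like", "sushi": "like", "chess": "dislike",
             "soccer": "dislike", "karaoke": "like"}   # karaoke is a decoy
    drifted = {"jazz": "neutral", "sushi": "dislike", "chess": "dislike",
               "soccer": "dislike"}
    return {
        "challenge": challenge,
        "exact_score": score(profile, exact),      # 4
        "exact_ok": verify(profile, exact, 3),     # True
        "drift_score": score(profile, drifted),    # 1
        "drift_ok": verify(profile, drifted, 3),   # False
    }


if __name__ == "__main__":
    print(demo())
```

The threshold is the knob that trades the "unstable likes/dislikes" problem against guessability: lowering it helps a user who has gone lukewarm on an item, but every point of slack is also a point a guesser does not have to earn.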
Have you heard of Vidoop (http://www.vidoop.com/products)? I wonder if users are cognitively able to "pass" these password-reset challenges? That was my concern with Vidoop when I first saw it two years ago. - ben lorica
Vidoop seems quite complicated, but people usually have stronger memory for visual things.. maybe it can work easily after getting familiar with the images. (I always prefer T-FA, but I don't think I'd like to use such a painful method, though.) - Pınar Yanardağ
I was in the front row sitting next to Dan's family at Black Hat when I first saw this cool viz. Thanks for posting! - ben lorica
Aww, you're so.. lucky! I'll be at the next Black Hat, too - maybe we can plan a meeting for all sec-room people? Wait and see. But this room needs more interest =) - Pınar Yanardağ
Keyczar has been developed by members of the Google security team and aims to make cryptography more accessible to application developers. - Pınar Yanardağ