[cryptography] "There is something Google can do. So they should do it."

Greg greg at kinostudios.com
Sat Nov 28 00:23:47 EST 2015


If you insist on wasting both our time…

> You are literally using it as a pretext to go after Google.

No, I talked about Dell, then I talked about Google. Both share blame.

> Can you point to a single time in the past you've mentioned Dell's involvement in this incident without mentioning Google?

Umm… that was my first time mentioning the incident.

And why focus solely on Dell when Google is to blame for breaking HPKP? Dell had nothing to do with that.

Your logic is nonexistent.

> Why do you never mention this? Your blog post doesn't mention Firefox once.

First you’re upset with me for going after more than one entity, now you’re upset with me for not going after three entities.

Make up your mind, Tony.

FWIW, I didn’t mention Firefox in the post because:

1. The article was already long enough.
2. Google is responsible for the RFC.

I did mention Firefox on Twitter:

https://twitter.com/taoeffect/status/670366573761138688

And I had the turtles mention Firefox as well:

https://twitter.com/okTurtles/status/670370569087352832

Now let me ask you: why are you not mentioning either Firefox or Google? Rhetorical question, I know your answer already, and it’s bullshit.

> Threat: an attacker with local system administrator privileges can override HPKP.

This is Dell and Lenovo we’re talking about.

> This is what you're worried about. You are trying to defend against an attacker with local system administrator privileges.

Dell and Lenovo and anyone who is capable of compromising Dell or Lenovo or any other computer manufacturer.

Let’s see, over one hundred THOUSAND people have been compromised, and if I’m not mistaken, they are still compromised because of that second cert? And I’m guessing 90% probably haven’t applied the fix for the first.

That’s the world’s infrastructure being compromised right there—open for ANYONE to exploit.

And you don’t give two shits? F*ck off. You’ve lost your infosec club membership.

As the subject says: "There is something Google can do. So they should do it."

- Greg