Except when they’re not. The fact that weak crypto and hashing are viable channels for exploitation is proven through history (WEP, MSCHAP/LEAP, and so on). You go on to excuse these flaws through mitigation strategies. At the same time, buffer overflows can be prevented by implementing a host-agent product like Entercept or kernel patches or through any number of other mitigation strategies.

You’ve failed to substantiate the difference between the two because in the end there’s no difference between one attack that leads to a system compromise and another.

PS – I got a good laugh when you accused Thomas Ptacek and Chris Wysopal of lacking experience. You’re a funny man! Keep up the good work!

I would characterize my “appreciation” more as ambivalent than appreciative. You are welcome to try to equate the two to make yourself feel better, but they simply don’t equate. More later on tradeoffs and cost/benefit analysis in security.

Never mind the fact that, all meandering about “by design” and “functional use” aside, the end result is the same. Or the fact that, in the “implementation weakness, not bug” case, the solution requires rearchitecting, and in the “just a bug” case, the solution is simply a patch.

In other words: two pieces of information with the same effect (a problem, previously unknown, now exposed to black-hat attackers), with the only difference being the difficulty of solving the Lindstrom-approved disclosure.