Dailydave mailing list archives
Re: Re: This mornings Security Wire Perspectives - Ira's proof of concept code article.
From: Julio Patel <smerdyakovv () gmail com>
Date: Tue, 30 Nov 2004 08:42:47 -0500
On Tue, 30 Nov 2004 12:01:48 +0100, pete <lists () isecom org> wrote:
> > So, Ira was right. An automated scanner *can* often test for exploits
> > via the network (without exploit code) and even more often if the
> > scanner is configured to do the checks locally.
>
> Ira was almost half right if in the real-world it actually worked like that and those in charge of security conveniently had root and admin rights on all the boxes they had to do local tests on. Politics makes local checks a moot point in most of the world.
Sure, but not every network-based test requires actual exploit code. I took issue with the two extremes being presented (with respect to scanning). The reality of scanning effectiveness (local, remote, or hybrid) falls somewhere between "works all the time" (Ira) and "is useless" (Robert).
> > This is pretty much what Robert already said....he needs exploits (or
> > at least detailed tech info) to do better pen-tests. OK,
> > Full-disclosure fits your business model...what's your point? You've
>
> I guess all those MBA classes have paid off for you and thankfully, now, for all of us. Was it in an advanced class where you learn that a system where as a vendor, you control both product and maintenance of that product (which people must pay for) is an even better business model? Imagine a system where any third party could make an analysis of a product that is not sanctioned by the vendor of that product. I know big Pharma has also found the whole clinical trials thing to be pretty pesky too. It really cuts into their preferred business model.
You completely missed what I was saying, but that's all right since you've seen fit to give me an honorary degree. I'm not for either extreme...my ideal model would probably lie somewhere in between (relative to me and different for each situation).