Dailydave mailing list archives
"The organization I belong to doesn't have initals" (that evil dude in Heroes)
From: "Dave Aitel" <dave.aitel () gmail com>
Date: Sun, 12 Nov 2006 10:52:09 -0500
So one thing that struck me this week was how most good hackers cannot tell you how they find vulnerabilities. I've asked both Kostya and Sinan how they find bugs, and there really isn't a process behind it, other than persistence, experience, and gut feel.

I've been consulting for a bit to get my feet wet again. Consulting is an ego game. Do you think you can break this in one week? The answer is maybe, but your internal voice better be saying "hell yes" or you won't succeed. This week I was literally one hour out of a meeting telling my sponsor the app I was auditing was secure when I got remote code execution.

But Immunity's consulting is somewhat different from most I've been involved with. We spend a lot less time telling people about their ICMP timestamps and a lot more time finding 0day. At the DoD Information Assurance conference 95% of the things discussed were compliance management. "We can't get our people to install patches properly" was a popular refrain. But at Xcon it was 0day, 0day and 0day. It tells you a lot about whether the DoD will be successful at information assurance in the face of asymmetrical attacks (Answer: no).

The solution, of course, is to focus only on the high end risk, rather than assuming you have to climb up the risk chain from the bottom. IMHO, of course. I don't work for the USG and haven't for a long time. But if you're focusing on patch and configuration compliance and your most likely opponents don't care, then you gotta assume something's broken. Invest the majority of your cash in vulnerability research and hacking and leave the compliance management for later. Sometimes the best defense is a good offense, and with hacking that's nearly always true.

But, of course, even the cost of experience is expensive in this game, because full time vulnerability research isn't profitable in a reliable way. You could spend a year auditing one large application and find only DoS's, especially in this world of /GS, SafeSEH and W^X.

Persistence, experience - these are monumentally expensive with no sure pay off. If even the researcher can't tell they're on the way to finding a bug until the second they find it, then how can you plan and budget for it?

-dave
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- "The organization I belong to doesn't have initals" (that evil dude in Heroes) Dave Aitel (Nov 12)
- Re: "The organization I belong to doesn't have initals" (that evil dude in Heroes) Tito Villalobos (Nov 13)
- Re: "The organization I belong to doesn't have initals" (that evil dude in Heroes) Pete Herzog (Nov 13)
- Re: "The organization I belong to doesn't have initals" (that evil dude in Heroes) Steve Manzuik (Nov 13)
- Re: "The organization I belong to doesn't have initals" (that evil dude in Heroes) Paul Melson (Nov 13)
- Re: "The organization I belong to doesn't have initals" (that evil dude in Heroes) Steve Manzuik (Nov 13)
- Re: "The organization I belong to doesn't have initals" (that evil dude in Heroes) Olef Anderson (Nov 14)
- Re: "The organization I belong to doesn't have initals" (that evil dude in Heroes) Nicolas RUFF (Nov 14)
- Re: "The organization I belong to doesn't have initals" (that evil dude in Heroes) David Maynor (Nov 14)
- Re: "The organization I belong to doesn't have initals" (that evil dude in Heroes) Daniel (Nov 14)
- Re: "The organization I belong to doesn't have initals" (that evil dude in Heroes) Siim Põder (Nov 14)
- Re: "The organization I belong to doesn't have initals" (that evil dude in Heroes) Tito Villalobos (Nov 13)