Dailydave mailing list archives
Re: Some Sums
From: "Olef Anderson" <olef.anderson () gmail com>
Date: Thu, 8 Feb 2007 09:48:36 -0800
About this whole fuzzer business, how about putting some cold hard cash where the corporate mouthpiece is at ? Since obviously you happen to have some VC money, a booth at the RSA floor is a sign, you can back your claims with real currency. I would love to give you the opportunity. Lets take the latest Microsoft Exchange release (2007) and 2 weeks of your time running your PROTOS fuzzer. At the end of the 2 weeks if you can find the existing remote root hole in it, I am offering to pay you the bugs worth of $150 000.00. However If you are not successful, I should be payed the very same amount which in return I shall present you the exploit. From that point you will be free to coordinate vendors, release advisories whatever it takes. Just to clarify a point though, no DoSes are acceptable, should be an overflow that leads to clear code execution ( the mailing list subscribers could be the judge of that). Wouldn't that be nice to prove that you actually know what you are talking about ? On 2/7/07, Ari Takanen <ari.takanen () codenomicon com> wrote:
Hmmm, distantly related to this: Maybe us fuzzer developers should save hashes of some millions of attacks somewhere also, so that we can prove our tools were used to find the flaws in the first place... Looking at past iDefence disclosures for example, I am beginning to doubt that they reward for publishing flaws instead of finding flaws (this is like patent system in Europe which rewards first to file, not first to invent)... More and more flaws are found using tools, and pre-packaged attacks. If a flaw is found using a product like Codenomicon/PROTOS or CANVAS, I supposed the reward should also be paid to the tool developer and not the tool user. ;) Tongue-in-the-cheek-greetings, /Ari > Date: Wed, 7 Feb 2007 02:11:16 -0500 (EST) > From: "Steven M. Christey" <coley () mitre org> > Subject: Re: [Dailydave] Some Sums > To: dailydave () lists immunitysec com > Message-ID: <200702070711.l177BGJw026300 () faron mitre org> > > > > I take it that's going to be the hash of some file or other data > > you're > going to produce for someone at sometime in the future? > > Couldn't you just > have used a ZK protocol and left us all out of > > it? ;-) If you're going to use > our inboxes as substitutes for > > escrow/notarisation centres, you could perhaps > tell us just a > > little bit more about what you're doing! > > MD5/SHA-1 crackability issues aside*, the next question that > immediately comes to mind is why there isn't a central place for > researchers to do exactly this - make a claim about knowledge that's > provably fixed in a certain place and time. Oh, wait, we're all > individuals and we don't need anybody else. There's no need to > organize in any way, shape, or form. After all, when Ilfak posted > that third-party patch, ABSOLUTELY EVERYBODY knew who he was and > immediately trusted him, so why not Halvar? Sorry, I forgot about the > outside world for a second. > > > Snarkily and respectfully, > Steve > > > * crypto is my kryptonite, I defer to the geniuses. _______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave
_______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- Re: Some Sums Steven M. Christey (Feb 07)
- <Possible follow-ups>
- Re: Some Sums Ari Takanen (Feb 08)
- Re: Some Sums Dave Aitel (Feb 08)
- Re: Some Sums Olef Anderson (Feb 08)
- Re: Some Sums Ari Takanen (Feb 11)
- Re: Some Sums Thomas Ptacek (Feb 11)
- Re: Some Sums Roland Dobbins (Feb 11)
- Re: Some Sums Paul Melson (Feb 12)
- Re: Some Sums Olef Anderson (Feb 13)
- Re: Some Sums Thomas Ptacek (Feb 11)
- Re: Some Sums Steven M. Christey (Feb 12)
- Re: Some Sums Jared DeMott (Feb 12)