Dailydave mailing list archives

The CrateMaster2000 of Security.


From: Dave Aitel <dave () immunityinc com>
Date: Thu, 25 Jan 2007 07:25:58 -0500

So I'm too tired to go see the ocelots or whatever at the Singapore
night "safari". This is what happens during classes. You think "I'm in a
far away place I'll go do cool things!" and then you go back to your
hotel to check email and sleep.

Recently I was reading a lot about metrics, in particular "security
metrics", in preparation for the upcoming Mini-Metricon that happens
right before RSA. Here's my thought on metrics today: If your metric is
somehow perfectly satirized by Old Man Murray's CrateMaster2000
(http://www.oldmanmurray.com/features/39.html), then it's time to go
back to the drawing board. CVSS, we're looking at you here.

I've gotta wonder at stories like this:
http://valleywag.com/tech/cia/facebook-exposes-wannabe-spooks-231130.php
. I think pages like that are what you get when you read "The Company"
(http://www.amazon.com/Company-Robert-Littell/dp/0142002623/) backwards.
(Ignore the obvious typo on the book excerpt there. It's really quite
well written - and I don't just mean it has a nice typeface like some
Amy Tan book. That dude clearly knows how to string the right words
together for long periods of time in a row. I was reading it last time I
came to Singapore, and this time I'm reading a book on Oysters. Turns
out there used to be a lot more of them, like stack overflows.)

Anyways, assuming I can work the email client and Mailman lets the image
go through, below you should see a graphic from the latest version of
VisualSploit. It's a working version of the 3Com TFTP exploit that is
Windows version and SP independent. In the near future you'll just build
the packet, and SPIKE will fuzz it, and ImmDBG and VS will cooperate to
write the exploit for you.

-dave


VisualSploit Screenshot
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave

