Dailydave mailing list archives

Re: What Car Does Dave Drive?


From: shadown <shadown () gmail com>
Date: Mon, 08 Oct 2007 11:09:36 +0200

Hi Joanna,

This is an interesting topic. (not the car thing of course :P)
Some customers (if not most of them) know that security is something
critical for them, but in the end most of them just don't really get it.
I mean, they don't realize how bad things could go, and they tend to
underrate security problems because there's no public exploit, or just
because they think that exploiting the issue is either impossible or so
difficult that they underestimate and lower the bar to the point that they
don't even fix the problem.
I do believe that developing custom exploits makes people understand
that they have to fix the problems with no excuses.
Actually this is very valid when it comes to demo 'pown'ability and
pivoting of/from:
        - Network Printers
        - Appliances
        - DSL routers
        - VoIP devices
        - a large etc

As many of them are developed on different CPUs and modified OSs (some
of them proprietary), showing what could be done is very eye-opening
for the customers.

My 2 cents.
Cheers,
  Sergio


Joanna Rutkowska wrote:
If you want to know the answer:

http://www.darkreading.com/document.asp?doc_id=135564&WT.svl=news1_2

One thing I don't quite get though:

<quote>
"We'll analyze a random printer DLL you have installed, write an
exploit, and use that on your network," he says, to help companies
better secure their environments.
</quote>

While I greatly respect skills needed to write sophisticated exploits, I
still don't see how exploit writing could be used to secure anything...?

You can, of course, use exploits to test some security products (e.g. an
IPS), but here we're talking about exploits for bugs in some custom
code. Many of us will agree that IPS are useless in this case, almost by
definition, and I think that Dave is one that will agree most eagerly
(search for IDS-related threads on this list). So, testing an IPS
against custom exploits for bugs in the custom code seems pretty much
useless, no?

The question is then: how do you convince a client to pay you not only for
code audit (no doubt it's useful) but also to write an exploit for each
bug you find? I *really* would love to know the answer :)

Having said all that, I need to stress that I can't overestimate the
(educational) value of exploit writing for the whole IT security field
-- one might not be following the latest trends in heap exploits for
RPC thingies, but if one never wrote and understood an exploit there's
quite a big chance that they simply "don't get it all". It's just I
don't see how individual companies would be interested in paying
somebody for preparing "educational material" for other researchers?

joanna.
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave

-- 
Sergio Alvarez
Security, Research & Development
IT Security Consultant
email: shadown () gmail com

