Dailydave mailing list archives
Re: Staying on the treadmill.
From: Joanna Rutkowska <joanna () invisiblethingslab com>
Date: Wed, 15 Jul 2009 17:40:05 +0200
Matthew Wollenweber wrote:
My point is that you can have a fetish for esoteric attacks where the hotel maid is stealing fde passwords and spend years developing mitigations.
You got it backwards! The example of the hotel maid stealing your FDE password was a *simple* attack, for which we already have off-the-shelf solutions (e.g. Bitlocker).
The much more probable attacks are that the researcher's laptop is lost or stolen, or that while online it's compromised by a heap-overflow ninja with an IE/Firefox/whatever exploit.
But when designing your security, you should assume that this will always happen on your daily-use browser. It is a mistake to think otherwise.
So with FDE and understanding heap-overflow ninjitsu he's probably better off than waiting for trusted computing.
So, how can the heap-overflow ninja help mitigate those browser attacks? By spending 4543523444234533 days looking at the code of all the applications that your company uses and finding all possible overflows and other bugs there? ;)
Then again, I much preferred the portion of the tour with the room size speaker that shook satellites to see what would fall off and break. When it did, they determined the problem and fixed it... much like the exploit writers. When an exploit is part of a process then it's much more than simply demonstrating a problem -- it's iteratively finding and fixing the weak spots.
So, you're saying that fuzzing is the "much preferred" way? Even if we assumed this to be true (which it is not, of course), then still, I'm asking you, why does an organization need a heap-overflow ninja? To operate the shaking speaker, errm, fuzzer? ;)
joanna.