Dailydave mailing list archives

Re: Staying on the treadmill.


From: "Halvar Flake" <halvar () gmx de>
Date: 16 Jul 2009 00:23:33 +0200

In order to continue my tradition of mostly nonsensical posts:

Joanna wrote:
No! I highly respect all the people who demonstrated how different things are
possible. When you show an exploit that attacks things that have never been
attacked before, it is extremely useful. Remember Solar Designer's JPEG Netscape
*first* public heap overflow? Now, that's what matters.

But coming up with yet-another client-side exploit for Browser/PDF
viewer/etc usually is meaningless. We have seen enough such exploits to
understand that currently used mitigations do not work (apps code audit, apps
fuzzing, ASLR, NX), and that we should assume any desktop application that takes
untrusted input can be exploited. And we need to address the problem in a
different way, with the assumption that even if some applications on my desktop
get compromised, others still work. Today's OSes do not provide this feature.

I wholeheartedly agree. It has long been my (and my employers') position
that there are way too many presentations of exploitation techniques. I
therefore propose that we alter this year's Blackhat schedule as follows:
 - Remove the John McDonald / Chris Valasek talk
 - Remove FX's talk
 - Remove the Dowd/Smith/Dewey talk
 - Remove Kostya's talk

Instead, I think we should substitute at least two of these with fundamental
talks about trusted computing, one with a talk about homomorphic encryption,
on smartcards and one with a talk about visual spoofing. I would like some
songs, too. And *plenty* of architecture diagrams please, perhaps with a
security proof thrown in.

:-P
It was joked away, because we are not paid for having fun, but for (trying) to
solve the actual problems our customers might have. I'm yet to find a company
that would be advertising their services as "hire us, so *we* could have some
fun". Have you seen one? Halvar's maybe? Or is it rather "hire us, we will help
you *solve* your problems?"
I would prefer to advertise: "You might have some problems that we would
have a ton of fun with. If you make sure we don't starve while having fun with
these problems, we'll do an excellent job -- we love our work, and take pride in
it. Would you prefer to hire someone that likes his work, or someone that gets
paid to pretend to like it?"

:-)

Holy crap, where has the lightheartedness gone? Could we *please* all
quit taking ourselves quite so seriously?

I am looking forward to seeing y'all in Vegas in 10 days.

Cheers,
Halvar
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave