Full Disclosure mailing list archives

Re: Gates: 'You don't need perfect code' for good security


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Mon, 03 Nov 2003 17:15:51 +1300

For all his usual intelligence, Valdis.Kletnieks () vt edu oddly felt the 
need to add:

> And for bonus points, explain how you fix the scheme so the poor sysadmin who
> has to run stuff at startup is able to find the folder, but an exploit running
> with 'administrator' or 'system' can't find it?

Re-read what I wrote.

I explained all that.

Like all security efforts, it is not a "perfect" solution.

It also does not work against all methods of exploitation or in all 
cases of exploitation using any given method.

However, it would have saved you from a bunch of once common IE 
exploits and will still save you from a huge amount of "work" done by 
thousands of next-to-clueless skiddies who take overly simple PoC 
exploits and are limited to altering them to simply gluing in the 
delivery of their preferred RAT/bot-net agent/etc.

As I already explained all that _and_ answered your question before you 
asked it, I gladly accept your bonus points...


Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
