Dailydave mailing list archives

Herps


From: Dave Aitel <dave () immunitysec com>
Date: Fri, 27 Feb 2004 20:01:15 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

So I just finished a week-long assessment of a software product and
didn't even find a way to crash it. This sort of thing is very
depressing to me, but does occasionally happen. It's like another
assessment I did recently of a web application where the most
interesting thing I found was cross-site scripting.

I occasionally hear people say "We always find something in our
assessments. We've never failed to get in." Usually the way they
justify this is by putting ICMP timestamp on their deliverables (or
the equivalent - can we just take that out of Nessus now and stop
having to see it ever again? So many other protocols (SMB and RSYNC
for example) give you the current time that it's really not an issue.
It's really not. Please, please take it out of your vulnerability
database, nessus team, if you read this).

I have to think that if you find something major on everything you
assess that you are:
1. Way ahead of your time, skill-wise...like the ADM/ISS X-Force
people, various people on this list who hate being named, MaXX, etc.
or
2. Fooling yourself. Most likely you need to do harder projects (Peter
Winter-Smith - shareware.com will run out of Windows servers
eventually...why not try to find something in Redhat 9?). One fun game
is to look at something that just had an advisory released on it. Then
go find something on that. This is also a very productive game,
because everyone will have just updated, and so they will all have the
same version. If the product was really buggy, whoever looked at it
the first time might have found five or six bugs, and then given up.
The vendor probably only fixed four of those.

- -dave
P.S. A "Herp" is short for a "reptile". It's funny how owning reptiles
is a "hobby" - often linked with doing scientific experiments on
insects (the latest copy of Reptiles magazine had a whole article on
ant breeding) whereas owning a cat or dog is just having a pet. What's
up with that?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFAP+hbzOrqAtg8JS8RAqo1AKDqgVMv2iM1fVjQroKdxdu5GSVJ3wCg/ATi
gC+lTDvGr18WO8/NBdWAvug=
=V1MH
-----END PGP SIGNATURE-----

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave