Dailydave mailing list archives
Herps
From: Dave Aitel <dave () immunitysec com>
Date: Fri, 27 Feb 2004 20:01:15 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

So I just finished a week-long assessment of a software product and didn't even find a way to crash it. This sort of thing is very depressing to me, but does occasionally happen. It's like another assessment I did recently of a web application where the most interesting thing I found was cross-site scripting.

I occasionally hear people say "We always find something in our assessments. We've never failed to get in." Usually the way they justify this is by putting ICMP timestamp on their deliverables (or the equivalent - can we just take that out of Nessus now and stop having to see it ever again? So many other protocols (SMB and RSYNC, for example) give you the current time that it's really not an issue. It's really not. Please, please take it out of your vulnerability database, Nessus team, if you read this).

I have to think that if you find something major on everything you assess that you are:

1. Way ahead of your time, skill-wise... like the ADM/ISS X-Force people, various people on this list who hate being named, MaXX, etc., or
2. Fooling yourself. Most likely you need to do harder projects (Peter Winter-Smith - shareware.com will run out of Windows servers eventually... why not try to find something in Redhat 9?).

One fun game is to look at something that just had an advisory released on it. Then go find something on that. This is also a very productive game, because everyone will have just updated, and so they will all have the same version. If the product was really buggy, whoever looked at it the first time might have found five or six bugs, and then given up. The vendor probably only fixed four of those.

-dave

P.S. A "Herp" is short for a "reptile". It's funny how owning reptiles is a "hobby" - often linked with doing scientific experiments on insects (the latest copy of Reptiles magazine had a whole article on ant breeding) whereas owning a cat or dog is just having a pet. What's up with that?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFAP+hbzOrqAtg8JS8RAqo1AKDqgVMv2iM1fVjQroKdxdu5GSVJ3wCg/ATi
gC+lTDvGr18WO8/NBdWAvug=
=V1MH
-----END PGP SIGNATURE-----

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave