Concurrency

[Dave Aitel <dave () immunitysec com>]

I want to be able to put notes next to my email. Sometimes someone sends 
me an attachment and it says something  vague like "Contract" or 
whatever. I want to put notes in the margin of that email and have them 
get saved. Maybe in "digital ink" or whatever the latest buzzword is. 
Also, I don't see why Mozilla doesn't create a .mozilla imap folder and 
store my filters there so I don't need to create them over and over 
again. There should be a big company that has fingers in all of the 
major open source projects that you can outsource dev projects to. 
Someone you could have under NDA so you can pass your corporate 
spreadsheets to them and say "This doesn't work in OpenOffice 2.0. Go 
make it work in 3.0, please". Also it's funny that Mozilla's spell 
checker doesn't recognize "Mozilla".

If you haven't read this, then it's worth the 10 seconds it takes.
http://wired.com/news/privacy/0,1848,69488-3,00.html?tw=wn_story_page_next2

"""
Jeff Moss: Some researchers now just think that it's too much effort. 
They have to play politician now (with the companies) when all they want 
to do is play researcher.... There are some vulnerability-assessment 
tools that have come out ... that (uncover) five or six vulnerabilities 
(in software) that have never been announced. The (product) vendors 
don't know about them. The people who write the tools are just busy 
writing them, and they don't want to spend time holding the hand of all 
these manufacturers. That's kind of interesting, because the first 
chance that these vendors have of knowing there's a problem with their 
product is when somebody calls them up and says, "Hey, I just downloaded 
this tool and found five problems (in your product)."

"""

There are many fuzzers, but this one is mine. Without my fuzzer, I am 
nothing; without me, my fuzzer is nothing. Annoyingly, the term 
"Vulnerability Assessment" means many things to many people.

There are some people out there saying that finding bugs is worthless 
and doesn't help anyone. I encourage this thought because if it succeeds 
then anyone with SPIKE from 1999 will be a one eyed man in the land of 
the blind. And just for the record, it's certainly possible that lots of 
bugs are found by multiple people at once. I dunno where people who've 
never written exploits or found vulns get off saying that all vulns are 
found once uniquely. If two people with similar skill levels audit the 
same piece of software they're likely to find at least some of the same 
bugs. That just makes intuitive sense. There's not an infinite supply of 
bugs, just lots of them. Like oil or "sea bass". Eventually you run out. 
We're pretty near this point on Linux - the cost for writing a remote 
exploit for bob_ftp server.exe on Windows is about 500 bucks. The cost 
of doing the same against a modern Linux is 50K. It's doable, but it's a 
10 month investment and by the time your finished product comes out the 
other end, the bug has been found by someone else and it's patched.

-dave