Dailydave mailing list archives

Here's where I call them "retarded"


From: Dave Aitel <dave () immunityinc com>
Date: Thu, 27 Apr 2006 23:08:03 -0400

http://www.securityfocus.com/news/11389/1 <--without VC money you can
say things like that in print.

I think there should be a maximum of 50K "damages" for any basic 'or
1==1;' SQL Injection bug found. Isn't that how much WebInspect/Appscan
go for these days? Hmm. You can get the trial for free, right? So
maybe the cost of "finding and fixing" the bug should be zero dollars
and they should let the dude off based on triviality and the less than
$5000 "go find more child porn instead of ruining this dude's life" rule.

I spent some time mucking around with mz's latest MSIE bug. So far, so
much null pointer exception fun, with regards to setting a container
StyleSheet to null and then forgetting to check the return value from
CStyleSheet::GetRootContainer() in CChangeStatus(). Doesn't mean it's
not exploitable yet. Just not easy, like he said. There's some wacky
GetLookahead() stuff in CStyleElement::Notify() I don't understand yet
there as well and if it's an un-initialized variable bug that's where
I'd expect to dig into. The weird thing is this: mz clearly has a much
better fuzzer than Microsoft does. One thing Microsoft has that mz
doesn't have is a billion dollars. Here's my suggestion: make IE
security the top priority for MS by giving mz one billion dollars for
his fuzzer. Maybe he'll settle for 500 million. :>

I guess the interesting lesson learned here is that fuzzers are wildly
different - and they are an interesting reflection on people's
personalities. The more different your own personality is, the more
different the bugs your fuzzer will find. So your fuzzer is only as
valuable as your eccentricities.

-dave
