Dailydave mailing list archives
What Car Does Dave Drive?
From: Joanna Rutkowska <joanna () invisiblethings org>
Date: Sun, 07 Oct 2007 19:55:48 +0200
If you want to know the answer:

http://www.darkreading.com/document.asp?doc_id=135564&WT.svl=news1_2

One thing I don't quite get though:

<quote>
"We'll analyze a random printer DLL you have installed, write an exploit, and use that on your network," he says, to help companies better secure their environments.
</quote>

While I greatly respect the skills needed to write sophisticated exploits, I still don't see how exploit writing could be used to secure anything...?

You can, of course, use exploits to test some security products (e.g. an IPS), but here we're talking about exploits for bugs in some custom code. Many of us will agree that IPS are useless in this case, almost by definition, and I think that Dave is one that will agree most eagerly (search for IDS-related threads on this list). So, testing an IPS against custom exploits for bugs in the custom code seems pretty much useless, no?

The question is then: how do you convince a client to pay you not only for a code audit (no doubt it's useful) but also to write an exploit for each bug you find? I *really* would love to know the answer :)

Having said all that, I need to stress that I can't overestimate the (educational) value of exploit writing for the whole IT security field -- one might not be following the latest trends in heap exploits for RPC thingies, but if one never wrote and understood an exploit there's quite a big chance that they simply "don't get it all". It's just I don't see how individual companies would be interested in paying somebody for preparing "educational material" for other researchers?

joanna.

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave