Dailydave mailing list archives

Re: Two thoughts for the day:


From: "val smith" <valsmith () offensivecomputing net>
Date: Fri, 25 Apr 2008 11:09:39 -0600

I'll have to be honest, I don't really WANT Microsoft to change their
patch methodology, even if the dramatic (probably incorrect)
conclusions people seem to be drawing from this paper are true. Bear
with me for a moment and I'll explain why. Let's be honest here, there
are researchers (many on this list) who can rapidly find and exploit
vulnerabilities. Patches help speed things up but BinDiff (and
similar) things have been available for many years and the people who
can write exploits understand this process and those with a financial
stake in it have automated much of the process by now. If patches were
to be obfuscated, or the process changed, how long would it really take
for someone to circumvent it? A binary has to exist somewhere at some
point, right? Someone smart enough will eventually send input to it, or
reverse it or accidentally crash it eventually.

Many of us make use of exploits and vulnerabilities in some way for a
living whether we are pen testers, IDS sig developers, vuln
researchers, framework builders or whatever. At this point security is
such a tangled, many-layered labyrinth that I no longer possess the
self-righteous fury required to shout from the pulpit: "Patch your
systems! Configure security! Use an IDS! Educate your users!"

I'm in it for the fun.

There, I said it. If everyone did everything securely, I wouldn't have
much to do and I'd have to pour coffees or flip burgers for a living.
I like showing up for a pen test and finding unpatched boxes, or users
sharing admin passwords. I love finding web apps with null byte file
inclusion bugs, or passwordless ssh keys with sudo permissions on
every server. It's FUN. I suspect other security researchers have
reached this conclusion (even if they haven't admitted it to
themselves yet) that security is probably too hard a problem to
"solve" and all our ranting really doesn't make anyone more secure in
the long run. At this point, broken things are fun and we just want to
play and thankfully people are willing to pay for it. I don't mind if
you continuously make it just a little bit harder, just to keep it
interesting, but don't take away my exploits please! ;)

V.

On Fri, Apr 25, 2008 at 8:53 AM, Halvar Flake <halvar () gmx de> wrote:
Hey all,

 regarding #1: I have written a rather lengthy post about this topic on
 my blog (addxorrol.blogspot.com) if anyone cares :)

 Cheers,
 Halvar


_______________________________________________
 Dailydave mailing list
 Dailydave () lists immunitysec com
 http://lists.immunitysec.com/mailman/listinfo/dailydave
