Dailydave mailing list archives
Re: Two thoughts for the day:
From: "val smith" <valsmith () offensivecomputing net>
Date: Fri, 25 Apr 2008 11:09:39 -0600
I'll have to be honest, I don't really WANT Microsoft to change their patch methodology, even if the dramatic (probably incorrect) conclusions people seem to be drawing from this paper are true. Bear with me for a moment and I'll explain why.

Let's be honest here, there are researchers (many on this list) who can rapidly find and exploit vulnerabilities. Patches help speed things up, but BinDiff (and similar) things have been available for many years, and the people who can write exploits understand this process, and those with a financial stake in it have automated much of the process by now.

If patches were to be obfuscated, or the process changed, how long would it really take for someone to circumvent it? A binary has to exist somewhere at some point, right? Someone smart enough will eventually send input to it, or reverse it or accidentally crash it eventually.

Many of us make use of exploits and vulnerabilities in some way for a living, whether we are pen testers, IDS sig developers, vuln researchers, framework builders or whatever. At this point security is such a tangled, many-layered labyrinth that I no longer possess the self-righteous fury required to shout from the pulpit: "Patch your systems! Configure security! Use an IDS! Educate your users!"

I'm in it for the fun. There, I said it. If everyone did everything securely, I wouldn't have much to do and I'd have to pour coffees or flip burgers for a living. I like showing up for a pen test and finding unpatched boxes, or users sharing admin passwords. I love finding web apps with null byte file inclusion bugs, or passwordless ssh keys with sudo permissions on every server. It's FUN.

I suspect other security researchers have reached this conclusion (even if they haven't admitted it to themselves yet) that security is probably too hard a problem to "solve" and all our ranting really doesn't make anyone more secure in the long run.

At this point, broken things are fun and we just want to play, and thankfully people are willing to pay for it. I don't mind if you continuously make it just a little bit harder, just to keep it interesting, but don't take away my exploits please! ;)

V.

On Fri, Apr 25, 2008 at 8:53 AM, Halvar Flake <halvar () gmx de> wrote:

> Hey all,
>
> regarding #1: I have written a rather lengthy post about this topic on my blog (addxorrol.blogspot.com) if anyone cares :)
>
> Cheers,
> Halvar
> _______________________________________________
> Dailydave mailing list
> Dailydave () lists immunitysec com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- Two thoughts for the day: Dave Aitel (Apr 24)
- Re: Two thoughts for the day: Pusscat (Apr 25)
- Re: Two thoughts for the day: jf (Apr 25)
- Re: Two thoughts for the day: Thomas Ptacek (Apr 25)
- Re: Two thoughts for the day: jf (Apr 25)
- Re: Two thoughts for the day: Joanna Rutkowska (Apr 25)
- Re: Two thoughts for the day: Dave Aitel (Apr 28)
- Re: Two thoughts for the day: Halvar Flake (Apr 25)
- Re: Two thoughts for the day: val smith (Apr 25)
- Re: Two thoughts for the day: Pusscat (Apr 25)