Dailydave mailing list archives

Re: The lack of hard questions


From: Charles Miller <cmiller () securityevaluators com>
Date: Mon, 1 Sep 2008 18:05:49 -0500

First off, I'm not an MS hater. I'm sure MS has security guys better than many security experts, no doubt better than myself. That is not the point. The point is, it only takes one or two of the best exploit developers to make a reliable exploit, and it is very hard to predict what these guys can do. (And I stand by my statement that MS doesn't employ the BEST exploit developers - why would they?) It seems to me to be inherently unpredictable how reliable an exploit for a particular vulnerability can be made. For example, I'm sure MS was unaware that you could defeat ASLR and reliably exploit IE bugs until Alex and Mark told them.

Charlie


On Sep 1, 2008, at 5:05 PM, ergosum wrote:

On Thursday 28 August 2008 00:43:43 Charles Miller wrote:

But the problem is, if there are only a handful of people who can make a reliable exploit for a particular vulnerability (or not) and none of them work for MS, how can MS accurately determine whether an exploit for a particular vulnerability will be somewhat reliable or totally reliable (or not possible at all)? Doesn't anyone remember gobbles :)


Charles, no offense, but the MS Security team has several members who can make reliable exploits, probably much better than many "security experts". So, don't take for granted that MS is full of crap, because that shows your lack of knowledge about them.


_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
