Dailydave mailing list archives
Re: The lack of hard questions
From: Charles Miller <cmiller () securityevaluators com>
Date: Mon, 1 Sep 2008 18:05:49 -0500
First off, I'm not a MS hater. I'm sure MS has security guys better than many security experts, no doubt better than myself. That is not the point. The point is, it only takes one or two of the best exploit developers to make a reliable exploit and it is very hard to predict what these guys can do. (and I stand by my statement that MS doesn't employ the BEST exploit developers - why would they?) It seems to me to be inherently unpredictable to predict how reliable a particular vulnerability is. For example, I'm sure MS was unaware that you could defeat ASLR and reliably exploit IE bugs until Alex and Mark told them.

Charlie

On Sep 1, 2008, at 5:05 PM, ergosum wrote:
> On Thursday 28 August 2008 00:43:43 Charles Miller wrote:
> > But the problem is, if there are only a handful of people who can make a reliable exploit for a particular vulnerability (or not) and none of them work for MS, how can MS accurately determine whether an exploit for a particular vulnerability will be somewhat reliable or totally reliable (or not possible at all)? Doesn't anyone remember gobbles :)
>
> Charles, no offense, but the MS Security team has several members who can make reliable exploits, probably much better than many "security experts". So, don't take for granted that MS is full of crap because that shows your lack of knowledge about them.