Dailydave mailing list archives

Re: Staying on the treadmill.


From: Joanna Rutkowska <joanna () invisiblethingslab com>
Date: Wed, 15 Jul 2009 17:40:05 +0200

Matthew Wollenweber wrote:
> My point is that you can have a fetish for esoteric attacks where the hotel
> maid is stealing fde passwords and spend years developing mitigations.

You got it backwards! The example of hotel maid stealing your FDE password was
a *simple* attack, for which we already have off-the-shelf solutions (e.g.
BitLocker).

> The much more probable attacks are that the researcher's laptop is lost,
> stolen, or that while online it's compromised by a heap-overflow ninja with
> an IE/Firefox/whatever exploit.

But when designing your security, you should assume that this will always happen
on your daily-use browser. It is a mistake to think otherwise.

> So with FDE and understanding heap-overflow ninjitsu he's probably better off
> than waiting for trusted computing.


So, how can the heap-overflow ninja help mitigate those browser attacks? By
spending 4543523444234533 days looking at the code of all the applications that
your company uses and finding all possible overflows and other bugs there? ;)

> Then again, I much preferred the portion of the tour with the room size
> speaker that shook satellites to see what would fall off and break. When it
> did, they determined the problem and fixed it... much like the exploit
> writers. When an exploit is part of a process then it's much more than
> simply demonstrating a problem -- it's iteratively finding and fixing the
> weak spots.


So, you're saying that fuzzing is the "much preferred" way? Even if we assumed
this to be true (which is not, of course), then still, I'm asking you, why does an
organization need a heap overflow ninja? To operate the shaking speaker, errm,
fuzzer? ;)

joanna.
