Dailydave mailing list archives

With a real team, it's not about the numbers


From: Dave Aitel <dave () immunityinc com>
Date: Tue, 01 May 2012 10:05:41 -0400

I find articles like the recent one in Forbes 
<http://www.forbes.com/sites/andygreenberg/2012/03/21/meet-the-hackers-who-sell-spies-the-tools-to-crack-your-pc-and-get-paid-six-figure-fees/>
 quite funny in a way - and likewise talks about "rootite" and bug mining and so forth. Part of this is because 
philosophically I know that teams who focus on the money tend to lose. Obviously you need a lot of money to get things 
done in this industry, but I think it's a slippery slope from that to looking for where the money really is, which is 
defense <http://immunityinc.com/infiltratemovies/movies/andrewcushman_keynote.mp4>. 

And when you're doing defense, you're not writing exploits, you're creating "security tests". You're not as concerned 
with "where will this exploit get me" so much as meeting this month's exploit quota. "How many checks do you have?" is 
the kind of customer you're competing for.

This month CANVAS released one exploit. And that one exploit in Samba is worth more to me than a hundred "security 
tests" in random bits of Microsoft software no one interesting has ever installed. [1] 

You can see it in action here, or if you have CANVAS, you can download it as of last night. 
http://partners.immunityinc.com/movies/CANVAS-SambaNDR.mov

-dave
[1] As a side note, you'll notice none of the static analysis companies can find this bug. 
[2] Also you should read Kostya's blog post 
<http://expertmiami.blogspot.com/2012/05/skype-does-away-with-random-supernodes.html> today just because it's in 
English.


-- 
INFILTRATE - the world's best offensive information security conference.
April 2013 in Miami Beach
www.infiltratecon.com


_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave
