Vulnerability Development mailing list archives

Re: Immunix Adversary/Exploit Developer/Librarian

From: crispin () WIREX COM (Crispin Cowan)
Date: Wed, 5 Jul 2000 00:09:35 -0700


Blue Boar wrote:

Crispin Cowan wrote:


[I understand that VULN-DEV is not a recruiting forum, but this position
is precisely on-topic for the VULN-DEV mailing list:  a vulnerability
developer.  Please post it if you find it appropriate, and I understand
if you don't.  Thanks.]


OK, I let this through on cool factor.


Thanks!

 I assume it also went to the
security jobs list?


Yes, it went to securityjobs last week, but I thought vuln-dev might want to see it.

I think the only only job I've seen that ranks up there is this one:
CD11F9F59C6BD3118BF5009027B0F53B0884EC () adp-exch-1 cmet af 
mil">http://securityfocus.com/templates/archive.pike?list=77&date=2000-01-22&msg=CD11F9F59C6BD3118BF5009027B0F53B0884EC
 () adp-exch-1 cmet af mil</A>
(probably wrapped)


Fascinating.

So, I assume that as this guy break your own stuff, you'll post
the info to the various lists?  Will he share research with the rest
of us?


You know how construction sites have signs up that say "This site has been injury free for XX days"?  We want to put up 
a web site that
says:

   * Immunix OS has been exploit-free for XX days
   * Red Hat Linux has been exploit-free for YY days

The Immunix Adversary will be responsible for testing & refining exploits to back up these claims.  When something is 
found that gets
through either system, the counter gets re-set to "1", and for those that affect Immunix, an advisory goes out.  To the 
extent possible, we
hope to conform to the spirit of the Rain Forrest Puppy protocol for releasing advisories  
http://www.wiretrip.net/rfp/policy.html

For instance, I would LOVE to be able to announce that Immunix is immune to the recent Kerberos and WU-FTPD buffer 
overflows, but I won't do
that until I can validate it.  Such validation would reset the Red Hat counter to "1", and the Immunix counter would 
depend on the testing
result.

This "days of safety" hack is my response to marketing & management wanting to stage a "hack me" contest.  I feel that 
this has at least as
much marketing punch, and a great deal more technical validity (cf. the usual reasons that "hack me" contests don't 
prove anything).

Crispin

--
Crispin Cowan, CTO, WireX Communications, Inc.    http://wirex.com
Free Hardened Linux Distribution:                 http://immunix.org
        Security JOB:  http://immunix.org/jobs.html

Current thread:

Immunix Adversary/Exploit Developer/Librarian Crispin Cowan (Jul 04)
- Re: Immunix Adversary/Exploit Developer/Librarian Blue Boar (Jul 04)
  - Re: Immunix Adversary/Exploit Developer/Librarian Crispin Cowan (Jul 05)