Dailydave mailing list archives

The L Word


From: Dave Aitel <dave () immunitysec com>
Date: Thu, 22 Jan 2004 01:19:25 -0500

There's a new show on Showtime about lesbians called "The L Word".
Once Justine and I wandered into a lesbian bar in the West Village and
they played bluegrass music and the waitress wore no make-up and had
strangely masculine hands that I couldn't stop staring at.

From the commercials the L word stands for Love, Lies, and Lesbians.
Anyways, now that I've covered the other two, I wanted to cover Lies.
Specifically, I wanted to point out that there are some pretty funny
papers printed on Bugtraq. http://www.rtfm.com/bugrate.pdf

I think the best arguments against the paper are:
1. It's got a lot of bullshit equations in it. They add nothing.
2. The graphs are also completely made up.
3. "The bottom line, then, is that based on the evidence we cannot
conclude that bug finding and disclosure provides an increase in
software security sufficient to offset the effort being invested"
<---makes no sense.

To back up my attack on the paper, I'd like to do a few basic case
studies.

Case study 1.
RealServer ../.. bug. When the vendor finally fixed the bug, there
were no x86 RealServers on the Internet that had not been hacked.

Case study 2.
Sadmind. The vendor has decided not to fix it, but the conclusion is
the same.

Case study 3.
Compaq Web Management. Currently I'm trying to get HP to fix a bug in
it (one of my customers is running it). They claim it's fixed already
(as vendors always do). I consider any machine with CWM on it a
machine with a pre-installed, undetectable, backdoor. It's really just
a difference in wording, I guess.
See, I guess what I'm trying to say is, I wrote an exploit today, and
in it is this, which I also wrote today:
# we need to write a mini shellcode that jumps forwards 500 bytes,
# with no knowledge of what eip is right now, or what the registers are,
# and we might have to avoid some bad bytes, which we don't know ahead
# of time.
generator = shellcodeGenerator.X86()
generator.addAttr("Jump", {"jmpvalue": 500, "badstring": self.badstring})
jmpval = generator.get()

The goal of MOSDEF is programs which can write programs. Someone in
Singapore told me that MOSDEF is over-engineered. It probably is, the
way most exploits are these days. But it's not about having to find a
"definitive answer to the question of whether bug finding is useful"
any more than bluegrass music is.

Dave Aitel
Immunity, Inc.

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave