Dailydave mailing list archives
Re: Some Sums
From: "Thomas Ptacek" <tqbf () matasano com>
Date: Sun, 11 Feb 2007 12:06:16 -0600
The fuzzing vs. inspecting argument is fun and I'm happy to read it from the sidelines, but can I suggest:

1. It's not insightful to point out that fuzzers don't find everything; the point is, they find a lot.

2. A lot of people are "finding" things simply by being the first to aim someone else's fuzzer at them. I'm not sure what this implies, but it implies something.

3. Ari Takanen, and in particular the OUSPG project at OULU.FI, clearly has some software testing bona fides; PROTOS may be the first comprehensive rule-based format-aware fuzzer for ASN.1 protocols. The SNMP report from '02 was a Big Deal.

4. Ari, if you get on DailyDave and make fun of people for competitive vuln research, you deserve all the crap you get. Troll. =)

On 2/10/07, Ari Takanen <ari.takanen () codenomicon com> wrote:
Hello Olef,

Sorry, I did not notice this comment earlier. Sounds like an interesting challenge, but there are a few problems with the setup.

Firstly, our tool does not run for 2 weeks (it takes less than a few hours to test MS Exchange). This is because we do not do random (or any form of non-deterministic) testing.

Secondly, we are a fully no-disclosure company, and refuse to disclose flaws in commercial software (and our customers appreciate this). We are not in the blackmailing business... Open source would be a free target though (my personal opinion, not our company opinion).

Thirdly, we do not build exploits, as Dave already pointed out earlier, again for ethical reasons (and because nobody has ever asked us to develop exploits for the found flaws, even if building the exploit would be easy).

And a last note: we would have no use for nor interest in your exploit, nor would we want to even see it, due to the related liability issues.

So I am sorry, I have to decline the offer. You are free to continue hunting for your fame and glory from the remote exploits. I wish you good luck in the hunt! And I will shut up about our products, as I definitely do not even want you to get these tools in your hands. ;)

I hope you had a chance to visit us at RSA! We are constantly looking for skilled people who wish to start doing more proactive work in security.

/Ari

PS: Yes, we have some VC funding (from early 2005), but most of our money comes from customers, not from VCs. And we do not throw our money away like some other VC-funded companies might appear to be doing. We have existed since 2001, and released our first commercial fuzzing tools in 2002.
On Thu, Feb 08, 2007 at 01:22:02PM -0500, dailydave-request () lists immunitysec com wrote:

Date: Thu, 8 Feb 2007 09:48:36 -0800
From: "Olef Anderson" <olef.anderson () gmail com>
Subject: Re: [Dailydave] Some Sums
To: dailydave () lists immunitysec com

About this whole fuzzer business, how about putting some cold hard cash where the corporate mouthpiece is at? Since obviously you happen to have some VC money (a booth on the RSA floor is a sign), you can back your claims with real currency. I would love to give you the opportunity.

Let's take the latest Microsoft Exchange release (2007) and 2 weeks of your time running your PROTOS fuzzer. At the end of the 2 weeks, if you can find the existing remote root hole in it, I am offering to pay you the bug's worth of $150,000.00. However, if you are not successful, I should be paid the very same amount, in return for which I shall present you the exploit. From that point you will be free to coordinate vendors, release advisories, whatever it takes.

Just to clarify a point though, no DoSes are acceptable; it should be an overflow that leads to clear code execution (the mailing list subscribers could be the judge of that).

Wouldn't that be nice, to prove that you actually know what you are talking about?

On 2/7/07, Ari Takanen <ari.takanen () codenomicon com> wrote:

Hmmm, distantly related to this: Maybe us fuzzer developers should save hashes of some millions of attacks somewhere also, so that we can prove our tools were used to find the flaws in the first place... Looking at past iDefence disclosures, for example, I am beginning to doubt that they reward for publishing flaws instead of finding flaws (this is like the patent system in Europe, which rewards first to file, not first to invent)... More and more flaws are found using tools and pre-packaged attacks. If a flaw is found using a product like Codenomicon/PROTOS or CANVAS, I suppose the reward should also be paid to the tool developer and not the tool user.
;) Tongue-in-cheek greetings,

/Ari

--
-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-
Ari Takanen                      Codenomicon Ltd.
ari.takanen () codenomicon com   Tutkijantie 4E
tel: +358-40 50 67678            FIN-90570 Oulu
http://www.codenomicon.com       Finland
PGP: http://www.codenomicon.com/codenomicon-key.asc
-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
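Ari's aside about storing hashes of "some millions of attacks" to prove which tool found a flaw is the one concrete mechanism in the thread. The block below is an added illustration written for this page, not code from Codenomicon, PROTOS or anyone in the thread: every generated test case is hashed into a Merkle tree, only the root is published (e.g. posted to a list or timestamped) at the time of the test run, and when a flaw is later claimed the single crashing case is revealed together with an inclusion proof against the published root. The sample corpus, the SHA-256 choice and all function names are assumptions.

```python
"""Commit-and-reveal for a fuzzing corpus (added illustration, not PROTOS code).

Hypothetical design: leaves are SHA-256 hashes of the generated test cases,
internal nodes hash their two children, and the root is the public commitment.
Leaf and node hashes use different prefixes so a node cannot be passed off as a
leaf (second-preimage hardening of the tree).
"""
import hashlib
from typing import List, Tuple

# Constructed sample corpus: three ASN.1-ish payloads a fuzzer might emit.
SAMPLE_CORPUS = [
    b"\x30\x03\x02\x01\x01",            # well-formed SEQUENCE { INTEGER 1 }
    b"\x30\x84\xff\xff\xff\xff\x02",    # oversized length field
    b"\x30\x05\x04\x7f" + b"A" * 127,   # OCTET STRING longer than its container
]


def leaf_hash(case: bytes) -> bytes:
    """Hash of one test case; 0x00 prefix marks it as a leaf."""
    return hashlib.sha256(b"\x00" + case).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    """Hash of two child digests; 0x01 prefix marks an internal node."""
    return hashlib.sha256(b"\x01" + left + right).digest()


def _pad(level: List[bytes]) -> List[bytes]:
    """Odd-sized levels duplicate their last node so every node has a sibling."""
    return level + [level[-1]] if len(level) % 2 == 1 else level


def build_tree(corpus: List[bytes]) -> List[List[bytes]]:
    """Return all levels, levels[0] = leaves, levels[-1] = [root]."""
    if not corpus:
        raise ValueError("empty corpus")
    level = [leaf_hash(c) for c in corpus]
    levels = [level]
    while len(level) > 1:
        level = _pad(level)
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def commitment(corpus: List[bytes]) -> str:
    """The value to publish at test time: hex of the Merkle root."""
    return build_tree(corpus)[-1][0].hex()


def inclusion_proof(corpus: List[bytes], index: int) -> List[Tuple[bytes, str]]:
    """Sibling digests from leaf to root; 'L'/'R' says which side the sibling is on."""
    levels = build_tree(corpus)
    proof = []
    i = index
    for level in levels[:-1]:
        level = _pad(level)
        sibling = i ^ 1
        proof.append((level[sibling], "L" if sibling < i else "R"))
        i //= 2
    return proof


def verify(root_hex: str, case: bytes, proof: List[Tuple[bytes, str]]) -> bool:
    """Recompute the root from one revealed case and its proof."""
    h = leaf_hash(case)
    for sibling, side in proof:
        h = node_hash(sibling, h) if side == "L" else node_hash(h, sibling)
    return h.hex() == root_hex


if __name__ == "__main__":
    root = commitment(SAMPLE_CORPUS)          # published before any disclosure
    crash_case = SAMPLE_CORPUS[1]             # later claimed to have found the flaw
    proof = inclusion_proof(SAMPLE_CORPUS, 1)  # revealed alongside the case
    print("root:", root)
    print("proof ok:", verify(root, crash_case, proof))
    print("forged case ok:", verify(root, b"not in corpus", proof))
```

What the proof establishes is narrow: the revealed input was in the set committed to when the root was published, and the proof is a few dozen hashes rather than the whole corpus. It does not show that the tool was actually run against the target, that the case crashed it, or that nobody else generated the same bytes independently; for priority disputes the root still needs a trustworthy timestamp, which is why posting it somewhere public and archived is the useful part of Ari's suggestion.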
Current thread:
- Re: Some Sums Steven M. Christey (Feb 07)
- <Possible follow-ups>
- Re: Some Sums Ari Takanen (Feb 08)
- Re: Some Sums Dave Aitel (Feb 08)
- Re: Some Sums Olef Anderson (Feb 08)
- Re: Some Sums Ari Takanen (Feb 11)
- Re: Some Sums Thomas Ptacek (Feb 11)
- Re: Some Sums Roland Dobbins (Feb 11)
- Re: Some Sums Paul Melson (Feb 12)
- Re: Some Sums Olef Anderson (Feb 13)
- Re: Some Sums Thomas Ptacek (Feb 11)
- Re: Some Sums Steven M. Christey (Feb 12)
- Re: Some Sums Jared DeMott (Feb 12)