[Dailydave] What Car Does Dave Drive?

shadown shadown at gmail.com
Mon Oct 8 05:09:36 EDT 2007 

Hi Joanna,

This is an interesting topic. (not the car thing of course :P)
Some customers (if not most of them) know that security is something
critical for them, but in the end most of them just don't really get it.
I mean, they don't realize how bad things could go, and they use to
under-rate security problems because there's no public exploit, or just
because they think that exploiting the issue is whether impossible or so
difficult that they underestimate and low the bar to the point that they
don't even fix the problem.
I do believe that developing custom exploits makes people understand
that they have to fix the problems with no excuses.
Actually this is very valid when it comes to demo 'pown'ability and
pivoting of/from:
	- Network Printers
	- Appliances
	- DSL routers
	- Voip devices
	- a large etc

As many of them are developed on different CPUs and modified OSs (some
of them proprietary), showing what could be done is very eyes-opening
for the customers.

My 2 cents.
Cheers,
  Sergio


Joanna Rutkowska wrote:
> If you want to know the answer:
> 
> http://www.darkreading.com/document.asp?doc_id=135564&WT.svl=news1_2
> 
> One thing I don't quite get though:
> 
> <quote>
> "We'll analyze a random printer DLL you have installed, write an
> exploit, and use that on your network," he says, to help companies
> better secure their environments.
> </quote>
> 
> While I greatly respect skills needed to write sophisticated exploits, I
> still don't see how exploit writing could be used to secure anything...?
> 
> You can, of course, use exploits to test some security products (e.g. an
> IPS), but here we're talking about exploits for bugs in some custom
> code. Many of us will agree that IPS are useless in this case, almost by
> definition, and I think that Dave is one that will agree most eagerly
> (search for IDS-related threads on this list). So, testing an IPS
> against custom exploits for bugs in the custom code seems pretty much
> useless, no?
> 
> The question is then: how you convince a client to pay you not only for
> code audit (no doubt it's useful) but also to write an exploit for each
> bug you find? I *really* would love to know the answer :)
> 
> Having said that all, I need to stress that I can't overestimate the
> (educational) value of exploit writing for the whole IT security field
> -- one might not be following the latest trends in heaps exploits for
> RPC thingis, but if one never wrote and understood an exploit there's
> quite a big change that they simply "don't get it all". It's just I
> don't see how individual companies would be interested in paying
> somebody for preparing "educational material" for other researchers?
> 
> joanna.
_______________________________________________
Dailydave mailing list
Dailydave at lists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave

-- 
Sergio Alvarez
Security, Research & Development
IT Security Consultant
email: shadown at gmail.com

More information about the Dailydave mailing list