Security Basics mailing list archives

Re: Detecting vulnerabilities to write exploits


From: vinny <vinu () hiwaay net>
Date: Thu, 05 Jan 2006 08:36:56 -0600

Joshua wrote:

On point 2 I must beg to differ. In many cases this is the only way to force a company to make the appropriate updates to their product. If you propose that we wait until a company releases a patch, then we may as well wait until all users everywhere have downloaded and installed said patch. Many vulnerabilities can lead to the discovery of others. I would much rather that any additional holes, or exploit methods are found prior to the patch for a few reasons.

1. A company is less likely to revisit an issue if they feel they have addressed it in a capacity to placate the average end user.

2. Better to have the knowledge on what to avoid (in specific) to better answer questions from those less technically inclined.

3. It's more fun...


I agree with Joshua,

I think that finding vulnerabilities is much like finding patterns in crossword puzzles or anything else. People start looking at it and come up with patterns that are inherently insecure, and start from there. They will see that a certain type of exploit "may" work here, and then engineer an exploit that will take advantage of this insecure code.