Dailydave mailing list archives

RE: VisualExploit.py


From: "Mike Bailey" <mike.bailey () sunbladesecurity com>
Date: Fri, 25 Feb 2005 23:59:35 -0500


couldn't come up with any "purdee pictures" (if you've got 
DDJ's Dec 1995 "Visual Programming" issue, it's got a great 

Didn't NeXT have something similar to this as well? Maybe my memory has
merged "Cube" and nextcube but I recall a Visio/Dia like tool on there for
development. 

I'm wondering what the overall effect of "lowering the bar" 
would be - would vendors then make a more concerted effort to 
writing "better" (read: more secure) programs before 
releasing?  Would they use the tools themselves?  Perhaps you 

While thinking about the visual language interface I started on a
philosophical rant.. On one hand you have people that want to look at
writing exploits as an art or something else idealistic and pure. I bet most
of those people don't try to do it for a living, if at all. Then there are
people whose job is to break stuff. Sometimes for fun and profit,
sometimes because they like doing a good in the QA lab and maybe even
sometimes in an effort to make someone or some company's dev staff look bad.

In most testing cases you're going to have to understand how to find the
vulnerability before worrying about exploiting it, so there's no lowering
of the bar there "in my opinion". It seems more like adding a springboard in
an effort to get over that bar a little easier. Since I'm pretty tired and
hungry now a food reference comes to mind as well. Finding vulns is like
making a donut. Using a VPL interface with canvas would then be like a nice
chocolate glaze after slaving away in the kitchen to cook that donut.
Personally I'm thinking of it now as the krispyKreme of security testing
tools.

Maybe there will even be contests for who can make a working exploit that
looks like art to keep the idealists happy too! 

Sadly in some Matrix-like movie they'll probably be using virtual reality
suits to build exploits with this tool. I shudder..

And for those unfamiliar with my donut-
http://www.krispykreme.com/varieties.html#

Oh well, I'll shut up now..

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave

