Dailydave mailing list archives
Re: Staying on the treadmill.
From: "Halvar Flake" <halvar () gmx de>
Date: 16 Jul 2009 00:23:33 +0200
In order to continue my tradition of mostly nonsensical posts: Joanna wrote:
No! I highly respect all the people who demonstrated how different things are possible. When you show an exploit that attacks things that have never been attacked before, it is extremely useful. Remember Solar Designer's JPEG Netscape *first* public heap overflow? Now, that's what matters. But coming up with yet another client-side exploit for Browser/PDF viewer/etc. usually is meaningless. We have seen enough such exploits to understand that currently used mitigations do not work (apps code audit, apps fuzzing, ASLR, NX), and that we should assume any desktop application that takes untrusted input can be exploited. And we need to address the problem in a different way, with the assumption that even if some applications on my desktop get compromised, others still work. Today's OSes do not provide this feature.
I wholeheartedly agree. It has long been my (and my employer's) position that there are way too many presentations of exploitation techniques. I therefore propose that we alter this year's Blackhat schedule as follows:

- Remove the John McDonald / Chris Valasek talk
- Remove FX's talk
- Remove the Dowd/Smith/Dewey talk
- Remove Kostya's talk

Instead, I think we should substitute at least two of these with fundamental talks about trusted computing, one with a talk about homomorphic encryption on smartcards, and one with a talk about visual spoofing. I would like some songs, too. And *plenty* of architecture diagrams please, perhaps with a security proof thrown in. :-P
It was joked away, because we are not paid for having fun, but for (trying) to solve the actual problems our customers might have. I'm yet to find a company that would be advertising their services as "hire us, so *we* could have some fun". Have you seen one? Halvar's maybe? Or is it rather "hire us, we will help you *solve* your problems?"
I would prefer to advertise: "You might have some problems that we would have a ton of fun with. If you make sure we don't starve while having fun with these problems, we'll do an excellent job -- we love our work, and take pride in it. Would you prefer to hire someone that likes his work, or someone that gets paid to pretend to like it?" :-)

Holy crap, where has the lightheartedness gone? Could we *please* all quit taking ourselves quite so seriously?

I am looking forward to seeing y'all in Vegas in 10 days.

Cheers,
Halvar

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave