Dailydave mailing list archives
Re: Exploit writing thoughts
From: gilhespy () quicknet nl
Date: Wed, 07 Apr 2010 19:05:38 +0200
Dave, what tends to make exploit writers happier - the incredibly complex scenario where the world is left saying "how the hell did he ever work that out?" - or the discovery of the so painfully obvious that the world is left saying "DOH! how the hell did we ever ALL miss that? all this time"..? Mike ----- Original Message ----- From: dave <dave () immunityinc com> Date: Wednesday, April 7, 2010 6:49 pm Subject: [Dailydave] Exploit writing thoughts To: dailydave () lists immunityinc com
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 So what is it exactly you are asking of someone when you ask them to write an exploit, is something I think about a lot. Usually it goes like this: "Hi, you know that wacky technology no one who can avoid it uses, ["Java","ColdFusion","Sharepoint","etc"]? Yeah, I need you to become an expert at it to the level where you could explain how it works to the developers at Sun/Oracle, and then find that corner case that makes it fail. Ideally this would happen today, right?" And at the end of maybe a month to six months of really hard work, you (maybe) get a tiny 500 line program that does something weird, but not too weird. Or maybe you get nothing. One of the hard things about exploits (especially these days) is that you have to absorb a LOT of failure in order to get the spectacular results that are your bread and butter. Exploit devs have huge egos by way of necessity and are tenacious like an Overtown pitbull, so one of the harder parts of the job is to tell them to "give up, find another one". In other words, you have to fail fast, but not too fast. How are you going to know which is which unless you've been there? - -dave -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAku8kJgACgkQtehAhL0gheqfywCeOG1e7mOv9ss5p+XrqyWA5slx clIAmgM5pRYXTcH0Ti8alCIH2/SSyW6b =IkDJ -----END PGP SIGNATURE----- _______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave
_______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- Exploit writing thoughts dave (Apr 07)
- Re: Exploit writing thoughts gilhespy (Apr 07)
- Re: Exploit writing thoughts Halvar Flake (Apr 07)
- Re: Exploit writing thoughts Nate Lawson (Apr 07)
- Re: Exploit writing thoughts Marius (Apr 09)
- Re: Exploit writing thoughts Nate Lawson (Apr 07)