lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Thu, 24 Feb 2011 21:30:39 -0800
From: Fredrick Diggle <fdiggle@...il.com>
To: Michele Orru <antisnatchor@...il.com>
Cc: Charles Morris <cmorris@...odu.edu>, full-disclosure@...ts.grok.org.uk
Subject: Re: What the f*** is going on?

> I'm the first one among many who want to learn RE and low level things,
> but I think both of the sides are complex enough.
>

I am not sure if you follow the teachings of Fredrick Diggle but to
paraphrase you may imagine security as a disc. On one side you have web app
security (for illustrative purposes let us imagine this thusly)

         , - ~ ~ ~ - ,
     , '               ' ,
   ,                       ,
  ,                         ,
 ,                           ,
 ,          alert()          ,
 ,                           ,
  ,                         ,
   ,                       ,
     ,                  , '
       ' - , _ _ _ ,  '


On the other side you have low level security with mountains of stale
objects and ROP payloads cascading over waterfalls of executable pages. We
flip the disc over and envision this...

         , - ~ ~ ~ - ,
     , '               ' ,
   ,                       ,
  ,                         ,
 ,                           ,
 ,        MOV al, 0x0b       ,
 ,                           ,
  ,                         ,
   ,                       ,
     ,                  , '
       ' - , _ _ _ ,  '


Now your average hacker is handed this disc and stares intently at a side.
The swirling colors, the endless complexity, it becomes all engrossing. But
the Diggle teaches that we must examine a side only for a time, we then flip
the disc and appreciate the majesty that is the flip side. Then after a
similar period another flip and another and another until the two sides
blend into a single sphere. only then does the student realize that the
target system encompasses all of this and that the alert box is simply an
object which can be used after free() like any other.

Tangentially, I prefer to look at this sphere after drinking thus seeing two
of them side by side.

         , - ~ ~ ~ - ,                  , - ~ ~ ~ - ,
     , '               ' ,          , '               ' ,
   ,                       ,      ,                       ,
  ,                         ,    ,                         ,
 ,                           ,  ,                           ,
 ,        MOV al, 0x0b       ,  ,        MOV al, 0x0b       ,
 ,                           ,  ,                           ,
  ,                         ,    ,                         ,
   ,                       ,      ,                       ,
     ,                  , '         ,                  , '
       ' - , _ _ _ ,  '               ' - , _ _ _ ,  '


Fredrick Diggle Esq.

YAY!



>
Isn't your colleague Michal more focused on web app security nowadays?
>
> Cheers
> antisnatchor
>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ