From: gml at phrick.net (gml)
Subject: RE: remote kernel exploits?

Oh, I never said anything about "lo-tech/no-tech" and I wasn't referring
to social engineering.  My emphasis was on the "buffer overflow"; we tend
to not look farther than trying to find flaws in software. I think I was
aiming myself mainly at the security companies who lurk on mailing lists
trying to find their next big score. There seems to be a big emphasis on
"what will the next bug be and who can find it first", and not just on
this list, I mean everywhere, and of course the media loves that.  I'm
also not saying this is a bad thing; I enjoy an overflow as much as the
next guy, I'm just not bent on it.  Lately I am seeing a rise in
interest in worms and other autonomous agents. I think that's good; too
bad this sort of research tends to be held close by the anti-virus
companies.  Of course I understand the approach of locate and fix; I
mean, I'm a big believer in open source and this is one of the reasons.
The fact that the source code is available for auditing/tweaking is
wonderful.

On Fri, 2002-09-13 at 17:42, Nick FitzGerald wrote:
> > Personally I could really care less about "0-day exploits". There are a
> > thousand ways to penetrate a machine that are more effective than
> > relying on finding that one obscure piece of code. Why doesn't anyone
> > ever discuss interception, people seem too bent on the latest
> > vulnerability.  Then again what do I know. Maybe it IS all about
> > "0-day".
> 
> Technologists, not surprisingly, tend to focus on problems that can 
> be fixed by tweaking the technology.  Social engineering and many of 
> the useful/successful interception methods of "attack" are not 
> particularly solvable by technologists (the ethics of human NDA 
> research tend to "get in the way" here...   8-) ).
> 
> As the people on this list are in some sense mainly technologists, 
> the bias you point out in the concerns discussed here is quite
> understandable.  You are, of course, right that there are many 
> low-tech/no-tech attack methodologies but the people on lists such as 
> this are not the people who will "fix" them, so they're not likely to 
> get as much air-time here.
> 
> 
> Regards,
> 
> Nick FitzGerald
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html



