lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <81637804AB36A644BBDE3ED9DD4E73FD9C4388@hermes.eCompany.gov>
From: dcopley at eeye.com (Drew Copley)
Subject: Re: Re: <to various comments>EEYE: Microsoft ASN.1 ...

 

> -----Original Message-----
> From: Brian Eckman [mailto:eckman@....edu] 
> Sent: Thursday, February 12, 2004 11:46 AM
> To: Drew Copley
> Cc: Paul Tinsley; full-disclosure@...ts.netsys.com
> Subject: Re: [Full-Disclosure] Re: Re: <to various 
> comments>EEYE: Microsoft ASN.1 ...
> 
> Drew Copley wrote:
> <mass snippage>
> > But, it turns out, that the guys
> > who can write exploit code also can reverse engineer patches...
> </mass snippage>
> 
> You said it all in that sentence. No other commentary was 
> necesary to make your point.
> 
> Besides reading exploit code (if such code were released, 
> which it was not), I'd imagine (as you mention) reverse 
> engineering the patch and/or sniffing the network traffic of 
> your (or another) scanner in action would be much more 
> productive methods of determining how to write an exploit 
> than your advisory was.

These things are true, though in this kind of argument really I am just
presenting evidence for the audience... Realizing that I am as if
talking to a stone for rhetorical purposes.

In some cases looking at the scanner output could help someone create an
exploit, in some cases this would not be the case. In this latest
case... There are multiple potential avenues of attacks... And what is
right for the goose is not for the gander.


> 
> Brian
> --
> Brian Eckman
> Security Analyst
> OIT Security and Assurance
> University of Minnesota
> 
> 
> "There are 10 types of people in this world. Those who 
> understand binary and those who don't."
> 
> 
> 


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ