Message-ID: <44A581D4.7040907@csuohio.edu>
Date: Fri Jun 30 20:55:28 2006
From: michael.holstein at csuohio.edu (Michael Holstein)
Subject: New member asking question...

> I have been reading the posts over the past few weeks, and am wondering
> how the heck you guys discover these vulnerabilities.  Granted, I am
> still very new to the IS world, but I cannot begin to understand how you
> discover weaknesses.  After reading these posts, the explanation always
> makes sense, but are you guys actively seeking weaknesses, or just
> happen to come across them?

Learn how things are *supposed* to work (for example, write your own 
webserver in C), then intentionally throw broken requests at it. 
Eventually you'll find a result you *didn't* expect, and that's what you 
should investigate. Knowing *what* is broken is never as important as *why*.

As mentioned by another, learning to dream in C, and understanding asm 
go a *long* way.

Oh .. and one more note .. practice on your own stuff. It's easy to get 
arrested in the process of learning if you're not careful. When you get 
good at it, play nice and adhere to the rules of "responsible 
disclosure" (search the archives for lengthy threads on this separate issue).

/mike.
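
The approach described in the message above, as an added example that is not part of the original post: a strict request-line parser of the kind a home-made C webserver needs, run against one valid line and several deliberately broken ones so that any result other than a clean rejection stands out. All names (`parse_request_line`, `take_token`, the `REQ_*` codes, the buffer sizes) are hypothetical, and the inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical names throughout; a sketch of a home-made parser, not a full server. */
enum { REQ_OK = 0, REQ_BAD = -1, REQ_TOO_LONG = -2 };
struct request { char method[8]; char path[64]; int minor; };

/* Copy one SP-terminated token from *p into out (capacity cap), then skip the SP. */
static int take_token(const char **p, const char *end, char *out, size_t cap)
{
    size_t n = 0;
    while (*p < end && **p != ' ') {
        unsigned char c = (unsigned char)**p;
        if (c <= 0x20 || c >= 0x7f) return REQ_BAD;  /* control, NUL, 8-bit bytes */
        if (n + 1 >= cap) return REQ_TOO_LONG;       /* keep room for the '\0' */
        out[n++] = (char)c;
        (*p)++;
    }
    out[n] = '\0';
    if (n == 0 || *p == end) return REQ_BAD;         /* empty token or missing SP */
    (*p)++;                                          /* consume exactly one SP */
    return REQ_OK;
}

/* Parse "METHOD SP /path SP HTTP/1.x CRLF" from buf[0..len); len is explicit, not strlen. */
int parse_request_line(const char *buf, size_t len, struct request *r)
{
    const char *p = buf, *end = buf + len;
    int rc;
    if ((rc = take_token(&p, end, r->method, sizeof r->method)) != REQ_OK) return rc;
    if ((rc = take_token(&p, end, r->path, sizeof r->path)) != REQ_OK) return rc;
    if (r->path[0] != '/') return REQ_BAD;           /* origin-form targets only */
    if (end - p != 10 || memcmp(p, "HTTP/1.", 7) != 0) return REQ_BAD;
    if (p[7] != '0' && p[7] != '1') return REQ_BAD;
    if (p[8] != '\r' || p[9] != '\n') return REQ_BAD;
    r->minor = p[7] - '0';
    return REQ_OK;
}

int main(void)
{
    /* Constructed inputs: one valid request line, then deliberately broken ones. */
    static const char *t[] = { "GET /index.html HTTP/1.1\r\n", "GET  / HTTP/1.1\r\n",
        "GET / HTTP/1.1\n", "GET index.html HTTP/1.1\r\n", "GET / HTTP/9.9\r\n", "" };
    struct request r;
    for (size_t i = 0; i < sizeof t / sizeof *t; i++)
        printf("%d <- %zu bytes\n", parse_request_line(t[i], strlen(t[i]), &r), strlen(t[i]));
    return 0;
}
```

Build it with `-fsanitize=address,undefined` while feeding it broken input, so an out-of-bounds read or write shows up as a report instead of passing silently.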
