lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 02 Jan 2008 16:55:02 -0500
From: Valdis.Kletnieks@...edu
To: reepex <reepex@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Was secreview crap - now OpenVMS!!

On Wed, 02 Jan 2008 13:48:13 CST, you said:

> its funny how you always talk about other people ( like a few days ago when
> you were amazed that people exploited an off by one ),

Actually, I was merely pointing out to a reader of the list that if you *can*
get x'41414141' into the appropriate register, you can probably abuse it into a
full exploit, and gave an example of an off-by-one-byte that produced such an
exploit.  Maybe in that reader's world, they can get away with asking "how is
that exploitable?", but some of us have to classify that as "should be
considered exploitable until proved otherwise".

>                                                        , and talk about "the
> old times"... sure signs of someone washed up as evident by your
> non-productiveness in the last few years

Failure to learn from the lessons of the past is a good way to shoot yourself
in the foot exactly the same way.  Yes - WANK was back in 1989.  However, even
now, almost 2 decades later, we're *still* seeing a lot of systems getting
exploited for the *exact same* base cause.

Additionally, it's proof that anybody who is just *now* waking up to the
concept of "cyber-warfare" is 20 years behind:

http://marc.info/?l=isn&m=100707930117213&w=2

It's also a good idea to keep in mind that not everybody in the security
industry measures "productivity" by "number of exploits published".  For some
of us who run production networkds, "no incidents happened, and none of the
users noticed a damned thing we did to ensure it" is the rarely attained
Nirvana.

Content of type "application/pgp-signature" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists