<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<pre wrap="">I find articles like the recent one in <a href="http://www.forbes.com/sites/andygreenberg/2012/03/21/meet-the-hackers-who-sell-spies-the-tools-to-crack-your-pc-and-get-paid-six-figure-fees/">Forbes</a> quite funny in a way - and likewise talks about "rootite" and bug mining and so forth. Part of this is because philosophically I know that teams who focus on the money tend to lose. Obviously you need a lot of money to get things done in this industry, but I think it's a slippery slope from that to looking for where the money really is, <a href="http://immunityinc.com/infiltratemovies/movies/andrewcushman_keynote.mp4">which is defense</a>.
And when you're doing defense, you're not writing exploits, you're creating "security tests". You're not as concerned with "where will this exploit get me" so much as meeting this month's exploit quota. "How many checks do you have?" is the kind of customer you're competing for.
This month CANVAS released one exploit. And that one exploit in Samba is worth more to me than a hundred "security tests" in random bits of Microsoft software no one interesting has ever installed. [1]
You can see it in action here, or if you have CANVAS, you can download it as of last night.
<a href="http://partners.immunityinc.com/movies/CANVAS-SambaNDR.mov">http://partners.immunityinc.com/movies/CANVAS-SambaNDR.mov</a>
-dave
[1] As a side note, you'll notice none of the static analysis companies can find this bug.
[2] Also you should read <a href="http://expertmiami.blogspot.com/2012/05/skype-does-away-with-random-supernodes.html">Kostya's blog post</a> today just because it's in English.
</pre>
<pre class="moz-signature" cols="72">--
INFILTRATE - the world's best offensive information security conference.
April 2013 in Miami Beach
<a class="moz-txt-link-abbreviated" href="http://www.infiltratecon.com">www.infiltratecon.com</a>
</pre>
</body>
</html>