Or as Clouseau would say: I believe everything and I believe nothing. I suspect everyone and I suspect no one.
-----Original Message----- From: Marc Maiffret [mailto:m...@marcmaiffret.com] Sent: Friday, May 15, 2009 6:13 PM To: NT System Admin Issues Subject: RE: The industrialization of hacking Ben Nagy use to work for me at eEye Digital Security where we helped pioneer some of the earliest forms of fuzzing before fuzzing was even a word used by the security industry. The field has changed dramatically in recent years as one that started with simply spewing randomized data at various protocols and file types, into the more sophisticated enterprise class applications that we have today. The one positive thing you have to keep in mind is that the reason that all of us in the research world are advancing the techniques used to discover vulnerabilities is because it is becoming harder to find vulnerabilities. The simple fuzzer of yesterday is not affect in finding vulnerabilities and requires a "cloud fuzzing" type of system that turns fuzzing into more of a numbers game with some luck of the rolling of devices or malformed data as it were. The thing you should fear most is the leaps ahead that happen in vulnerability research, the new classes of attacks, etc... A good example of this is SQL injection vulnerabilities. That being said some people whom have taken a more scientific and well thought out approach to things like fuzzing can also end up with systems that are very robust and have great statistics in number of tests and such but never really find many vulnerabilities. This goes back to one of the core concepts I use to preach to my researchers over 10 years ago that there are no mistakes in fuzzing technology for the goal is to be as randomly valid and invalid all at the same time. Bruce Lee said it best, "Using no way as a way, using no limitations as a limitation." Bruce Lee also said something that the security industry has yet to grasp, "Simplicity is the key to brilliance." ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~