Domain: immunitysec.com
Stories and comments across the archive that link to immunitysec.com.
Comments · 57
-
Re:Remember the
His books are actually titled "Emerald Eyes" "The Long Run" and "The Last Dancer". They're also very hard to find in print, but can be found here http://immunitysec.com/resources-dkm.shtml
-
immunity
You might want to check out Immunity.
They sell CANVAS, an exploitation framework. A subscription is pretty expensive (that is, dirt cheap compared to core impact), but it comes complete with python source code, and the licence they use gives full rights to modify any of the code as you need to (sort of a requirement for exploit frameworks).
-
Re:Keep Linux out of defense
Backdooring something like the Linux Kernel via traditional means (by attempting to submit malicious patches) would be much, much harder than you think. I mean just read the LKML to understand how thorough the review process is: the owner of the code scrutinizes your patch line by line, suggests improvements, even catches coding style errors, etc. Maintainers are especially cautious about code that comes from unknown developers.
Regarding your comment about hacking servers holding the source code, this would also very likely get caught really quickly, because of the very nature of version control systems whose only purpose is to track changes. As a matter of fact in 2003, a CVS mirror (not the primary repository) of the kernel source tree was successfully hacked and a backdoor was inserted in the code, but the problem got identified and fixed in less than 24 hours.
With proprietary software there is only a restricted number of people who review code, typically only a very specific dev/QA team employed by the software vendor. I would even argue that because of the implicit trust between these employees, reviews tend to be shallower. Two examples to prove my point: in 2001 it was discovered that a back door password had been hidden in Borland/Inprise's popular Interbase database software for at least seven years. In June 2008 it was discovered by a security researcher that for multiple years all versions of Windows have been intentionally using a lower-quality cryptographic function for Protected Storage when the locale was set to French.
So, do you trust a development model where malicious code is caught in 24h, or a dev model where backdoors can exist for 7 years? The answer is obvious to me :)
-
Re:Pwned
Nominees
- Best Server-Side Bug
- Best Client-Side Bug
- Mass 0wnage
- Most Innovative Research
- Lamest Vendor Response
- Most Overhyped Bug
- Best Song
- Most Epic FAIL
- Lifetime Achievement Award
We received 134 submissions for the Pwnie Awards, of which we've selected 37 nominees. Please select an award category from the list above to see the nominees.
The winners of the Pwnie Awards will be announced on August 6, 2008 at a ceremony at the BlackHat USA conference in Las Vegas.
Pwnie for Best Server-Side Bug
Awarded to the person who discovered the most technically sophisticated and interesting server-side bug. This includes any software that is accessible remotely without using user interaction.
-
Windows IGMP kernel vulnerability (CVE-2007-0069)
Discovered by: Alex Wheeler and Ryan Smith
Not only did Alex Wheeler and Ryan Smith lay claim to a lucky CVE number, they also laid down the law with a remote kernel code execution vulnerability that was exploitable in the default firewall configuration on Windows XP, 2003 and Vista. Despite the SWI team's claim that its exploitation is "unlikely in real-world conditions", Kostya Kortchinsky was able to develop a highly reliable exploit for this vulnerability.
-
NetWare kernel DCERPC stack buffer overflow
Discovered by: Nicolas Pouvesle
At REcon 2008, Nicolas Pouvesle demonstrated some amazing NetWare-Fu with his kernel exploitation techniques and staged payloads for a stack overflow in the DCERPC stack in the NetWare kernel. Besides impressing everyone at the conference (not to mention all of the Quebecois women around Montreal), he also struck fear into the hearts of NetWare administrators everywhere. All three of them.
This vulnerability also shows how there can often be similar vulnerabilities in different implementations of the same functionality. And when a vulnerability in one implementation is found and fixed, similar bugs in other implementations may go unnoticed for a while. What does it take to make a vendor like Novell audit their DCERPC code for simple vulnerabilities? A widespread worm exploiting a stack overflow in the Microsoft DCERPC stack, crippling large portions of the Internet, and supposedly causing a blackout of the entire East Coast of the USA? Apparently not.
-
ClamAV Remote Command Execution (CVE-2007-4560)
Discovered by: Nikolaos Rangos
This vulnerability was a remote command injection in the recipient e-mail address of an e-mail message examined by the ClamAV open-source AntiVirus scanner. In a nod to 1993, ClamAV called sendmail with popen(), placing the recipient e-mail address right there in the command. With open source anti-virus products, Linus's Law clearly does hold: "Given enough eyeballs, all bugs shallow", even the ones that we knew about fifteen years ago.
-
SQL Server 200
-
TC0
Bah,
We all know that Microsoft Windows has a lower Total Cost of 0wnership
-
Re:so i can protect you
Daniel Keys Moran writes a lot about robots in his novels and short stories. Several of such can be found here. This clip is from The Last Dancer, a scene where a multi-legged "medbot" is trying to help someone escape a building by breaking a window and getting into a hover-cab... some thirty stories up.
Callia Sierran swallowed. "Oh, Harry." She took a deep breath, turned to the medbot. "'Bot?"
"Yes, Mademoiselle?"
"Help me into the cab."
The medbot considered the task. It had been taught to aid the elderly and infirm in and out of bathtubs, to climb stairs, to turn unconscious PATIENTS in their beds, to catch PATIENTS who were falling. This would require a similar set of motions; it could do it. "I can do that," it announced. The medbot examined the geometry of the situation--how very interesting. Between 109 and 113 centimeters separated the cab from the window ledge; the cab moved back and forth a bit. The medbot dropped back to the floor, and pushed the gurney slightly back from the window. It telescoped itself to its greatest height, reached up with all three of its grasping appendages and grasped the edges of the windowsill. The top of the windowsill was too high for its primary grasping appendage to reach; the medbot flipped random numbers and switched over to the left edge of the windowsill, and held onto that edge with one of its secondary and its primary grasping appendage.
It lifted itself up very slowly. It was capable of lifting considerably greater weights than itself; but not from this position. The edge of its front three feet were almost parallel with the bottom ledge; it extended its legs, saw its front feet touch the ledge, and crept forward, centimeter by centimeter, until all six of its feet were firmly grasping the bottom ledge.
The PATIENT said softly, "Good 'bot."
The medbot turned its attention to the cab; it wavered back and forth in a periodic pattern, and the medbot timed it; when the cab was 111 centimeters distant, and swinging forward, the medbot released its grasping appendages' hold of the window ledge and pushed itself forward.
It fell, crashed into the cab. The cab dipped, dropped lower still, and the medbot's feet lost most of their contact with the window ledge; the medbot scrambled frantically for a hold on the cab, along the line where the canopy would normally have sealed. First its right grasping appendage caught, and then its left; the medbot waited several seconds to make sure that it was secure, and then reached back with its primary grasping appendage. "Mademoiselle? Take my hand, and I will aid you into the cab." -
Re:Kismet?
Well...While it is not Kismet, Immunitysec is running their product called, "Silica" on the device. Silica is great for auditing your wireless networks and the security of systems connected to them. You can find it at http://www.immunitysec.com/products-silica.shtml
-
Compare the facts: open source patching is FAST
Let us take a look at the recent topic of a Madwifi vulnerability affecting certain wifi users in Linux.
Julien Tinnes reported it at 13:48:00 EST on December 7, 2006.
At 14:17:50 on the same day the patch was available in the main source code repository.
A little while later at 17:08:26 the vulnerability is officially confirmed by Madwifi and advisories had been prepared.
Looking downstream, the response times for official fixes/advisories by distribution-specific security teams were:
Gentoo: December 10
SUSE: Confirmed December 8, Fixed December 11
Ubuntu: January 9
There is certainly some room for improvement here with distribution specific fixes, but that also includes time spent testing the changes to the driver. To be fair to Microsoft (actually, I'm just being overly optimistic), they probably had a patch ready within 30 minutes of the initial vulnerability report as was the case with Madwifi. But instead of giving the customer the option of trying the "beta" patch so they can test it themselves, it is kept private. Days tick by at Microsoft HQ and nothing appears to happen. Eventually, a patch is released on the patch Tuesday of the next month (or the month after that). System administrators get no choice and no chance to test it themselves. -
More info
There's a thread running on dailydave with some speculation as to the gory technical details of the iPhone. The thread includes a job offer from someone who is apparently an Apple hiring director
:D
http://lists.immunitysec.com/pipermail/dailydave/2007-January/003938.html -
Cache doesn't really say anything
It should be noted that Cache still didn't come out and say whether Macs with Apple's AirPort cards are vulnerable. Gruber Specifically asks him about this on the list, and he doesn't answer it. He does say that he expects a patch from Apple, which clearly implies that AirPort cards are vulnerable, but he doesn't say it, instead claiming that Apple is legally threatening him and running a "PR smear campaign" against him - again without giving any specifics.
This whole episode is just insane. If Macs are vulnerable out of the box, why not say so (especially if you're "waiting for a patch from Apple")? If they aren't, why imply that they are?
It's entirely possible that Macs are vulnerable. Macs aren't magically secure and safe from bugs. The issue with this whole thing isn't that Mac users believe that Macs can't possibly be hacked. The issue is that the people who ostensibly found the security problem don't seem to be capable of telling us what the heck they actually found and whether Macs are vulnerable, instead making vague accusations and implying stuff without giving any specifics or even a demonstration.
-
link to Cache's Dailydave post
-
yes, that small
I saw this at Defcon in the Immunitysec booth. Dave had some nice demos going on, and he was also showing off
Visualsploit http://www.immunitysec.com/documentation/vs_niprint.html
Silica is a full port of Canvas onto the Nokia, not "allows simulated hacking attacks", instead "full exploitation framework".
Canvas licensing creams Core Impact (3kish vs. 30k). -
CEH = bogus cert
CEH is like an "i'm a newbie badge" for security. Think of it as one step below security+
Anyone can pick up a book and learn how to run vuln scanners or use prepackaged exploits.
If people want to go to some real security training, I recommend http://www.immunitysec.com/education-overview.shtml
Dave Aitel is both technically brilliant and incredibly funny - a rare combination. -
Re:Not quite
FYI, here's the list archive:
http://lists.immunitysec.com/pipermail/dailydave/2006-August/003408.html -
Re:What kind of bullshit excuse is this?
>MS owns the software, and I own a copy.
No, no, no! Microsoft 0wns the software! You really just 0wn a copy...
No, they hold (or own) the COPYRIGHT to the software. -
This is a problem with the "security" field
There is no code of ethics.
You have kids trying to "make a name" by breaking things. You have companies paying these kids to find vulnerabilities, I've heard that there is a 6-figure type bounty on certain specific vulnerabilities. At the same time you have big corporations that are taking a beating in the media because vulnerabilities are disclosed before they have time to react; you also have big corporations being told about problems (whether or not it is through proper channels remains to be seen, I don't expect that the new Windows bug is going to get fixed when you tell MS Sales about it.) You have security companies like eEye publishing every vulnerability they can find to give their company some "street cred." You have companies like Foundstone (now Symantec) pirating software to search for holes in it. There is this whole rationalization in the "hacker community" that they are somehow doing the software vendors favors by finding the stuff; so just randomly portscanning hosts is really "research," huh? Despite your lack of any publishing, education and any agreements with anybody that you're "researching" on? You have frauds like Steve Gibson saying that big corporations are putting backdoors in to code on purpose. You have opensource tools changing their license and close sourcing because of companies that are simply packaging their work and charging a lot of money for it; who can blame them? There are companies that now sell exploits and "0days." You have a whole OS "designed" around security, yet they cannot publish any of the changes they've actually made and explain why they have made them (come on guys, this would be a best seller of a book, just lists of code, this is the bug, this is why it's a bug, this is how we fixed it...) At the same time, I don't want Apple and MS pushing out patches minutes after they hear about things, I want the code QAed.
Now the lawyers are getting involved. We need to check ourselves as an industry. We are a stone's throw away from developers being held responsible for damages caused by software, there are already people in favor of that. Just stop and think about that. There is no union, there is no protection for the worker here, we're held in contempt at a lot of places, because of the highly paid prima donnas jerking around writing shitty code. It will only get worse right now.
It's a sort of hot area right now, the feds are spending money. You can't be involved with software or networking and not have some kind of concern for security. This may sound old fashioned but to get a cert, whatever certs the security world wants to embrace, there should be an oath that encourages security always, encourages openness, discourages black market tactics for trading viruses and exploits, discourages this whole notion of "black magic," and discourages profiting from secrecy regarding security. I'd even go one better and add to the oath that there should be a certain and accepted public disclosure process for when a vulnerability is found in a network or application, the owner is told and then after 90 days the whole world is told, all of the time. I know of companies that have found problems in networks and then extorted money for information regarding them. That's just wrong and that should be criminal.
There are no security best practices, not in any formal sense. You can pull 100 consultants or CISSPs off the street and you'll get a 100 different sets of things you should and shouldn't do. We need to formalize the discipline. We need to encourage practices during the writing of software and construction of networks for security.
-
OS X = insecure
Don't believe me though.
Read what the pros say about the simplicity of finding vulnerabilities in OS X -
Re:Who DOCUMENTS their evil backdoor?
It was documented enough somewhere that Wine suffers too...
http://lists.immunitysec.com/pipermail/dailydave/2006-January/002806.html -
DailyDave
There's already been some entertainment over Marcus's article on the DailyDave. Dave Aitel doesn't agree with Marcus.
http://lists.immunitysec.com/pipermail/dailydave/2005-September/002347.html
Dave's "Exactly 500 word essay on "Why hacking is cool, so that Marcus changes his web site"." http://lists.immunitysec.com/pipermail/dailydave/2005-September/002366.html -
Not just faster, lower cost of 0wnersh1p too.
And remember, that the TC0 (0 for 0wnersh1p) is lower for Windows as well ("Immunity's findings clearly show that the best platform for your targets to be running is Microsoft Windows, allowing YOU unparalleled value for THEIR dollar."). For anyone who missed it,
/. had a lot of great discussion on that one from people who couldn't detect a troll. -
Is this a joke?!? The reward is worthless!
You have to be retarded to use an 0day IIS exploit to win an XBox when you can sell it for around 20K or impress customers during a pen test... (A pen test can be worth between 15K to 200K depending on the scope of the project).
One hour of security consulting earns you an XBox, why bother with this contest?
Link to post on vuln sharing club, here -
Re:OSS equivalent of WebInspect
-
Re:Bring it on.
We're talking about TCO - Total Cost of Ownership.
You mispronounced 0wnership. -
Re:How do you explain it to Joe Sixpack?
I think the first AC was correct. It turns out you do have to compile in options for the no-exec option to work. This is being discussed here, and other places.
The GUI options the second AC pointed out are just for the MS-compiled code that already has the support builtin. -
BZZZZT, thanks for playing.
[security is] a gradual process of refining your design principles.
In the case of Winblows, it should be a complete and radical rebuild. They can start with a kernel that really keeps track of memory usage, has real PIDs, users and file based permissions for user, group, world, read, write, execute and force it on applications. Lord knows, they've broken enough of their erstwhile competitor's programs to have done this already. Other nifty ideas would be not running email clients and web browsers that auto-open anything as close to root with permissions to overwrite system files. People have been telling them that their single user mode junk was not internet ready since DOS and winblows 3.1, you would think they understood by now and would implement some of the features of the OSes they copied, VMS, Unix, etc.
What would happen to Windows if it was stagnant while every line of code was scrutinized: it'll lose.
That's happening now, but I doubt every line is being "scrutinized" while they blunder along with DRM features and database filesystems. A rebuild would be quicker than such scrutiny anyway.
Compare (honestly) the security of 2003 against XP
You mean that thing that banks and others run that just got totally owned by the makers of download.ject? I don't have to honestly compare that to that other OS I don't run because others have done it for me.
Why do people listen to Microsoft anymore? Due to monumental arrogance, they never listen to anyone else. "Best Windows Ever" again? Who's going to believe that?
-
Yes, like fish in the sea and cars on the road ...
Microsoft is ... the biggest fish in the sea. Every 'fisherman' is out to get them. Ah yes, as someone else so well put it, "Finding a vulnerability is like finding a fish. If the pond is overfished, it's harder to find them. Hackers are rather evenly split between running Linux and running Mac OSX. As much as a few professional NASCAR drivers drive Dodge Neons, a negligible amount of skilled hackers use Windows as their primary OS. Not to mention, many Win32 fish are given out for free by Microsoft when releasing patches. Here, there can be only one option. Even extremely modern versions of Windows have a TC0 much lower than older Linuxes." Why is it that the Microsoft sea never seems to run out of big, ugly fish?
-
Microsoft defense
Officer in Charge
The UK Advertising Standards Authority
Dear sir,
We would like to counter the charge that Microsoft used a doctored report to falsify the result of a cost comparison study against Linux. Another outside, independent study has shown that Microsoft Windows indeed has lower TC0. For more info, contact the author, Dave Aitel, directly.
Sincerely yours,
Sir Bill Gates -
Re:Useful for TCO "analyses"
-
Re:Wait a minute! A lower cost of ownership?
If the paper was distributed in Word document format, you might have a point, but there is an OpenOffice version of the paper. He could have used OO to convert it to HTML.
-
For Non-acrobat or OOo Readers (Article Text)
I thought perhaps, that some reading this may not like to have to open up acrobat or Open Office... Enjoy:
Microsoft Windows: A lower Total Cost of 0wnership
August 12, 2004
Introduction
Microsoft has long asked third party analysts for accurate assessments of the total cost of ownership of Microsoft Windows deployments, especially against the Linux deployments commonly going into all segments of the market. However, Immunity, Inc. as a third party assessment provider has, until now, not done a thorough analysis, using Immunity proprietary data to tell the true story about the costs of Open Source.
Other sources of 3rd party information can be found here: http://www.microsoft.com/mscorp/facts/default.asp
The point of contact for this paper is Dave Aitel, Vice President of Media Relations, Immunity, Inc. He can be reached at mailto:dave@immunitysec.com. Further information on Immunity, Inc. is available at http://www.immunitysec.com/ .
Executive Summary
Based on our analysis, Microsoft Windows has one half the Total Cost of 0wnership (TC0) of modern Fedora Core Linux based technologies.
Immunity's Methodology
Immunity has four major services: Training on exploit development and vulnerability analysis, Application Security Consulting, the CANVAS assessment product, and the Immunity Vulnerability Sharing Club. In each of these, the costs to penetrate (0wn) systems based on Microsoft Windows Technologies was compared to the costs against a modern Linux system. In general there are three aspects to 0wning a system. These three things, Vulnerability Detection, Exploit Development, and Attack Execution, were used by Immunity to determine the costs to 0wn the different operating systems in configurations encountered during Immunity engagements. As Immunity is not in the rootkit (http://www.rootkit.com/) writing business, this paper does not cover the costs of maintaining 0wnership over a given OS.
Vulnerability Detection
There are several factors that affect how difficult it is to find vulnerabilities on a target platform. Some of these are listed below. Immunity's judgments are drawn from our current collection of remote 0day in the VSC, countless 0day in custom applications for Immunity Consulting customers across many different operating systems and over 80 remote exploits in CANVAS.
Portability of common exploit development tools
IDA-Pro, the premier disassembler and reverse engineering tool (a database and a disassembler together make for a powerful combination) is able to disassemble both Linux and Windows binaries, but only runs on Windows. A Linux version is, however, rumored to be in the works.
PDB (Python Debugger), Immunity's newest tool in the armory, is available only for Windows (although the client is available on both Linux and Windows). This tool allows for many advanced scripts to be run, widely automating the exploit development process.
Ollydbg (Visual Debugger), is far superior to GDB in many ways needed for exploit development. In addition, windbg and Softice provide valuable options for debugging at the kernel and user level.
The TC0 advantage is clearly obvious for the Windows platform.
Availability of Fish
Finding a vulnerability is like finding a fish. If the pond is overfished, it's harder to find them. Hackers are rather evenly split between running Linux and running Mac OSX. As much as few professional NASCAR drivers drive Dodge Neons, a negligible amount of skilled hackers use Windows as their primary OS.
Not to mention, many Win32 fish are given out for free by Microsoft when releasing patches. (See -
Re:Why?
Karma whore free mirror - didn't bother fixing links so piss off...
The Metasploit Framework is an advanced open-source platform for developing, testing, and using exploit code. This project initially started off as a portable network game and has evolved into a powerful tool for penetration testing, exploit development, and vulnerability research.
The Framework was written in the Perl scripting language and includes various components written in C, assembler, and Python. The widespread support for the Perl language allows the Framework to run on almost any Unix-like system under its default configuration. A customized Cygwin environment is provided for users of Windows-based operating systems. The project core is dual-licensed under the GPLv2 and Perl Artistic Licenses, allowing it to be used in both open-source and commercial projects.
This project can be roughly compared to commercial offerings such as Immunity's CANVAS and Core Security Technology's Impact. The major difference between the Framework and these commercial products is the focus; while the commercial products need to always provide the latest exploits and an intuitive GUI, the Framework was designed to facilitate research and experimentation with new technologies.
The Framework was developed by Spoonm and H D Moore, they can be reached via email at msfdev [at] metasploit.com.
Recent Updates
[ 08/07/2004 ] Released version 2.2 of the Metasploit Framework
[ 08/07/2004 ] New exploit module added: lsass_ms04_011
[ 08/07/2004 ] New exploit module added: mercantec_softcart
[ 08/07/2004 ] New exploit module added: smb_sniffer
[ 08/07/2004 ] New exploit module added: ut2004_secure_linux
[ 08/07/2004 ] New exploit module added: ut2004_secure_win32
[ 08/07/2004 ] New exploit module added: afp_loginext
[ 07/07/2004 ] New exploit module added: distcc_exec
[ 06/08/2004 ] New exploit module added: squid_ntlm_authenticate
[ 06/06/2004 ] Released version 2.1 of the Metasploit Framework
-
Re:What commercial tools?
There are in fact commercial tools that allow you to run exploits and include shellcode. For example:
Dave Aitel
Immunity, Inc.
-
My Microsoft Security Rap
Originally here
five hundred ph.ds running fuzzers and testin'
to ensure that nt's security features keep progressin'
sixty billion dollars can't build you a trusted computing base
when you outsource all your code from bangkok to outer space
before palladium's nexus has you all distressin'
learn this lesson: the price to own microsoft eip is 50 rupee
but there's no price that will buy something that's free
-dave
-
Re:Why do delinquents bother?
Not to nitpick, but the SQL Slammer worm appeared to be written in assembly. It is quite interesting to read through the source.
While the PRNG isn't of the highest quality, its brevity is what allowed it to spread so quickly. An infected system was sending out packets as fast as the outbound pipe could handle it. A smaller virus, even by a few bytes, would mean that much faster of an infection rate.
By and large, you're right about VBScript making for simple virii, but this isn't the one to use as an example.
-
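The comment above makes a quantitative claim: a single-packet UDP worm like Slammer is limited only by how many datagrams the infected host can push out, so every byte of payload costs scan rate and therefore spread speed. The following is an added example, not code from the comment and not worm code, that puts that claim into the standard random constant spread (logistic) model of a random-scanning worm. The 10 Mbit/s uplink, the 75,000 vulnerable hosts, the 404-byte datagram (376-byte payload plus UDP/IP headers) and the single initial infection are assumed parameters for the illustration.

```python
import math

ADDRESS_SPACE = 2 ** 32  # IPv4 addresses a random scanner picks from (uniformly, in this model)


def scans_per_second(link_bits_per_second: float, datagram_bytes: int) -> float:
    """One scan is one datagram, so the outbound link bounds the scan rate."""
    return link_bits_per_second / (8.0 * datagram_bytes)


def spread_constant(link_bps: float, datagram_bytes: int, vulnerable_hosts: int) -> float:
    """K in the random constant spread model da/dt = K * a * (1 - a):
    each infected host hits a vulnerable address at rate
    scans/s * vulnerable_hosts / ADDRESS_SPACE."""
    return scans_per_second(link_bps, datagram_bytes) * vulnerable_hosts / ADDRESS_SPACE


def infected_fraction(t: float, K: float, initial_fraction: float) -> float:
    """Closed-form logistic growth: fraction of vulnerable hosts infected at time t."""
    a0 = initial_fraction
    growth = math.exp(K * t)
    return a0 * growth / (1.0 - a0 + a0 * growth)


def time_to_fraction(target_fraction: float, link_bps: float, datagram_bytes: int,
                     vulnerable_hosts: int, initial_infected: int = 1) -> float:
    """Seconds until target_fraction of the vulnerable population is infected.
    Inverts the logistic curve: t = ln(a(1-a0) / (a0(1-a))) / K."""
    K = spread_constant(link_bps, datagram_bytes, vulnerable_hosts)
    a0 = initial_infected / vulnerable_hosts
    a = target_fraction
    return math.log(a * (1.0 - a0) / (a0 * (1.0 - a))) / K


def compare_sizes(sizes, link_bps=10e6, vulnerable_hosts=75_000, target=0.9):
    """Time to reach `target` infected fraction for each datagram size (assumed parameters)."""
    return {size: time_to_fraction(target, link_bps, size, vulnerable_hosts) for size in sizes}


if __name__ == "__main__":
    # Assumed: Slammer-sized datagram versus the same worm padded by a few bytes and doubled.
    for size, seconds in compare_sizes([404, 420, 808]).items():
        print(f"{size:4d}-byte datagram: {scans_per_second(10e6, size):8.1f} scans/s, "
              f"90% of hosts infected after {seconds:7.1f} s")
```

Because K is inversely proportional to the datagram size, the time to any given infected fraction scales linearly with it: doubling the packet doubles the time, and even a sixteen-byte increase is visible in the output. The model ignores the real-world effects that made Slammer's growth flatten (saturated links, its biased PRNG skipping parts of the address space), which is exactly why the comment's point about brevity mattered in the first minutes.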
GOBBLES!
Maybe GOBBLES got another contract!
-
Since I found the bug....
This is not a new bug. As the original discoverer of that bug, and [linux binary] this other unpatched bug against port 445 on Windows 2000, I can say that these bugs are, in fact, months and months old. Not to mention another kernel memory leak in port 445 (their netbios stack) I found and released with SPIKE 2.8 a GPLed program for finding these sorts of issues.
The real issue with Windows is not that they don't patch these bugs - it's that they didn't foresee these bugs. The fact that a poorly implemented, and impossible to understand, DCE-RPC stack is built so heavily into the NT architecture is Windows' inherent security weakness compared with Unix, in my opinion.
Don't think I don't have more bugs waiting in the wings...:>
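The comment above mentions finding port 445 bugs with SPIKE, a block-based fuzzer. As an added illustration that is not SPIKE's own code, here is a small Python sketch of SPIKE's central idea: a length field is declared as "the size of the block named X" and is filled in only after the block's contents, including whatever fuzz string was substituted, are known, so a mutated packet still has consistent framing and reaches the parsing code under test instead of being rejected at the first length check. The SMB_COM_NEGOTIATE layout over a raw NetBIOS session header (port 445 style) and the short fuzz-string list are assumptions for the example; `send_case` is a hypothetical helper for driving a real target.

```python
import socket
import struct

# A few strings in the spirit of SPIKE's built-in fuzz string list (assumed selection).
FUZZ_STRINGS = [
    b"A" * 64,
    b"A" * 1024,
    b"A" * 5000,
    b"%s" * 64,
    b"%n" * 32,
    b"\x00" * 8,
    b"/" * 512,
]


class SizeField:
    """Placeholder for a length field whose value is the rendered size of a named block."""

    def __init__(self, block_name, pack):
        self.block_name = block_name
        self.pack = pack               # int -> bytes, fixes the field's encoding and width
        self.width = len(pack(0))


class Block:
    """Byte builder with SPIKE-style s_block_start/s_block_end and deferred size fields."""

    def __init__(self):
        self.parts = []    # bytes or SizeField, in wire order
        self.spans = {}    # block name -> (first part index, one past last part index)
        self._open = {}

    def raw(self, data):
        self.parts.append(bytes(data))

    def size_of(self, block_name, pack):
        self.parts.append(SizeField(block_name, pack))

    def block_start(self, name):
        self._open[name] = len(self.parts)

    def block_end(self, name):
        self.spans[name] = (self._open.pop(name), len(self.parts))

    def _width(self, part):
        return part.width if isinstance(part, SizeField) else len(part)

    def render(self) -> bytes:
        if self._open:
            raise ValueError("unclosed blocks: %s" % sorted(self._open))
        out = bytearray()
        for part in self.parts:
            if isinstance(part, SizeField):
                start, end = self.spans[part.block_name]
                out += part.pack(sum(self._width(p) for p in self.parts[start:end]))
            else:
                out += part
        return bytes(out)


def smb_negotiate(dialect: bytes) -> bytes:
    """SMB_COM_NEGOTIATE with one dialect entry, framed for direct-TCP port 445 (assumed layout)."""
    b = Block()
    b.raw(b"\x00")                                      # NetBIOS session service: session message
    b.size_of("smb", lambda n: n.to_bytes(3, "big"))    # 24-bit big-endian length of what follows
    b.block_start("smb")
    b.raw(b"\xffSMB")                                   # SMB magic
    b.raw(b"\x72")                                      # SMB_COM_NEGOTIATE
    b.raw(b"\x00" * 4)                                  # NT status
    b.raw(b"\x18")                                      # flags
    b.raw(b"\x53\xc8")                                  # flags2
    b.raw(b"\x00" * 12)                                 # PIDHigh, security features, reserved
    b.raw(b"\x00\x00" + b"\xff\xfe" + b"\x00\x00" + b"\x00\x00")  # TID, PIDLow, UID, MID
    b.raw(b"\x00")                                      # word count: negotiate has no words
    b.size_of("data", lambda n: struct.pack("<H", n))   # byte count, recomputed per fuzz string
    b.block_start("data")
    b.raw(b"\x02" + dialect + b"\x00")                  # dialect entry: buffer format 0x02, NUL-terminated
    b.block_end("data")
    b.block_end("smb")
    return b.render()


def fuzz_cases():
    """All negotiate packets with the dialect string replaced by each fuzz string."""
    return [smb_negotiate(fs) for fs in FUZZ_STRINGS]


def send_case(host: str, case: bytes, port: int = 445, timeout: float = 3.0) -> bytes:
    """Hypothetical driver: deliver one case and return the reply (empty on reset/timeout).
    A target that stops answering the baseline case afterwards is the interesting one."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(case)
            return s.recv(4096)
    except (ConnectionError, socket.timeout):
        return b""
```

Running `fuzz_cases()` offline shows the framing staying consistent across sizes: the NetBIOS length and the SMB byte count both track the fuzz string automatically, which is what lets a fuzzer like SPIKE vary one field at a time without hand-maintaining every length in the packet. The memory-leak class the comment mentions is the kind of bug this reaches: nothing crashes per request, so the harness has to watch the target's resource usage over many cases rather than just waiting for a reset.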
-
pyGTK is the EASIEST GUI toolkit
pyGTK with Glade is the EASIEST GUI toolkit. It may not be the "best" but I've built a commercial, cross platform application using it (here is a screenshot) and I am a complete retard at GUIs. It took a total of 2 weeks - from complete scratch. Porting it to Windows for my customers is just a matter of installing a few simple .exe's - they are used to that anyways. Because the GUI is actually a .glade XML file, I don't have to write any code at all every time I change it. It just makes more sense than having to worry about integrating your entire IDE into a GUI builder!
-
Re:Windows Clients/hosts?
hesiod says: Is he saying that "Gobbles" runs Bugtraq.org? Am I missing something here, or is he full of shit?
Jesus fuck, people on slashdot are fucking stupid!
Facts:
1. Gobbles are not stupid, they've come up with many innovative exploits, and are without a doubt very talented hackers. You may remember them from such classics as the linuxslapper worm (based on their apache-scalper code), or the nifty ettercap remote-root-via-irc exploit.
2. Obviously, the RIAA didn't hire them to "hack back". If the RIAA hired people to hack, they wouldn't talk about it on a fucking mailing list. (Furthermore, the bill that hinted at such "hack backs" wasn't ever passed.)
3. Gobbles is prone to making hilarious outlandish claims. Clearly, this is a simple mpg123 exploit preceded with a very funny joke to make the RIAA look bad.
4. Yes, gobbles runs "bugtraq.org". That has nothing to do with the securityfocus mailinglist called bugtraq, however. It's just a domain name.
Suggested reading:
- BugTraq post with the funny RIAA bit, followed by actual mpg123 exploit code
- Gobbles Homepage (sometimes available at bugtraq.org, but currently down there, and up here)
So, in conclusion, the news here is this: mpg123 has a vuln.
You may now return to filesharing as usual.
Gobbles are some funny guys.
The p2p networks are not 0wned.
(And, oh yeah, both the register and slashdot got trolled again. But that's not news any more than "it's raining in seattle".)
-
Re:Btw, GOBBLES's homepage is at...
Which is why each advisory is signed with a hushmail GPG key, I assume. I don't have any of the other recent GOBBLES advisories either, since I've been busy doing other things.
-
Re:Gobbles is a glory whore
Gobbles is also an idiot. Anyone remember his utterly wrong "exposure" of a directory traversing bug in Anti-Web?
It turned out he was just too stupid to realize he was pointing Lynx at the filesystem instead of the web server.
-
Re:Btw, GOBBLES's homepage is at...
No, it's just I have a slow business DSL connection from Qwest. I'm curious to see how Zope handles the load anyways. I've actually had problems with Zope recently corrupting large files as they get transferred. (Yuck). The front end is Apache 2.0 though, which as we know is the best webserver on the planet.
If you want to see some actual good GPL software also hosted on this site, you can check out SPIKE . SPIKE is unique, and SPIKE Proxy is uniquely good. (imho):>
Dave Aitel
Immunity, Inc.
-
Btw, GOBBLES's homepage is at...
http://www.immunitysec.com/GOBBLES/. I'm not yet hosting their latest files, however.
-
Re:Bugtraq, not bugtrack, and other squibbling.
The asshat still has the advisory up on his web site too. The extent of his utter cluelessness is astonishing.