Crispin Cowan wrote:
> Do you suppose it is because of the different techniques researchers use
> to detect vulnerabilities in source code vs. binary-only code? Or is
> that a bad assumption because the hax0rs have Microsoft's source code
> anyway? :-)
I'm in the process of hiring an outside firm
On Tue, 12 Jun 2007, Michael S Hines wrote:
> So - aren't a lot of the Internet security issues errors or omissions in the
> IETF standards - leaving things unspecified which get implemented in
> different ways - some of which can be exploited due to implementation flaws
> (due to specification f
I agree with Ryan, at the top skill levels anyway. Binary reverse
engineering seems to have evolved to the point where I refer to binary as
"source-equivalent," and I was told by some well-known applied researcher
that some vulns are easier to find in binary than source.
But the bulk of public d
Steven M. Christey wrote:
> On Mon, 11 Jun 2007, Crispin Cowan wrote:
>
>> Kind of. I'm saying that "specification" and "implementation" are
>> relative to each other: at one level, a spec can say "put an iterative
>> loop here" and implementation of a bunch of x86 instructions.
>>
> I agre
On Mon, 11 Jun 2007, Crispin Cowan wrote:
> Gary McGraw wrote:
> > Though I don't quite understand computer science theory in the same way
> > that Crispin does, I do think it is worth pointing out that there are two
> > major kinds of security defects in software: bugs at the implementation
>
So - aren't a lot of the Internet security issues errors or omissions in the
IETF standards - leaving things unspecified which get implemented in
different ways - some of which can be exploited due to implementation flaws
(due to specification flaws)?
Mike H.
-
Michael
Gary McGraw wrote:
> Though I don't quite understand computer science theory in the same way that
> Crispin does, I do think it is worth pointing out that there are two major
> kinds of security defects in software: bugs at the implementation level, and
> flaws at the design/spec level. I think