Thursday, August 18, 2005

There seems to be some odd blog war going on in a triangle between Thomas Ptacek, some guy called Lindstrom, and Adam Shostack.

Lindstrom's posts can be seen here:

If you read his posts, you can see that he clearly has no clue about code auditing. Anyone who has a passion for bugs and has done some serious work on finding bugs will agree that in high-exposure programs such as OpenSSH or IIS it is getting harder and harder to find decent bugs. And there would not be a hacker-side anti-disclosure movement if this wasn't the case.

It is amusing how everybody and his dog tries to dress up their ideas in fake-economic-speech, too. Economics has gotten to be an interesting form of science -- someone comes up with an idea and then tries to build "science" arguing in his direction. The empirical part is usually showing that at least one set of data does not contradict the claim and then deducing generality. Bloody brilliant.

Ah well. Reading the discussion makes me tired. Anyone who thinks that bugs are not getting rarer in core internet daemons is living in a parallel universe or hasn't audited in recent years.

Sunday, August 07, 2005

I have to admit I really enjoy reading Thomas Ptacek's blog. It's refreshingly honest in a security industry full of smoke, mirrors, and sockpuppets.

Friday, August 05, 2005

Reverse Engineering C++ code is always a bit of a pain because it is so unobvious which language constructs generate what assembly-level code. Contrary to what a C compiler does, a C++ compiler has to jump through all sorts of odd hoops in order to make the "OO" part work.

After posting a question about this to www.openrce.org, I got a few replies with some VERY useful links which I'd like to share here:
(thanks to Erlend & Igorsk for the links! :)

Doc1
Doc2
Doc3
For those of you that speak German, this is an interesting link:

http://www.bsi.de/ausschr/einkauf/auftrag27684.htm

Basically, the German government wants to purchase a device to find bugs that
communicate with the outer world via infrared/optical means.

For me as somebody totally clueless about surveillance/eavesdropping devices,
I am intrigued by the idea of using infrared for communication with the outside
world: On the one hand, since the beam can be so highly directional, I'd assume
it is going to be extremely hard to detect it (aside from putting lots of smoke/
particles into the air), and can also be miniaturized significantly (as one doesn't
need much of an antenna to emit the waves).

Interesting.