Glad to be a perfect straight man
In his response to my comments on vulnerability hunting, Pete Lindstrom discusses four ways to make things better:
1. Legislate/enforce the law
2. Buy exploits now and then
3. Create software security data sheets
4. More honeypots
I don’t think that (1) actually helps. More laws against finding vulns make life harder for the good guys, by moving information flow back underground. Were we better off in the days of Zardoz? It would move the mailing lists and web sites offshore, not slow down the rate of finding things.
(2) would seem to help, but Immunity is already doing it. Is that helping?
(3) I really like. Better data from software authors is good.
(4) I’m not sure I understand.
Pete also says:
> I don’t see any reason that exploit code would cease to exist, the volume and proliferation would just slow down. Of course, I certainly wouldn’t lose sleep if there were no exploits anymore. Ultimately, the existence of these host intrusion prevention products is what makes my opinion stronger – because there are solutions that don’t rely on signatures of known attacks.
I certainly would lose sleep, because without easy access to exploit code, we don’t see exchanges like this. Without such commentary, how can we decide if our tools work?