About This Blog

This blog will be about vulnerabilities, exploits, reverse engineering, forensics, cybercrime, snake-oil security products, the security industry, and whatever else I feel like ranting about.  The opinions expressed here are my own and do not reflect the opinions, positions, or anything else of my current or past employers, clients, teachers, parents, and/or pets.

My editorial stance on this blog will espouse several common philosophies and positions:

  • Studying security vulnerabilities and offensive security tools and techniques is important to building secure systems and defending them.  Every civil engineer studies the effects of earthquakes, the Tacoma Narrows bridge, and now the World Trade Center.  Software engineering should be no different.
  • Security testing tools must remain legal to build and freely distribute in order to maintain a level playing field between attackers and defenders.  Offensive security tools are necessary in penetration testing and other security testing in order to properly demonstrate the risk presented by security vulnerabilities.
  • The dominant approach to addressing vulnerabilities in consumer software and Internet infrastructure is essentially damage control at best.  Microsoft’s Security Development Lifecycle is the best-in-breed process for ongoing development, but not enough work is being done to address vulnerabilities in already shipped software if only externally reported vulnerabilities are patched.
  • Responsible vulnerability disclosure is the most appropriate approach to fixing a discovered vulnerability as long as the vendor is making a good faith effort at releasing a patch within an appropriate time frame.  Full disclosure must be preserved as an option for cases when the vendor cannot or will not address a vulnerability that places users at risk.
  • While I may frequently criticize Apple’s lack of proper security in MacOS X, I am a hardcore MacOS X fan.  I have been using MacOS X exclusively on my personal systems since 2001, and before that used a mix of FreeBSD (home workstation and servers), Solaris (personal SPARCbook laptop and servers at work), and NeXTSTEP/OpenStep (NeXTstation Turbo Color).