Security tooling anecdote: Back in the day, I got rejected for a Black Hat talk about Dranzer. Reason: we weren't releasing the tool. At the time, CERT was very afraid of "bad people" using it. Years later and Dranzer public, Microsoft has all but removed ActiveX from browsers.
-
Show this thread
-
We worked with Microsoft extensively and waited almost 4 years after IE7 release before the public release. In the IE6 days, everyone would have been popped left and right. Thought experiment: Would we all have been better off if CERT released Dranzer to the public without delay?
3 replies 0 retweets 6 likesShow this thread -
Replying to @wdormann
weren't COMRaider and AxMan already public at the time? Dranzer was probably better, but people were popping those ActiveX anyway. maybe it would lead to an overall awareness that ActiveX had to go and accelerate its death.
1 reply 0 retweets 1 like
Yeah. But they both had very large blind spots (none checked for overflows via initialization data), and also didn't seem to be easy to automate. Those aspects combined allowed me to find about a thousand different vulnerabilities with virtually zero user interaction.pic.twitter.com/RA6KltcLEy
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.