This is a mail Valzsmith, one of the creators of BackTrack , wrote.
From: val smith <valsmith_at_offensivecomputing.net>
Date: Fri, 25 Apr 2008 11:09:39 -0600
I'll have to be honest, I don't really WANT Microsoft to change their
patch methodology, even if the dramatic (probably incorrect)
conclusions people seem to be drawing from this paper are true. Bear
with me for a moment and Ill explain why. Lets be honest here, there
are researchers (many on this list) who can rapidly find and exploit
vulnerabilities. Patches help speed things up but BinDiff (and
similar) things have been available for many years and the people who
can write exploits understand this process and those with a financial
stake in it have automated much of the process by now. If patches were
to be obfuscated, or the process changed how long would it really take
for someone to circumvent it? A binary has to exist somewhere at some
point right? Someone smart enough will eventually send input to it, or
reverse it or accidentally crash it eventually.
Many of us make use of exploits and vulnerabilities in some way for a
living whether we are pen testers, IDS sig developers, vuln
researchers, framework builders or whatever. At this point security is
such a tangled, many layered labyrinth that I no longer possess the
self righteous fury required to shout from the pulpit: "Patch your
systems! Configure security! Use an IDS! Educate your users!"
I'm in it for the fun.
There I said it. If everyone did everything securely, I wouldn't have
much to do and I'd have to pour coffees or flip burgers for a living.
I like showing up for a pen test and finding unpatched boxes, or users
sharing admin passwords. I love finding web apps with null byte file
inclusion bugs, or passwordless ssh keys with sudo permissions on
every server. Its FUN. I suspect other security researchers have
reached this conclusion (even if they haven't admitted it to
themselves yet) that security is probably too hard a problem to
"solve" and all our ranting really doesn't make anyone more secure in
the long run. At this point, broken things are fun and we just want to
play and thankfully people are willing to pay for it. I don't mind if
you continuously make it just a little bit harder, just to keep it
interesting, but don't take away my exploits please! ;)
Its said like it is.