
The unfortunate reality is that many mitigations are written by people who are not aware of the state of modern exploit development, or are so focused on protecting one particular subsystem that they become (in a relatively good case) myopic about other things that can be used to render the mitigation moot or (in the unfortunate case) interfere with or provide a side channel to bypass some other mitigation. Be wary of software that ships mitigations just so they can be listed on a slide, or ones that sound overly cool or clever or custom. Consider that what's sold to you as "defense in depth" may actually mean "here's one more critical piece of code that can't be buggy, and if you break this you can also own the system".



How does one become aware of the state of modern exploit development? Just curious.


Watch lots of DEF CON & Black Hat talks. Read papers. Watch the CVE feeds MITRE puts out.

Some of it also depends on the level you're interested in. E.g., I follow the International Association for Cryptologic Research (iacr.org) for information about cryptographic exploits & developments, but that's generally several steps away from practical use.



