Bogwitch,

nice write up and comparison. I agree that user generated crypto keys would be nice, but it is likely just the paranoia that the manufacturer would be interested in checking all returned devices. However, if the key found it's way into mainstream then thats another story.

I'm not sure I like the idea 'bricking' the device after 'x' failed attempts, seen too many users looking themselves out of wind0ze, might keep that feature for techies only.

I'd be slightly wary of any manufacturer claiming a standard that it is not going to try and achieve officially. This could be a huge selling factor in the UK after the recent 'lost' CD screw-ups.....

Either that's a coincidence or an intentional quote, either way brightened my work day, cheers

Bojan,

have you asked Google first?

From my understanding you will need to modify an existing application to execute your 'hidden' code, therefore I'd be surprised if there are any tools that can automate the process (at least I haven't come across anything).

I'll skip over most of the article as the relevance/bias has already been covered.

The aspect that confused me was 'the minor dumbs' section. The writer laughs at/insults anyone that is looking for a silver bullet and doesn't practice defense in depth, yet has written an entire article aimed to removing an available tool in a security setup. I agree that if we had more secure applications we would need less after market security, but to use his own comparision
'would you trust your life to the aviation industry if they only took the manufacturers word that the plane isn't going to fall out the sky, without testing it first?

I'd say this guy has an agenda or a screw-lose.

And I thought politics were boring

Think I'll save the link for the next time a suit decides security does provide a good ROI. Thanks Don

again, definition of 'stumble upon'?

Is that in day to day use? fuzzers? Stress testing? ........

I agree with Manu, without Do's and Don'ts drawing a strict line in the sand it still upto Microsoft to determine what the accept as responsible. If they define responsible as only reporting issues discovered during normal use then this isn't related to 'hacking' ethical, responsible or otherwise.

To me this article seems like PR fluff and doesn't change a thing.

Everyones favourite topic....

Several recent reports (ISC and El Reg) are indicating what many of us have come to suspect; the window between patch release and exploit is getting smaller. In the days of change control, patch management and multiple regulatory bodies stating that all patches (or any change to a production system) must be tested.

Does anyone from the front lines have any tips, systems or anecdotes for dealing with this increasing issue?

(Highlighting is mine)

Who decides what is 'responsibly'? If it is still Microsoft then the goalposts haven't changed at all.

Agreed though, scary 

I'm starting to guess that the recent 'stupid' posts are fictious. So what you weally need is a life

P.S. if serious, take BillV's advice...

Oh dear Oh dear

Some how rap and geeks can work though, try this

I really hope so....

on the other hand if this is real, I might be ready to sit the C|EH exam after all

Depends entirely on what you are trying to achieve.

If you are trying to automate routines and tool usage, go for something like shell or perl.

If you want to code exploits or tools from scratch go the C route.

This topic has been covered extensively in these forums previously so I'd recommend the search box for more analysis.

I would definitely recommend learning to program though as it can difficult to use/fix/modify existing tools without the base knowledge.

Vijay2,

nice article, thanks for the link. As I've just left academia seemed right on the money to me.

SynJunkie,

nice tips and article, think I'll take a closer look at you site

cyeudoxus

are you sure that's the link you intended?

I haven't come across Wi-Spy before, what functionality to you require?