Thursday, March 15, 2012

A Bug Hunter's Diary (book review)

A couple of months ago I got my hands on Tobias Klein's new book "A Bug Hunter's Diary" and have only recently managed to read through it and, I have to say, I liked it very much.

The book takes the reader through a guided tour of seven vulnerabilities uncovered by Tobias over the last few years. Unlike most books on the topic of bug hunting (which typically focus on walking through the tools of the trade and talking in generalities) this book takes on a pseudo-diary format - revealing the thoughts, assumptions and leaps-of-faith that go into uncovering the kinds of bugs that make the headlines.

As someone who's worked extensively in the commercial bug hunting and vulnerability exploitation business, nothing beats the shoulder-surfing approach to knowledge transfer, and I think this book manages to achieve much of that experience.

Given the span of bugs, platforms and years between discoveries, it provides an interesting perspective on the responses of vendors (and product maintenance engineers) to bugs that come their way and their capability to respond/fix them. My, how times have changed (in a good way - generally).

As a technical book, I think it has legs and I don't think it'll date quickly. Tobias works through the bugs in a logical and well thought out way and, as long as the reader has some familiarity with debuggers and some coding prowess, it shouldn't be that technically taxing. The best bug hunters aren't elite coders and assembly gurus - they're folks that explore imaginative "what if?" scenarios within the software or devices they're looking at.

What bugs are covered? Well, there are several, but divided into the following major categories:
  • VideoLAN's VLC media player
  • Sun Solaris kernel
  • FFmpeg multimedia library
  • WebEx ActiveX
  • Avast! AV
  • OSX TTY IOCTL
  • iPhone

Who's going to benefit from this book? I think the book will be well suited to senior engineers charged with debugging glitches in their company's software and folks looking to make the leap from being tool-only penetration testers and security consultants. The kind of folks that have been to one or two Black Hat Las Vegas conferences in the past, listened to various bug hunters spout their latest findings from the podium, and figured that they'd like to give it a try for real.

Shoulder-surf in the comfort of your own home (or Kindle)!
