There are so many corners of insanity in all our IT systems.
I am starting to think that I am a poor attacker: I spend way too much effort on the crazy / impossible / hard bugs, or on finding bugs in the hard bits of code.
It seems that true offensive genius (which I don't have) is sniffing out the insanity in the codebase - the stuff that everybody forgot is there, or would prefer it wasn't there, and wishes it wasn't there.
@munin There is old insane code, and there is new insane code.
@HalvarFlake The new insane code is sometimes the same as the old insane code - when people implement new things, they often make the same mistakes as those who implemented similar [or the same] things in prior generations...
@HalvarFlake People in similar situations given similar goals tend to come up with the same kinds of solutions; if they're not aware of the full history of the problem in previous generations, then the same mistakes recur....
@munin Why is this code difficult to read? I'll rewrite it in very simple.
*boom*. ;)
@HalvarFlake HAH
Yeah. That does seem to be a very common pattern ;-)
@HalvarFlake I think this has more dimensions. For example it depends on what is being attacked. You can certainly attack targets that others can't. Yet probably there is some 16 year old out there who is better at social engineering than you are.
@HalvarFlake As for finding bugs in code I know that situation. Sometimes you are so concentrated on a certain hard problem that you overlook obvious simple ones... that's why reviewing alone is not desirable IMHO.
@marver @HalvarFlake Reminds me of this classic: https://pbs.twimg.com/media/CA60tjoXEAAFaDl.png
@HalvarFlake it depends on whether you talk about the offensive genius in finding a specific exploit or the offensive genius in planning a new route of attack.
A bit like mountaineering: you have those who manage to take routes at speeds previously thought impossible (e.g. without oxygen on Everest) and those who open new routes.
Not the same skillset.
@HalvarFlake I dunno about 'genius' but a lot of that comes down to archaeology - digging through the history of how something was developed and paying attention to the details of what changed.
In some cases that's easier than others - every once in a while you can find source files with very old dates listed in them ;-)