Hi, Charlie Miller here. I was asked to come out to BlueHat to participate in a panel discussion about the vulnerability economy and selling exploits and such. Hopefully the folks who sat through us arguing for an hour got something out of it. I enjoyed it.
When I’m not out shining a light onto the dark world of exploit sales, I’m usually spending my time looking for bugs in software, particularly with fuzzers. BlueHat was a great opportunity for me to talk to some guys on the Microsoft fuzzing team. BlueHat’s reason for being is to bring Microsoft employees together with security researchers, or “hackers”. It can be a really interesting dynamic because traditionally, we are rivals. People like me try to find and exploit vulnerabilities, and people at Microsoft try to eliminate vulnerabilities or make them harder to exploit. One thing for sure, it’s definitely easier and more fun to be on the attacking side than the defending side! But anyway, the funny thing about BlueHat is that there are guys like me trying to figure out how Microsoft people work, how they test their software, how they run their fuzzers, and so on, in order to think of better ways to attack their software–while people from Microsoft are trying to figure out how researchers think, to better defend their software. It’s great fun and everyone benefits, I think.