I've done some work in the area. Most of the companies that use, or even require, fuzzing in their software development procedures have a certain problem: the same people who write the parsers write the fuzzers. When they write these fuzzers, they make some too-strong assumptions on the formats of the data involved.<p>Writing smarter fuzzers may be needed to fully exercise certain file formats, say where certain blocks of data need to match a CRC elsewhere. But smart fuzzers fail where the authors fail to account for edge conditions. Having both in your toolset is invaluable.<p>Regardless, it's sad for companies like Apple that they're not doing any of this.
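The dumb-versus-smart trade-off raised in the comment above, as an added example that is not part of the thread or of any vendor's tooling: the `TOY1` file format, its parser and both mutators are constructed here for illustration. It counts how deep into the parser each strategy gets when the payload is covered by a CRC.

```python
import random
import struct
import zlib

MAGIC = b"TOY1"  # constructed toy format: magic | u16 length | payload | u32 CRC32(payload)

def build(payload: bytes) -> bytes:
    return MAGIC + struct.pack(">H", len(payload)) + payload + struct.pack(">I", zlib.crc32(payload))

def parse(blob: bytes) -> str:
    """Return the name of the deepest parser stage the input reached."""
    if len(blob) < 10 or blob[:4] != MAGIC:
        return "bad_header"
    (length,) = struct.unpack(">H", blob[4:6])
    if len(blob) != 10 + length:
        return "bad_length"
    payload = blob[6:6 + length]
    (crc,) = struct.unpack(">I", blob[6 + length:])
    if zlib.crc32(payload) != crc:
        return "bad_crc"
    return "payload_parsed"  # only here would record-level parsing code run

def dumb_mutate(blob: bytes, rng: random.Random) -> bytes:
    """Flip one random bit anywhere in the file, with no knowledge of the format."""
    data = bytearray(blob)
    data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
    return bytes(data)

def smart_mutate(blob: bytes, rng: random.Random) -> bytes:
    """Flip one bit inside the payload only, then rebuild length and CRC."""
    payload = bytearray(blob[6:-4])
    payload[rng.randrange(len(payload))] ^= 1 << rng.randrange(8)
    return build(bytes(payload))

def campaign(mutate, rounds: int = 2000, seed: int = 1) -> dict:
    """Run one mutator against a constructed seed file and tally parser stages."""
    rng = random.Random(seed)
    seed_file = build(b"record-one;record-two;record-three")
    stages = {}
    for _ in range(rounds):
        stage = parse(mutate(seed_file, rng))
        stages[stage] = stages.get(stage, 0) + 1
    return stages

if __name__ == "__main__":
    print("dumb :", campaign(dumb_mutate))
    print("smart:", campaign(smart_mutate))
```

The dumb mutator exercises every rejection path but never gets past the CRC check, while the format-aware one always reaches payload parsing and never touches the header, length or CRC handling, which is why a test plan wants both.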
"He went into the project figuring that he wouldn't find any vulnerabilities with the dumb fuzzer. "But I found bugs, lots of bugs. That was both surprising and disappointing." And it also made him ask why vendors like Microsoft, Apple and Adobe, which have teams of security engineers and scores of machines running fuzzers looking for flaws, hadn't found these bugs long ago."<p>Or, maybe the companies have already found those bugs and more, but focus their efforts on bugs that surface in the wild and don't spend resources on the others. If they fix all the bugs, then they spend money on some bugs that would never have surfaced. Just a guess.
This is somewhat equivalent to WikiLeaks' release strategy: tell the organization that you have evidence of XYZ problem, but don't describe the exact nature and scope of the evidence, then pressure them to come clean and fix the problem themselves; hopefully this leads to more comprehensive "cleanup" efforts that have a larger positive long-term effect.<p>How relevant is the WikiLeaks strategy in the field of security?
He sounds naive and his logic is quite the cliche. Surprised he didn't close it with a line from the hacker's manifesto.<p>I'm not sure what it is with some people acting like the smartest guy in the room while refusing to share their knowledge for the betterment of society. Entrepreneurs benefit tremendously from mentors and advice from those who've made it. I'd be surprised if he didn't learn a vast portion of his trade from the openness of information. I guess he feels empowered w/ his :15 minutes and this is how he leverages it? Weak^10.<p>+++the pxlpshr+++