Friday, July 06, 2007
Minor Rant on Fuzzing
Bejtlich's Pre Review triggered some painful memories. Back when I was a teacher, I ran across two types of really bad papers: those that were so bad they were funny and those that were so bad they made you angry, really angry -- because they were wasting your time.
Last year, I had the misfortune of serving as a technical reviewer for the new Addison Wesley Fuzzing book. The manuscripts I read clearly fell into the second category. It just wasn't worth the $750 (or whatever it was they were going to pay me) to provide feedback and fill out the little forms, so I eventually quit responding to emails from the editors and deleted all the copies of manuscripts I had in my possession. Now, to be honest, it wasn't just that the manuscripts were a lost cause that I gave up the endeavor. I did have a lot on my plate: trying to get my house on the market in Austin, finish up some projects for my last job, and figure out where the hell I was going to live in Chicago -- and move two kids and two dogs cross country, without losing any of them in Oklahoma. Which almost happened.
But if I thought the book had any hope of being useful I probably would have found the time. Unfortunately, from the table of contents, it doesn't look like they fixed the book's structural flaws. Not only did the conceptual sequence not make much sense to me, the audience and purpose were always a mystery. But maybe that was because I didn't ever see the first section. I was never sure if it existed. Was it to be written last? There was no clear driving purpose linking the content. Was the book targeting professional application security teams (Software Security is an example of one of these, a very useful book) or just a quick way for 3rd rate independent researchers to find a bug or two? It appeared to be the latter, which to me was a pointless exercise. Why invest time in writing (let alone reading) a book on the topic of vulnerability testing that does not go beyond what you could find by downloading tools from Packet Storm?
Lastly, I wonder if they cleaned up the annoying colloquial writing style that sounded like a transcript of a bad Black Hat talk (except what I assume were Pedram Amini's chapters; they were fairly well written and had some original content as well), but I guess I'll never know. I'd love to hear these problems were fixed, but I'm certainly not going to spend good money on finding out myself.