From: core at bokeoa.com (Charles 'core' Stevenson)
Subject: Anonymous surfing my ass!
Hasty flames are counterproductive. Let us not be so quick to judge.
Speaking from personal experience, I would imagine that most people's
first few advisories are bound to lack clarity/details. Additionally one
must remember not to hit that reply button instantly after reading a
post that triggers anger/hostility. I myself am guilty of all the
aforementioned shortcomings. But hey we're human aren't we?
Nor should a man be in a hurry to publish his advisory the instant his
proof-of-concept exploit works. Sitting on a bug for a little while will
afford the time to polish the advisory and/or exploit. The discloser
must determine the fundamental pieces of information every advisory
should have and a format which puts the bottom-line-up-front. In this
fashion the discloser can take pride in knowing, whether the bug was
trivial to exploit or a work of art, that all of those who read it will
walk away with a clear understanding of the problem, impact, solution,
etc. Take a look at SecurityFocus's vuln-help advisory template.
peace,
core
Steve wrote:
> You would think that the email sent to the list would have contained
> more information. Based on the email sent, one might not even
> bother clicking on the link. And for those of us who happen to be
> checking email on Windoze boxes, clicking on random Internet links
> probably isn't the brightest thing to do from IE unless you have
> bothered to disable all the various active scripting etc.......
>
> How seriously would you take an email that simply said "click here
> www.clicktobeowned.com"
>
>
>>I think if you at least clicked the advisory link (
>
> http://spoor12.edup.tudelft.nl/SkyLined%20v4.2/?Advisories/Anonymous
> surfing, NOT! ) it would help relieve some of your ignorance. What he's
> referring to is getting a script (usually javascript) through the
> filters and executing on the 'anonymous' person's machine. If a site can
> do that they can save cookies to the machine, thereby breaking the
> anonymity.
>
> It's not really cross site scripting, though the techniques used to get
> it through are similar. Right now 'cross site scripting' seems to be the
> buzz word attached to any security breach involving scripts. Something
> we have to live with I guess. Anyway, whatever it's called SkyLined
> seems to be the l33test at it ;)
>
> - Blazde
>
> _______________________________________________
> Full-Disclosure - We believe in it. Full-Disclosure@...ts.netsys.com
> http://lists.netsys.com/mailman/listinfo/full-disclosure