From: core at bokeoa.com (Charles 'core' Stevenson)
Subject: Anonymous surfing my ass!

Hasty flames are counterproductive. Let us not be so quick to judge. 
Speaking from personal experience, I would imagine that most people's 
first few advisories are bound to lack clarity/details. Additionally one 
must remember not to hit that reply button instantly after reading a 
post that triggers anger/hostility. I myself am guilty of all the 
aforementioned shortcomings. But hey we're human aren't we?

Nor should a man be in a hurry to publish his advisory the instant his 
proof-of-concept exploit works. Sitting on a bug for a little while will 
afford the time to polish the advisory and/or exploit. The discloser 
must determine the fundamental pieces of information every advisory 
should have and a format which puts the bottom-line-up-front. In this 
fashion the discloser can take pride in knowing, whether the bug was 
trivial to exploit or a work of art, that all of those who read it will 
walk away with a clear understanding of the problem, impact, solution, 
etc. Take a look at SecurityFocus's vuln-help advisory template.

peace,
core

Steve wrote:
> You would think that the email sent to the list would have contained
> more information.  Based on the email sent, one might not even
> bother clicking on the link.  And for those of us who happen to be
> checking email on Windoze boxes, clicking on random Internet links
> probably isn't the brightest thing to do from IE unless you have
> bothered to disable all the various active scripting etc.......
> 
> How seriously would you take an email that simply said "click here
> www.clicktobeowned.com"
> 
> 
>>I think if you at least clicked the advisory link ( 
> 
> http://spoor12.edup.tudelft.nl/SkyLined%20v4.2/?Advisories/Anonymous
> surfing, NOT! ) it would help relieve some of your ignorance. What he's
> referring to is getting a script (usually javascript) through the
> filters and executing on the 'anonymous' person's machine. If a site can
> do that they can save cookies to the machine, thereby breaking the
> anonymity.
> 
> It's not really cross site scripting, though the techniques used to get
> it through are similar. Right now 'cross site scripting' seems to be the
> buzz word attached to any security breach involving scripts. Something
> we have to live with I guess. Anyway, whatever it's called SkyLined
> seems to be the l33test at it ;)
> 
> - Blazde
> 
> _______________________________________________
> Full-Disclosure - We believe in it. Full-Disclosure@...ts.netsys.com
> http://lists.netsys.com/mailman/listinfo/full-disclosure
> 
> 


