lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Wed May 25 21:10:35 2005
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu)
Subject: Not even the NSA can get it right 

On Wed, 25 May 2005 12:58:37 EDT, Dan Margolis said:

> Right, but why is XSS interesting? Why would they *want* a "suspected
> script kiddie" list? Honeypots are good for learning about what sorts of
> attacks are in the wild, *not* for learning who the attackers are.

So watching the console logs on a tempting target like www.nsa.gov for
a month isn't going to give a *really* good idea of what's out there?

Consider - of those who went and tried the XSS that got posted, what percent
probably tried some *other* tricks to see what *else* they could get it to do?

Yes, the NSA crew almost certainly know the attacks themselves - but by keeping
an eye on what tricks have made it out to the script kiddies, they can measure
how fast the tricks propagate. Any attack they see on *that* server they can
safely conclude that it's part of the script kiddie canon (as it's very unlikely
that a black hat would blow a 0-day attacking that server when everybody *knows*
there's probably nothing worthwhile on there...)

Remember - we're talking about the organization that provided guidance on the
design of DES's S-boxes, which made *no* sense at the time.  Many years later,
we find out that the NSA knew about differential cryptanalysis, the IBM crew
independently discovered it, but kept quiet at the NSA's urging, and then when
differential cryptanalysis came out in the open literature, the S-boxes made
sense.  This gave the NSA a *very* good measure of how far ahead they were
at the time.

Or the public website is just maintained by low-pay civil servants (after
all, there's no need for a security clearance for any of those pages ;)

> Granted, we don't know everything the NSA does, but I see little to gain
> from a public XSS hole, however insignificant. Occam's razor, folks; why
> should I buy into such a twisted conspiracy theory?

I never said you should.  I merely implied that immediately concluding that
it was a stupid mistake might in itself be stupid.  Remember - we *know* that
many black hats try to stay under the radar by leaving tracks that look like
common script kiddies (so all the recon probes disappear in the noise).  Why
shouldn't the world leader in spreading and recognizing disinformation do the
same once in a while? ;)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 226 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050525/f2df9287/attachment.bin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ