Date: Wed, 23 Feb 2011 23:09:32 +0100
From: Michele Orru <antisnatchor@...il.com>
To: Chris Evans <scarybeasts@...il.com>
Cc: full-disclosure@...ts.grok.org.uk, Charles Morris <cmorris@...odu.edu>
Subject: Re: What the f*** is going on?
> ------------------------------------------------------------------------
>
> 	Chris Evans <mailto:scarybeasts@...il.com>
> February 23, 2011 1:35 AM
>
>
> On Tue, Feb 22, 2011 at 2:42 PM, Michal Zalewski <lcamtuf@...edump.cx> wrote:
>
>     > Also, I would say that even though randomly prodding exec arguments
>     > with As isn't so elite, the space of "the non-web" is much more deep
>     > and much more complex than the space of "the web"..
>
>     I think that sentiment made sense 8-10 years ago, but today, it's
>     increasingly difficult to defend. I mean, we are at a point where
>     casual users can do without any "real" applications, beyond just
>     having a browser. And in terms of complexity, the browser itself is
>     approaching the kernel, and is growing more rapidly.
>
>     Yes, web app vulnerabilities are easier to discover.
>
>
> Web app security is beginners' security -- surely everyone knows that?
> Those with talent graduate on to low-level vulns (mem corruptions, 
> kernel vulns, etc).
Well, even if I agree with you, I don't think guys like rsnake, grossman,
.mario, vela, etc.
are not talented just because they mainly focus on web app/client-side
security.

I'm the first one among many who want to learn RE and low level things,
but I think both of the sides are complex enough.

Isn't your colleague Michal more focused on web app security nowadays?

Cheers
antisnatchor
> </troll>
>
>
> Cheers
> Chris
>
>     That's partly
>     because of horrible design decisions back in the 1990s, and partly
>     because we're dealing with greater diversity, more complex
>     interactions, and a much younger codebase. Plus, we had much less time
>     to develop systemic defenses.
>
>     /mz
>
>     _______________________________________________
>     Full-Disclosure - We believe in it.
>     Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>     Hosted and sponsored by Secunia - http://secunia.com/
>
>
> ------------------------------------------------------------------------
>
> 	Michal Zalewski <mailto:lcamtuf@...edump.cx>
> February 22, 2011 11:42 PM
>
>
>
> I think that sentiment made sense 8-10 years ago, but today, it's
> increasingly difficult to defend. I mean, we are at a point where
> casual users can do without any "real" applications, beyond just
> having a browser. And in terms of complexity, the browser itself is
> approaching the kernel, and is growing more rapidly.
>
> Yes, web app vulnerabilities are easier to discover. That's partly
> because of horrible design decisions back in the 1990s, and partly
> because we're dealing with greater diversity, more complex
> interactions, and a much younger codebase. Plus, we had much less time
> to develop systemic defenses.
>
> /mz
>
> ------------------------------------------------------------------------
>
> 	Charles Morris <mailto:cmorris@...odu.edu>
> February 22, 2011 10:44 PM
>
>
> <mz>
> </mz>
>
> Michal, your blog writeup does cut to the disheartening core of the
> issue, but as we all know large non-savvy organizations just eat that
> bravado and mystery up.
>
> Also, I would say that even though randomly prodding exec arguments
> with As isn't so elite, the space of "the non-web" is much more deep
> and much more complex than the space of "the web".. and the
> vulnerabilities are generally more interesting, generally more
> difficult to find, and generally more difficult to exploit. If we
> examine the specialists in each area, I also think there is a general
> trend that "the web" houses the "less l33t", and "the non-web" houses
> the "more l33t". In general. I'm sure one can find the great and the
> garbage in both arenas.
>
> I also completely agree with your concern for the well being of both
> our tax dollars, the health and safety of the internet, and our
> physical persons as well. I don't want HBGary sending some thugs to
> knock me with a blackjack if they see me on the wikileaks IRC
> channel..
>
> ------------------------------------------------------------------------
>
> 	Michal Zalewski <mailto:lcamtuf@...edump.cx>
> February 22, 2011 6:11 PM
>
>
>> I mean, if these are the security industry's geniuses, why, what would the
>> writers of Stuxnet be?
>
> ...seriously?
>
>> Disclosing how their epic story simply involved SQLi, well, what about the
>> guys discovering 0days in native code?
>
> Totally. I have long postulated that perl -e '{print "A"x1000}' is
> considerably more l33t than <script>alert(1)</script> or ' OR '1' ==
> '1.
>
> I don't understand the point you are getting at. I think that the more
> interesting aspect of this story are the egregious practices revealed
> in that write-up (and elsewhere):
>
> http://lcamtuf.blogspot.com/2011/02/world-of-hbgary.html
>
> /mz
>
> ------------------------------------------------------------------------
>
> 	Pietro de Medici <mailto:piedemed@...il.com>
> February 21, 2011 6:46 PM
>
>
> http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack.ars
>
> Been reading the ...ah...umpteenth(?) article over the HBGary story.
>
> Well, it's been fun and all, but seriously, this is getting tiring.
>
> I don't want to bash Anonymous - they've got enough BS already, and we 
> all know about it, it ain't worth even mentioning.
>
> Instead, I'll talk about the clueless idiots out there who run 
> supposedly informative articles.
>
> So yeah, now we're calling kids vandalizing websites, causing 
> worthless damage, experts, geniuses even?
>
> I mean, if these are the security industry's geniuses, why, what would 
> the writers of Stuxnet be?
>
> Disclosing how their epic story simply involved SQLi, well, what about 
> the guys discovering 0days in native code?
>
> Then there's the law aspect. Many seem to award people intruding and 
> damaging private property, exposing confidential data somewhat of a 
> good deed.
> Yes, similar to punks expressing their artistic capabilities on your 
> front door and making off with anything they can pull off from your 
> car, if not with it as well.
>
> When one views what kind of stuff they do, as well as their literacy 
> level, one can only conclude they're not far from the lowly term of 
> "script kiddies".
>
> But let's leave the self-acclaimed victims aside - what about the 
> media. Surely naming kids as security gurus easily makes up a media 
> sensation.
> Wonder how much time these authors have until the FBI knocks by. Don't 
> know how many counts of infringements they did, and unlike the, uh, 
> security gurus, they pretty much left their ID card for every cop in 
> town to look at.
>
> Always yours,
> Pietro DeMedici
