lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1043290193.1349.678.camel@localhost.localdomain>
From: jeremiah at whitehatsec.com (Jeremiah Grossman)
Subject: Re: New Web Vulnerability - Cross-Site Tracing

On Wed, 2003-01-22 at 18:28, Tim Greer wrote:

> > Well being a security expert in the field I can hardly comment on
> > specifics but yes... it does happen. Often? Whats Often?
> 
> Being a security expert? Well, I don't want to get personal, and it's been a
> few years since I've seen what you're doing lately, but it's only been a few
> years and I don't want to get into it and explain my doubts about you
> suddenly becoming a 'security expert' since that time. Just claiming to be a
> leading expert in this field doesn't make it factual, nor that you are more
> qualified than other people that are in this field. Your article is hyped up
> nonsense and anymore of these XSS issues being hyped up, I'm going to
> friggin' loose it.


Tim, its been a long time. Good to see you to.


> <snip the rest of the nonsense> 
> Really, nothing personal, but this is ridiculous. However, I don't intend to
> debate or argue on the list about this, so I'll end on that note. If you
> believe what you say in your article, you should go an example this in a
> real-world environment and who us all how 'frightening' this is. :-)


Well thats good, I dont intend to argue silly points either. Idea is
simply present security results as we understand them. So did you have
questions about the theory presented? 

About whom is using XST in the wild? I havent seen it used in the wild
yet personally. So I cant say that it is or isnt. I just dont know. I
would hope it wont be. But thats kinda besides the tech and
understanding of the potential.

We can get technical and I can answer whatever questions you have. Let
me know where your getting lost and I'll help ya out.





Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ