lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20050525165836.GD23485@force.stwing.upenn.edu>
Date: Wed May 25 18:10:24 2005
From: lists.fd.dmargoli at af0.net (Dan Margolis)
Subject: Not even the NSA can get it right

On Wed, May 25, 2005 at 11:43:32AM -0400, Valdis.Kletnieks@...edu wrote:
> On Wed, 25 May 2005 07:14:12 CDT, "milw0rm Inc." said:
> > lol are you guys joking?  They wouldn't allow an xss bug on their
> > website on purpose come on now.
> 
> You're not devious enough.  Remember that the *best* place to put a
> honeypot is right out there in plain sight where it's likely to attract
> attention.   So now they've grepped their Apache logs, and they've
> added several dozen people to their "suspected script kiddie" list.
> 
> (Remember - the NSA probably knows more about proper airgapping than anybody.
> All *those* webservers have on them is non-sensitive content, so you can't
> actually *get* anything really interesting to happen - in the NSA view of the
> world, "public website gets defaced" isn't particularly interesting or
> noteworthy).

Right, but why is XSS interesting? Why would they *want* a "suspected
script kiddie" list? Honeypots are good for learning about what sorts of
attacks are in the wild, *not* for learning who the attackers are. In
fact, it seems the common approach to security largely ignores any
notion of proactive law enforcement, and rightly so--you can't arrest
all the script kiddies, but you can write your software to be more
secure (or, to paraphrase Larry Lessig, _code_ is a much more effective
form of control in cyberspace than _law_ is, most of the time). 

Granted, we don't know everything the NSA does, but I see little to gain
from a public XSS hole, however insignificant. Occam's razor, folks; why
should I buy into such a twisted conspiracy theory? 
-- 
Dan

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ