| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed May 25 18:24:45 2005 From: ACastigliola at unumprovident.com (Castigliola, Angelo) Subject: Not even the NSA can get it right What would XSS on NSA.GOV get a hacker anyways? Steal my NSA.GOV cookie "CFID 756140 nsa.gov/ 1024 2871474816 31895379 3010520960 29692615 * CFTOKEN 41950083 nsa.gov/ 1024 2871474816 31895379 3010820960 29692615 *" Don't think a hacker could do much with this. At best someone could try to use the exploit to phish passwords from NSA.GOV employees. -Angelo Castigliola III Security Architect -----Original Message----- From: full-disclosure-bounces@...ts.grok.org.uk [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Dan Margolis Sent: Wednesday, May 25, 2005 12:59 PM To: full-disclosure@...ts.grok.org.uk Subject: Re: [Full-disclosure] Not even the NSA can get it right On Wed, May 25, 2005 at 11:43:32AM -0400, Valdis.Kletnieks@...edu wrote: > On Wed, 25 May 2005 07:14:12 CDT, "milw0rm Inc." said: > > lol are you guys joking? They wouldn't allow an xss bug on their > > website on purpose come on now. > > You're not devious enough. Remember that the *best* place to put a > honeypot is right out there in plain sight where it's likely to attract > attention. So now they've grepped their Apache logs, and they've > added several dozen people to their "suspected script kiddie" list. > > (Remember - the NSA probably knows more about proper airgapping than anybody. > All *those* webservers have on them is non-sensitive content, so you can't > actually *get* anything really interesting to happen - in the NSA view of the > world, "public website gets defaced" isn't particularly interesting or > noteworthy). Right, but why is XSS interesting? Why would they *want* a "suspected script kiddie" list? Honeypots are good for learning about what sorts of attacks are in the wild, *not* for learning who the attackers are. In fact, it seems the common approach to security largely ignores any notion of proactive law enforcement, and rightly so--you can't arrest all the script kiddies, but you can write your software to be more secure (or, to paraphrase Larry Lessig, _code_ is a much more effective form of control in cyberspace than _law_ is, most of the time). Granted, we don't know everything the NSA does, but I see little to gain from a public XSS hole, however insignificant. Occam's razor, folks; why should I buy into such a twisted conspiracy theory? -- Dan _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists