lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <0203A1F683E317458D5F226DAA5713330133BFE2@ptle2m04.up.corp.upc>
Date: Wed May 25 18:24:45 2005
From: ACastigliola at unumprovident.com (Castigliola, Angelo)
Subject: Not even the NSA can get it right

What would XSS on NSA.GOV get a hacker anyways? Steal my NSA.GOV cookie 

"CFID
756140
nsa.gov/
1024
2871474816
31895379
3010520960
29692615
*
CFTOKEN
41950083
nsa.gov/
1024
2871474816
31895379
3010820960
29692615
*"

Don't think a hacker could do much with this. At best someone could try
to use the exploit to phish passwords from NSA.GOV employees.

-Angelo Castigliola III
Security Architect

-----Original Message-----
From: full-disclosure-bounces@...ts.grok.org.uk
[mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Dan
Margolis
Sent: Wednesday, May 25, 2005 12:59 PM
To: full-disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] Not even the NSA can get it right

On Wed, May 25, 2005 at 11:43:32AM -0400, Valdis.Kletnieks@...edu wrote:
> On Wed, 25 May 2005 07:14:12 CDT, "milw0rm Inc." said:
> > lol are you guys joking?  They wouldn't allow an xss bug on their
> > website on purpose come on now.
> 
> You're not devious enough.  Remember that the *best* place to put a
> honeypot is right out there in plain sight where it's likely to
attract
> attention.   So now they've grepped their Apache logs, and they've
> added several dozen people to their "suspected script kiddie" list.
> 
> (Remember - the NSA probably knows more about proper airgapping than
anybody.
> All *those* webservers have on them is non-sensitive content, so you
can't
> actually *get* anything really interesting to happen - in the NSA view
of the
> world, "public website gets defaced" isn't particularly interesting or
> noteworthy).

Right, but why is XSS interesting? Why would they *want* a "suspected
script kiddie" list? Honeypots are good for learning about what sorts of
attacks are in the wild, *not* for learning who the attackers are. In
fact, it seems the common approach to security largely ignores any
notion of proactive law enforcement, and rightly so--you can't arrest
all the script kiddies, but you can write your software to be more
secure (or, to paraphrase Larry Lessig, _code_ is a much more effective
form of control in cyberspace than _law_ is, most of the time). 

Granted, we don't know everything the NSA does, but I see little to gain
from a public XSS hole, however insignificant. Occam's razor, folks; why
should I buy into such a twisted conspiracy theory? 
-- 
Dan
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ