Date: Fri May 27 04:54:58 2005
From: stevex11 at sbcglobal.net (Steve Kudlak)
Subject: Not even the NSA can get it right


Way back when I worked for government agencies for a living, all the easy 
to get to sites had nothing sensitive on them. Everything that had 
sensitive stuff was not on the ARPANET or was behind multiple gateways. 
Right now even normal citizens like you and me can build pretty secure 
systems that will stop a lot of stuff. I assume the NSA does the same 
too but can do better. I come from the "Rainbow Books" era and those 
have been replaced by other things at this point. But there were a few 
bugs in Sun's C-2 Security and that's low level.

Now it could be they hired some standard web design firm to do it and 
that the website is only its sort of public face. There are Intranets 
with much better security and there are secure Networks that run on nice 
BSD variants that are very good. BSD is good because a lot of it is 
people who, every morning or evening ;) when they get up, for the past 20+ years 
have thought about security issues and watched what happened and 
all that stuff. I have been giggling at the teenagers who have been 
attacking my website as of late. I learned a lot by reading the logs. 
But we have secure passwords that are not in any dictionary and all 
that good stuff. It is also completely separate from public accounts 
like this one I use for day-to-day chattering about on the Internet.

Have Fun,
Sends Steve


Valdis.Kletnieks@...edu wrote:

>On Wed, 25 May 2005 12:58:37 EDT, Dan Margolis said:
>
>>Right, but why is XSS interesting? Why would they *want* a "suspected
>>script kiddie" list? Honeypots are good for learning about what sorts of
>>attacks are in the wild, *not* for learning who the attackers are.
>
>So watching the console logs on a tempting target like www.nsa.gov for
>a month isn't going to give a *really* good idea of what's out there?
>
>Consider - of those who went and tried the XSS that got posted, what percent
>probably tried some *other* tricks to see what *else* they could get it to do?
>
>Yes, the NSA crew almost certainly know the attacks themselves - but by keeping
>an eye on what tricks have made it out to the script kiddies, they can measure
>how fast the tricks propagate. Any attack they see on *that* server they can
>safely conclude that it's part of the script kiddie canon (as it's very unlikely
>that a black hat would blow a 0-day attacking that server when everybody *knows*
>there's probably nothing worthwhile on there...)
>
>Remember - we're talking about the organization that provided guidance on the
>design of DES's S-boxes, which made *no* sense at the time.  Many years later,
>we find out that the NSA knew about differential cryptanalysis, the IBM crew
>independently discovered it, but kept quiet at the NSA's urging, and then when
>differential cryptanalysis came out in the open literature, the S-boxes made
>sense.  This gave the NSA a *very* good measure of how far ahead they were
>at the time.
>
>Or the public website is just maintained by low-pay civil servants (after
>all, there's no need for a security clearance for any of those pages ;)
>
>>Granted, we don't know everything the NSA does, but I see little to gain
>>from a public XSS hole, however insignificant. Occam's razor, folks; why
>>should I buy into such a twisted conspiracy theory?
>
>I never said you should.  I merely implied that immediately concluding that
>it was a stupid mistake might in itself be stupid.  Remember - we *know* that
>many black hats try to stay under the radar by leaving tracks that look like
>common script kiddies (so all the recon probes disappear in the noise).  Why
>shouldn't the world leader in spreading and recognizing disinformation do the
>same once in a while? ;)

