lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 22 Feb 2011 16:44:12 -0500
From: Charles Morris <cmorris@...odu.edu>
To: Michal Zalewski <lcamtuf@...edump.cx>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: What the f*** is going on?

<mz>
>> Disclosing how their epic story simply involved SQLi, well, what about the
>> guys discovering 0days in native code?
>
> Totally. I have long postulated that perl -e '{print "A"x1000}' is
> considerably more l33t than <script>alert(1)</script> or ' OR '1' ==
> '1.
>
> I don't understand the point you are getting at. I think that the more
> interesting aspect of this story are the egregious practices revealed
> in that write-up (and elsewhere):
>
</mz>

Michal, your blog writeup does cut to the disheartening core of the
issue, but as we all know large non-savvy organizations just eat that
bravado and mystery up.

Also, I would say that even though randomly prodding exec arguments
with As isn't so elite, the space of "the non-web" is much more deep
and much more complex than the space of "the web".. and the
vulnerabilities are generally more interesting, generally more
difficult to find, and generally more difficult to exploit. If we
examine the specialists in each area, I also think there is a general
trend that "the web" houses the "less l33t", and "the non-web" houses
the "more l33t". In general. I'm sure one can find the great and the
garbage in both arenas.

I also completely agree with your concern for the well being of both
our tax dollars, the health and safety of the internet, and our
physical persons as well. I don't want HBGary sending some thugs to
knock me with a blackjack if they see me on the wikileaks IRC
channel..

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ