Re: [Full-disclosure] What the f*** is going on?
On Wed, Feb 23, 2011 at 2:09 PM, Michele Orru <antisnatchor@xxxxxxxxx> wrote:
On Tue, Feb 22, 2011 at 2:42 PM, Michal Zalewski <lcamtuf@xxxxxxxxxxx> wrote:
> Also, I would say that even though randomly prodding exec arguments
> with As isn't so elite, the space of "the non-web" is much more deep
> and much more complex than the space of "the web"..
I think that sentiment made sense 8-10 years ago, but today, it's increasingly difficult to defend. I mean, we are at a point where casual users can do without any "real" applications, beyond just having a browser. And in terms of complexity, the browser itself is approaching the kernel, and is growing more rapidly.
Yes, web app vulnerabilities are easier to discover.
Web app security is beginners' security -- surely everyone knows that?
Those with talent graduate on to low-level vulns (mem corruptions, kernel vulns, etc).
Well even if I agree with you, I don't think guys like rsnake, grossman, .mario, vela, etc. are not talented just because they mainly focus on web app/client side security.
I'm the first one among many who want to learn RE and low level things, but I think both of the sides are complex enough.
Isn't your colleague Michal more focused on web app security nowadays?
Yeah.... you know, we're not all in our teens or 20s any more. The mind ages... the skillz fade... and a return to web app sec is sadly inevitable.
</troll2>
Cheers Chris
Cheers
antisnatchor
</troll>
Cheers
Chris
That's partly because of horrible design decisions back in the 1990s, and partly because we're dealing with greater diversity, more complex interactions, and a much younger codebase. Plus, we had much less time to develop systemic defenses.
/mz
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
I think that sentiment made sense 8-10 years ago, but today, it's increasingly difficult to defend. I mean, we are at a point where casual users can do without any "real" applications, beyond just having a browser. And in terms of complexity, the browser itself is approaching the kernel, and is growing more rapidly.
Yes, web app vulnerabilities are easier to discover. That's partly because of horrible design decisions back in the 1990s, and partly because we're dealing with greater diversity, more complex interactions, and a much younger codebase. Plus, we had much less time to develop systemic defenses.
/mz
Michal, your blog writeup does cut to the disheartening core of the issue, but as we all know large non-savvy organizations just eat that bravado and mystery up.
Also, I would say that even though randomly prodding exec arguments with As isn't so elite, the space of "the non-web" is much more deep and much more complex than the space of "the web".. and the vulnerabilities are generally more interesting, generally more difficult to find, and generally more difficult to exploit. If we examine the specialists in each area, I also think there is a general trend that "the web" houses the "less l33t", and "the non-web" houses the "more l33t". In general. I'm sure one can find the great and the garbage in both arenas.
I also completely agree with your concern for the well being of both our tax dollars, the health and safety of the internet, and our physical persons as well. I don't want HBGary sending some thugs to knock me with a blackjack if they see me on the wikileaks IRC channel..
I mean, if these are the security industry's geniuses, why, what would the writers of Stuxnet be?
...seriously?
Disclosing how their epic story simply involved SQLi, well, what about the guys discovering 0days in native code?
Totally. I have long postulated that perl -e '{print "A"x1000}' is considerably more l33t than <script>alert(1)</script> or ' OR '1' == '1.
I don't understand the point you are getting at. I think that the more interesting aspect of this story are the egregious practices revealed in that write-up (and elsewhere):
/mz
http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack.ars
Been reading the ...ah...umpteenth(?) article over the HBGary story.
Well, it's been fun and all, but seriously, this is getting tiring.
I don't want to bash Anonymous - they've got enough BS already, and we all know about it, it ain't worth even mentioning.
Instead, I'll talk about the clueless idiots out there which run supposedly informative articles.
So yeah, now we're calling kids vandalizing websites, causing worthless damage, experts, geniuses even?
I mean, if these are the security industry's geniuses, why, what would the writers of Stuxnet be?
Disclosing how their epic story simply involved SQLi, well, what about the guys discovering 0days in native code?
Then there's the law aspect. Many seem to award people intruding and damaging private property, exposing confidential data somewhat of a good deed.
Yes, similar to punks expressing their artistic capabilities on your front door and making off with anything they can pull off from your car, if not with it as well.
When one views what kind of stuff they do, as well as their literacy level, one can only conclude they're not far from the lowly term of "script kiddies".
But let's leave the self-acclaimed victims aside - what about the media. Surely naming kids as security gurus easily makes up a media sensation.
Wonder how much time these authors have until the FBI knocks by.
Don't know how many counts of infringements they did, and unlike the, uh, security gurus, they pretty much left their ID card for every cop in town to look at.
Da sempre vostro,
Pietro DeMedici