Full Disclosure mailing list archives
Re: What the f*** is going on?
From: Chris Evans <scarybeasts () gmail com>
Date: Thu, 24 Feb 2011 03:04:36 -0800
On Wed, Feb 23, 2011 at 2:09 PM, Michele Orru <antisnatchor () gmail com> wrote:

------------------------------
Chris Evans <scarybeasts () gmail com>
February 23, 2011 1:35 AM

On Tue, Feb 22, 2011 at 2:42 PM, Michal Zalewski <lcamtuf () coredump cx> wrote:

Also, I would say that even though randomly prodding exec arguments with As isn't so elite, the space of "the non-web" is much more deep and much more complex than the space of "the web"..

I think that sentiment made sense 8-10 years ago, but today, it's increasingly difficult to defend. I mean, we are at a point where casual users can do without any "real" applications, beyond just having a browser. And in terms of complexity, the browser itself is approaching the kernel, and is growing more rapidly. Yes, web app vulnerabilities are easier to discover.

Web app security is beginners' security -- surely everyone knows that? Those with talent graduate on to low-level vulns (mem corruptions, kernel vulns, etc).

Well, even if I agree with you, I don't think guys like rsnake, grossman, .mario, vela, etc. are not talented just because they mainly focus on web app/client side security. I'm the first one among many who want to learn RE and low level things, but I think both of the sides are complex enough. Isn't your colleague Michal more focused on web app security nowadays?

Yeah.... you know, we're not all in our teens or 20s any more. The mind ages... the skillz fade... and a return to web app sec is sadly inevitable. </troll2>

Cheers
Chris

Cheers
antisnatchor

</troll>

Cheers
Chris

That's partly because of horrible design decisions back in the 1990s, and partly because we're dealing with greater diversity, more complex interactions, and a much younger codebase. Plus, we had much less time to develop systemic defenses.

/mz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

------------------------------
Michal Zalewski <lcamtuf () coredump cx>
February 22, 2011 11:42 PM

I think that sentiment made sense 8-10 years ago, but today, it's increasingly difficult to defend. I mean, we are at a point where casual users can do without any "real" applications, beyond just having a browser. And in terms of complexity, the browser itself is approaching the kernel, and is growing more rapidly. Yes, web app vulnerabilities are easier to discover. That's partly because of horrible design decisions back in the 1990s, and partly because we're dealing with greater diversity, more complex interactions, and a much younger codebase. Plus, we had much less time to develop systemic defenses.

/mz

------------------------------
Charles Morris <cmorris () cs odu edu>
February 22, 2011 10:44 PM

<mz> </mz>

Michal, your blog writeup does cut to the disheartening core of the issue, but as we all know large non-savvy organizations just eat that bravado and mystery up.

Also, I would say that even though randomly prodding exec arguments with As isn't so elite, the space of "the non-web" is much more deep and much more complex than the space of "the web".. and the vulnerabilities are generally more interesting, generally more difficult to find, and generally more difficult to exploit. If we examine the specialists in each area, I also think there is a general trend that "the web" houses the "less l33t", and "the non-web" houses the "more l33t". In general. I'm sure one can find the great and the garbage in both arenas.

I also completely agree with your concern for the well-being of both our tax dollars, the health and safety of the internet, and our physical persons as well. I don't want HBGary sending some thugs to knock me with a blackjack if they see me on the wikileaks IRC channel..

------------------------------
Michal Zalewski <lcamtuf () coredump cx>
February 22, 2011 6:11 PM

I mean, if these are the security industry's geniuses, why, what would the writers of Stuxnet be?

...seriously?

Disclosing how their epic story simply involved SQLi, well, what about the guys discovering 0days in native code?

Totally. I have long postulated that perl -e '{print "A"x1000}' is considerably more l33t than <script>alert(1)</script> or ' OR '1' == '1.

I don't understand the point you are getting at. I think that the more interesting aspect of this story are the egregious practices revealed in that write-up (and elsewhere):

http://lcamtuf.blogspot.com/2011/02/world-of-hbgary.html

/mz

------------------------------
Pietro de Medici <piedemed () gmail com>
February 21, 2011 6:46 PM

http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack.ars

Been reading the ...ah...umpteenth(?) article over the HBGary story. Well, it's been fun and all, but seriously, this is getting tiring. I don't want to bash Anonymous - they've got enough BS already, and we all know about it, it ain't worth even mentioning. Instead, I'll talk about the clueless idiots out there which run supposedly informative articles.

So yeah, now we're calling kids vandalizing websites, causing worthless damage, experts, geniuses even? I mean, if these are the security industry's geniuses, why, what would the writers of Stuxnet be? Disclosing how their epic story simply involved SQLi, well, what about the guys discovering 0days in native code?

Then there's the law aspect. Many seem to award people intruding and damaging private property, exposing confidential data somewhat of a good deed. Yes, similar to punks expressing their artistic capabilities on your front door and making off with anything they can pull off from your car, if not with it as well. When one views what kind of stuff they do, as well as their literacy level, one can only conclude they're not far from the lowly term of "script kiddies".

But let's leave the self-acclaimed victims aside - what about the media. Surely naming kids as security gurus easily makes up a media sensation. Wonder how much time these authors have until the FBI knocks by. Don't know how many counts of infringements they did, and unlike the, uh, security gurus, they pretty much left their ID card for every cop in town to look at.

Yours as always,
Pietro DeMedici
Current thread:
- What the f*** is going on? Pietro de Medici (Feb 22)
- Re: What the f*** is going on? Michal Zalewski (Feb 22)
- Re: What the f*** is going on? root (Feb 22)
- Re: What the f*** is going on? Charles Morris (Feb 22)
- Re: What the f*** is going on? Michal Zalewski (Feb 22)
- Re: What the f*** is going on? Chris Evans (Feb 22)
- Re: What the f*** is going on? Michele Orru (Feb 23)
- Re: What the f*** is going on? Chris Evans (Feb 24)
- Re: What the f*** is going on? Fredrick Diggle (Feb 24)
- Re: What the f*** is going on? jf (Feb 22)
- Re: What the f*** is going on? Pietro de Medici (Feb 23)
- Re: What the f*** is going on? Michal Zalewski (Feb 22)
- Re: What the f*** is going on? Michal Zalewski (Feb 22)
- Re: What the f*** is going on? jf (Feb 22)
- Re: What the f*** is going on? Michal Zalewski (Feb 22)
- Re: What the f*** is going on? jf (Feb 22)