Dailydave mailing list archives
Re: Auggie
From: Nathan Sweaney <nathan () sweaney com>
Date: Tue, 9 Jul 2013 08:54:45 -0500
If the local news were to parade one engaging cat burglar in the shadows to tell the "behind the scenes" stories, then we'd all enjoy it as entertainment and move on. It would be absurd to assume that he speaks for, or even has knowledge of, how every other criminal practices their art outside of the small group he runs with. Obviously, given the risks involved, those of greater skill aren't going to associate or collaborate with those of lesser skill.

The article is interesting and entertaining as far as it provides one perspective that many of us don't often consider, but it should hardly be considered authoritative or definitive on the state of the art.

- nathan

On Thu, Jul 4, 2013 at 4:47 AM, antisnatchor <antisnatchor () gmail com> wrote:
Well actually I disagree with that article. There have been multiple occasions of people hacking stuff with SQLmap for example, without even using a random UA, and many of those cases were time or boolean blind SQLi. Also the statement "it's hard to use", I'm not sure I agree with that either. It's hard to use if you retrieve bit-by-bit manually, but who does that?

Cheers
antisnatchor

------------------------------
Michal Zalewski <lcamtuf () coredump cx>
July 3, 2013 5:59 PM

The entire series is, ahem, interesting, for reasons that I will leave open to readers' interpretation:
http://blog.whitehatsec.com/interview-with-a-blackhat-part-1/

/mz

_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave

------------------------------
Dave Aitel <dave () immunityinc com>
July 3, 2013 4:07 PM

So I've now watched all of the Covert Affairs seasons, and I have to say, the writers got better as it went on and the show got a grittier, more disillusioned feel. More like Homeland, and less like Archer. But it's fantasy, of course.

One of the characters (Auggie) is a blind operative and he occasionally gets sent out on missions where he runs about in strange cities and fights people and does other various spy things that are fairly hard to do when you're blind. They make it seem as plausible as, for example, the 5 foot, 100 pound Piper Perabo beating up various thugs (one per episode at least - she's quite violent).

[image: Auggie is blind]

(Note how in this obviously fantasy CIA picture there is no tweed, nor khakis!)

In this blog, RSnake and some random blackhat go into a few things:
http://blog.whitehatsec.com/blind-sql-injection-what-is-it-good-for/

One thing they point out is that one of the random BlackHats that they're friends with does not really use Blind SQLi to penetrate machines, and he doesn't know anyone who does. "Because it's annoying". Tru dat.

"""
Internally at WhiteHat we’ve had the long-standing belief that blind SQL injection is rarely if ever actually used in attacks. We hear a lot about blind SQL injection at conferences, in papers and while talking with researchers, but we just don’t hear about it being used. Sure, there may be one piece of anecdotal evidence somewhere, but as a general class of attack it doesn’t seem to be a favorite of attackers. The reason being? It’s hard to use.
"""

I love that paragraph for so many reasons. Regardless, Immunity's consulting arm uses only Blind SQLi for our penetration tests, both for finding vulnerabilities, and for exploiting them.

-dave

[1] Miguel's talk: https://lists.immunityinc.com/pipermail/dailydave/2013-January/000299.html
Current thread:
- Auggie Dave Aitel (Jul 03)
- Re: Auggie Michal Zalewski (Jul 03)
- Re: Auggie antisnatchor (Jul 09)
- Re: Auggie Nathan Sweaney (Jul 09)
- Re: Auggie antisnatchor (Jul 09)
- <Possible follow-ups>
- Re: Auggie a . real . life . blackhat . lol (Jul 09)
- Re: Auggie Michal Zalewski (Jul 03)