Re: New Web Vulnerability - Cross-Site Tracing

["Tim Greer" <chatmaster () charter net>]

----- Original Message -----
From: "Jeremiah Grossman" <jeremiah () whitehatsec com>
Subject: Re: New Web Vulnerability - Cross-Site Tracing


> On Wed, 2003-01-22 at 15:52, xss-is-lame () hushmail com wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
>
>
> > My objection is to the way that the whole issue was framed and
presented.  I realize that
> everyone has to gloss things up a bit for marketting and dumb things down
for laypeople, but
> I think that the press release, the whitepaper and particularly the
ExtremeTech article all
> overstep what is excusable.  They are sensational and exagerated.
>
> We do not believe PR statement or white paper misrepresented anything.
> If fact we got the help from many known experts to make sure we did the
> best job we could and everything was as clear as we could make it. We
> also dont control media coverage.

Oh come on, It's your arictle, the content thereof is within your control.
If the article misrepresents some facts or hypes it up such as, you can't
blame marketing or media coverage for what *your* article stated. Many of us
disagree about the facts represented as being as they were claimed.

> > Some examples for the whitepaper and press release:
> > "First of all, anything that attempts to help prevent the xss plague on
the web is a good thing."
> > The XSS plague?  The only XSS plague I know of is on Bugtraq and other
disclosure
> mailing lists.  Is anyone else sick of seeing posts about XSS problems in
PHP applications
> that runs on a total of five sites?
>
> We are sick of seeing it as well. And XSS is in everything and near
> impossible to get rid of. Aka. plague.

No, we're all sick of seeing these trivial, hyped-up claims.

> Code Red was a plague.  Melissa was a plague.  In all
> the time XSS has been around, I only know of a few instances where it has
actually been used.
> Do you have any evidence of an actual XSS epidemic taking place?
>
>
> Well being a security expert in the field I can hardly comment on
> specifics but yes... it does happen. Often? Whats Often?

Being a security expert? Well, I don't want to get personal, and it's been a
few years since I've seen what you're doing lately, but it's only been a few
years and I don't want to get into it and explain my doubts about you
suddenly becoming a 'security expert' since that time. Just claiming to be a
leading expert in this field doesn't make it factual, nor that you are more
qualified than other people that are in this field. Your article is hyped up
nonsense and anymore of these XSS issues being hyped up, I'm going to
friggin' loose it.

<snip the rest of the nonsense>

Really, nothing personal, but this is ridiculous. However, I don't intend to
debate or argue on the list about this, so I'll end on that note. If you
believe what you say in your article, you should go an example this in a
real-world environment and who us all how 'frightening' this is. :-)

Regards,
Tim Greer  chatmaster () charter net
Server administration, security, programming, consulting.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html