Full Disclosure mailing list archives

Re: What the f*** is going on?


From: Charles Morris <cmorris () cs odu edu>
Date: Tue, 22 Feb 2011 16:44:12 -0500

<mz>
Disclosing how their epic story simply involved SQLi, well, what about the
guys discovering 0days in native code?

Totally. I have long postulated that perl -e '{print "A"x1000}' is
considerably more l33t than <script>alert(1)</script> or ' OR '1' ==
'1.

I don't understand the point you are getting at. I think that the more
interesting aspect of this story are the egregious practices revealed
in that write-up (and elsewhere):

</mz>

Michal, your blog writeup does cut to the disheartening core of the
issue, but as we all know large non-savvy organizations just eat that
bravado and mystery up.

Also, I would say that even though randomly prodding exec arguments
with As isn't so elite, the space of "the non-web" is much more deep
and much more complex than the space of "the web".. and the
vulnerabilities are generally more interesting, generally more
difficult to find, and generally more difficult to exploit. If we
examine the specialists in each area, I also think there is a general
trend that "the web" houses the "less l33t", and "the non-web" houses
the "more l33t". In general. I'm sure one can find the great and the
garbage in both arenas.

I also completely agree with your concern for the well-being of both
our tax dollars, the health and safety of the internet, and our
physical persons as well. I don't want HBGary sending some thugs to
knock me with a blackjack if they see me on the wikileaks IRC
channel..

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

