|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
RE: [Full-disclosure] Not even the NSA can get it right
From: Castigliola, Angelo (ACastigliola
unumprovident.com)
Date: Wed May 25 2005 - 12:24:40 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
What would XSS on NSA.GOV get a hacker anyways? Steal my NSA.GOV cookie
"CFID
756140
nsa.gov/
1024
2871474816
31895379
3010520960
29692615
*
CFTOKEN
41950083
nsa.gov/
1024
2871474816
31895379
3010820960
29692615
*"
Don't think a hacker could do much with this. At best someone could try
to use the exploit to phish passwords from NSA.GOV employees.
-Angelo Castigliola III
Security Architect
-----Original Message-----
From: full-disclosure-bounceslists.grok.org.uk
[mailto:full-disclosure-bounceslists.grok.org.uk] On Behalf Of Dan
Margolis
Sent: Wednesday, May 25, 2005 12:59 PM
To: full-disclosurelists.grok.org.uk
Subject: Re: [Full-disclosure] Not even the NSA can get it right
On Wed, May 25, 2005 at 11:43:32AM -0400, Valdis.Kletnieksvt.edu wrote:
> On Wed, 25 May 2005 07:14:12 CDT, "milw0rm Inc." said:
> > lol are you guys joking? They wouldn't allow an xss bug on their
> > website on purpose come on now.
>
> You're not devious enough. Remember that the *best* place to put a
> honeypot is right out there in plain sight where it's likely to
attract
> attention. So now they've grepped their Apache logs, and they've
> added several dozen people to their "suspected script kiddie" list.
>
> (Remember - the NSA probably knows more about proper airgapping than
anybody.
> All *those* webservers have on them is non-sensitive content, so you
can't
> actually *get* anything really interesting to happen - in the NSA view
of the
> world, "public website gets defaced" isn't particularly interesting or
> noteworthy).
Right, but why is XSS interesting? Why would they *want* a "suspected
script kiddie" list? Honeypots are good for learning about what sorts of
attacks are in the wild, *not* for learning who the attackers are. In
fact, it seems the common approach to security largely ignores any
notion of proactive law enforcement, and rightly so--you can't arrest
all the script kiddies, but you can write your software to be more
secure (or, to paraphrase Larry Lessig, _code_ is a much more effective
form of control in cyberspace than _law_ is, most of the time).
Granted, we don't know everything the NSA does, but I see little to gain
from a public XSS hole, however insignificant. Occam's razor, folks; why
should I buy into such a twisted conspiracy theory?
--
Dan
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]