I don't think you are right. There are two extremes when checking if two files are the same:
* Both files are exact byte copies - we are happy, because everything is clear
* Both files are absolutely different - we are also happy, because we know that something is bad

But a scanner which considers just these two extremes will throw many false positives, because the world isn't ideal. Just download two copies of some page a few minutes apart and you will see. Different banner? Different language (because you changed IP)? New information here? You have to consider all of these and report only the important things.

Because it is more heuristic than exact measurement, an attacker can adapt his code to be less harmful and skip the notification threshold of the scanner. There are two ways to fight attackers:
a) Open-source the scanner and beat them by spending months on scanner improvements.
b) Leave the scanner closed and piss them off (my way)

I think your irony isn't outright. Trust me, I didn't spend almost a year of my life on bullshit.

John: I know SoaT quite well, I originally considered improving it. But my attitude is quite different. SoaT checks everything other than content (as you wrote: SSL, policy etc.) - and throws many false positives once content differs a bit. I'm interested just in content.

Marek

On Sun, Jun 20, 2010 at 11:05 PM, Anders Andersson <pipat...@gmail.com> wrote:
> Unfortunately I
>> cannot publish source codes because attackers can adapt own techniques
>> (though it would be very difficult).
>
> Yummy. Security through obscurity. Let's hope the bad guys don't
> find out. Or do they already know?..
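The trade-off discussed in this message, byte-exact comparison versus a heuristic with a reporting threshold, as an added example that is not the scanner from the thread (its source was not published). The set of "active" attributes, the 0.6 text threshold and the three sample pages are assumptions constructed for illustration.

```python
import difflib
from html.parser import HTMLParser

# Assumption: references that load or submit to other resources are the
# "important" part of a page; the thread does not say what its scanner checks.
ACTIVE_ATTRS = {("script", "src"), ("iframe", "src"), ("form", "action"),
                ("link", "href"), ("object", "data")}

class PageSummary(HTMLParser):
    """Splits a page into visible words and a set of active-content items."""
    def __init__(self):
        super().__init__()
        self.words, self.active, self._in_script = [], set(), False

    def handle_starttag(self, tag, attrs):
        self._in_script = self._in_script or tag == "script"
        for name, value in attrs:
            if (tag, name) in ACTIVE_ATTRS or name.startswith("on"):
                self.active.add((tag, name, value))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        data = data.strip()
        if data and self._in_script:
            self.active.add(("script", "inline", data))  # inline script body
        elif data:
            self.words.extend(data.split())

def summarize(html):
    parser = PageSummary()
    parser.feed(html)
    parser.close()
    return parser

def compare(reference, candidate, text_threshold=0.6):
    """Report only new active content or a large drop in text similarity."""
    ref, cand = summarize(reference), summarize(candidate)
    ratio = difflib.SequenceMatcher(None, ref.words, cand.words).ratio()
    added = cand.active - ref.active
    return {"identical": reference == candidate, "text_ratio": ratio,
            "added_active": added, "report": bool(added) or ratio < text_threshold}

# Constructed sample pages: a reference copy, a copy with a rotated banner and
# news item, and a copy with one extra script reference.
REFERENCE = ('<html><body><div>Ad: buy shoes</div><p>Welcome to the example page.</p>'
             '<p>News: item one.</p><script src="/static/app.js"></script></body></html>')
BENIGN = REFERENCE.replace("shoes", "hats").replace("one.", "two.")
TAMPERED = REFERENCE.replace(
    "</body>", '<script src="http://injected.example/x.js"></script></body>')
```

Both `BENIGN` and `TAMPERED` fail a byte-exact check, but only `TAMPERED` is reported by `compare`, because the rotated banner keeps the word-level similarity above the threshold and adds no active content.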