Chris Evans
February 23, 2011 1:35 AM

On Tue, Feb 22, 2011 at 2:42 PM, Michal Zalewski <lcam...@coredump.cx> wrote:
>> Also, I would say that even though randomly prodding exec arguments
>> with As isn't so elite, the space of "the non-web" is much more deep
>> and much more complex than the space of "the web"..
>
> I think that sentiment made sense 8-10 years ago, but today, it's
> increasingly difficult to defend. I mean, we are at a point where
> casual users can do without any "real" applications, beyond just
> having a browser. And in terms of complexity, the browser itself is
> approaching the kernel, and is growing more rapidly.
>
> Yes, web app vulnerabilities are easier to discover.

Web app security is beginners' security -- surely everyone knows that?
Those with talent graduate on to low-level vulns (mem corruptions, kernel vulns, etc).
Well even if I agree with you, I don't think guys like rsnake, grossman, .mario, vela, etc.
are not talented just because they mainly focus on web app/client side security.

I'm the first one among many who want to learn RE and low level things,
but I think both of the sides are complex enough.

Isn't your colleague Michal more focused on web app security nowadays?

Cheers
antisnatchor
</troll>


Cheers
Chris

> That's partly
> because of horrible design decisions back in the 1990s, and partly
> because we're dealing with greater diversity, more complex
> interactions, and a much younger codebase. Plus, we had much less time
> to develop systemic defenses.
>
> /mz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



Michal Zalewski
February 22, 2011 11:42 PM


I think that sentiment made sense 8-10 years ago, but today, it's
increasingly difficult to defend. I mean, we are at a point where
casual users can do without any "real" applications, beyond just
having a browser. And in terms of complexity, the browser itself is
approaching the kernel, and is growing more rapidly.

Yes, web app vulnerabilities are easier to discover. That's partly
because of horrible design decisions back in the 1990s, and partly
because we're dealing with greater diversity, more complex
interactions, and a much younger codebase. Plus, we had much less time
to develop systemic defenses.

/mz



Charles Morris
February 22, 2011 10:44 PM

<mz>
</mz>

Michal, your blog writeup does cut to the disheartening core of the
issue, but as we all know large non-savvy organizations just eat that
bravado and mystery up.

Also, I would say that even though randomly prodding exec arguments
with As isn't so elite, the space of "the non-web" is much more deep
and much more complex than the space of "the web".. and the
vulnerabilities are generally more interesting, generally more
difficult to find, and generally more difficult to exploit. If we
examine the specialists in each area, I also think there is a general
trend that "the web" houses the "less l33t", and "the non-web" houses
the "more l33t". In general. I'm sure one can find the great and the
garbage in both arenas.

I also completely agree with your concern for the well being of both
our tax dollars, the health and safety of the internet, and our
physical persons as well. I don't want HBGary sending some thugs to
knock me with a blackjack if they see me on the wikileaks IRC
channel..



Michal Zalewski
February 22, 2011 6:11 PM

> I mean, if these are the security industry's geniuses, why, what would the
> writers of Stuxnet be?

...seriously?

> Disclosing how their epic story simply involved SQLi, well, what about the
> guys discovering 0days in native code?

Totally. I have long postulated that perl -e '{print "A"x1000}' is
considerably more l33t than <script>alert(1)</script> or ' OR '1' ==
'1.

I don't understand the point you are getting at. I think that the more
interesting aspect of this story are the egregious practices revealed
in that write-up (and elsewhere):

http://lcamtuf.blogspot.com/2011/02/world-of-hbgary.html

/mz



Pietro de Medici
February 21, 2011 6:46 PM

http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack.ars

Been reading the ...ah...umpteenth(?) article over the HBGary story.

Well, it's been fun and all, but seriously, this is getting tiring.

I don't want to bash Anonymous - they've got enough BS already, and we all know about it, it ain't worth even mentioning.

Instead, I'll talk about the clueless idiots out there which run supposedly informative articles.

So yeah, now we're calling kids vandalizing websites, causing worthless damage, experts, geniuses even?

I mean, if these are the security industry's geniuses, why, what would the writers of Stuxnet be?

Disclosing how their epic story simply involved SQLi, well, what about the guys discovering 0days in native code?

Then there's the law aspect. Many seem to award people intruding and damaging private property, exposing confidential data somewhat of a good deed.
Yes, similar to punks expressing their artistic capabilities on your front door and making off with anything they can pull off from your car, if not with it as well.

When one views what kind of stuff they do, as well as their literacy level, one can only conclude they're not far from the lowly term of "script kiddies".

But let's leave the self-acclaimed victims aside - what about the media. Surely naming kids as security gurus easily makes up a media sensation.
Wonder how much time these authors have until the FBI knocks by. Don't know how many counts of infringements they did, and unlike the, uh, security gurus, they pretty much left their ID card for every cop in town to look at.

Yours as always,
Pietro DeMedici
