On Mon, 2 Mar 2009, Chris Evans wrote:
For the sake of prolonging a pointless argument, let's stick to the
original premise of a tab crash with no other consequence, and see
where it goes :)
It depends on where the piece of data causing the crash has come from.
(1) Could it (or any other
This was 2 years well spent... NOT!
Seriously what is with all these people popping up releasing advisories that
are absolute SHIT? Is it to try and get jobs or what?
On Tue, Mar 3, 2009 at :55 AM, ISecAuditors Security Advisories
advisories at isecauditors.com wrote:
I know, its insane. It is a new trend, though, just like people registering
gmail accounts just to flame and troll on FD!
Its like, your credability like, goes like, ok you start like at 0, and then
like, it goes like to -1, and like, then even lower like.
Absolutely genius.
x0x0x0x0x0x0x0x0x0x
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Yes.
- -bm
On Tue, 03 Mar 2009 18:28:30 -0500 Biz Marqee
biz.mar...@gmail.com wrote:
This was 2 years well spent... NOT!
Seriously what is with all these people popping up releasing
advisories that
are absolute SHIT? Is it to try and get jobs or
Mister Snarks,
I've never been anything but who I purport to be, the humble upper
facial hair quadrant of a loquacious sysadmin. Low of birth, though
noble in aspiration, a student of history and of the many mustaches
who came before myself.
You, young scholar, should be wary, though!
Ah, probably not. Your stringing together words to make sentences is what
I'll regret reading. I'll continue to use my muscle milk and you'll continue
to work your 9-5. The world turns once again!
On Wed, Mar 4, 2009 at 4:06 PM, Valdis' Mustache
security.musta...@gmail.com wrote:
Mister
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Mr. Stark,
You're body fat seems to be fairly high, you should consider a
cutting phase and quitting the muscle milk and whatever cheap
steroids you use. Your looking like a fat dumb homosexual in those
tights. Someone with you're levels of
Rob,
Our young scholar does nonetheless have some sage advice for young ladies of
colour.
http://www.helium.com/items/250130-advice-to-black-females
I was rather alarmed at his arrest and methamphetamine abuse, however one
might presume that his recent weight training is part of a
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
'stache,
Perhaps his current lack of methamphetamines is the cause of his
extra girth.
Mr. Starks, I suggest immediately going off the low-reward, mass-
marketed and overpriced muscle muscle milk and doing a bit of
cardiovascular exercise until
On Tue, Mar 3, 2009 at 3:28 PM, Biz Marqee biz.mar...@gmail.com wrote:
This was 2 years well spent... NOT!
Seriously what is with all these people popping up releasing advisories that
are absolute SHIT? Is it to try and get jobs or what?
I worry it's only going to get worse as the economy
But what if www.evil.com has run an injection attack of some kind (SQL,
XSS in blog comments, etc, etc) against www.stupid.com?
Visitors to stupid.com then suffer a DoS...
In such a case, the attacker may just as well clobber body.innerHTML,
run a while (1) loop, or otherwise logically deny
Michal Zalewski to me:
But what if www.evil.com has run an injection attack of some kind (SQL,
XSS in blog comments, etc, etc) against www.stupid.com?
Visitors to stupid.com then suffer a DoS...
In such a case, the attacker may just as well clobber body.innerHTML,
run a while (1)
Chris Evans to me:
So, you have injected HTML into stupid.com, and you choose to inflict
the fury of a closing tab upon hapless visitors?
Your point?
I said nothing about how big or bad of a vulnerability it is, just that
it is one.
Are there lots and lots of trivial vulns in software?
I said nothing about how big or bad of a vulnerability it is, just that
it is one.
Which, in a wonderfully circular manner, brings us to the very
beginning of this branch of the thread, where opposing views on the
subject were discussed before Thierry brought this specific example in
;-)
Are
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Dear Mr. FitzGerald,
Exactly what is this dick-wad you speak of? Please elaborate, for
the sake of professionalism and coherency on this fine list of ours.
thanks,
- -bm
On Mon, 02 Mar 2009 23:35:00 -0500 Nick FitzGerald n...@virus-
l.demon.co.uk
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Dear Valdis,
I have been able to reproduce a similar situation using Firefox
under MacOSX, using different websites and a significantly larger
number of tabs. Do you think these issues might be related or are
they operating system specific? What
Mr. Mustache, it is obvious that I have more talent than a box of
chocolates, and that you envy the sadistic nature of your fellow trolls on
this list. Point blank.
On Tue, Mar 3, 2009 at 6:18 AM, bobby.mug...@hushmail.com wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Dear Valdis,
I
On Mon, 02 Mar 2009 22:49:41 PST, Chris Evans said:
So, you have injected HTML into stupid.com, and you choose to inflict
the fury of a closing tab upon hapless visitors?
If your intent is to cause stupid.com to lose traffic while flying under
the wire, that's a good place to start. Trashing
Can we stay on task, please?
Jason Starks jstarks...@gmail.com 03/03/2009 10:11
Mr. Mustache, it is obvious that I have more talent than a box of
chocolates, and that you envy the sadistic nature of your fellow trolls on
this list. Point blank.
On Tue, Mar 3, 2009 at 6:18 AM,
Dear Thierry,
On Fri, Feb 27, 2009 at 10:36 AM, Thierry Zoller thie...@zoller.lu wrote:
In my book, maybe only in mine, a software bug is security relevant
(sorry for the lack of clarity - it's late over here) as soon as
Integrity / Availabilty / Confidentiality are under arbritary direct
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Mr. Stark,
Adhering to the tradition of my fathers, I do not sport any facial
hair and take offense to your comment, and since you're obviously
lacking basic observational skills I highly doubt you're even as
talented as my Cadburys, at anything.
-
Mr. Mustache,
There is a missing s on the end of my last name.
Yours truly,
Jason Bench Press Starks
On Tue, Mar 3, 2009 at 5:45 PM, bobby.mug...@hushmail.com wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Mr. Stark,
Adhering to the tradition of my fathers, I do not sport any
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Where?
- -bm
On Tue, 03 Mar 2009 17:54:51 -0500 Jason Starks
jstarks...@gmail.com wrote:
Mr. Mustache,
There is a missing s on the end of my last name.
Yours truly,
Jason Bench Press Starks
On Tue, Mar 3, 2009 at 5:45 PM,
Right..
On Tue, Mar 3, 2009 at 5:45 PM, bobby.mug...@hushmail.com wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Mr. Stark,
There.
On Tue, Mar 3, 2009 at 5:56 PM, bobby.mug...@hushmail.com wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Where?
- -bm
On Tue, 03 Mar 2009
Chris Evans to me:
By this definition of yours, DoS is fundamentally built in to browsers
(by way of simply following specifications) -- even those with decent
privsep models.
Not necessarily...
Factually, probably so but that says more about our s/w development
methods and what has
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Huh?
- -bm
On Tue, 03 Mar 2009 18:01:05 -0500 Jason Starks
jstarks...@gmail.com wrote:
Right..
On Tue, Mar 3, 2009 at 5:45 PM, bobby.mug...@hushmail.com
wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Mr. Stark,
There.
On Tue, Mar 3,
Mr. Snarks,
If you can't tell the difference between the Zimbabwean president and
what's under my esteemed owner's nose I suggest you consult RFC 2821
for guidance.
I am NOT amused.
Your humble servant,
V knír z Valdis
On Tue, Mar 3, 2009 at 6:01 PM, Jason Starks jstarks...@gmail.com wrote:
Did Safari have a bug or something...
On Tue, Mar 3, 2009 at 6:21 PM, Valdis' Mustache
security.musta...@gmail.com wrote:
Mr. Snarks,
If you can't tell the difference between the Zimbabwean president and
what's under my esteemed owner's nose I suggest you consult RFC 2821
for guidance.
I
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Mr. Starks,
Please remind us what you're talking about.
- -bm
On Tue, 03 Mar 2009 18:31:05 -0500 Jason Starks
jstarks...@gmail.com wrote:
Did Safari have a bug or something...
On Tue, Mar 3, 2009 at 6:21 PM, Valdis' Mustache
Browsers could reasonably implement various kinds of resource expenditure
limitations, but few, if any, do OOTB (FF 2.x I think added some basic
this script is taking too long controls, but there is a lot more that
could be done).
IE, Firefox, Safari and Chrome all have basic protection
On Tue, Mar 3, 2009 at 3:00 PM, Nick FitzGerald
n...@virus-l.demon.co.uk wrote:
Chris Evans to me:
By this definition of yours, DoS is fundamentally built in to browsers
(by way of simply following specifications) -- even those with decent
privsep models.
Not necessarily...
Factually,
On Fri, Feb 27, 2009 at 5:36 AM, Thierry Zoller thie...@zoller.lu wrote:
Hi,
Michal with all due respect I'd like to beg to differ (and maybe be
too nitpicky here).
MZ Vulnerabilities are a subset of software engineering bugs.
I do not think this is the case (lack of the term software).
Chris Evans to Thierry Zoller:
Example
If a chrome tab can be crashed arbritarely (remotely) it is a DoS attack
but with ridiculy low impact to the end-user as it only crashes the tab
it was subjected to, and not the whole browser or operation system.
But the fact remains that this was
Eh? If you visit www.evil.com and your tab crashes, that's no
different from www.evil.com closing its own tab with Javascript.
While I generally agree that if its just a straight DoS that there is
very little difference-- but to play devils advocate some--
the difference is that with JS closing
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Dear Nick,
You and Thierry Loller are wrong.
- -bm
On Mon, 02 Mar 2009 21:28:17 -0500 Nick FitzGerald n...@virus-
l.demon.co.uk wrote:
Chris Evans to Thierry Zoller:
Example
If a chrome tab can be crashed arbritarely (remotely) it is a
DoS
bobby.mug...@hushmail.com wrote:
Dear Nick,
You and Thierry Loller are wrong.
Thank-you for your comprehensive and compelling argument.
Applying your debating technique, I now see that you are a dick-wad.
Regards,
Nick FitzGerald
___
I would like to point out that I have been able to create a hung
state in the Firefox browser by opening 30 simultaneous tabs pointed
at http://www.welcometointernet.org/lawnmower/ and adding a 31st tab
viewing http://www.hotrussianbrides.com.
Also, I am not amused.
Your humble servant,
Ze
Grow up, really.
On Mon, Mar 2, 2009 at 11:41 PM, Valdis' Mustache
security.musta...@gmail.com wrote:
I would like to point out that I have been able to create a hung
state in the Firefox browser by opening 30 simultaneous tabs pointed
at http://www.welcometointernet.org/lawnmower/ and
Jason,
Initially I was not amused by your sententious and self-righteous
reply, coming as it does from someone apparently unable to read GCC
documentation, someone whose very question on this very list resulted
in substantial wasting of time by the owner of this very mustache
(time that might
On Mon, Mar 2, 2009 at 6:28 PM, Nick FitzGerald
n...@virus-l.demon.co.uk wrote:
Chris Evans to Thierry Zoller:
Example
If a chrome tab can be crashed arbritarely (remotely) it is a DoS attack
but with ridiculy low impact to the end-user as it only crashes the tab
it was subjected to, and
On Tue, Mar 3, 2009 at 2:22 AM, jf j...@danglingpointers.net wrote:
Eh? If you visit www.evil.com and your tab crashes, that's no
different from www.evil.com closing its own tab with Javascript.
While I generally agree that if its just a straight DoS that there is
very little difference-- but
A Denial of Service in a Beta browser. Wow. Stop the presses.
On Fri, Feb 27, 2009 at 12:29 PM, Michal Zalewski lcam...@coredump.cx wrote:
By the way, I'm now selling a Risk Management and Scoring
tool for $19.99 that will allow you to enter a program and
define what you think the risk is.
Hi,
Michal with all due respect I'd like to beg to differ (and maybe be
too nitpicky here).
MZ Vulnerabilities are a subset of software engineering bugs.
I do not think this is the case (lack of the term software). How's
this for being nitpicky ? ;)
In my book, maybe only in mine, a software
On Fri, 27 Feb 2009, Thierry Zoller wrote:
If we want to arrive at a state where risk can be managed, it needs
to be measured. And if we aren't that far in 2009 I pity us all.
One of the most difficult tasks in risk management has always
been the measurement factorability. Many books have
[Thierry Zoller]
In my book, maybe only in mine, a software bug is security relevant
(sorry for the lack of clarity - it's late over here) as soon as
Integrity / Availabilty / Confidentiality are under arbritary direct
or indirect control of a another entity (i.e attacker). Period,
This is
On Fri, 27 Feb 2009 08:03:46 CST, J. Oquendo said:
By the way, I'm now selling a Risk Management and Scoring
tool for $19.99 that will allow you to enter a program and
define what you think the risk is. The program will allow
you to pick your target: CIO, CEO, CSO. It will then go
out and
I vulnerability could technically be ANYTHING of value to the attacker
that is out of the programs normal, expected, or believed behavior.
Many people have many different views and that is why some
vulnerabilities are published, some are not. A bug that is usually
considered just a bug could have
By the way, I'm now selling a Risk Management and Scoring
tool for $19.99 that will allow you to enter a program and
define what you think the risk is. The program will allow
you to pick your target: CIO, CEO, CSO. It will then go
out and create a custom chart to maximize your budgetary
The fun times of security semantics! I'd have to argue that DoS conditions
have the potential to be security issues. Then again, I'd also prefer not to
remove A from CIA, but this is not from the standpoint of a developer or
software vendor. I understand how that opinion changes based on
Dear Michael,
I understand your point, however consider that
your examples are showing the different *impacts* of a DoS condition.
A bug becomes a security problem once it violates at least one of the three
letters C or I or A. That's the point. The impact and risk assesement
is to be done
The fun times of security semantics!
Old debates never die...
Vulnerabilities are a subset of software engineering bugs. As the name
implies, they are defined strictly by the impact they have; if a bug
does not render the victim appreciably susceptible to anything that
would be of value to
51 matches
Mail list logo
