On Wed, Sep 16, 2009 at 11:14 AM, Aryeh Gregor < [email protected] <simetrical%[email protected]>> wrote:
> On Tue, Sep 15, 2009 at 6:40 PM, Anthony <[email protected]> wrote:
> > There are. You didn't want us to describe them in our article, did you?
>
> All nontrivial software has unknown security vulnerabilities.

Fine, I'm willing to leave it at that. I just felt the need to defend Judd (and, as a board member of the non-profit which published the blog article, myself) against a claim of lying in a blog post.

> It should be noted, though, that actual demonstrated risk is probably
> more important to users than theoretical patch response times. For
> whatever reason, attacks on MediaWiki seem to be comparatively rare.
> I think the "soft security" model is oftentimes a good one.

It certainly blurs the lines between what is a "security breach" and what is vandalism, and gives the script kiddies something to do which doesn't constitute a true security breach.

> I would be interested in hearing of any real-world attacks anyone
> knows of -- there must have been *some*, but I've never heard of one.

The only one I can think of that I know of directly would be the IP spoofing one where the attacker pretended to be a proxy and sent a false "IP forwarded" or whatever. But indirectly I know of many "Grawp" exploits. I guess I know of one of those directly, which is whatever I got hit with on my Mediawiki installation. I never investigated what specifically it was, though.

There are also various forms of nasty once-upon-a-time unrecoverable vandalism like moving a page on top of another which arguably aren't security holes but arguably *are* security holes in the form of design flaws.

_______________________________________________
Wikitech-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
