
Re: [Full-disclosure] What the f*** is going on?



<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#ffffff">
    <br>
    <br>
    <blockquote style="border: 0px none;"
      cite="mid:AANLkTim1Hzy5ue5=KD+yuWNns5RDZ49+s1oXwg2=8sbw@xxxxxxxxxxxxxx"
      type="cite">
      <div style="margin-left: 40px;">
        <hr style="border-width: 1px 0pt 0pt; border-style: dotted none
          none; border-color: rgb(181, 181, 181) -moz-use-text-color
          -moz-use-text-color; height: 1px; margin: 0pt;"
          class="__pbConvHr"><br>
      </div>
      <table style="padding-top: 5px;" class="__pbConvTable">
        <tbody>
          <tr>
            <td valign="top"><img
                src="cid:part1.07080403.02060709@gmail.com"
                photoaddress="scarybeasts@xxxxxxxxx" photoname="Chris
                Evans" name="compose-unknown-contact.jpg" width="29px"
                height="29px"></td>
            <td style="padding-left: 5px;" valign="top"><a
                moz-do-not-send="true"
                href="mailto:scarybeasts@xxxxxxxxx" style="color: rgb(0,
                136, 204) ! important; text-decoration: none !
                important;">Chris Evans</a><br>
              <font color="#888888">February 23, 2011 1:35 AM</font></td>
          </tr>
        </tbody>
      </table>
      <div style="color: rgb(136, 136, 136); margin-left: 40px;"
        __pbrmquotes="true" class="__pbConvBody"><br>
        On Tue, Feb 22, 2011 at 2:42 PM, Michal Zalewski <span
          dir="ltr">&lt;<a moz-do-not-send="true"
            href="mailto:lcamtuf@xxxxxxxxxxx">lcamtuf@xxxxxxxxxxx</a>&gt;</span>
        wrote:<br>
        <div class="gmail_quote">
          <blockquote style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px
            solid rgb(204, 204, 204); padding-left: 1ex;"
            class="gmail_quote">
            <div class="im">&gt; Also, I would say that even though
              randomly prodding exec arguments<br>
              &gt; with As isn't so elite, the space of "the non-web" is
              much more deep<br>
              &gt; and much more complex than the space of "the web"..<br>
              <br>
            </div>
            I think that sentiment made sense 8-10 years ago, but today,
            it's<br>
            increasingly difficult to defend. I mean, we are at a point
            where<br>
            casual users can do without any "real" applications, beyond
            just<br>
            having a browser. And in terms of complexity, the browser
            itself is<br>
            approaching the kernel, and is growing more rapidly.<br>
            <br>
            Yes, web app vulnerabilities are easier to discover.</blockquote>
          <div><br>
          </div>
          <div>Web app security is beginners' security -- surely
            everyone knows that?</div>
        </div>
      </div>
    </blockquote>
    <blockquote style="border: 0px none;"
      cite="mid:AANLkTim1Hzy5ue5=KD+yuWNns5RDZ49+s1oXwg2=8sbw@xxxxxxxxxxxxxx"
      type="cite">
      <div style="color: rgb(136, 136, 136); margin-left: 40px;"
        __pbrmquotes="true" class="__pbConvBody">
        <div class="gmail_quote">
          <div>Those with talent graduate on to low-level vulns (mem
            corruptions, kernel vulns, etc).</div>
        </div>
      </div>
    </blockquote>
    Well, even if I agree with you, I don't think guys like rsnake,
    grossman, .mario, vela, etc.<br>
    are not talented just because they mainly focus on web app/client
    side security.<br>
    <br>
    I'm the first one among many who want to learn RE and low-level
    things,<br>
    but I think both sides are complex enough.<br>
    <br>
    Isn't your colleague Michal more focused on web app security
    nowadays?<br>
    <br>
    Cheers<br>
    antisnatchor <br>
    <blockquote style="border: 0px none;"
      cite="mid:AANLkTim1Hzy5ue5=KD+yuWNns5RDZ49+s1oXwg2=8sbw@xxxxxxxxxxxxxx"
      type="cite">
      <div style="color: rgb(136, 136, 136); margin-left: 40px;"
        __pbrmquotes="true" class="__pbConvBody">
        <div class="gmail_quote">
          <div>&lt;/troll&gt;</div>
          <div><br>
          </div>
          <div><br>
          </div>
          <div>Cheers</div>
          <div>Chris</div>
          <div><br>
          </div>
          <blockquote style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px
            solid rgb(204, 204, 204); padding-left: 1ex;"
            class="gmail_quote">
            That's partly<br>
            because of horrible design decisions back in the 1990s, and
            partly<br>
            because we're dealing with greater diversity, more complex<br>
            interactions, and a much younger codebase. Plus, we had much
            less time<br>
            to develop systemic defenses.<br>
            <font color="#888888"><br>
              /mz<br>
            </font>
            <div>
              <div class="h5"><br>
                _______________________________________________<br>
                Full-Disclosure - We believe in it.<br>
                Charter: <a moz-do-not-send="true" target="_blank"
                  href="http://lists.grok.org.uk/full-disclosure-charter.html">http://lists.grok.org.uk/full-disclosure-charter.html</a><br>
                Hosted and sponsored by Secunia - <a
                  moz-do-not-send="true" target="_blank"
                  href="http://secunia.com/">http://secunia.com/</a><br>
              </div>
            </div>
          </blockquote>
        </div>
        <br>
        <hr style="border-width: 1px 0pt 0pt; border-style: dotted none
          none; border-color: rgb(181, 181, 181) -moz-use-text-color
          -moz-use-text-color; height: 1px; margin: 15px 0pt 0pt;"
          class="__pbConvHr"><br>
      </div>
      <table style="padding-top: 5px;" class="__pbConvTable">
        <tbody>
          <tr>
            <td valign="top"><img
                src="cid:part1.07080403.02060709@gmail.com"
                photoaddress="lcamtuf@xxxxxxxxxxx" photoname="Michal
                Zalewski" name="compose-unknown-contact.jpg"
                width="29px" height="29px"></td>
            <td style="padding-left: 5px;" valign="top"><a
                moz-do-not-send="true" href="mailto:lcamtuf@xxxxxxxxxxx"
                style="color: rgb(0, 136, 204) ! important;
                text-decoration: none ! important;">Michal Zalewski</a><br>
              <font color="#888888">February 22, 2011 11:42 PM</font></td>
          </tr>
        </tbody>
      </table>
      <div style="color: rgb(136, 136, 136); margin-left: 40px;"
        __pbrmquotes="true" class="__pbConvBody"><br>
        <div><br>
          I think that sentiment made sense 8-10 years ago, but today,
          it's<br>
          increasingly difficult to defend. I mean, we are at a point
          where<br>
          casual users can do without any "real" applications, beyond
          just<br>
          having a browser. And in terms of complexity, the browser
          itself is<br>
          approaching the kernel, and is growing more rapidly.<br>
          <br>
          Yes, web app vulnerabilities are easier to discover. That's
          partly<br>
          because of horrible design decisions back in the 1990s, and
          partly<br>
          because we're dealing with greater diversity, more complex<br>
          interactions, and a much younger codebase. Plus, we had much
          less time<br>
          to develop systemic defenses.<br>
          <br>
          /mz<br>
        </div>
        <hr style="border-width: 1px 0pt 0pt; border-style: dotted none
          none; border-color: rgb(181, 181, 181) -moz-use-text-color
          -moz-use-text-color; height: 1px; margin: 15px 0pt 0pt;"
          class="__pbConvHr"><br>
      </div>
      <table style="padding-top: 5px;" class="__pbConvTable">
        <tbody>
          <tr>
            <td valign="top"><img
                src="cid:part1.07080403.02060709@gmail.com"
                photoaddress="cmorris@xxxxxxxxxx" photoname="Charles
                Morris" name="compose-unknown-contact.jpg" width="29px"
                height="29px"></td>
            <td style="padding-left: 5px;" valign="top"><a
                moz-do-not-send="true" href="mailto:cmorris@xxxxxxxxxx"
                style="color: rgb(0, 136, 204) ! important;
                text-decoration: none ! important;">Charles Morris</a><br>
              <font color="#888888">February 22, 2011 10:44 PM</font></td>
          </tr>
        </tbody>
      </table>
      <div style="color: rgb(136, 136, 136); margin-left: 40px;"
        __pbrmquotes="true" class="__pbConvBody"><br>
        <div>&lt;mz&gt;<br>
        </div>
        <div>&lt;/mz&gt;<br>
          <br>
          Michal, your blog writeup does cut to the disheartening core
          of the<br>
          issue, but as we all know large non-savvy organizations just
          eat that<br>
          bravado and mystery up.<br>
          <br>
          Also, I would say that even though randomly prodding exec
          arguments<br>
          with As isn't so elite, the space of "the non-web" is much
          deeper<br>
          and much more complex than the space of "the web".. and the<br>
          vulnerabilities are generally more interesting, generally more<br>
          difficult to find, and generally more difficult to exploit. If
          we<br>
          examine the specialists in each area, I also think there is a
          general<br>
          trend that "the web" houses the "less l33t", and "the non-web"
          houses<br>
          the "more l33t". In general. I'm sure one can find the great
          and the<br>
          garbage in both arenas.<br>
          <br>
          I also completely agree with your concern for the well-being
          of both<br>
          our tax dollars, the health and safety of the internet, and
          our<br>
          physical persons as well. I don't want HBGary sending some
          thugs to<br>
          knock me with a blackjack if they see me on the wikileaks IRC<br>
          channel..<br>
        </div>
        <hr style="border-width: 1px 0pt 0pt; border-style: dotted none
          none; border-color: rgb(181, 181, 181) -moz-use-text-color
          -moz-use-text-color; height: 1px; margin: 15px 0pt 0pt;"
          class="__pbConvHr"><br>
      </div>
      <table style="padding-top: 5px;" class="__pbConvTable">
        <tbody>
          <tr>
            <td valign="top"><img
                src="cid:part1.07080403.02060709@gmail.com"
                photoaddress="lcamtuf@xxxxxxxxxxx" photoname="Michal
                Zalewski" name="compose-unknown-contact.jpg"
                width="29px" height="29px"></td>
            <td style="padding-left: 5px;" valign="top"><a
                moz-do-not-send="true" href="mailto:lcamtuf@xxxxxxxxxxx"
                style="color: rgb(0, 136, 204) ! important;
                text-decoration: none ! important;">Michal Zalewski</a><br>
              <font color="#888888">February 22, 2011 6:11 PM</font></td>
          </tr>
        </tbody>
      </table>
      <div style="color: rgb(136, 136, 136); margin-left: 40px;"
        __pbrmquotes="true" class="__pbConvBody"><br>
        <blockquote type="cite">
          <pre wrap="">I mean, if these are the security industry's geniuses, why, what would the
writers of Stuxnet be?
</pre>
        </blockquote>
        <pre wrap="">
...seriously?

</pre>
        <blockquote type="cite">
          <pre wrap="">Disclosing how their epic story simply involved SQLi, well, what about the
guys discovering 0days in native code?
</pre>
        </blockquote>
        <pre wrap="">
Totally. I have long postulated that perl -e '{print "A"x1000}' is
considerably more l33t than &lt;script&gt;alert(1)&lt;/script&gt; or ' OR '1' ==
'1.

I don't understand the point you are getting at. I think that the more
interesting aspect of this story are the egregious practices revealed
in that write-up (and elsewhere):

<a class="moz-txt-link-freetext" 
href="http://lcamtuf.blogspot.com/2011/02/world-of-hbgary.html">http://lcamtuf.blogspot.com/2011/02/world-of-hbgary.html</a>

/mz
</pre>
        <hr style="border-width: 1px 0pt 0pt; border-style: dotted none
          none; border-color: rgb(181, 181, 181) -moz-use-text-color
          -moz-use-text-color; height: 1px; margin: 15px 0pt 0pt;"
          class="__pbConvHr"><br>
      </div>
      <table style="padding-top: 5px;" class="__pbConvTable">
        <tbody>
          <tr>
            <td valign="top"><img
                src="cid:part1.07080403.02060709@gmail.com"
                photoaddress="piedemed@xxxxxxxxx" photoname="Pietro de
                Medici" name="compose-unknown-contact.jpg" width="29px"
                height="29px"></td>
            <td style="padding-left: 5px;" valign="top"><a
                moz-do-not-send="true" href="mailto:piedemed@xxxxxxxxx"
                style="color: rgb(0, 136, 204) ! important;
                text-decoration: none ! important;">Pietro de Medici</a><br>
              <font color="#888888">February 21, 2011 6:46 PM</font></td>
          </tr>
        </tbody>
      </table>
      <div style="color: rgb(136, 136, 136); margin-left: 40px;"
        __pbrmquotes="true" class="__pbConvBody"><br>
        <a moz-do-not-send="true"
href="http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack.ars">http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack.ars</a><br>
        <br>
        Been reading the ...ah...umpteenth(?) article over the HBGary
        story.<br>
        <br>
        Well, it's been fun and all, but seriously, this is getting
        tiring.<br>
        <br>
        I don't want to bash Anonymous - they've got enough BS already,
        and we all know about it, it ain't worth even mentioning.<br>
        <br>
        Instead, I'll talk about the clueless idiots out there who run
        supposedly informative articles.<br>
        <br>
        So yeah, now we're calling kids vandalizing websites, causing
        worthless damage, experts, geniuses even?<br>
        <br>
        I mean, if these are the security industry's geniuses, why, what
        would the writers of Stuxnet be?<br>
        <br>
        Disclosing how their epic story simply involved SQLi, well, what
        about the guys discovering 0days in native code?<br>
        <br>
        Then there's the law aspect. Many seem to award people intruding
        and damaging private property, exposing confidential data
        somewhat of a good deed.<br>
        Yes, similar to punks expressing their artistic capabilities on
        your front door and making off with anything they can pull off
        from your car, if not with it as well.<br>
        <br>
        When one views what kind of stuff they do, as well as their
        literacy level, one can only conclude they're not far from the
        lowly term of "script kiddies".<br>
        <br>
        But let's leave the self-acclaimed victims aside - what about
        the media. Surely naming kids as security gurus easily makes up
        a media sensation.<br>
        Wonder how much time these authors have until the FBI knocks by.
        Don't know how many counts of infringements they did, and unlike
        the, uh, security gurus, they pretty much left their ID card for
        every cop in town to look at.<br>
        <br>
        Ever yours,<br>
        Pietro DeMedici<br>
      </div>
    </blockquote>
  </body>
</html>
