Re: Not even the NSA can get it right

[Dan Margolis <lists.fd.dmargoli () af0 net>]

On Wed, May 25, 2005 at 11:43:32AM -0400, Valdis.Kletnieks () vt edu wrote:
> On Wed, 25 May 2005 07:14:12 CDT, "milw0rm Inc." said:
> > lol are you guys joking?  They wouldn't allow an xss bug on their
> > website on purpose come on now.
>
> You're not devious enough.  Remember that the *best* place to put a
> honeypot is right out there in plain sight where it's likely to attract
> attention.   So now they've grepped their Apache logs, and they've
> added several dozen people to their "suspected script kiddie" list.
>
> (Remember - the NSA probably knows more about proper airgapping than anybody.
> All *those* webservers have on them is non-sensitive content, so you can't
> actually *get* anything really interesting to happen - in the NSA view of the
> world, "public website gets defaced" isn't particularly interesting or
> noteworthy).

Right, but why is XSS interesting? Why would they *want* a "suspected
script kiddie" list? Honeypots are good for learning about what sorts of
attacks are in the wild, *not* for learning who the attackers are. In
fact, it seems the common approach to security largely ignores any
notion of proactive law enforcement, and rightly so--you can't arrest
all the script kiddies, but you can write your software to be more
secure (or, to paraphrase Larry Lessig, _code_ is a much more effective
form of control in cyberspace than _law_ is, most of the time). 

Granted, we don't know everything the NSA does, but I see little to gain
from a public XSS hole, however insignificant. Occam's razor, folks; why
should I buy into such a twisted conspiracy theory? 
-- 
Dan
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/