Full Disclosure mailing list archives
RE: Not even the NSA can get it right
From: "Castigliola, Angelo" <ACastigliola () unumprovident com>
Date: Wed, 25 May 2005 13:24:40 -0400
What would XSS on NSA.GOV get a hacker anyways? Steal my NSA.GOV cookie "CFID 756140 nsa.gov/ 1024 2871474816 31895379 3010520960 29692615 * CFTOKEN 41950083 nsa.gov/ 1024 2871474816 31895379 3010820960 29692615 *" Don't think a hacker could do much with this. At best someone could try to use the exploit to phish passwords from NSA.GOV employees. -Angelo Castigliola III Security Architect -----Original Message----- From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Dan Margolis Sent: Wednesday, May 25, 2005 12:59 PM To: full-disclosure () lists grok org uk Subject: Re: [Full-disclosure] Not even the NSA can get it right On Wed, May 25, 2005 at 11:43:32AM -0400, Valdis.Kletnieks () vt edu wrote:
On Wed, 25 May 2005 07:14:12 CDT, "milw0rm Inc." said:lol are you guys joking? They wouldn't allow an xss bug on their website on purpose come on now.You're not devious enough. Remember that the *best* place to put a honeypot is right out there in plain sight where it's likely to
attract
attention. So now they've grepped their Apache logs, and they've added several dozen people to their "suspected script kiddie" list. (Remember - the NSA probably knows more about proper airgapping than
anybody.
All *those* webservers have on them is non-sensitive content, so you
can't
actually *get* anything really interesting to happen - in the NSA view
of the
world, "public website gets defaced" isn't particularly interesting or noteworthy).
Right, but why is XSS interesting? Why would they *want* a "suspected script kiddie" list? Honeypots are good for learning about what sorts of attacks are in the wild, *not* for learning who the attackers are. In fact, it seems the common approach to security largely ignores any notion of proactive law enforcement, and rightly so--you can't arrest all the script kiddies, but you can write your software to be more secure (or, to paraphrase Larry Lessig, _code_ is a much more effective form of control in cyberspace than _law_ is, most of the time). Granted, we don't know everything the NSA does, but I see little to gain from a public XSS hole, however insignificant. Occam's razor, folks; why should I buy into such a twisted conspiracy theory? -- Dan _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Not even the NSA can get it right, (continued)
- Re: Not even the NSA can get it right Paul Kurczaba (May 25)
- Re: Not even the NSA can get it right Dan Margolis (May 27)
- Re: Not even the NSA can get it right Barrie Dempster (May 27)
- Re: Not even the NSA can get it right James Tucker (May 27)
- Re: Not even the NSA can get it right Eric Paynter (May 30)
- Re: Not even the NSA can get it right Mister Coffee (May 25)
- RE: Not even the NSA can get it right James Longstreet (May 25)
- Re: Not even the NSA can get it right Valdis . Kletnieks (May 25)
- Re: Not even the NSA can get it right Aaron Horst (May 26)