Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security FullDisclosure
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: [Full-disclosure] Not even the NSA can get it right

from [Castigliola, Angelo] Network Security [Permanent Link]
Subject: RE: [Full-disclosure] Not even the NSA can get it right
Date: Wed, 25 May 2005 13:24:40 -0400 
What would XSS on NSA.GOV get a hacker anyways? Steal my NSA.GOV cookie 

"CFID
756140
nsa.gov/
1024
2871474816
31895379
3010520960
29692615
*
CFTOKEN
41950083
nsa.gov/
1024
2871474816
31895379
3010820960
29692615
*"

Don't think a hacker could do much with this. At best someone could try
to use the exploit to phish passwords from NSA.GOV employees.

-Angelo Castigliola III
Security Architect

-----Original Message-----
From: full-disclosure-bounces@lists.grok.org.uk
[mailto:full-disclosure-bounces@lists.grok.org.uk] On Behalf Of Dan
Margolis
Sent: Wednesday, May 25, 2005 12:59 PM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Not even the NSA can get it right

On Wed, May 25, 2005 at 11:43:32AM -0400, Valdis.Kletnieks@vt.edu wrote:

On Wed, 25 May 2005 07:14:12 CDT, "milw0rm Inc." said:

lol are you guys joking?  They wouldn't allow an xss bug on their
website on purpose come on now.


You're not devious enough.  Remember that the *best* place to put a
honeypot is right out there in plain sight where it's likely to

attract

attention.   So now they've grepped their Apache logs, and they've
added several dozen people to their "suspected script kiddie" list.

(Remember - the NSA probably knows more about proper airgapping than

anybody.

All *those* webservers have on them is non-sensitive content, so you

can't

actually *get* anything really interesting to happen - in the NSA view

of the

world, "public website gets defaced" isn't particularly interesting or
noteworthy).


Right, but why is XSS interesting? Why would they *want* a "suspected
script kiddie" list? Honeypots are good for learning about what sorts of
attacks are in the wild, *not* for learning who the attackers are. In
fact, it seems the common approach to security largely ignores any
notion of proactive law enforcement, and rightly so--you can't arrest
all the script kiddies, but you can write your software to be more
secure (or, to paraphrase Larry Lessig, _code_ is a much more effective
form of control in cyberspace than _law_ is, most of the time). 

Granted, we don't know everything the NSA does, but I see little to gain
from a public XSS hole, however insignificant. Occam's razor, folks; why
should I buy into such a twisted conspiracy theory? 
-- 
Dan
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Full-disclosure] Not even the NSA can get it right, Dan Margolis
Next by Date:  [Full-disclosure] iDEFENSE Security Advisory 05.25.05: GNU Mailutils 0.6 mail header_get_field_name() Buffer Overflow Vulnerability, iDEFENSE Labs
Previous by Thread:  RE: [Full-disclosure] Not even the NSA can get it right, Lachniet, Mark
Next by Thread:  RE: [Full-disclosure] Not even the NSA can get it right, James Longstreet
Indexes:  [Date] [Thread] [Top] [All Lists]