Sla.ckers.org
Whether this is about ha.ckers.org, sla.ckers.org or some other project you are interested in or want to talk about, throw it in here to get feedback. 
Official wall of shame
Posted by: WhiteAcid
Date: September 28, 2006 01:01PM

As suggested in the FD thread, we could set up a more official way where people can report flaws. For instance a table with headings:
id | Company name | flaw type | date found | date fixed | comment
Then allowing that list to be sorted by any of those (as well as number of days unpatched).

We could simply have this as a wiki page where anyone can change any of the fields, or we could have an account system where only the users who created the flaw or their "friends" (no, this wouldn't be a social site, but this would help get flaw info up to date) can edit the info.

What do you guys think?

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: Official wall of shame
Posted by: Kyran
Date: September 28, 2006 01:09PM

I think a wiki with accounts would be best. No guest editing.
We don't need Acunetix further denying things.

- Kyran

Re: Official wall of shame
Posted by: WhiteAcid
Date: September 28, 2006 01:13PM

In that case we could just use a wiki I already have at http://wiki.whiteacid.org. That has member only editing but allows guest commenting (which of course I can change on a page per page basis).

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: Official wall of shame
Posted by: maluc
Date: September 28, 2006 01:25PM

Hrm, I like the idea, although I'm partial to relational databases as opposed to wikis, since they have much more powerful searching capabilities.

However, I'm still going to disclose everything to the FD thread first in any case, and play catch-up every so often to keep the wiki/database/whatever up to date. That's mostly due to laziness.

-maluc

Re: Official wall of shame
Posted by: Kyran
Date: September 28, 2006 01:29PM

I think we should get Rsnake to put up a wiki at http://su.ckers.org/
As much as I like Mr. Cash, we need some sort of wiki.

- Kyran

Re: Official wall of shame
Posted by: WhiteAcid
Date: September 28, 2006 01:34PM

That would be a good wiki and something I agree with. I guess we just need him to agree with the idea.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: Official wall of shame
Posted by: id
Date: September 28, 2006 02:16PM

I will look into setting up a wiki after I talk to Rsnake.

-id

Re: Official wall of shame
Posted by: kirke
Date: September 28, 2006 02:24PM

Sounds good.
Maybe Acunetix gives a donation 'cause we pushed their name in the webappsec area; well, they pu[ni]shed themselves too, somehow ;-)

Re: Official wall of shame
Posted by: rsnake
Date: September 28, 2006 04:14PM

From one of our lurkers:

lurker: for the record, a wiki would suck for this
lurker: I think the format people post in should be more standardized, and then a separate thread for posting screenshots for the "wall of shame"

What do you guys think?

- RSnake
Gotta love it. http://ha.ckers.org

Re: Official wall of shame
Posted by: Kyran
Date: September 28, 2006 04:25PM

Yeah. That would work. 1 entry per post. Not a dozen like some posts have. If it's a non-standard vector, a short explanation. etc. Perhaps a numbering system. Any ideas for the exact form?

- Kyran

Re: Official wall of shame
Posted by: WhiteAcid
Date: September 28, 2006 04:27PM

I can see why someone would think a wiki would suck, and it may very well suck, but if people played nice it would be perfect. I guess it falls down to if we can trust the members.

If we did have a wall of shame, then I don't see a point in the thread unless we come across a particularly interesting case. I don't think we should be required to post screenshots either, way too much hassle.

A problem with the thread is that it can be damn hard to find a specific XSS, this would be so much easier on the wiki, or whatever system was used.

my £0.01

In other news, this story continues over at darkreading: http://www.darkreading.com/document.asp?doc_id=104815

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: Official wall of shame
Posted by: Kyran
Date: September 28, 2006 04:36PM

Yeah. If it was on a wiki, someone could post an image of it if they WANTED to, or if it was a particularly high-profile site that may deny it later.
I'm torn between just documenting our current progress and making the wiki.

- Kyran

Re: Official wall of shame
Posted by: WhiteAcid
Date: September 28, 2006 04:39PM

Well... it may be a lot of work, but what about needing to create a user account and only being able to update status etc. for your own submissions?

Shouldn't be too hard if we stay at that.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: Official wall of shame
Posted by: Kyran
Date: September 28, 2006 04:40PM

It also depends on how much customizing/skinning/installing rsnake and id want to do.

- Kyran

Re: Official wall of shame
Posted by: id
Date: September 28, 2006 04:41PM

As long as I don't do any work except install the software, OK!

/and WhiteAcid thinks he's lazy

-id

Re: Official wall of shame
Posted by: id
Date: September 28, 2006 04:46PM

Oh, and suggestions as to what wiki software would be nice; it's not something I keep up on.

-id

Re: Official wall of shame
Posted by: Kyran
Date: September 28, 2006 04:50PM

I actually prefer the original MediaWiki, the one Wikipedia was originally based on. http://www.mediawiki.org/wiki/MediaWiki

- Kyran

Re: Official wall of shame
Posted by: WhiteAcid
Date: September 28, 2006 04:55PM

MediaWiki is the standard, but extremely bloated and reportedly hard to customise (I've never tried it myself).

Another decent one is http://wikkawiki.org/HomePage. It's a much more basic version, but easier to fiddle with.

There is another wiki I know of, being built as part of another site. I've asked the author if the wiki part is ready and he'd mind it being used here (I can guarantee it's made pretty damn securely, but of course.... well... examine the code yourselves too). I'll post here when I get a response.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: Official wall of shame
Posted by: id
Date: September 28, 2006 05:05PM

Did a brief look around at some, I would really rather it used a DB backend for auth, but didn't see anything out there that did.

And I found this fun:
http://www.theregister.co.uk/2006/09/07/wiki_exploit/

I'll look some more, maybe modify someone else's code.

-id

Re: Official wall of shame
Posted by: kirke
Date: September 28, 2006 05:34PM

> .. how much customizing/skinning/installing ..
A simple table, 3, 4, or so columns, plain HTML, one message in a thread where all registered users can edit. I guess those posting the links can also be trusted to manage the table. If there is a DB backend, that's just nice to have.
KISS - keep it simple stupid

Re: Official wall of shame
Posted by: Kyran
Date: September 28, 2006 06:11PM

Perhaps a wiki with a DB backend, at least for user accounts. Make it use the sla.ckers user table and add an extra column, wiki_allow, which the wiki would check when you attempted to log in, so only specified people can edit, and we can use our forum accounts.

- Kyran

Re: Official wall of shame
Posted by: maluc
Date: September 28, 2006 07:07PM

I'll go ahead and weigh in my two cents.. I'm a bit lazy to fill out a form every time I post an XSS in the FD thread .. for bigger sites I probably will immediately .. but for many, I'll batch do 'em some evening I'm bored.

For that, try to allow the 'submission time' to be past-dated.. and I'll match it with the FD time.

As for the form fields.. that should probably be decided on here. Anything other than (or take out one of) these:
submitter
direct link (a locally hosted POST submitter would be nice)
date disclosed
date company notified (this one's debatable)
input type (login, search, registration etc)
injection type (jscript, html, plaintext, etc) <- as in what you broke out of
date fixed
type of site (news, searchengine, sec company, commercial, etc)

Oh.. but, don't make them required. If quiltingtutorials.com has an issue.. I really don't wanna fill in all columns. And ya, tired of brainstorming..

-maluc

Re: Official wall of shame
Posted by: id
Date: September 28, 2006 07:10PM

The point of the DB is I could tie it to your logins here and then just permit the ones that are cool to post on it; more than one login is lame.

-id

Re: Official wall of shame
Posted by: digi7al64
Date: September 28, 2006 08:06PM

Personally I think a wiki is overkill and unnecessary.

Instead, as others have suggested, I agree that a simple database-driven FD list is far more manageable and usable.

Table should be as follows:

fd_user_id - submitter
fd_link - link to the url
fd_method - post/get/qs/
fd_date - disclosure date
fd_input - login, search, registration etc
fd_content - jscript, html, plaintext, etc
fd_category - news, searchengine, sec company, commercial, etc
fd_notes - editable by members (article style)

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'



Edited 1 time(s). Last edit at 09/28/2006 08:07PM by digi7al64.

Re: Official wall of shame
Posted by: maluc
Date: September 28, 2006 08:37PM

You're right that it's very much overkill if one of us wrote it from scratch.. I think ideally, a plain relational database (i.e. SQL) with one input page to add new disclosures, one page to run any random SELECT queries (filtered of course, to prevent overwriting/overaccess), one browse page with plain sorting.. which can be merged together with the query one .. and one stats page of interesting statistics (longest open hole, fastest fix time, etc).

4 pages + a database, and it'd probably be everything we need .. but wikis come with pre-made scripts, so I can understand from the laziness view. If I want to know how many media sites were added in the month of September, for example, the relational DB far outshines a wiki.

However, that'd probably take the better part of a day for one person to get up and running..

-maluc
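An added example (mine, not code from this thread or from sla.ckers.org) that puts digi7al64's fd_* table together with the stats page and the "filtered" query page maluc describes, using SQLite. The fd_date_fixed column, the FILTER_COLUMNS whitelist and the sample rows (including the .example URLs) are assumptions and constructed data, not real disclosures.

```python
import sqlite3

# digi7al64's fd_* columns plus fd_date_fixed (an assumed name) for "days unpatched".
SCHEMA = """CREATE TABLE fd (
  fd_id INTEGER PRIMARY KEY, fd_user_id TEXT NOT NULL, fd_link TEXT NOT NULL,
  fd_method TEXT, fd_date TEXT NOT NULL, fd_date_fixed TEXT,
  fd_input TEXT, fd_content TEXT, fd_category TEXT, fd_notes TEXT);"""
# Constructed sample rows, not real disclosures; dates are YYYY-MM-DD, NULL = still open.
ROWS = [
    ("maluc", "http://news.example/search", "get", "2006-09-05", "2006-09-07", "search", "html", "news"),
    ("kyran", "http://scanner.example/login", "post", "2006-09-12", None, "login", "jscript", "sec company"),
    ("whiteacid", "http://shop.example/reg", "post", "2006-08-20", "2006-09-25", "registration", "plaintext", "commercial"),
]
FILTER_COLUMNS = {"fd_user_id", "fd_method", "fd_input", "fd_content", "fd_category"}

def open_db():
    """Load the constructed rows, then make the browse/query side read-only."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO fd (fd_user_id, fd_link, fd_method, fd_date, fd_date_fixed, "
                    "fd_input, fd_content, fd_category) VALUES (?,?,?,?,?,?,?,?)", ROWS)
    con.execute("PRAGMA query_only = 1")  # any INSERT/UPDATE/DELETE on this connection now fails
    return con

def stats(con, today):
    """maluc's stats page: longest unpatched hole (open ones count up to `today`), fastest fix."""
    longest = con.execute(
        "SELECT fd_link, CAST(julianday(COALESCE(fd_date_fixed, ?)) - julianday(fd_date) AS INTEGER)"
        " AS days FROM fd ORDER BY days DESC LIMIT 1", (today,)).fetchone()
    fastest = con.execute(
        "SELECT fd_link, CAST(julianday(fd_date_fixed) - julianday(fd_date) AS INTEGER) AS days"
        " FROM fd WHERE fd_date_fixed IS NOT NULL ORDER BY days LIMIT 1").fetchone()
    return {"longest_unpatched": longest, "fastest_fix": fastest}

def browse(con, column, value):
    """The 'filtered' browse page: the column name is whitelisted, the value is bound."""
    if column not in FILTER_COLUMNS:
        raise ValueError("unknown filter column")
    return con.execute("SELECT fd_link, fd_date FROM fd WHERE " + column + " = ? ORDER BY fd_date",
                       (value,)).fetchall()

def write_is_blocked(con):
    """True when the read-only pragma rejects a write attempted through the query page."""
    try:
        con.execute("DELETE FROM fd")
    except sqlite3.OperationalError:
        return True
    return False
```

The whitelist plus bound parameter is what keeps a user-facing "run any SELECT" page from becoming an injection point, and the query_only pragma is a second line of defence against the overwriting maluc mentions.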

Re: Official wall of shame
Posted by: kirke
Date: September 29, 2006 09:16AM

Something like that: http://www.shamewall.tld/shame/on/me

Someone willing to do it? It's all GUI in browser, but I lost my mouse ...



Edited 1 time(s). Last edit at 10/29/2006 05:45AM by kirke.

Re: Official wall of shame
Posted by: rsnake
Date: September 29, 2006 10:15AM

You know, I spent a lot of time thinking about this last night... what value does this provide exactly? Is it simply because you want to be able to query for certain companies and statistics? The rest of it seems very hindering. I know I probably wouldn't use this, because frankly, I'm not super into tracking who has been vulnerable (that's not really my business), and unless we set up some sort of automated process to detect if the hole is fixed or not, the statistics on how long it takes to close them is kinda meaningless (which actually might be a fairly interesting stat).

Mostly for me it is seeing how you guys are finding the holes and what the holes look like themselves. I've always been way more interested in the vector and the problem as a whole than the particular company itself, but maybe that's not why you are here.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Official wall of shame
Posted by: kirke
Date: September 29, 2006 11:55AM

Good point.
The most important value is the amount of time they need to fix it; that was the only reason why I suggested such a table.
The benefit for the public would be that value, seeing how some people take care of you. Keep in mind: the XSS hole attacks the client/customer first, that's why managers often don't care about XSS.
Probably the blamed sites can get back some reputation when fixing fast.
Such a table is a "nice to have", nothing more, nothing less.

Just my 2 pence.

Re: Official wall of shame
Posted by: metal_hurlant
Date: September 30, 2006 04:26AM

The concept of a wall of shame reminds me of a page eeye maintains at http://research.eeye.com/html/advisories/upcoming/index.html

At one point, that page had several vulnerabilities that clocked in at over a year overdue, assigned to Microsoft and Oracle, if my memory serves.

The shame comes from the interval of time between the moment a company is notified of a vulnerability and the time a fix is issued.

While it's entertaining in itself to see companies that sell XSS scanners getting caught with XSS on their own sites and denying it, I suspect there's more long term value in tracking the responsiveness of companies at acknowledging and handling web app security issues.

Re: Official wall of shame
Posted by: id
Date: September 30, 2006 01:39PM

I agree with MH. I would like to see it as a score card for companies; their responsiveness to things like this is a good indication of how they do business in general. I don't care if a company has a problem, but I will make purchasing decisions for myself and my clients based on how they respond to security problems.

-id
