FX of Phenoelit published an excellent write up regarding the next FUD in security:

http://www.phenoelit.net/lablog/rants/security2.0.sl

Damn........
Its a nice writeup

http://hackathology.blogspot.com

Thing is, the FUD of today can be tommorows real danger. They talk about that everyone in security already knows this. Well, hardly true. For me, it can't be overstated to much: the webapp layer is the new attack layer, or like Jeremiah said: Javascript is the new shellcode.

I agree deperimeteritization is the way, but that is theorectical and hardly a practical sollution in websec. The real world is still a little different then a theoretical one.

FUD? tell that to sammy, who actually turned websec FUD into a reality while coding his little worm on a sunday afternoon.

Part of the issue is that the industry keeps yapping about how ajax, xss, web2.0, and csrf are going to doom us and don't actually bring new data to the table. They need to focus on very specific new examples and not just keep bringing us the same old crap on a monthly basis. When people like Amit Klein or Michael Zalewski post something you know it will be good, new, and bring actual value.

I'm a big believer and not talking for the sake of talking....

pdp is doing nothing wrong, but he is pushing things too far according to some people. personally, i like what he does (but don't follow him blindly [yet])... appreciate all of his work, etc.

some people would think php is "pouring salt into an open wound". this may be slightly true. we know that xss worms work, so fixing it is a first priority.

i find it strange that owasp approved his talk. owasp explicitly states on their website that they don't want people creating new vulnerabilities, exploits, or attack paths. it's not about that. it's about educating developers.

however, FX is the wrong person to attack pdp at this level. FX was decidedly against embedded platforms and attacked them with the same rigor for many years. FX has been wrong about many things on his blog lately - and there is no way to comment or call him on what he's saying.

both are some of the best at what they do - both are not US citizens - and both have a lot more in common than either would like to think.

Ronald: you hit the nail on the head at the crux of the issue - old hackers like FX (shellcode, buffer overflows, et al) don't understand the new hacker world like pdp (xss^xss, web2.0wned, csrf, et al).

Still, what is new Zeno? all things I have seen and we talk about exists since there where browsers and since internet existed. Some exists even longer but did not had the name which someone creative gave it that

DNS pinning etc stuff is ages old, I talk 1996 here.
XSS over 6 - 7 years old (maybe earlier)
SQL injection, I guess 15-20 years?
CSRF since the internet was born, but used as a prank.
HTTP response splitting (Amit) which actually is CLRF injection and is as old as my first computer.

I cannot think of one thing that is new stuff actually, it's all mashups for things that where known a long time and based upon them.

To clarify, I am not badmouthing any particular person :)

Ronald Wrote:
-------------------------------------------------------
> Still, what is new Zeno? all things I have seen

I stated speaking as they come out, not re-speaking about them for marketing purposes (sometimes to major news sites) on a monthly/bi-monthly/Quarterly basis.

Writing new content on an older subject I find to be acceptable as long as there is value brought to the table, and it isn't marketed as something 'new', groundbreaking, or the end of the internet as we know it.

I understand, but I wanted to clarify it a little. because some people get way too much credit in this field, including me. To me, PDP is one of the few who puts his hands where his mouth is. Even that should be applauded because talking about it is one thing, to actually do it is another. I think PDP showed us a great deal with his attack api and other cool stuff/ideas and the possibilities of it and not boasting about it in any sense. Little of his effort is know, until you look it up.

I think we overestimate the real attackers also here, a few who are really creative. Even many phishers buy a phishing kit cause they don't have the skills to write a scheme themselfs. ^^

I totally agree with Robert and ntp - but I don't think FX was really attacking pdp. It was just a call for more quiet disclosure and not that much sensationalism. But w/o FUD no awareness and w/o awareness no change.

I find the old hacker/young hacker debate quite funny btw. What makes a hacker an old hacker?

My 2cent...

Greetings,
.mario

Quote

To clarify, I am not badmouthing any particular person :)

Are you sure about that?

Quote

FX was decidedly against embedded platforms and attacked them with the same rigor for many years.

I think you knew exactly what you were writing!

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill



Edited 1 time(s). Last edit at 07/17/2007 03:10PM by thrill.

haha ^^

thrill Wrote:
-------------------------------------------------------
> FX was decidedly against embedded platforms and
> attacked them with the same rigor for many years.
>
> I think you knew exactly what you were writing!

I love how the media twists our words around...

To say FX isn't able to understand XSS is just a real funny joke. Every lame sec newcomer understands XSS in absolutely no time. So why exactly he shouldn't understand that?

Especially pdp is just spamming lists with every of his blog articles for drawing some attention. But many people are only just annoyed by his frequent blabla. Nothing new, nothing noteworthy really for the majority of sec people (well, free speech).

For me personally Ronald articles for example are much more substantial, because these are funny findings and stuff and show his fun with what he does (and he isn't annoying anyone).

The sec FUD is just about "HALP! THE INTARWEBS ARE GOING DOWN!!one", which won't happen the way pdp describes.

@.mario

Errr[404]... So you agree with the rest, deny me about it, and have a gnucitizen sig? please do explain, because if you read closely I didn't take anyone's side. Not my style, everyone has a job to do, some to this, some other do the other, and me, welll I do what ever I want to do.

It looks like trolling and I don't like that, an explaination is highly appreciated.



Edited 1 time(s). Last edit at 07/17/2007 07:42PM by Ronald.

@Robert: Some of your recent posts make me wonder - and so does this one.

"I totally agree with Robert and ntp" Yeah - I deny you.

"and have a gnucitizen sig?" I do because I help maintaining some of the GNUCITIZEN projects and because I like it.

"because if you read closely I didn't take anyone's side" Where in my post did I say you or me take anyone's side?

"Not my style" haha - http://sla.ckers.org/forum/read.php?11,13574

"It looks like trolling" What??

Please let's discuss this personal issue - if there's more to discuss - via PM or mail.

Greetings,
.mario



Edited 1 time(s). Last edit at 07/18/2007 04:57AM by .mario.

I am delighted that we have such a vivid and interesting discussion. I would like to respond with one of my favorite quotes which says:


If you believe in what you are doing, then let nothing hold you up in your work. Much of the best work of the world has been done against seeming impossibilities. The thing is to get the work done.


This is what I do and this is what GNUCITIZEN is all about.

FX is one of the best security researchers I know. I agree on some of the points he brought up, although I find others not very objective due to the fact that they have been taken out of context. The context is one of my recent articles, titled "Projections" which you can access from the following URL: http://www.gnucitizen.org/blog/projections .

I believe that what brought all of that fuzz was my bold statement that "old generations of security experts and hackers will never grasp these (Web2.0 hacking) principles the way the upcoming waves will." I didn't mean to be rude and offend anyone. For that I apologise. However, I will stick behind my statement as I have done (so far).

There is a very logical and highly accepted principle behind what I've said. I based it on the fact that very often we do what we do best no matter whether this is what we have to do. It is easier for us to stay in our comfort zone instead of making extra effort and move forward. For that reason old-school hackers will continue doing whatever they do while new-school hackers will move forward.

Keep in mind that some of the articles that I write fall into the category of creative/expressive writing. I ask a lot of rhetorical questions which are meant not to be answered but to reach a particular emotional state within the reader. Call that FUD if you like. After all, we are all different, aren't we? :)

@.mario

So what are you now? or think you are? consider that one instead of bitching me off. You totally missed my whole point, ah who gives a rats ass anyway. PDP's little helper, pathetic, beyond words, no mind of your own and you sound like a bitch there. Well, see if I care now.



Edited 1 time(s). Last edit at 07/19/2007 01:34AM by Ronald.

As many of you know, I provide sporadic comic relief here whenever possible, but right now I need to step in as the 'elder' 41yo mature male and stop this bickering between .mario and Ronald.

Guys, we are all strong minded here. Realize that. And we all believe we're right. When I have input on a specific subject, you know I prove my point regardless of what is said, and how wrong people may originally think I am.

With that out in the open, you are both great contributors to this site, and while I may not have started it, nor may have much input in it, I've really enjoyed reading all the great things both of you have posted, so I'd like to ask both of you to let things go. Misunderstandings in the communication age run rampant, and there have been many times when I've said something that rubbed someone the wrong way. At times it was meant this way, and at others they just perceived it wrong, and I'd hate for you two guys, who are some of the greater contributors to these boards to get into a tiffy over a misunderstanding.

Or as id would say, chill the F* out! ;)

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

thrill is right.

@Ronald: Contact me anytime via mail if we have sth to talk about - you know my ID. I'm still surprised where your hate is coming from - have had better conversations with you. I think right know it's not the point who's right or wrong (it somehow never was) - just notice and keep in mind that i don't to be offended in public for reasons I don't even get.

more food for rants at:
5 Generic Yahoo Pipes Hackers Cannot live Without ( http://www.gnucitizen.org/blog/5-generic-yahoo-pipes-hackers-cannot-live-without )



Edited 2 time(s). Last edit at 07/19/2007 06:10AM by pdp.gnucitizen.

I have to agree with what ntp said:

"Old hackers don't understand the new hackers"

These words are sooo true. However he might have meant something different.

The reason why WE (yes me, too) don't understand you is not because we don't understand your content. The opposite, most of us don't understand why you celebrate people for documenting things that are actually old. We also don't understand why you celebrate people who obviously have nothing better todo than document every little browser fault in their blog so that when finally someone makes something useful out of it they can claim prior art.

We also don't understand why you need to build groups like OWASP, PHPSEC, WASC and all the other consortia that are more marketing instruments than security groups.

We really don't understand why everything you find suddenly DOOOMS the internet.

And finally I don't like it when Michael and Amit are mentioned in the same league. Michael is one of the old guys and he has been around for ages. And I am pretty sure that Michael, like me agree in many parts with FX.



Edited 1 time(s). Last edit at 07/20/2007 02:44AM by ionic.

pdp: Self fulfilling prophecies work -- in one way or another.

ionic: Point, point and point!

comments inlined

ionic Wrote:
-------------------------------------------------------
> I have to agree with what ntp said:
>
> "Old hackers don't understand the new hackers"
>
> These words are sooo true. However he might have
> meant something different.
>
> The reason why WE (yes me, too) don't understand
> you is not because we don't understand your
> content. The opposite, most of us don't understand
> why you celebrate people for documenting things
> that are actually old. We also don't understand

I cannot see anything that is actually new :) in the security industry

> why you celebrate people who obviously have
> nothing better todo than document every little
> browser fault in their blog so that when finally
> someone makes something useful out of it they can
> claim prior art.
>
> We also don't understand why you need to build
> groups like OWASP, PHPSEC, WASC and all the other
> consortia that are more marketing instruments than
> security groups.
>

just because these groups are open it doesn't mean that they are useless

>
> We really don't understand why everything you find
> suddenly DOOOMS the internet.
>

MPack, WebAttacker, WebAttacker2, Sammy, Yammaner

Sammy is one of the fastest spreading worms that reached more then 3m users. My space is around 90m. Try reaching that number with traditional attack vectors.

>
> And finally I don't like it when Michael and Amit
> are mentioned in the same league. Michael is one
> of the old guys and he has been around for ages.
> And I am pretty sure that Michael, like me agree
> in many parts with FX.

I have great respect for Michael and Amit and I think that there are some of the best hackers today, however, most of the vulns Michael has disclosed recently are all based on bugs found ages ago. It doesn't mean that they are not interesting and that he hasn't done an extremely good job. No! Opposite to that.

It is more then obvious to us why you don't understand new gens of hackers. :) Please, do not refer to us as some XSS dudes. The research that we undertake span way beyond this. Proof?... check out this year Blackhat:

Black Ops 2007: Design Reviewing The Web

Dan Kaminksy

Intranet Invasion With Anti-DNS Pinning

David Byrne

Hacking Intranet Websites from the Outside (Take 2)—"Fun With and Without JavaScript Malware"

Jeremiah Grossman & Robert Hansen

OpenID: Single Sign-On for the Internet

Eugene Tsyrklevich & Vlad Tsyrklevich

Attacking Web Service Security: Message Oriented Madness, XML Worms and Web Service Security Sanity

Brad Hill

SQL Server Database Forensics

Kevvie Fowler

Premature Ajax-ulation

Bryan Sullivan & Billy Hoffman

Building and Breaking the Browser

Window Snyder & Mike Shaver

The Little Hybrid Web Worm that Could

Billy Hoffman & John Terrill

A Dynamic Technique for Enhancing the Security and Privacy of Web Applications

Ezequiel D. Gutesman & Ariel Waissbein

ionic Wrote:
-------------------------------------------------------
> We also don't understand why you need to build
> groups like OWASP, PHPSEC, WASC and all the other
> consortia that are more marketing instruments than
> security groups.

I can't speak on behalf of all of these groups but I can say a few points.

Many contributors want something out of it beyond helping the industry. This could be resume material, material they need for their own job, or marketing material for their company. People would be lying otherwise. I don't see this as much of an issue assuming it isn't a marketing fest and provides decent/useful material. For WASC companies wishing to mention contributions in their OWN venues is fine, however WASC will NEVER promote a specific company or solution. To help ensure this we have created a member based voting system made up of product vendors, services vendors, users (small and enterprise), independents, qa, and developers. You'd better believe if a product or services person said X solution is better than another the other would speak up. The number of vendors is actually starting to decline in this process as we get more 'users' involved. We disallow any project to promote a given service or solution. I can speak more in regards to this offline/private message for anyone willing to learn more about it (if you care).

I personally fit into the 'helping the industry' and 'material I need for my own job' categories. To be more efficient at my own job I look at materials written by others and use them to help speed up my job. I utilize the Threat Classification in my own job for pen testing (currently working on v2 because v1 is needing an update badly) and bug tracking purposes, and have used the WAFEC project to help evaluate an application firewall at my company.

Without spoiling to much there is an interesting new WASC project (yes this post is marketing, however you'll probably find it worthwhile) due to be out in a week or so with the goal of mapping every method to execution script (per major browser) without script tags with some data ready to be released. The goal of this is to help those pen testing poor blackbox based filters (beyond the cheat sheet), as well as understand how script can execute when building something requiring user accepted html. This particular project is something I'm 'contributing towards' because A. I find it interesting and B. I need it for my own job as a non vendor/services company.

Some projects by orgs such as OWASP/WASC/whoever also release material to challenge the industry to let them know 'we know what you suck at, and now others do, so please get better at it because now your customers are aware of the issues and will demand more. Stop the snake oil.'. For me (not a vendor) knowing product/service limitations helps me do my job better when picking a solution/figuring out what needs to be done.

My $0.02

- z

zeno Wrote:
-------------------------------------------------------
> I can't speak on behalf of all of these groups but
> I can say a few points.

There are some bad apples at OWASP, but the majority of the people in the majority of cities are focused on awareness, education, research, and promotion of new ideas/concepts.

In fact, I've only heard of 3 people that did not fully live up to the standards that OWASP has on their website - and pdp is one of them. The other two are there to get customers and make money (and they are not well liked and have probably been asked to leave/stop).

pdp, as mentioned earlier - is announcing and actively writing exploits. while against OWASP policy - I strongly believe that somebody needs to build these tools and for OWASP to allow him to speak shows they also really do get it. OWASP listens - not preaches. OWASP is therefore not a marketing group.

> Many contributors want something out of it beyond
> helping the industry. This could be resume
> material, material they need for their own job, or
> marketing material for their company. People would
> be lying otherwise. I don't see this as much of an
> issue assuming it isn't a marketing fest and
> provides decent/useful material. For WASC
> companies wishing to mention contributions in
> their OWN venues is fine, however WASC will NEVER
> promote a specific company or solution. To help
> ensure this we have created a member based voting
> system made up of product vendors, services
> vendors, users (small and enterprise),
> independents, qa, and developers. You'd better
> believe if a product or services person said X
> solution is better than another the other would
> speak up. The number of vendors is actually
> starting to decline in this process as we get more
> 'users' involved. We disallow any project to
> promote a given service or solution. I can speak
> more in regards to this offline/private message
> for anyone willing to learn more about it (if you
> care).

This was a good, very intelligent answer. I am glad WASC is also doing the right things in this regard.

For those out there dismissing these groups, did we address all your issues?

> I personally fit into the 'helping the industry'
> and 'material I need for my own job' categories.
> To be more efficient at my own job I look at
> materials written by others and use them to help
> speed up my job. I utilize the Threat
> Classification in my own job for pen testing
> (currently working on v2 because v1 is needing an
> update badly) and bug tracking purposes, and have
> used the WAFEC project to help evaluate an
> application firewall at my company.

I have never found any of the WASC stuff to be useful. I am sad to say that. I use OWASP and MITRE material to help me all the time.

It feels like I am being excluded from WASC. I would like to help out with the WA Proxy Honeypot research, but not much came out of that project. Their next release of information is supposed to be next month. How does one track their progress between February and August?

I found it easier to get involved with NIST SAMATE than WASC. WASC seems to be redundant to me. Please correct me because I will likely get involved more once I figure out how they operate and what they're actively working on.

> Without spoiling to much there is an interesting
> new WASC project (yes this post is marketing,
> however you'll probably find it worthwhile) due to
> be out in a week or so with the goal of mapping
> every method to execution script (per major
> browser) without script tags with some data ready
> to be released. The goal of this is to help those
> pen testing poor blackbox based filters (beyond
> the cheat sheet), as well as understand how script
> can execute when building something requiring user
> accepted html. This particular project is
> something I'm 'contributing towards' because A. I
> find it interesting and B. I need it for my own
> job as a non vendor/services company.

So it's HTMangLe meets HTML Unit? Is it a document? A tool?

I'm growing very tired of tools being written for pen-testers. Isn't that the problem our industry is facing?

OWASP focuses on developers. Why don't we help them out? We already have point-and-click tools to test a website externally and usually anyone on the Internet with a web browser is a potential pen-tester (as seen in this forum). Why put research into an area that is already optimized?

Which brings me back to my first post, where I said something about pouring salt in an open wound.

Getting back to the original topic...

FX is right. pdp is right. Or maybe they are both wrong. Whatever. I just see hypocrisy in what FX said about the FUD. I see future problems for pdp if he continues down this lonely road... just look at what happened to Dave Aitel.

pdp should listen to FX and find the inner meaning. I think what he's trying to say is - stop saying the world is going to end... and fix the glitch. If pdp has the power to halt the Internets, then he also has the power to save them.

Work needs to be done ethically, and one step at a time.

pdp says, "If you believe in what you are doing, then let nothing hold you up in your work. Much of the best work of the world has been done against seeming impossibilities. The thing is to get the work done".

pdp: Hitler probably said something similar at one point.

Do it ethically and get it done - one step forward means take one step back.

pdp: you and your team are in a very unique situation. The hackers I respect the most are Chris Abad and Samy Kumkar. The ones I feared the most (besides the guy who wrote Code Red) were peaboy (MOD) and mookie. I respect Abad and Samy because they are new-school hackers, young, filled with all the best skills and ideas. I fear peaboy and mookie because they are old-school hackers, filled with playfulness, quirkiness, and dangerous skills combined with a sociopathic mind.

For Ronald, .mario (and his crew), the NoScript guys, etc - keep up the fantastic work. You should be working together instead of against each other, but you probably can't and won't. The blog postings and software you write is pushing this industry forward in very innovative ways. You all seem to be fighting for the spot that pdp is in. Competition can be good for some people, but you guys don't want to be the next Aitel either. hdm, skape, FX, etc - they are all respected. Aitel and Zalewski are feared.

It's not all about skill, or ethics, or any one thing - it's a balance.

Look at all those names of presenters. The only old school speaker is Window. Some could say that RSnake, Hoffman, and Kaminsky have been around forever. But I disagree - even Hoffman has only been speaking for 3 years now - that's not a very long time (from my perspective). Kaminsky just sucks and gives the same talk every year.

Window is probably trying very hard to save the world from pdp's most evil thoughts, but I see her as "fucking up". HttpOnly - example one. Why not just implement content-restrictions? Why not build a browser that requires signed Javascript, signed Java, etc? Why not listen to anything that Jeremiah Grossman or I say (see: GC NTPolicy) about "fixing the browser"?

Window's fuck-up number two is this whole patch the problem, blame IE, and then it turns out the patch didn't work! See: http://www.computerdefense.org/?p=359

Finally, the Firefox security team is releasing a fuzzer for BlackHat? Who cares? A new black-box fuzzer is only useful for about 3 iterations of 72 hours each. Then it's found everything! Hybrid analysis tools are the future of negative testing - so where's the talk on that? Firefox has a great open-source SCA tool that nobody ever talks about. But no - they talk about fuzzing because it's the buzz word of the year. Now that, my fellow readers - is what's known as "marketing".

That's enough for now - I am sick of this post.



Edited 2 time(s). Last edit at 07/22/2007 11:46AM by ntp.

I think I'll open an offshore bankaccount for all the $0.02 that is flying around here, if I would have a ll the 0,02 cents on all forums I would be a billionaire I guess.

I'm pretty tired of that lame competition among hackers, who gives. There are a couple who are downplaying it, Which is a dangerous situation because they just don't understand the ultimate end impact of it.

For example:

Last week I had a small chit chat with a old school programmer type, his jaw dropped the moment I started to talk about the single fact that Javascript is allowed to pass every firewall. They miss out, afterall they are an endangered species ^^

Quote

I fear peaboy and mookie because they are old-school hackers

Courtsey of Foxnews: