You still don't get it

March 26, 2014 11:42AM
Input validation is easy to say, in theory, but it means nothing in the real world.
It's also easy to say 'no vulnerabilities in any of my stuff', but this is pointless if your stuff sits on top
of other stuff that is exploitable. It's the weakest link that counts, not the strongest one.

**You can't start building castles on top of sand**

> If you look at the vulnerabilities for this software for instance, it's literally that they take parameters from a
> GET query string and render that HTML out directly to the person's page.

Yeah so you go on and filter all those strings, and somebody comes along with a 0day vulnerability in
the PHP interpreter itself that he's willing to burn on something like qhcf because he is
**sitting on lots of them** and blows the lids off your entire input validation theory.

Input means nothing by itself because it's raw bytes. You can only validate what you can account for
at the point where you do the validation, and there is no way that you can account for everything
that happens after you happily pass that data along down the chain.

You're also not taking into account security issues that stem directly from the human element,
such as system integration/configuration/logic errors. Where is your input validation there?
Some of the vulnerabilities that Stuxnet exploited had nothing to do with input and everything to do
with programming logic errors (which could have been deliberate, but that's another can of worms).

Look, the real issue for everyone in the know these days is not how to stop intrusions
(impossible) but how to detect them after they happen. Mandiant is pushing for 'open indicators
of compromise', the US cybersecurity groups are ramping up on sensor technology and
yet more research into data mining and further, most of the money flows into offense,
because the defense game is over and everyone knows it.



Edited 1 time(s). Last edit at 03/26/2014 11:52AM by zoskia.
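The vulnerability quoted above (a GET parameter rendered straight into the page) beside its hardened form, as an added Python example that is not part of the original post; the URL, page name and `name` parameter are constructed for illustration.

```python
from html import escape
from urllib.parse import parse_qs, urlsplit

# Constructed sample request: the "name" parameter carries markup.
SAMPLE_URL = "https://example.invalid/profile.php?name=%3Cscript%3Ealert(1)%3C/script%3E"


def query_params(url: str) -> dict:
    """Decode the GET query string the way a PHP $_GET array would see it (first value per key)."""
    parsed = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {key: values[0] for key, values in parsed.items()}


def render_unsafe(params: dict) -> str:
    """The pattern the post describes: the raw GET value is dropped straight into the HTML."""
    return "<h1>Hello, " + params.get("name", "") + "</h1>"


def render_safe(params: dict) -> str:
    """Encode at the point of output, so the browser treats the value as text, not markup."""
    return "<h1>Hello, " + escape(params.get("name", ""), quote=True) + "</h1>"


if __name__ == "__main__":
    params = query_params(SAMPLE_URL)
    print("unsafe:", render_unsafe(params))
    print("safe:  ", render_safe(params))
```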