Actually I do lol.

March 28, 2014 05:45AM
"It's also easy to say 'no vulnerabilities in any of my stuff' but this is pointless if your stuff sits on top of other stuff that is exploitable."

Your example includes the PHP interpreter. How exactly do you think code *HITS* the PHP interpreter? Your code is what's pulling it in. Similarly, if you could do a buffer overrun on Apache, it should not matter, since Apache should be running as a weak, useless account that can't do anything other than run Apache - so executing arbitrary code *as* that Apache account should not be able to do anything useful (i.e., no delete perms, read-only perms to specific folders). Trust me, locking down a system isn't hard, and when you get audited they're running machines that contain the known existing exploits and trying to achieve things. When I've been audited, system-wise, they couldn't do shit even directly cabled into the back of the machine. Because locking down systems isn't that hard when it's what you know how to do. Regardless, the types of defects we're talking about with AT&T and with Phorum are not underlying overrun scenarios for Apache - they're bad code written by developers that is just lazy in nature, which a qualified developer should not be writing.

"Yeah so you go on and filter all those strings, and somebody comes along with a 0day vulnerability in the PHP interpreter itself that he's willing to burn on something like qhcf because he is **sitting on lots of them** and blows the lids off your entire input validation theory."

No one externally can break my ability to validate and translate input. I have to give them that ability by writing bad code. If it's my code that's rendering the page I can absolutely and unquestionably validate that input before writing it out to someone's browser.

"Input means nothing by itself because it's raw bytes. You can only validate what you can account for at the point where you do the validation, and there is no way that you can account for everything that happens after you happily pass that data along down the chain."

LOL what? You've got stevers agreeing with me here, so it's pretty chilly in hell, but what are you trying to say here? Everything can be validated, including "raw bytes".


"You're also not taking into account security issues that stem directly from the human element, such as system integration/configuration/logic errors. Where is your input validation there? Some of the vulnerabilities that Stuxnet exploited had nothing to do with input and everything to do with programming logic errors (that could have been deliberate, that's another can of worms)."

These scenarios obviously don't apply to XSS, but a secure system has configuration management, change control, multiple-party consent to deployments, user acceptance testing/staged testing, and user account management and auditing. The systems I built for the government by their mandate required RSA tokens, password rotation and dual-party consent to deployments (coders did not have permission to deploy; a third party handled deployments who had no rights to code). So yeah, you can rule out the human element as well. You think the banking and military software systems run on a trust model?

It's not impossible to prevent intrusions. It's really not.



Edited 1 time(s). Last edit at 03/28/2014 05:47AM by Death_Claw.
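The "validate that input before writing it out to someone's browser" point from the post above, shown as an added PHP example that is not code from the post, from Death_Claw, or from Phorum. It assumes a page that reflects one request value into an HTML attribute; the `$untrusted` sample value and the `render_unsafe`/`render_safe` function names are constructed for this illustration.

```php
<?php
// Added example, not code from the post or from Phorum: the same user-supplied
// value written into an HTML attribute lazily and with encoding at the output point.

// Constructed sample input: a value that tries to close the attribute and the tag.
$untrusted = '" onmouseover="alert(1)"><script>alert(2)</script>';

// Lazy rendering: the raw bytes are concatenated straight into the markup,
// so the quote in the input ends the attribute and the rest becomes markup.
function render_unsafe(string $value): string
{
    return '<input type="text" value="' . $value . '">';
}

// Hardened rendering: encode for the HTML attribute context at the moment the
// value is written out. ENT_QUOTES encodes both quote characters, ENT_SUBSTITUTE
// replaces invalid UTF-8 sequences instead of returning an empty string, and the
// explicit charset keeps the encoder in step with the page's declared charset.
function render_safe(string $value): string
{
    $encoded = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" value="' . $encoded . '">';
}

echo render_unsafe($untrusted), PHP_EOL; // attribute closed by the input, script tag live
echo render_safe($untrusted), PHP_EOL;   // input stays inert text inside the attribute

// The encoded form contains no raw '<' or '"' from the input, so it cannot change
// the structure of the document it is written into: the only raw quotes left are
// the four that belong to the template's own two attributes.
assert(strpos(render_safe($untrusted), '<script') === false);
assert(substr_count(render_safe($untrusted), '"') === 4);
```

Run it with the PHP CLI to see the two rendered strings side by side. htmlspecialchars covers HTML element and attribute contexts only; a value written into a JavaScript block, a URL or a CSS rule needs the encoder for that context, which is where the quoted poster's "account for what happens after you pass that data along" concern applies and where the two positions in the thread actually meet.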
Subject | Author | Posted
What happened? Hacked? nt | The Forsaken | March 25, 2014 09:24AM
Sorry, I may have sullied Krilcov's name. It isn't him.. | Gabe(VIP) | March 25, 2014 12:30PM
Is PMs disabled? | Death_Claw | March 25, 2014 10:29PM
>Is >Plural | Srev | March 26, 2014 06:24PM
PMs are fixed, had to update a module. (n/t) | Gabe(VIP) | March 26, 2014 03:14AM
I'd like to take this time to thank RobDarken for exploiting some holes in your website. Give him developer privileges, I say. (n/t) | Srev | March 26, 2014 06:26PM
Also, now looks like a good time to bring forth a VIP that can and will prevent these kinds of issues. | Srev | March 26, 2014 06:31PM
I'll take this opportunity to say thanks for maintaining this site, sorry some don't play nice nt | Rade | March 26, 2014 05:13AM
You're welcome. (n/t) | Matrik | March 26, 2014 05:14AM
Lol it would be impossible to bring the name down any further. But that was a pretty good troll job and an even better guy to make people think did it. (n/t) | Anti-Hero | March 25, 2014 06:31PM
I missed the excitement | Rade | March 25, 2014 06:30PM
Sounds like he iframed something else in. I didn't see it myself. | Death_Claw | March 25, 2014 10:04PM
You have only strengthened our Holy Father. In Kov we trust. NT | Sam | March 25, 2014 03:44PM
Just out of curiosity, do you intend to, or have you already, notify/ied the fbi or some other authority? (n/t) | alansmithee | March 25, 2014 01:06PM
Thanks for making me snort beer out of my nose asshole (n/t) | HairyOrangutan | March 25, 2014 04:10PM
Beer through nose asshole? Yikes, that must have hurt. (n/t) | Murphy | March 25, 2014 04:43PM
The pharynx- the asshole of the nose. Nasehole? (n/t) | The Faithful of Nazmorghul(VIP) | March 26, 2014 03:37AM
Hahaha. Seriously? I'd love to be the guy at the FBI that got that call. (n/t) | Matrik | March 25, 2014 03:56PM
I know you and Murphy think it's funny or would be ignored, but you're wrong. I've seen it. Believe me or not, I don't much care. (n/t) | alansmithee | March 26, 2014 09:36AM
You're right, I meant HairyOrangutan. (n/t) | alansmithee | March 28, 2014 07:08AM
You don't much care about anything. That's why you post here so much. Also, what exactly would the FBI do with it? Tell Gabe to quit prank calling? (n/t) | Srev | March 26, 2014 06:28PM
I don't even know what you're talking about. Stop making claims about me thinking something, or I'll call FBI. (n/t) | Murphy | March 26, 2014 05:18PM
Seen it or not, it's pathetic and a waste of valuable time/resources. (n/t) | Matrik | March 26, 2014 10:45AM
Really? | Frosty | March 26, 2014 07:08PM
Pretty much. | Death_Claw | March 25, 2014 10:09PM
Swing and a BIG miss. (n/t) | Frosty | March 26, 2014 07:11PM
You don't know what you're talking about | zoskia | March 26, 2014 07:26AM
Here's the thing... | Death_Claw | March 26, 2014 10:38AM
You still don't get it | zoskia | March 26, 2014 11:42AM
Actually I do lol. | Death_Claw | March 28, 2014 05:45AM
I don't particularly like educating the clueless & ignorant | zoskia | March 30, 2014 09:09AM
I really hope people don't pay you for your opinions. (small text added) | Death_Claw | April 03, 2014 10:41AM
No, you don't get it. | Srev | March 26, 2014 06:49PM
It's cyclical | NbM | March 26, 2014 12:06PM
Sounds like some bullshit spewed from an expensive textbook that is pretending to be relevant. (n/t) | Srev | March 26, 2014 06:49PM
I'm not defending either, though I do think it was funny as hell. | Matrik | March 26, 2014 05:08AM
"I am exploitable" =/= "It is permissible to exploit me" nt | Splntrd | March 26, 2014 04:24AM
I'm not saying it's right. | Death_Claw | March 26, 2014 04:35AM
Agreed nt | Splntrd | March 26, 2014 04:48AM
Not right now, I think I'll open a dialogue with him first. (n/t) | Gabe(VIP) | March 25, 2014 01:08PM
I missed the word of the Holy Lord and Savior? Kov dammit. NT | Sam | March 25, 2014 11:39AM
Last I seen was Daurwyn getting a timeout | Malgrim | March 25, 2014 09:26AM
And BOY does that kid need to have a few minutes in the corner. (n/t) | The Faithful of Nazmorghul(VIP) | March 26, 2014 03:38AM
Hacked is a vague word.. | Gabe(VIP) | March 25, 2014 09:25AM
Why do we keep letting him come around again? It's like every time he does people forget how massive of a fucking problem he is. He gets the mud newbie locked for Christ's sake. | Anti-Hero | March 25, 2014 11:49AM
I have declared a fatwah on all Anti-Heroes. NT | Sam | March 25, 2014 03:45PM
Script kiddies are cute. (n/t) | NbM(VIP) | March 25, 2014 09:37AM
As if you had any idea what you're talking about. (n/t) | Srev | March 26, 2014 06:32PM
Ideally it should be resolved now. (n/t) | Gabe(VIP) | March 25, 2014 10:51AM
Yeesh. Looked like he took control of your account. | The Forsaken | March 25, 2014 09:33AM
While we're here can we delete his thread on the log board? Since he outs my current and all. Might be a couple of people who still don't know. (n/t) | Elystan | March 25, 2014 09:27AM
i don't know which one is your current, but I just assume it is an AP. | Perpetual_Noob | March 25, 2014 02:27PM
Speculation: BAN! (n/t) | Srev | March 26, 2014 06:33PM
