Mailing List Archive

Anonymous surfing my ass!
(html: http://spoor12.edup.tudelft.nl/SkyLined%20v4.2/?Advisories/Anonymous surfing, NOT!)

Anonymous surfing websites are written by incompetent programmers keen on your money and not your privacy; I tested a few of them and found them wanting:
- Anonymizer.com (I have hacked my way out of Anonymizer 4 times before and they still lack proper filtering!)
- The-cloak.com
- Megaproy.com
These were all the sites I found with google and could get access to without registering, if you know some more, I'd be happy to hack my way out of their filters.
I'd like to mention that all filter faults were found within minutes, just to show (off) how easy this was.

Vendor status: hereby informed of the issue.

Berend-Jan Wever aka SkyLined
http://spoor12.edup.tudelft.nl

PS. I'm going on a holiday, so I won't respond to any replies for about a week. Tough luck!
Re: Anonymous surfing my ass!
On Sun, 14 Jul 2002, Berend-Jan Wever wrote:

Combine an incompetent programmer with a wanna-be incompetent researcher
and what do you get? A stupid advisory.

First of all, you "hacked your way out of" Anonymizer. Does this mean
that you paid for their service, then managed to surf without being
anonymous? Or, you managed to get their pay service for free?

Either way doesn't point at a vulnerability that would expose one's
privacy. Now if you were telling us that you are able to expose the
originating IP address of web requests coming from these services that
would be something.

>
> Anonymous surfing websites are written by incompetent programmers keen on your money and not your privacy; I tested a few of them and found them wanting:
> - Anonymizer.com (I have hacked my way out of Anonymizer 4 times before and they still lack proper filtering!)
> - The-cloak.com
> - Megaproy.com
> These were all the sites I found with google and could get access to without registering, if you know some more, I'd be happy to hack my way out of their filters.
> I'd like to mention that all filter faults were found within minutes, just to show (off) how easy this was.
>
> Vendor status: hereby informed of the issue.
>
> Berend-Jan Wever aka SkyLined
> http://spoor12.edup.tudelft.nl
>
> PS. I'm going on a holiday, so I won't respond to any replies for about a week. Tough luck!
>

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

"I don't intend to offend, I offend with my intent"

hellNbak@nmrc.org
http://www.nmrc.org/~hellnbak

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Re: Anonymous surfing my ass!
> Combine an incompetent programmer with a wanna-be incompetent researcher
> and what do you get? A stupid advisory.
>
> First of all, you "hacked your way out of" Anonymizer. Does this mean
> that you paid for their service, then managed to surf without being
> anonymous? Or, you managed to get their pay service for free?

I think if you at least clicked the advisory link (
http://spoor12.edup.tudelft.nl/SkyLined%20v4.2/?Advisories/Anonymous
surfing, NOT! ) it would help relieve some of your ignorance. What he's
referring to is getting a script (usually javascript) through the filters
and executing on the 'anonymous' person's machine. If a site can do that
they can save cookies to the machine, thereby breaking the anonymity.

It's not really cross site scripting, though the techniques used to get it
through are similar. Right now 'cross site scripting' seems to be the buzz
word attached to any security breach involving scripts. Something we have to
live with I guess. Anyway, whatever it's called SkyLined seems to be the
l33test at it ;)

- Blazde
RE: Anonymous surfing my ass!
You would think that the email sent to the list would have contained
more information. Based on the email sent, one might not even
bother clicking on the link. And for those of us who happen to be
checking email on Windoze boxes, clicking on random Internet links
probably isn't the brightest thing to do from IE unless you have
bothered to disable all the various active scripting etc.......

How seriously would you take an email that simply said "click here
www.clicktobeowned.com"

> I think if you at least clicked the advisory link (
> http://spoor12.edup.tudelft.nl/SkyLined%20v4.2/?Advisories/Anonymous
> surfing, NOT! ) it would help relieve some of your ignorance. What he's
> referring to is getting a script (usually javascript) through the
> filters and executing on the 'anonymous' person's machine. If a site can
> do that they can save cookies to the machine, thereby breaking the
> anonymity.
>
> It's not really cross site scripting, though the techniques used to get
> it through are similar. Right now 'cross site scripting' seems to be the
> buzz word attached to any security breach involving scripts. Something
> we have to live with I guess. Anyway, whatever it's called SkyLined
> seems to be the l33test at it ;)
>
> - Blazde

_______________________________________________
Full-Disclosure - We believe in it. Full-Disclosure@lists.netsys.com
http://lists.netsys.com/mailman/listinfo/full-disclosure
Re: Anonymous surfing my ass!
On Sun, Jul 14, 2002 at 09:35:39AM -0600, Steve wrote:
...
> bother clicking on the link. And for those of us who happen to be
> checking email on Windoze boxes, clicking on random Internet links
> probably isn't the brightest thing to do from IE unless you have
> bothered to disable all the various active scripting etc.......
>


Patient: Doctor, it hurts when I bang my head into the wall. What can I do?
Doctor: Stop banging your head into the wall!


Chris
Re: Anonymous surfing my ass!
Hasty flames are counterproductive. Let us not be so quick to judge.
Speaking from personal experience, I would imagine that most people's
first few advisories are bound to lack clarity/details. Additionally one
must remember not to hit that reply button instantly after reading a
post that triggers anger/hostility. I myself am guilty of all the
aforementioned shortcomings. But hey we're human aren't we?

Nor should a man be in a hurry to publish his advisory the instant his
proof-of-concept exploit works. Sitting on a bug for a little while will
afford the time to polish the advisory and/or exploit. The discloser
must determine the fundamental pieces of information every advisory
should have and a format which puts the bottom-line-up-front. In this
fashion the discloser can take pride in knowing, whether the bug was
trivial to exploit or a work of art, that all of those who read it will
walk away with a clear understanding of the problem, impact, solution,
etc. Take a look at security focus's vuln-help advisory template.

peace,
core

Steve wrote:
> You would think that the email sent to the list would have contained
> more information. Based on the email sent, one might not even
> bother clicking on the link. And for those of us who happen to be
> checking email on Windoze boxes, clicking on random Internet links
> probably isn't the brightest thing to do from IE unless you have
> bothered to disable all the various active scripting etc.......
>
> How seriously would you take an email that simply said "click here
> www.clicktobeowned.com"
>
>
>> I think if you at least clicked the advisory link (
>> http://spoor12.edup.tudelft.nl/SkyLined%20v4.2/?Advisories/Anonymous
>> surfing, NOT! ) it would help relieve some of your ignorance. What he's
>> referring to is getting a script (usually javascript) through the
>> filters and executing on the 'anonymous' person's machine. If a site can
>> do that they can save cookies to the machine, thereby breaking the
>> anonymity.
>>
>> It's not really cross site scripting, though the techniques used to get
>> it through are similar. Right now 'cross site scripting' seems to be the
>> buzz word attached to any security breach involving scripts. Something
>> we have to live with I guess. Anyway, whatever it's called SkyLined
>> seems to be the l33test at it ;)
>>
>> - Blazde
Re: Anonymous surfing my ass!
Chris replied to Steve:

> On Sun, Jul 14, 2002 at 09:35:39AM -0600, Steve wrote:
> ...
> > bother clicking on the link. And for those of us who happen to be
> > checking email on Windoze boxes, clicking on random Internet links
> > probably isn't the brightest thing to do from IE unless you have
> > bothered to disable all the various active scripting etc.......
>
> Patient: Doctor, it hurts when I bang my head into the wall. What can I do?
> Doctor: Stop banging your head into the wall!

Yes, yes but for many -- and for better or worse, though there's no
prize for guessing which I think it is -- not using Windows (and
even such stupidities as not using Outlook, or worse not using Notes)
is not an option without breaking local "security" policies. As the
people who are likely to directly benefit most (at all?) from lists
such as this are the people who have to be seen to be most committed
to enforcing security policies (even if they are grievously stupid
policies), throwing out a blanket "don't use Windows" or "don't use
<pet peeve network client software>" is not a constructive response.

Suggesting sidestepping or subverting the local security policy (I'm
not saying Chris was -- it could be inferred from his comment, but
that would be a stretch) is grossly unprofessional (unless the
suggester is not a security professional, in which case it is just
common stupidity).


Regards,

Nick FitzGerald
Re: Anonymous surfing my ass!
On Mon, 15 Jul 2002, Nick FitzGerald wrote:

[SNIP]

>
> Yes, yes but for many -- and for better or worse, though there's no
> prize for guessing which I think it is -- not using Windows (and
> even such stupidities as not using Outlook, or worse not using Notes)
> is not an option without breaking local "security" policies. As the
> people who are likely to directly benefit most (at all?) from lists
> such as this are the people who have to be seen to be most committed
> to enforcing security policies (even if they are grievously stupid
> policies), throwing out a blanket "don't use Windows" or "don't use
> <pet peeve network client software>" is not a constructive response.
>
> Suggesting sidestepping or subverting the local security policy (I'm
> not saying Chris was -- it could be inferred from his comment, but
> that would be a stretch) is grossly unprofessional (unless the
> suggester is not a security professional, in which case it is just
> common stupidity).
>

And yet, for those on the corp backbone stuck using broken software, and
unable to login to a system not-so-broked on the inside, perhaps reading
the lists from a hotmail or other account is a better option. Or perhaps
setting up an openbsd or linux system less prone to these exploits
circulating at home might be a better way to avoid some of the hassles with
borked systems on their desktops. It all depends I guess upon how much
effort they wish to invest into their chosen field of
employment/enjoyment.

Thanks,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.