Slashdot Mirror


User: Jungsonn

Jungsonn's activity in the archive.

Stories: 0
Comments: 1

Comments · 1

  1. Re:This will end well... on 70% of Sites Hackable? $1,000 Says "No Way" · · Score: 1

    I think I'm almost the only websec guy that agrees with Joel on this one. Hence, I've been talking about it before; Acunetix's claim is false on a practical level. It's only a theoretical one, and it must be considered as such. No man can state 70% is really vulnerable to a compromise, even if I saw all data. Then you have to figure out how to make it profitable to actually do it, and get away with the crime. Ever wondered how Citibank lost all those millions to some Russians? Not through XSS or SQL injection, but actually hacking into their network.

    But hear my theory: "I think that 70% of all local banks are at risk of an immediate heist!" Yeah, this could be in theory. Now I only have to do it. And that is the biggest problem.

    Another one: "99% of all stores are vulnerable to a stickup!" Yeah, for sure, but can I rob all stores? And how much can I rob before someone grabs me?

    The things that have been summed up by the websec guys like:

    * port scanning
    * cookie stealing
    * clipboard reading
    * and whatever...

    Well, sure this can be done. But is it profitable? Is it doable on a large scale? Do real hackers want to read your clipboard? C'mon, of course they do not. They want 150,000 credit cards. And to obtain those you need to hack into a server, in their network. You cannot do this with a little XSS. Tell me the first person who did this with Cross Site Scripting? Anyone's server being taken down through it?

    I guess not.

    That is where threat analysis comes into view: how many of those 70% of web sites pose a real threat? Are all those 70% of sites online banks? Then they are right. But my sheer guess is that no bank is listed on their scan list.

    Sorry, but this time I do not agree with most websec guys in the real context of threat analysis of the sites they have scanned.