Slashdot Mirror


User: madsheep

madsheep's activity in the archive.


Comments · 155

  1. Newsworthy? on IM Worm Attack Cloaked in Virtual Card Hoax · · Score: 1

    All kinds of viruses, trojans, and worms that we hear about on an almost daily basis now are nothing new and if you notice the articles they normally do not claim they are. Trojans going around on MSN, AIM, Yahoo!, Jabber, IRC, E-mail, Microsoft Messenger, Randor random web searching, or anywhere else have been around for many many years now. Is this even newsworthy? In my opinion it is not.

  2. Re:I'm just worried that I'll buy on A Different Kind of WGA 'Problem' · · Score: 2, Funny

    Yea, turning in my Uncle was worth the savings though! What a great program.

  3. Intentionally installed a pirated copy... on A Different Kind of WGA 'Problem' · · Score: 2, Funny

    Right... so he intentionally installed a pirated copy. Good work. I think we should hold these geniuses responsible for breaking the law now. In other news I intentionally stole a car with armored tires and proved the cops couldn't catch me and the spike strip they laid out to stop me couldn't rip my tires... blah blah blah.

  4. Glad I wasn't at this presentation.. on VoIP Numbers Stations were Social Experiment · · Score: 1

    Yes -- honestly I am very glad I was not present for this. I would have been disappointed and felt I wasted my time. Not trying to troll but this is a who cares story if I have ever seen one.

  5. XSS - a bug... sometimes on XSS Vulnerabilities Reviewed and Re-Classified · · Score: 4, Insightful

    I think someone would be pretty hard pressed to convince me that XSS cannot be considered the earmark of bad or insecure coding in all or most cases. If anyone reads Full Disclosure we all know that any given moron can spend 24 hours a day looking on every website to find some XSS bug in the page. Now just because XSS exists in a site does not make it insecure or poorly coded (the latter is arguable). However, when these XSS bugs exist on websites that use session cookies or have a login of some sort that allows users to take actions, post, edit things, etc. then it is a product of insecure and poor coding. The risk exists when something can be gained by a threat source by conducting an XSS attack. If a user can post something on slashdot that slaps over my slashdot username and password or my session cookie (allowing them to jump in on slashdot right now and post as me) then it is a security risk. Finding an XSS issue on a webpage such as one that www.arin.net (see Full Disclosure) really doesn't do anything or represent a risk. It is more about what can be gained or done from the XSS attack. As a quick side note to this discussion.. XSS is *VERY* easy to prevent. Much more so than SQL injection. Who knows maybe these people will try and reclassify SQL injection as not being a problem either. Sanitizing user input by not allowing it or for example converting < and > to &lt; and &gt; respectively is pretty easy and will stop almost all of these attacks. There is no excuse for not being able to secure a page with such coding practices to protect your site and users.