Re: New Web Vulnerability - Cross-Site Tracing

• Original Message ----- From: "Jeremiah Grossman" <jeremiah@whitehatsec.com> Subject: Re: New Web Vulnerability - Cross-Site Tracing

> On Wed, 2003-01-22 at 15:52, xss-is-lame@hushmail.com wrote:
presented. I realize that
> everyone has to gloss things up a bit for marketting and dumb things down
for laypeople, but
> I think that the press release, the whitepaper and particularly the
ExtremeTech article all
> overstep what is excusable. They are sensational and exagerated.

Oh come on, It's your arictle, the content thereof is within your control. If the article misrepresents some facts or hypes it up such as, you can't blame marketing or media coverage for what *your* article stated. Many of us disagree about the facts represented as being as they were claimed.

>
> > Some examples for the whitepaper and press release:
the web is a good thing."
> >
> > The XSS plague? The only XSS plague I know of is on Bugtraq and other
disclosure
> mailing lists. Is anyone else sick of seeing posts about XSS problems in
PHP applications
> that runs on a total of five sites?

No, we're all sick of seeing these trivial, hyped-up claims.

> Code Red was a plague. Melissa was a plague. In all
actually been used.
> Do you have any evidence of an actual XSS epidemic taking place?

Being a security expert? Well, I don't want to get personal, and it's been a few years since I've seen what you're doing lately, but it's only been a few years and I don't want to get into it and explain my doubts about you suddenly becoming a 'security expert' since that time. Just claiming to be a leading expert in this field doesn't make it factual, nor that you are more qualified than other people that are in this field. Your article is hyped up nonsense and anymore of these XSS issues being hyped up, I'm going to friggin' loose it.

<snip the rest of the nonsense>

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

Really, nothing personal, but this is ridiculous. However, I don't intend to debate or argue on the list about this, so I'll end on that note. If you believe what you say in your article, you should go an example this in a real-world environment and who us all how 'frightening' this is. :-)

Regards,
Tim Greer chatmaster@charter.net
Server administration, security, programming, consulting. Received on Wed Jan 22 23:17:00 2003