----- Original Message ----- From: "Jeremiah Grossman" <jeremiahat_private> Subject: Re: New Web Vulnerability - Cross-Site Tracing > On Wed, 2003-01-22 at 15:52, xss-is-lameat_private wrote: > > > > -----BEGIN PGP SIGNED MESSAGE----- > > > > My objection is to the way that the whole issue was framed and presented. I realize that > everyone has to gloss things up a bit for marketting and dumb things down for laypeople, but > I think that the press release, the whitepaper and particularly the ExtremeTech article all > overstep what is excusable. They are sensational and exagerated. > > We do not believe PR statement or white paper misrepresented anything. > If fact we got the help from many known experts to make sure we did the > best job we could and everything was as clear as we could make it. We > also dont control media coverage. Oh come on, It's your arictle, the content thereof is within your control. If the article misrepresents some facts or hypes it up such as, you can't blame marketing or media coverage for what *your* article stated. Many of us disagree about the facts represented as being as they were claimed. > > > Some examples for the whitepaper and press release: > > "First of all, anything that attempts to help prevent the xss plague on the web is a good thing." > > > > The XSS plague? The only XSS plague I know of is on Bugtraq and other disclosure > mailing lists. Is anyone else sick of seeing posts about XSS problems in PHP applications > that runs on a total of five sites? > > We are sick of seeing it as well. And XSS is in everything and near > impossible to get rid of. Aka. plague. No, we're all sick of seeing these trivial, hyped-up claims. > Code Red was a plague. Melissa was a plague. In all > the time XSS has been around, I only know of a few instances where it has actually been used. > Do you have any evidence of an actual XSS epidemic taking place? > > > Well being a security expert in the field I can hardly comment on > specifics but yes... it does happen. Often? Whats Often? Being a security expert? Well, I don't want to get personal, and it's been a few years since I've seen what you're doing lately, but it's only been a few years and I don't want to get into it and explain my doubts about you suddenly becoming a 'security expert' since that time. Just claiming to be a leading expert in this field doesn't make it factual, nor that you are more qualified than other people that are in this field. Your article is hyped up nonsense and anymore of these XSS issues being hyped up, I'm going to friggin' loose it. <snip the rest of the nonsense> Really, nothing personal, but this is ridiculous. However, I don't intend to debate or argue on the list about this, so I'll end on that note. If you believe what you say in your article, you should go an example this in a real-world environment and who us all how 'frightening' this is. :-) Regards, Tim Greer chatmasterat_private Server administration, security, programming, consulting. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
This archive was generated by hypermail 2b30 : Wed Jan 22 2003 - 19:08:37 PST