Comments on Jeremiah Grossman: the nature of things

Comment by Unknown, 2008-05-20 09:26 -07:00

Good post! We often become a self-perpetuating cycle of non-disclosure and then complaining about lack of information sharing as one of our biggest challenges.

Soon (if not already), such professionals are going to lose credibility if they complain about a problem they perpetuate.

Comment by Anonymous, 2008-05-20 08:01 -07:00

Just keep on posting what and as you can. Your insights and comments are still highly valued. Thanks for your posts in the past, and I look forward to reading more for a long time in the future.

Comment by Jeremiah Grossman, 2008-05-20 07:43 -07:00

Ahh, that's a very good question.

New attack techniques and their solutions will continue to be freely and openly released by me (WhiteHat) as we come across them. Most of the time I still have to sanity check with other trusted experts though, which could cause some delay.

The specifics of the types of malicious things that can potentially be done with them, malware PoC, gets to be a little bit of a gray area, as are details of how to automate vulnerability discovery and unique instances of what sites they appear on. That's what sla.ckers.org and XSSed.com are for. Something RSnake and I really can't do personally.

Incident details are areas almost always off limits, as is how the company goes about resolving the matter, other than what is already publicly available of course. I think this is the area RSnake and I were most focused on. The agendas and directions people take that rarely get revealed heavily influence the state of things.

Is this what you wanted to know?

Comment by Anonymous, 2008-05-20 07:32 -07:00

For clarification, this does not translate into new aspects of web application security being kept secret, correct? I'm referring strictly to concepts that may arise, or have already been created, such as the very issues you have relayed to readers in the past: XSS, CSRF, and subsequently combining these topics to provide works like the Javascript port scanner, or the CSS "history hack". I thrive on much of the innovative techniques and discoveries posted by you, Rsnake, GNUCITIZEN (the entire group), Ronald van den Heetkamp (0x000000), Billy Rios, and a few others. It's understandable that your business commitments prevent you from being able to share a majority of your findings, but please post what you are able to, and what the rest of us may find beneficial.