Comments on: Reconsidering the Side-jacking Attack

By: pdp

pdp — Mon, 18 Feb 2008 09:39:48 +0000

yep it did and it has raised the user awareness…

By: kuza55

kuza55 — Mon, 18 Feb 2008 08:29:42 +0000

Fine, I’ll accept that it’s innovation by that definition, but then I don’t particularly care about innovation. I care about new ideas. Maybe there’s a specific term for that I should start using instead.

I’m not trying to say the tool sucks or anything; just that it’s generated waaaay more attention than it deserves.

By: pdp

pdp — Mon, 18 Feb 2008 07:52:32 +0000

on another note, WiFi hacking is the most easiest way to get into corporate networks. I am speaking from personal experience by looking at all pentest I have performed in the past and also by considering every single emergency response I have encountered. It is too bad that all this knowledge cannot be shared due to various forms of NDAs I’ve signed. I was one of the first to comment on Robert’s talk but I can clearly see now that judging others for what they do is pointless. You will never reach to the same conclusions unless you put yourself in their shoes.

By: pdp

pdp — Mon, 18 Feb 2008 07:44:36 +0000

kuza55, before Metasploit there were tones of other tools that did practically the same. Before BackTrack there was Knopix. And before Hamster and Ferret it was mostly dsniff. As I've mentioned in the article, the concepts are not innovative. If you watch Robert's talk you will see that he is quite clear about that as well. Within his presentation, it was mentioned more then once that it is about the tools or at least the combination of them: proxy + sniffer + packet content analyzer - something that was not available before that. Ferret and Hamster is for sniffing like Metasploit for exploits. It is innovation, because the next generation of hacker sniffing tools will concentrate on getting the most of the captured data without wasting too much time. And yes, it is an innovation! But in order to prove that I've picked the right words, let me quote how innovation is defined by several sources:

A creation (a new device or process) resulting from study and experimentation.
Introduction of a new idea into the marketplace in the form of a new product or service, or an improvement in organization or process.
The use of a new technology, item, or process to change what goods and services are provided, the way they are produced, or the way they are distributed.
The creation, development and implementation of a new product, process or service, with the aim of improving efficiency, effectiveness or competitive advantage. Innovation may apply to products, services, manufacturing processes, managerial processes or the design of an organization.
etc...

By: kuza55

kuza55 — Mon, 18 Feb 2008 01:27:18 +0000

I’m confused here, writing a tool that doesn’t need to be written since you can do the same with existing tools is now innovation? You’ve got to be kidding me…

Sure, writing a point and click tool that replaces some semblance of knowledge of what you’re doing improves upon the exploitability of something by incompetents, but it’s not particularly noteworthy.

The recent addition to what they found, i.e. that Gmail fails open when it can’t connect via SSL, is interesting in a “this is a great example of how not to write software” way, but is still just a single bug…

P.S. The whole topic of discussion is pretty worthless considering almost everyone who does web stuff knew about this problem before and we have the secure attribute on cookies to prevent this exact issue.

By: RobotSkirts » Blog Archive » Reconsidering the Side-jacking Attack

RobotSkirts » Blog Archive » Reconsidering the Side-jacking Attack — Sun, 17 Feb 2008 23:57:53 +0000

[...] Reconsidering the Side-jacking Attack PDP reconsiders “side-jacking”, I still think it’s a joke/hype, but will take another look. [...]