(Untitled)

Jul 18, 2006 17:31

You may have noticed it's been a while since I posted anything here. There's a reason for that. In February I got busy participating in the LiveJournal XSS Contest, where I learned a few JavaScript / CSS tricks and won three permanent accounts for my trouble. I keep wondering if I should finish writing up that experience, and how much detail to go

toys, lj


Comments 8

siderea July 18 2006, 23:11:59 UTC
You know, my life has been too full of ethical calls lately for me volunteer to participate in another -- those neurons are tired -- so I'll decline. But I wanted to say "hi!" and let you know I'm still reading. How are things going?


alierak July 19 2006, 07:37:04 UTC
Oh well. Good and bad, can't really talk about it yet. I'm about to have to uncork a bunch of long-repressed social behaviors in order to make a life for myself here; meanwhile, I can feel my brain trying to recoil in horror and show me how good it is at solving math problems instead.



ecwoodburn July 19 2006, 01:19:19 UTC
I abstained on question three. I'd be interested in details; I'd suggest flocking them to be safe; but use your best judgement on how much detail to give out on unfixed, existing issues.



xb95 July 19 2006, 01:27:43 UTC
I'm abstaining because of obvious bias! :D

Brad ran that contest rather .. well, retarded-ly. Or whatever the word for that would be. There was no way he'd ever be responsible enough for making sure everything got handled. There's also no way he'd ever get them moved into RT (I doubt they're in there - I don't see any high priority security fixes anyway).

I'm not back on LJ yet (and won't be for another 6-8 weeks, at least), but I'd be happy to take a look at the outstanding issues. I still have commit access (and make use of it!) so...


alierak July 19 2006, 08:18:04 UTC
On second glance, it appears he called it a "challenge", not a contest, so I may have been operating under invalid assumptions in the first place.

This all appears to have happened well after the deployment of RT, for example one of the fixed bugs was ticket #815. I suspect the unfixed bugs would be in the neighborhood of #1100 +/- 30, assuming they were all previously unreported. I don't think he'd have marked them high-priority, given the relative obscurity of some browsers involved.

My goal isn't to force you to fix the bugs, and given the trend of the poll I don't think I'll disclose them publicly anyway. Rather, it's to get that particular story told, so I'll feel like moving on with the narrative of my journal, such as it is.



coderlemming July 19 2006, 05:35:20 UTC
I haven't read the ToS, so I don't really know what the rules are, but here's what I answered, in order: "in full detail", "everyone", "in full detail", "friends only


alierak July 19 2006, 08:32:24 UTC
Thanks. I'm definitely leaning in the direction of your answers. It is reassuring that you are one of the few people on my flist actually qualified to give advice on security research.

As for things being fixed only on the test site, it's (imho) unethical to discover that, because you'd have had to try an exploit on the main site, which was not in the scope of the challenge. Permission was granted to bang on only the test server, afaik. But I think I can assume security bugfixes were applied to the test site and then to the main site within a day of the changes having appeared in public CVS / SVN. The bugs I'm calling "fixed" ought to be unambiguously dead at this point.


coderlemming July 19 2006, 17:40:21 UTC
Oh, right, good point. In that case, I think you're right, you've got every reason to believe that "fixed" means fixed.


