[wp-testers] Re: Bugs/Fixes, Security Requests

g30rg3_x g30rg3x at gmail.com
Thu Dec 4 17:22:59 GMT 2008


Another direct reply to me? Come on guys, give me a break =P....

First, I don't see why you two are after me. The original author of
this thread was the only one promoting this change to get to core; me? Well, I
think I previously said that after giving the last attempt to promote
it -from ticket #7545- I desisted from the idea and am just glad that
developers give us tools for resolving these issues via plugins.

Second, I don't really know your experience in the security field
(especially webappsec) and I consider that putting that
experience up for discussion is totally rude and unnecessary, but based on my personal
experience... I have to say that I see this information as sensitive
and it really helps intruders to map your entire security
infrastructure, which then would enable them to see your weak points.
Like I said before: hiding sensitive information won't enhance your
security; it will just buy some time for you, which normally is enough time
to mitigate the security issue, time which on a 0-day is really
valued.

Third, yes. "Script Kiddie" / "Spammer" attacks are the vast majority of
intrusion attempts today, but they aren't all of them and you should not
consider these attempts as the only ones you would see; sophisticated
attacks are on the map too, so don't just consider the first ones only.

Fourth,
> In other words, these are events which would require a lot of developmental effort to change, for little reward.
Not really, all the changes are there; it will just require a little
developmental effort from your part to obtain exactly the same little
reward, and actually you don't need that developmental effort: with so
many different plugins out there (and even the one posted in my first
reply) you aren't required to do this "developmental effort".

Fifth, usability issues always go together with security enhancements
(even Dilbert knows it [1])... a legitimate user won't fail to login or
forget his username/password (normally), and in such a case I guess it's
better to ask for a password reset rather than guessing via the error
messages.
If you handle different usernames and passwords, may I suggest you try
KeePass? I use this password database software because I handle tons of
different usernames and passwords (I have even categorized password
complexity by risk threat) and from time to time I forget them, so I
found this software very neat.


In the security field there are two types of people... those who
think that all users/guests are "good" by nature and those who don't;
personally I'm from the second group and I guess you two are from the
first... and after saying that I just want to end with a motto from
Andrew Grove: "Only the paranoid survive."...

[1] http://www.dilbert.com/fast/2007-11-16/

Best Regards otto && mrmist.

2008/12/4 mrmist <listswptesters at mist.org.uk>:
> In message <d5d5430f0812021803s7a5d039cn3624668dff97db4e at mail.gmail.com>,
> g30rg3_x <g30rg3x at gmail.com> writes
>>
>> Third, you are considering the "script kiddie" / "spammer" scenarios,
>> not the real ones which involve real crackers, not just people taking
>> exploits from milw0rm.com and spamming all over the web.
>
> That's considered because it represents the majority of attacks in this day
> and age.
>
>
>> There are some scenarios which involve particular use of sensitive
>> information (like the version of the product and username) but they
>> are limited by a lot of variables and sometimes they play a minor role
>> over the intrusion, so even though your 3 scenarios are right, the
>> scenarios where sensitive information is used are still there, just
>> that they play such a little/minor role in the intrusion that they are
>> often underestimated
>>
>
> In other words, these are events which would require a lot of developmental
> effort to change, for little reward.
>
>
>> Summarizing...
>> I didn't say they play a "higher" role on your "harder" security
>> infrastructure, they play a little/minor/nano role, and also we are not
>> only discussing enumeration of version (here); this type of
>> vulnerability is actually enrolled with full path disclosure and
>> username enumeration. There are tactics to avoid disclosing this
>> information, so really man, if you don't want to see it as security
>> then don't see it as security, see it as privacy... I don't want people
>> to easily get this information just as you don't want spammers to get
>> your email address (crappy comparison but reflects my point).
>>
>
> People will get your usernames anyway. Only in some unlikely sets of
> circumstances would some average user have a username that was really that
> far removed from publicly displayed information.  I would guess that many
> users just use admin.
>
> Those types of user login boxes that don't tell you where the problem is are
> an example of security above common sense.  I actually find it annoying
> sometimes when I try to log in to some random online thing and it says "user
> name or password error".  That's no help at all to ME, the user, the
> legitimate user of that web site who just happens to have more than one
> username and more than one password.  That sort of response does my nut in.
>  It's trying to be more "secure", but what it actually does is make the
> thing more ANNOYING to use.  To top off the stupidity of it all, most of
> those same things will let you try user/password combos over and over again.
> No common sense has entered therein.
>
>
>
> --
> mrmist
> _______________________________________________
> wp-testers mailing list
> wp-testers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-testers
>



-- 
_________________________
             g30rg3_x
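The two login behaviours argued over in this thread (distinct error messages that confirm a username exists versus the uniform "username or password error", plus the unlimited retries mrmist complains about), as an added example that is not part of the thread or of WordPress; the user store, salt, hashing scheme and function names are constructed for illustration:

```python
import hashlib
import hmac
import time
from collections import defaultdict

# Constructed demo store: username -> salted SHA-256 (stand-in for a real password hash).
SALT = b"demo-salt"

def _digest(password: str) -> str:
    return hashlib.sha256(SALT + password.encode()).hexdigest()

USERS = {"admin": _digest("correct horse"), "editor": _digest("battery staple")}
DUMMY_DIGEST = _digest("not-a-real-password")  # so unknown users cost the same work

def leaky_login(username: str, password: str) -> str:
    """The behaviour objected to in the thread: each failure names its cause, so the
    response itself tells the caller whether the username exists (username enumeration)."""
    if username not in USERS:
        return "Invalid username"
    if not hmac.compare_digest(USERS[username], _digest(password)):
        return "Incorrect password"
    return "OK"

class Limiter:
    """Per-source failed-attempt counter within a sliding window."""
    def __init__(self, max_attempts: int = 5, window: int = 600):
        self.max_attempts, self.window = max_attempts, window
        self.attempts = defaultdict(list)

    def blocked(self, source: str, now=None) -> bool:
        now = time.time() if now is None else now
        recent = [t for t in self.attempts[source] if now - t < self.window]
        self.attempts[source] = recent
        return len(recent) >= self.max_attempts

    def record(self, source: str, now=None) -> None:
        self.attempts[source].append(time.time() if now is None else now)

def uniform_login(username: str, password: str, source: str, limiter: Limiter, now=None) -> str:
    """Hardened form: one message for every failure, the same hashing work whether or
    not the user exists, and a cap on repeated failures from the same source."""
    if limiter.blocked(source, now):
        return "Too many attempts, try again later"
    stored = USERS.get(username, DUMMY_DIGEST)  # always hash, even for unknown users
    ok = hmac.compare_digest(stored, _digest(password)) and username in USERS
    if not ok:
        limiter.record(source, now)
        return "Username or password error"
    return "OK"
```

The `now` parameter exists only so the window logic can be exercised deterministically; in real use it is left as the wall clock.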