Comments on: Misterious Ghost Stories

By: Nathan McFeters

Nathan McFeters — Mon, 12 May 2008 15:02:39 +0000

Yeah, I would’ve loved to give you the details to get it fixed. Apparently the issue has been fixed in IE, so perhaps sirdarkcat’s is a new issue… or a new instance of the same attack.

-Nate

By: James

James — Mon, 12 May 2008 09:39:46 +0000

Probably not related, but http://www.thomasfrank.se/sessionvars.html is interesting.

By: Giorgio

Giorgio — Mon, 12 May 2008 05:50:38 +0000

@Nate:
No need to explain why you can’t give away details, the comment of yours I linked to “pretends” was clear enough.
I added a smile at the end of the statement you quoted: I was only trying to be ironic about the fact we’ve got an issue announced and looking like a doomsday device threatening “all browsers”, known to an audience of ~~hackers~~ security researchers who may or may not have good intentions, and no information to build a mitigation plan, other than throw-away browser sessions and our best friend.

Cheers :)

By: Nathan McFeters

Nathan McFeters — Sun, 11 May 2008 23:35:02 +0000

Yo Georgio!

"Then we’ve got two quite reticent posts by Nate McFeters, who was there but pretends he doesn’t remember well enough and/or he can’t disclose such an atomic bomb."

Why call me out like that?

There is two points I can say,

1.) I did see the talk and understand the attack, but I’m not certain I can accurately recount the entire attack vector, nor is it my place since it was someone else’s research (Manuel).
2.) I discussed this at length with Microsoft and they asked me not to talk about it for now, as this may still be a useable attack vector on several browsers. Being that they invited me to a private conference for discussions about research I was working on, and NOT as a journalist, I respect their wishes. They gave me exclusive coverage of the event, which was very cool of them, and so respecting their wishes about this issue was a small thing to give up.

I just had a look at sirdarkcat’s posting… I think it is very similar, but I don’t think it’s the exact same thing. Certainly he understands the concepts, but I’ll let Manuel or one of the other attendees confirm that. I wasn’t really taking notes on the whole ordeal, as I had some other work I was also doing at the time for my real job, so like I said, not 100% certain of how he did it, the general idea sounds very similar to what sirdarkcat has done, which is very serious in any case.

-Nate

By: hackademix.net » Who You Gonna Call?

hackademix.net » Who You Gonna Call? — Sun, 11 May 2008 22:25:44 +0000

[…] Misterious Ghost Stories 12 05 2008 […]

By: Giorgio

Giorgio — Sun, 11 May 2008 22:10:06 +0000

@Sirdarckcat:
I Ain’t ‘fraid of no catz :)
10x!

By: sirdarckcat

sirdarckcat — Sun, 11 May 2008 21:59:34 +0000

Can I Haz Ghostz?
http://sirdarckcat.blogspot.com/2008/05/browsers-ghost-busters.html

(lol catz have ruined my life)