On Tue, Apr 15, 2008 at 7:24 PM, Jeff Stebelton <[EMAIL PROTECTED]> wrote:
> On Tue, Apr 15, 2008 at 12:32 PM, n3td3v <[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>> wrote:
> >
> > Why May 1st 2008? Because web applications are closely related to e-commerce
> > and May Day is a common day for peaceful anti-capitalism protests, so
> > it makes sense to be on this day.
> >
> > ------------------------------------------------------------------------
>
> I almost missed this little jewel, having the inestimable Mr. "n3td3v"
> in my junk list (anyone else think it odd he always refers to himself in
> the third party?)
>
> I want to see if I can follow the logic here. May 1st is a common day
> for ANTI-capitalism protests. Web applications are tied to e-commerce.
> Therefore, the day you *protest* commerce is the perfect day to hold a
> contest that conceivably you wish to help make commerce more *secure*?
> These threads never fail to provide some comic relief just when I need it.

i was just trying to bring awareness to web application security, not have a protest against capitalism, and like you say posting vulnerabilities in web applications is pro capitalism, so i don't see where the problem is. having it on may the 1st is just more shock and awe and is more likely to get attention towards web application security. there is no protest, there is web application security awareness day, it just makes it more interesting being on may day.

if web application security awareness day was on december the 1st, would it have as much buzz about it? i say no... so to get the maximum benefits from WASAD then you need to have some controversy in it, than just say, ok we're going to have an annual day that for no reason we release more web application bugs than normal. i think it's useful for web application security awareness day to be on may the 1st and not december the 1st, what do you think?

no one is protesting anything, we all have a web application bug sitting in our back pockets anyway, they are easy to find and are useful tools. all web application security awareness day is meant to do is say *hey, we know maybe releasing cross-site scripting is normally lame and not very hacker credible, but if we have one day a year that says, if you release your lame xss's we won't laugh at you, like we might do on a normal day* and it even goes for people who don't normally release web application bugs, like folks who just go after buffer overruns in internet explorer, on a normal day they wouldn't release a xss, but what i say to them is, on web application security awareness day, it's cool to do it.. and if you are a security researcher who normally only releases B0f's, on web app sec awareness day you can throw your web app bug onto the list and it won't be considered lame.

the vision is simple, on web app sec awareness day, it's uncool not to release a web app bug, it's the ppl who don't release one who should be the ones pointed and laughed at.

that's the problem with web app sec awareness on a normal day, ppl say *boring xss*, *i'm not going to get hacker points with my peers, i'm just going to copy&paste it to a txt file and leave it on my mem key for five years until i remember it's there again*. i say there should be one day a year, when it's cool to release xss, just one day when ppl put their hands up and say, yup this is what i've got. one day in the year when everyone agrees ppl won't laugh and make fun of you because you post a xss, one day in the year when you're doing something positive in the scene to get bugs patched that you are on a normal day embarrassed to disclose.

maybe may day *is* the wrong day to have web app sec awareness day on, but i do think there needs to be a web app sec bug amnesty day when high ranking security researchers will say, actually i've got a xss, or the script kid who thinks he's cool actually says *i've got an xss* and isn't laughed at. so no matter who you are or your supposed ranking in the security community, there should be a day where everyone participates in web app bug disclosure, that's immune from all the other days in the year when it's considered lame to release xss, because we've seen it all before, and admittedly, they're not too hard to find.

so what if there is some controversy with the date of it being on mayday? as long as it's doing the main key thing of securing and bringing awareness, then overall it's got to be a good thing.

i've been observing that ppl are reluctant to post xss anymore, even though they have a ton in their back pocket. folks like morning_wood, he used to post sql injection/xss all the time, i noticed he doesn't anymore, now is that because he doesn't have any, or is that because he thinks it's not cool and hacker cred as it used to be. so now you've learned my thinking behind this day, i hope ppl can support it.

and if ppl are really not happy about mayday being the day, then let's talk about it, but surely we all agree that a web app bug amnesty on whatever a day in the year is going to be the benefit to the scene, rather than web app bugs being kept in ppl's back pockets for over a year, ppl will only save them till web app sec awareness day, then drop them onto the list, rather than having a web app sec bug kept stored on ppl's mem keys for maybe 2 years or more, because ppl are shy to publish them onto the list because it might cause them embarrassment between their social peers.

so with web app sec awareness day, we're all agreeing, we won't hold our web app sec bugs privately for more than 12 months, for when web app sec awareness day comes, we all agree to drop bugs onto the list without fear of being labelled a xss lamer or script kid.

for the ppl who do just post xss on any day they feel like and they don't care about credibility, that's fine, keep doing it, that's great. but what i have been observing is there are a large amount of ppl with xss, who are shy to post what they've got in their back pocket *ever*, so a day like this, it has to be a positive thing. web app sec awareness day isn't just about xss, i just used that as an example.

yours sincerely,
n3td3v.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/