[cap-talk] bundling designation and authority
Charles Forsyth
forsyth at terzarima.net
Fri Oct 14 14:02:11 EDT 2005
>>(begin quote)
>>Dr Neil Barrett, a computer crime expert recently appointed to advise
>>the EC on Microsoft issues, said: "...the access was unauthorised. He
>>came to a site for which he did not have permission to exceed the normal
>>user levels of access and attempted to elevate that access. Now, it's
>>true that security professionals do such things - on penetration tests -
>>but that's where permission has been given."
>>(end quote)
perhaps this can drift back to capabilities, in a roundabout way:
when i read that bit, i was struck by Barrett's apparent assumption,
also assumed to be shared with his listeners, that adding /../../..
to a URL could ever be interpreted by a system as an instruction to
`elevate access'. i found it a very odd comment, but clearly he expected
people to accept it at face value.
worse, when i looked at a few more sites, i found some that described this process as
a `Directory Traversal Attack'. clearly cd has never been so powerful!
i suspect the underlying missing capability is `thought', but how best
to educate people that this sort of talk is fairly ridiculous?
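For readers who want to see what a `/../../..` in a URL actually does, the following is an added example, not part of the original post and not Forsyth's code. It assumes a constructed document root `/var/www/html` and two hypothetical request handlers: a naive one that glues the decoded URL path onto the docroot (so the kernel's ordinary `..` handling walks out of the tree when the file is opened, the `cd` behaviour the post refers to), and a hardened one that decodes once, normalises, and refuses any result that lands outside the docroot. Neither path ever "elevates" anything; the server either serves a file it could already read, or declines to.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed document root for the example (an assumption, not a real server).
DOCROOT = "/var/www/html"


def naive_resolve(url_path: str) -> str:
    """Map a URL path onto the filesystem the way a careless handler does.

    Decodes the path, strips the leading slash and joins it onto DOCROOT
    without any normalisation or containment check.  The '..' components
    survive into the string handed to open(), where the OS resolves them.
    """
    return DOCROOT + "/" + unquote(url_path).lstrip("/")


def effective_path(url_path: str) -> str:
    """Where the naive join really ends up once the OS collapses '..'.

    posixpath.normpath mirrors the kernel's lexical handling of '.' and '..'
    (symlinks aside), so this is the file the naive handler would open.
    """
    return posixpath.normpath(naive_resolve(url_path))


def safe_resolve(url_path: str) -> Optional[str]:
    """Decode once, normalise, and refuse anything that leaves DOCROOT.

    Returns the absolute path under DOCROOT, or None if the request would
    resolve outside it.  Decoding exactly once matters: decoding again
    would turn a literal '%2e%2e' component into '..' after the check.
    """
    candidate = posixpath.normpath(DOCROOT + "/" + unquote(url_path))
    # The trailing slash in the prefix test stops a sibling directory such
    # as /var/www/html-backup from passing a bare startswith(DOCROOT).
    if candidate != DOCROOT and not candidate.startswith(DOCROOT + "/"):
        return None
    return candidate


if __name__ == "__main__":
    for req in ("/index.html", "/../../../etc/passwd",
                "/%2e%2e/%2e%2e/%2e%2e/etc/shadow", "/../html-backup/secret"):
        print(f"{req:40} naive -> {effective_path(req):30} "
              f"safe -> {safe_resolve(req)}")
```

The naive handler turns `/../../../etc/passwd` into an `open("/etc/passwd")` issued with whatever privileges the server process already had; the hardened one returns `None` for the same request and for its percent-encoded twin, and still accepts harmless uses of `..` that stay inside the tree.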