[cap-talk] bundling designation and authority

Charles Forsyth forsyth at terzarima.net
Fri Oct 14 14:02:11 EDT 2005


>>(begin quote)
>>Dr Neil Barrett, a computer crime expert recently appointed to advise 
>>the EC on Microsoft issues, said: "...the access was unauthorised. He 
>>came to a site for which he did not have permission to exceed the normal 
>>user levels of access and attempted to elevate that access. Now, it's 
>>true that security professionals do such things - on penetration tests - 
>>but that's where permission has been given."

>>(end quote)

perhaps this can drift back to capabilities, in a round about way:

when i read that bit, i was struck by Barrett's apparent assumption,
also assumed to be shared with his listeners, that adding /../../..
to a URL could ever be interpreted by a system as an instruction to
`elevate access'.  i found it a very odd comment, but clearly he expected
people to accept it at face value.

worse, when i looked at a few more sites, i found some that described this process as
a `Directory Traversal Attack'.  clearly cd has never been so powerful!

i suspect the underlying missing capability is `thought', but how best
to educate people that this sort of talk is fairly ridiculous?



More information about the cap-talk mailing list