Remember that anti-XSS feature we put in IE8?

Yeah, well, it looks like it’s actually the source of XSS attacks now.

Sorry. We suck at this.

Sincerely,
Microsoft

Security? We Don’t Need No Stinking Security!

As someone who builds web applications, stories like this scare the hell out of me. Apache.org suffered an attack affecting several services spread across different infrastructure, all stemming from a single XSS attack. To a sysadmin, the prospect that this could happen to them results in pure terror. At least for this sysadmin.

The guys at Apache are smart. They’re real smart. They’re so smart that if they are “sysadmins”, I should be considered some sort of pre-schooler who happens to know how to shell into a server and copy/paste some lines of text. Just the fact that they can put together such a detailed account of how the attackers got in shows how smart they are. I’ve been in charge of systems that were hacked before, and it is extremely difficult to put together a detailed post-mortem like this.

So, the message for today is, watch your back, triple-check your security, and pray to whoever it is you pray to.