JavaScript bug hunting tool demonstrated by skullaria at 11:58 am EDT, Mar 26, 2007
That's a good description of Billy. lol Cool. :)
RE: JavaScript bug hunting tool demonstrated by dc0de at 8:08 pm EDT, Apr 8, 2007
skullaria wrote: That's a good description of Billy. lol Cool. :)
Billy Hoffman is my hero. And he's up to 1,450,000! Results 1 - 10 of about 1,450,000 for billy hoffman. (0.23 seconds)
JavaScript bug hunting tool demonstrated by possibly noteworthy at 10:57 am EDT, Mar 25, 2007
A security researcher at ShmooCon on Saturday demonstrated, but did not release, a tool that turns the PCs of unknowing Web surfers into hacker help. As expected, SPI Dynamics researcher Billy Hoffman demonstrated a Web application vulnerability scanner written in JavaScript. The tool, called Jikto, can make an unsuspecting Web user's PC silently crawl and audit public Web sites, and send the results to a third party, Hoffman said. "The whole point was to show how scary cross-site scripting has become."
"Once one person has talked about the ability to do it, it doesn't take that long for somebody else to come up with it," said one ShmooCon attendee who asked to remain anonymous. "It will come out."
There are already 50k hits for a Google search on "Jikto". A few comments from around the web: Jeremiah Grossman, of Whitehat Security, and "Pascal". Anurag Agarwal offered a Reflection on Billy Hoffman, along with a photo:
This week on Reflection we have a very young guy from the webappsec field. Billy’s knowledge on Ajax is tremendous ... his ability to think differently has helped him achieve so much in such a short time. I got a chance to meet with him in the WASC meetup at RSA. He is a very lively character. Let me put it this way, if Billy is a part of a conversation, you won’t get bored even if you just stand there and listen.
Billy Hoffman: 'Would you like a destroyed Internet with your JavaScript?' by Rattle at 12:10 pm EDT, Mar 25, 2007
Anyone who has worked with Billy knows he is one of the best security researchers in the world. Billy is among the first people I contact when I need to bounce an idea off someone, and the insight he brings to the table is always impressive. Based on my firsthand experience, it is incomplete to the degree of inaccuracy to simply say "he thinks outside the box". Billy destroys the box before your eyes while telling you what you need to keep in mind when building your next box. We can say with confidence that when what comes after "Web 2.0"/AJAX is created, Billy's work will be one of the factors driving design decisions. I enjoy watching him repeatedly pop up in the press. I feel proud to have known him back when he was just an unknown college student getting sued for the first time... :) Oh, btw... Billy is also a member of the Industrial Memetics Team, and actively contributes to MemeStreams development. We consider ourselves lucky.
Billy Hoffman: 'Would you like a destroyed Internet with your JavaScript?' by Decius at 5:54 pm EDT, Mar 25, 2007
Billy got an amazing amount of press out of this one. Google is up to 74,000!
Jikto craziness by Acidus at 9:36 am EDT, Mar 26, 2007
Rattle Says: This week on Reflection we have a very young guy from the webappsec field. Billy’s knowledge on Ajax is tremendous ... his ability to think differently has helped him achieve so much in such a short time. I got a chance to meet with him in the WASC meetup at RSA. He is a very lively character. Let me put it this way, if billy is a part of a conversation, you won’t get bored even if you just stand there and listen.
Anyone who has worked with Billy knows, he is one of the best security researchers in the world. Billy is among the first people I contact when I need to bounce an idea off someone, and the insight he brings to the table is always impressive. Based on my firsthand experience, it is incomplete to the degree of inaccuracy to simply say "he thinks outside the box". Billy destroys the box before your eyes while telling you what you need to keep in mind when building your next box. We can say with confidence, that when what comes after "Web 2.0"/AJAX is created, Billy's work will be one of the factors driving design decisions. I enjoy watching him repeatedly pop up in the press. I feel proud to have known him back when he was just an unknown college student getting sued for the first time.. :)
This has been an interesting week. It started with people who don't even know me questioning my moral fiber. They hadn't seen Jikto. They hadn't asked me what it did. Instead they based all their opinions solely on a news article. As in any situation, forming an opinion, let alone announcing your opinion on a blog, when it's only based on knowledge from 1 or 2 sources is rather irresponsible.
However, I must say I laughed more than anything this week. How can you not when you see two people who have never even met you arguing on a public forum: "I think Billy really means this...." "No you're wrong, the larger point of Jikto is ..." I should say that only a handful of these colorful commentators ever stopped to ask me anything.
All in all I think Jikto has been a success. The demo went extremely well. The presentation was packed to standing room only. I gave a detailed description of the architecture, an exhaustive demo, showed proxy dumps of what was happening, and discussed improvements. I received lots of positive feedback and thanks from many important people, including high-level people at Microsoft, Google, MITRE, DoD, IEEE, and Mozilla, for disclosing what I had found. As with any good con, I left with more ideas than I arrived with, and hopefully the audience left with a better understanding of the dangers of XSS.