So much for being anonymous
May 10, 2010 Opinion, Security News
I just read an interesting article at abuse.ch about anonymizing proxy use and the privacy and security concerns that many of us don’t take into account.
*** The bad things you don’t know about such proxies ***
Unfortunately the other side of the coin looks much worse:
- You don’t know who runs these proxies
- You don’t know if these proxies are secure and clean from any malware and drive-bys
- You don’t know the intentions of the persons who run these proxies (maybe they mean ill?)
But you must be aware of one fact: Those proxies aren’t anonymous! Web proxy scripts like Glype & Co have a freely configurable option for whether the administrator of the (Glype) proxy wants to log the requests which are passing his proxy or not. And you can be sure that most Glype administrators will do so.
Go have a read here.
Words to the Wise
Nov 13, 2009 Opinion
Recently Dave from the DailyDave security mailing list said something very insightful that I wanted to re-post here:
When you go into security consulting engagements with a new business unit you usually face a few questions from the developers and business owners. “What is it exactly that you’re going to tell us?”
We always answer this the same way: “Things that will surprise you.”
Most developers have read a lot about security these days – they understand SQL Injection, Cross Site Scripting, access control, not to use their own cryptographics, and all sorts of other security truisms.
What they can’t possibly understand is how a hacker’s mind works, and what they’re likely to find. Even security specialists who have only worked defence often have never really seen a hacker go.
Largely I think this is because there’s a difference between someone playing cards with chips and someone with their house and life on the line. People say penetration testing is a model of an attacker. But how do you model obsession?
-dave
I totally agree. We can use the same tools, adopt the same techniques, but the mind of an intruder may be so completely alien to any defender that the yawning gulf of difference in mindsets that separates us prevents comprehension and hinders our efforts to combat them.



