More on: Opinion: Jikto - Evil by the Good that will result in Good


A friend pinged me in confidence, regarding my last statement on the post:

"the good guys will be able to invent a silver bullet to fix this thing once and for all."
One really bad thing about the type-written word is that it's very difficult for vocal inflections to come across properly. Anybody who knows me personally knows that I tend to think with my mouth at times, rather than with my brain - I say the words before I have a chance to process them, and I tend to use sarcasm more than is really prudent.

The remark I made about the good guys finding a silver bullet was and was not meant to be sarcastic. Here are several things I can use to clarify the remark:
  • I don't think there's going to be some "magical solution" that will make XSS go away all by itself. History and browser security tell us so.
  • I do believe there's a cure (output filtering, XHTML, proper input filtering, level of indirection) for it, but it doesn't implement itself. It takes a lot of work to discover existing problems, fix those existing problems, and instill a development culture of good coding practices.
  • I do believe that the organizations that want to be rid of XSS can be rid of it, but again, it's hard.
  • I am not sorry I made the statement.
  • I am sorry for not clarifying what I meant. I shall try in the future to make sure that comments I type don't rely on the reader to read with the proper vocal inflections to understand the meaning - especially since English is not the primary language of many of my readers.
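As an added illustration of the measures listed above (example code written for this page, not from the original post or from Jikto): output encoding for the HTML text and attribute contexts, an allow-list input check, and a lookup table standing in for the "level of indirection". The probe strings, the username rule and the theme table are all constructed for the example.

```python
import html
import re

# Constructed sample inputs for the example (not taken from the post).
PROBE = '<script>alert(1)</script>'
ATTR_PROBE = '" onmouseover="alert(1)'


def render_vulnerable(name):
    """The 'before': untrusted input concatenated straight into HTML."""
    return "<p>Hello, " + name + "!</p>"


def render_output_encoded(name):
    """Output filtering: encode at the point of output, for the text context."""
    return "<p>Hello, " + html.escape(name, quote=True) + "!</p>"


def render_attribute(value):
    """Attribute context: quote the attribute AND encode quotes inside it."""
    return '<input name="q" value="' + html.escape(value, quote=True) + '">'


# Input filtering: an allow-list for a field with a known shape (constructed rule).
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def accept_username(name):
    """Reject anything outside the allow-list instead of trying to clean it up."""
    return USERNAME_RE.fullmatch(name) is not None


# Level of indirection: the client sends a key, the server looks up the real
# value, so client-controlled text never reaches the page at all.
THEMES = {"light": "style-light.css", "dark": "style-dark.css"}


def resolve_theme(key, default="light"):
    """Unknown keys fall back to the default rather than being echoed."""
    return THEMES.get(key, THEMES[default])


if __name__ == "__main__":
    print(render_vulnerable(PROBE))       # script tag lands in the page intact
    print(render_output_encoded(PROBE))   # script tag rendered as literal text
    print(render_attribute(ATTR_PROBE))   # quote cannot break out of the attribute
    print(accept_username(PROBE), resolve_theme("../../etc/passwd"))
```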
And Billy Hoffman (or somebody pretending to be Billy - but they type a lot like he speaks) has posted a blog entry explaining what the discussion will be about, and defending the means by which the information will be disclosed. And with that, I defer any further discussion on the matter to Billy himself - how dare I try to tell you what he meant.