<article>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#article10_03_21_1341201</id>
	<title>Google Hands Out Web Security Scanner</title>
	<author>Soulskill</author>
	<datestamp>1269182160000</datestamp>
	<htmltext>An anonymous reader writes <i>"Apparently feeling generous this week, Google has <a href="http://googleonlinesecurity.blogspot.com/2010/03/meet-skipfish-our-automated-web.html">released for free another of their internally developed tools</a>: this time, a nifty <a href="http://en.wikipedia.org/wiki/Web_application_security_scanner">web security scanner</a> dubbed <a href="http://code.google.com/p/skipfish">skipfish</a>. A vendor-sponsored study cited by InformationWeek discovered that <a href="http://www.informationweek.com/news/security/app-security/showArticle.jhtml?articleID=224000223">90% of all web applications are vulnerable to security attacks</a>. Are Google's security people trying to change this?"</i></htmltext>
<tokentext>An anonymous reader writes " Apparently feeling generous this week , Google has released for free another of their internally developed tools : this time , a nifty web security scanner dubbed skipfish .
A vendor-sponsored study cited by InformationWeek discovered that 90 % of all web applications are vulnerable to security attacks .
Are Google 's security people trying to change this ?
"</tokentext>
<sentencetext>An anonymous reader writes "Apparently feeling generous this week, Google has released for free another of their internally developed tools: this time, a nifty web security scanner dubbed skipfish.
A vendor-sponsored study cited by InformationWeek discovered that 90% of all web applications are vulnerable to security attacks.
Are Google's security people trying to change this?
"</sentencetext>
</article>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31557962</id>
	<title>2 side sword</title>
	<author>Anonymous</author>
	<datestamp>1269190800000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>2</modscore>
	<htmltext>Is VERY fast, been observed 500 requests/second against responsive internet servers, 2000/sec when in the same LAN, and of course, is targeted against dynamic apps, not exactly static images/content. With that speed the first vulnerability that they will find is vulnerability to DoS attacks. The good news: when the bad guys try to find your application vulnerabilities using this tool, that will be the only one that they will find. Worst case scenario: the code gets included in a botnet,</htmltext>
<tokentext>Is VERY fast , been observed 500 requests/second against responsive internet servers , 2000/sec when in the same LAN , and of course , is targeted against dynamic apps , not exactly static images/content .
With that speed the first vulnerability that they will find is vulnerability to DoS attacks .
The good news : when the bad guys try to find your application vulnerabilities using this tool , that will be the only one that they will find .
Worst case scenario : the code gets included in a botnet,</tokentext>
<sentencetext>Is VERY fast, been observed 500 requests/second against responsive internet servers, 2000/sec when in the same LAN, and of course, is targeted against dynamic apps, not exactly static images/content.
With that speed the first vulnerability that they will find is vulnerability to DoS attacks.
The good news: when the bad guys try to find your application vulnerabilities using this tool, that will be the only one that they will find.
Worst case scenario: the code gets included in a botnet,</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31557744</id>
	<title>Re:I don't trust it</title>
	<author>gmuslera</author>
	<datestamp>1269188220000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>4</modscore>
	<htmltext>They want to promote more use of their services. One way to do that is to make the web safer, helping more sites to flourish, and so compelling users to do more things online, which will only help them.

So in this case, even if they are doing it for their own selfish motives, they are actually trying to help you. So, in this particular case, your privacy won't get harmed and you will get a good tool. Why not take it? Do you want the real bad guys, instead of Google, to get your personal and job data?</htmltext>
<tokentext>They want to promote more use of their services .
One way to do that is to make the web safer , helping more sites to flourish , and so compelling users to do more things online , which will only help them .
So in this case , even if they are doing it for their own selfish motives , they are actually trying to help you .
So , in this particular case , your privacy wo n't get harmed and you will get a good tool .
Why not take it ?
Do you want the real bad guys , instead of Google , to get your personal and job data ?</tokentext>
<sentencetext>They want to promote more use of their services.
One way to do that is to make the web safer, helping more sites to flourish, and so compelling users to do more things online, which will only help them.
So in this case, even if they are doing it for their own selfish motives, they are actually trying to help you.
So, in this particular case, your privacy won't get harmed and you will get a good tool.
Why not take it?
Do you want the real bad guys, instead of Google, to get your personal and job data?</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31557492</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31558348</id>
	<title>Re:Can someone explain this</title>
	<author>SanityInAnarchy</author>
	<datestamp>1269194640000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>That is weird. Given Google Chrome does it, too, I'd assume it's something wrong on their side.</p><p>In particular, the headers for that URL are:</p><div class="quote"><p>200 OK<br>Cache-Control: public, max-age=604800<br>Connection: close<br>Date: Sun, 21 Mar 2010 11:57:00 GMT<br>Accept-Ranges: bytes<br>Age: 18380<br>Server: DFE/largefile<br>Content-Length: 146941<br>Content-Type: image/png<br>Expires: Sun, 28 Mar 2010 11:57:00 GMT<br>Last-Modified: Thu, 18 Mar 2010 19:13:33 GMT<br>Client-Date: Sun, 21 Mar 2010 17:03:20 GMT<br>Client-Peer: 209.85.225.82:80<br>Client-Response-Num: 1<br><b>Content-Disposition: attachment; filename="skipfish-screen.png"</b><br>X-XSS-Protection: 0</p></div><p>In other words, the server is deliberately telling your browser to treat it as an opaque attachment to be downloaded (and saved with that filename), and not something to be displayed.</p>
	</htmltext>
<tokentext>That is weird .
Given Google Chrome does it , too , I 'd assume it 's something wrong on their side .
In particular , the headers for that URL are :
200 OK
Cache-Control : public , max-age = 604800
Connection : close
Date : Sun , 21 Mar 2010 11 : 57 : 00 GMT
Accept-Ranges : bytes
Age : 18380
Server : DFE/largefile
Content-Length : 146941
Content-Type : image/png
Expires : Sun , 28 Mar 2010 11 : 57 : 00 GMT
Last-Modified : Thu , 18 Mar 2010 19 : 13 : 33 GMT
Client-Date : Sun , 21 Mar 2010 17 : 03 : 20 GMT
Client-Peer : 209.85.225.82 : 80
Client-Response-Num : 1
Content-Disposition : attachment ; filename = " skipfish-screen.png "
X-XSS-Protection : 0
In other words , the server is deliberately telling your browser to treat it as an opaque attachment to be downloaded ( and saved with that filename ) , and not something to be displayed .</tokentext>
<sentencetext>That is weird.
Given Google Chrome does it, too, I'd assume it's something wrong on their side.
In particular, the headers for that URL are:
200 OK
Cache-Control: public, max-age=604800
Connection: close
Date: Sun, 21 Mar 2010 11:57:00 GMT
Accept-Ranges: bytes
Age: 18380
Server: DFE/largefile
Content-Length: 146941
Content-Type: image/png
Expires: Sun, 28 Mar 2010 11:57:00 GMT
Last-Modified: Thu, 18 Mar 2010 19:13:33 GMT
Client-Date: Sun, 21 Mar 2010 17:03:20 GMT
Client-Peer: 209.85.225.82:80
Client-Response-Num: 1
Content-Disposition: attachment; filename="skipfish-screen.png"
X-XSS-Protection: 0
In other words, the server is deliberately telling your browser to treat it as an opaque attachment to be downloaded (and saved with that filename), and not something to be displayed.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31558282</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31558104</id>
	<title>Re:Oh Please, GIVE IT A REST.</title>
	<author>Hurricane78</author>
	<datestamp>1269192180000</datestamp>
	<modclass>Troll</modclass>
	<modscore>0</modscore>
	<htmltext><p>That is like saying that you shouldn&rsquo;t badmouth Hitler, but just not go to Germany in 1942. ;)</p></htmltext>
<tokentext>That is like saying that you should n't badmouth Hitler , but just not go to Germany in 1942 . ; )</tokentext>
<sentencetext>That is like saying that you shouldn't badmouth Hitler, but just not go to Germany in 1942. ;)</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31557714</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31558402</id>
	<title>Re:Oh Please, GIVE IT A REST.</title>
	<author>Anonymous</author>
	<datestamp>1269195180000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Bless their sugar coated, crunchy (yet, a little chewy) hearts. What will we do now that we won't be able to laugh at idiots and their insecure sites screw-ups?</p></htmltext>
<tokentext>Bless their sugar coated , crunchy ( yet , a little chewy ) hearts .
What will we do now that we wo n't be able to laugh at idiots and their insecure sites screw-ups ?</tokentext>
<sentencetext>Bless their sugar coated, crunchy (yet, a little chewy) hearts.
What will we do now that we won't be able to laugh at idiots and their insecure sites screw-ups?</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31557714</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31558398</id>
	<title>Re:Oh Please, GIVE IT A REST.</title>
	<author>Anonymous</author>
	<datestamp>1269195120000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><div class="quote"><div class="quote"><p>Google is one of the most anti-privacy, intrusive evil corporations out there, second only to Facebook. They make a living over promiscuous sharing of personal data. Why should I trust them?</p></div><p>Have they ever lied to you about what they do? I don't use Google under any misinformed idea that they *don't* track everything I do. I go into it knowing that this *is their business*.</p><p>Were you under some other impression?</p></div><p>Or the fact that any other company that does anything similar to google is also tracking everything you're doing there as well?</p>
	</htmltext>
<tokentext>Google is one of the most anti-privacy , intrusive evil corporations out there , second only to Facebook .
They make a living over promiscuous sharing of personal data .
Why should I trust them ?
Have they ever lied to you about what they do ?
I do n't use Google under any misinformed idea that they * do n't * track everything I do .
I go into it knowing that this * is their business * .
Were you under some other impression ?
Or the fact that any other company that does anything similar to google is also tracking everything you 're doing there as well ?</tokentext>
<sentencetext>Google is one of the most anti-privacy, intrusive evil corporations out there, second only to Facebook.
They make a living over promiscuous sharing of personal data.
Why should I trust them?
Have they ever lied to you about what they do?
I don't use Google under any misinformed idea that they *don't* track everything I do.
I go into it knowing that this *is their business*.
Were you under some other impression?
Or the fact that any other company that does anything similar to google is also tracking everything you're doing there as well?
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31557714</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31558692</id>
	<title>Re:Can someone explain this</title>
	<author>gilgongo</author>
	<datestamp>1269197760000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Ironically, when I clicked that link, I thought "Woah! The server's trying to send me a file that's not an image! It must be 0wned!"</p><p>But I carried on anyway because of my blind faith in all things Google, and was greeted by a rather ugly screenshot. And maybe an infected desktop or something...</p></htmltext>
<tokentext>Ironically , when I clicked that link , I thought " Woah !
The server 's trying to send me a file that 's not an image !
It must be 0wned ! "
But I carried on anyway because of my blind faith in all things Google , and was greeted by a rather ugly screenshot .
And maybe an infected desktop or something ...</tokentext>
<sentencetext>Ironically, when I clicked that link, I thought "Woah!
The server's trying to send me a file that's not an image!
It must be 0wned!"
But I carried on anyway because of my blind faith in all things Google, and was greeted by a rather ugly screenshot.
And maybe an infected desktop or something...</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31558282</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31558004</id>
	<title>Re:I don't trust it</title>
	<author>correnos</author>
	<datestamp>1269191220000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext>I agree with most of your points, and agree that idiot conspiracy theorists are way too hard on Google. However, I'm not quite sure that you're correct in saying that Google is the top sponsor for Firefox. I couldn't find any info on it, but it seems unlikely seeing as google has its own browser.</htmltext>
<tokentext>I agree with most of your points , and agree that idiot conspiracy theorists are way too hard on Google .
However , I 'm not quite sure that you 're correct in saying that Google is the top sponsor for Firefox .
I could n't find any info on it , but it seems unlikely seeing as google has its own browser .</tokentext>
<sentencetext>I agree with most of your points, and agree that idiot conspiracy theorists are way too hard on Google.
However, I'm not quite sure that you're correct in saying that Google is the top sponsor for Firefox.
I couldn't find any info on it, but it seems unlikely seeing as google has its own browser.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31557840</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31559376</id>
	<title>Re:I don't trust it</title>
	<author>shoehornjob</author>
	<datestamp>1269203880000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Get over it, privacy is dead (according to that asshole from facebook) and any website/app will mine/sell your data. Information is the new currency of the web. If you are going to be sold you might as well get something for it (enter Google Apps)</htmltext>
<tokentext>Get over it , privacy is dead ( according to that asshole from facebook ) and any website/app will mine/sell your data .
Information is the new currency of the web .
If you are going to be sold you might as well get something for it ( enter Google Apps )</tokentext>
<sentencetext>Get over it, privacy is dead (according to that asshole from facebook) and any website/app will mine/sell your data.
Information is the new currency of the web.
If you are going to be sold you might as well get something for it (enter Google Apps)</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31557686</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31558098</id>
	<title>Re:I don't trust it</title>
	<author>mrjatsun</author>
	<datestamp>1269192120000</datestamp>
	<modclass>Flamebait</modclass>
	<modscore>1</modscore>
	<htmltext><p>I like Google and their products. I use them all the time.</p><p>But I am concerned about them and every other company which keeps information<br>on me... It's totally out of control.</p><p>While I don't have a lot of concern on what Google does with the information today..<br>I do worry about criminals getting a hold of the information (if they haven't, it's just a<br>matter of time).  And I do worry that the company Google is today will not be the<br>same as the company Google is tomorrow.</p><p>I agree with your assertion that you are replying to FUD... But, in some ways,<br>your reply is FUD too.. While Google may be better than all those other<br>companies today, does that make the data collection they do OK? It's not<br>a question specific to them.</p><p>&gt; and they also provide tons of great open source products.</p><p>I consider Google to be open source neutral. They open source very little<br>of their code. I would like to know how much money, as a company, they<br>spend on open source software vs the money spent on all software they<br>write..  I would expect a very low percentage.</p><p>i.e. personally I would like to look through the code for the gmail client,<br>maps, reader, jabber client, calendar, etc. None of this is core to their income<br>stream. I believe it would help dramatically improve other websites on<br>the web over time.</p><p>What about their e-mail server, IM server, calendar, etc?</p><p>I understand why they would keep their search algorithm closed.<br>Their data and how they mine it is where their real value is.<br>It certainly is their prerogative to keep everything else closed<br>too...  But I certainly wouldn't call them open source friendly.</p></htmltext>
<tokentext>I like Google and their products .
I use them all the time .
But I am concerned about them and every other company which keeps information on me ... It 's totally out of control .
While I do n't have a lot of concern on what Google does with the information today .. I do worry about criminals getting a hold of the information ( if they have n't , it 's just a matter of time ) .
And I do worry that the company Google is today will not be the same as the company Google is tomorrow .
I agree with your assertion that you are replying to FUD ... But , in some ways , your reply is FUD too .. While Google may be better than all those other companies today , does that make the data collection they do OK ?
It 's not a question specific to them .
&gt; and they also provide tons of great open source products .
I consider Google to be open source neutral .
They open source very little of their code .
I would like to know how much money , as a company , they spend on open source software vs the money spent on all software they write .. I would expect a very low percentage .
i.e. personally I would like to look through the code for the gmail client , maps , reader , jabber client , calendar , etc .
None of this is core to their income stream .
I believe it would help dramatically improve other websites on the web over time .
What about their e-mail server , IM server , calendar , etc ?
I understand why they would keep their search algorithm closed .
Their data and how they mine it is where their real value is .
It certainly is their prerogative to keep everything else closed too ... But I certainly would n't call them open source friendly .</tokentext>
<sentencetext>I like Google and their products.
I use them all the time.
But I am concerned about them and every other company which keeps information on me... It's totally out of control.
While I don't have a lot of concern on what Google does with the information today.. I do worry about criminals getting a hold of the information (if they haven't, it's just a matter of time).
And I do worry that the company Google is today will not be the same as the company Google is tomorrow.
I agree with your assertion that you are replying to FUD... But, in some ways, your reply is FUD too.. While Google may be better than all those other companies today, does that make the data collection they do OK?
It's not a question specific to them.
&gt; and they also provide tons of great open source products.
I consider Google to be open source neutral.
They open source very little of their code.
I would like to know how much money, as a company, they spend on open source software vs the money spent on all software they write.. I would expect a very low percentage.
i.e. personally I would like to look through the code for the gmail client, maps, reader, jabber client, calendar, etc.
None of this is core to their income stream.
I believe it would help dramatically improve other websites on the web over time.
What about their e-mail server, IM server, calendar, etc?
I understand why they would keep their search algorithm closed.
Their data and how they mine it is where their real value is.
It certainly is their prerogative to keep everything else closed too... But I certainly wouldn't call them open source friendly.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31557840</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31558102</id>
	<title>Re:I don't trust it</title>
	<author>LordThyGod</author>
	<datestamp>1269192120000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Amen. There is nobody out there doing anything near what Google has done to improve the internet for all of us by providing free tools. Nobody. Of course, it's in their own self-interest to do so. But it's in mine too.</htmltext>
<tokentext>Amen .
There is nobody out there doing anything near what Google has done to improve the internet for all of us by providing free tools .
Nobody .
Of course , it 's in their own self-interest to do so .
But it 's in mine too .</tokentext>
<sentencetext>Amen.
There is nobody out there doing anything near what Google has done to improve the internet for all of us by providing free tools.
Nobody.
Of course, it's in their own self-interest to do so.
But it's in mine too.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31557840</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31559092</id>
	<title>Re:I don't trust it</title>
	<author>Anonymous</author>
	<datestamp>1269201360000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>1</modscore>
	<htmltext><p>Here's your evidence: *.doubleclick.net (e.g., g.doubleclick.net, ad.doubleclick.net) still infests the web with its ads and cookies on a great majority of websites.</p><p>They are still using Doubleclick technologies on the web in parallel with their own technologies. Doubleclick was considered as "evil" long before they were acquired by Google, and that doesn't change as long as the Doubleclick presence persists on those websites. Check it for yourself--enable your cookies and turn off your ad-blocker--Doubleclick still serves various types of animated ads and Flash ads just like several other ad providers in existence (Burstnet, Fastclick, etc.) that the ad-blockers have been designed to block.</p></htmltext>
<tokentext>Here 's your evidence : * .doubleclick.net ( e.g. , g.doubleclick.net , ad.doubleclick.net ) still infests the web with its ads and cookies on a great majority of websites .
They are still using Doubleclick technologies on the web in parallel with their own technologies .
Doubleclick was considered as " evil " long before they were acquired by Google , and that does n't change as long as the Doubleclick presence persists on those websites .
Check it for yourself -- enable your cookies and turn off your ad-blocker -- Doubleclick still serves various types of animated ads and Flash ads just like several other ad providers in existence ( Burstnet , Fastclick , etc. ) that the ad-blockers have been designed to block .</tokentext>
<sentencetext>Here's your evidence: *.doubleclick.net (e.g., g.doubleclick.net, ad.doubleclick.net) still infests the web with its ads and cookies on a great majority of websites.
They are still using Doubleclick technologies on the web in parallel with their own technologies.
Doubleclick was considered as "evil" long before they were acquired by Google, and that doesn't change as long as the Doubleclick presence persists on those websites.
Check it for yourself--enable your cookies and turn off your ad-blocker--Doubleclick still serves various types of animated ads and Flash ads just like several other ad providers in existence (Burstnet, Fastclick, etc.) that the ad-blockers have been designed to block.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31557840</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31557492</id>
	<title>I don't trust it</title>
	<author>Anonymous</author>
	<datestamp>1269186060000</datestamp>
	<modclass>Troll</modclass>
	<modscore>-1</modscore>
	<htmltext><p>Google is one of the most anti-privacy, intrusive evil corporations out there, second only to Facebook. They make a living over promiscuous sharing of personal data. Why should I trust them?</p></htmltext>
<tokentext>Google is one of the most anti-privacy , intrusive evil corporations out there , second only to Facebook .
They make a living over promiscuous sharing of personal data .
Why should I trust them ?</tokentext>
<sentencetext>Google is one of the most anti-privacy, intrusive evil corporations out there, second only to Facebook.
They make a living over promiscuous sharing of personal data.
Why should I trust them?</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31557624</id>
	<title>Google API</title>
	<author>Tokerat</author>
	<datestamp>1269187200000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>4</modscore>
	<htmltext>Considering how many web apps use Google APIs in some form or another these days, I'd say it's in their best interests to ensure those sites don't all become a liability to each other by way of their centralized cloud.</htmltext>
<tokentext>Considering how many web apps use Google APIs in some form or another these days , I 'd say it 's in their best interests to ensure those sites do n't all become a liability to each other by way of their centralized cloud .</tokentext>
<sentencetext>Considering how many web apps use Google APIs in some form or another these days, I'd say it's in their best interests to ensure those sites don't all become a liability to each other by way of their centralized cloud.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31558610</id>
	<title>The 90% figure is wrong</title>
	<author>Anonymous</author>
	<datestamp>1269197100000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>I peeked at the report, out of curiosity. They don't claim that 90% of web applications are vulnerable, they DO claim that 90% (well, 89%) of all the web vulnerabilities are in web applications (which is quite a different thing).</p></htmltext>
<tokentext>I peeked at the report , out of curiosity .
They do n't claim that 90 % of web applications are vulnerable , they DO claim that 90 % ( well , 89 % ) of all the web vulnerabilities are in web applications ( which is quite a different thing ) .</tokentext>
<sentencetext>I peeked at the report, out of curiosity.
They don't claim that 90% of web applications are vulnerable, they DO claim that 90% (well, 89%) of all the web vulnerabilities are in web applications (which is quite a different thing).</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31563264</id>
	<title>Re:Can someone explain this</title>
	<author>shird</author>
	<datestamp>1269189480000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Well, they are linking to the "downloads" section (check out the downloads section, it's the same URL). It makes sense that the "downloads" should be serving stuff up as downloaded rather than embedded content.</p></htmltext>
<tokentext>Well , they are linking to the " downloads " section ( check out the downloads section , it 's the same URL ) .
It makes sense that the " downloads " should be serving stuff up as downloaded rather than embedded content .</tokentext>
<sentencetext>Well, they are linking to the "downloads" section (check out the downloads section, it's the same URL).
It makes sense that the "downloads" should be serving stuff up as downloaded rather than embedded content.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31558348</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31574124</id>
	<title>Re:2 side sword</title>
	<author>Nicolay77</author>
	<datestamp>1269290820000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Yeah, because no one else can write a C web client any more, only Google.</p><p>&lt;/sarcasm&gt;</p><p>Really, do you work for Fox News or something?</p></htmltext>
<tokentext>Yeah , because no one else can write a C web client any more , only Google .
Really , do you work for Fox News or something ?</tokentext>
<sentencetext>Yeah, because no one else can write a C web client any more, only Google.
Really, do you work for Fox News or something?</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31557962</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31558544</id>
	<title>As Spock would say ...</title>
	<author>ClosedSource</author>
	<datestamp>1269196320000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>"At what rate of payment?"</p></htmltext>
<tokentext>" At what rate of payment ?
"</tokentext>
<sentencetext>"At what rate of payment?
"</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31557686</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31558642</id>
	<title>Re:Oh Please, GIVE IT A REST.</title>
	<author>Anonymous</author>
	<datestamp>1269197400000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Why did you click "yes" on the page asking you if you'd like to use it, then? It doesn't sound like they tricked you so much as you're just an idiot.</p></htmltext>
<tokentext>Why did you click " yes " on the page asking you if you 'd like to use it , then ?
It does n't sound like they tricked you so much as you 're just an idiot .</tokentext>
<sentencetext>Why did you click "yes" on the page asking you if you'd like to use it, then?
It doesn't sound like they tricked you so much as you're just an idiot.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31558260</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31558632</id>
	<title>Here it is on GitHub</title>
	<author>richtaur</author>
	<datestamp>1269197340000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><a href="http://github.com/spinkham/skipfish" title="github.com" rel="nofollow">http://github.com/spinkham/skipfish</a> [github.com]</htmltext>
<tokenext>http : //github.com/spinkham/skipfish [ github.com ]</tokentext>
<sentencetext>http://github.com/spinkham/skipfish [github.com]</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31560912</id>
	<title>Re:I don't trust it</title>
	<author>Anonymous</author>
	<datestamp>1269170880000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>An interesting stat which has shot up in the past 6 months actually makes it really hard to not use "Google Services". If you're the admin type for a reasonable organisation, take a look at the growth in bandwidth use for *google-analytics.com (that you! pay for). Sure, it's nifty for the sites who include it "for free" but all the information goes back to Google first. Suffice to say for an organisation of around 3600 people, I saw a growth from 505MB per month July last year, to more than 20GB monthly now. If you've got the rights, check it out, I now have to try and figure out how to block it on a corporate level, without breaking the user experience which sounds quite tricky from all accounts...  Remember, it's not just to serve up ads, these "free" services are collecting other things for both other websites and Google.</p></htmltext>
<tokenext>An interesting stat which has shot up in the past 6 months actually makes it really hard to not use " Google Services " .
If you 're the admin type for a reasonable organisation , take a look at the growth in bandwidth use for * google-analytics.com ( that you !
pay for ) .
Sure , it 's nifty for the sites who include it " for free " but all the information goes back to Google first .
Suffice to say for an organisation of around 3600 people , I saw a growth from 505MB per month July last year , to more than 20GB monthly now .
If you 've got the rights , check it out , I now have to try and figure out how to block it on a corporate level , without breaking the user experience which sounds quite tricky from all accounts... Remember , it 's not just to serve up ads , these " free " services are collecting other things for both other websites and Google .</tokentext>
<sentencetext>An interesting stat which has shot up in the past 6 months actually makes it really hard to not use "Google Services".
If you're the admin type for a reasonable organisation, take a look at the growth in bandwidth use for *google-analytics.com (that you!
pay for).
Sure, it's nifty for the sites who include it "for free" but all the information goes back to Google first.
Suffice to say for an organisation of around 3600 people, I saw a growth from 505MB per month July last year, to more than 20GB monthly now.
If you've got the rights, check it out, I now have to try and figure out how to block it on a corporate level, without breaking the user experience which sounds quite tricky from all accounts...  Remember, it's not just to serve up ads, these "free" services are collecting other things for both other websites and Google.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31557840</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31563252</id>
	<title>Many people are working to help App insecurity.</title>
	<author>workie</author>
	<datestamp>1269189240000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>2</modscore>
	<htmltext>I just wanted to point out that many organizations and people are trying to resolve the global web-insecurity issue caused by many things including application insecurity.  Google is just one participant in this effort.

What is frustrating is that when Google talks people call it news. When these other organizations make contributions, nothing is heard.</htmltext>
<tokenext>I just wanted to point out that many organizations and people are trying to resolve the global web-insecurity issue caused by many things including application insecurity .
Google is just one participant in this effort .
What is frustrating is that when Google talks people call it news .
When these other organizations make contributions , nothing is heard .</tokentext>
<sentencetext>I just wanted to point out that many organizations and people are trying to resolve the global web-insecurity issue caused by many things including application insecurity.
Google is just one participant in this effort.
What is frustrating is that when Google talks people call it news.
When these other organizations make contributions, nothing is heard.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31557840</id>
	<title>Re:I don't trust it</title>
	<author>Enderandrew</author>
	<datestamp>1269189240000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>5</modscore>
	<htmltext><p>I could just bury your comment by modding you a troll, but I'd rather correct the misinformation.</p><p>Microsoft has patents on how to sell your personal information to the highest bidder. Microsoft, Yahoo, and AOL all handed over your personal search histories to the US government. They all play ball in China. Yahoo handed over bloggers to the Chinese government.</p><p>Google targets ads to you, but they don't share your personal data out to anyone. Google tracks your information to serve up ads, but this is all machine controlled. It isn't like Google employees sit around all day reading your email.</p><p>If you don't want Google to have your information, then don't use their services. I happen to really like their services. I want the convenience of being able to get to my mail from any device without having to try and run my own mail server (dealing with SSH attacks, whitelisting, backups, etc. can be a pain). Google provides me a free service I enjoy, and thusly I willingly accept the trade-off of targeted ads.</p><p>They are VERY upfront about what they do, and they also provide tons of great open source products. They are the primary funder of Firefox, and they fund a decent chunk of Linux development. I'm sick of people calling them evil every single day without providing one single piece of evidence.</p><p>Either provide some evidence, or stop spouting FUD and lies. Personally, I'm sick of it.</p></htmltext>
<tokenext>I could just bury your comment by modding you a troll , but I 'd rather correct the misinformation.Microsoft has patents on how to sell your personal information to the highest bidder .
Microsoft , Yahoo , and AOL all handed over your personal search histories to the US government .
They all play ball in China .
Yahoo handed over bloggers to the Chinese government.Google targets ads to you , but they do n't share your personal data out to anyone .
Google tracks your information to serve up ads , but this is all machine controlled .
It is n't like Google employees sit around all day reading your email.If you do n't want Google to have your information , then do n't use their services .
I happen to really like their services .
I want the convenience of being able to get to my mail from any device without having to try and run my own mail server ( dealing with SSH attacks , whitelisting , backups , etc .
can be a pain ) .
Google provides me a free service I enjoy , and thusly I willingly accept the trade-off of targeted ads.They are VERY upfront about what they do , and they also provide tons of great open source products .
They are the primary funder of Firefox , and they fund a decent chunk of Linux development .
I 'm sick of people calling them evil every single day without providing one single piece of evidence.Either provide some evidence , or stop spouting FUD and lies .
Personally , I 'm sick of it .</tokentext>
<sentencetext>I could just bury your comment by modding you a troll, but I'd rather correct the misinformation.Microsoft has patents on how to sell your personal information to the highest bidder.
Microsoft, Yahoo, and AOL all handed over your personal search histories to the US government.
They all play ball in China.
Yahoo handed over bloggers to the Chinese government.Google targets ads to you, but they don't share your personal data out to anyone.
Google tracks your information to serve up ads, but this is all machine controlled.
It isn't like Google employees sit around all day reading your email.If you don't want Google to have your information, then don't use their services.
I happen to really like their services.
I want the convenience of being able to get to my mail from any device without having to try and run my own mail server (dealing with SSH attacks, whitelisting, backups, etc.
can be a pain).
Google provides me a free service I enjoy, and thusly I willingly accept the trade-off of targeted ads.They are VERY upfront about what they do, and they also provide tons of great open source products.
They are the primary funder of Firefox, and they fund a decent chunk of Linux development.
I'm sick of people calling them evil every single day without providing one single piece of evidence.Either provide some evidence, or stop spouting FUD and lies.
Personally, I'm sick of it.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31557492</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31562966</id>
	<title>Re:I don't trust it</title>
	<author>Xzallion</author>
	<datestamp>1269186720000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>You can encrypt the text of your response where only Gmail sees who sent it, or use any one of the many throwaway email services that will let you make an email account that only lasts for 24 hours.  Look into PGP, throwaway email addresses, and also just look at the text.  If you say "Yes grandma I will be at the family reunion." or
"Yes we will close the Jefferson Deal" what information does Google have on you?  That you expect to go to a family reunion out of the estimated thousands of them every day?  Or that they somehow magically know what the Jefferson deal is about?  All they can do is parse the text, and keep an internal record linked to the email address that sent it.  Just email them explaining you don't like unencrypted text over email ('cause all public email will be parsed for keywords; how do you think Yahoo and AOL make their money?).  Then encrypt it and let them decrypt it on their machine where Google gets nothing.

Stop blaming their system for your lack of effort.</htmltext>
<tokenext>You can encrypt the text of your response where only Gmail sees who sent it , or use any one of the many throwaway email services that will let you make an email account that only lasts for 24 hours .
Look into PGP , throwaway email addresses , and also just look at the text .
If you say " Yes grandma I will be at the family reunion . " or " Yes we will close the Jefferson Deal " what information does Google have on you ?
That you expect to go to a family reunion out of the estimated thousands of them every day ?
Or that they somehow magically know what the Jefferson deal is about ?
All they can do is parse the text , and keep an internal record linked to the email address that sent it .
Just email them explaining you do n't like unencrypted text over email ( 'cause all public email will be parsed for keywords ; how do you think Yahoo and AOL make their money ? ) .
Then encrypt it and let them decrypt it on their machine where Google gets nothing .
Stop blaming their system for your lack of effort .</tokentext>
<sentencetext>You can encrypt the text of your response where only Gmail sees who sent it, or use any one of the many throwaway email services that will let you make an email account that only lasts for 24 hours.
Look into PGP, throwaway email addresses, and also just look at the text.
If you say "Yes grandma I will be at the family reunion." or "Yes we will close the Jefferson Deal" what information does Google have on you?
That you expect to go to a family reunion out of the estimated thousands of them every day?
Or that they somehow magically know what the Jefferson deal is about?
All they can do is parse the text, and keep an internal record linked to the email address that sent it.
Just email them explaining you don't like unencrypted text over email ('cause all public email will be parsed for keywords; how do you think Yahoo and AOL make their money?).
Then encrypt it and let them decrypt it on their machine where Google gets nothing.
Stop blaming their system for your lack of effort.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31558196</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31558196</id>
	<title>Re:I don't trust it</title>
	<author>YrWrstNtmr</author>
	<datestamp>1269193140000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><i>If you don't want Google to have your information, then don't use their services</i> <br> <br>Realistically, we don't have that option. Someone sends me an email from a gmail acct, poof, there I am. And I can't reply without using gmail, because that is all <i>they</i> use.<br> <br>I do use google products quite a lot, so I'm not trying to hide from them. But they have become so pervasive that it is <i>hard</i> to not use them, even tangentially.</htmltext>
<tokenext>If you do n't want Google to have your information , then do n't use their services Realistically , we do n't have that option .
Someone sends me an email from a gmail acct , poof , there I am .
And I ca n't reply without using gmail , because that is all they use .
I do use google products quite a lot , so I 'm not trying to hide from them .
But they have become so pervasive that it is hard to not use them , even tangentially .</tokentext>
<sentencetext>If you don't want Google to have your information, then don't use their services  Realistically, we don't have that option.
Someone sends me an email from a gmail acct, poof, there I am.
And I can't reply without using gmail, because that is all they use.
I do use google products quite a lot, so I'm not trying to hide from them.
But they have become so pervasive that it is hard to not use them, even tangentially.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31557840</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31558172</id>
	<title>Re:I don't trust it</title>
	<author>tylerni7</author>
	<datestamp>1269192900000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>3</modscore>
	<htmltext><a href="http://techcrunch.com/2008/08/28/mozilla-extends-lucrative-deal-with-google-for-3-years/" title="techcrunch.com">http://techcrunch.com/2008/08/28/mozilla-extends-lucrative-deal-with-google-for-3-years/</a> [techcrunch.com]</htmltext>
<tokenext>http : //techcrunch.com/2008/08/28/mozilla-extends-lucrative-deal-with-google-for-3-years/ [ techcrunch.com ]</tokentext>
<sentencetext>http://techcrunch.com/2008/08/28/mozilla-extends-lucrative-deal-with-google-for-3-years/ [techcrunch.com]</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31558004</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31557628</id>
	<title>Re:I don't trust it</title>
	<author>Foofoobar</author>
	<datestamp>1269187260000</datestamp>
	<modclass>Funny</modclass>
	<modscore>2</modscore>
	<htmltext>How's the weather under that tinfoil hat?</htmltext>
<tokenext>How 's the weather under that tinfoil hat ?</tokentext>
<sentencetext>How's the weather under that tinfoil hat?</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31557492</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31557714</id>
	<title>Oh Please, GIVE IT A REST.</title>
	<author>Anonymous</author>
	<datestamp>1269187980000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>5</modscore>
	<htmltext><div class="quote"><p>Google is one of the most anti-privacy, intrusive evil corporations out there, second only to Facebook. They make a living over promiscuous sharing of personal data. Why should I trust them?</p></div><p>Have they ever lied to you about what they do? I don't use Google under any misinformed idea that they *don't* track everything I do. I go into it knowing that this *is their business*.<br> <br>Were you under some other impression?</p></htmltext>
<tokenext>Google is one of the most anti-privacy , intrusive evil corporations out there , second only to Facebook .
They make a living over promiscuous sharing of personal data .
Why should I trust them ? Have they ever lied to you about what they do ?
I do n't use Google under any misinformed idea that they * do n't * track everything I do .
I go into it knowing that this * is their business * .
Were you under some other impression ?</tokentext>
<sentencetext>Google is one of the most anti-privacy, intrusive evil corporations out there, second only to Facebook.
They make a living over promiscuous sharing of personal data.
Why should I trust them? Have they ever lied to you about what they do?
I don't use Google under any misinformed idea that they *don't* track everything I do.
I go into it knowing that this *is their business*.
Were you under some other impression?</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31557492</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31558794</id>
	<title>Skipfish vulnerability scanner</title>
	<author>Anonymous</author>
	<datestamp>1269198780000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>3</modscore>
	<htmltext><p>We configured skipfish and pointed it at our custom platform with full administrator rights.  Entered our system's custom file extensions into the skipfish dictionary.</p><p>Overall the performance is quite good (&gt;3k HTTP requests per second) after tweaking concurrent connection count.  Orders of magnitude better than any scanner we have ever used.</p><p>The report UI seemed polished and provided quite a bit of useful data with summaries and drill-down to detail. It would really help if, instead of simply posting raw request/response data, it would highlight sections of the response that led it to make an assumption WRT a particular vulnerability.</p><p>In terms of scan results they look for quite a number of common vulnerabilities; some of the checks are quite creative.  I especially liked the check for "interesting" contents.  Some of our test data tripped them - this was perfectly reasonable given the content.</p><p>Aborted the scanner at the 5 million HTTP request mark ~20 mins later.</p><p>In terms of actual results against our system, out of the several dozen possible vulnerabilities reported (XSRF, injection, etc.) there were no actual problems discovered - 100\% false alarms.</p><p>There is something really odd about some of the requests being made... I don't know if it's intentional to discover bugs, but the folder/file parsing looks to be broken and it's building stupid path names with the filename/subfolder...  This seems to be causing most of the UI not to crawl as it seems to be ending up in the 404 category.  Maybe this is my fault on dictionary configuration, but the system wastes way too many requests throwing the dictionary at each resource and not nearly enough time crawling the site and discovering what's available for exploit.</p><p>I then took a cursory glance at the source code... all of the rule checking is hard-coded in C. (See analysis.c)... which to me seems quite stupid and useless.</p><p>The tool is a start, already better than many freebie tools I have used over the years.</p><p>My advice is to first and foremost abstract the analysis details out of the C code. Focus more on walking even if it's dynamic content, and bolt in some intelligence/expert system to direct activities.</p></htmltext>
<tokenext>We configured skipfish and pointed it at our custom platform with full administrator rights .
Entered our system 's custom file extensions into the skipfish dictionary .
Overall the performance is quite good ( &gt; 3k HTTP requests per second ) after tweaking concurrent connection count .
Orders of magnitude better than any scanner we have ever used .
The report UI seemed polished and provided quite a bit of useful data with summaries and drill-down to detail .
It would really help if , instead of simply posting raw request/response data , it would highlight sections of the response that led it to make an assumption WRT a particular vulnerability .
In terms of scan results they look for quite a number of common vulnerabilities ; some of the checks are quite creative .
I especially liked the check for " interesting " contents .
Some of our test data tripped them - this was perfectly reasonable given the content .
Aborted the scanner at the 5 million HTTP request mark ~ 20 mins later .
In terms of actual results against our system , out of the several dozen possible vulnerabilities reported ( XSRF , injection , etc. ) there were no actual problems discovered - 100 \ % false alarms .
There is something really odd about some of the requests being made ... I do n't know if it 's intentional to discover bugs , but the folder/file parsing looks to be broken and it 's building stupid path names with the filename/subfolder ... This seems to be causing most of the UI not to crawl as it seems to be ending up in the 404 category .
Maybe this is my fault on dictionary configuration , but the system wastes way too many requests throwing the dictionary at each resource and not nearly enough time crawling the site and discovering what 's available for exploit .
I then took a cursory glance at the source code ... all of the rule checking is hard-coded in C. ( See analysis.c ) ... which to me seems quite stupid and useless .
The tool is a start , already better than many freebie tools I have used over the years .
My advice is to first and foremost abstract the analysis details out of the C code .
Focus more on walking even if it 's dynamic content , and bolt in some intelligence/expert system to direct activities .</tokentext>
<sentencetext>We configured skipfish and pointed it at our custom platform with full administrator rights.
Entered our system's custom file extensions into the skipfish dictionary.
Overall the performance is quite good (&gt;3k HTTP requests per second) after tweaking concurrent connection count.
Orders of magnitude better than any scanner we have ever used.
The report UI seemed polished and provided quite a bit of useful data with summaries and drill-down to detail.
It would really help if, instead of simply posting raw request/response data, it would highlight sections of the response that led it to make an assumption WRT a particular vulnerability.
In terms of scan results they look for quite a number of common vulnerabilities; some of the checks are quite creative.
I especially liked the check for "interesting" contents.
Some of our test data tripped them - this was perfectly reasonable given the content.
Aborted the scanner at the 5 million HTTP request mark ~20 mins later.
In terms of actual results against our system, out of the several dozen possible vulnerabilities reported (XSRF, injection, etc.) there were no actual problems discovered - 100\% false alarms.
There is something really odd about some of the requests being made... I don't know if it's intentional to discover bugs, but the folder/file parsing looks to be broken and it's building stupid path names with the filename/subfolder...  This seems to be causing most of the UI not to crawl as it seems to be ending up in the 404 category.
Maybe this is my fault on dictionary configuration, but the system wastes way too many requests throwing the dictionary at each resource and not nearly enough time crawling the site and discovering what's available for exploit.
I then took a cursory glance at the source code... all of the rule checking is hard-coded in C. (See analysis.c)... which to me seems quite stupid and useless.
The tool is a start, already better than many freebie tools I have used over the years.
My advice is to first and foremost abstract the analysis details out of the C code.
Focus more on walking even if it's dynamic content, and bolt in some intelligence/expert system to direct activities.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31558260</id>
	<title>Re:Oh Please, GIVE IT A REST.</title>
	<author>Anonymous</author>
	<datestamp>1269193800000</datestamp>
	<modclass>Troll</modclass>
	<modscore>0</modscore>
	<htmltext>They didn't lie to me, but they tricked me into making my email part of a social network.</htmltext>
<tokenext>They did n't lie to me , but they tricked me into making my email part of a social network .</tokentext>
<sentencetext>They didn't lie to me, but they tricked me into making my email part of a social network.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31557714</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31559818</id>
	<title>Nothing Is Free</title>
	<author>Anonymous</author>
	<datestamp>1269163680000</datestamp>
	<modclass>Troll</modclass>
	<modscore>0</modscore>
	<htmltext><p>Including skipfish. While I haven't downloaded it, I have no doubt that something is being reported back to Google. Just as with any business practice, there is always a light at the end of the tunnel. Google advertising maybe? Possibly, whatever the reason, I doubt "Free" in this case really isn't "Free".</p></htmltext>
<tokenext>Including skipfish .
While I have n't downloaded it , I have no doubt that something is being reported back to Google .
Just as with any business practice , there is always a light at the end of the tunnel .
Google advertising maybe ?
Possibly , whatever the reason , I doubt " Free " in this case really is n't " Free " .</tokentext>
<sentencetext>Including skipfish.
While I haven't downloaded it, I have no doubt that something is being reported back to Google.
Just as with any business practice, there is always a light at the end of the tunnel.
Google advertising maybe?
Possibly, whatever the reason, I doubt "Free" in this case really isn't "Free".</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31558282</id>
	<title>Can someone explain this</title>
	<author>Anonymous</author>
	<datestamp>1269193980000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>When I click on "View a sample screenshot", my browser <em>downloads</em> the damn PNG file instead of simply displaying it like it should. Is it something wrong on Google's side or is it my browser?</p></htmltext>
<tokenext>When I click on " View a sample screenshot " , my browser downloads the damn PNG file instead of simply displaying it like it should .
Is it something wrong on Google 's side or is it my browser ?</tokentext>
<sentencetext>When I click on "View a sample screenshot", my browser downloads the damn PNG file instead of simply displaying it like it should.
Is it something wrong on Google's side or is it my browser?</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31560776</id>
	<title>Go Away Idiot</title>
	<author>Anonymous</author>
	<datestamp>1269170100000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Fucking moron.</p></htmltext>
<tokenext>Fucking moron .</tokentext>
<sentencetext>Fucking moron.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31559818</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31562132</id>
	<title>90\% is probably low</title>
	<author>Geek of the Week</author>
	<datestamp>1269180240000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>I wouldn't be surprised if the actual number is much, much higher.  This has always been a problem with software development; I'm not sure why anyone thought it got better when apps became web-based.  When your business depends on apps being up and running (or running the newest, coolest features), security is usually not the highest priority.</p><p>As a vendor I sit in meetings all the time with app architects and even security people (up to and including CISOs) at some of the biggest corporations in the world who freely admit to the horrid security holes in their apps.   Worse, a lot of them think their packet inspection firewall will protect them.  Layer 7 attacks are still not very well understood or appreciated by a lot of IT people.</p></htmltext>
<tokenext>I would n't be surprised if the actual number is much , much higher .
This has always been a problem with software development ; I 'm not sure why anyone thought it got better when apps became web-based .
When your business depends on apps being up and running ( or running the newest , coolest features ) , security is usually not the highest priority .
As a vendor I sit in meetings all the time with app architects and even security people ( up to and including CISOs ) at some of the biggest corporations in the world who freely admit to the horrid security holes in their apps .
Worse , a lot of them think their packet inspection firewall will protect them .
Layer 7 attacks are still not very well understood or appreciated by a lot of IT people .</tokentext>
<sentencetext>I wouldn't be surprised if the actual number is much, much higher.
This has always been a problem with software development; I'm not sure why anyone thought it got better when apps became web-based.
When your business depends on apps being up and running (or running the newest, coolest features), security is usually not the highest priority.
As a vendor I sit in meetings all the time with app architects and even security people (up to and including CISOs) at some of the biggest corporations in the world who freely admit to the horrid security holes in their apps.
Worse, a lot of them think their packet inspection firewall will protect them.
Layer 7 attacks are still not very well understood or appreciated by a lot of IT people.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31557686</id>
	<title>Re:I don't trust it</title>
	<author>Tokerat</author>
	<datestamp>1269187740000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>4</modscore>
	<htmltext><p>If you want the internet to remain free, you'll have to get off your lazy ass. Start by going and downloading the skipfish source - it's under an Apache license - and audit it for us. Tell us if it's got any phone-home reporting, if it leaves out any major items from it's scans, etc.</p><p>We all know we should question everything, including Google's intentions. We're pretty smart, we get that. Instead of offering blind, childish rhetoric, you could offer proof and/or solutions. Just sayin'; calling Google a major privacy invader doesn't stop them.</p></htmltext>
<tokenext>If you want the internet to remain free , you 'll have to get off your lazy ass .
Start by going and downloading the skipfish source - it 's under an Apache license - and audit it for us .
Tell us if it 's got any phone-home reporting , if it leaves out any major items from its scans , etc. We all know we should question everything , including Google 's intentions .
We 're pretty smart , we get that .
Instead of offering blind , childish rhetoric , you could offer proof and/or solutions .
Just sayin ' ; calling Google a major privacy invader does n't stop them .</tokentext>
<sentencetext>If you want the internet to remain free, you'll have to get off your lazy ass.
Start by going and downloading the skipfish source - it's under an Apache license - and audit it for us.
Tell us if it's got any phone-home reporting, if it leaves out any major items from its scans, etc. We all know we should question everything, including Google's intentions.
We're pretty smart, we get that.
Instead of offering blind, childish rhetoric, you could offer proof and/or solutions.
Just sayin'; calling Google a major privacy invader doesn't stop them.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31557492</parent>
</comment>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_21_1341201_13</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31558692
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31558282
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_21_1341201_17</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31559092
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31557840
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31557492
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_21_1341201_10</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31558102
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31557840
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31557492
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_21_1341201_14</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31558172
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31558004
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31557840
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31557492
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_21_1341201_1</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31558642
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31558260
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31557714
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31557492
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_21_1341201_15</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31559376
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31557686
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31557492
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_21_1341201_5</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31558398
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31557714
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31557492
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_21_1341201_9</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31560776
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31559818
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_21_1341201_11</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31562966
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31558196
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31557840
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31557492
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_21_1341201_2</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31558104
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31557714
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31557492
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_21_1341201_3</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31563264
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31558348
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31558282
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_21_1341201_7</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31574124
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31557962
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_21_1341201_6</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31557744
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31557492
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_21_1341201_0</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31560912
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31557840
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31557492
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_21_1341201_4</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31557628
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31557492
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_21_1341201_8</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31558402
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31557714
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31557492
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_21_1341201_12</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31558098
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31557840
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31557492
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_21_1341201_16</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31558544
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31557686
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31557492
</commentlist>
</thread>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_03_21_1341201.2</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31557624
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_03_21_1341201.0</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31557962
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31574124
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_03_21_1341201.5</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31558282
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31558692
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31558348
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31563264
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_03_21_1341201.4</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31559818
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31560776
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_03_21_1341201.3</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31558794
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_03_21_1341201.1</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31557492
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31557628
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31557744
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31557686
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31559376
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31558544
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31557840
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31558196
---http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31562966
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31559092
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31558004
---http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31558172
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31558102
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31560912
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31558098
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31557714
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31558260
---http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31558642
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31558104
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31558398
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_21_1341201.31558402
</commentlist>
</conversation>
