Re: [Full-disclosure] Happy Birthday FreeBSD! Now you are 20 years old and your security is the same as 20 years ago... :)
On Thu, Jun 20, 2013 at 3:41 PM, valdis.kletni...@vt.edu wrote:
> On Thu, 20 Jun 2013 06:56:16 -0500, Mark Felder said:
> > But does your exploit compile with clang?
>
> I'm gonna have to call Poe's Law on this one. I can't tell if you're trolling or merely confused. :)

My guess is he's troll-baiting. Incorporation of clang in FreeBSD as the default compiler (vs. gnucc) has been a matter of some heat+light in the FreeBSD community.

Kurt

___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Why PRISM kills the cloud | Computerworld Blogs
On Mon, Jun 10, 2013 at 6:30 PM, Jeffrey Walton noloa...@gmail.com wrote:
> On Mon, Jun 10, 2013 at 9:15 PM, laurent gaffie laurent.gaf...@gmail.com wrote:
> > Why is the PRISM program such a big deal today? Most of us knew about Echelon and the Patriot Act, didn't we? This program was unconstitutional in the first place and should have raised indignation when it was approved at that time...
>
> +1. Below is my standard verbiage on clouds and backups to clouds.
>
> Jeff
>
> clouds and drop boxes. If you don't want your data analyzed, inspected, shared, or mishandled, then don't provide it in the first place.
> snip

http://technet.microsoft.com/library/cc722487.aspx

Numbers 3 and 6, at a minimum - from 1999/2000, or thereabouts.

Kurt
Re: [Full-disclosure] Full-Disclosure Digest, Vol 89, Issue 15 suspicion of rootkit (Alexandru Balan)
A better way of proceeding on this, assuming you can afford the time, is to boot from one of the many live boot CDs (UBCD4Win, BartPE, various Linux-based rescue disks) to scan the disk while the suspect OS is not in memory. Those CD images either come with, or can be made to contain, various AV packages. Make sure the packages used are current, and scan away.

Kurt

On Thu, Jul 12, 2012 at 6:57 AM, phocean 0...@phocean.net wrote:
> The only antivirus I have tried so far is Microsoft Security Essentials. And it finds nothing, which I certainly don't trust at all. Especially because it shows a very unusual certificate alert during the setup.
>
> I also scanned a few files that I chose (some DLLs and services) on VirusTotal with no results except some false positives. I also had a look at the disassembly of these files.
>
> So, I don't know what it is, but if it is a rootkit it is not a trivial one and I am afraid it is smarter than me :)
>
> ---
> phocean
>
> On 12 Jul 2012 at 15:33, Mikhail A. Utin wrote:
>
> > -----Original Message-----
> > From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of full-disclosure-requ...@lists.grok.org.uk
> > Sent: Thursday, July 12, 2012 4:40 AM
> > To: full-disclosure@lists.grok.org.uk
> > Subject: Full-Disclosure Digest, Vol 89, Issue 15
> >
> > I've had a very similar case of downloading software and getting malware. I wanted just to get it fixed, so whether it was a virus, or worm, or rootkit I do not know. Symptoms were disabled Windows Update and Windows networking. TCP in general worked. I found malicious files (just a few) using one of the security tools running under a Linux bootable CD to check the consistency of Windows files. First I tried three AV systems (F-Secure, Kaspersky and Symantec), but they were useless. Finally, from Linux I was able to find files having inconsistent attributes, as far as I remember - the size and modification date.
> >
> > Nothing in particular, but: AV systems identify less than 90% of malware (both forward and backward tests), when downloading freeware stuff a virtual machine is the best option, and if Windows screws up right after installing freeware, it is obvious what the reason is.
> >
> > Mikhail
> >
> > --
> > Message: 1
> > Date: Thu, 12 Jul 2012 00:46:33 +0300
> > From: Alexandru Balan jay...@gmail.com
> > Subject: Re: [Full-disclosure] suspicion of rootkit
> > To: phocean 0...@phocean.net
> > Cc: full-disclosure@lists.grok.org.uk, valdis.kletni...@vt.edu
> >
> > Tried checking it with an AV? http://quickscan.bitdefender.com
> >
> > On Jul 12, 2012, at 12:06 AM, phocean wrote:
> > > The machine is Windows XP SP3, quite up-to-date, but not fully. Except that Windows Update is not working anymore. One of the symptoms.
> > >
> > > I described the issues there:
> > > http://www.phocean.net/2012/06/30/rootkit-in-my-lab.html
> > > http://www.phocean.net/2012/07/11/rootkit-in-my-lab-part-ii.html
> > >
> > > You will see why some symptoms make me think about a rootkit. You are right, it could be some Windows being messed up. But it actually happened on a pretty fresh install: I finished setting up XP and tens of analysis tools (I aimed for this box to be my fresh reversing system). So even if possible, it sounds strange that a machine gets corrupted so quickly. And of course, I suspect some of these tools, got from multiple downloads. At last, I could analyse them one by one of course, but there are many so it would be painful (and I am not sure that I kept all setups).
> > >
> > > ---
> > > phocean
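Mikhail's approach above (booting from Linux and looking for Windows files whose attributes no longer match) is the idea behind a file-integrity baseline: record size, mtime and a cryptographic hash for every file while the system is known clean, then diff a later snapshot taken from the rescue disk. The following is an added example written for this archive page, not a tool posted by anyone in the thread; the directory layout and file names in `demo()` are constructed for illustration and stand in for the real system directory a responder would baseline.

```python
"""Offline file-integrity baseline and diff (added example, not code from the thread).

Build a manifest of size, mtime and SHA-256 for every file under a root, then
compare a later manifest against it and classify each path.  Run from a rescue
environment, the hash catches patched binaries and the metadata-only bucket
catches files whose content is intact but whose timestamps were touched."""
import hashlib
import os
import tempfile
from pathlib import Path


def file_digest(path: Path, chunk: int = 1 << 16) -> str:
    """SHA-256 of a file, streamed so large binaries never load fully into memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, dict]:
    """Map each path (relative to root, POSIX separators) to size, mtime and digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            st = p.stat()
            manifest[p.relative_to(root).as_posix()] = {
                "size": st.st_size,
                "mtime": int(st.st_mtime),
                "sha256": file_digest(p),
            }
    return manifest


def compare_manifests(baseline: dict, current: dict) -> dict[str, list[str]]:
    """Classify paths as added, removed, modified (content hash differs) or
    suspicious (hash identical but size/mtime changed, e.g. a touched timestamp)."""
    report = {"added": [], "removed": [], "modified": [], "suspicious": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        elif baseline[rel]["sha256"] != current[rel]["sha256"]:
            report["modified"].append(rel)
        elif (baseline[rel]["size"], baseline[rel]["mtime"]) != (current[rel]["size"], current[rel]["mtime"]):
            report["suspicious"].append(rel)
    return report


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a fake system directory, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "drivers").mkdir()
        files = {  # constructed stand-ins, not real binaries
            "ntoskrnl.exe": b"kernel image (constructed)",
            "drivers/tcpip.sys": b"tcp stack (constructed)",
            "wuauserv.dll": b"windows update service (constructed)",
            "hal.dll": b"hardware abstraction (constructed)",
        }
        base_time = 1_000_000_000  # fixed mtime so the demo is deterministic
        for rel, data in files.items():
            (root / rel).write_bytes(data)
            os.utime(root / rel, (base_time, base_time))
        baseline = build_manifest(root)

        # Tampering: patch one binary, drop in an unknown driver, delete a
        # service DLL, and merely touch the timestamp on hal.dll.
        (root / "ntoskrnl.exe").write_bytes(b"kernel image (constructed) + hook")
        (root / "drivers/unknown.sys").write_bytes(b"new driver (constructed)")
        (root / "wuauserv.dll").unlink()
        os.utime(root / "hal.dll", (base_time + 3600, base_time + 3600))
        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category:10s} {paths}")
```

The manifest must be written to media the suspect OS cannot reach (the rescue disk's own storage or a remote host), and the baseline is only meaningful if it was taken before the suspected compromise; without a trusted baseline the same hashes can instead be checked against vendor-published values.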
Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response
On Sat, Jan 7, 2012 at 13:50, valdis.kletni...@vt.edu wrote:
> On Sat, 07 Jan 2012 16:25:35 EST, Shyaam Sundhar said:
> > Although, once they have gained popularity and to a stage where a garage office becomes a shop floor and a @home biz becomes a rent-a-million$-building office, it is time to shift priorities.
>
> If finding people who are competent enough to secure a payroll system for a company of 10 people is difficult, what makes you think that it's easy to find people who can secure the systems for a company of 1,000?

I would think it would be easier, because a company of 1,000 is much more likely to have an actual budget for this kind of stuff than a company of 10, or 100. But, still not as easy as for a company of 10,000, or 100,000.

Kurt
Re: [Full-disclosure] Meet the Guy Who Snitched on Occupy Wall Street to the FBI and NYPD
On Mon, Oct 17, 2011 at 06:03, valdis.kletni...@vt.edu wrote:
> On Mon, 17 Oct 2011 03:48:46 EDT, Jeffrey Walton said:
> > Does the Darwin Awards have a category for dumb computer related decisions?
>
> Hmm.. for computer related ones? Good question. The Darwin Awards are for those who remove themselves from the gene pool in *spectacular* ways. They disallow entrants for reasons of mental disease or defect - so failing to reproduce just because you're a troll living in your parents' basement loses twice - it's commonplace, not spectacular, and it usually isn't a result of a conscious decision you made.
>
> Having said that. I suppose it *is* possible. Consider the (hopefully hypothetical) example of an extreme overclocker who does something predictably stupid and ends up with a lapful of liquid nitrogen and a case of severe frostbite. Gives a whole new meaning to shatter attack ;)
>
> Yeah, *that* would get a Darwin. ;)

I have heard rumors of an instance that would qualify: Supposedly there was a fellow who knew he was under police surveillance for bad computing behavior of some sort or another, and had prepared for a raid by outfitting his residence with video cameras, and his computer with a kill switch. Little did he know that he was more literal than expected. He had packed the computer case full of thermite, rather than simply putting an ounce or three on top of the hard drive. He was next to the computer when he noticed a raid descending, and he hit the kill switch. There wasn't much left of the room he was in...

I've not been able to verify this story, but it does come from a source that I consider reliable.

Kurt
Re: [Full-disclosure] Snail mail vs. Email
On Wed, Oct 12, 2011 at 22:11, Jeffrey Walton noloa...@gmail.com wrote:
> Sparta, as one of the first democracies, had it right. They put the public officials on trial when their term expired because they knew what Class A fuck-ups they were. It's funny how that lesson was lost to history.
>
> Jeff

Sparta in the Classical age and earlier was not a democracy. They were a set of invaders who had enslaved the native Hellenes in the area (as opposed to buying slaves or capturing slaves in battle, which is what the other Hellenic city-states did), and which had kings and enforced military servitude from approximately ages 8 to 50 or so.

And, actually, Athens, though it was the Western birthplace of democracy, free speech and all that, wasn't a very pretty society itself. Aside from the primitive state of technology, they were a religion- and superstition-bound society to a degree that most modern cultures would have difficulty comprehending.

Not something I think we should emulate.

Kurt
Re: [Full-disclosure] GeoIPgen version 0.4 released - country-to-IPs generator
On Wed, Mar 10, 2010 at 11:50, Adrian P unknown.pentes...@gmail.com wrote:
> On Tue, Mar 9, 2010 at 5:17 AM, Andrew Horton and...@morningstarsecurity.com wrote:
> > I've just released a new version of GeoIPgen
> >
> > Description: GeoIPgen is a country-to-IPs generator. It's a geographic IP generator for IPv4 networks that uses the MaxMind GeoLite Country database. Geoipgen is the first published use of a geographic ip database in reverse to translate from country-to-IPs instead of the usual use of IP-to-country.
> >
> > Features: Random or sorted order, unique or repeating IPs, skips broadcast addresses,
>
> Neat project, and a research topic I've been interested in for several years. However, it's not the first time that the MaxMind GeoLite database has been used to generate lists of IP blocks for a given country (country2ip, rather than ip2country).
>
> October 2007:
> http://www.gnucitizen.org/blog/strategic-hacking-geoip/
> http://www.gnucitizen.org/static/blog/2007/10/country2ip.ppt
>
> > one, many or all countries.
> >
> > Changes: Much faster than version 0.3, for example generating all IPs for Papua New Guinea took a couple of minutes with version 0.3. Now it takes a few seconds.
> >
> > Homepage: http://www.morningstarsecurity.com/research/geoipgen
> >
> > P.S. Please tell me about your projects or nationwide scanning efforts that use geoipgen. Eg. the Australian Web Enumeration Project http://www.auenumerate.net
> >
> > --
> > Cheers,
> > Andrew Horton
> > MorningStar Security
> > Mobile +64 (0) 272 646 959
> > Web www.morningstarsecurity.com

See also: http://xkcd.com/195/

Though I don't know where he got his data...

Kurt
Re: [Full-disclosure] Disk wiping -- An alternate approach?
On Tue, Jan 26, 2010 at 00:11, Charles Skoglund charles.skogl...@bitsec.se wrote:
> This discussion is getting weirder and weirder. If an examiner finds evidence on YOUR computer / cell phone / usb disks / whatever, please do tell me how it's not necessarily yours? By claiming your computer has been hacked? You do know an examiner usually knows how to double-check your story for malicious code, right? Or what are you guys talking about?
>
> My experience is that when I find the evidence, the person/s being investigated confesses quite rapidly.
>
> Cheers!

I must suggest your experience is quite limited - the case below is not unique:

http://en.wikipedia.org/wiki/State_of_Connecticut_v._Julie_Amero

Kurt
Re: [Full-disclosure] Perhaps it's time to regulate Microsoft as Critical Infrastructure?
On Mon, Jan 25, 2010 at 14:11, valdis.kletni...@vt.edu wrote:
> On Mon, 25 Jan 2010 20:03:03 -0200, Rafael Moraes said:
> > This is a subject that needs to be discussed very carefully. I agree, it should be controlled, but how far?
>
> In particular, one must be *very* careful to not create unintended consequences. For instance, in general the more regulated an industry is, the more risk-averse the companies get - both because regulation implies don't rock the boat and the second-order effects of compliance paperwork and similar issues. Look at the mountains of paperwork needed to get the FAA to type-certify a new airplane as airworthy - what if Microsoft had to do that level of detail for Windows 8, the next release of Exchange, and the next release of Office? How do you make Microsoft regulated in any meaningful sense, and still allow them the ability to ship an out-of-cycle patch?
>
> That's one issue. There are others.

The real issue, though, is not how to regulate MSFT. It's how to level the playing field.

Best way I can think of to do that is to specify document formats, and make them available to all. ODF may not be the right format, but it's in the right direction. If government(s) were to specify that any software they buy needs to read and write a particular set of formats, with the specifications of those formats publicly available for no more than the cost of copying them, and that they would only accept documents in those formats, then anyone could build software that meets those specifications. Then you'd see a more competitive environment.

Kurt
Re: [Full-disclosure] How Prosecutors Wiretap Wall Street
On Tue, Nov 3, 2009 at 20:13, Paul Schmehl pschmehl_li...@tx.rr.com wrote:
> --On November 4, 2009 12:55:45 PM +1100 Ivan . ivan...@gmail.com wrote:
> > The answer is both more mundane and more alarming. Prosecutors are using the FBI's massive surveillance system, DCSNet, which stands for Digital Collection System Network. According to Wired magazine, this system connects FBI wiretapping rooms to switches controlled by traditional land-line operators, internet-telephony providers and cellular companies. It can be used to instantly wiretap almost any communications device in the U.S. — wireless or tethered.
> >
> > http://www.wallstreetandtech.com/blog/archives/2009/10/how_prosecutors.html;jsessionid=ABTR4HPERGBDFQE1GHPCKHWATMY32JVN
>
> Of course, without a warrant they can't wiretap anything.

Really? Do tell. Hope your sarcasm meter is pegged here.

> Furthermore every warrant to wiretap has to be accompanied by evidence that justifies the warrant and signed by a federal judge who agrees that there is sufficient cause for the wiretap, and illegal wiretaps will not only get your case thrown out of court but your butt thrown in jail as well.

Except when it doesn't.

> But other than that, it's really troubling

As it should be. I don't trust Feds as far as I can spit when it comes to this sort of stuff.

Kurt
Re: [Full-disclosure] Anti virus installations on Windows servers
Why should he do that? Agree with him, or disagree, he's trying to raise the bar. If the community disagrees, many members thereof will certainly speak up. So far, in this thread, you're the only one.

Besides, that xkcd is classic.

Kurt

On Wed, Apr 29, 2009 at 10:27, don bailey don.bai...@gmail.com wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Valdis,
>
> Again, to clarify: I'm not interested in your actual opinion, only that you confine the scope of your opinion to yourself. Thanks!
>
> D
>
> valdis.kletni...@vt.edu wrote:
> > On Wed, 29 Apr 2009 11:16:11 MDT, don bailey said:
> > > Being overly verbose and using a plethora of asterisks does not enhance the validity of your statement. I didn't bother reading your statement due to its unnecessary length. Simply focus less on speaking for the community and confine your scope to your personal opinion. Thanks.
> >
> > http://xkcd.com/463/
> >
> > Short enough for you?
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.9 (GNU/Linux)
>
> iEYEARECAAYFAkn4jgcACgkQM8x1V+fkydMuyQCgiBjnQuTdKtpnAX5rN+ebfavD
> B1QAnixxg3VRl5pvQNdldgRP/erCfVj7
> =0DQE
> -----END PGP SIGNATURE-----
Re: [Full-disclosure] Oh Yeah, botnet communications
On Thu, Feb 19, 2009 at 21:21, valdis.kletni...@vt.edu wrote:
> On Thu, 19 Feb 2009 23:38:37 EST, T Biehn said:
> > God Valdis, Don't concentrate on the mundane, the core issue is the unpredictable nature of it. You have them all coordinate reading the news at 12:00 AM GMT. You build some silly algorithm that ensures they pick the right article.
>
> Right, so now you need this insanely complicated system to make sure that you get the right article at midnight, even if you have a race condition or you're getting an old copy because of a caching proxy in the path or if they hit different boxes on a load balancer and the articles update a few seconds apart, and then make sure they all pick the right article - which means they need to *agree* on the right article without knowing for sure what article the *other* bots are looking at.
>
> And that also means that the botnet owner (or at least a system they have) has to *also* be online so it can also check CNN and figure out what domain to register - which sucks if Godaddy just put up the Down for 3 hours due to unexpected system problem sign or any of a zillion other failure modes in trying to register that next domain in real time. You can't register the next 3-4 days' worth of domains ahead of time and make sure they went live. Lots of failure modes there.
>
> Or you can just hash the damned clock once an hour, which seems to be quite sufficient to keep the average botnet running. *THAT* is why they don't base it off a news RSS feed - all these mundane issues make it *harder*. You wanna do it the hard way that has more ways to fail and sprout bugs, be my guest. Most of the coders out there prefer something just a bit simpler.

Not necessarily as insanely complicated as you might think - an RSS feed can include some interesting numbers, such as stock quotes, etc., where the non-integer portion of the number(s) are pretty random, and reporting on them is pretty standardized.

And, I don't think, for the purposes of discussion, it *has* to be an RSS feed. It could be any publicly available, regularly updated text, including www.wsj.com.

Kurt
Re: [Full-disclosure] DoS attacks on MIME-capable software via complex MIME emails
On Mon, Dec 8, 2008 at 2:56 PM, Bernhard Brehm [EMAIL PROTECTED] wrote:
> [EMAIL PROTECTED] said:
> > You want *real* loads of fun? Go read up on message/partial ;)
> snip
> The situation is quite similar to the reason why MTAs like sendmail are no real target for such attacks: No server should try to convert 8bit encoding to 7bit encoding any more. Nobody needs to split a message into several parts for transfer and expects the mail client to reassemble the parts. Not all pieces of MIME-related software really need to understand these rather obscure content-types.

Not exactly true. There might not be any clients which support it currently (don't know, myself) but *my* users are constantly trying to send huge messages that I don't allow for size reasons. Breaking them apart into chunks automatically for automatic reassembly by the recipient would very much appeal to them.

Kurt
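The thread's concern with message/partial is that a reassembling client must buffer fragments it cannot yet verify, which is exactly where resource-exhaustion bugs live. The example below is added for this archive page (it is not code from the thread) and shows a reassembler that enforces the checks a client needs before trusting the `id`, `number` and `total` parameters: bounded fragment count and buffered bytes, rejection of conflicting totals and of duplicate fragment numbers with different content. The limits `MAX_FRAGMENTS` and `MAX_REASSEMBLED` are illustrative assumptions, not values from the MIME RFCs, and the sample fragments are constructed.

```python
"""Bounded reassembly of message/partial fragments (added example, not thread code).

Each fragment is a MIME entity with Content-Type: message/partial; id=...;
number=N; total=T, whose body is one slice of the enclosed message.  Limits
below are illustrative assumptions, not figures from RFC 2046."""
from email.parser import HeaderParser

MAX_FRAGMENTS = 16            # assumption: refuse implausible fragment counts
MAX_REASSEMBLED = 64 * 1024   # assumption: cap bytes buffered per fragment set


class FragmentError(ValueError):
    """A fragment is malformed or would exceed the reassembly limits."""


class FragmentStore:
    """Collects fragments per id and returns the whole message once every part is present."""

    def __init__(self, max_fragments=MAX_FRAGMENTS, max_bytes=MAX_REASSEMBLED):
        self.max_fragments = max_fragments
        self.max_bytes = max_bytes
        self._sets = {}  # id -> {"total": int | None, "parts": {int: str}, "size": int}

    def add(self, raw: str):
        """Feed one fragment; return the reassembled text when complete, else None."""
        # HeaderParser leaves the body unparsed, so a fragment's body is never
        # interpreted as MIME structure of its own.
        msg = HeaderParser().parsestr(raw)
        if msg.get_content_type() != "message/partial":
            raise FragmentError("not a message/partial fragment")
        frag_id, number, total = msg.get_param("id"), msg.get_param("number"), msg.get_param("total")
        if frag_id is None or number is None:
            raise FragmentError("id and number are mandatory")
        try:
            number = int(number)
            total = int(total) if total is not None else None
        except ValueError:
            raise FragmentError("number/total must be integers") from None
        if number < 1 or (total is not None and (total < 1 or number > total)):
            raise FragmentError("fragment number out of range")
        if number > self.max_fragments or (total is not None and total > self.max_fragments):
            raise FragmentError("too many fragments")

        entry = self._sets.setdefault(frag_id, {"total": None, "parts": {}, "size": 0})
        if total is not None:
            if entry["total"] is not None and entry["total"] != total:
                self._sets.pop(frag_id)
                raise FragmentError("conflicting total values")
            entry["total"] = total
        body = msg.get_payload()
        if number in entry["parts"]:
            if entry["parts"][number] != body:
                self._sets.pop(frag_id)
                raise FragmentError("duplicate fragment with different content")
            return None  # harmless retransmission
        if entry["size"] + len(body) > self.max_bytes:
            self._sets.pop(frag_id)
            raise FragmentError("reassembled size limit exceeded")
        entry["parts"][number] = body
        entry["size"] += len(body)
        if entry["total"] is not None and len(entry["parts"]) == entry["total"]:
            self._sets.pop(frag_id)
            return "".join(entry["parts"][n] for n in range(1, entry["total"] + 1))
        return None


def make_fragment(frag_id: str, number: int, total, body: str) -> str:
    """Construct one fragment; per RFC 2046 only the last fragment must carry total."""
    params = f'id="{frag_id}"; number={number}'
    if total is not None:
        params += f"; total={total}"
    return ("From: sender@example.invalid\r\nTo: recipient@example.invalid\r\n"
            f"Content-Type: message/partial; {params}\r\n\r\n{body}")


# Constructed enclosed message, split into three slices for transfer.
INNER = "Subject: quarterly report\r\n\r\nThe report body, split into pieces for transfer.\r\n"


def demo_reassembly() -> list:
    """Feed three fragments in order; only the last add() yields the message."""
    store = FragmentStore()
    chunks = [INNER[:16], INNER[16:40], INNER[40:]]
    return [store.add(make_fragment("abc123@example.invalid", i + 1, 3 if i == 2 else None, c))
            for i, c in enumerate(chunks)]


def demo_limits() -> str:
    """A fragment announcing an absurd total is refused before anything is buffered."""
    store = FragmentStore(max_fragments=4)
    try:
        store.add(make_fragment("x@example.invalid", 1, 500, "filler"))
    except FragmentError as exc:
        return str(exc)
    return "accepted"


if __name__ == "__main__":
    print(demo_reassembly()[2])
    print(demo_limits())
```

A real client would also expire incomplete sets after a timeout and cap the number of concurrent ids, since an attacker who never sends the final fragment otherwise pins memory indefinitely.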
Re: [Full-disclosure] Security industry software license
On Sat, Nov 29, 2008 at 10:17 AM, andrew. wallace [EMAIL PROTECTED] wrote:
> snip
> Now what the DHS need to do if they want to counter hackers and cyber terrorism is to focus on worthwhile things like developing a security industry software license scheme that vets everybody using software and gets better regulation into the industry. This is the way ahead,

Yes, indeed. Freedom is always served by taking it away from those who can't afford the credentials. It's why gun control works so well.

Kurt
Re: [Full-disclosure] Security industry software license
On Sat, Nov 29, 2008 at 11:52 AM, andrew. wallace [EMAIL PROTECTED] wrote:
> On Sat, Nov 29, 2008 at 7:32 PM, Kurt Buff [EMAIL PROTECTED] wrote:
> > On Sat, Nov 29, 2008 at 10:17 AM, andrew. wallace [EMAIL PROTECTED] wrote:
> > > snip
> > > Now what the DHS need to do if they want to counter hackers and cyber terrorism is to focus on worthwhile things like developing a security industry software license scheme that vets everybody using software and gets better regulation into the industry. This is the way ahead,
> >
> > Yes, indeed. Freedom is always served by taking it away from those who can't afford the credentials. It's why gun control works so well.
> >
> > Kurt
>
> Gun control in Britain actually works pretty well, I don't know where you live. It's all about effective management of the control, you put in bad management you're going to have bad control.
Re: [Full-disclosure] Security industry software license
On Sat, Nov 29, 2008 at 11:52 AM, andrew. wallace [EMAIL PROTECTED] wrote:
> On Sat, Nov 29, 2008 at 7:32 PM, Kurt Buff [EMAIL PROTECTED] wrote:
> > On Sat, Nov 29, 2008 at 10:17 AM, andrew. wallace [EMAIL PROTECTED] wrote:
> > > snip
> > > Now what the DHS need to do if they want to counter hackers and cyber terrorism is to focus on worthwhile things like developing a security industry software license scheme that vets everybody using software and gets better regulation into the industry. This is the way ahead,
> >
> > Yes, indeed. Freedom is always served by taking it away from those who can't afford the credentials. It's why gun control works so well.
> >
> > Kurt
>
> Gun control in Britain actually works pretty well, I don't know where you live.

Excellent - avoid the main point, focus on the minor point. To get back to the major point, I'll ask a question: How is freedom served by your recommendation?

If you wish to know where I live, google me.

> It's all about effective management of the control, you put in bad management you're going to have bad control.

This kind of management is always bad, in that it means decreasing the ability of free people to ply their trade, or even to explore the world and gain knowledge on their own.

To rebut your response on the minor point, I'll ask another question - how much do you think home invasion burglaries would diminish in your country if ordinary folks could own effective means of defense?
Re: [Full-disclosure] Reverse Shell Without Enabling Netcat's GAPING_SECURITY_HOLE
On Fri, Sep 19, 2008 at 3:01 PM, 545945 [EMAIL PROTECTED] wrote:
> Recently a friend of mine asked me a seemingly simple question. What is the easiest method to get a reverse shell from a *nix based system using Netcat? He then added a caveat, that he did not want to worry about recompiling the source to enable the GAPING_SECURITY_HOLE option that allows you to bind a shell using -e. My first thought was to say Dude, go check Google and stop bothering me with this piddly shit, however I have in the past had this same discussion with others and trying to construct a Google search string and get meaningful results on this subject can prove very irritating. Because of this I gave in and told him the method I use which is laid out below. I then had the thought that I should post it somewhere else so it was a little easier for the next person to find. I say somewhere else because I can only assume that I am not the first person to post this method.
> snip

Or you could just grab cryptcat and be done with it, if I understand what you're after.
Re: [Full-disclosure] Greedy Jews fact of the day
And after that message, you still shouldn't. Parse it a bit more carefully...

On Tue, Apr 1, 2008 at 5:28 PM, T Biehn [EMAIL PROTECTED] wrote:
> Valdis, Never took you for an anti-Semite.
>
> On Tue, Apr 1, 2008 at 8:06 PM, [EMAIL PROTECTED] wrote:
> > On Tue, 01 Apr 2008 16:21:55 PDT, Andrew A said:
> > > Why should we leave a single follower of such a filthy, greedy religion alive? Do any of you have an idea?
> >
> > You're just sore because they thought of the meme All the riches rightfully belong to those of our religion before your religion did...
Re: [Full-disclosure] OpenID. The future of authentication on the web?
On 3/23/08, Larry Seltzer [EMAIL PROTECTED] wrote:
> > I understand the attractiveness of not having to remember lots of IDs and passwords, but when you give up control of your data, you give up control of your future.
>
> Normal people aren't going to remember enough passwords, let alone strong passwords, to make that control meaningful.

I do get your point, but I bet that the best alternative is to give them one set of credentials and make it as strong as possible. PasswordSafe/KeePass on a PDA, or something similar, can make up for poor memory.

Kurt
Re: [Full-disclosure] Email Disclaimers...Legally Liable if breached?
I'd guess that the only disclaimer that carries any weight, and it'll probably be minimal, is the kind that says something along the lines of "The person who wrote this email is not an officer of the organization, and statements contained herein that contradict organization policy are not enforceable, nor are they representative of the organization." Anything else, such as directives to destroy before reading, etc., is purely hogwash.

The problem then becomes identifying those who *are* officers of the organization, and putting an appropriate claim on their emails, stating their responsibilities, or at least making sure that their emails don't have the disclaimer on them.

On 10/10/07, Kelly Robinson [EMAIL PROTECTED] wrote:
> It is common these days for email messages to contain a disclosure notice, which may include statements such as:
> - You must read the notice
> - The views expressed in the accompanying email are not necessarily those of the company
> - The email and any attachments should be checked for viruses.
>
> Do these notices carry any legal force? Why or why not?
Re: [Full-disclosure] Rapid integer factorization = end of RSA?
Get it peer-reviewed, or go away.

On 4/25/07, Eugene Chukhlomin [EMAIL PROTECTED] wrote:
> Hi list!
>
> I discovered a new method of integer factorization for any precision numbers, probably it should be an end of RSA era.
>
> Details:
> Let N - the ring and N = p*q
> Then, (-p) in terms of ring(N) is equal (N-p)
>
> Lemma:
> p*(-q)=p*q*(-p) and respective: (-p)*q=p*q*(-q)
>
> Proof:
> p*(-q)=p*(N-q) - by the data, then
> p*(-q)=p*(p*q-q)=p*pq-p*q=p*q*p-p*q=(p-1)*(p*q)
> (-p)*q=q*(N-p) - by the data, then
> (-p)*q=(p*q-p)*q=p*q*q-p*q=p*q*q-p*q=(q-1)*(p*q)
> Q. E. D.
>
> Hypothesis:
> Let N = p*q = A1*B1 + A2*B2... + An*Bn
> Then exists some subset(A1...An) and respective subset(B1...Bn), which satisfies for equality:
> A1*(-B1)+A2*(-B2)...+An*(-Bn) = p*(-q)=p*q*(p-1)
> or
> A1*(-B1)+A2*(-B2)...+An*(-Bn) = (-p)*q=p*q*(q-1)
> If found such (A1...An) and (B1...Bn), we can find p or q by dividing p*(q-1) on p*q:
> p*(q-1)=p*q*(p-1) = (p*(q-1))/(p*q)=(p-1) = (p-1)+1 = p
> or
> (p-1)*q=p*q*(q-1)=((-p)*q)/(p*q)=(q-1) = (q-1)+1 = q
>
> Sample:
> 21 = 3*7
> Let's view a binary representation of this number:
> 10101 = 2^4 + 2^2 + 1 = 4*4+2*2+1*1
> Then, we can try to find 7*(-3) in terms of ring(21):
> 4*(-4) + 2(-2) + 1*(-1) = 4*(21-4)+2*(21-2)+1*(21-1)=4*17+2*19+1*20 = 68+38+20 = 126 = 6*21
> 6+1=7
>
> This implementation of my hypothesis has very hard complexity (about a log2(N)! comparisons), but exists a short way with fixed complexity for implementation of hypothesis (plan B) - but, for ethical reasons, I'll not post it here.
>
> Regards,
> Eugene Chukhlomin
Re: [Full-disclosure] Gary McKinnon
Poor English skills?

On 4/14/06, Nobody Particular [EMAIL PROTECTED] wrote:
> snip/
> And in addition, under what basis are you assuming that I am a US citizen?
Re: [Full-disclosure] Spy Agency Mined Vast Data Trove
Rodrigo Barbosa wrote:
> On Mon, Dec 26, 2005 at 10:11:45PM -0600, Leif Ericksen wrote:
> > Really if we have nothing to hide we should not fear them listening to us. Now if they come in and start forcing a special mark or code word or something special in order to live or buy or sell anything then it is time to revolt.
>
> Now, that is an interesting view of someone who really is not paying attention. What would you qualify as something to hide? How about my banking account data? How about the trade secrets of my company?

Interesting line of argument, but really beside the point. You are correct that Leif has taken the wrong line of argument, but you yourself haven't quite got it right.

Leif speaks as if the government has a right to monitor our thoughts. Such a stance indicates that we are property of (a|the) government. Just the opposite is true. The just government serves at the pleasure of its citizens, and must not be allowed any more power than what is strictly necessary, if any at all.

For the US, the 4th Amendment applies, and all of the history surrounding it - secure in papers and effects, unreasonable search/seizure, etc. The recent NSA actions (and older programs, too, such as Echelon), taken at the behest of Presidential directive, are clearly illegal, and destructive of the relationship between citizens and their government.

The 1st Amendment also applies, in that free speech can also be private, with unauthorized others excluded, for whatever reason, and/or anonymous. If government intrudes, it has an unwarranted chilling effect.

Kurt
Re: [Full-disclosure] Re: Your One-Stop Site For Sony Lawsuit Info
Eliah Kagan wrote:
> Anonymous Squirrel wrote:
> > At the risk of this discussion running far afield, I think Jason and Paul may be talking past each other. My understanding is that Jason has a point -- corporations can't suffer the same punishment as individuals. They aren't deprived of their freedom in prisons. The most common corporate punishment is a fine. Paul's point is SOX, GLBA, and HIPAA hold individuals accountable for their acts at corporations. Those two opinions are both correct, and do not contradict each other.
> This is true, and important. Nonetheless, Jason seems to be almost calling for mob justice, when he says:
> > The only option available to the people is mob justice. Corporations can be ruined and they can be burned to the ground, but they can't be touched in a meaningful way through mechanisms of law. Corporate persons are truly first-class citizens, rising above the rest of us natural persons in importance and worth to society.
> Paul Schmehl is pointing out that this is false--the law can be used against corporations, to regulate the acts of corporations by making the persons who constitute their leadership personally liable in criminal court. I strongly doubt that vigilantism is an appropriate or even useful response to corporations victimizing their customers with spyware. I

And yet, Jason has a deep point - corporations have more rights than citizens. There is no jail time (freezing of assets and suspension of sales, perhaps?) or death penalty (forced liquidation of assets, distribution of proceeds to bond/stock owners - outside of bankruptcy court) for them, and it's unlikely there ever will be, because they have the money. The penalties should exist and be enforced, IMHO.

But this is political discussion, and perhaps not completely relevant to this forum.

Kurt
Re: [Full-disclosure] Is the Bottom Line Impacted by Security Breaches?
Frank Knobbe wrote:
> snip
> Perhaps you should ask: If 40 million customer social security numbers are exposed in a security breach at the credit card processor CardSystems, why do a significant number of people not request new social security numbers? After all, there is no limit on liability with fraud on those
> Regards, Frank

Easy - you can't get one, so asking won't help. Unless, of course, you're under the protection of the Federal Witness Relocation program.
Re: [Full-disclosure] Useless tidbit (MS AntiSpyware)
> If one [or more] of you on the list could be so kind to indicate a [many] resource[s] that lame hamstrung admins would be wise to follow as guidelines to secure Windows systems.. it would be so much more productive. Especially for those lazy a$$ admins who may overlook the single [or multiple] missed step that lets them become owned, hacked, infected, unpatched, bugged, spewing, spamming, bots, rooted [I am sure to have skipped a few important ones] ;-P
> steve

Google is your friend - start with 'NSA security guidelines windows'.