Re: [Full-disclosure] Getting rid of n3td3v

2005-12-15 Thread whistles
> On 12/15/05, Joe Average <[EMAIL PROTECTED]> wrote:
> > netdev isn't an idiot,
> >
> > we've had many attacks avoided by him contacting our security address


N3td3v has saved himself? from attacks by contacting himself? It seems
like the same as using your left hand, as it's just like someone else
doing it.

I am stuck between the ideas that n3t4rd is a complete and utter moron
or he is some strange sort of honey pot. Occam's razor says moron
though, so I will stick with that.

n3td3v.com is going back up quite soon due to continued idiocy, BTW
:)  Content submissions (quotes, flames, humor etc.) are welcome and
can be sent to this addy.
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] [ GLSA 200512-08 ] Xpdf, GPdf, CUPS, Poppler: Multiple vulnerabilities

2005-12-15 Thread Sune Kloppenborg Jeppesen
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200512-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: Xpdf, GPdf, CUPS, Poppler: Multiple vulnerabilities
  Date: December 16, 2005
  Bugs: #114428, #115286
ID: 200512-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Multiple vulnerabilities have been discovered in Xpdf, GPdf, CUPS and
Poppler potentially resulting in the execution of arbitrary code.

Background
==

Xpdf and GPdf are PDF file viewers that run under the X Window System.
Poppler is a PDF rendering library based on Xpdf code. The Common UNIX
Printing System (CUPS) is a cross-platform print spooler. It makes use
of Xpdf code to handle PDF files.

Affected packages
=

---
 Package   /   Vulnerable   /   Unaffected
---
  1  app-text/xpdf        < 3.01-r2        >= 3.01-r2
  2  app-text/gpdf        < 2.10.0-r2      >= 2.10.0-r2
  3  app-text/poppler     < 0.4.2-r1       >= 0.4.2-r1
  4  net-print/cups       < 1.1.23-r3      >= 1.1.23-r3
---
 4 affected packages on all of their supported architectures.
---

Description
===

infamous41md discovered that several Xpdf functions lack sufficient
boundary checking, resulting in multiple exploitable buffer overflows.

Impact
==

An attacker could entice a user to open a specially-crafted PDF file
which would trigger an overflow, potentially resulting in execution of
arbitrary code with the rights of the user running Xpdf, CUPS, GPdf or
Poppler.

Workaround
==

There is no known workaround at this time.

Resolution
==

All Xpdf users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-text/xpdf-3.01-r2"

All GPdf users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-text/gpdf-2.10.0-r2"

All Poppler users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-text/poppler-0.4.2-r1"

All CUPS users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-print/cups-1.1.23-r3"

References
==

  [ 1 ] CVE-2005-3191
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3191
  [ 2 ] CVE-2005-3192
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3192
  [ 3 ] CVE-2005-3193
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3193

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200512-08.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0



Re: [Full-disclosure] Symlink attack techniques

2005-12-15 Thread Valdis . Kletnieks
On Thu, 15 Dec 2005 18:14:51 CST, James Longstreet said:

> Since it doesn't seem like you can control what gets written to the  
> file, you probably can't directly get root access from there.  The  
> output could have some ill effect if written to the correct file...  
> hard to know without knowing what the output is.

> Of course, as was already suggested, you can be malicious and  
> destructive and destroy /etc/passwd (or any other file on the  
> system), but I don't see right away how to gain root from that.

The trick here is to find some file where the mere *existence* of the
file will alter the behavior of something.  Obvious targets include
/etc/hosts.equiv on boxes still running the BSD r* commands, or things
like /etc/cron.allow.  Other possibilities include finding a cron job
or frequently run program that will misbehave if it can't open a file
with open(..O_EXCL), and so on.

It almost certainly won't get you root by itself, but it may be possible
to use it to leverage a second vulnerability that you wouldn't otherwise be
able to use.



RE: [Full-disclosure] Administrivia: Requests for Moderation

2005-12-15 Thread Aditya Deshmukh
> 
> Hows about instead of moderation, we try vote-kicking?

I support this one, but who decides how many votes are
sufficient to get someone kicked? And what about the
votes that can be automated?

I bet someone will create a huge farm for voting;
whenever there is any voting all the results will
be swayed.





RE: [Full-disclosure] Moderated lists

2005-12-15 Thread Aditya Deshmukh
 
> Why not do a self-regulating list?  Something along the lines 
> of keeping
> track of signup dates and IP addresses, then when a yahoo starts
> spouting crap, put it to a vote on list. (only members older then xyz
> date have a vote) If the list's wish is to have the user 
> banned, then so
> be it... 
> 

This is all so good in principle but how do you implement it? And how
does voting take place? By email to the list? This way any time we have
to remove someone from the list it will generate a whole lot of useless
mail.




Re: [Full-disclosure] infosecbofh

2005-12-15 Thread InfoSecBOFH
ahahaha... sure troll.



On 12/15/05, Joe Average <[EMAIL PROTECTED]> wrote:
>
> your remarks on the list have been less than helpful,
>
> I have spoken with netdev to resolve the issue and hopefully with your help
> the list can get back to normal
>
> don't add to the noise
>
> we're all professionals looking for a clear resolve (work with us)


[Full-disclosure] infosecbofh

2005-12-15 Thread Joe Average
 
your remarks on the list have been less than helpful,

I have spoken with netdev to resolve the issue and hopefully with your help
the list can get back to normal

don't add to the noise

we're all professionals looking for a clear resolve (work with us)

[Full-disclosure] [JRSA_0x2fbcd0251e8d606ebbb595dccb685f9446f441a7320f912666fd8b3362f3bffe_15-Dec-2005] Software Based Cipher Implementation Vulnerabilities Security Advisory 15-Dec-2005

2005-12-15 Thread coderman
Software Based Cipher Implementation Vulnerabilities

Random (tm) Security Advisory 15-Dec-2005
by J. Random Expert, CPA, CISSP, CISM, CISA, CCNA, CCSE, CCSA, GCIA,
 GCIH, GCFW, GIAC, GSNA, GCFA, GCUX, GSEC, GSUX, QUE, GQUE, WTFBBQ.
contact: [EMAIL PROTECTED]


I. BACKGROUND

We are experts on information security dedicated to bringing the public
the highest quality imitation products and services to protect against
all those dire security risks and impending integrity breaches that will
bankrupt and publicly humiliate you unless you purchase our services for
a reasonable recurring fee paid up front or net 30.


II. DESCRIPTION

Cryptography is the mysterious and complicated art of making information
look like entropy.  While the theory behind block and public key ciphers
is straightforward, the implementations are often flawed due to various
oversights.  We have empirically verified a class of cache and host
based timing side channel attacks against common processors and operating
systems which allow for 3DES, AES, RSA, DSA, ElGamal and Diffie-Hellman
secret key recovery remotely or via local exploit.  Hyper-threading
capabilities in newer processors can also be used to make local attacks
even more effective.

The basis for these attacks is the use of high resolution timing
information related to processing of specially crafted cipher texts or
specific memory regions to discern secret key material based on its
representation in processor memory caches during encryption or decryption
operations.

This timing mechanism can be implemented across a low latency network or
using a local unprivileged helper process on the target host.  For the
technical details and theory behind these attacks please refer to the
following published materials:

  http://cr.yp.to/antiforgery/cachetiming-20050414.pdf
  http://www.daemonology.net/hyperthreading-considered-harmful/
  http://eprint.iacr.org/2005/368


III. ANALYSIS

Successful exploitation of the described vulnerabilities allows
unauthenticated remote attackers and authenticated local users to recover
key material used on the host for various private communication channels.
Compromise of these channels can lead to privilege escalation and / or
remote exploitation of vulnerable systems.

To gauge the feasibility of this attack we hired world renowned black
hat 'MacGyver' to demonstrate this exploit on actual systems owned by a
competitor of ours.  We can confirm that key recovery and full remote
exploitation of their IPsec VPN was attained using gcc, duct tape, and a
roll of cinnamon flavored dental floss.  Incriminating email evidence of
their pool dying prank at our annual Christmas party was recovered as
proof of our l33t'ness.  Suck it you losers, we knew it was you.

The Electronic Frontier Foundation has also independently verified this
vulnerability and launched a new 'Software Ciphers Suck!' campaign to
educate the public on the privacy dangers of using leaky cipher
implementations.  Sony BMG in particular was anxious to add this key
recovery exploit to their audio disc DRM rootkit.  Please contact our
sales department with exploit licensing inquiries.


IV. DETECTION

If you are using software cipher implementations on Intel, AMD, IBM or
Sparc processors you are vulnerable to this attack.  Other architectures
may have similar weaknesses but nobody gives a shit about them anyway.
All known operating systems executing on the aforementioned processors
are also assumed to be vulnerable.

NOTE: Those fortunate enough to live in a region where only mint or plain
dental floss is sold may not be vulnerable to the MacGyver remote key
recovery exploit.

Unix, BSD and Linux users can use the psrinfo utility or /proc/cpuinfo
file for more detailed processor identification.  Windows users have
bigger security holes to worry about.  Move along, move along...


V. WORKAROUNDS

Special program modifications that add redundant execution loops and
stack / heap padding can obfuscate timing information related to memory
cache and bus communication latencies.  In particular a general technique
described in the following paper can be used to reduce or eliminate the
potential for this attack:
  http://eprint.iacr.org/2005/368

Remember: five times slower and twice as fat is a feature, not a bug!

The use of perfect forward secrecy and frequent key rotation may reduce
the potential for successful exploitation.

If at all possible, hardware cipher implementations for offload of
cryptographic processing are highly recommended.  VIA's Padlock Engine
is particularly attractive:
  http://www.via.com.tw/en/initiatives/padlock/hardware.jsp

You losers stuck with Intel/AMD/IBM/Slowlaris procs can always buy a PCI
based crypto accelerator:
  http://www.soekris.com/vpn1401.htm

There are unsubstantiated reports that a properly designed tin foil hat
placed directly above the processor fan may protect L1/L2 cache lines in
the Intel family of processors.  Please see the following for details on
pro

Re: [Full-disclosure] Getting rid of n3td3v

2005-12-15 Thread InfoSecBOFH
ahahaha... and the hits keep coming.



On 12/15/05, Joe Average <[EMAIL PROTECTED]> wrote:
>
>
>
> On 12/15/05, Stejerean, Cosmin <[EMAIL PROTECTED]> wrote:
> > I have a simple suggestion to get rid of the n3td3v problem. Aside from
> > creating a spam filter for every message that contains n3td3v or his email
> > address the next best thing to do is simply ignore all his posts. If you
> > feel the need to let him know what a big moron he is then please do so
> > directly to his email address and do not send it to the list. You do not
> > need to prove to anyone else that n3td3v is an idiot; anyone already on the
> > lists should know that by now. If we all ignore any messages from n3td3v and
> > any thread started by him I hope that he will go away and find someone else
> > that will pay attention to his "security research".
> >
> > Cosmin Stejerean
>
> netdev isn't an idiot,
>
> we've had many attacks avoided by him contacting our security address


[Full-disclosure] the noise over crosstalk ratio

2005-12-15 Thread Joe Average
I have spoken with netdev and he agrees not to respond to nicknames

if you people encourage the situation then we can't find a reasonable exit plan

please don't add to the noise

[Full-disclosure] RE: Request for moderation

2005-12-15 Thread Steve Manzuik
There is also VulnWatch (www.vulnwatch.org) as an alternative moderated
list.  Zero noise, just advisories.  Or, for a little more noise
VulnDiscuss, also moderated but more discussion based.

Cheers;

Steve Manzuik
Moderator - VulnWatch




Re: [Full-disclosure] Symlink attack techniques

2005-12-15 Thread Tim
> Ok I should have been more precise in my previous mail. In this scenario I
> don't have control over the output generated by the find command. So
> basically the cronjob is something like:
>
> 15 4 * * 6 root /usr/bin/find /home/userA -type f -print > /tmp/report.txt
>
> Consequently as userB I have no way of influencing what information is
> printed by the find command to /tmp/report.txt but I can surely
> control /tmp/report.txt. Any other ideas of how to exploit this to gain root
> access?

h, as userB, you do have a way to influence userA's files.  It's
staring you right in the face.

Symlink /tmp/report to a malicious filename under /home/userA, much like
H D Moore suggested.

Then, before the next cronjob runs, re-symlink it to a script that will
execute your command.

Never tried something like that, but with enough hackery, it seems like
it could work.

good luck,
tim


Re: [Full-disclosure] Getting rid of n3td3v

2005-12-15 Thread Joe Average

On 12/15/05, Stejerean, Cosmin <[EMAIL PROTECTED]> wrote:
> I have a simple suggestion to get rid of the n3td3v problem. Aside from
> creating a spam filter for every message that contains n3td3v or his email
> address the next best thing to do is simply ignore all his posts. If you
> feel the need to let him know what a big moron he is then please do so
> directly to his email address and do not send it to the list. You do not
> need to prove to anyone else that n3td3v is an idiot; anyone already on the
> lists should know that by now. If we all ignore any messages from n3td3v and
> any thread started by him I hope that he will go away and find someone else
> that will pay attention to his "security research".
>
> Cosmin Stejerean
 
netdev isn't an idiot,
 
we've had many attacks avoided by him contacting our security address

Re: [Full-disclosure] Fwd: WSLabs, Phishing Alert: Internal Revenue (FAO Todd Towles)

2005-12-15 Thread Joe Average

On 12/15/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> Websense, the largest of corporates? Perhaps you're used to working at
> startup ISPs, oh wait, you probably don't even have time for a job
> considering you haven't left pre-school yet. You didn't influence the
> company itself and I'm surprised that gmail hasn't been RBL'ed with the
> amount of crap you've been spamming everyone with lately.
>
> n00b.
 
 
we've spoken with netdev and we hope the situation can be resolved by him not responding to bait mail

Re: [Full-disclosure] n3tdev shit

2005-12-15 Thread VeNoMouS
it reminds you of #teen or something from irc, ure a dick  , no your a 
dick


just ignore him ffs! unless you're wanting your own pok`e mon to battle him
with your enormous e-penis!!
- Original Message - 
From: "adnan habib" <[EMAIL PROTECTED]>

To: <[EMAIL PROTECTED]>; 
Sent: Friday, December 16, 2005 11:57 AM
Subject: Re: [Full-disclosure] n3tdev shit


come on let him live for some time  :)


From: cdowns
> my favorite thing about this list is watching people slap
> each other around hahahah.. only in the security industry...
>
> 5+ years in and I can always count on it ;)
>
> ~!>D
>
> Scott Schappert wrote:
>
> What a mangled version of J. Robert Oppenheimer's statement. How
> pathetic.
>
> *From:* [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] *On Behalf Of
> *(M.o.H.a.J.a.L.i)
> *Sent:* Thursday, December 15, 2005 1:23 PM
> *To:* Full Disclosue List
> *Subject:* [Full-disclosure] n3tdev shit
>
> if u have a gmail email or any email system that supports filters... then
> just filter any email containing the word n3td3v...
>
> --
> ®. Now I Am Become Death, The Destroyer Of Worlds ©



Re: [Full-disclosure] Symlink attack techniques

2005-12-15 Thread James Longstreet


On Dec 15, 2005, at 7:09 AM, Werner Schalk wrote:

> Ok I should have been more precise in my previous mail. In this
> scenario I don't have control over the output generated by the find
> command. So basically the cronjob is something like:
>
> 15 4  * * 6  root  /usr/bin/find /home/userA -type f -print > /tmp/report.txt
>
> Consequently as userB I have no way of influencing what information
> is printed by the find command to /tmp/report.txt but I can surely
> control /tmp/report.txt. Any other ideas of how to exploit this to
> gain root access?


Since it doesn't seem like you can control what gets written to the  
file, you probably can't directly get root access from there.  The  
output could have some ill effect if written to the correct file...  
hard to know without knowing what the output is.


Of course, as was already suggested, you can be malicious and  
destructive and destroy /etc/passwd (or any other file on the  
system), but I don't see right away how to gain root from that.

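A defender's counterpart to this thread (Werner Schalk's cron line and the replies from Valdis, Tim and James), added here as an example and not code from any of the posters: how a privileged job should open its report in a directory other users can write to, so that a planted symlink is refused rather than followed, plus the lstat() check an audit of /tmp would use to spot one. The scratch directory, file names and step numbers are constructed for the demo; the O_EXCL flag is the one Valdis mentions, here combined with O_NOFOLLOW and a post-open fstat().

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Open a report file the way a privileged cron job should when the directory
 * is shared: O_CREAT|O_EXCL refuses any existing path (a symlink included,
 * whatever it points at), O_NOFOLLOW refuses a symlink at the final
 * component, and mode 0600 keeps the report private. Returns the fd, or -1
 * with errno set.
 */
int open_report_safely(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;

    /* Check what was actually opened: a regular file owned by this process. */
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid()) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Audit helper: 1 if path is itself a symlink (lstat inspects the link, stat would follow it). */
int is_symlink(const char *path)
{
    struct stat st;
    if (lstat(path, &st) < 0)
        return 0;
    return S_ISLNK(st.st_mode) ? 1 : 0;
}

/*
 * Replay the thread's scenario in a scratch directory constructed for the demo
 * (not the real /tmp/report.txt): a file standing in for one of userA's files,
 * a symlink named report.txt pointing at it, and the job trying to write.
 * Returns 0 when every step behaves as expected, otherwise the failing step.
 */
int run_demo(void)
{
    char dir[] = "/tmp/symlinkdemo.XXXXXX";     /* constructed scratch dir */
    if (mkdtemp(dir) == NULL)
        return 1;

    char target[128], planted[128], fresh[128];
    snprintf(target, sizeof target, "%s/userA_file", dir);
    snprintf(planted, sizeof planted, "%s/report.txt", dir);
    snprintf(fresh, sizeof fresh, "%s/report.new", dir);

    /* Step 2: the file an attacker would want the job to clobber. */
    int t = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (t < 0 || write(t, "keep me\n", 8) != 8)
        return 2;
    close(t);

    /* Step 3: the planted symlink report.txt -> userA_file. */
    if (symlink(target, planted) < 0 || !is_symlink(planted))
        return 3;

    /* Step 4: the hardened open refuses it (EEXIST from O_EXCL, or ELOOP from O_NOFOLLOW). */
    int fd = open_report_safely(planted);
    if (fd >= 0 || (errno != EEXIST && errno != ELOOP)) {
        if (fd >= 0) close(fd);
        return 4;
    }

    /* Step 5: the target file is untouched. */
    struct stat st;
    if (stat(target, &st) < 0 || st.st_size != 8)
        return 5;

    /* Step 6: a path with nothing at it opens normally; a real job rotates or
     * unlinks its own previous report before the next run. */
    fd = open_report_safely(fresh);
    if (fd < 0)
        return 6;
    close(fd);

    unlink(fresh); unlink(planted); unlink(target); rmdir(dir);
    return 0;
}

int main(void)
{
    int rc = run_demo();
    printf("symlink demo %s (code %d)\n", rc == 0 ? "passed" : "failed", rc);
    return rc;
}
```

Writing the report into a root-owned directory such as a private spool instead of /tmp removes the shared-directory race altogether; the flags above are the fallback when that is not an option.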


Re: [Full-disclosure] TPM - will it work as pushed to the public?

2005-12-15 Thread Jeroen Massar
[EMAIL PROTECTED] wrote:
> On Thu, 15 Dec 2005 12:47:10 CST, Todd Towles said:
> 
>> http://www.msnbc.msn.com/ID/10441443
>>
>> Is it me or is this totally not going to work for normal people?
> 
> You totally missed the point (which the TPM proponents *are* trying hard to
> gloss over, so it's not surprising)...
> 
> TPM isn't about protecting you.  It's about protecting the owner of the DRM
> and related crap that will be forced down your throat.

Indeed it is more for them to protect their intellectual property than
anything else. But I guess most people, who want to earn a living coding
software and building hardware (or managing music artists ;) actually
will be happy with that. People with a less fat wallet, or who never
coded a line, never spent time on playing an instrument won't be that
happy with it ;) IPR is IMHO more about respecting the authors than
anything else. Usually the person who actually did the work gets peeped
over the money issue anyway. "Meja - It's all about the money" :)

The 'point' made about running a VNC to 'inject' and take over is not
(supposed to be ;) true for TPM protected devices. These devices, eg
keyboard/mouse/fingerprint scanners/etc run in the 'tpm protected
channel' and only trusted applications should have access to them, not
your trojan VNC. Of course that is what it is supposed to do,
OpenBSD/Windows/Linux/Solaris/AIX/ is also supposed
to be secure and everybody finds a bug there. But TPM does help to make
it a bit more difficult ;)

I will also not be surprised for some company who is against TPM to
create a contest with some nice prize money award to crack it wide open.

Greets,
 Jeroen




Re: [Full-disclosure] Fwd: WSLabs, Phishing Alert: Internal Revenue (FAO Todd Towles)

2005-12-15 Thread qballus
Websense, the largest of corporates? Perhaps you're used to working at
startup ISPs, oh wait, you probably don't even have time for a job
considering you haven't left pre-school yet. You didn't influence the
company itself and I'm surprised that gmail hasn't been RBL'ed with the
amount of crap you've been spamming everyone with lately.

n00b.

On 12/16/05, n3td3v <[EMAIL PROTECTED]> wrote:
> Here's proof I have influence over the biggest of corporations!
>
> -- Forwarded message --
> From: Websense Security Labs <[EMAIL PROTECTED]>
> Date: Dec 15, 2005 6:40 PM
> Subject: WSLabs, Phishing Alert: Internal Revenue Service
> To: [EMAIL PROTECTED]
>
> Websense(r) Security Labs(TM) has received reports of a new phishing
> attack that targets American taxpayers and claims to be the Internal
> Revenue Service. Users receive a spoofed email message, which claims
> they may access and track their tax refund information online. Upon
> clicking the link in the email, users are taken to a fraudulent
> website. The fraudulent website prompts users for their first and last
> name, social security number, mailing and email address, credit card
> number, CVV2, and ATM pin.
>
> This phishing site is hosted in Italy and was down at the time of this alert.
>
> Phishing email:
>
> *Subject:* Refund notice
>
> You filed your tax return and you're expecting a refund. You have just
> one question and you want the answer now - Where's My Refund?
>
> Access this secure Web site to find out if the IRS received your
> return and whether your refund was processed and sent to you.
>
> **New program enhancements** allow you to begin a refund trace online
> if you have not received your check within 28 days from the original
> IRS mailing date. Some of you will also be able to correct or change
> your mailing address within this application if your check was
> returned to us as undelivered by the U.S. Postal Service. "Where's My
> Refund?" will prompt you when these features are available for your
> situation.
>
> To get to your refund status, you'll need to provide the following
> information as shown on your return:
>
> * Your first and last name
> * Your Social Security Number (or IRS Individual Taxpayer
>   Identification Number)
> * Your Credit Card Information (for the successful complete of the
>   process)
>
> Okay now, **Where's My Refund
>
> Note: If you have trouble while using this application, please check
> the Requirements to make sure you have the correct browser software
> for this application to function properly and check to make sure our
> system is available.
>
> Phishing screenshot available with full alert.
>
> For additional details and information on how to detect and prevent
> this type of attack:
> http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=372
>
> Websense Security Labs discovers and investigates today's advanced
> internet threats and publishes its findings enabling
> organizations to best protect employee computing environments from
> increasingly sophisticated and dangerous internet threats.
>
> To unsubscribe: http://www.websensesecuritylabs.com/unsubscribe
> FAQs: http://www.websensesecuritylabs.com/about/
> Download a free 30 day trial: http://www.websense.com/downloads/SecurityLabs/

Re: [Full-disclosure] A CALL FOR FULL-DISCLOSURE TO BECOME A MODERATED LIST

2005-12-15 Thread Byron Sonne


Seriously folks, just set some spam filters. Out of the 1640 FD messages 
I had, I set a filter on 'n3t' and it snagged 225 messages, or in other 
words, 13.7% of messages got junked. Total time: 1 minute




Re: [Full-disclosure] A CALL FOR FULL-DISCLOSURE TO BECOME A MODERATED LIST

2005-12-15 Thread Ryan Sumida


Enrico Kern <[EMAIL PROTECTED]>
wrote on 12/15/2005 10:28:43 AM:

> forget it,
>
> we discussed this a few weeks ago, most of the guys on this list just
> love to get spam and bullshit. The one side says "well yeah omg it's
> no full-disclosure anymore with moderation" (penguin fucker style)
> and the others want the trash sorted out.
>
> Well from my point of view a moderated list will help to enhance the
> quality on full-disclosure, moderation doesn't mean that full-disclosure
> of a vulnerability isn't possible anymore (hello wtf is wrong with you?
> we just want the trash sorted out).
>
> Actually Full-Disclosure lost so much of the art and quality it had
> in the past, it's just sad. "omg omg why do you read FD if you don't like
> it" replies are wrong here, Full-Disclosure is still a great list, but
> it's full of trash lately.
>
> What about making a second full-disclosure list with moderated content
> (sorting out the kids) of the original list?
>

You've got to be kidding me with this BS.  If you want the trash sorted
out do it yourself.  If you are looking for a moderated full-disclosure
then I suggest bugtraq.


Re: [Full-disclosure] a call for full-disclosure to become a moderated list

2005-12-15 Thread Troy

On 12/14/05, [EMAIL PROTECTED] wrote:

> how many people who actually find value in this list (which i have,
> since len rose set it up quite a long time ago) agree with this
> position?

I have found quite a bit of value in this list. Yes, there are a lot of
crap posts on this list, but it has always been that way.

> if you think there's a compelling reason for no moderation, i'd like
> to hear it.

There are already numerous moderated security lists out there. Why would
you want this list to be like everything else? Besides, how can you have
"Full Disclosure" if what you can post is restricted in any way?

-- 
Troy

Re: [Full-disclosure] A CALL FOR FULL-DISCLOSURE TO BECOME A MODERATED

2005-12-15 Thread Jason Coombs
[EMAIL PROTECTED] wrote:
> Everybody knows this list is
> 98% a joke

And if you truly need an hourly fix of the latest codez and sploitz then you're 
a misguided black hat. There are plenty of alternatives out there for you to 
use for swapping illegal materials and sharing evil secrets.

Full-Disclosure is for the sharing of knowledge, ideas, belief systems, and the 
awareness necessary for good people to achieve and understand how to prove 
their own security.

What are you looking for today? A call for moderation is counterproductive, but 
there may be some merit to the idea of blocking endless profane nonsense and 
flame wars. One idea that might improve the quality of discussions is to leave 
FD unmoderated for new threads, and moderate any thread that reaches some 
number of replies. Either moderate all replies or trigger moderated discussion 
at some point for long threads.

Regards,

Jason Coombs
[EMAIL PROTECTED]



Re: [Full-disclosure] n3tdev shit

2005-12-15 Thread adnan habib

come on let him live for some time  :)


From: cdowns
> my favorite thing about this list is watching people slap
> each other around hahahah.. only in the security industry...
>
> 5+ years in and I can always count on it ;)
>
> ~!>D
>
> Scott Schappert wrote:
>
> What a mangled version of J. Robert Oppenheimer's statement. How pathetic.
>
> *From:* [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] *On Behalf Of
> *(M.o.H.a.J.a.L.i)
> *Sent:* Thursday, December 15, 2005 1:23 PM
> *To:* Full Disclosue List
> *Subject:* [Full-disclosure] n3tdev shit
>
> if u have a gmail email or any email system that supports filters... then
> just filter any email containing the word n3td3v...
>
> --
> ®. Now I Am Become Death, The Destroyer Of Worlds ©



___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Re: RLA ("Remote LanD Attack")

2005-12-15 Thread Synister Syntax
 Not a problem at all Roger.  I agree, it's a bit shocking, but I am
far less concerned about the Cisco devices and/or business networks.
What I am concerned over is consumer grade products that do not
enforce all the RFCs, that lack security against spoofed packets
and spoofed internal addresses on the external interface.  Network
administrators for business will usually have such a rule set that
will keep them from being vulnerable to such an attack; if not, I hope
they will now set a rule, but Joe Smith and his $15 Verizon router
will have no clue what a packet is, let alone the RFCs.  With such
devices being susceptible to attack, and with the delay in user
patches or firmware updates.

 I think it is such users we need to worry about; they have no
recourse.  The devices will shut off.  That's why I am hoping that the
vendors will release patches/updates.

 As far as Win2K3, again, I am not sure; it was brought up in a
private email about this exploit.  And it was simply brought up to see
if what I released was related to that CVE.  Of course they are
related in the fact they are LanD attacks, but mine is different in
many ways (one, mine's remote [outside networks], and two, my exploit
is for devices only).  I do not have a of Win2K3 to even test.  Sorry
if bringing it up has caused any more confusion.

 By all means, if you have any further questions, I would be glad
to answer them.  Again, thanks for your input and interest.

Thanks...

On 12/15/05, Roger A. Grimes <[EMAIL PROTECTED]> wrote:
> I appreciate you writing back. I'm not quarreling with what you wrote. A
> LAND attack being successful on a Cisco device is quite surprising.  I
> tried a Syn LAND attack on my W2K3 server without WF enabled and it
> didn't do anything. I'm not sure what that reference is referring to.
>
> -Original Message-
> From: Synister Syntax [mailto:[EMAIL PROTECTED]
> Sent: Thursday, December 15, 2005 5:11 PM
> To: Roger A. Grimes
> Subject: Re: RLA ("Remote LanD Attack")
>
>  Here is the CVE I was referring to:  *CVE-2005-0688*
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0688
>
>  Again, my exploit has nothing to do with the CVE (MS Windows 2K3)
> exploit, and I am in no way stating such systems are susceptible.  My
> reports are about Network Devices, namely Border/Perimeter devices
> (Routers, Modems, Switches, Firewalls).  Hope this helps.
>
> Thanks...
>
> On 12/15/05, Roger A. Grimes <[EMAIL PROTECTED]> wrote:
> > I just tried it against W2K3 SP1 and it does not work. I don't have a
> > non-SP1 version to check at the moment.
> >
> > -Original Message-
> > From: Synister Syntax [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, December 15, 2005 2:32 PM
> > To: Roger A. Grimes
> > Subject: Re: RLA ("Remote LanD Attack")
> >
> >  Sorry had a few spelling errors...
> >
> > Fixed below
> >
> > "  That is correct this affects network perimeter devices, such as
> > routers, switches, etc.  This is not an accountant about an OS
> exploit.
> > Although Microsoft only recently patched the initial exploit, it is
> > patched for both external and internal attacks.
> > Windows 2003 may still be susceptible to such an attack, however that
> > is a different post, under CVE investigation, this has nothing to do
> > with such an exploit.
> >
> > I used the -k switch a few, times although, it seemed to work
> > either way.  Although, to make sure it works, it would be best to use
> > such a switch.  Also, I wanted to point out, using the -d switch and
> > increasing the data/payload size seems to cause the attack to be more
> optimized.
> > Works faster in some cases.  It will work either way.
> > --
> > Regards,
> > SynSyn
> > Network Manager, Server Administrator, Security Specialist
> > (http://www.teamtrinix.com)"
> >
> > On 12/15/05, Synister Syntax <[EMAIL PROTECTED]> wrote:
> > >  That is correct this affects network perminter devices, such as
>
> > > routers, switches, etc.  This is not an accounment about an OS
> > > exploit.  Although Microsoft only recently patched the initial
> > > exploit, it is patched for both external and internal attacks.
> > > Windows 2003 may still be susecpitble to such an attack, however
> > > that is a diffrent post, under CVE invesigation, this has nothing to
>
> > > do with such an exploit.
> > >
> > >  I used the -k switch a few, times although, it seemed to work
> > > eitherway.  Although, to make sure it workes, it would be best to
> > > use such a switch.  Also, I wanted to point out, using the -d switch
>
> > > and increaseing the data/payload size seems to cause the attack to
> > > be more
> >
> > > optimiozed.  Workes faster in some cases.  It will work eitherway.
> > >
> > > On 12/15/05, Roger A. Grimes <[EMAIL PROTECTED]> wrote:
> > > > Just to clarify, so that people don't think this affects Windows
> > > > XP
> > SP2.
> > > > I've tested SP2 again, and the LAND attack no longer works. This
> > > > announcem

Re: [Full-disclosure] OT: Amazing, the Diebold insider said.

2005-12-15 Thread Paul Schmehl
--On Thursday, December 15, 2005 13:41:04 -0700 Dude VanWinkle
<[EMAIL PROTECTED]> wrote:

> p.s.: http://www.house.gov/mckinney/voterrights.htm

I wouldn't believe Cynthia McKinney if all she did was say, "Hi, my name's 
Cynthia McKinney."


She's an idiot.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/


Re: [Full-disclosure] A CALL FOR FULL-DISCLOSURE TO BECOME A MODERATED

2005-12-15 Thread bugtraq
If you don't like it, unsubscribe. Everybody knows this list is 98% a joke, but
every once in a while something interesting comes through. If you really *need*
to be on this list, read the thread title and decide if it's worth your time.

I advise checking out the following alternatives

* Daily Dave (http://lists.immunitysec.com/mailman/listinfo/dailydave)
* The Web Security Mailing List (http://www.webappsec.org/lists/websecurity/)
* SC-l Mailing List (http://www.securecoding.org/list/)  

- zn
http://www.cgisecurity.com/ Website Security, and more!
http://www.cgisecurity.com/index.rss Website Security New RSS Feed



[Full-disclosure] Re: RLA ("Remote LanD Attack")

2005-12-15 Thread Synister Syntax
 Below is the dialog between Roger and myself; at first the dialog
was private due to me not replying to all.  Sorry about that; if anyone
has any input, please chime in...

Thanks...

-- Forwarded message --
From: Synister Syntax <[EMAIL PROTECTED]>
Date: Dec 15, 2005 5:10 PM
Subject: Re: RLA ("Remote LanD Attack")
To: "Roger A. Grimes" <[EMAIL PROTECTED]>


 Here is the CVE I was referring to:  *CVE-2005-0688*
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0688

 Again, my exploit has nothing to do with the CVE (MS Windows 2K3)
exploit, and I am in no way stating such systems are susceptible.  My
reports are about Network Devices, namely Border/Perimeter devices
(Routers, Modems, Switches, Firewalls).  Hope this helps.

Thanks...

On 12/15/05, Roger A. Grimes <[EMAIL PROTECTED]> wrote:
> I just tried it against W2K3 SP1 and it does not work. I don't have a
> non-SP1 version to check at the moment.
>
> -Original Message-
> From: Synister Syntax [mailto:[EMAIL PROTECTED]
> Sent: Thursday, December 15, 2005 2:32 PM
> To: Roger A. Grimes
> Subject: Re: RLA ("Remote LanD Attack")
>
>  Sorry had a few spelling errors...
>
> Fixed below
>
> "  That is correct this affects network perimeter devices, such as
> routers, switches, etc.  This is not an accountant about an OS exploit.
> Although Microsoft only recently patched the initial exploit, it is
> patched for both external and internal attacks.
> Windows 2003 may still be susceptible to such an attack, however that is
> a different post, under CVE investigation, this has nothing to do with
> such an exploit.
>
> I used the -k switch a few, times although, it seemed to work either
> way.  Although, to make sure it works, it would be best to use such a
> switch.  Also, I wanted to point out, using the -d switch and increasing
> the data/payload size seems to cause the attack to be more optimized.
> Works faster in some cases.  It will work either way.
> --
> Regards,
> SynSyn
> Network Manager, Server Administrator, Security Specialist
> (http://www.teamtrinix.com)"
>
> On 12/15/05, Synister Syntax <[EMAIL PROTECTED]> wrote:
> >  That is correct this affects network perminter devices, such as
> > routers, switches, etc.  This is not an accounment about an OS
> > exploit.  Although Microsoft only recently patched the initial
> > exploit, it is patched for both external and internal attacks.
> > Windows 2003 may still be susecpitble to such an attack, however that
> > is a diffrent post, under CVE invesigation, this has nothing to do
> > with such an exploit.
> >
> >  I used the -k switch a few, times although, it seemed to work
> > eitherway.  Although, to make sure it workes, it would be best to use
> > such a switch.  Also, I wanted to point out, using the -d switch and
> > increaseing the data/payload size seems to cause the attack to be more
>
> > optimiozed.  Workes faster in some cases.  It will work eitherway.
> >
> > On 12/15/05, Roger A. Grimes <[EMAIL PROTECTED]> wrote:
> > > Just to clarify, so that people don't think this affects Windows XP
> SP2.
> > > I've tested SP2 again, and the LAND attack no longer works. This
> > > announcement concerns gateway network devices that computers may
> > > attach to (the announcement is a little confusing at first).
> > >
> > > Also, to pull off the hping2 example, you'll need the -k parameter
> > > to make sure the source port stays at port 80, else it will
> > > increment up (80, 81, 82, etc.)
> > >
> > > Roger
> > >
> > > ***
> > > *Roger A. Grimes, Banneret Computer Security, Consultant *CPA,
> > > CISSP, MCSE: Security (2000/2003/MVP), CEH, yada...yada...
> > > *email: [EMAIL PROTECTED]
> > > *Author of Honeypots for Windows (Apress)
> > > *http://www.apress.com/book/bookDisplay.html?bID=281
> > > ***
> > >
> > >
> > > -Original Message-
> > > From: Synister Syntax [mailto:[EMAIL PROTECTED]
> > > Sent: Wednesday, December 14, 2005 1:49 AM
> > > To: bugtraq@securityfocus.com; full-disclosure@lists.grok.org.uk;
> > > [EMAIL PROTECTED]; [EMAIL PROTECTED]
> > > Subject: RLA ("Remote LanD Attack")
> > >
> > > Below is a copy of my RLA exploit submission in ASCII.  Attached is
> > > a MSWord (.doc) version with rich formatting, created with ease of
> > > view in mind.
> > >
> > > Regards...
> > >
> > > --
> > >
> > > RLA
> > > ("Remote LanD Attack")
> > > 2005
> > >
> > >
> > > As discovered by:
> > >  Justin M. Wray
> > > ([EMAIL PROTECTED])
> > >
> > >
> > > Devices/Vendors Vulnerable:
> > > - Microsoft Windows XP, SP1 and SP2
> > > - Linksys Routers
> > > - Westell Routers/Modems
> > > - Motorola Modems/Routers
> > > - Cisco Firewalls, Switches, and Routers
> > > - DSL Modems
> > > - Cable Modems
> > > - Consumer Routers
> > > - All Central Connectivity Devices (any manufacturer)
> > >
> > > Devices/Vendors T
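A defender-side check for the two points made in the thread above: Synister Syntax's concern about consumer devices that accept spoofed internal addresses on the external interface, and Roger's note that hping2 needs -k to keep the source port pinned at 80. This is an added example, not code from the RLA post, from hping2 or from any vendor; the interface names, addresses and log lines are constructed, and the log format is modelled on netfilter's KEY=VALUE style.

```python
"""Perimeter checks for the LAND signature (source address and port equal
to destination address and port) and for packets arriving on the external
interface that claim an inside or device-owned source address.
Added example; not code from the RLA post, hping2 or any vendor."""
from collections import Counter
from dataclasses import dataclass
import ipaddress

# Constructed device configuration (hypothetical addresses).
EXTERNAL_IFACE = "wan0"
DEVICE_ADDRS = {ipaddress.ip_address("203.0.113.10"),   # WAN side
                ipaddress.ip_address("192.168.1.1")}    # LAN side
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet arrived on
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    flags: str = ""


def parse_log_line(line: str) -> Packet:
    """Parse a netfilter-style LOG line: KEY=VALUE tokens, with bare
    upper-case tokens such as SYN treated as TCP flags."""
    fields, flags = {}, []
    for tok in line.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields[key] = val
        elif tok.isalpha() and tok.isupper():
            flags.append(tok)
    return Packet(fields["IN"], fields["SRC"], fields["DST"],
                  fields["PROTO"].lower(), int(fields["SPT"]),
                  int(fields["DPT"]), " ".join(flags))


def is_land(pkt: Packet) -> bool:
    """LAND signature. Roger's point about -k matters here: if the source
    port drifts (80, 81, 82, ...) the port comparison fails after the
    first probe, so is_spoofed_ingress() is the check to rely on."""
    return pkt.src == pkt.dst and pkt.sport == pkt.dport


def is_spoofed_ingress(pkt: Packet) -> bool:
    """Ingress filter: a packet on the external interface must not claim
    one of the device's own addresses or an inside network address."""
    if pkt.iface != EXTERNAL_IFACE:
        return False
    src = ipaddress.ip_address(pkt.src)
    return src in DEVICE_ADDRS or any(src in net for net in INTERNAL_NETS)


def classify(pkt: Packet) -> str:
    """Verdict a perimeter filter should apply to one packet."""
    if is_land(pkt):
        return "drop:land"
    if is_spoofed_ingress(pkt):
        return "drop:spoofed-source"
    return "accept"


def scan(lines) -> dict:
    """Classify each log line; returns a verdict -> count mapping."""
    return dict(Counter(classify(parse_log_line(l)) for l in lines))


# Constructed sample log lines (not captured traffic).
SAMPLE_LOG = [
    # LAND probe against the WAN address with the source port pinned to 80
    "kernel: FW: IN=wan0 OUT= SRC=203.0.113.10 DST=203.0.113.10 LEN=40 PROTO=TCP SPT=80 DPT=80 SYN",
    # same probe without a pinned source port: the LAND signature misses
    # it, but the ingress filter still drops it
    "kernel: FW: IN=wan0 OUT= SRC=203.0.113.10 DST=203.0.113.10 LEN=40 PROTO=TCP SPT=81 DPT=80 SYN",
    # inside address presented on the outside interface
    "kernel: FW: IN=wan0 OUT= SRC=192.168.1.50 DST=203.0.113.10 LEN=40 PROTO=TCP SPT=4444 DPT=80 SYN",
    # ordinary LAN client reaching the device's web UI
    "kernel: FW: IN=lan0 OUT= SRC=192.168.1.50 DST=192.168.1.1 LEN=40 PROTO=TCP SPT=5000 DPT=80 SYN",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(parse_log_line(line)), "<-", line)
    print(scan(SAMPLE_LOG))
```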

Re: [Full-disclosure] n3tdev shit

2005-12-15 Thread cdowns
my favorite thing about this list is watching people slap each other 
around hahahah.. only in the security industry...


5+ years in and I can always count on it ;)

~!>D

Scott Schappert wrote:
> What a mangled version of J. Robert Oppenheimer’s statement. How
> pathetic.
>
> *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of* (M.o.H.a.J.a.L.i)
> *Sent:* Thursday, December 15, 2005 1:23 PM
> *To:* Full Disclosue List
> *Subject:* [Full-disclosure] n3tdev shit
>
> if you have a Gmail email or any email system that supports
> filters... then just filter any email containing the word n3td3v...
>
> --
> ®.Now I Am Become Death, The Destroyer Of Worlds©


[Full-disclosure] oppenheimer quotes (was: n3tdev shit)

2005-12-15 Thread Michael Holstein

> What a mangled version of J. Robert Oppenheimer’s statement.  How pathetic.

Bearing relevance to the current discussion, how about one of his other
ones:

"The open society, the unrestricted access to knowledge, the unplanned
and uninhibited association of men for its furtherance - these are what
may make a vast, complex, ever growing, ever changing, ever more
specialized and expert technological world, nevertheless a world of
human community." -- J. Robert Oppenheimer

That sort of mirrors the whole idea of "full-disclosure" eh?

(BTW: the original quote wasn't mangled .. the only thing was the extra
word 'now' at the beginning of it).

~Mike.


RE: [Full-disclosure] n3tdev shit

2005-12-15 Thread Scott Schappert

What a mangled version of J. Robert Oppenheimer’s statement.  How pathetic.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of (M.o.H.a.J.a.L.i)
Sent: Thursday, December 15, 2005 1:23 PM
To: Full Disclosue List
Subject: [Full-disclosure] n3tdev shit

if you have a Gmail email or any email system that supports filters... then
just filter any email containing the word n3td3v...

--
®.Now I Am Become Death, The Destroyer Of Worlds©

Re: [Full-disclosure] a call for full-disclosure to become a moderatedlist

2005-12-15 Thread Michael Holstein

> it seems to me that without a moderator (since there is the apparent
> absence of people who are moderate, or even civilized), this list will
> continue its degeneration into a never-ending pissing contest.

Ever seen a 1 man pissing contest? .. if you don't fall for "flame bait"
then that's exactly what it'd be -- and it'd disappear in a hurry.


[Full-disclosure] n3tdev shit

2005-12-15 Thread (M.o.H.a.J.a.L.i)
if you have a Gmail email or any email system that supports filters... then just filter any email containing the word n3td3v...
-- ®.Now I Am Become Death, The Destroyer Of Worlds©

[Full-disclosure] Getting rid of n3td3v

2005-12-15 Thread Stejerean, Cosmin
I have a simple suggestion to get rid of the n3td3v problem. Aside from
creating a spam filter for every message that contains n3td3v or his email
address the next best thing to do is simply ignore all his posts. If you
feel the need to let him know what a big moron he is then please do so
directly to his email address and do not send it to the list. You do not
need to prove to anyone else that n3td3v is an idiot; anyone already on the
lists should know that by now. If we all ignore any messages from n3td3v and
any thread started by him I hope that he will go away and find someone else
that will pay attention to his "security research".

Cosmin Stejerean



[Full-disclosure] RE: Moderated lists

2005-12-15 Thread FullDis . 20 . mandoskippy
> Yes, but with the ease of access to disposable e-mail accounts,
> would that really work?  It might make it more difficult to be a troll,
> but not much.  Or perhaps I don't grok what you mean.

Yes, it would make it only marginally more difficult, but instead of
getting 50 emails calling a troll immature (the actual feedback they are
looking to get) they get no feedback, just "Vote to remove netdev or
whatever" based on a certain number; if it is reached, then the person
has to go create an account.  Eventually, without the flames to the
original troll, the person has to do work, i.e. create another account
etc., and do it again; it is no longer convenient, and they are not
getting the reinforcement they desire, so they just give up. Not only
that, the person also doesn't get the ability to have all the flames
attributed to one account.  Seems like a small thing?  Most of the trolls
have personality disorders where they seek attention; when they cannot
have the proper "credit" given to them for their trolls, it may lose
some of the luster.

-Original Message-
From: John Omernik
Sent: Thursday, December 15, 2005 11:07 AM
To:
'[EMAIL PROTECTED]
ourmet.com'
Subject: Moderated lists

Why not do a self-regulating list?  Something along the lines of keeping
track of signup dates and IP addresses, then when a yahoo starts
spouting crap, put it to a vote on list. (only members older than xyz
date have a vote) If the list's wish is to have the user banned, then so
be it...


Re: [Full-disclosure] a call for full-disclosure to become a moderated list

2005-12-15 Thread InfoSecBOFH
Joe Average = n3td3v

So yeah.  Your opinion is greatly valued here.

On 12/15/05, Joe Average <[EMAIL PROTECTED]> wrote:
>
>
> On 12/15/05, Bart Lansing <[EMAIL PROTECTED]> wrote:
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA1
> >
> > Mark, et al
> >
> > remotely possible that n3td3v or infosecBOFH (who seems to be
> > attempting to validate his choice of handles by being an
> > unmitigated ass whenever possible) might actually have something
> > constructive to contribute at some point...but I'll just have to
> > risk missing out on it going forward.
>
>
> netdev = legitimate researcher
>
> infosec = troll baiting netdev
>
>


RE: [Full-disclosure] a call for full-disclosure to become a moderatedlist

2005-12-15 Thread Chris Locke


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, December 15, 2005 12:20 AM
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] a call for full-disclosure to become a moderatedlist

it seems to me that without a moderator (since there is the apparent
absence of people who are moderate, or even civilized), this list will
continue its degeneration into a never-ending pissing contest.

(some people don't seem to think that the social compact one accepts
when joining a list applies to them.

my most recent attempt to politely, in direct email, ask one of the 
offenders to stop doing this sort of thing on the list ...  was posted
with a twerpy reply right back to the list).  (no good deed goes
unpunished).

how many people who actually find value in this list (which i have,
since len rose set it up quite a long time ago) agree with this
position?

if you think there's a compelling reason for no moderation, i'd like to hear it.

i call to your attention three brief selections from the list charter,
which is at
http://lists.grok.org.uk/full-disclosure-charter.html
which i think have been violated recently:

"Members are expected to maintain a reasonable standard of netiquette when 
posting to the list."
"Disagreements, flames, arguments, and off-topic discussion should be taken 
off-list wherever possible."
"Gratuitous advertisement, product placement, or self-promotion is forbidden."




I have my own form of moderation: posts from certain parties and posts with
certain words in the subject go directly to my trash folder.

-chris

--
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.371 / Virus Database: 267.13.13/200 - Release Date: 12/14/2005


Re: [Full-disclosure] Administrivia: Requests for Moderation

2005-12-15 Thread InfoSecBOFH
On 12/15/05, Joe Average <[EMAIL PROTECTED]> wrote:

> i spoke with netdev and i asked him not to respond to bait mail from known
> nicknames

How about from this account too.  Do you really believe that we don't
know who "yahooinsider" is?  ROFL.


Re: [Full-disclosure] OT: Amazing, the Diebold insider said.

2005-12-15 Thread Dude VanWinkle
p.s.: http://www.house.gov/mckinney/voterrights.htm


RE: [Full-disclosure] Administrivia: Requests for Moderation

2005-12-15 Thread Geo.
I have an idea, how about every time there is a little noise on the list, we
generate 100X that amount of noise talking about ways to deal with the noise
and in the process drive the noise makers away because of too much noise?

Geo. 




Re: [Full-disclosure] OT: Amazing, the Diebold insider said.

2005-12-15 Thread Dude VanWinkle
On 12/13/05, Jei <[EMAIL PROTECTED]> wrote:
> Shortly before the election, ten days to two weeks, we were told that the date
> in the machine was malfunctioning, the source recalled. So we were told 'Apply
> this patch in a big rush. Later, the Diebold insider learned that the patches
> were never certified by the state of Georgia, as required by law.

I voted in Georgia's 4th congressional district. I helped to re-elect
Cynthia McKinney via a Diebold machine, so their subversive app can't
be working all that well ;-)

I heard many tales from reputable individuals about Diebold machines
and their woes, and from my 11 years' experience working in the IT
industry, I believe every one of them.

I have also worked with federal and state government. My favorite tale
was about a government contractor who was charged with creating a test
module for the first strike detection (read: WWIII automation) at
NORAD. My friend looked at the assembly for the test module and found
out that all the device did was flash lights on and off, not actually
test the system that was almost capable of ending all life on earth.

The reason I say almost is that the Military knows that no system
should be completely automated, no important system that is. The
previous paragraph illustrates why: Some douchebag thought his million
dollars was more important than all life on earth.

Guess no one holds that kind of import for our electoral process.

-JP
"Dont blame me, I voted Saddam"
-JP


RE: [Full-disclosure] Administrivia: Requests for Moderation

2005-12-15 Thread Christopher Carpenter


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Micheal
Espinola Jr
Sent: Thursday, December 15, 2005 10:16 AM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Administrivia: Requests for Moderation

Hows about instead of moderation, we try vote-kicking?
---

Yes, but with the ease of access to disposable e-mail accounts, would
that really work?  It might make it more difficult to be a troll, but
not much.  Or perhaps I don't grok what you mean.

Chris



Re: [Full-disclosure] A CALL FOR FULL-DISCLOSURE TO BECOME A MODERATED LIST

2005-12-15 Thread trains

You'd think guys could learn to ignore the trolls, but such is life.

Reply not to find out for whom the belle trolls, she trolls for thee.

-
Email solutions, MS Exchange alternatives and extrication,
security services, systems integration.
Contact:[EMAIL PROTECTED]


[Full-disclosure] Re: OT: Amazing, the Diebold insider said.

2005-12-15 Thread Dave Korn
Paul Schmehl wrote in 
news:[EMAIL PROTECTED]
> --On December 14, 2005 3:59:23 AM +0200 Jei <[EMAIL PROTECTED]> wrote:
>>
>> Harris revealed that a program patch titled rob-georgia.zip was left on
>
> 
> My bs detector just went off.

  Your bs detector is generating false positives, you need to tighten it up 
a bit!

  There *was* a program patch and it *was* called rob-georgia.zip.

  That's because the guy whose job it was to install it was called Robert, 
or "Rob" for short, and he was Diebold's service contractor in Georgia, 
which was where the machines on which he was to install it were located.

cheers,
  DaveK
-- 
Can't think of a witty .sigline today


Re: [Full-disclosure] Fwd: WSLabs, Phishing Alert: Internal Revenue (FAO Todd Towles)

2005-12-15 Thread Joe Average

On 12/15/05, GroundZero Security <[EMAIL PROTECTED]> wrote:
> how often do I need to tell you? You are pathetic!
> This just proves that you are an idiot.
> - Original Message -
> From: "n3td3v" <[EMAIL PROTECTED]>
> To:
> Sent: Thursday, December 15, 2005 7:46 PM
> Subject: [Full-disclosure] Fwd: WSLabs, Phishing Alert: Internal Revenue (FAO Todd Towles)
> > Here's proof I have influence over the biggest of corporations!

we've heard your opinion of netdev,

back off

Re: [Full-disclosure] Fwd: WSLabs, Phishing Alert: Internal Revenue (FAO Todd Towles)

2005-12-15 Thread GroundZero Security
how often do I need to tell you? You are pathetic!
This just proves that you are an idiot.
- Original Message - 
From: "n3td3v" <[EMAIL PROTECTED]>
To: 
Sent: Thursday, December 15, 2005 7:46 PM
Subject: [Full-disclosure] Fwd: WSLabs,Phishing Alert: Internal Revenue (FAO 
Todd Towles)


> Here's proof I have influence over the biggest of corporations!
> 
> -- Forwarded message --
> From: Websense Security Labs <[EMAIL PROTECTED]>
> Date: Dec 15, 2005 6:40 PM
> Subject: WSLabs, Phishing Alert: Internal Revenue Service
> To: [EMAIL PROTECTED]
> 
> 
> Websense(r) Security Labs(TM) has received reports of a new phishing
> attack that targets American taxpayers and claims to be the Internal
> Revenue Service. Users receive a spoofed email message, which claims
> they may access and track their tax refund information online. Upon
> clicking the link in the email, users are taken to a fraudulent
> website. The fraudulent website prompts users for their first and last
> name, social security number, mailing and email address, credit card
> number, CVV2, and ATM pin.
> 
> 
> This phishing site is hosted in Italy and was down at the time of this alert.
> 
> Phishing email:
> 
> *Subject:* Refund notice
> 
> You filed your tax return and you're expecting a refund. You have just
> one question and you want the answer now - Where's My Refund?
> 
> Access this secure Web site to find out if the IRS received your
> return and whether your refund was processed and sent to you.
> 
> **New program enhancements** allow you to begin a refund trace online
> if you have not received your check within 28 days from the original
> IRS mailing date. Some of you will also be able to correct or change
> your mailing address within this application if your check was
> returned to us as undelivered by the U.S. Postal Service. "Where's My
> Refund?" will prompt you when these features are available for your
> situation.
> 
> To get to your refund status, you'll need to provide the following
> information as shown on your return:
> 
> * Your first and last name
> 
> * Your Social Security Number (or IRS Individual Taxpayer
> 
> Identification Number)
> 
> * Your Credit Card Information (for the successful complete of the
> 
> process)
> 
> 
> Okay now, **Where's My Refund
> 
> 
> 
> Note: If you have trouble while using this application, please check
> the Requirements
>  to make
> sure you have the correct browser software for this application to
> function properly and check to make sure our system is available
> .
> 
> Phishing screenshot available with full alert.
> 
> For additional details and information on how to detect and prevent
> this type of attack:
> http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=372
> 
> 
> 
> =-==-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=-=-=-=-
> Websense Security Labs discovers and investigates today's advanced
> internet threats and publishes its findings enabling
> organizations to best protect employee computing environments from
> increasingly sophisticated and dangerous internet threats.
> 
> 
> To unsubscribe: http://www.websensesecuritylabs.com/unsubscribe
> FAQs: http://www.websensesecuritylabs.com/about/
> Download a free 30 day trial: http://www.websense.com/downloads/SecurityLabs/


Re: [Full-disclosure] Moderated lists

2005-12-15 Thread bkfsec

Todd Towles wrote:

Why not do a self-regulating list?  Something along the lines 
of keeping track of signup dates and IP addresses, then when 
a yahoo starts spouting crap, put it to a vote on list. (only 
members older than xyz date have a vote) If the list's wish 
is to have the user banned, then so be it... 
   



Then 5 mins later the user is back..using a proxy to sign up another
address...

 

Not to mention that this is a list of people whose specialization 
regards subverting technology. 


Something like that is crying for some petty individual to rig the system.

-bkfsec


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] RE: RLA ("Remote LanD Attack")

2005-12-15 Thread Roger A. Grimes
Just to clarify, so that people don't think this affects Windows XP SP2.
I've tested SP2 again, and the LAND attack no longer works. This
announcement concerns gateway network devices that computers may attach
to (the announcement is a little confusing at first).

Also, to pull off the hping2 example, you'll need the -k parameter to
make sure the source port stays at port 80, else it will increment up
(80, 81, 82, etc.)

Roger

***
*Roger A. Grimes, Banneret Computer Security, Consultant 
*CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, yada...yada...
*email: [EMAIL PROTECTED]
*Author of Honeypots for Windows (Apress)
*http://www.apress.com/book/bookDisplay.html?bID=281
***


-Original Message-
From: Synister Syntax [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, December 14, 2005 1:49 AM
To: bugtraq@securityfocus.com; full-disclosure@lists.grok.org.uk;
[EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RLA ("Remote LanD Attack")

Below is a copy of my RLA exploit submission in ASCII.  Attached is a
MSWord (.doc) version with rich formatting, created with ease of view in
mind.

Regards...

--

RLA
("Remote LanD Attack")
2005


As discovered by:
 Justin M. Wray
([EMAIL PROTECTED])


Devices/Vendors Vulnerable:
- Microsoft Windows XP, SP1 and SP2
- Linksys Routers
- Westell Routers/Modems
- Motorola Modems/Routers
- Cisco Firewalls, Switches, and Routers
- DSL Modems
- Cable Modems
- Consumer Routers
- All Central Connectivity Devices (any manufacturer)

Devices/Vendors Tested:
- Linksys BEFW11S4
- Linksys WRT54GS
- Westell Versalink 327W (Verizon Modem)
- Cisco Catalyst Series (Multiple)
- Scientific Atlantic DPX2100 (Comcast Modem)

Definition:
A LAND attack is a DoS (Denial of Service) attack that consists of
sending a special poison spoofed packet to a computer, causing it to
lock up. The security flaw was first discovered in 1997 by someone using
the alias "m3lt", and has resurfaced many years later in operating
systems such as Windows Server 2003 and Windows XP SP2.
(http://en.wikipedia.org/wiki/LAND_attack)

Explanation of LanD:
LanD uses a specially crafted ICMP echo packet which has the same
source and destination address.  The receiving system stalls due to the
erroneous packet and not having instructions to handle the unique
packet.  In Windows 9x variants, the systems will "blue screen."  On
modern NT variants, the systems will hang for approximately 30 seconds
with full CPU usage before discarding the packet.  With a looped script,
the attacker can render the system useless.  UNIX variants have been
able to use a firewall rule to drop LanD packets - leaving most systems
patched.

Microsoft originally released an initial patch that secured Windows 9x
variants - causing the exploit to lose popularity and become somewhat
obscure.  Later, when Windows NT variants were released, Microsoft
neglected to patch the security flaw; this caused Windows XP Service
Pack 2 to remain susceptible to such an attack.  Within the last four
(4) months, Microsoft has released a patch for Windows NT variants.

LanD versus Remote LanD:
LanD was originally introduced in the late 1990s and was very popular
with educational and business networks.  The original LanD attack had to
be executed internally on the local network - thereby giving rise to the
name "LanD" (indicating that access has been granted to the local
premises).  However, with a remote attack (Remote LanD), crafting
special packets and spoofing the destination and source IP addresses
will cause the attack to be carried out remotely against the central
connectivity device.

Exploit / Proof of Concept:
There is no handwritten code needed to exploit this vulnerability.
The only requirement is an IP packet creation utility (such as HPing2 or
IPSorcery). Below are some HPing2 examples:
Victim's IP Address: 63.24.122.59
Victim's Router IP Address: 192.168.1.1
hping2 -A -S -P -U 63.24.122.59 -s 80 -p 80 -a 192.168.1.1

Remote LanD Specifications:
Although the exploit will work without the Ack, Syn, Push, and Urg
(flags), the device does not seem to shut off without these flags.
Sending just the LanD part of the packet seems to only create high
amounts of latency on the victim's end.  The spoofed source address must
be the address of the central connectivity device; although the normal
default is 192.168.1.1, some manufacturers use different addresses (such
as 192.168.1.100 or 192.168.0.1).  As a result, the IP address should be
checked prior to initiating any test.  Additionally, a broadcast address
will work for a source address as well, thereby flooding the network
with responses from all the machines connected to the network.  Although
it will not stall the Central Connectivity Device, it will maximize the
entire network usage - crippling the network with extremely high
late
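
Worked example added here by the editor; it is not code from the advisory, from Roger, or from hping2. It builds in memory the packet the hping2 line above would put on the wire (assumed hping2 flag meanings: -A/-S/-P/-U set ACK/SYN/PUSH/URG, -a sets the spoofed source address, -s and -p the source and destination ports; Roger's -k only keeps the source port from incrementing on repeated sends, which the builder below does by construction), verifies its checksums, and then applies the checks a gateway or upstream filter would use to drop it: the classic LAND test (identical source and destination address and port), BCP 38 ingress filtering of private-range sources arriving on the outside interface, a match against the gateway addresses the post lists, and the SYN-with-PUSH/URG flag combination the example uses. The victim and router addresses are the ones in the post; nothing is transmitted.

```python
import ipaddress
import struct

# TCP flag bits, low bit first
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
HPING_FLAGS = ACK | SYN | PSH | URG   # what "hping2 -A -S -P -U" is assumed to set

# Gateway addresses named in the post. A real filter would use the
# interface's own configured address rather than a fixed list.
GATEWAY_ADDRESSES = {"192.168.1.1", "192.168.1.100", "192.168.0.1"}


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum over 16-bit words (pads an odd trailing byte)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_packet(src_ip: str, dst_ip: str, sport: int, dport: int,
                     flags: int, ttl: int = 64) -> bytes:
    """Return a 40-byte IPv4+TCP packet (no options, no payload).
    Nothing is sent; this only reproduces the wire image hping2 would emit."""
    src = ipaddress.IPv4Address(src_ip)
    dst = ipaddress.IPv4Address(dst_ip)
    # TCP header: sport, dport, seq, ack, data offset (5 words), flags,
    # window, checksum placeholder, urgent pointer
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags,
                      512, 0, 0)
    pseudo = struct.pack("!4s4sBBH", src.packed, dst.packed, 0, 6, len(tcp))
    tcp_csum = ones_complement_sum(pseudo + tcp) or 0xFFFF
    tcp = tcp[:16] + struct.pack("!H", tcp_csum) + tcp[18:]
    # IPv4 header: ver/ihl, tos, total length, id, flags/frag, ttl,
    # proto=6 (TCP), checksum placeholder, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, ttl, 6,
                     0, src.packed, dst.packed)
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    return ip + tcp


def parse_packet(pkt: bytes) -> dict:
    """Pull the fields a filter needs out of a raw IPv4/TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6:
        raise ValueError("not TCP")
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return {
        "src": str(ipaddress.IPv4Address(pkt[12:16])),
        "dst": str(ipaddress.IPv4Address(pkt[16:20])),
        "sport": sport,
        "dport": dport,
        "flags": pkt[ihl + 13],
    }


def checksums_ok(pkt: bytes) -> bool:
    """Both checksums verify when re-summing the covered bytes gives zero."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:]
    pseudo = struct.pack("!4s4sBBH", pkt[12:16], pkt[16:20], 0, 6, len(tcp))
    return (ones_complement_sum(pkt[:ihl]) == 0
            and ones_complement_sum(pseudo + tcp) == 0)


def classify(fields: dict, from_wan: bool) -> list:
    """Return the reasons a border device should drop this packet."""
    reasons = []
    src = ipaddress.IPv4Address(fields["src"])
    # Classic LAND: source and destination identical
    if fields["src"] == fields["dst"] and fields["sport"] == fields["dport"]:
        reasons.append("land")
    if from_wan:
        # BCP 38 ingress filtering: private, loopback or broadcast sources
        # have no business arriving on the outside interface
        if (src.is_private or src.is_loopback
                or src == ipaddress.IPv4Address("255.255.255.255")):
            reasons.append("spoofed-private-source")
        # The post's "Remote LanD" variant: the source is the gateway itself
        if fields["src"] in GATEWAY_ADDRESSES:
            reasons.append("spoofed-gateway-source")
    # SYN never legitimately travels with PSH or URG set
    if fields["flags"] & SYN and fields["flags"] & (PSH | URG):
        reasons.append("abnormal-flags")
    return reasons


if __name__ == "__main__":
    pkt = build_tcp_packet("192.168.1.1", "63.24.122.59", 80, 80, HPING_FLAGS)
    print(pkt.hex())
    print(classify(parse_packet(pkt), from_wan=True))
```

Run as a script it prints the packet's hex and the drop reasons. A filter that applied only the classic LAND test would pass this packet, because the spoofed source is the gateway rather than the victim itself; the ingress-filter and gateway-address checks are the ones that catch the variant the post describes.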

Re: [Full-disclosure] A CALL FOR FULL-DISCLOSURE TO BECOME A MODERATED LIST

2005-12-15 Thread Paul Schmehl
--On Thursday, December 15, 2005 19:28:43 +0100 Enrico Kern 
<[EMAIL PROTECTED]> wrote:



forget it,

we discussed this a few weeks ago, most of the guys on this list just
love to get spam and bullshit. The one side says "well yeah omg its no
full-disclosure anymore with moderation" (penguin fucker style) and the
others want the trash sorted out.

Well from my point of view a moderated list will help to enhance the
quality on full-disclosure, moderation doesn't mean that full-disclosure
of a vulnerability isn't possible anymore (hello wtf is wrong with you?
we just want the trash sorted out).


That's known as [EMAIL PROTECTED]  You're welcome to subscribe at 
any time.  If you really want a moderated version of full-disclosure, 
subscribe to the ones that already exist.  (E.g. 
)


Actually Full-Disclosure lost so much of the art and quality it had in
the past, it's just sad. "omg omg why do you read FD if you don't like it"
replies are wrong here, Full-Disclosure is still a great list, but it's
full of trash lately.

I am a "charter" subscriber (probably second or third one to do so, 
immediately after Len announced the creation of the list.)  There's not a 
bit of difference between the list now and the list when it began or any 
time in between.  It is what it is.  Sometimes there's a lot of noise, and 
sometimes there isn't.


One thing this list is really good for is trolling.  One troll usually 
results in at least 20 or 30 responses.  You'd think guys could learn to 
ignore the trolls, but such is life.


Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


RE: [Full-disclosure] Fwd: WSLabs, Phishing Alert: Internal Revenue (FAO Todd Towles)

2005-12-15 Thread Kurt Manske
Must..stop...this..thread

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of n3td3v
Sent: Thursday, December 15, 2005 1:13 PM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Fwd: WSLabs,Phishing Alert: Internal Revenue
(FAO Todd Towles)

On 12/15/05, Todd Towles <[EMAIL PROTECTED]> wrote:
> You are dreaming, you have what 5 e-mail address? Websense has hundreds
> all over the world, just like internet protection company. I myself
> never stated it is "over all the news".

Are you saying if I and my advisors hadn't decided to go live with the
advisory yesterday, that WS would still have released this advisory?
Please, get off your sleeping pills.
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


RE: [Full-disclosure] Fwd: WSLabs, Phishing Alert: Internal Revenue (FAO Todd Towles)

2005-12-15 Thread Jason Jones
I already give Uncle Sam enough money. I wouldn't give him my credit
card number to go shopping at Macy's. Anyone that would do this would
truly be an ID10T.

If you have such a big influence over big corporations, then why do you
need so badly to prove to the people on FD to believe you?

That would be like Superman trying to convince every one that he's Clark
Kent.

Sounds like you have a social problem more than anything.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of n3td3v
Sent: Thursday, December 15, 2005 12:57 PM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Fwd: WSLabs,Phishing Alert: Internal
Revenue (FAO Todd Towles)

According to your friends, this was disclosed on the 30th of November to
the Online Media Community? If you look back at my original phishing
advisory, you'll see people were saying "old news, go away".
If it's such old news, why did WSLabs in less than 24 hours issue an
advisory? Get real, it's totally related to my FD post.

I continue to work as a security researcher behind the scenes with
Google, Yahoo, WS and others


On 12/15/05, Todd Towles <[EMAIL PROTECTED]> wrote:
> FAO me? Please...you didn't report anything. You think a company that 
> scan 70 million sites a night didn't have the information before you?
> You really are dreaming...
>
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of 
> > n3td3v
> > Sent: Thursday, December 15, 2005 12:47 PM
> > To: full-disclosure@lists.grok.org.uk
> > Subject: [Full-disclosure] Fwd: WSLabs,Phishing Alert:
> > Internal Revenue (FAO Todd Towles)
> >
> > Here's proof I have influence over the biggest of corporations!
> >
> > -- Forwarded message --
> > From: Websense Security Labs <[EMAIL PROTECTED]>
> > Date: Dec 15, 2005 6:40 PM
> > Subject: WSLabs, Phishing Alert: Internal Revenue Service
> > To: [EMAIL PROTECTED]
> >
> >
> > Websense(r) Security Labs(TM) has received reports of a new phishing
> > attack that targets American taxpayers and claims to be the Internal
> > Revenue Service. Users receive a spoofed email message, which claims
> > they may access and track their tax refund information online. Upon 
> > clicking the link in the email, users are taken to a fraudulent 
> > website. The fraudulent website prompts users for their first and 
> > last name, social security number, mailing and email address, credit
> > card number, CVV2, and ATM pin.
> >
> >
> > This phishing site is hosted in Italy and was down at the time of 
> > this alert.
> >
> > Phishing email:
> >
> > *Subject:* Refund notice
> >
> > You filed your tax return and you're expecting a refund. You have 
> > just one question and you want the answer now - Where's My Refund?
> >
> > Access this secure Web site to find out if the IRS received your 
> > return and whether your refund was processed and sent to you.
> >
> > **New program enhancements** allow you to begin a refund trace 
> > online if you have not received your check within 28 days from the 
> > original IRS mailing date. Some of you will also be able to correct 
> > or change your mailing address within this application if your check
> > was returned to us as undelivered by the U.S. Postal Service. 
> > "Where's My Refund?"
> > will prompt you when these features are available for your situation.
> >
> > To get to your refund status, you'll need to provide the following 
> > information as shown on your return:
> >
> > * Your first and last name
> >
> > * Your Social Security Number (or IRS Individual Taxpayer
> >
> > Identification Number)
> >
> > * Your Credit Card Information (for the successful complete of the
> >
> > process)
> >
> >
> > Okay now, **Where's My Refund
> >
> > 
> >
> > Note: If you have trouble while using this application, please check
> > the Requirements 
> > 
> > to make sure you have the correct browser software for this 
> > application to function properly and check to make sure our system 
> > is available 
> > .
> >
> > Phishing screenshot available with full alert.
> >
> > For additional details and information on how to detect and prevent 
> > this type of attack:
> > http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=372
> >
> >
> >
> > =-==-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=-=-=-=-
> > Websense Security Labs discovers and investigates today's advanced 
> > internet threats and publishes its findings enabling organizations 
> > to best protect employee computing environments from increasingly 
> > sophisticated and dangerous internet threats.
> >
> >
> > To unsubscribe: http://www.websensesecuritylabs.com/unsubscribe
> > FAQs: http://www.websensesecuritylabs.com/about/
> > Download a free 30 day trial:
> > http://www.websense.com/downloads/SecurityLabs/
> > _

RE: [Full-disclosure] TPM - will it work as pushed to the public?

2005-12-15 Thread Todd Towles
 
Valdis wrote:
> You totally missed the point (which the TPM proponents *are* 
> trying hard to gloss over, so it's not surprising)...
> 
> TPM isn't about protecting you.  It's about protecting the 
> owner of the DRM and related crap that will be forced down 
> your throat.

Well if that is the point, then I am glad I am missing it and I will
continue to miss it when I don't use it. Lol

-Todd
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Fwd: WSLabs, Phishing Alert: Internal Revenue (FAO Todd Towles)

2005-12-15 Thread n3td3v
On 12/15/05, Todd Towles <[EMAIL PROTECTED]> wrote:
> You are dreaming, you have what 5 e-mail address? Websense has hundreds
> all over the world, just like internet protection company. I myself
> never stated it is "over all the news".

Are you saying if I and my advisors hadn't decided to go live with the
advisory yesterday, that WS would still have released this advisory?
Please, get off your sleeping pills.
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Re: Someone is running his mouth again... [Hackerattacks in US linked to Chinese military: researchers]

2005-12-15 Thread Dave Korn

[EMAIL PROTECTED] wrote in 
news:[EMAIL PROTECTED]
On Wed, 14 Dec 2005 16:27:57 PST, Geoff Shively said:
>> In the attacks, Paller said, the perpetrators "were in and out with no
>> keystroke errors and left no fingerprints, and created a backdoor in less
>> than 30 minutes. How can this be done by anyone other than a military
>> organization?"
>> [/snip]
>>
>> Yes, it must have been military, becuase they rooted the box in under 30
>> minutes, BAH!
>
>On the other hand, let's think about this for a moment.  They weren't *IN*
>in 30 minutes, they were *IN AND OUT* in 30 minutes.
>
>Sure, *anybody* can just r00t a box and leave a backdoor in 30 seconds. 
>But
>that doesn't actually *accomplish* anything

  Your argument here isn't addressing the issue.  We're tackling the false 
assumption that "anyone other than a military organization" *could* do this. 
You're tackling the issue of whether anyone other than a military 
organization *would* do it.

  I agree with Geoff: it's a massive and essentially fraudulent 
extrapolation to go from "in and out in 30 minutes" and "didn't make typos" 
to "must have been done by a military organisation", because neither of 
those things are things that only military organisations can do.

>You hack into a big Oracle server. You're sitting there looking at a '#'
>prompt. *NOW* what do you do?

>You hack into a file server.  You're sitting there looking at a '#' prompt.
>*NOW* what do you do?

  As it suggests in the article, I don't do anything except create a 
backdoor and leave.  Then I can come back at my leisure, perhaps repeatedly 
over a long period, taking my time to see what's on the filing system and 
making as many un-logged typos as I wish.

cheers,
  DaveK
-- 
Can't think of a witty .sigline today 



___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] TPM - will it work as pushed to the public?

2005-12-15 Thread Valdis . Kletnieks
On Thu, 15 Dec 2005 12:47:10 CST, Todd Towles said:

> http://www.msnbc.msn.com/ID/10441443
> 
> Is it me or is this totally not going to work for normal people?

You totally missed the point (which the TPM proponents *are* trying hard to
gloss over, so it's not surprising)...

TPM isn't about protecting you.  It's about protecting the owner of the DRM
and related crap that will be forced down your throat.


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

RE: [Full-disclosure] Fwd: WSLabs, Phishing Alert: Internal Revenue (FAO Todd Towles)

2005-12-15 Thread Todd Towles
> According to your friends, this was disclosed on the 30th of 
> November to the Online Media Community? If you look back at 
> my original phishing advisory, you'll see people were saying 
> "old news, go away".
> If it's such old news, why did WSLabs in less than 24 hours 
> issue an advisory? Get real, it's totally related to my FD post.

You are dreaming, you have what 5 e-mail address? Websense has hundreds
all over the world, just like internet protection company. I myself
never stated it is "over all the news". 


> I continue to work as a security researcher behind the scenes 
> with Google, Yahoo, WS and others

That is funny, Yahoo doesn't seem to think you have done
anything...aren't u in your northern england on dial-up and a windows
98 computer?? This type of...look at me I am a script kiddie attitude is
the exact reason why people don't like you. People see right past all
your bull man...it is better to stop pretending to be "super leet"
researcher and treat everyone with respect. Claiming to be something you
aren't...doesn't help your image at all.

-Todd
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Fwd: WSLabs, Phishing Alert: Internal Revenue (FAO Todd Towles)

2005-12-15 Thread womber
On 12/15/05, n3td3v <[EMAIL PROTECTED]> wrote:
> Here's proof I have influence over the biggest of corporations!
>

Sorry, but I fail to see the logic in your "proof".
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Fwd: WSLabs, Phishing Alert: Internal Revenue (FAO Todd Towles)

2005-12-15 Thread n3td3v
According to your friends, this was disclosed on the 30th of November
to the Online Media Community? If you look back at my original
phishing advisory, you'll see people were saying "old news, go away".
If it's such old news, why did WSLabs in less than 24 hours issue an
advisory? Get real, it's totally related to my FD post.

I continue to work as a security researcher behind the scenes with
Google, Yahoo, WS and others


On 12/15/05, Todd Towles <[EMAIL PROTECTED]> wrote:
> FAO me? Please...you didn't report anything. You think a company that
> scan 70 million sites a night didn't have the information before you?
> You really are dreaming...
>
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of n3td3v
> > Sent: Thursday, December 15, 2005 12:47 PM
> > To: full-disclosure@lists.grok.org.uk
> > Subject: [Full-disclosure] Fwd: WSLabs,Phishing Alert:
> > Internal Revenue (FAO Todd Towles)
> >
> > Here's proof I have influence over the biggest of corporations!
> >
> > -- Forwarded message --
> > From: Websense Security Labs <[EMAIL PROTECTED]>
> > Date: Dec 15, 2005 6:40 PM
> > Subject: WSLabs, Phishing Alert: Internal Revenue Service
> > To: [EMAIL PROTECTED]
> >
> >
> > Websense(r) Security Labs(TM) has received reports of a new
> > phishing attack that targets American taxpayers and claims to
> > be the Internal Revenue Service. Users receive a spoofed
> > email message, which claims they may access and track their
> > tax refund information online. Upon clicking the link in the
> > email, users are taken to a fraudulent website. The
> > fraudulent website prompts users for their first and last
> > name, social security number, mailing and email address,
> > credit card number, CVV2, and ATM pin.
> >
> >
> > This phishing site is hosted in Italy and was down at the
> > time of this alert.
> >
> > Phishing email:
> >
> > *Subject:* Refund notice
> >
> > You filed your tax return and you're expecting a refund. You
> > have just one question and you want the answer now - Where's
> > My Refund?
> >
> > Access this secure Web site to find out if the IRS received
> > your return and whether your refund was processed and sent to you.
> >
> > **New program enhancements** allow you to begin a refund
> > trace online if you have not received your check within 28
> > days from the original IRS mailing date. Some of you will
> > also be able to correct or change your mailing address within
> > this application if your check was returned to us as
> > undelivered by the U.S. Postal Service. "Where's My Refund?"
> > will prompt you when these features are available for your situation.
> >
> > To get to your refund status, you'll need to provide the
> > following information as shown on your return:
> >
> > * Your first and last name
> >
> > * Your Social Security Number (or IRS Individual Taxpayer
> >
> > Identification Number)
> >
> > * Your Credit Card Information (for the successful complete of the
> >
> > process)
> >
> >
> > Okay now, **Where's My Refund
> >
> > 
> >
> > Note: If you have trouble while using this application,
> > please check the Requirements
> > 
> > to make sure you have the correct browser software for this
> > application to function properly and check to make sure our
> > system is available
> > .
> >
> > Phishing screenshot available with full alert.
> >
> > For additional details and information on how to detect and
> > prevent this type of attack:
> > http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=372
> >
> >
> >
> > =-==-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=-=-=-=-
> > Websense Security Labs discovers and investigates today's
> > advanced internet threats and publishes its findings enabling
> > organizations to best protect employee computing environments
> > from increasingly sophisticated and dangerous internet threats.
> >
> >
> > To unsubscribe: http://www.websensesecuritylabs.com/unsubscribe
> > FAQs: http://www.websensesecuritylabs.com/about/
> > Download a free 30 day trial:
> > http://www.websense.com/downloads/SecurityLabs/
> > ___
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
>
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Fwd: WSLabs, Phishing Alert: Internal Revenue (FAO Todd Towles)

2005-12-15 Thread Valdis . Kletnieks
On Thu, 15 Dec 2005 18:46:47 GMT, n3td3v said:
> Here's proof I have influence over the biggest of corporations!
> 
> -- Forwarded message --
> From: Websense Security Labs <[EMAIL PROTECTED]>
> Date: Dec 15, 2005 6:40 PM
> Subject: WSLabs, Phishing Alert: Internal Revenue Service
> To: [EMAIL PROTECTED]

Umm. I don't see any "biggest of corporations" mentioned here.



___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

RE: [Full-disclosure] Fwd: WSLabs, Phishing Alert: Internal Revenue (FAO Todd Towles)

2005-12-15 Thread Todd Towles
FAO me? Please...you didn't report anything. You think a company that
scan 70 million sites a night didn't have the information before you?
You really are dreaming... 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of n3td3v
> Sent: Thursday, December 15, 2005 12:47 PM
> To: full-disclosure@lists.grok.org.uk
> Subject: [Full-disclosure] Fwd: WSLabs,Phishing Alert: 
> Internal Revenue (FAO Todd Towles)
> 
> Here's proof I have influence over the biggest of corporations!
> 
> -- Forwarded message --
> From: Websense Security Labs <[EMAIL PROTECTED]>
> Date: Dec 15, 2005 6:40 PM
> Subject: WSLabs, Phishing Alert: Internal Revenue Service
> To: [EMAIL PROTECTED]
> 
> 
> Websense(r) Security Labs(TM) has received reports of a new 
> phishing attack that targets American taxpayers and claims to 
> be the Internal Revenue Service. Users receive a spoofed 
> email message, which claims they may access and track their 
> tax refund information online. Upon clicking the link in the 
> email, users are taken to a fraudulent website. The 
> fraudulent website prompts users for their first and last 
> name, social security number, mailing and email address, 
> credit card number, CVV2, and ATM pin.
> 
> 
> This phishing site is hosted in Italy and was down at the 
> time of this alert.
> 
> Phishing email:
> 
> *Subject:* Refund notice
> 
> You filed your tax return and you're expecting a refund. You 
> have just one question and you want the answer now - Where's 
> My Refund?
> 
> Access this secure Web site to find out if the IRS received 
> your return and whether your refund was processed and sent to you.
> 
> **New program enhancements** allow you to begin a refund 
> trace online if you have not received your check within 28 
> days from the original IRS mailing date. Some of you will 
> also be able to correct or change your mailing address within 
> this application if your check was returned to us as 
> undelivered by the U.S. Postal Service. "Where's My Refund?" 
> will prompt you when these features are available for your situation.
> 
> To get to your refund status, you'll need to provide the 
> following information as shown on your return:
> 
> * Your first and last name
> 
> * Your Social Security Number (or IRS Individual Taxpayer
> 
> Identification Number)
> 
> * Your Credit Card Information (for the successful complete of the
> 
> process)
> 
> 
> Okay now, **Where's My Refund
> 
> 
> 
> Note: If you have trouble while using this application, 
> please check the Requirements 
>  
> to make sure you have the correct browser software for this 
> application to function properly and check to make sure our 
> system is available 
> .
> 
> Phishing screenshot available with full alert.
> 
> For additional details and information on how to detect and 
> prevent this type of attack:
> http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=372
> 
> 
> 
> =-==-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=-=-=-=-
> Websense Security Labs discovers and investigates today's 
> advanced internet threats and publishes its findings enabling 
> organizations to best protect employee computing environments 
> from increasingly sophisticated and dangerous internet threats.
> 
> 
> To unsubscribe: http://www.websensesecuritylabs.com/unsubscribe
> FAQs: http://www.websensesecuritylabs.com/about/
> Download a free 30 day trial: 
> http://www.websense.com/downloads/SecurityLabs/
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> 
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] TPM - will it work as pushed to the public?

2005-12-15 Thread Todd Towles




http://www.msnbc.msn.com/ID/10441443

Is it me or is this totally not going to work for normal people?

"Of course you could always "fool" the system by starting your computer with 
your unique PIN or fingerprint and then letting another person use it, but 
that's a choice similar to giving someone else your credit
card.) "

Umm you mean like a backdoor installed on the system, VNC injection..the 
attacker can "use" your computer and your 
TPM chip from anywhere in the world. This will protect huge corporations by 
stopping attackers from using username/passwords on other computer systems, but 
how is this going to protect grandma (aka people that don't patch and therefore 
get infected anyways). MITM attack will still 
work, even with TPM

Of course, people will find a way to spoof the TPM by using another computer 
in front of their own or some other trick. This seems to be just another left jab 
in the ongoing boxing match...not a "cure".

-Todd
 
 
 
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] Fwd: WSLabs, Phishing Alert: Internal Revenue (FAO Todd Towles)

2005-12-15 Thread n3td3v
Here's proof I have influence over the biggest of corporations!

-- Forwarded message --
From: Websense Security Labs <[EMAIL PROTECTED]>
Date: Dec 15, 2005 6:40 PM
Subject: WSLabs, Phishing Alert: Internal Revenue Service
To: [EMAIL PROTECTED]


Websense(r) Security Labs(TM) has received reports of a new phishing
attack that targets American taxpayers and claims to be the Internal
Revenue Service. Users receive a spoofed email message, which claims
they may access and track their tax refund information online. Upon
clicking the link in the email, users are taken to a fraudulent
website. The fraudulent website prompts users for their first and last
name, social security number, mailing and email address, credit card
number, CVV2, and ATM pin.


This phishing site is hosted in Italy and was down at the time of this alert.

Phishing email:

*Subject:* Refund notice

You filed your tax return and you're expecting a refund. You have just
one question and you want the answer now - Where's My Refund?

Access this secure Web site to find out if the IRS received your
return and whether your refund was processed and sent to you.

**New program enhancements** allow you to begin a refund trace online
if you have not received your check within 28 days from the original
IRS mailing date. Some of you will also be able to correct or change
your mailing address within this application if your check was
returned to us as undelivered by the U.S. Postal Service. "Where's My
Refund?" will prompt you when these features are available for your
situation.

To get to your refund status, you'll need to provide the following
information as shown on your return:

* Your first and last name

* Your Social Security Number (or IRS Individual Taxpayer

Identification Number)

* Your Credit Card Information (for the successful complete of the

process)


Okay now, **Where's My Refund



Note: If you have trouble while using this application, please check
the Requirements to make sure you have the correct browser software for
this application to function properly and check to make sure our system
is available.

Phishing screenshot available with full alert.

For additional details and information on how to detect and prevent
this type of attack:
http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=372



=-==-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=-=-=-=-
Websense Security Labs discovers and investigates today's advanced
internet threats and publishes its findings enabling
organizations to best protect employee computing environments from
increasingly sophisticated and dangerous internet threats.


To unsubscribe: http://www.websensesecuritylabs.com/unsubscribe
FAQs: http://www.websensesecuritylabs.com/about/
Download a free 30 day trial: http://www.websense.com/downloads/SecurityLabs/
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


RE: [Full-disclosure] A CALL FOR FULL-DISCLOSURE TO BECOME A MODERATEDLIST

2005-12-15 Thread Todd Towles
 
Enrico wrote:
> What about making a second full-disclosure list with 
> moderated content (sorting out the kids) of the original list?

Here you go..get on it - http://www.securityfocus.com/archive/1

Is it like everyone is speaking French? If you want moderation, go
somewhere else. John said it isn't going to be moderated, case closed.
Geezz..

-Todd
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Someone is running his mouth again... [Hacker attacks in US linked to Chinese military: researchers]

2005-12-15 Thread Valdis . Kletnieks
On Wed, 14 Dec 2005 16:27:57 PST, Geoff Shively said:

> In the attacks, Paller said, the perpetrators "were in and out with no
> keystroke errors and left no fingerprints, and created a backdoor in less
> than 30 minutes. How can this be done by anyone other than a military
> organization?"
> [/snip]
> 
> Yes, it must have been military, because they rooted the box in under 30
> minutes, BAH!

On the other hand, let's think about this for a moment.  They weren't *IN*
in 30 minutes, they were *IN AND OUT* in 30 minutes.

Sure, *anybody* can just r00t a box and leave a backdoor in 30 seconds.  But
that doesn't actually *accomplish* anything unless your penis size is controlled
by the number of boxes you've pwned this week.  These guys are hacking boxes
with an actual *goal* in mind.

You hack into a big Oracle server. You're sitting there looking at a '#'
prompt. *NOW* what do you do?  Which database instances and tables and rows and
columns are of interest?  How long does it take you to find where in that
database the CC numbers are stored? Think you can do that without mistyping
a table name at least once?

You hack into a file server.  You're sitting there looking at a '#' prompt.
*NOW* what do you do?  Which home directories have interesting/useful
information on them?   Sure, you can do a 'find /home -type f | xargs grep',
but what do you grep for? Do you know all the words/phrases you're likely to
find on *this* server (remember that one box may have troop training info,
while another may have deployment info, and so on)? How long does it take to
sort the useful stuff from the trash? Think you can do that without mistyping a
filename at least once?





___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] A CALL FOR FULL-DISCLOSURE TO BECOME A MODERATED LIST

2005-12-15 Thread (M.o.H.a.J.a.L.i)
This list is supposed to be unmoderated
if u don't like this list then unsubscribe from it...and go to some moderated list...like...bugtraq
just my opinion

On 12/15/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> I WOULD JUST LIKE TO EXPRESS MY DEEP SUPPORT FOR THIS IDEA.  MAKING
> THE LIST MODERATED WOULD REALLY HELP MY JOB AS A SECURITY
> RESEARCHER.  I COULD MAKE QUICKER, MORE WELL INFORMED CHOICES IN MY
> DAY TO DAY TASKS OF PEN TESTING LEGITIMATELY.  I WILL ONLY GET THE
> GOOD STUFF AND NONE OF THIS PISSING CONTEST WHICH IS KILLING THIS
> LIST.  MODERATING WOULD MAKE THE LIST MUCH MORE PROFESSIONAL AND
> WOULD BRING IT ONE STEP ABOVE SECURITY FOCUS.
>
> ONCE AGAIN.  I AM 150% FOR THE MODERATION OF FULL-DISCLOSURE.
>
> Concerned about your privacy? Instantly send FREE secure email, no account required
> http://www.hushmail.com/send?l=480
>
> Get the best prices on SSL certificates from Hushmail
> https://www.hushssl.com?l=485
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

--
®. Now I Am Become Death
The Destroyer Of Worlds ©
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

RE: [Full-disclosure] Administrivia: Requests for Moderation

2005-12-15 Thread Soderland, Craig



After keeping out of all the noise, unless I have some 
signal to add I figured I've got a little unused bandwidth to make one 
observation. 
 
1. Arguing on the Internet, full-disclosure, or any 
mailing list is just like competing in the special Olympics, no matter who wins 
the argument you're all still retarded. 
 
2. You may wish to continue with your arguments, flames 
etc... thereby proving point 1. 
 
Anyone taking exception, see point 1, then route all 
flames to /dev/null


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of N3T of Th4 d3vz
Sent: Thursday, December 15, 2005 12:50 PM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Administrivia: Requests for Moderation

On Thu, 15 Dec 2005 17:25:28 +
Joe Average <[EMAIL PROTECTED]> wrote:

> On 12/15/05, GroundZero Security <[EMAIL PROTECTED]> wrote:
> >
> > > i spoke with netdev and i asked him not to respond to bait mail
> > > from known nicknames

Mr. Average Joe (or should I call you n3td4v?), what's the amount of
active voices inside your head atm?

> >
> > please also ask him not to post any phishing or xss related
> > information. we do not care. tell him to go learn about IT security
> > first and then come back in a few years when he has grown up.
> >
> all xss be banned or just netdev xss? not good idea

Moron, stop it, save lists.grok.org.uk bandwidth, shut the ... up, cut the
crap, no more bullshit, the end, finale. You're wasting lots of resources,
go away, get a life, a girlfriend, whatever, just stop it!!!

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] A CALL FOR FULL-DISCLOSURE TO BECOME A MODERATED LIST

2005-12-15 Thread Enrico Kern

forget it,

we discussed this a few weeks ago, most of the guys on this list just love 
to get spam and bullshit. The one side says "well yeah omg it's no 
full-disclosure anymore with moderation" (penguin fucker style) and the 
others want the trash sorted out.


Well from my point of view a moderated list will help to enhance the 
quality on full-disclosure, moderation doesn't mean that full-disclosure of 
a vulnerability isn't possible anymore (hello wtf is wrong with you? we 
just want the trash sorted out).


Actually Full-Disclosure lost so much of the art and quality it had in the 
past, it's just sad. "omg omg why do you read FD if you don't like it" 
replies are wrong here, Full-Disclosure is still a great list, but it's full 
of trash lately.


What about making a second full-disclosure list with moderated content 
(sorting out the kids) of the original list?


--->
"Programming today is a race between software engineers striving to build
bigger and better idiot-proof programs, and the Universe trying to produce
bigger and better idiots. So far, the Universe is winning." (Rich Cook)

On Thu, 15 Dec 2005, Christoph Gruber wrote:

> On Thursday 15 December 2005 17:16 [EMAIL PROTECTED] wrote:
>
> > I WOULD JUST LIKE TO EXPRESS MY DEEP SUPPORT FOR THIS IDEA.  MAKING
> > THE LIST MODERATED WOULD REALLY HELP MY JOB AS A SECURITY
> > RESEARCHER.  I COULD MAKE QUICKER, MORE WELL INFORMED CHOICES IN MY
> > DAY TO DAY TASKS OF PEN TESTING LEGITIMATELY.  I WILL ONLY GET THE
> > GOOD STUFF AND NONE OF THIS PISSING CONTEST WHICH IS KILLING THIS
> > LIST.  MODERATING WOULD MAKE THE LIST MUCH MORE PROFESSIONAL AND
> > WOULD BRING IT ONE STEP ABOVE SECURITY FOCUS.
> >
> > ONCE AGAIN.  I AM 150% FOR THE MODERATION OF FULL-DISCLOSURE.
>
> I am 200% for the repairing of your caps-lock-key.
>
> --
> Christoph Gruber
> "If privacy is outlawed, only outlaws will have privacy." Philip Zimmermann
> Fingerprint: A2A8 8AB0 6F30 A7DD 880B F74F BA6B 2182 646A 0649
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Re: RLA ("Remote LanD Attack")

2005-12-15 Thread Synister Syntax
To All:

 As requested:
MSWord (.doc):  http://www.teamtrinix.com/exploits/rla/RLA.doc
Plain Text (.txt):  http://www.teamtrinix.com/exploits/rla/RLA.txt
HTML: http://www.teamtrinix.com/exploits/rla/RLA.htm
PDF: (Coming Soon)

 I will go ahead and create the PDF later this evening.  The HTML
version is by far the best in my opinion.  Feel free to share, link,
re-upload, etc.  But please do not edit any of the content.  Thanks...

On 12/15/05, Synister Syntax <[EMAIL PROTECTED]> wrote:
>  Agreed, this and all attacks like this fall under DoS.  The
> reason I originally classified this attack as a Remote LanD was that I was
> originally testing an un-patched Windows SP2 machine, locally, and of
> course watching the box lock up for 30 seconds or so.  I then thought,
> there has to be a way for this to work remotely.  I started testing;
> this was about four (4) months ago.  I knew then that it worked, but I
> really wanted to find out what devices are susceptible to such
> attacks.  I knew it, seeing as it was both the Linksys and Westell, it
> was more than just two vendors.
>
>  So, from there I just called it Remote LanD attack, as I
> literally just tried sending LanD packets across the Internet.  (To a
> second party who was helping me test the exploit/vulnerability.  I did in
> fact have permission for all the tests I performed.)  It was then I
> discovered the packets were lagging my colleague's network.  I started
> messing with an array of flag combinations; almost all caused some
> reaction, mainly latency.  I then found the ASPU combination which
> caused the most damage.
>
>  Thanks :-) I really took the time to make this write-up organized
> and understandable.   Hopefully the device vendors can move from here
> and fix the problem; simply dropping LanD packets would do it.
>
>  Again, thanks for your comments.  If you have anything else,
> please feel free to reply.
>
> On 12/15/05, service pack <[EMAIL PROTECTED]> wrote:
> > yeah i mean there is a fine line between the two. Sans has a good definition
> > as well
> >
> >  A packet that causes problems by having the same source and destination
> > (the target of course).
> >
> >  I still think of it as more of a talking yourself to death attack :)
> >
> >  They all fall under the umbrella of denial of service though.
> >
> >  Good write up I just thought the part about land was worded a little funny,
> > or was lacking.
> >
> >  Thanks
> >  SP
> >
> >
> > On 12/15/05, Synister Syntax <[EMAIL PROTECTED]> wrote:
> > >  I agree that this is in fact a DoS, however it is using the old
> > > LanD attack (from 1997) syntax/style.  The fact that it is a packet
> > > to itself, from itself, obviously spoofed.  As this was the same
> > > way it was done back in the 90's.  The difference here is the fact
> > > that the LanD attack can be performed remotely, whereas before the
> > > attack was only a Local (LAN) attack.
> > >
> > >  Also note that this is an attack on devices, not OS's.  Also let
> > > me note that the device is unusable until it is physically reset.
> > > Either way, I am fine with this being considered a DoS; it is.  It will
> > > shut down your switch (rendering your network useless) or your router
> > > (keeping you from accessing the internet etc.).
> > >
> > > If you have any other questions or comments please let me know.
> > > Thanks for the input, I think I did in fact not state that the attack
> > > was a DoS.
> > >
> > > On 12/15/05, service pack <[EMAIL PROTECTED]> wrote:
> > > > Updated the wiki page. You're looking at a denial of service, not a land
> > > > attack.
> > > >
> > > >  Land attacks are caused when a machine floods itself.
> > > >
> > > >  First example, Echo and Chargen (ICMP and Character generator (old unix
> > > > service)) are services that reply to anything.
> > > >  A spoofed packet is sent from a machine's echo (spoofed) to the chargen. The
> > > > chargen replies with garbage, and the echo echoes it
> > > >  back and so on until the resources are consumed.
> > > >
> > > >  Anything that doesn't have this effect is a Denial of service.
> > > >
> > > >  Now SNMP and windows Kerberos can talk themselves to death (an example of a
> > > > non-cross service land).
> > > >
> > > >  Makes sense? :)
> > > >
> > > >  SP
> > > >
> > > >
> > > > On 12/14/05, Synister Syntax < [EMAIL PROTECTED]> wrote:
> > > > > Below is a copy of my RLA exploit submission in ASCII.  Attached is a
> > > > > MSWord (.doc) version with rich formatting, created with ease of view
> > > > > in mind.
> > > > >
> > > > > Regards...
> > > > >
> > > > > --
> > > > >
> > > > > RLA
> > > > > ("Remote LanD Attack")
> > > > > 2005
> > > > >
> > > > >
> > > > > As discovered by:
> > > > > Justin M. Wray
> > > > > ([EMAIL PROTECTED])
> > > > >
> > > > >
> > > > > Devices/Vendors Vulnerable:
> > > > > - Microsoft Windows XP, SP1 and SP2
> > > > > - Linksys Routers
> > > > > - Westell Routers/Modems
> > > > >
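A LanD packet, as this thread defines it, carries the same source and destination address (and port). As an added example that is not part of the thread or the RLA write-up, the Python below decodes raw IPv4/TCP/UDP headers and flags such packets, singling out the ASPU flag combination the author reports as most damaging; the sample frames are hand-assembled with placeholder addresses (192.168.1.1, 10.0.0.5), not captures from the post.

```python
import ipaddress
import struct

TCP_FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
                 "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
# The flag combination the write-up's author reports as the most damaging.
ASPU = frozenset({"ACK", "SYN", "PSH", "URG"})


def parse_ipv4(frame: bytes) -> dict:
    """Decode an IPv4 header plus, for TCP/UDP, the ports and TCP flags.
    Raises ValueError for anything that is not a plausible IPv4 packet."""
    if len(frame) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, _total_len, _ident, _frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", frame[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(frame) < ihl:
        raise ValueError("not an IPv4 packet")
    pkt = {"src": str(ipaddress.IPv4Address(src)),
           "dst": str(ipaddress.IPv4Address(dst)),
           "proto": proto, "sport": None, "dport": None,
           "flags": frozenset()}
    transport = frame[ihl:]
    if proto == 6 and len(transport) >= 14:            # TCP
        sport, dport, _seq, _ack, off_flags = struct.unpack(
            "!HHIIH", transport[:14])
        pkt["sport"], pkt["dport"] = sport, dport
        pkt["flags"] = frozenset(
            name for name, bit in TCP_FLAG_BITS.items() if off_flags & bit)
    elif proto == 17 and len(transport) >= 8:          # UDP
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", transport[:4])
    return pkt


def is_land(pkt: dict) -> bool:
    """LanD signature as the thread describes it: source equals destination.
    When the transport carries ports, the ports must match as well."""
    if pkt["src"] != pkt["dst"]:
        return False
    if pkt["sport"] is None:
        return True
    return pkt["sport"] == pkt["dport"]


def classify(frame: bytes) -> str:
    """Verdict for one raw IPv4 packet: "land-aspu", "land" or "ok"."""
    pkt = parse_ipv4(frame)
    if not is_land(pkt):
        return "ok"
    return "land-aspu" if pkt["flags"] == ASPU else "land"


def scan(frames) -> list:
    """Run classify() over a capture; return (index, verdict) for each hit.
    A border device applying the fix the thread suggests would simply drop
    every frame that shows up here instead of forwarding it."""
    hits = []
    for index, frame in enumerate(frames):
        verdict = classify(frame)
        if verdict != "ok":
            hits.append((index, verdict))
    return hits


# Constructed sample frames (hand-assembled hex, checksums left as zero).
# 192.168.1.1 and 10.0.0.5 are placeholder addresses, not values from the post.
SAMPLE_FRAMES = [
    # 0: TCP, src == dst == 192.168.1.1, sport == dport == 80, flags ACK|SYN|PSH|URG
    bytes.fromhex("45000028 00010000 40060000 c0a80101 c0a80101"
                  "00500050 00000001 00000000 503a2000 00000000"),
    # 1: ordinary TCP SYN from 10.0.0.5:50000 to 192.168.1.1:80
    bytes.fromhex("45000028 00020000 40060000 0a000005 c0a80101"
                  "c3500050 00000001 00000000 50022000 00000000"),
    # 2: UDP 53 -> 53 with src == dst: the same-source-and-destination
    #    pattern without the TCP flag signature
    bytes.fromhex("4500001c 00030000 40110000 c0a80101 c0a80101"
                  "00350035 00080000"),
]

if __name__ == "__main__":
    for index, verdict in scan(SAMPLE_FRAMES):
        print(f"frame {index}: {verdict}")
```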

Re: [Full-disclosure] Moderated lists

2005-12-15 Thread Joe Average

On 12/15/05, Andy Lindeman <[EMAIL PROTECTED]> wrote:

> If the ultimate goal is to keep the "crap" factor down, moderation
> will only add to the time it takes to read this list and increase the
> noise ratio.
>
> --A

a) moderate one user (turns list into bugtraq)
b) real disclosure is full-disclosure (bugtraq style moderation must be avoided)
c) even with the noise, we can all live with it (at least until the end of the month)
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] N3tdev has hacked my box!

2005-12-15 Thread gwood
Actually, it's just a solaris install progress report - but with all the
pointless bickering going on on here at the moment, I misread SUNWj3dev as
SUNWn3tdev when I saw it out of the corner of my eye

Anyway - my contribution to the noise:

1. An un-moderated list is no excuse for rubbish being posted to it.  My
motorbike lets me do 150mph - but I still don't do it through the middle
of town.

2. N3tdev in all his forms has as much right to post to here as anyone
else - which in turn doesn't mean that he /should/ post...

3. The signal to noise ratio is pretty amusing at the moment - if the
N3tdev character were the creation of someone to specifically cripple
'full-disclosure' then it seems to be working.

Anyway - I suppose what I'm trying to say is that I like the idea of an
un-moderated list, since it does allow much more 'freedom', but I wish
people would stop posting so much rubbish... :)

If you don't like something that's posted on here, you're probably not the
only one - but if we all post about how annoying it is we're going to end
up with lots of pointless bickering about things.

Oh look - that's where it seems to be going.

Anyway - I'd like to suggest that we drop the bickering.  We've had enough
posted to know that no-one is going to change their mind - the people we
each think are morons are going to carry on behaving that way, and the
people we think are saying sensible things are still going to be ignored
by the people with opposite views.

Graham

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Moderated lists

2005-12-15 Thread Andy Lindeman
If the ultimate goal is to keep the "crap" factor down, moderation
will only add to the time it takes to read this list and increase the
noise ratio.

--A

On 12/15/05, [EMAIL PROTECTED]
<[EMAIL PROTECTED]> wrote:
> Why not do a self-regulating list?  Something along the lines of keeping
> track of signup dates and IP addresses, then when a yahoo starts
> spouting crap, put it to a vote on list. (only members older than xyz
> date have a vote) If the list's wish is to have the user banned, then so
> be it...
>
>
>
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] AIX Heap Overflow paper

2005-12-15 Thread David Litchfield
I've just published a paper on AIX heap overflows. I wrote it back in August 
but wanted to wait until a couple of flaws I discovered whilst researching 
the topic were fixed by IBM. IBM released the patches today. You can get the 
paper at http://www.databasesecurity.com/dbsec/aix-heap.pdf

Cheers,
David Litchfield


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


RE: [Full-disclosure] Moderated lists

2005-12-15 Thread Todd Towles
> Why not do a self-regulating list?  Something along the lines 
> of keeping track of signup dates and IP addresses, then when 
> a yahoo starts spouting crap, put it to a vote on list. (only 
> members older than xyz date have a vote) If the list's wish 
> is to have the user banned, then so be it... 

Then 5 mins later the user is back..using a proxy to sign up another
address...

-Todd
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Administrivia: Requests for Moderation

2005-12-15 Thread N3T of Th4 d3vz
On Thu, 15 Dec 2005 17:25:28 +
Joe Average <[EMAIL PROTECTED]> wrote:

> On 12/15/05, GroundZero Security <[EMAIL PROTECTED]> wrote:
> >
> > > i spoke with netdev and i asked him not to respond to bait mail
> > > from known nicknames

Mr. Average Joe (or should I call you n3td4v?), what's the amount of
active voices inside your head atm?

> >
> > please also ask him not to post any phishing or xss related
> > information. we do not care. tell him to go learn about IT security
> > first and then come back in a few years when he has grown up.
> >
> all xss be banned or just netdev xss? not good idea

Moron, stop it, save lists.grok.org.uk bandwidth, shut the ... up, cut
the crap, no more bullshit, the end, finale. You're wasting lots of
resources, go away, get a life, a girlfriend, whatever, just stop it!!!
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] Moderated lists

2005-12-15 Thread FullDis . 20 . mandoskippy
Why not do a self-regulating list?  Something along the lines of keeping
track of signup dates and IP addresses, then when a yahoo starts
spouting crap, put it to a vote on list. (only members older than xyz
date have a vote) If the list's wish is to have the user banned, then so
be it... 




___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] A CALL FOR FULL-DISCLOSURE TO BECOME A MODERATED LIST

2005-12-15 Thread Christoph Gruber
On Thursday 15 December 2005 17:16 [EMAIL PROTECTED] wrote:
> I WOULD JUST LIKE TO EXPRESS MY DEEP SUPPORT FOR THIS IDEA.  MAKING
> THE LIST MODERATED WOULD REALLY HELP MY JOB AS A SECURITY
> RESEARCHER.  I COULD MAKE QUICKER, MORE WELL INFORMED CHOICES IN MY
> DAY TO DAY TASKS OF PEN TESTING LEGITIMATELY.  I WILL ONLY GET THE
> GOOD STUFF AND NONE OF THIS PISSING CONTEST WHICH IS KILLING THIS
> LIST.  MODERATING WOULD MAKE THE LIST MUCH MORE PROFESSIONAL AND
> WOULD BRING IT ONE STEP ABOVE SECURITY FOCUS.
>
> ONCE AGAIN.  I AM 150% FOR THE MODERATION OF FULL-DISCLOSURE.

I am 200% for the repairing of your caps-lock-key.

-- 
Christoph Gruber
"If privacy is outlawed, only outlaws will have privacy." Philip Zimmermann
Fingerprint: A2A8 8AB0 6F30 A7DD 880B F74F BA6B 2182 646A 0649
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Symlink attack techniques

2005-12-15 Thread Joachim Schipper
On Thu, Dec 15, 2005 at 01:09:49PM +, Werner Schalk wrote:
> Hi,
> 
> thanks for all the replies, I really appreciate this.

> basically the cronjob is something like:
> 
> 15 4  * * 6  root  /usr/bin/find /home/userA -type f -print > /tmp/report.txt
> 
> Consequently as userB I have no way of influencing what information is 
> printed 
> by the find command to /tmp/report.txt but I can surely 
> control /tmp/report.txt. Any other ideas of how to exploit this to gain root 
> access?

This is not generally possible. It's likely to be viewed, though, and you
can attack the viewing application (bad email clients, old vim versions,
and most browsers apply).

Of course, symlinking it to /etc/passwd is fun but ultimately pretty
useless.

Joachim
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
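The cron job quoted above writes through a shell redirect to a fixed name in /tmp, and the open(2) behind that redirect follows whatever already sits at that path. As an added example (not from the thread), the Python below contrasts that behaviour with a writer that opens with O_CREAT|O_EXCL|O_NOFOLLOW and refuses an occupied path, and with mkstemp(); the sandbox directory, "victim" file and planted link it builds are constructed stand-ins for /tmp, a root-owned target and an attacker-placed symlink.

```python
import os
import shutil
import tempfile


def write_report_unsafe(path: str, data: str) -> None:
    """Mirrors the cron job's `> /tmp/report.txt`: open(2) with
    O_CREAT|O_TRUNC follows an existing symlink, so a link planted at
    `path` by another local user redirects the privileged write."""
    with open(path, "w") as fh:
        fh.write(data)


def write_report_safe(path: str, data: str) -> bool:
    """Create `path` only if nothing is there yet and never follow a link.
    O_EXCL makes open(2) fail with EEXIST when `path` exists, even as a
    dangling symlink; O_NOFOLLOW is belt and braces where available.
    Returns False instead of writing when the path is already occupied."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags, 0o600)
    except FileExistsError:
        return False
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return True


def write_report_private(data: str, directory: str) -> str:
    """Better still: no predictable name in a shared directory at all.
    mkstemp() creates an unpredictable 0600 file with O_EXCL and returns
    the already-open descriptor, so there is no name to race."""
    fd, path = tempfile.mkstemp(prefix="report.", suffix=".txt", dir=directory)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return path


def demo() -> dict:
    """Constructed scenario: a sandbox standing in for /tmp, a victim file
    standing in for a root-owned target, and a symlink planted at the
    predictable report path pointing at the victim."""
    sandbox = tempfile.mkdtemp(prefix="symlink-demo.")
    try:
        victim = os.path.join(sandbox, "victim.conf")
        report = os.path.join(sandbox, "report.txt")
        with open(victim, "w") as fh:
            fh.write("original contents\n")
        os.symlink(victim, report)

        # The shell-redirect behaviour: the victim is overwritten.
        write_report_unsafe(report, "find output\n")
        with open(victim) as fh:
            clobbered = fh.read() != "original contents\n"

        # The hardened writer refuses because something sits at `report`.
        refused = not write_report_safe(report, "find output\n")

        # With the link gone, the same call creates the file normally, and
        # a second run refuses again rather than truncating through a link
        # that could have been swapped in between runs.
        os.unlink(report)
        created = write_report_safe(report, "find output\n")
        second_run_refused = not write_report_safe(report, "find output\n")

        private = write_report_private("find output\n", sandbox)
        private_mode_ok = (os.stat(private).st_mode & 0o777) == 0o600
    finally:
        shutil.rmtree(sandbox, ignore_errors=True)

    return {
        "unsafe_clobbered_victim": clobbered,
        "safe_refused_symlink": refused,
        "safe_created_when_clear": created,
        "safe_refused_second_run": second_run_refused,
        "private_mode_ok": private_mode_ok,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```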


Re: [Full-disclosure] Administrivia: Requests for Moderation

2005-12-15 Thread Joe Average

On 12/15/05, GroundZero Security <[EMAIL PROTECTED]> wrote:

>i spoke with netdev and i asked him not to respond to bait mail from known nicknames
 
please also ask him not to post any phishing or xss related information.
we do not care. tell him to go learn about IT security first and then come back in a few years when he has grown up. 
 
all xss be banned or just netdev xss? not good idea
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

RE: [Full-disclosure] A CALL FOR FULL-DISCLOSURE TO BECOME AMODERATEDLIST

2005-12-15 Thread Jason Jones
If it takes caps or foul language to get your point across then it must
not be of importance and that's your only way to get attention. If it's
attention you want, do something to make the national news. 

I guess some of us have way too much time on our hands and not enough
real work to do. FD doesn't need moderation, or vote kicking. It needs
the kiddies to grow up and get past puberty.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lane
Weast
Sent: Thursday, December 15, 2005 10:41 AM
To: full-disclosure@lists.grok.org.uk
Subject: RE: [Full-disclosure] A CALL FOR FULL-DISCLOSURE TO BECOME
AMODERATEDLIST

Please reject email from the rude people who insist on typing in all
caps.


On Thu, 15 Dec 2005 08:16:46 -0800
<[EMAIL PROTECTED]> wrote:

> I WOULD JUST LIKE TO EXPRESS MY DEEP SUPPORT FOR THIS IDEA.  MAKING 
> THE LIST MODERATED WOULD REALLY HELP MY JOB AS A SECURITY RESEARCHER.

> I COULD MAKE QUICKER, MORE WELL INFORMED CHOICES IN MY DAY TO DAY 
> TASKS OF PEN TESTING LEGITIMATELY.  I WILL ONLY GET THE GOOD STUFF AND

> NONE OF THIS PISSING CONTEST WHICH IS KILLING THIS LIST.  MODERATING 
> WOULD MAKE THE LIST MUCH MORE PROFESSIONAL AND WOULD BRING IT ONE STEP

> ABOVE SECURITY FOCUS.
> 
> ONCE AGAIN.  I AM 150% FOR THE MODERATION OF FULL-DISCLOSURE.

Moderation... moderation...
Well..

If you smoke a pipe and think about it you'll get 2 problems:

1. Moderation is a kind of censorship
2. Who should moderate the list? 1 guy? 2? 3? 4?
   Do they really know what IS important for everybody?

I would agree that users who spam too much should get kicked off. But as
I said.. if you smoke a pipe you'll get some ideas:

You could delete e-Mails from such idiots. Or you could train "bmf". ;-)

Kind regards,
Rembrandt
--
God did a bless on me,
So accapt the dark side in you.
Hate leads me to victory, so give me a war.
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/




Re: [Full-disclosure] Administrivia: Requests for Moderation

2005-12-15 Thread Micheal Espinola Jr
How about instead of moderation, we try vote-kicking?

On 12/15/05, Joe Average <[EMAIL PROTECTED]> wrote:
>
>
> On 12/15/05, John Cartwright <[EMAIL PROTECTED]> wrote:
> > Hi
> >
> > Please do not request that global moderation of FD occur. It won't. As
> > others pointed out, that would defeat the entire purpose of the list.
> > I have no intention of changing anything so fundamental. To be frank,
> > those who feel that moderation is needed should be looking elsewhere
> > for their information, because this is one point I am not going to
> > concede.
> >
> > I'd also like to take this opportunity to thank everyone who isn't
> > adding to the noise at the moment, I'm currently dealing with a
> > massive spam problem caused by some Italian folks...
> >
> > Cheers
> > - John
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Administrivia: Requests for Moderation

2005-12-15 Thread GroundZero Security



> i spoke with netdev and i asked him not to respond to bait mail from known
> nicknames

please also ask him not to post any phishing or xss related information.
we do not care. tell him to go learn about IT security first and then come
back in a few years when he has grown up.
 
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

RE: [Full-disclosure] A CALL FOR FULL-DISCLOSURE TO BECOME AMODERATED LIST

2005-12-15 Thread Lane Weast
Please reject email from the rude people who insist on typing in all
caps.


On Thu, 15 Dec 2005 08:16:46 -0800
<[EMAIL PROTECTED]> wrote:

> I WOULD JUST LIKE TO EXPRESS MY DEEP SUPPORT FOR THIS IDEA.  MAKING
> THE LIST MODERATED WOULD REALLY HELP MY JOB AS A SECURITY 
> RESEARCHER.  I COULD MAKE QUICKER, MORE WELL INFORMED CHOICES IN MY 
> DAY TO DAY TASKS OF PEN TESTING LEGITIMATELY.  I WILL ONLY GET THE 
> GOOD STUFF AND NONE OF THIS PISSING CONTEST WHICH IS KILLING THIS 
> LIST.  MODERATING WOULD MAKE THE LIST MUCH MORE PROFESSIONAL AND 
> WOULD BRING IT ONE STEP ABOVE SECURITY FOCUS.
> 
> ONCE AGAIN.  I AM 150% FOR THE MODERATION OF FULL-DISCLOSURE.

Moderation... moderation...
Well..

If you smoke a pipe and think about it you'll get 2 problems:

1. Moderation is a kind of censorship
2. Who should moderate the list? 1 guy? 2? 3? 4?
   Do they really know what IS important for everybody?

I would agree that users who spam too much should get kicked off. But as
I said.. if you smoke a pipe you'll get some ideas:

You could delete e-Mails from such idiots. Or you could train "bmf". ;-)

Kind regards,
Rembrandt
--
God did a bless on me,
So accapt the dark side in you.
Hate leads me to victory, so give me a war.
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/




Recall: [Full-disclosure] A CALL FOR FULL-DISCLOSURE TO BECOME AMODERATED LIST

2005-12-15 Thread Lane Weast
The sender would like to recall the message, "[Full-disclosure] A CALL FOR 
FULL-DISCLOSURE TO BECOME AMODERATED LIST".

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


RE: [Full-disclosure] A CALL FOR FULL-DISCLOSURE TO BECOME A MODERATED LIST

2005-12-15 Thread Todd Towles



Joe Average wrote:
> no need,
> a) ban all gmail addresses
> b) ban nicknames (real name only)
> c) start enforcing list policy for trouble makers who attack legitimate
> researchers like netdev

Wow

1) n3td3v & you meet both your A and B requirement.
2) So..when are you leaving?

I have to add another requirement, ban those that use lame blue bar HTML.
 
-Todd
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Administrivia: Requests for Moderation

2005-12-15 Thread Joe Average

On 12/15/05, John Cartwright <[EMAIL PROTECTED]> wrote:
> Hi
>
> Please do not request that global moderation of FD occur. It won't. As
> others pointed out, that would defeat the entire purpose of the list.
> I have no intention of changing anything so fundamental. To be frank,
> those who feel that moderation is needed should be looking elsewhere
> for their information, because this is one point I am not going to
> concede.
>
> I'd also like to take this opportunity to thank everyone who isn't
> adding to the noise at the moment, I'm currently dealing with a
> massive spam problem caused by some Italian folks...
>
> Cheers
> - John

i spoke with netdev and i asked him not to respond to bait mail from known nicknames
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] A CALL FOR FULL-DISCLOSURE TO BECOME A MODERATED LIST

2005-12-15 Thread Rembrandt

On Thu, 15 Dec 2005 16:39:41 +
Joe Average <[EMAIL PROTECTED]> wrote:

> On 12/15/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> >
> > I WOULD JUST LIKE TO EXPRESS MY DEEP SUPPORT FOR THIS IDEA.  MAKING
> > THE LIST MODERATED WOULD REALLY HELP MY JOB AS A SECURITY
> > RESEARCHER.  I COULD MAKE QUICKER, MORE WELL INFORMED CHOICES IN MY
> > DAY TO DAY TASKS OF PEN TESTING LEGITIMATELY.  I WILL ONLY GET THE
> > GOOD STUFF AND NONE OF THIS PISSING CONTEST WHICH IS KILLING THIS
> > LIST.  MODERATING WOULD MAKE THE LIST MUCH MORE PROFESSIONAL AND
> > WOULD BRING IT ONE STEP ABOVE SECURITY FOCUS.
> >
> > ONCE AGAIN.  I AM 150% FOR THE MODERATION OF FULL-DISCLOSURE.
> 
> 
> no need,
> 
> a) ban all gmail addresses
> b) ban nicknames (real name only)
> c) start enforcing list policy for trouble makers who attack legitimate
> researchers like netdev

Even I could name myself Ben Bosten or Marc Yenkfield or
%any_other_combination.

Such research could be (and is) illegal in some countries.
Like writing exploits is illegal in France...

Think twice before you write an e-mail.


A gentleman's agreement would be fine of course.
I don't understand why people blame others or even insult them.
So with a gentleman's agreement we could maybe solve this. :)

Kind regards,
Rembrandt
- -- 
God did a bless on me,
So accapt the dark side in you.
Hate leads me to victory, so give me a war.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (OpenBSD)

iD8DBQFDoZ7IHXWDTKj6tTkRAhs0AJ4lg7hrIc2sQZofeJ4bdWWslhosWQCgxzAF
JJD98YFPTxsaSHIzNzukS0M=
=Yjmn
-----END PGP SIGNATURE-----


Re: [Full-disclosure] a call for full-disclosure to become a moderated list

2005-12-15 Thread Christoph Gruber
On Thursday 15 December 2005 07:20 [EMAIL PROTECTED] wrote:

> how many people who actually find value in this list (which i have,
> since len rose set it up quite a long time ago) agree with this
> position?

I cannot answer a number, but I can speak for myself:
I don't want a moderated list, because a moderated list is what you called
degenerated.
I saw a lot of lists (starting with nntp in the good old times) coming and
going, and every one died of regulations.
So put the assholes in here in your killfile and everything is fine.

BTW: don't answer list-postings with PM.

> if you think there's a compelling reason for no moderation, i'd like to
> hear it.
>
> i call to your attention three brief selections from the list charter,
> which is at
> http://lists.grok.org.uk/full-disclosure-charter.html
> which i think have been violated recently:
>
> "Members are expected to maintain a reasonable standard of netiquette when
> posting to the list." "Disagreements, flames, arguments, and off-topic
> discussion should be taken off-list wherever possible." "Gratuitous
> advertisement, product placement, or self-promotion is forbidden."

That's cool, anything else?

-- 
Christoph Gruber
"If privacy is outlawed, only outlaws will have privacy." Philip Zimmermann
Fingerprint: A2A8 8AB0 6F30 A7DD 880B F74F BA6B 2182 646A 0649


[Full-disclosure] Administrivia: Requests for Moderation

2005-12-15 Thread John Cartwright
Hi

Please do not request that global moderation of FD occur. It won't. As
others pointed out, that would defeat the entire purpose of the list.
I have no intention of changing anything so fundamental. To be frank,
those who feel that moderation is needed should be looking elsewhere
for their information, because this is one point I am not going to
concede.

I'd also like to take this opportunity to thank everyone who isn't
adding to the noise at the moment, I'm currently dealing with a
massive spam problem caused by some Italian folks...

Cheers
- John


Re: [Full-disclosure] A CALL FOR FULL-DISCLOSURE TO BECOME A MODERATED LIST

2005-12-15 Thread Joe Average
On 12/15/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> I WOULD JUST LIKE TO EXPRESS MY DEEP SUPPORT FOR THIS IDEA.  MAKING
> THE LIST MODERATED WOULD REALLY HELP MY JOB AS A SECURITY
> RESEARCHER.  I COULD MAKE QUICKER, MORE WELL INFORMED CHOICES IN MY
> DAY TO DAY TASKS OF PEN TESTING LEGITIMATELY.  I WILL ONLY GET THE
> GOOD STUFF AND NONE OF THIS PISSING CONTEST WHICH IS KILLING THIS
> LIST.  MODERATING WOULD MAKE THE LIST MUCH MORE PROFESSIONAL AND
> WOULD BRING IT ONE STEP ABOVE SECURITY FOCUS.
>
> ONCE AGAIN.  I AM 150% FOR THE MODERATION OF FULL-DISCLOSURE.
 
no need,
 
a) ban all gmail addresses
b) ban nicknames (real name only)
c) start enforcing list policy for trouble makers who attack legitimate researchers like netdev

RE: [Full-disclosure] A CALL FOR FULL-DISCLOSURE TO BECOME A MODERATED LIST

2005-12-15 Thread Todd Towles
> I WOULD JUST LIKE TO EXPRESS MY DEEP SUPPORT FOR THIS IDEA.  
> MAKING THE LIST MODERATED WOULD REALLY HELP MY JOB AS A 
> SECURITY RESEARCHER.  I COULD MAKE QUICKER, MORE WELL 
> INFORMED CHOICES IN MY DAY TO DAY TASKS OF PEN TESTING 
> LEGITIMATELY.  I WILL ONLY GET THE GOOD STUFF AND NONE OF 
> THIS PISSING CONTEST WHICH IS KILLING THIS LIST.  MODERATING 
> WOULD MAKE THE LIST MUCH MORE PROFESSIONAL AND WOULD BRING IT 
> ONE STEP ABOVE SECURITY FOCUS.
> 
> ONCE AGAIN.  I AM 150% FOR THE MODERATION OF FULL-DISCLOSURE.

I am in 150% support of you not using CAPS. As if it needs to be said
again, there are moderated lists you can join...go join them and quit
trying to change FD.

As I stated on FD in March, "if you wanted a clean list that is
moderated, I would suggest 
you start with Security Basics or Bugtraq." -
http://archives.neohapsis.com/archives/fulldisclosure/2005-03/0737.html



Re: [Full-disclosure] A CALL FOR FULL-DISCLOSURE TO BECOME A MODERATED LIST

2005-12-15 Thread Rembrandt
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 15 Dec 2005 08:16:46 -0800
<[EMAIL PROTECTED]> wrote:

> I WOULD JUST LIKE TO EXPRESS MY DEEP SUPPORT FOR THIS IDEA.  MAKING 
> THE LIST MODERATED WOULD REALLY HELP MY JOB AS A SECURITY 
> RESEARCHER.  I COULD MAKE QUICKER, MORE WELL INFORMED CHOICES IN MY 
> DAY TO DAY TASKS OF PEN TESTING LEGITIMATELY.  I WILL ONLY GET THE 
> GOOD STUFF AND NONE OF THIS PISSING CONTEST WHICH IS KILLING THIS 
> LIST.  MODERATING WOULD MAKE THE LIST MUCH MORE PROFESSIONAL AND 
> WOULD BRING IT ONE STEP ABOVE SECURITY FOCUS.
> 
> ONCE AGAIN.  I AM 150% FOR THE MODERATION OF FULL-DISCLOSURE.

Moderation... moderation...
Well..

If you smoke a pipe and think about it you'll get 2 problems:

1. Moderation is a kind of censorship
2. Who should moderate the list? 1 guy? 2? 3? 4?
   Do they really know what IS important for everybody?

I would agree that users who spam too much should get kicked off.
But as I said.. if you smoke a pipe you'll get some ideas:

You could delete e-mails from such idiots. Or you could train "bmf". ;-)

Kind regards,
Rembrandt
- -- 
God did a bless on me,
So accapt the dark side in you.
Hate leads me to victory, so give me a war.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (OpenBSD)

iD8DBQFDoZqIHXWDTKj6tTkRAk6XAKCWyvXnKQGLyo9VrYk5Jlzgi4+dOQCgzJnL
Z8JKp0tI4vrcyeMR8UAzock=
=KSKI
-----END PGP SIGNATURE-----


Re: [Full-disclosure] a call for full-disclosure to become a moderated list

2005-12-15 Thread Joe Average

On 12/15/05, Bart Lansing <[EMAIL PROTECTED]> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Mark, et al
>
> remotely possible that n3td3v or infosecBOFH (who seems to be
> attempting to validate his choice of handles by being an
> unmitigated ass whenever possible) might actually have something
> constructive to contribute at some point...but I'll just have to
> risk missing out on it going forward.

 
 
netdev = legitimate researcher
 
infosec = troll baiting netdev
  

[Full-disclosure] A CALL FOR FULL-DISCLOSURE TO BECOME A MODERATED LIST

2005-12-15 Thread uber
I WOULD JUST LIKE TO EXPRESS MY DEEP SUPPORT FOR THIS IDEA.  MAKING 
THE LIST MODERATED WOULD REALLY HELP MY JOB AS A SECURITY 
RESEARCHER.  I COULD MAKE QUICKER, MORE WELL INFORMED CHOICES IN MY 
DAY TO DAY TASKS OF PEN TESTING LEGITIMATELY.  I WILL ONLY GET THE 
GOOD STUFF AND NONE OF THIS PISSING CONTEST WHICH IS KILLING THIS 
LIST.  MODERATING WOULD MAKE THE LIST MUCH MORE PROFESSIONAL AND 
WOULD BRING IT ONE STEP ABOVE SECURITY FOCUS.

ONCE AGAIN.  I AM 150% FOR THE MODERATION OF FULL-DISCLOSURE.







[Full-disclosure] Re: RLA ("Remote LanD Attack")

2005-12-15 Thread Synister Syntax
 Agreed, this and all attacks like this fall under DoS.  The
reason I originally classified this attack as a Remote LanD was that I was
originally testing an un-patched Windows SP2 machine, locally, and of
course watching the box lock up for 30 seconds or so.  I then thought,
there has to be a way for this to work remotely.  I started testing;
this was about four (4) months ago.  I knew then that it worked, but I
really wanted to find out what devices are susceptible to such
attacks.  I knew it, seeing as it was both the Linksys and Westell, it
was more than just two vendors.

 So, from there I just called it Remote LanD attack, as I
literally just tried sending LanD packets across the Internet.  (To a
second party who was helping me test the exploit/vulnerability.  I did in
fact have permission for all the tests I performed.)  It was then I
discovered the packets were lagging my college's network.  I started
messing with an array of flag combinations; almost all caused some
reaction, mainly latency.  I then found the ASPU combination which
caused the most damage.

 Thanks :-) I really took the time to make this write-up organized
and understandable.   Hopefully the device vendors can move on from here
and fix the problem; simply dropping LanD packets would do it.

 Again, thanks for your comments.  If you have anything else,
please feel free to reply.

On 12/15/05, service pack <[EMAIL PROTECTED]> wrote:
> yeah i mean there is a fine line between the two. Sans has a good definition
> as well
>
>  A packet that causes problems by having the same source and destination
> (the target of course).
>
>  I still think of it as more of a talking-yourself-to-death attack :)
>
>  They all fall under the umbrella of denial of service though.
>
>  Good write up I just thought the part about land was worded a little funny,
> or was lacking.
>
>  Thanks
>  SP
>
>
> On 12/15/05, Synister Syntax <[EMAIL PROTECTED]> wrote:
> >  I agree that this is in fact a DoS, however it is using the old
> > LanD attack (from 1997) syntax/style.  The fact that it is a packet
> > to itself, from itself, obviously spoofed.  As this was the same
> > way it was done back in the 90's.  The difference here is the fact
> > that the LanD attack can be performed remotely, whereas before the
> > attack was only a Local (LAN) attack.
> >
> >  Also note that this is an attack on devices, not OS's.  Also let
> > me note that the device is unusable until it is physically reset.
> > Either way, I am fine by this being considered a DoS, it is.  It will
> > shut down your switch (rendering your network useless) or your router
> > (keeping you from accessing the internet etc.).
> >
> > If you have any other questions or comments please let me know.
> > Thanks for the input, I think I did in fact not state that the attack
> > was a DoS.
> >
> > On 12/15/05, service pack <[EMAIL PROTECTED]> wrote:
> > > Updated the wiki page. You're looking at a denial of service, not a land
> > > attack.
> > >
> > >  Land attacks are caused when a machine floods itself.
> > >
> > >  First example,  Echo and Chargen (ICMP and Character generator (old unix
> > > service)) Are services that reply to anything.
> > >  A spoofed packet is sent from a machine's echo (spoofed) to the chargen. The
> > > chargen replies with garbage, and the echo echoes it
> > >  back and so on until the resources are consumed.
> > >
> > >  Anything that doesn't have this effect is a Denial of service.
> > >
> > >  Now SNMP and windows Kerberos can talk themselves to death (an example of a
> > > non-cross service land).
> > >
> > >  Makes sense? :)
> > >
> > >  SP
> > >
> > >
> > > On 12/14/05, Synister Syntax < [EMAIL PROTECTED]> wrote:
> > > > Below is a copy of my RLA exploit submission in ASCII.  Attached is a
> > > > MSWord (.doc) version with rich formatting, created with ease of view
> > > > in mind.
> > > >
> > > > Regards...
> > > >
> > > > --
> > > >
> > > > RLA
> > > > ("Remote LanD Attack")
> > > > 2005
> > > >
> > > >
> > > > As discovered by:
> > > > Justin M. Wray
> > > > ([EMAIL PROTECTED])
> > > >
> > > >
> > > > Devices/Vendors Vulnerable:
> > > > - Microsoft Windows XP, SP1 and SP2
> > > > - Linksys Routers
> > > > - Westell Routers/Modems
> > > > - Motorola Modems/Routers
> > > > - Cisco Firewalls, Switches, and Routers
> > > > - DSL Modems
> > > > - Cable Modems
> > > > - Consumer Routers
> > > > - All Central Connectivity Devices (any manufacturer)
> > > >
> > > > Devices/Vendors Tested:
> > > > - Linksys BEFW11S4
> > > > - Linksys WRT54GS
> > > > - Westell  Versalink 327W (Verizon Modem)
> > > > - Cisco Catalyst Series (Multiple)
> > > > - Scientific Atlantic DPX2100 (Comcast Modem)
> > > >
> > > > Definition:
> > > > A LAND attack is a DoS (Denial of Service) attack that consists of
> > > > sending a special poison spoofed packet to a computer, causing it to
> > > > lock up. The security flaw was first discovered in 1997 by someone
> > > > using

[Full-disclosure] POC tools?

2005-12-15 Thread Gaz Wilson

I'm sorry to post this on FD, but I could do with an answer and other lists I
am subbed to seem fairly quiet at the moment (everyone xmas shopping?)

Anyway, we just acquired a smaller company and some of their boxes are a bit
out of date, so I was wanting to take the opportunity to set up a workshop
with the staff we are keeping to discuss security practices etc, and along
with some telnet session hijacking stuff, I also want to show some SSH
exploits as a proof of concept.

One of the internal boxes is running OpenSSH 3.1p1, and I was wondering
if anyone has any tools to exploit this as a teaching aid to our new
staff members?

Replies off-list welcome if preferred.

Many thanks

GW

-- 
   /   Gary Wilson, aka dragon/dragonlord/dragonv480\
 .'(_.--.  e: [EMAIL PROTECTED] MSN: dragonv480   .--._)`.
<   _   |  Skype:dragonv480 ICQ:342070475 AIM:dragonv480   |   _   >
 `.( `--' w: http://volvo480.northernscum.org.uk   `--' ).'
   \w: http://www.northernscum.org.uk   /


[Full-disclosure] Re: RLA ("Remote LanD Attack")

2005-12-15 Thread Synister Syntax
 I agree that this is in fact a DoS, however it is using the old
LanD attack (from 1997) syntax/style.  The fact that it is a packet
to itself, from itself, obviously spoofed.  As this was the same
way it was done back in the 90's.  The difference here is the fact
that the LanD attack can be performed remotely, whereas before the
attack was only a Local (LAN) attack.

 Also note that this is an attack on devices, not OS's.  Also let
me note that the device is unusable until it is physically reset.
Either way, I am fine by this being considered a DoS, it is.  It will
shut down your switch (rendering your network useless) or your router
(keeping you from accessing the internet etc.).

If you have any other questions or comments please let me know.
Thanks for the input, I think I did in fact not state that the attack
was a DoS.

On 12/15/05, service pack <[EMAIL PROTECTED]> wrote:
> Updated the wiki page. You're looking at a denial of service, not a land
> attack.
>
>  Land attacks are caused when a machine floods itself.
>
>  First example,  Echo and Chargen (ICMP and Character generator (old unix
> service)) Are services that reply to anything.
>  A spoofed packet is sent from a machine's echo (spoofed) to the chargen. The
> chargen replies with garbage, and the echo echoes it
>  back and so on until the resources are consumed.
>
>  Anything that doesn't have this effect is a Denial of service.
>
>  Now SNMP and windows Kerberos can talk themselves to death (an example of a
> non-cross service land).
>
>  Makes sense? :)
>
>  SP
>
>
> On 12/14/05, Synister Syntax <[EMAIL PROTECTED]> wrote:
> > Below is a copy of my RLA exploit submission in ASCII.  Attached is a
> > MSWord (.doc) version with rich formatting, created with ease of view
> > in mind.
> >
> > Regards...
> >
> > --
> >
> > RLA
> > ("Remote LanD Attack")
> > 2005
> >
> >
> > As discovered by:
> > Justin M. Wray
> > ([EMAIL PROTECTED])
> >
> >
> > Devices/Vendors Vulnerable:
> > - Microsoft Windows XP, SP1 and SP2
> > - Linksys Routers
> > - Westell Routers/Modems
> > - Motorola Modems/Routers
> > - Cisco Firewalls, Switches, and Routers
> > - DSL Modems
> > - Cable Modems
> > - Consumer Routers
> > - All Central Connectivity Devices (any manufacturer)
> >
> > Devices/Vendors Tested:
> > - Linksys BEFW11S4
> > - Linksys WRT54GS
> > - Westell  Versalink 327W (Verizon Modem)
> > - Cisco Catalyst Series (Multiple)
> > - Scientific Atlantic DPX2100 (Comcast Modem)
> >
> > Definition:
> > A LAND attack is a DoS (Denial of Service) attack that consists of
> > sending a special poison spoofed packet to a computer, causing it to
> > lock up. The security flaw was first discovered in 1997 by someone
> > using the alias "m3lt", and has resurfaced many years later in
> > operating systems such as Windows Server 2003 and Windows XP SP2.
> > (http://en.wikipedia.org/wiki/LAND_attack)
> >
> > Explanation of LanD:
> > LanD uses a specially crafted ICMP echo packet which has the same
> > source and destination address.  The receiving system stalls due to
> > the erroneous packet and not having instructions to handle the unique
> > packet.  In Windows 9x variants, the systems will "blue screen."  On
> > modern NT variants, the systems will hang for approximately 30
> > seconds with full CPU usage before discarding the packet.  With a
> > looped script, the attacker can render the system useless.  UNIX
> > variants have been able to use a firewall rule to drop LanD packets –
> > leaving most systems patched.
> >
> > Microsoft originally released an initial patch that secured Windows 9x
> > variants – causing the exploit to lose popularity and become somewhat
> > obscure.  Later, when Windows NT variants were released, Microsoft
> > neglected to patch the security flaw; this caused Windows XP Service
> > Pack 2 to remain susceptible to such an attack.  Within the last four
> > (4) months, Microsoft has released a patch for Windows NT variants.
> >
> > LanD versus Remote LanD:
> > LanD was originally introduced in the late 1990s and was very popular
> > with educational and business networks.  The original LanD attack had
> > to be executed internally on the local network – thereby giving rise
> > to the name "LanD" (indicating that access has been granted to the
> > local premises).  However, with a remote attack (Remote LanD),
> > crafting special packets and spoofing the destination and source IP
> > addresses will cause the attack to be carried out remotely against the
> > central connectivity device.
> >
> > Exploit / Proof of Concept:
> > There is no handwritten code needed to exploit this vulnerability.
> > The only requirement is an IP packet creation utility (such as HPing2
> > or IPSorcery). Below are some HPing2 examples:
> > Victim's IP Address: 63.24.122.59
> > Victim's Router IP Address: 192.168.1.1
> > hping2 -A -S -P -U 63.24.122.59 -s 80 -p 80 -a 192.168.1.1
> >
> > Remote LanD Specifi
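
The hping2 line quoted above spoofs the router's LAN address (192.168.1.1) as the source of an ACK/SYN/PUSH/URG packet aimed at the victim's public address, and the poster's own suggested fix is for the device simply to drop LanD packets. As an added example (not code from the original post or from its author), the Python below builds that packet with the same IP and TCP header layout hping2 would emit (checksums left at zero), parses it back, and applies the ingress check a router could run on its WAN side: drop when source equals destination (the original 1997 land.c shape, a TCP SYN with identical source and destination address and port), drop when the source claims an address from the router's own LAN (the "Remote LanD" shape, which is plain BCP 38 style ingress filtering), and drop echo/chargen port pairs (the bounce described in service pack's reply). The victim and router addresses are the ones from the post; LAN_NET and the use of ports 7 and 19 for echo and chargen are assumptions, as is the verdict vocabulary.

```python
import ipaddress
import struct

# Constructed sample values taken from the hping2 example in the post;
# LAN_NET and SMALL_SERVICES are assumptions about the router being protected.
VICTIM_IP = "63.24.122.59"      # public (WAN) address of the target
ROUTER_LAN_IP = "192.168.1.1"   # address hping2 is told to spoof with -a
LAN_NET = "192.168.1.0/24"      # assumed LAN behind the router
SMALL_SERVICES = {7, 19}        # echo and chargen ports (TCP and UDP)

TCP_FLAGS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}


def build_packet(src, dst, sport, dport, flags="S", proto="tcp"):
    """Raw bytes of a minimal IPv4 packet with a TCP or UDP header and no
    payload.  With proto="tcp" and flags="ASPU" this is the header shape of
    `hping2 -A -S -P -U dst -s sport -p dport -a src`.  Checksums stay zero:
    nothing below verifies them, and a LAND-shaped packet is dropped before
    any checksum would matter."""
    if proto == "tcp":
        bits = 0
        for f in flags:
            bits |= TCP_FLAGS[f]
        # sport, dport, seq, ack, data offset (5 words), flags, window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, bits,
                         8192, 0, 0)
        proto_num = 6
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)   # UDP: ports, length, csum
        proto_num = 17
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + len(l4),   # version/IHL, TOS, total length
                     0, 0x4000,               # id, DF set
                     64, proto_num, 0,        # TTL, protocol, checksum
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return ip + l4


def parse(packet):
    """Pull the fields the filter needs out of an IPv4 (+TCP/UDP) header."""
    if packet[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    info = {
        "src": str(ipaddress.IPv4Address(packet[12:16])),
        "dst": str(ipaddress.IPv4Address(packet[16:20])),
        "proto": packet[9], "sport": None, "dport": None, "flags": "",
    }
    if info["proto"] in (6, 17) and len(packet) >= ihl + 8:
        info["sport"], info["dport"] = struct.unpack("!HH", packet[ihl:ihl + 4])
    if info["proto"] == 6 and len(packet) >= ihl + 14:
        bits = packet[ihl + 13]                       # TCP flags byte
        info["flags"] = "".join(k for k, v in TCP_FLAGS.items() if bits & v)
    return info


def wan_ingress_verdict(packet, lan_net=LAN_NET):
    """Reason to drop a packet arriving on the router's WAN interface, or
    None to accept it.  Three shapes are caught:
      land                  source == destination (the 1997 LAND packet)
      spoofed-internal-src  source claims one of our own LAN addresses; the
                            post's "Remote LanD" (-a 192.168.1.1 sent from
                            the Internet) has exactly this shape
      echo-chargen-loop     both ports in {7, 19}, the echo/chargen bounce
    """
    p = parse(packet)
    if p["src"] == p["dst"]:
        return "land"
    if ipaddress.IPv4Address(p["src"]) in ipaddress.IPv4Network(lan_net):
        return "spoofed-internal-src"
    if p["sport"] in SMALL_SERVICES and p["dport"] in SMALL_SERVICES:
        return "echo-chargen-loop"
    return None


if __name__ == "__main__":
    rla = build_packet(ROUTER_LAN_IP, VICTIM_IP, 80, 80, flags="ASPU")
    print(parse(rla), "->", wan_ingress_verdict(rla))
```

Run as-is, the ASPU packet from the post is classified as spoofed-internal-src; re-sent with the victim's own address as the spoofed source it is classified as land. Either rule is cheap enough to sit in a border ACL, which is the "simply drop LanD packets" the poster asks vendors for, and the source-address check also covers any other flag combination the poster tried.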

RE: [Full-disclosure] Someone is running his mouth again... [Hacker attacks in US linked to Chinese military: researchers]

2005-12-15 Thread Paul Melson

Subject: [Full-disclosure] Someone is running his mouth again...
[Hacker attacks in US linked to Chinese military: researchers]


> and unfortunately when Alan Paller runs his mouth, people listen.
> DAMNIT. Gracias senore Paller, lets poke china some more, great idea!

Paller is hardly the first to suggest that the Chinese government is
sponsoring hacker attacks against US government and defense targets.  It's
been mainstream media fodder for months:

http://www.time.com/time/archive/preview/0,10987,1098961,00.html


> In the attacks, Paller said, the perpetrators "were in and out with no
> keystroke errors and left no fingerprints, and created a backdoor in less
> than 30 minutes. How can this be done by anyone other than a military
> organization?"

By using copy & paste?  :)  

Anyway, the use of the term 'fingerprints' in describing a remotely-executed
attack should give you a clue that he's exaggerating.  I take it to be more
hype and hysteria, which is one way that infosec vendors (like SANS) drive
sales.  If you can't make people believe in the value of your services,
maybe you can scare them into buying.  It's an old move.  (Remember the
Michelangelo virus circa 1992?)  And what with all of the upper-middle class
college kids that make up the old hacker demographic going to work for
American infosec vendors, they need a new boogie man.  Enter the Russian mob
and Chinese government.

PaulM




Re: [Full-disclosure] a call for full-disclosure to become a moderated list

2005-12-15 Thread InfoSecBOFH
Wow, we have another n3td3v here.  Editing your emails?  Sorry, not
guilty.  Replying to you on list so everyone can see you continue to
stir the pot, guilty.

My momma did not teach me any manners but I taught your momma that
thing she does with her tongue.

On 12/14/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> didn't your mamma teach you any manners?
>
> call me whatever you want, i will not reply to you on the list.
>
> taking private email and posting it on a list is not polite.
> editing it to remove context is even less polite.
>
>
> On Wed, Dec 14, 2005 at 11:58:41PM -0800, InfoSecBOFH wrote:
> > Hey cry baby, the only reason this list exists and has half the
> > subscribers it has is because of the lack of moderation.  If this list
> > was moderated it would be nothing more than Bugtraq
> >
> > On 12/14/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> > > it seems to me that without a moderator (since there is the apparent
> > > absence of people who are moderate, or even civilized), this list will
> > > continue its degeneration into a never-ending pissing contest.
> > >
> > > (some people don't seem to think that the social compact one accepts
> > > when joining a list applies to them.
> > >
> > > my most recent attempt to politely, in direct email, ask one of the
> > > offenders to stop doing this sort of thing on the list ...  was posted
> > > with a twerpy reply right back to the list).  (no good deed goes
> > > unpunished).
> > >
> > > how many people who actually find value in this list (which i have,
> > > since len rose set it up quite a long time ago) agree with this
> > > position?
> > >
> > > if you think there's a compelling reason for no moderation, i'd like to 
> > > hear it.
> > >
> > > i call to your attention three brief selections from the list charter,
> > > which is at
> > > http://lists.grok.org.uk/full-disclosure-charter.html
> > > which i think have been violated recently:
> > >
> > > "Members are expected to maintain a reasonable standard of netiquette 
> > > when posting to the list."
> > > "Disagreements, flames, arguments, and off-topic discussion should be 
> > > taken off-list wherever possible."
> > > "Gratuitous advertisement, product placement, or self-promotion is 
> > > forbidden."
> > >


Re: [Full-disclosure] InfoSecBOFH and other trouble makers

2005-12-15 Thread InfoSecBOFH
I havent laughed this hard in a long time.  Sure n3tkiddie I'll leave
you alone.  Just leave the list alone with your stupidity first.


Re: [Full-disclosure] InfoSecBOFH and other trouble makers

2005-12-15 Thread sk / GroundZero



So pathetic, n3td0rk already has to invent imaginary people which are on
his side, so it's not always he against the FD list. Oh well boy, you just
prove once more how lame you are. Look at his 31337 social engineering
skills! Ha, so awesome..

But hey, just in case you really really aren't n3td3v himself, let me
speak with the words of your friend:
"you never have contributed anything security related to this list so you
have no right to be on this list"
or something like that...

Your name is funny too Joe Average.. anyone knows John Doe? :P

  - Original Message -
  From: Joe Average
  To: full-disclosure@lists.grok.org.uk
  Sent: Thursday, December 15, 2005 11:54 AM
  Subject: [Full-disclosure] InfoSecBOFH and other trouble makers

  please leave list unless you stop the abuse against netdev


Re: [Full-disclosure] a call for full-disclosure to become a

2005-12-15 Thread Joachim Schipper
On Thu, Dec 15, 2005 at 02:35:00PM +, Xyberpix wrote:
> I have to agree on this one that I don't think that moderation is the way to
> go.
> This is a damn good list, with a load of really intelligent people on it, who
> really contribute a lot to the entire community.
> Just because a few of us got outta hand taking the piss out of n3td3v, it's no
> need to moderate the list. I know that I am guilty on this count, but
> seriously anyone who hasn't had a good laugh in regard to the whole n3td3v
> saga recently, probably doesn't have a sense of humor.
>
> Maybe when taking the piss out of idiots we should come up with some sort of
> fronting for the subject? Kinda like [OT], or maybe in this case [n3td3v],
> that way people can easily set up procmail filters and the like to filter out
> the stuff that they don't want to. If we all agree on some sort of format,
> this could really work. This way the list will stay unmodded, people will get
> out of it what they want, and we can still take the piss?
>
> Thoughts, comments, etc?

I see no reason to take a piss. Other than IRL, of course, where taking
a piss is a rather good idea once in a while.

But if it must happen, yes, please preface it with something like that.

The other alternatives are either moderating a select few (effective in
getting the message across, but easily circumvented), or the
mailing-list equivalent of everybody getting killfiles.

Joachim

