[Full-disclosure] new backframe release

2006-12-24 Thread pdp (architect)
just for Christmas, there is a new backframe release:
http://www.gnucitizen.org/backframe/
http://www.gnucitizen.org/projects/backframe/

-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] comparing information security to other industries

2006-12-24 Thread Michael Zimmermann
On Tuesday, 19.12.2006, 12:16 -0800, KT wrote:
> How do we compare to other industries like construction, engineering,
> finance? What I am trying to figure out is how mature we are and how
> long will it take for to get stable?


Mature? Are you kidding? Computer security is still mainly only
changing pampers after each incident.

That's because the common systems (software/hardware/social) are not
built for security but for money or fame.


All other industries you have mentioned are having established
procedures, rules and laws how to build their products and verify
the quality. Computer industry hasn't.

Just imagine a construction company who sells their houses only 
to people who sign a legally binding contract, that they accept
the house as it is, without any guaranty that it is possible to
live in it. If the house breaks down over you and your family
you are eligible to get the money back - and no more. If burglars
celebrate parties in the house while you are at the office,
because it is well known that the backdoor-keys are identical
in all houses of that construction company and key-duplicates 
can be found wherever you find two homeless people doing a chat,
you are told to buy a separate product called SecuyKeys
(which costs at least 20% of the original price for the house).

You are not allowed to take the wallpapers from the wall and 
look behind to see how the house is constructed and get sued 
when you publish these so called vulnerabilities (which are 
in effect only the results of incomplete, greedy and careless
construction-work)


Just because companies are making money with computer 
security doesn't make it into an industry.

Why not answer two questions for yourself: 

a)
are the computer systems at large nowadays more secure than 
- say - ten years ago?
b)
how much more money is spent for computer security since then?


The answers point directly to the net effect of what you call
an industry.


And we - the IT-people - are responsible.


Greetings
Michael




Re: [Full-disclosure] comparing information security to other industries

2006-12-24 Thread Brian Eaton
On 12/24/06, Michael Zimmermann [EMAIL PROTECTED] wrote:
> are the computer systems at large nowadays more secure than
> - say - ten years ago?

Some systems are.  But not because the software has gotten any better.
 Organizations have gotten better at defense-in-depth.

Consider patch management systems.  A decade ago, most companies
barely had one at all.  Today, companies are evaluating, verifying,
and pushing out patches within days of their release.  More networks
are isolated behind firewalls, and lots of workstations are using
host-based firewalls.  Even the low-end consumers have gotten better
at this: lots more people are using SOHO routers with firewalls
instead of a cable modem with a wide open internet connection.

The attackers have gotten better as well.  But even when the attackers
successfully exploit a new vulnerability, organizations are better
prepared to deal with the consequences.

You might see another codered type vulnerability in IIS, but there is
no way it would do as much damage as the original worm.

Regards,
Brian



[Full-disclosure] TimberWolf 1.2.2 vulnerable to XSS

2006-12-24 Thread corrado.liotta

-=[ADVISORY---]=-
  
TimberWolf 1.2.2 
   
   Author: CorryL[EMAIL PROTECTED]   
-=[]=-


-=[+] Application:TimberWolf
-=[+] Version:1.2.2
-=[+] Vendor's URL:   http://cms.gamezrule.org/index.php
-=[+] Platform:   Windows\Linux\Unix
-=[+] Bug type:   Cross-Site Script
-=[+] Exploitation:   Remote
-=[-]
-=[+] Author:   CorryL  ~ corryl80[at]gmail[dot]com ~
-=[+] Reference:   www.x0n3-h4ck.org
-=[+] Virtual Office:  http://www.kasamba.com/CorryL
-=[+] Irc Chan: irc.darksin.net #x0n3-h4ck
-=[+] Special Thanks: Merry Christmas for All, Thanks for all #x0n3-h4ck members,
  greetings to all the people of Avola around the world.

..::[ Description ]::..

TimberWolf is Powered by PHP and runs off an MySQL database.
It has quite a few distinctive features amongst others.

It is 100% Freeware.
It is 100% easy to skin, and use.
It is 100% of everything you need.

The Admin Control Panel is Very simple, whereas the site itself looks the 
opposite.


..::[ Bug ]::..

This software is vulnerable to a type of bug called
cross-site scripting; a remote attacker is able to exploit
this vulnerability to draw information.



..::[ Proof Of Concept ]::..

http://remote 
site/shownews.php?nid='ScRiPt%20%0a%0dalert(1261667191)%3B/ScRiPt


..::[ Workaround ]::..




..::[ Disclosure Timeline ]::..

[19/12/2006] - Vendor notification
[24/12/2006] - Public disclosure
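
The advisory above leaves its Workaround section empty. As an added example (not part of the advisory and not TimberWolf's own code), one way to close this class of bug in a script like shownews.php is to accept only an integer for nid and to HTML-encode anything written into the page. The function names parse_news_id, h and render_news_header are hypothetical, and the sample inputs are constructed.

```php
<?php
// Added example: hypothetical hardened handling of the `nid` parameter.
// Function names and the rendered markup are assumptions, not TimberWolf code.

/**
 * Accept only a positive decimal integer for nid.
 * Returns the integer, or null when the value is missing or malformed.
 */
function parse_news_id($raw): ?int
{
    if (!is_string($raw)) {
        return null; // missing value, or an array such as nid[]=...
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Encode a value for an HTML text or quoted-attribute context. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Build the page fragment; the raw request value is never echoed back. */
function render_news_header($rawNid): string
{
    $id = parse_news_id($rawNid);
    if ($id === null) {
        // Fixed error text: nothing from the request reaches the response.
        return '<p>Invalid news id.</p>';
    }
    return '<h1 id="news-' . $id . '">News item ' . h((string) $id) . '</h1>';
}

// Constructed sample inputs: one valid id, a value shaped like the
// advisory's proof of concept, and three other malformed values.
$samples = ['42', "'ScRiPt%20%0a%0dalert(1)%3B/ScRiPt", '-1', '7 OR 1=1', ['x']];
foreach ($samples as $sample) {
    echo render_news_header($sample), PHP_EOL;
}
```

Only the first sample produces a news header; every other value yields the fixed error paragraph.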

[Full-disclosure] Distributed Rainbow Table Project

2006-12-24 Thread opticfiber
Since November the folks at theminouche.net & hashbreaker.com have been 
working on a distributed rainbowtable project using BOINC. The project 
finished its testing phase and went public as of yesterday.

See http://www.topsight.net/ for more info on the project




[Full-disclosure] DNS-Pinning demo

2006-12-24 Thread Kanatoko

DNS-Pinning demo.
http://www.jumperz.net/index.php?i=2a=1b=7

Thanks to Martin Johns for the great article:
http://shampoo.antville.org/stories/1451301/

-- 
Kanatoko[EMAIL PROTECTED]
Open Source WebAppFirewall
http://guardian.jumperz.net/



[Full-disclosure] Merry Christmas Youtube! (XSS vuln)

2006-12-24 Thread Paul
The following URL will cause javascript to execute in the context of youtube

http://www.youtube.com/p.swf?video_id=eVFF98kNg8Qeurl=t=iurl=javascript:alert('Javascript%20executed!\r\n\r\nLocation:
'%2bwindow.location%2b'\r\n\r\nCookie: '%2bdocument.cookie)

Cheers




Re: [Full-disclosure] comparing information security to other industries

2006-12-24 Thread Michael Zimmermann
Hi Brian,

you answer from the viewpoint of somebody engaged in 
modern 'computer security'. But with the phrase 
at large I was meaning a more global view:

Two thirds of the PCs are estimated to contain
malware. We are so used to receiving all kinds of
viruses, worms and trojans, that we NEED antivirus 
scanners and firewalls. Those defences are like
medicine, which you MUST take - and the more medicine
you have to take, the more ill you are.

In the early 1980s it was _unthinkable_ that a 
program would run on your systems, which you 
wouldn't know it existed and had installed for 
yourself. Nowadays it's the rare exception, when
a user knows what is running on his PC (and a
professional system admin, who knows every program
executing on his machine is also a rare thing, 
I think).

Complexity has grown, but our basic security
structures in hardware and software have not.
Unix/Linux security is based on the classic Unix 
design (was it 1974 when it was published?), DOS
security is an unborn child while Windows security 
is not better than that of Linux. 

Why?

The Intel hardware for PCs was chosen on the basis 
of marketing thinking and not because it was 
technically better than its alternative - nothing 
to say about security concerns. An executable stack
with decreasing addresses, unprotected memory and 
totally missing permission-scheme in the IBM PC and, 
and, and...

Marketing/money decision ruled the IT-Industry
since the first IBM PC was sold. Yet there have
existed better system- and hardware-designs
even before the IBM PC. Just to name two:
Motorola processors or the Multics OS.

Brian, IMO your argumentation is not a solution
to improve over-all security but is symptomatic 
for the lack of it.

A lot of patch-work and no broadly accepted
security concept. Only during the last years
that situation is changing slowly - but not
yet in the Windows realm. But a functioning 
PC security is needed IMO, at least I don't
want to live with a net, where hundred-
thousands of zombies can bring my server
down any moment or flood my MTA daily with
thousands of crap-email. These daily fights
may create a sort of dynamic equilibrium,
but are not what I call security or stability.


Greetings
Michael



[Full-disclosure] Happy Holidays

2006-12-24 Thread evilrabbi

Merry Christmas FD!