[Full-disclosure] Rapid integer factorization = end of RSA?

2007-04-26 Thread Eugene Chukhlomin 
Hi list!
I discovered a new method of integer factorization for any precision 
numbers, probable it should be an end of RSA era.
Details:
Let N - the ring and N = p*q
Then, (-p) in terms of ring(N) is equal (N-p)
Lemma:
p*(-q)=p*q*(-p)
and respective:
(-p)*q=p*q*(-q)
Proof:
p*(-q)=p*(N-q) - by the data, then 
p*(-q)=p*(p*q-q)=p*pq-p*q=p*q*p-p*q=(p-1)*(p*q)
(-p)*q=q*(N-p) - by the data, then 
(-p)*q=(p*q-p)*q=p*q*q-p*q=p*q*q-p*q=(q-1)*(p*q)
Q. E. D.
Gypothesis:
Let N = p*q = A1*B1 + A2*B2... + An*Bn
Then exists some subset(A1...An) and respective subset(B1...Bn), which 
satisfies for equality:
A1*(-B1)+A2*(-B2)...+An*(-Bn) = p*(-q)=p*q*(p-1)
or
A1*(-B1)+A2*(-B2)...+An*(-Bn) = (-p)*q=p*q*(q-1)

If found such (A1...An) and (B1...Bn), we can find p or q by dividing 
p*(q-1) on p*q:
p*(q-1)=p*q*(p-1) = (p*(q-1))/(p*q)=(p-1) = (p-1)+1 = p
or
(p-1)*q=p*q*(q-1)=((-p)*q)/(p*q)=(q-1) = (q-1)+1 = q

Sample: 21 = 3*7
Let's view a binary representation of this number: 10101 = 2^4 + 2^2 + 
1 = 4*4+2*2+1*1
Then, we can try to find 7*(-3) in terms of ring(21):
4*(-4) + 2(-2) + 1*(-1) = 4*(21-4)+2*(21-2)+1*(21-1)=4*17+2*19+1*20 = 
68+38+20=
68+38+20 = 126 = 6*21
6+1=7
This implementation of my gypothesis has very hard complexity (about a 
log2(N)! comparations), but exists a short way with fixed complexity for 
implementation of hypothesis (plan B) - but, by ethical reason, I'll 
not post it here.
Regards,
Eugene Chukhlomin

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Rapid integer factorization = end of RSA?

2007-04-26 Thread Stanislaw Klekot 
On Thu, Apr 26, 2007 at 10:53:56AM +0400, Eugene Chukhlomin wrote:
 Hi list!
 I discovered a new method of integer factorization for any precision 
 numbers, probable it should be an end of RSA era.
 Details:
 Let N - the ring and N = p*q
 Then, (-p) in terms of ring(N) is equal (N-p)
 Lemma:
 p*(-q)=p*q*(-p)
 and respective:
 (-p)*q=p*q*(-q)
 Proof:
 p*(-q)=p*(N-q) - by the data, then 
 p*(-q)=p*(p*q-q)=p*pq-p*q=p*q*p-p*q=(p-1)*(p*q)
 (-p)*q=q*(N-p) - by the data, then 
 (-p)*q=(p*q-p)*q=p*q*q-p*q=p*q*q-p*q=(q-1)*(p*q)
 Q. E. D.

Funny way to pull the -1 out from the parenthesis.
p * (-q) = p * (-1) * q = p * q * (-1)   (mod pq)
That is, p * (-q) = 0  (mod pq).

 Gypothesis:
 Let N = p*q = A1*B1 + A2*B2... + An*Bn
 Then exists some subset(A1...An) and respective subset(B1...Bn), which 
 satisfies for equality:
 A1*(-B1)+A2*(-B2)...+An*(-Bn) = p*(-q)=p*q*(p-1)
 or
 A1*(-B1)+A2*(-B2)...+An*(-Bn) = (-p)*q=p*q*(q-1)

For example, whole A_k and B_k, k = {1..n} sets? Second and third
expressions in both lines are congruent to 0 mod pq.

 If found such (A1...An) and (B1...Bn), we can find p or q by dividing 
 p*(q-1) on p*q:
 p*(q-1)=p*q*(p-1) = (p*(q-1))/(p*q)=(p-1) = (p-1)+1 = p
  ^
This is untrue.
  p * (q - 1) = p * q - p = -p != 0   (mod pq)
  p * q * (p - 1) = 0 * (p - 1) = 0   (mod pq)

 p*(q-1)=p*q*(p-1) = (p*(q-1))/(p*q)=(p-1) = (p-1)+1 = p
   ^^^
Dividing by zero in _any ring_ is illegal.

By the way, if you find x = p * (q - 1) you can use Euclidean algorithm
to find GCD(x, pq). Since GCD(q - 1, q) = 1, you get GCD(x, p), and that
would be p as p divides x.

 Sample: 21 = 3*7
 Let's view a binary representation of this number: 10101 = 2^4 + 2^2 + 
 1 = 4*4+2*2+1*1
 Then, we can try to find 7*(-3) in terms of ring(21):
   ^^
 4*(-4) + 2(-2) + 1*(-1) = 4*(21-4)+2*(21-2)+1*(21-1)=4*17+2*19+1*20 = 
 68+38+20=
 68+38+20 = 126 = 6*21
 6+1=7

OK, but where did you get 7 and -3 (from underscored expression) from?
3*7 is public, but both 3 and 7, as elements of multiplication, are
private. And if you get (7, -3) pair, why didn't you simply multiplicate
the second element of this pair by -1?

 This implementation of my gypothesis has very hard complexity (about a 
 log2(N)! comparations), but exists a short way with fixed complexity for 
 implementation of hypothesis (plan B) - but, by ethical reason, I'll 
 not post it here.
 Regards,
 Eugene Chukhlomin

-- 
Stanislaw Klekot

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Rapid integer factorization = end of RSA?

2007-04-26 Thread Eugene Chukhlomin 
Funny way to pull the -1 out from the parenthesis.
p * (-q) = p * (-1) * q = p * q * (-1)   (mod pq)
That is, p * (-q) = 0  (mod pq).

Well, let's proof:
some days ago RSA-640 was factored, therefore I'll use this number for proofing.
N = p*q = 
3107418240490043721350750035888567930037346022842727545720161948823206440518081504556346829671723286782437916272838033415471073108501919548529007337724822783525742386454014691736602477652346609
 
p = 
1634733645809253848443133883865090859841783670033092312181110852389333100104508151212118167511579
q = 
190087128166482211312685157393541397547189678996851549338539088027103802104498957191261465571

Hence p*(-q) = p*(N-q), we have: 
1634733645809253848443133883865090859841783670033092312181110852389333100104508151212118167511579*(3107418240490043721350750035888567930037346022842727545720161948823206440518081504556346829671723286782437916272838033415471073108501919548529007337724822783525742386454014691736602477652346609-190087128166482211312685157393541397547189678996851549338539088027103802104498957191261465571)
 = 
5079801149330465928652035530544913704964519649664113022948507643221268839586387905945718488562426349551024378408981587404238854112680081565808050803367178098655476230508056302202082021498932996241380749611265431048278537997959344921052965979997472486960464297533557254211807262177876539002;

and, by my gypothesis:
p*(-q) = p*q *(p-1) = p*(N-q)
163473364580925384844313388386509085984178363092312181110852389333100104508151212118167511579*190087128166482211312685157393541397547189678996851549338539088027103802104498957191261465571*1634733645809253848443133883865090859841783670033092312181110852389333100104508151212118167511578
 = 
5079801149330465928652035530544913704964519649664113022948507643221268839586387905945718488562426349551024378408981587404238854112680081565808050803367178098655476230508056302202082021498932996241380749611265431048278537997959344921052965979997472486960464297533557254211807262177876539002;
Q.E.D

Any new idea?

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Rapid integer factorization = end of RSA?

2007-04-26 Thread Stanislaw Klekot 
On Thu, Apr 26, 2007 at 02:07:31PM +0400, Eugene Chukhlomin wrote:
 Funny way to pull the -1 out from the parenthesis.
 p * (-q) = p * (-1) * q = p * q * (-1)   (mod pq)
 That is, p * (-q) = 0  (mod pq).
 
 Well, let's proof:
 some days ago RSA-640 was factored, therefore I'll use this number for 
 proofing.
 N = p*q = 
 3107418240490043721350750035888567930037346022842727545720161948823206440518081504556346829671723286782437916272838033415471073108501919548529007337724822783525742386454014691736602477652346609
  
 p = 
 1634733645809253848443133883865090859841783670033092312181110852389333100104508151212118167511579
 q = 
 190087128166482211312685157393541397547189678996851549338539088027103802104498957191261465571
 
 Hence p*(-q) = p*(N-q), we have: 
 1634733645809253848443133883865090859841783670033092312181110852389333100104508151212118167511579*(3107418240490043721350750035888567930037346022842727545720161948823206440518081504556346829671723286782437916272838033415471073108501919548529007337724822783525742386454014691736602477652346609-190087128166482211312685157393541397547189678996851549338539088027103802104498957191261465571)
  = 
 5079801149330465928652035530544913704964519649664113022948507643221268839586387905945718488562426349551024378408981587404238854112680081565808050803367178098655476230508056302202082021498932996241380749611265431048278537997959344921052965979997472486960464297533557254211807262177876539002;
 
 and, by my gypothesis:
 p*(-q) = p*q *(p-1) = p*(N-q)
 163473364580925384844313388386509085984178363092312181110852389333100104508151212118167511579*190087128166482211312685157393541397547189678996851549338539088027103802104498957191261465571*1634733645809253848443133883865090859841783670033092312181110852389333100104508151212118167511578
  = 
 5079801149330465928652035530544913704964519649664113022948507643221268839586387905945718488562426349551024378408981587404238854112680081565808050803367178098655476230508056302202082021498932996241380749611265431048278537997959344921052965979997472486960464297533557254211807262177876539002;
 Q.E.D

Of course it's equal. And equal to zero modulo n, as I pointed.

#v+
gap p;
163473364580925384844313388386509085984178367003309231218111085238933310010450\
8151212118167511579
gap q;
19008712816648221131268515739354139754718967899685154933853908802710380210\
4498957191261465571
gap n := p * q;
310741824049004372135075003588856793003734602284272754572016194882320644051808\
150455634682967172328678243791627283803341547107310850191954852900733772482278\
3525742386454014691736602477652346609
gap (p * (n - q)) mod n;
0
gap 
#v-

What is it supposed to proove?

-- 
Stanislaw Klekot

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Rapid integer factorization = end of RSA?

2007-04-26 Thread Eugene Chukhlomin 
#v+
gap p;
163473364580925384844313388386509085984178367003309231218111085238933310010450\
8151212118167511579
gap q;
19008712816648221131268515739354139754718967899685154933853908802710380210\
4498957191261465571
gap n := p * q;
310741824049004372135075003588856793003734602284272754572016194882320644051808\
150455634682967172328678243791627283803341547107310850191954852900733772482278\
3525742386454014691736602477652346609
gap (p * (n - q)) mod n;
0
gap 
#v-

What is it supposed to proove?

  

My gypothesis: if exists subsets(A1...An) and (B1...Bn) which satisfies 
equality: A1*B1 +...An*Bn =  N = p*q, then exists some of them, which 
satisfies equality A1*(-B1)+...An*(-Bn)=p*q*(q-1)

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Rapid integer factorization = end of RSA?

2007-04-26 Thread Stanislaw Klekot 
On Thu, Apr 26, 2007 at 03:04:39PM +0400, Eugene Chukhlomin wrote:
 #v+
 gap p;
 163473364580925384844313388386509085984178367003309231218111085238933310010450\
 8151212118167511579
 gap q;
 19008712816648221131268515739354139754718967899685154933853908802710380210\
 4498957191261465571
 gap n := p * q;
 310741824049004372135075003588856793003734602284272754572016194882320644051808\
 150455634682967172328678243791627283803341547107310850191954852900733772482278\
 3525742386454014691736602477652346609
 gap (p * (n - q)) mod n;
 0
 gap 
 #v-
 
 What is it supposed to proove?
 
   
 
 My gypothesis: if exists subsets(A1...An) and (B1...Bn) which satisfies 
 equality: A1*B1 +...An*Bn =  N = p*q, then exists some of them, which 
 satisfies equality A1*(-B1)+...An*(-Bn)=p*q*(q-1)

But what does that proof have to do with your gypothesis? Except that
  p*q * (q-1) = p*q = p*q * (-1) = p*q * (N-1) = 0   (mod N)
what is obvious equality.

-- 
Stanislaw Klekot

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] [USN-453-2] rdesktop regression

2007-04-26 Thread Martin Pitt 
=== 
Ubuntu Security Notice USN-453-2 April 26, 2007
rdesktop regression
https://launchpad.net/bugs/104332
===

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  rdesktop 1.4.1-1.1ubuntu0.6.06

Ubuntu 6.10:
  rdesktop 1.4.1-1.1ubuntu0.6.10

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

USN-453-1 provided an updated libx11 package to fix a security
vulnerability. This triggered an error in rdesktop so that it crashed
on startup. This update fixes the problem.


Updated packages for Ubuntu 6.06 LTS:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/r/rdesktop/rdesktop_1.4.1-1.1ubuntu0.6.06.diff.gz
  Size/MD5:11767 3b0afb1bdeee63391599a725fdcd4ded

http://security.ubuntu.com/ubuntu/pool/main/r/rdesktop/rdesktop_1.4.1-1.1ubuntu0.6.06.dsc
  Size/MD5:  648 30e95d4a2c8d71edf12ef992684a8dfe

http://security.ubuntu.com/ubuntu/pool/main/r/rdesktop/rdesktop_1.4.1.orig.tar.gz
  Size/MD5:   218413 ce6b2369d633128ff00a2a8ae7c18ef8

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)


http://security.ubuntu.com/ubuntu/pool/main/r/rdesktop/rdesktop_1.4.1-1.1ubuntu0.6.06_amd64.deb
  Size/MD5:   111736 5d132e2fc201ff3fa5e8d45856b230bc

  i386 architecture (x86 compatible Intel/AMD)


http://security.ubuntu.com/ubuntu/pool/main/r/rdesktop/rdesktop_1.4.1-1.1ubuntu0.6.06_i386.deb
  Size/MD5:   100916 3a88d294358e5c6446c52d22a07b564c

  powerpc architecture (Apple Macintosh G3/G4/G5)


http://security.ubuntu.com/ubuntu/pool/main/r/rdesktop/rdesktop_1.4.1-1.1ubuntu0.6.06_powerpc.deb
  Size/MD5:   119442 878ccd8dfcf9eb10e9a1747fe4be8fdb

  sparc architecture (Sun SPARC/UltraSPARC)


http://security.ubuntu.com/ubuntu/pool/main/r/rdesktop/rdesktop_1.4.1-1.1ubuntu0.6.06_sparc.deb
  Size/MD5:   108146 759f8693ef44422dde20f7ea0f6996a4

Updated packages for Ubuntu 6.10:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/r/rdesktop/rdesktop_1.4.1-1.1ubuntu0.6.10.diff.gz
  Size/MD5:11766 816d50a1cd3069c9c482d27e04def3a1

http://security.ubuntu.com/ubuntu/pool/main/r/rdesktop/rdesktop_1.4.1-1.1ubuntu0.6.10.dsc
  Size/MD5:  648 97e92e04c71fabcc7e65d708a870660e

http://security.ubuntu.com/ubuntu/pool/main/r/rdesktop/rdesktop_1.4.1.orig.tar.gz
  Size/MD5:   218413 ce6b2369d633128ff00a2a8ae7c18ef8

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)


http://security.ubuntu.com/ubuntu/pool/main/r/rdesktop/rdesktop_1.4.1-1.1ubuntu0.6.10_amd64.deb
  Size/MD5:   116906 7057e7d2f8ecdf54ede239298e6d8f89

  i386 architecture (x86 compatible Intel/AMD)


http://security.ubuntu.com/ubuntu/pool/main/r/rdesktop/rdesktop_1.4.1-1.1ubuntu0.6.10_i386.deb
  Size/MD5:   104828 eeb7a363602301690bd9faf7582a6fe8

  powerpc architecture (Apple Macintosh G3/G4/G5)


http://security.ubuntu.com/ubuntu/pool/main/r/rdesktop/rdesktop_1.4.1-1.1ubuntu0.6.10_powerpc.deb
  Size/MD5:   122984 87696d76d41f1cc76c77a1958d306e80

  sparc architecture (Sun SPARC/UltraSPARC)


http://security.ubuntu.com/ubuntu/pool/main/r/rdesktop/rdesktop_1.4.1-1.1ubuntu0.6.10_sparc.deb
  Size/MD5:   109380 c299593db906b4c4165d152f18da2bdf


signature.asc
Description: Digital signature
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Rapid integer factorization = end of RSA?

2007-04-26 Thread Brendan Dolan-Gavitt 
If you have, in fact, come up with a fast method of integer
factorization, the currently unfactored challenges (RSA-704 and above)
would be better proof, no?

Are you by any chance related to James Harris?
http://www.crank.net/harris.html

-Brendan

On 4/26/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 Hello,

 Eugene Chukhlomin wrote:
  Well, let's proof: some days ago RSA-640 was factored, therefore I'll
   use this number for proofing.
  N = p*q = 3107418240490043721... [...] Q.E.D

 that's an example. Not a *proof*.

 GTi

 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.grok.org.uk/full-disclosure-charter.html
 Hosted and sponsored by Secunia - http://secunia.com/


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] WordPress v2.1.3 remote file include~

2007-04-26 Thread Tod Beardsley 
On 26 Apr 2007 14:44:02 -, [EMAIL PROTECTED]
[EMAIL PROTECTED] wrote:
 None of these exploits you're posting actually work.

It's like Full-Disclosure, but with more waiting for the moderation
queue! I guess Symantec now justs moderate out spam, allowing
unsupported hoaxes and rumors passage.

Month of April Fools posts?

-- 
[EMAIL PROTECTED] | ICQ: 335082155 | Note: Due to Google's
privacy policy http://tinyurl.com/5xbtl and the United States'
policy on electronic surveillance http://tinyurl.com/muuyl,
please do not IM/e-mail me anything you wish to remain secret.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Rapid integer factorization = end of RSA?

2007-04-26 Thread virus 
Hello,

Brendan Dolan-Gavitt wrote:
 If you have, in fact, come up with a fast method of integer
 factorization, the currently unfactored challenges (RSA-704 and above)
 would be better proof, no?

no. We're talking about mathemetics, aren't we? So, an example for a 
assumption is not a *proof*. Neither are two or three...

 Are you by any chance related to James Harris?

Nope. Trying to prove Fermat's theorem is not from interest for me :)

GTi

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Rapid integer factorization = end of RSA?

2007-04-26 Thread Kurt Buff 
Get it peer-reviewed, or go away.

On 4/25/07, Eugene Chukhlomin [EMAIL PROTECTED] wrote:
 Hi list!
 I discovered a new method of integer factorization for any precision
 numbers, probable it should be an end of RSA era.
 Details:
 Let N - the ring and N = p*q
 Then, (-p) in terms of ring(N) is equal (N-p)
 Lemma:
 p*(-q)=p*q*(-p)
 and respective:
 (-p)*q=p*q*(-q)
 Proof:
 p*(-q)=p*(N-q) - by the data, then
 p*(-q)=p*(p*q-q)=p*pq-p*q=p*q*p-p*q=(p-1)*(p*q)
 (-p)*q=q*(N-p) - by the data, then
 (-p)*q=(p*q-p)*q=p*q*q-p*q=p*q*q-p*q=(q-1)*(p*q)
 Q. E. D.
 Gypothesis:
 Let N = p*q = A1*B1 + A2*B2... + An*Bn
 Then exists some subset(A1...An) and respective subset(B1...Bn), which
 satisfies for equality:
 A1*(-B1)+A2*(-B2)...+An*(-Bn) = p*(-q)=p*q*(p-1)
 or
 A1*(-B1)+A2*(-B2)...+An*(-Bn) = (-p)*q=p*q*(q-1)

 If found such (A1...An) and (B1...Bn), we can find p or q by dividing
 p*(q-1) on p*q:
 p*(q-1)=p*q*(p-1) = (p*(q-1))/(p*q)=(p-1) = (p-1)+1 = p
 or
 (p-1)*q=p*q*(q-1)=((-p)*q)/(p*q)=(q-1) = (q-1)+1 = q

 Sample: 21 = 3*7
 Let's view a binary representation of this number: 10101 = 2^4 + 2^2 +
 1 = 4*4+2*2+1*1
 Then, we can try to find 7*(-3) in terms of ring(21):
 4*(-4) + 2(-2) + 1*(-1) = 4*(21-4)+2*(21-2)+1*(21-1)=4*17+2*19+1*20 =
 68+38+20=
 68+38+20 = 126 = 6*21
 6+1=7
 This implementation of my gypothesis has very hard complexity (about a
 log2(N)! comparations), but exists a short way with fixed complexity for
 implementation of hypothesis (plan B) - but, by ethical reason, I'll
 not post it here.
 Regards,
 Eugene Chukhlomin

 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.grok.org.uk/full-disclosure-charter.html
 Hosted and sponsored by Secunia - http://secunia.com/


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] [SECURITY] [DSA 1282-1] New php4 packages fix several vulnerabilities

2007-04-26 Thread Moritz Muehlenhoff 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 1282-1[EMAIL PROTECTED]
http://www.debian.org/security/ Moritz Muehlenhoff
April 26th, 2006http://www.debian.org/security/faq
- --

Package: php4
Vulnerability  : several
Problem-Type   : remote
Debian-specific: no
CVE ID : CVE-2007-1286 CVE-2007-1380 CVE-2007-1521 CVE-2007-1711 
CVE-2007-1718 CVE-2007-1777

Several remote vulnerabilities have been discovered in PHP, a
server-side, HTML-embedded scripting language, which may lead to the
execution of arbitrary code. The Common Vulnerabilities and Exposures
project identifies the following problems:

CVE-2007-1286
Stefan Esser discovered an overflow in the object reference handling
code of the unserialize() function, which allows the execution of
arbitrary code if malformed input is passed from an application.

CVE-2007-1380
Stefan Esser discovered that the session handler performs
insufficient validation of variable name length values, which allows
information disclosure through a heap information leak.

CVE-2007-1521
Stefan Esser discovered a double free vulnerability in the
session_regenerate_id() function, which allows the execution of
arbitrary code. 

CVE-2007-1711
Stefan Esser discovered a double free vulnerability in the session
management code, which allows the execution of arbitrary code. 

CVE-2007-1718
Stefan Esser discovered that the mail() function performs
insufficient validation of folded mail headers, which allows mail
header injection.

CVE-2007-1777
Stefan Esser discovered that the extension to handle ZIP archives
performs insufficient length checks, which allows the execution of
arbitrary code.

For the oldstable distribution (sarge) these problems have been fixed in
version 4.3.10-20.

For the stable distribution (etch) these problems have been fixed
in version 4.4.4-8+etch2.

For the unstable distribution (sid) these problems have been fixed in
version 4.4.6-1. php4 will be removed from sid; thus you are strongly
advised to migrate to php5 if you prefer to follow the unstable
distribution.

We recommend that you upgrade your PHP packages. Packages for the arm,
m68k and mipsen architectures are not yet available. They will be
provided later.


Upgrade Instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- 

  Source archives:

http://security.debian.org/pool/updates/main/p/php4/php4_4.3.10-20.dsc
  Size/MD5 checksum: 1686 01afd17e8897a2ef890c00ab7946f4a6
http://security.debian.org/pool/updates/main/p/php4/php4_4.3.10-20.diff.gz
  Size/MD5 checksum:   530810 0cd90e33b3c9b935e2a70ccb52c00b31
http://security.debian.org/pool/updates/main/p/php4/php4_4.3.10.orig.tar.gz
  Size/MD5 checksum:  4892209 73f5d1f42e34efa534a09c6091b5a21e

  Architecture independent components:


http://security.debian.org/pool/updates/main/p/php4/php4-pear_4.3.10-20_all.deb
  Size/MD5 checksum:   249996 044f2497171ee49cb5e8ad9e72c9ebcf
http://security.debian.org/pool/updates/main/p/php4/php4_4.3.10-20_all.deb
  Size/MD5 checksum: 1140 a6884d893fc7798b47cd32601d71351c

  Alpha architecture:


http://security.debian.org/pool/updates/main/p/php4/libapache-mod-php4_4.3.10-20_alpha.deb
  Size/MD5 checksum:  1701574 8a139d9e3e8c1570ae49f3c78c933dd0

http://security.debian.org/pool/updates/main/p/php4/libapache2-mod-php4_4.3.10-20_alpha.deb
  Size/MD5 checksum:  1699008 878413e740d5e5a48a1d15198290962c

http://security.debian.org/pool/updates/main/p/php4/php4-cgi_4.3.10-20_alpha.deb
  Size/MD5 checksum:  3466160 cd6100331fd994559b4a3bae498679b5

http://security.debian.org/pool/updates/main/p/php4/php4-cli_4.3.10-20_alpha.deb
  Size/MD5 checksum:  1743734 bbc30d1750d4401acee705a835de15cd

http://security.debian.org/pool/updates/main/p/php4/php4-common_4.3.10-20_alpha.deb
  Size/MD5 checksum:   168528 449ff53d83073cd6269bf3405ba8e691

http://security.debian.org/pool/updates/main/p/php4/php4-curl_4.3.10-20_alpha.deb
  Size/MD5 checksum:18134 e7c509c845627791dc4b07174576f6ba

http://security.debian.org/pool/updates/main/p/php4/php4-dev_4.3.10-20_alpha.deb
  Size/MD5 checksum:   328142 2f464c465adaaed4c3e41134e7d3ff57

Re: [Full-disclosure] Rapid integer factorization = end of RSA?

2007-04-26 Thread Stephan Gammeter 
[EMAIL PROTECTED] schrieb:
 Hello,

 Brendan Dolan-Gavitt wrote:
   
 If you have, in fact, come up with a fast method of integer
 factorization, the currently unfactored challenges (RSA-704 and above)
 would be better proof, no?
 

 no. We're talking about mathemetics, aren't we? So, an example for a 
 assumption is not a *proof*. Neither are two or three...

   
 Are you by any chance related to James Harris?
 

 Nope. Trying to prove Fermat's theorem is not from interest for me :)

 GTi

 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.grok.org.uk/full-disclosure-charter.html
 Hosted and sponsored by Secunia - http://secunia.com/

   
Just factor a damn RSA-Challenge, then we'll believe you without seeing 
an actual proof. If not, you're just waisting our time with spamtastic 
entertainment.



___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Rapid integer factorization = end of RSA?

2007-04-26 Thread ShadowGamers 

Spamtastic you say?

GODWIN'S LAW GET?
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Rapid integer factorization = end of RSA?

2007-04-26 Thread e.chukhlomin 
xxx xxx wrote:

 Lemma:
 p*(-q)=p*q*(-p)
 and respective:
 (-p)*q=p*q*(-q)
 Proof:
 p*(-q)=p*(N-q) - by the data, then
 p*(-q)=p*(p*q-q)=p*pq-p*q=p*q*p-p*q=(p-1)*(p*q)
 (-p)*q=q*(N-p) - by the data, then
 (-p)*q=(p*q-p)*q=p*q*q-p*q=p*q*q-p*q=(q-1)*(p*q)
 Q. E. D.


 Like  Stanislaw said before be,  this Lemma is  obvious. You're
 saying that 0=0, and man, this is a thautology!
 You ask why? let N = p*q.
 Then,
 p*q = 0 mod N
 Now, let be -1 the opposite of the unit ( usually called e...)
 0 = (-1)*0 = (-1)*p*q = (-1*p)*q = (-p)*q
 0 = 0*(-q) = p*q*(-q)

 Gypothesis:
 Let N = p*q = A1*B1 + A2*B2... + An*Bn
 Then exists some subset(A1...An) and respective subset(B1...Bn),
 which
 satisfies for equality:
 A1*(-B1)+A2*(-B2)...+An*(-Bn) = p*(-q)=p*q*(p-1)
 or
 A1*(-B1)+A2*(-B2)...+An*(-Bn) = (-p)*q=p*q*(q-1)


 This is another obvious thing!
 if N = sum(A_i*B_i), then
 -N = -1*N = -1*sum(A_i*B_i) = 0 mod N
 and, for the distributive propeties,
 -1*sum(A_i*B_i) = sum (-1*A_i*B_i) = 0 mod N
 

 If found such (A1...An) and (B1...Bn), we can find p or q by
 dividing
 p*(q-1) on p*q:
 p*(q-1)=p*q*(p-1) = (p*(q-1))/(p*q)=(p-1) = (p-1)+1 = p
 or
 (p-1)*q=p*q*(q-1)=((-p)*q)/(p*q)=(q-1) = (q-1)+1 = q


 Here there's a mistake: p*(q-1) != p*q*(p-1) mod N. in fact, let N =
 2*3.
 2*2 = 4 ! = 6*1 = 0!!!
 Beeing this assumption wrong, all the remaining demostration is
 obviously false...

ok, if your consequences are right, could you disprove this gypothesis?

Gypothesis:
Let N = p*q = A1*B1 + A2*B2... + An*Bn
Then exists some subset(A1...An) and respective subset(B1...Bn), which
satisfies for equality:
A1*B1+A2*B2...+An*Bn = p*q and:
A1*(-B1)+A2*(-B2)...+An*(-Bn) = p*(-q)=p*q*(p-1)
or
A1*(-B1)+A2*(-B2)...+An*(-Bn) = (-p)*q=p*q*(q-1)

in terms of this gypothesis, could you really prove: there are no one
subsets (A1..An) and respective (B1...Bn) which satisfies equality:
A1*(-B1)+A2*(-B2)...+An*(-Bn) = p*(-q)=p*q*(p-1)
or
A1*(-B1)+A2*(-B2)...+An*(-Bn) = (-p)*q=p*q*(q-1)
?

Another example in terms of gypothesis:
35 = 2^2*2^3 + 2*1 + 1
then one of possible subsets of 35 is: 4*8 + 2*1 + 1 (4,2,1) and (8,1,1)
try one of possible cases for test subsets (A1...An) and (B1...Bn):
4*(35-8)+2*(35-1)+1*(-1) = 4*27 + 2*34 + 1*(34) = 108 + 102 = 210
then, 210 / 35 = 6
6+1=7
gcd(35,7)=5
Gypothesis is right (or written above is exception?)
Your sample: 6 = 4 + 2 = 1*4 + 2*1
1*(6-4)+2*(6-1)=12
Divide result by 6: 12/6 = 2
Add one for 2: 2+1 = 3
Test: gcd(6,3)=2

Any other samples needed?

More over, while no one present valid proof of incorrectness, it is
correct, right?
Link.asp?CardId=69;6e;63;6f;72;72;65;63;74;6e;65;73;73;0;4c;69;6e;67;76;6f;55;6e;69;76;65;72;73;61;6c;20;28;45;6e;2d;52;75;29
Has somebody more constructive ideas?

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Rapid integer factorization = end of RSA?

2007-04-26 Thread Valdis . Kletnieks 
On Thu, 26 Apr 2007 22:31:08 +0400, e.chukhlomin said:

 More over, while no one present valid proof of incorrectness, it is
 correct, right?

Beware bugs in the above code; I have only proven it correct, not tested it.
-- famous quiche-eater Don Knuth


pgpq61YbrtJkV.pgp
Description: PGP signature
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] WordPress v2.1.3 remote file include~

2007-04-26 Thread Guasconi Vincent 
On 4/26/07, Tod Beardsley [EMAIL PROTECTED] wrote:
 On 26 Apr 2007 14:44:02 -, [EMAIL PROTECTED]
 [EMAIL PROTECTED] wrote:
 None of these exploits you're posting actually work.

 It's like Full-Disclosure, but with more waiting for the moderation
 queue! I guess Symantec now justs moderate out spam, allowing
 unsupported hoaxes and rumors passage.

 Month of April Fools posts?

OpenSSH, there's a off-by-one in access.c

-- 
Guasconi Vincent
Etudiant.
http://altmylife.blogspot.com

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] FW: Steganos Encrypted Safe NOT so safe

2007-04-26 Thread Dan Bambach 
I forwarded the original issue to Steganos as I am a user of their software
package.  This is their reply and also posted on Security Focus.

Regards
Dan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Thursday, April 26, 2007 6:56 AM
To: [EMAIL PROTECTED]
Subject: Re: Steganos Encrypted Safe NOT so safe

In response to frankrizzo604's comment, Steganos would like to dispel the
rumor that its Steganos Safe encryption software is easily cracked. Steganos
Safe enables users to create any number of secure virtual drives in which
data is safely stored and encrypted. However frankrizzo604 goes through
several steps 'teaching' users how to open others' encrypted files. In his
last step, he claims Steganos will 'PUNISH you by resetting your encrypted
drives passwords to 123 until you buy a registered copy', implying that
the password feature can be circumvented thus opening anyone's safe. He
conveniently left out that before he was able to reset the password to
123, he had to enter his original password to open the safe. Then, he saw
this message box:

http://www1.steganos.com/support/screenshots/safe8_123_infobox.png

It is absolutely not possible to open any Steganos Encrypted File without
having the original password. The Steganos support and development team
reconstructed the process he described. It is not possible to open a Safe
WITHOUT the original password. In the 2007 generation of Steganos products,
Steganos decided to set the Safe attributes to write protect. Steganos would
like its user to rest assured that their files are in fact still encrypted
and safe from hackers. 



___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] iDefense Security Advisory 04.26.07: Novell eDirectory NCP Fragment Denial of Service Vulnerability

2007-04-26 Thread iDefense Labs 
Novell eDirectory NCP Fragment Denial of Service Vulnerability

iDefense Security Advisory 04.26.07
http://labs.idefense.com/intelligence/vulnerabilities/
Apr 26, 2007

I. BACKGROUND

Novell eDirectory is a cross-platform lightweight directory access
protocol (LDAP) server. In addition to LDAP, eDirectory also implements
NCP over IP. More information can be found on Novell's web site at the
following URL.

http://www.novell.com/products/edirectory/

II. DESCRIPTION

Remote exploitation of a denial of service (DoS) vulnerability in Novell
Inc.'s eDirectory product could allow an attacker to force the running
daemon to cease servicing requests.

The problem specifically exists within the NCP functionality of
eDirectory. Sending a sequence of specially crafted fragmented requests
will cause a DoS condition.

If the input is crafted properly, eDirectory will report to its error
log that a fragment has been received with an invalid length. The error
message includes the contents of the fragments in hexadecimal notation.
However, if the length is negative, eDirectory will try to dump data to
the log indefinitely. This results in a large amount of data being saved
to the log. Once the end of the heap segment is reached, a memory access
violation will occur and the server process will crash.

III. ANALYSIS

Successful exploitation of this vulnerability could allow an attacker to
crash the server process. No credentials are required. Repeated attacks
could allow the attacker to cause excessive disk space usage.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in version
8.8.1 of Novell Inc.'s eDirectory server with FTF1 applied. The
earliest version tested was 8.8. Earlier versions are suspected to be
vulnerable.

V. WORKAROUND

iDefense is unaware of any effective workaround for this issue.

VI. VENDOR RESPONSE

Novell has addressed this problem within FTF2 for eDirectory 8.8.1. More
information is available in Novell Document ID 3924657 at the following
URL.

http://www.novell.com/support/search.do?cmd=displayKCdocType=kcexternalId=3924657sliceId=SAL_Public

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2006-4520 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

08/17/2006  Initial vendor notification
08/18/2006  Initial vendor response
10/21/2006  Second vendor notification
10/23/2006  Vendor response
12/06/2006  Third vendor notification
12/18/2006  Vendor response
03/21/2007  Fourth vendor notification
04/25/2007  Fifth vendor notification
04/25/2007  Vendor advised that the fix was in FTF2
04/26/2007  Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2007 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
 There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] FW: Steganos Encrypted Safe NOT so safe

2007-04-26 Thread Steven Adair 
It is funny that this stuff ever comes to surface.  Now I am wondering if
this a case of trying to spread FUD or someone who just didn't pay any
attention to what was going on?

Steven
securityzone.org

 I forwarded the original issue to Steganos as I am a user of their
 software
 package.  This is their reply and also posted on Security Focus.

 Regards
 Dan

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 Sent: Thursday, April 26, 2007 6:56 AM
 To: [EMAIL PROTECTED]
 Subject: Re: Steganos Encrypted Safe NOT so safe

 In response to frankrizzo604's comment, Steganos would like to dispel the
 rumor that its Steganos Safe encryption software is easily cracked.
 Steganos
 Safe enables users to create any number of secure virtual drives in which
 data is safely stored and encrypted. However frankrizzo604 goes through
 several steps 'teaching' users how to open others' encrypted files. In his
 last step, he claims Steganos will 'PUNISH you by resetting your encrypted
 drives passwords to 123 until you buy a registered copy', implying that
 the password feature can be circumvented thus opening anyone's safe. He
 conveniently left out that before he was able to reset the password to
 123, he had to enter his original password to open the safe. Then, he
 saw
 this message box:

 http://www1.steganos.com/support/screenshots/safe8_123_infobox.png

 It is absolutely not possible to open any Steganos Encrypted File without
 having the original password. The Steganos support and development team
 reconstructed the process he described. It is not possible to open a Safe
 WITHOUT the original password. In the 2007 generation of Steganos
 products,
 Steganos decided to set the Safe attributes to write protect. Steganos
 would
 like its user to rest assured that their files are in fact still encrypted
 and safe from hackers.



 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.grok.org.uk/full-disclosure-charter.html
 Hosted and sponsored by Secunia - http://secunia.com/



___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Rapid integer factorization = end of RSA?

2007-04-26 Thread Peter Kosinar 
Hello,

 If you have, in fact, come up with a fast method of integer
 factorization, the currently unfactored challenges (RSA-704 and above)
 would be better proof, no?

 no. We're talking about mathemetics, aren't we? So, an example for a
 assumption is not a *proof*. Neither are two or three...

Providing the factorization of a particular number (whose factorization is 
considered to be not known by anyone) is definitely a proof that you know 
the factorization of that number and that you had a method for finding it. 
Of course, it doesn't say anything about this method -- whether it is a 
general one or whether you were able to find the factors based on graph of 
temperature at the top of Elbrus :-)

On a more relevant note, let me try to explain the method described by the 
original poster, hopefully in a more readable way:

Take an unknown number N, which we are going to factor. Then, by some 
mysterious process, represent the number N, such that 
(I)   N = A1*B1 + A2*B2 + ... An*Bn
AND
(II)  A1*(N-B1) + A2*(N-B2) + ... + An*(N-Bn) = N*(q-1)
holds.

In the examples provided by the original poster, these numbers were always 
created by taking the usual binary expansion of the number and splitting 
each term into a product Ak*Bk. The problem is that not all (if any) such 
splits produce the desired results. The original poster correcly stated 
that the obvious method for obtaining such a split (if it really exists 
under these conditions) runs in log(N)! steps (that's factorial of log(N), 
not just an exclamation... clearly, this number is greater than N, thus 
rendering this approach worse than trial division). He also claimed to 
have a much faster approach, though.

Naturally, IF this can be done, one can find q-1 (thus also p,q) easily. 
In fact, the easy part of the algorithm can be even more simplified. The 
sum A1*(N-B1) + A2*(N-B2) + ... An*(N-Bn) can be rewritten as 
N*(A1+A2+...+An) - (A1*B1 + A2*B2 + ... An*Bn) = N*(A1+A2+...+An - 1) and 
the property (II) tells us that this number is equal to N*(q-1). In other 
words, q = (A1+A2+...An), so -once- we obtain the right sets A,B, finding 
the factorization is nothing but summing up a few numbers.

Now, here are two questions for the original poster:

1) Did I understand your factorization algorithm correctly?

2) Could you demonstrate how your algorithm works for the number
2^32+1, please? I have a quite good reason for asking about this
particular number.

Peter

-- 
[Name] Peter Kosinar   [Quote] 2B | ~2B = exp(i*PI)   [ICQ] 134813278

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] FW: Steganos Encrypted Safe NOT so safe

2007-04-26 Thread Dan Bambach 
When this was first posted, I tried to duplicate the procedure written up
before sending it off to Steganos. I was unable to, so I thought maybe I was
missing something. Guess not...

Dan

Dan Bambach
R.T.C., Inc.
Engineering/Service Manager
915-584-6646
915-526-7635  (Cell)
915-584-6265  (Fax)

-Original Message-
From: Steven Adair [mailto:[EMAIL PROTECTED] 
Sent: Thursday, April 26, 2007 2:32 PM
To: Dan Bambach
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] FW: Steganos Encrypted Safe NOT so safe

It is funny that this stuff ever comes to surface.  Now I am wondering if
this a case of trying to spread FUD or someone who just didn't pay any
attention to what was going on?

Steven
securityzone.org

 I forwarded the original issue to Steganos as I am a user of their
 software
 package.  This is their reply and also posted on Security Focus.

 Regards
 Dan

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 Sent: Thursday, April 26, 2007 6:56 AM
 To: [EMAIL PROTECTED]
 Subject: Re: Steganos Encrypted Safe NOT so safe

 In response to frankrizzo604's comment, Steganos would like to dispel the
 rumor that its Steganos Safe encryption software is easily cracked.
 Steganos
 Safe enables users to create any number of secure virtual drives in which
 data is safely stored and encrypted. However frankrizzo604 goes through
 several steps 'teaching' users how to open others' encrypted files. In his
 last step, he claims Steganos will 'PUNISH you by resetting your encrypted
 drives passwords to 123 until you buy a registered copy', implying that
 the password feature can be circumvented thus opening anyone's safe. He
 conveniently left out that before he was able to reset the password to
 123, he had to enter his original password to open the safe. Then, he
 saw
 this message box:

 http://www1.steganos.com/support/screenshots/safe8_123_infobox.png

 It is absolutely not possible to open any Steganos Encrypted File without
 having the original password. The Steganos support and development team
 reconstructed the process he described. It is not possible to open a Safe
 WITHOUT the original password. In the 2007 generation of Steganos
 products,
 Steganos decided to set the Safe attributes to write protect. Steganos
 would
 like its user to rest assured that their files are in fact still encrypted
 and safe from hackers.



 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.grok.org.uk/full-disclosure-charter.html
 Hosted and sponsored by Secunia - http://secunia.com/






___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] FW: Steganos Encrypted Safe NOT so safe

2007-04-26 Thread James Matthews 

Alot of times people find there bugs but what can we do! How do we know that
the encrypted drives work?

On 4/26/07, Dan Bambach [EMAIL PROTECTED] wrote:


When this was first posted, I tried to duplicate the procedure written up
before sending it off to Steganos. I was unable to, so I thought maybe I
was
missing something. Guess not...

Dan

Dan Bambach
R.T.C., Inc.
Engineering/Service Manager
915-584-6646
915-526-7635  (Cell)
915-584-6265  (Fax)

-Original Message-
From: Steven Adair [mailto:[EMAIL PROTECTED]
Sent: Thursday, April 26, 2007 2:32 PM
To: Dan Bambach
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] FW: Steganos Encrypted Safe NOT so safe

It is funny that this stuff ever comes to surface.  Now I am wondering if
this a case of trying to spread FUD or someone who just didn't pay any
attention to what was going on?

Steven
securityzone.org

 I forwarded the original issue to Steganos as I am a user of their
 software
 package.  This is their reply and also posted on Security Focus.

 Regards
 Dan

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 Sent: Thursday, April 26, 2007 6:56 AM
 To: [EMAIL PROTECTED]
 Subject: Re: Steganos Encrypted Safe NOT so safe

 In response to frankrizzo604's comment, Steganos would like to dispel
the
 rumor that its Steganos Safe encryption software is easily cracked.
 Steganos
 Safe enables users to create any number of secure virtual drives in
which
 data is safely stored and encrypted. However frankrizzo604 goes through
 several steps 'teaching' users how to open others' encrypted files. In
his
 last step, he claims Steganos will 'PUNISH you by resetting your
encrypted
 drives passwords to 123 until you buy a registered copy', implying
that
 the password feature can be circumvented thus opening anyone's safe. He
 conveniently left out that before he was able to reset the password to
 123, he had to enter his original password to open the safe. Then, he
 saw
 this message box:

 http://www1.steganos.com/support/screenshots/safe8_123_infobox.png

 It is absolutely not possible to open any Steganos Encrypted File
without
 having the original password. The Steganos support and development team
 reconstructed the process he described. It is not possible to open a
Safe
 WITHOUT the original password. In the 2007 generation of Steganos
 products,
 Steganos decided to set the Safe attributes to write protect. Steganos
 would
 like its user to rest assured that their files are in fact still
encrypted
 and safe from hackers.



 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.grok.org.uk/full-disclosure-charter.html
 Hosted and sponsored by Secunia - http://secunia.com/






___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/





--
http://www.goldwatches.com/watches.asp?Brand=39
http://www.wazoozle.com
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] FW: Steganos Encrypted Safe NOT so safe

2007-04-26 Thread Dan Bambach 
I have tried to crack a safe drive and failed. I am not as crypto savvy as
many on this group are, so my efforts may be view as first level. I did have
a drive sent off to a recovery company a while ago and they were unable to
crack the safe drive. I would think if there was a simple crack like the one
posted, they would have been able to recover the drive.

 

Dan

  _  

From: James Matthews [mailto:[EMAIL PROTECTED] 
Sent: Thursday, April 26, 2007 7:27 PM
To: Dan Bambach
Cc: [EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] FW: Steganos Encrypted Safe NOT so safe

 

Alot of times people find there bugs but what can we do! How do we know that
the encrypted drives work?

On 4/26/07, Dan Bambach  [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] 
wrote:

When this was first posted, I tried to duplicate the procedure written up 
before sending it off to Steganos. I was unable to, so I thought maybe I was
missing something. Guess not...

Dan

Dan Bambach
R.T.C., Inc.
Engineering/Service Manager
915-584-6646
915-526-7635  (Cell) 
915-584-6265  (Fax)

-Original Message-
From: Steven Adair [mailto:[EMAIL PROTECTED]
Sent: Thursday, April 26, 2007 2:32 PM
To: Dan Bambach
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] FW: Steganos Encrypted Safe NOT so safe

It is funny that this stuff ever comes to surface.  Now I am wondering if 
this a case of trying to spread FUD or someone who just didn't pay any
attention to what was going on?

Steven
securityzone.org

 I forwarded the original issue to Steganos as I am a user of their 
 software
 package.  This is their reply and also posted on Security Focus.

 Regards
 Dan

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 Sent: Thursday, April 26, 2007 6:56 AM
 To: [EMAIL PROTECTED]  mailto:[EMAIL PROTECTED] 
 Subject: Re: Steganos Encrypted Safe NOT so safe

 In response to frankrizzo604's comment, Steganos would like to dispel the
 rumor that its Steganos Safe encryption software is easily cracked. 
 Steganos
 Safe enables users to create any number of secure virtual drives in which
 data is safely stored and encrypted. However frankrizzo604 goes through
 several steps 'teaching' users how to open others' encrypted files. In his

 last step, he claims Steganos will 'PUNISH you by resetting your encrypted
 drives passwords to 123 until you buy a registered copy', implying that
 the password feature can be circumvented thus opening anyone's safe. He 
 conveniently left out that before he was able to reset the password to
 123, he had to enter his original password to open the safe. Then, he
 saw
 this message box:

 http://www1.steganos.com/support/screenshots/safe8_123_infobox.png

 It is absolutely not possible to open any Steganos Encrypted File without 
 having the original password. The Steganos support and development team
 reconstructed the process he described. It is not possible to open a Safe
 WITHOUT the original password. In the 2007 generation of Steganos 
 products,
 Steganos decided to set the Safe attributes to write protect. Steganos
 would
 like its user to rest assured that their files are in fact still encrypted
 and safe from hackers. 



 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.grok.org.uk/full-disclosure-charter.html 
 Hosted and sponsored by Secunia - http://secunia.com/






___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/ 




-- 
http://www.goldwatches.com/watches.asp?Brand=39
http://www.wazoozle.com  http://www.wazoozle.com 

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/