[Full-disclosure] Lazy bum approach to security
On Wed, Nov 26, 2008 at 5:49 PM, Mike C [EMAIL PROTECTED] wrote:
> I'm sure there's no reason to doubt that. The fact remains full-disclosure is where it all happens.

You're taking yourself into a false sense of security there. If you sit on a mailing list like full-disclosure and expect everything to be brought to you on a plate you are mistaken. You can't take the lazy bum approach to security and say, everything I need to know is on full-disclosure.

From my experience the majority of stuff goes on in the underground communities, full-disclosure is only essentially an announcement list, the rest is going on in individual communities.

What you need to do is get yourself dug into the underground communities, you need to get yourself informants and build relationships with members of communities, you _really_ can't sit on full-disclosure and expect every security community and hacker community to bring everything to you.

I'm not talking about the n3td3v group here because luckily I forward the key stuff to full-disclosure for the lazy bums who can't be bothered to engage in individual communities and their members. Let me say though, the real intelligence isn't on full-disclosure, it's elsewhere.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Security industry software license
On Sat, Nov 29, 2008 at 10:17 AM, andrew. wallace [EMAIL PROTECTED] wrote:
> snip
> Now what the DHS need to do if they want to counter hackers and cyber terrorism is to focus on worthwhile things like developing a security industry software license scheme that vets everybody using software and gets better regulation into the industry. This is the way ahead,

Yes, indeed. Freedom is always served by taking it away from those who can't afford the credentials. It's why gun control works so well.

Kurt
Re: [Full-disclosure] Security industry software license
On Sat, Nov 29, 2008 at 7:32 PM, Kurt Buff [EMAIL PROTECTED] wrote:
> On Sat, Nov 29, 2008 at 10:17 AM, andrew. wallace [EMAIL PROTECTED] wrote:
>> snip
>> Now what the DHS need to do if they want to counter hackers and cyber terrorism is to focus on worthwhile things like developing a security industry software license scheme that vets everybody using software and gets better regulation into the industry. This is the way ahead,
>
> Yes, indeed. Freedom is always served by taking it away from those who can't afford the credentials. It's why gun control works so well.
>
> Kurt

Gun control in Britain actually works pretty well. I don't know where you live.

It's all about effective management of the control, you put in bad management you're going to have bad control.
Re: [Full-disclosure] Security industry software license
On Sat, Nov 29, 2008 at 11:52 AM, andrew. wallace [EMAIL PROTECTED] wrote:
> On Sat, Nov 29, 2008 at 7:32 PM, Kurt Buff [EMAIL PROTECTED] wrote:
>> On Sat, Nov 29, 2008 at 10:17 AM, andrew. wallace [EMAIL PROTECTED] wrote:
>>> snip
>>> Now what the DHS need to do if they want to counter hackers and cyber terrorism is to focus on worthwhile things like developing a security industry software license scheme that vets everybody using software and gets better regulation into the industry. This is the way ahead,
>>
>> Yes, indeed. Freedom is always served by taking it away from those who can't afford the credentials. It's why gun control works so well.
>>
>> Kurt
>
> Gun control in Britain actually works pretty well. I don't know where you live.

Excellent - avoid the main point, focus on the minor point. To get back to the major point, I'll ask a question: How is freedom served by your recommendation?

If you wish to know where I live, google me.

> It's all about effective management of the control, you put in bad management you're going to have bad control.

This kind of management is always bad, in that it means decreasing the ability of free people to ply their trade, or even to explore the world and gain knowledge on their own.

To rebut your response on the minor point, I'll ask another question - how much do you think home invasion burglaries would diminish in your country if ordinary folks could own effective means of defense?
[Full-disclosure] [SECURITY] [DSA 1673-1] New wireshark packages fix several vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Debian Security Advisory DSA-1673-1    [EMAIL PROTECTED]
http://www.debian.org/security/        Moritz Muehlenhoff
November 29, 2008                      http://www.debian.org/security/faq

Package        : wireshark
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2008-3137 CVE-2008-3138 CVE-2008-3141 CVE-2008-3145 CVE-2008-3933 CVE-2008-4683 CVE-2008-4684 CVE-2008-4685

Several remote vulnerabilities have been discovered in the network traffic analyzer Wireshark. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2008-3137
    The GSM SMS dissector is vulnerable to denial of service.

CVE-2008-3138
    The PANA and KISMET dissectors are vulnerable to denial of service.

CVE-2008-3141
    The RMI dissector could disclose system memory.

CVE-2008-3145
    The packet reassembling module is vulnerable to denial of service.

CVE-2008-3933
    The zlib uncompression module is vulnerable to denial of service.

CVE-2008-4683
    The Bluetooth ACL dissector is vulnerable to denial of service.

CVE-2008-4684
    The PRP and MATE dissectors are vulnerable to denial of service.

CVE-2008-4685
    The Q931 dissector is vulnerable to denial of service.

For the stable distribution (etch), these problems have been fixed in version 0.99.4-5.etch.3.

For the upcoming stable distribution (lenny), these problems have been fixed in version 1.0.2-3+lenny2.

For the unstable distribution (sid), these problems will be fixed soon.

We recommend that you upgrade your wireshark packages.

Upgrade instructions

wget url
    will fetch the file for you
dpkg -i file.deb
    will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
    will update the internal database
apt-get upgrade
    will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
Debian GNU/Linux 4.0 alias etch

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Re: [Full-disclosure] Security industry software license
Oh well. Let's reverse this, the problem is not metasploit, because metasploit is not a 0days finder. Metasploit is developed for well-known vulnerabilities, and it's intended for penetration purposes. So if some lazy sys-admin doesn't patch their software, it's close to their own fault if they get hijacked. It's almost criminal, because they put our security (in a scenario we're a client on this network arch) totally in danger, for some money reasons. Their work is also to make sure the env is safe, so if you act only as a production mode, where money contracts drive the network arch design, you're playing a game that will hurt one day or another, it's just about time.

You talk about a possible danger about metasploit, so as I said let's reverse this, the danger is this sys-admin and corporation I was mentioning. See, with this attitude to say, "oh there's a tool which can hurt us, we should ban this tool from the Internet" you only contribute to make a dummier world than it is.

We need to solve the root problem, which is well known, people got crash-landed on the internet, with the government help (I remember a period where the gov was giving 500 $ to the family to get a computer and get on the internet) and they don't fucking know about how, why, but they go! And companies are doing the same, they see a threat in metasploit, nmap, nessus, etc. but it isn't ... none of them are a 0days finder, and if there should be something treated as potentially dangerous, it's themselves, and right after, the people crash-landed on the internet.

So patch your fucking software, make some basic monitoring, and read FD, milw0rm, secfocus as a daily task. That's what the net is about, that's the rules, if you don't like this game, then don't put your network on the internet and go to hell, don't blame such software.

See Mr wallace, this is the kind of attitude that will blow any freedom on the internet, and you contribute to this, as many others. That's the facility solution, and it's a mirror of our society.

Cheers
J-F
Re: [Full-disclosure] Lazy bum approach to security
Hi

I agree with you. It's just these 'underground communities' tend to be a bunch of kiddies playing with milworm, bots, and asking help with basic programming. Where's the original ideas, the research, and the worthwhile discussion? I guess I described an extreme scenario, but you get the picture.

Really, tell me. If there was a friendly, 'academic' (as opposed to 'business-like') online community then show me, I'd join up in a flash.

-- 
I'm your best best friend. Usually I like it when you contradict me, it might help me learn. Just don't be so angry.
Re: [Full-disclosure] Indian allegations alarm Pakistan
On Sunday 30 Nov 2008, n3td3v wrote:
> Indian-Pakistan war is about to kick off folks...
>
> http://news.bbc.co.uk/1/hi/world/south_asia/7757031.stm

I know it's not going to happen, but can I request you once again shut the fuck up about events that you have no clue about? At least try to keep your sensationalist retarded drivel to your own backyard.

-- Raju
-- 
Raj Mathur [EMAIL PROTECTED] http://kandalaya.org/
GPG: 78D4 FC67 367F 40E2 0DD5 0FEF C968 D0EF CC68 D17F
PsyTrance Chill: http://schizoid.in/ || It is the mind that moves
Re: [Full-disclosure] Security industry software license
Just to summarise what's been said and what I think so we can get back on topic, and conclude something:

No-one hacks using metasploit! Go back to 2003. Terrorists with metasploit! What, do you have a picture in your head of Mr. Jihad Bigbeard using metasploit to shutdown a powergrid?

Reasons Why It's Hard to achieve:
- It violates freedom.
- It's hard to enforce without: invading privacy, expending too much money/resources.
- Most writers of these tools won't want to have to do this (most writers of security tools are hackers, you-know: back orifice, pinch, exploit kits, phishing kits, malware creation kits, the entire contents of milworm, bots, THCs Hydra... it goes on).
- Geographical constraints. All governments doing the exact same thing at the same time? Or one organisation forcing it onto the net (with no power to put people in jail or anything).
- You can't/shouldn't moderate the internet.

Reasons Why It's Pointlessly ineffective:
- Piratebay.
- People writing tools intended for hackers.
- The massive number of tools that you'd have to moderate to be effective.
- If not everything is a dangerous security tool then it's reduced in effectiveness.
- Most big hacks you see don't take many tools. Like a big database being dumped with a browser/scripts.
- You don't solve the problem, at all. Maybe reduce it a little.

Reasons Why It Wouldn't Happen:
- Most developed western governments like to keep their 1984 "I'm watching you" crap behind the curtains.
- Most governments only do these things because something bad happened and they have to make up a law to cover their asses, or something bigger than your rapidshare passes is at stake.
- I'd protest - I'd go to my country's (UK) capital and march in protest!

Reasons Why It Sucks:
- It violates freedom (programs are intellectual property - you can't do that kind of thing to them and call it nice).
- It would ruin the internet and break a load of enthusiastic geeks' hearts.
- It would force the underground hackers deeper underground.
- It would discourage security professionals.

Pointless things that people mentioned that made them look like a child in front of a shit load of subscribers:
- Personal comments.
- Attacks at the way someone writes something instead of what they write about.

Questions to think about/answer:
- Would you deserve a license. Really? (me: NO!)
- Would you wish you had one. (me: yeh!)
- How many of the tools that'd be outlawed have you already written an equivalent of? (me: loads).
- If you had to outlaw things, would you outlaw tor? (me: I don't wanna!)

It's a silly idea.

Final Question:
- Are we finished? Is it over? Is it established that it's a bad idea now?

-- 
I'm your best best friend.
Re: [Full-disclosure] Indian allegations alarm Pakistan
On Sun, Nov 30, 2008 at 7:39 AM, Raj Mathur [EMAIL PROTECTED] wrote:
> On Sunday 30 Nov 2008, n3td3v wrote:
>> Indian-Pakistan war is about to kick off folks...
>>
>> http://news.bbc.co.uk/1/hi/world/south_asia/7757031.stm
>
> I know it's not going to happen, but can I request you once again shut the fuck up about events that you have no clue about? At least try to keep your sensationalist retarded drivel to your own backyard.

Although a knee-jerk reaction, this post has some value. The tensions between the countries are on the rise, and the recent blasts in Bangalore would increase the chances of war.

BTW, does anyone have an idea on what kind of cyber-warfare is currently underway between the two nations?

-- MC
[Full-disclosure] Project Chroma: A color code for the state of cyber security
Hi,

It is time to take an example from Homeland Security and define codes of color for cyber-warfare threat levels. I propose the following:

Green level: There is negligible threat to online security.

Yellow level: There is a minimal level of threat, and this must be monitored and contained.

Orange level: This level of threat indicates there are parties who are actively engaging in cyber-warfare. Caution is required when online.

Red level: This level indicates a full blown cyber-war. It indicates very high probability of all communications being intercepted.

While homeland security's implementation does not seem to have a real world merit, such a threat level would certainly be very useful in the online security realm.

Please disseminate this announcement of the project Chroma levels for online security. The immediate mission of the project is to be picked up by the antivirus and security tools vendors, so as to add the color codes to their products and provide users with a tangible measure of their online security.

Current status: Threat level Yellow.

-- 
MC
Security Researcher
Lead, Project Chroma.
Re: [Full-disclosure] Indian allegations alarm Pakistan
On Sun, Nov 30, 2008 at 5:25 AM, Mike C [EMAIL PROTECTED] wrote:
> On Sun, Nov 30, 2008 at 7:39 AM, Raj Mathur [EMAIL PROTECTED] wrote:
>> On Sunday 30 Nov 2008, n3td3v wrote:
>>> Indian-Pakistan war is about to kick off folks...
>>>
>>> http://news.bbc.co.uk/1/hi/world/south_asia/7757031.stm
>>
>> I know it's not going to happen, but can I request you once again shut the fuck up about events that you have no clue about? At least try to keep your sensationalist retarded drivel to your own backyard.
>
> Although a knee-jerk reaction, this post has some value. The tensions between the countries are on the rise, and the recent blasts in Bangalore would increase the chances of war.
>
> BTW, does anyone have an idea on what kind of cyber-warfare is currently underway between the two nations?
>
> -- MC

There was a report earlier in the week via pcworld.com, but I don't think it's connected to this conflict, maybe just a coincidence:

http://www.pcworld.com/businesscenter/article/154544/feuding_india_pakistani_hackers_deface_web_sites.html
Re: [Full-disclosure] Indian allegations alarm Pakistan
On Sun, Nov 30, 2008 at 11:11 AM, n3td3v [EMAIL PROTECTED] wrote:
> On Sun, Nov 30, 2008 at 5:25 AM, Mike C [EMAIL PROTECTED] wrote:
>> On Sun, Nov 30, 2008 at 7:39 AM, Raj Mathur [EMAIL PROTECTED] wrote:
>>> On Sunday 30 Nov 2008, n3td3v wrote:
>>>> Indian-Pakistan war is about to kick off folks...
>>>>
>>>> http://news.bbc.co.uk/1/hi/world/south_asia/7757031.stm
>>>
>>> I know it's not going to happen, but can I request you once again shut the fuck up about events that you have no clue about? At least try to keep your sensationalist retarded drivel to your own backyard.
>>
>> Although a knee-jerk reaction, this post has some value. The tensions between the countries are on the rise, and the recent blasts in Bangalore would increase the chances of war.
>>
>> BTW, does anyone have an idea on what kind of cyber-warfare is currently underway between the two nations?
>>
>> -- MC
>
> There was a report earlier in the week via pcworld.com, but I don't think it's connected to this conflict, maybe just a coincidence:
>
> http://www.pcworld.com/businesscenter/article/154544/feuding_india_pakistani_hackers_deface_web_sites.html

Thanks. I'm looking into this and will report on any further info.

-- MC