Re: [Full-disclosure] [Mailing list Vulnerability] Troll exploit of mailing lists and newsgroups
Your Clock's off DOH! time for a beer

Received: from lists.grok.org.uk (localhost [127.0.0.1])
    by lists.grok.org.uk (Postfix) with ESMTP id CB44E1CB;
    Wed, 22 Jul 2009 15:45:17 +0100 (BST)
X-Original-To: full-disclosure@lists.grok.org.uk
Delivered-To: full-disclosure@lists.grok.org.uk
Received-SPF: none (lists.grok.org.uk: domain of m...@propergander.org.uk does not designate permitted sender hosts)
Received: from honeysuckle.london.02.net (honeysuckle.london.02.net [87.194.255.144])
    by lists.grok.org.uk (Postfix) with ESMTP id B4746135 for ;
    Wed, 22 Jul 2009 15:45:12 +0100 (BST)
Received: from [192.168.1.14] (78.105.162.60)
    by honeysuckle.london.02.net (8.5.016.1) id 4A23EDE603560281
    for full-disclosure@lists.grok.org.uk; Wed, 22 Jul 2009 15:36:34 +0100
Message-ID: <4a69c725.4030...@propergander.org.uk>
Date: Fri, 24 Jul 2009 15:37:25 +0100
From: mrx

mrx wrote:
> I am new to this list, I am new to IT security, I have so far
> contributed very little if anything of actual value to this list.
> I have gained much insight from the vast majority of posts here, I will
> hopefully continue to do so.
>
> There are some intelligent and wise persons contributing to this list,
> then there are the trolls and those that encourage them by responding to
> their inane and or banal mutterings and diatribe. The temptation to
> belittle the ignorant troll is there, it is always there, but this is
> just food for them.
>
> This mail list is becoming more like a newsgroup with the bitching,
> backbiting and childish behaviour. Regardless of skill or ability,
> professionalism should reign supreme here. We are hardly paragons to our
> ilk if we respond in such a churlish manner or even respond at all to
> those who seek to disrupt the integrity of this list with mere words,
> outlandish claims and immature ranting.
>
> All unmoderated mailing lists and newsgroups are ripe for the troll
> exploit. However it can easily be mitigated, for without attention the
> troll shrivels and dies.
>
> Please do not feed the trolls for they are never sated. Please do keep
> the information flowing, I need all the help I can get. And thanks to
> the professionals for their contributions make a difference.
>
> A leet version of this text is not available, however please feel free
> to create one and keep it to yourself, full disclosure is not required
> in this instance.
>
> respectfully
> Acr0nym

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] (no subject)
That's what keeps me subscribed - when I've had a particularly bad day, I always know I can come over here and have a great laugh!

2009/7/21 Rob Fuller
> I'm sorry, long time reader of FD, it's a great mashup of hilarity and vuln
> disclosure.
Re: [Full-disclosure] (no subject)
Exactly!

2009/7/21 Josh Wheeler
> Anti-Sec
>
> We will pwn your pr0n.
>
> This is beginning to seem more and more like an exercise in
> circle-jerking...
>
> On Tue, Jul 21, 2009 at 5:39 PM, Ed Carp wrote:
>
>> Do not fuck with anti-suck. LOL!
Re: [Full-disclosure] [Mailing list Vulnerability] Troll exploit of mailing lists and newsgroups
I'm not sure you understand the purpose. Full disclosure is a troll feed bag. A hacker soap opera of magic, mystery, and intrigue. Seriously, when you subscribed were you expecting an 0day factory? Serious security research discussions? Some retard help forum? Those all exist in other places. Full disclosure is the TV show I watch while my coffee cools down. If it didn't have so many damn commercials it would be perfect.

- DEAN

On Fri, Jul 24, 2009 at 7:37 AM, mrx wrote:
> I am new to this list, I am new to IT security, I have so far
> contributed very little if anything of actual value to this list.
> I have gained much insight from the vast majority of posts here, I will
> hopefully continue to do so.
>
> There are some intelligent and wise persons contributing to this list,
> then there are the trolls and those that encourage them by responding to
> their inane and or banal mutterings and diatribe. The temptation to
> belittle the ignorant troll is there, it is always there, but this is
> just food for them.
>
> This mail list is becoming more like a newsgroup with the bitching,
> backbiting and childish behaviour. Regardless of skill or ability,
> professionalism should reign supreme here. We are hardly paragons to our
> ilk if we respond in such a churlish manner or even respond at all to
> those who seek to disrupt the integrity of this list with mere words,
> outlandish claims and immature ranting.
>
> All unmoderated mailing lists and newsgroups are ripe for the troll
> exploit. However it can easily be mitigated, for without attention the
> troll shrivels and dies.
>
> Please do not feed the trolls for they are never sated. Please do keep
> the information flowing, I need all the help I can get. And thanks to
> the professionals for their contributions make a difference.
>
> A leet version of this text is not available, however please feel free
> to create one and keep it to yourself, full disclosure is not required
> in this instance.
>
> respectfully
> Acr0nym
Re: [Full-disclosure] (no subject)
Won't somebody PLEASE think of the CHILDREN!!?!

On Wed, Jul 22, 2009 at 10:50 AM, Dean Pierce wrote:
> Won't somebody PLEASE thing of the CHILDREN!!?!
>
> On Wed, Jul 22, 2009 at 9:52 AM, Ferdinand Klinzer wrote:
>> lol @white hats
>>
>> Cheers
>>
>>
>> On 22.07.2009 at 14:00, wishi wrote:
>>
>>> Hmmh,
>>>
>>> I personally see a lack of defense and a need for more white hats, who
>>> aren't constantly trying to gain media attention by breaking stuff. -
>>> Because most stuff is already broken - as we see. Even trolls nowadays
>>> can cause some damage.
>>> If you need a good example to prove that we need new security
>>> concepts,
>>> look at what even idiots can do. And sell this as a good argument, for
>>> sure!! ;) My 5 year old niece could have hacked this 4chan site.
>>>
>>> I'm still waiting for this so called ssh thingy. Hack something real:
>>> release an OpenSSH patch.
>>>
>>>
>>> Have fun,
>>> wishi
>>>
>>>
>>> Ed Carp wrote:
>>>> Do not fuck with anti-suck. LOL!
Re: [Full-disclosure] (no subject)
lol @white hats

Cheers


On 22.07.2009 at 14:00, wishi wrote:

> Hmmh,
>
> I personally see a lack of defense and a need for more white hats, who
> aren't constantly trying to gain media attention by breaking stuff. -
> Because most stuff is already broken - as we see. Even trolls nowadays
> can cause some damage.
> If you need a good example to prove that we need new security
> concepts,
> look at what even idiots can do. And sell this as a good argument, for
> sure!! ;) My 5 year old niece could have hacked this 4chan site.
>
> I'm still waiting for this so called ssh thingy. Hack something real:
> release an OpenSSH patch.
>
>
> Have fun,
> wishi
>
>
> Ed Carp wrote:
>> Do not fuck with anti-suck. LOL!
[Full-disclosure] hackforums is back online
www.hackforums.net --LM
[Full-disclosure] [USN-798-1] Firefox and Xulrunner vulnerabilities
===
Ubuntu Security Notice USN-798-1    July 22, 2009
firefox-3.0, xulrunner-1.9 vulnerabilities
CVE-2009-2462, CVE-2009-2463, CVE-2009-2464, CVE-2009-2465,
CVE-2009-2466, CVE-2009-2467, CVE-2009-2469, CVE-2009-2472
===

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.04 LTS:
  firefox-3.0      3.0.12+build1+nobinonly-0ubuntu0.8.04.1
  xulrunner-1.9    1.9.0.12+build1+nobinonly-0ubuntu0.8.04.1

Ubuntu 8.10:
  abrowser         3.0.12+build1+nobinonly-0ubuntu0.8.10.1
  firefox-3.0      3.0.12+build1+nobinonly-0ubuntu0.8.10.1
  xulrunner-1.9    1.9.0.12+build1+nobinonly-0ubuntu0.8.10.2

Ubuntu 9.04:
  abrowser         3.0.12+build1+nobinonly-0ubuntu0.9.04.1
  firefox-3.0      3.0.12+build1+nobinonly-0ubuntu0.9.04.1
  xulrunner-1.9    1.9.0.12+build1+nobinonly-0ubuntu0.9.04.1

After a standard system upgrade you need to restart Firefox and any
applications that use xulrunner, such as Epiphany, to effect the
necessary changes.

Details follow:

Several flaws were discovered in the Firefox browser and JavaScript
engines. If a user were tricked into viewing a malicious website, a
remote attacker could cause a denial of service or possibly execute
arbitrary code with the privileges of the user invoking the program.
(CVE-2009-2462, CVE-2009-2463, CVE-2009-2464, CVE-2009-2465,
CVE-2009-2466, CVE-2009-2469)

Attila Suszter discovered a flaw in the way Firefox processed Flash
content. If a user were tricked into viewing and navigating within a
specially crafted Flash object, a remote attacker could cause a denial
of service or possibly execute arbitrary code with the privileges of
the user invoking the program. (CVE-2009-2467)

It was discovered that Firefox did not properly handle some SVG
content. An attacker could exploit this to cause a denial of service or
possibly execute arbitrary code with the privileges of the user
invoking the program. (CVE-2009-2469)

A flaw was discovered in the JavaScript engine. If a user were tricked
into viewing a malicious website, an attacker could exploit this to
perform cross-site scripting attacks. (CVE-2009-2472)

Updated packages for Ubuntu 8.04 LTS:
Re: [Full-disclosure] (no subject)
I think that some kind of nazi party would be a better deal, maybe someone of these guys understand this "revenge against the full disclosure zionist hegemony"-shit, because I don't - I'm just too stupid for demagogy.

valdis.kletni...@vt.edu wrote:
> On Tue, 21 Jul 2009 20:27:38 CDT, anti sec said:
>> Our heroic anti-sec warriors have carried out a blessed raid against
>> 4chanarchive.org. 4chan users are now burning with fear, terror and panic
>> on their /b/, /gif/, /r9k/, and /a/ boards.
>
> Great. Now you pissed off anon. Why didn't you pick on something *safe*,
> like the NSA or the Russian crime syndicates?
[Full-disclosure] [Mailing list Vulnerability] Troll exploit of mailing lists and newsgroups
I am new to this list, I am new to IT security, I have so far
contributed very little if anything of actual value to this list.
I have gained much insight from the vast majority of posts here, I will
hopefully continue to do so.

There are some intelligent and wise persons contributing to this list,
then there are the trolls and those that encourage them by responding to
their inane and or banal mutterings and diatribe. The temptation to
belittle the ignorant troll is there, it is always there, but this is
just food for them.

This mail list is becoming more like a newsgroup with the bitching,
backbiting and childish behaviour. Regardless of skill or ability,
professionalism should reign supreme here. We are hardly paragons to our
ilk if we respond in such a churlish manner or even respond at all to
those who seek to disrupt the integrity of this list with mere words,
outlandish claims and immature ranting.

All unmoderated mailing lists and newsgroups are ripe for the troll
exploit. However it can easily be mitigated, for without attention the
troll shrivels and dies.

Please do not feed the trolls for they are never sated. Please do keep
the information flowing, I need all the help I can get. And thanks to
the professionals for their contributions make a difference.

A leet version of this text is not available, however please feel free
to create one and keep it to yourself, full disclosure is not required
in this instance.

respectfully
Acr0nym
Re: [Full-disclosure] (no subject)
4chan, heart of the White Hat. ROFLMAO. OKay this is bloody funny. Dude, get a life.

On Wed, Jul 22, 2009 at 6:00 AM, wrote:
> Send Full-Disclosure mailing list submissions to
>    full-disclosure@lists.grok.org.uk
>
> To subscribe or unsubscribe via the World Wide Web, visit
>    https://lists.grok.org.uk/mailman/listinfo/full-disclosure
> or, via email, send a message with subject or body 'help' to
>    full-disclosure-requ...@lists.grok.org.uk
>
> You can reach the person managing the list at
>    full-disclosure-ow...@lists.grok.org.uk
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Full-Disclosure digest..."
>
>
> Note to digest recipients - when replying to digest posts, please trim your
> post appropriately. Thank you.
>
>
> Today's Topics:
>
> 1. (no subject) (anti sec)
> 2. Re: (no subject) (Ed Carp)
> 3. Re: (no subject) (anti...@hushmail.com)
> 4. Re: (no subject) (Rob Fuller)
> 5. Re: Update: [GSEC-TZO-44-2009] One bug to rule them all -
>    Firefox, IE, Safari, Opera, Chrome, Seamonkey, iPhone, iPod, Wii,
>    PS3 (Andrew Farmer)
>
>
> --
>
> Message: 1
> Date: Tue, 21 Jul 2009 20:27:38 -0500
> From: "anti sec"
> Subject: [Full-disclosure] (no subject)
> To: full-disclosure@lists.grok.org.uk
> Message-ID: <20090722012738.4a82fbe4...@ws1-9.us4.outblaze.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> We, the worldwide anti-sec movement have landed yet another coup that
> will strike full-disclosurizers into the very hearts and soul of their
> being.
>
> Fellow anti-sec'ers and freedom-lovers: Rejoice, for it is time to take
> revenge against the full disclosure zionist hegemony in retaliation for
> the damage white hats? have been committing against the security world.
> Our heroic anti-sec warriors have carried out a blessed raid against
> 4chanarchive.org. 4chan users are now burning with fear, terror and panic
> on their /b/, /gif/, /r9k/, and /a/ boards.
>
> The white hat world will soon be asunder and the enemies will flee from
> our holy power!
>
> We have repeatedly warned the security industry and the people in it. DO
> NOT FUCK WITH ANTI-SEC! Statistically speaking, every white hat is using
> 4chan or at least has heard of it. Thus we struck into the very core of
> their existence. We have fulfilled our promise and carried out our
> blessed hacking attack on 4chanarchive after our warriors exerted
> strenuous efforts over a long period of time to ensure the success of the
> attack.
>
> We continue to warn the websites of governmentsecurity and hackforums and
> all full disclosure public as a whole that they will be punished in the
> same way if they do not withdraw from their erroneous ways of living and
> see that white hats are the scum of the earth. Those who warn are
> excused.
>
> The list will be released at the usual places. those in the know do
> realize where that is.
>
> ANTI-SEC FOR LIFE!
>
> --
> How Strong is Your Score?
> Click here to see yours for $0!
> By FreeCreditReport.com
>
> -- next part --
> An HTML attachment was scrubbed...
> URL:
> http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20090721/e9123ac2/attachment-0001.html
>
> --
>
> Message: 2
> Date: Tue, 21 Jul 2009 20:39:48 -0500
> From: Ed Carp
> Subject: Re: [Full-disclosure] (no subject)
> To: full-disclosure
> Message-ID:
>    <1b0d006c0907211839l3e605edekf8e3dd19b6aa4...@mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Do not fuck with anti-suck. LOL!
> -- next part --
> An HTML attachment was scrubbed...
> URL:
> http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20090721/5d4e492b/attachment-0001.html
>
> --
>
> Message: 3
> Date: Tue, 21 Jul 2009 21:56:07 -0400
> From: anti...@hushmail.com
> Subject: Re: [Full-disclosure] (no subject)
> To: full-disclosure@lists.grok.org.uk, anti-sec4l...@email.com
> Message-ID: <20090722015607.95b1d20...@smtp.hushmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> Awww, seriously? Can you leave governmentsecurity alone? I don't
> want you fucking with my backdoorz. It's not my fault they run
> litespeed.
>
> On Tue, 21 Jul 2009 21:27:38 -0400 anti sec sec4l...@email.com> wrote:
> >We, the worldwide anti-sec movement have landed yet another coup
> >that
> >will strike full-disclosurizers into the very hearts and soul of
> >their
> >being.
> >
> >Fellow anti-sec'ers and freedom-lovers: Rejoice, for it is time to
> >take
> >revenge against the full disclosure zionist hegemony in
> >retaliation for
> >the damage white hats? have been committing against the security
> >world.
> >Our heroic anti-sec warriors have carried out a blessed raid
> >against
> >4chanarchive.org. 4chan users are now burning with fear, terror
> >and panic
> >on their /b/,
Re: [Full-disclosure] (no subject)
because those poor guys don't know what NSA or crime syndicates are ... because those poor guys don't know what's outside of their room ... my dear 'anti-sec', open the door of your home and take a look outside ... do you really think we need skiddies like you in these (economic) crisis times ? . what about going back to school and learn basics of 'living in society' ? or you can continue on your way, personally you're the sun which makes me laugh during these poor project-end days ...

ps : have a sex time, it helps ;)

-----Original Message-----
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of valdis.kletni...@vt.edu
Sent: mercredi 22 juillet 2009 15:46
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] (no subject)

On Tue, 21 Jul 2009 20:27:38 CDT, anti sec said:
> Our heroic anti-sec warriors have carried out a blessed raid against
> 4chanarchive.org. 4chan users are now burning with fear, terror and
> panic on their /b/, /gif/, /r9k/, and /a/ boards.

Great. Now you pissed off anon. Why didn't you pick on something *safe*, like the NSA or the Russian crime syndicates?
Re: [Full-disclosure] (no subject)
On Tue, 21 Jul 2009 20:27:38 CDT, anti sec said:
> Our heroic anti-sec warriors have carried out a blessed raid against
> 4chanarchive.org. 4chan users are now burning with fear, terror and panic
> on their /b/, /gif/, /r9k/, and /a/ boards.

Great. Now you pissed off anon. Why didn't you pick on something *safe*, like the NSA or the Russian crime syndicates?
Re: [Full-disclosure] (no subject)
Hmmh,

I personally see a lack of defense and a need for more white hats, who aren't constantly trying to gain media attention by breaking stuff. - Because most stuff is already broken - as we see. Even trolls nowadays can cause some damage.
If you need a good example to prove that we need new security concepts, look at what even idiots can do. And sell this as a good argument, for sure!! ;) My 5 year old niece could have hacked this 4chan site.

I'm still waiting for this so called ssh thingy. Hack something real: release an OpenSSH patch.


Have fun,
wishi


Ed Carp wrote:
> Do not fuck with anti-suck. LOL!
Re: [Full-disclosure] Update: [GSEC-TZO-44-2009] One bug to rule them all - Firefox, IE, Safari, Opera, Chrome, Seamonkey, iPhone, iPod, Wii, PS3....
Hi Steven,

[Removing a few addresses in CC that surely do not care too much about this discussion]

SMC> I strongly suspect that as we collectively try to figure out how to solve
SMC> resource-consumption issues for all kinds of software, we will quickly run
SMC> into lots of complexity that may well enter the realm of undecidable
SMC> problems

First, nobody has to figure out how to "solve [all] resource consumption issues". That would be effort spent on a stupid idea. Design your software expecting it to run into these kind of problems and design proper generic mitigations, where possible. You are set.

Has this been done before ? Yes, take google chrome as an example. In Google chrome, tabs are separated in such a way that well, only the tab affected closes, not the whole browser not the complete OS. So this is mitigating all these bugs by design and reducing the impact to a minimum, to a degree where I agree that it could be ignored and not called a "vulnerability".

If someone designs software and claims that these problems cannot be mitigated and hence should be ignored or seen as "normal", in my personal opinion, should be looking for another job.

Secondly, I really can't find anything related to the advisory in your posting. The bug at hand was an unclamped loop "within the browser code itself". NOT a loop fed by an external source. Comparing it to downloading huge files is comparing apples to oranges. Even the impact is another one, as that border case is accounted for.

SMC> Web browsers are basically mini-operating systems (which others may have
SMC> said before).

Surely Product managers and marketing departments have said so, surely it can be designed to look like an OS. However comparing the current existing Browsers to an Operation system is ludicrous at best.

SMC> Since they are very closely attached to their underlying
SMC> operating system,

Since when are browsers running Ring 0 ?

SMC> But if you think of the infinite number of algorithms you could write in
SMC> Javascript, then it becomes a recipe for the death of a thousand cuts.

Infinite amount of possibilities does not necessarily equal infinite amounts of "defenses".
- Browser detects loop or script that doesn't exit, asks user if he wants to stop it. Been there, done that.

SMC> If you try to load the full XML downloads from cve.mitre.org into your
SMC> browser, good luck with that - you get CPU and memory consumption very
SMC> quickly (last time I checked).

Apples and Oranges, nobody said CPU consumption is a vulnerability per se. The possible impact is what makes it a vulnerability or not, such as browser crashes, OS reboots, etc pp.

I still have trouble to understand why some are not using the impact of a bug to rate it. The resulting impact (what can be done with it, what consequences this problem has for a user/system) is what defines the security aspect, not necessarily the root cause.

SMC> But is that a vulnerability per se? It
SMC> almost becomes a "laws-of-physics" vulnerability - if you send too much
SMC> data to an underpowered system with a small pipe, then a DoS is going to
SMC> occur because you can't violate the laws of physics.

If you have not planned for that border case, for example the browser crashes or the OS reboots and it creates "damage" as in Dataloss - yes it is a vulnerability. Sorry, but stupidity or lack of effort has never protected somebody from calling it what it is.

Last time I checked, software code didn't respect the laws of physics though. Pigs fly regularly in my "code".

SMC> At some point a line needs to be drawn, though I don't
SMC> know where that line is. I agree with Michal that a holistic approach
SMC> could save a lot of people a lot of pain.

These are empty words to my ears. "holistic approach" sounds like "war on terror". But maybe that's just me.

--
http://blog.zoller.lu
Thierry Zoller
Re: [Full-disclosure] Update: [GSEC-TZO-44-2009] One bug to rule them all - Firefox, IE, Safari, Opera, Chrome, Seamonkey, iPhone, iPod, Wii, PS3....
On Tue, 21 Jul 2009, Michal Zalewski wrote:

> The code created an oversized list, which does not seem to be that far
> from creating an overly nested DOM tree, or drawing an oversized CANVAS
> shape, or any other creating-too-many-things-for-the-renderer-to-handle
> attacks... but really, I'm not trying to be dismissive, just saying that
> a more holistic approach might be more beneficial in the long run.

I agree here.

I strongly suspect that as we collectively try to figure out how to solve resource-consumption issues for all kinds of software, we will quickly run into lots of complexity that may well enter the realm of undecidable problems, and/or whose only solutions would require the creation of an application-level resource monitor (thus killing performance) or having some kind of external control of resource allocation (whose solution is generally just to kill the application, still resulting in a DoS). I think that last sentence parsed OK...

Web browsers are basically mini-operating systems (which others may have said before). Since they are very closely attached to their underlying operating system, it's not a surprise that they are some of the first to really get hit by these kinds of reports (anti-virus also comes to mind). But if you think of the infinite number of algorithms you could write in Javascript, then it becomes a recipe for the death of a thousand cuts.

If you try to load the full XML downloads from cve.mitre.org into your browser, good luck with that - you get CPU and memory consumption very quickly (last time I checked). But is that a vulnerability per se? It almost becomes a "laws-of-physics" vulnerability - if you send too much data to an underpowered system with a small pipe, then a DoS is going to occur because you can't violate the laws of physics. If you enforce some resource restrictions, then you wind up with an incomplete rendering of data (incorrect behavior) at least.

In this particular case there's very little effort that the attacker needs to make compared to the amount of CPU/memory that is produced, so the attack-to-benefit workload is asymmetric and it seems reasonable to call this a problem. At some point a line needs to be drawn, though I don't know where that line is. I agree with Michal that a holistic approach could save a lot of people a lot of pain.

- Steve

P.S. For those who are interested, some focused discussion on the topic starts at http://attrition.org/pipermail/vim/2006-January/000461.html
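
Added example, not part of the thread and not taken from any browser's source: a JavaScript sketch of the generic mitigation discussed in Thierry Zoller's and Steve's messages above, where a loop whose bound comes from page content is charged against a per-tab work budget and reports truncated output instead of consuming unbounded memory. All names (WorkBudget, buildEntries, renderTabs) and the limits are hypothetical, and the sample inputs are constructed.

```javascript
// Added illustration only. Names, limits and inputs are hypothetical/constructed.

class BudgetExceeded extends Error {}

// Generic per-task budget: caps both loop iterations and objects created,
// so one hostile input cannot drive unbounded CPU or memory use.
class WorkBudget {
  constructor({ maxItems, maxSteps }) {
    this.maxItems = maxItems;
    this.maxSteps = maxSteps;
    this.items = 0;
    this.steps = 0;
  }
  step() {
    this.steps += 1;
    if (this.steps > this.maxSteps) throw new BudgetExceeded('step limit');
  }
  allocate() {
    if (this.items >= this.maxItems) throw new BudgetExceeded('item limit');
    this.items += 1;
  }
}

// The requested count is untrusted page content: accept plain decimal digits
// only, and treat anything else (negative, exponent form, junk) as zero.
function parseRequestedLength(raw) {
  const text = String(raw).trim();
  return /^\d{1,10}$/.test(text) ? Number(text) : 0;
}

// Builds list entries for one element. The loop bound comes from the page,
// so every iteration and every allocation is charged to the budget.
// When the budget runs out the result is flagged as truncated: the
// "incomplete rendering" trade-off named in the thread, made explicit to the
// caller instead of ending in a crash.
function buildEntries(rawLength, budget) {
  const requested = parseRequestedLength(rawLength);
  const entries = [];
  let truncated = false;
  try {
    for (let i = 0; i < requested; i++) {
      budget.step();
      budget.allocate();
      entries.push({ index: i, label: '' });
    }
  } catch (err) {
    if (!(err instanceof BudgetExceeded)) throw err;
    truncated = true;
  }
  return { requested, created: entries.length, truncated };
}

// Each tab gets its own budget, a simplified stand-in for the per-tab
// separation mentioned in the thread: exhausting one tab's budget leaves the
// other tabs untouched.
function renderTabs(tabs, limits) {
  return tabs.map((tab) => ({
    tab: tab.name,
    ...buildEntries(tab.length, new WorkBudget(limits)),
  }));
}

// Constructed sample input: one ordinary page, one requesting a huge list.
const sample = renderTabs(
  [
    { name: 'benign', length: '25' },
    { name: 'hostile', length: '2147483647' },
  ],
  { maxItems: 1000, maxSteps: 5000 }
);
console.log(sample);
```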