Re: [Full-disclosure] Congratulations Andrew

2010-06-16 Thread coderman
On Wed, Jun 16, 2010 at 2:08 PM,   wrote:
> ...
> There was no hack?  ATT didn't have 144K user's info pilfered?

that is yet to be decided in the judiciary and/or a jury of peers.
AT&T's data spill due to their own negligence seems obvious, the rest
of the culpability is yet to be assigned

for a similar argument see Google's wifi snarfing mea culpa while
still proclaiming adherence to 18 U.S.C. §2511(2)(g)(1), 18 U.S.C.
§2510(16), etc.; and considering public good intent of the obfuscated
release, rather than fraud per 18 U.S.C. §1029(a)(8) for example, the
cause is weak.

however, the realities for wee vs particular situation, across the
federal, state, municipal and/or city jurisdictions is pretty poor.
they're going to screw you on almost anything for almost any time
period costing you almost any exorbitant defense if you've
sufficiently pissed off the right resources. James Atkinson is
currently getting screwed for over the counter proton pump inhibitors
in unlabeled bottles among other trumped up state charges* ultimately
driven by blow back for his whistle blowing and coast guard
incompetence exposure before congress.

* details too numerous to list here, but this is the abridged digest
summary of the situation.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Congratulations Andrew

2010-06-16 Thread Valdis . Kletnieks
On Wed, 16 Jun 2010 13:49:26 EDT, T Biehn said:

> The FBI was investigating the AT&T incident, presumably the AT&T incident
> was what the fed were serving against.

"presumably".  In other words, you don't know for certain.  Or even have
a clue about what really went down.  Doesn't help your credibility when
you say the search warrant won't hold up when you're apparently not even
sure what warrant it actually was...

Keep in mind that the vast majority of search warrants *are* proper, because
there is *nothing* that pisses off a DA more than having to stand there in the
judge's chambers and be told that all the evidence they got has been thrown out
because the search warrant had a problem. Especially since if the suspect has
half a brain, the evidence will be gone by the time they get another search
warrant. "Intentionally destroying evidence? Why no your honor, my client just
repartitioned the drive and decided to do a destructive bad-block check while
he was there..."

> What possible valid search warrant could be executed? There was no hack,
> breach, illegal access of data, or anything else for that matter.

There was no hack?  ATT didn't have 144K user's info pilfered?  Claims like
that don't help your credibility.  Mind you, I've always supported
the right of the accused (and their supporters) to put forward any and all
plausible "he was framed" or "the cops got the wrong guy" theory.  But
saying "It didn't happen" puts you out there in left field with the
Holocaust deniers.

(There, have I Godwined the thread yet? ;)



Re: [Full-disclosure] Congratulations Andrew

2010-06-16 Thread coderman
On Wed, Jun 16, 2010 at 10:05 AM, Josh Wheeler  wrote:
> Turtles aren't evil, they're just honeytraps out to get andrew.

it's honey turtles, all the way down ...



 as to those of you speculating on identities, please defer to the
expertise of Dr. Neal Krawetz, Ph.D. in this regard.




Re: [Full-disclosure] Congratulations Andrew

2010-06-16 Thread Byron Sonne
> To sum up what full-disclosure has become:
> random arrested and charged with drug possession = 30+ posts
> unreal ircd backdoored = 4? responses.

There's nothing surprising about software that has a bug - all software
is shit and shot through with holes. We expect that (please forgive the
arrogance of me using 'we' as if I speak for a group).

Like I should care that much about some shite IRC daemon? The fact that
it got any responses at all is interesting. Holy cow, water's wet? I
better respond! :)

Whereas the issue with andrew/weev/soon-to-be-assgaped is a bit of a
surprise and hilarious. I dunno what you mean by 'random' but sadly, at
the risk of feeding his ego, he has some history around these parts.

-- 
 Byron L. Sonne :: blso...@halvdan.com :: www.halvdan.com
gpg: 0x69D9EAA6, C651 EF07 1298 58B3 615D 4019 E196 BAE1 69D9 EAA6



Re: [Full-disclosure] Congratulations Andrew

2010-06-16 Thread Nick FitzGerald
ghost wrote:

> To sum up what full-disclosure has become:
> 
> random arrested and charged with drug possession = 30+ posts
> 
> unreal ircd backdoored = 4? responses.

But, most of us immediately understand the issues from the IRCD 
backdoor, whereas at least the discussion worth reading in the 
"Congratulations Andrew" thread has actually been on-topic, clarifying 
common (at least among the ignorati that style themselves "hackers" 
these days) misunderstandings about what constitutes authorized access 
_and_ is also (loosely) on-topic for the actual thread as this issue 
seems likely to be at the heart of any case involving the iPad/AT&T 
data "leak", in which the person who is the actual subject of the 
"Congratulations Andrew" thread also seems likely to be involved...

So your stats are rather misleading.



Regards,

Nick FitzGerald




Re: [Full-disclosure] Congratulations Andrew

2010-06-16 Thread Nick FitzGerald
bk to wilder_jeff Wilder:

> > By that same standard.. if you leave your house unlocked does
> > that give someone the right to enter it? 
> > 
> > just my thoughts
> 
> Sending from the right account this time...
> 
> It wasn't an unlocked house.  It was a table on the sidewalk with
> all the neighbors' Girlscout cookie order sheets on it.  Someone
> just happened to pickup not only their order sheet, but everyone
> else's too. 

That may be what _you_ see as a relevant analogy, but that's not how 
most legal systems will see it.  To most legal systems it matters not 
that the folk ostensibly responsible for "protecting" the data 
effectively just laid it all out (more or less) in public view.  The 
pertinent legal questions will likely revolve around whether the 
accessor could reasonably claim they did not know they were not 
authorized to access that data.

And how will the courts assess whether the accessor was authorized to 
access that data?  Simple -- they ask the "owner" of the data (AT&T) 
who will surely say "we did not authorize the defendant to access that 
data", and they will probably blandly add something like "and we took 
industry-standard measures to reasonably protect the data against 
unauthorized access".  Whilst the latter is apparently rather easily 
debunked, doing so is pretty irrelevant to defending an "unauthorized 
access" charge, as regardless of how easily (trivially in this case) 
the access was obtained, the issue is "was that access authorized".

Many apparently stupid things have been built into our computer and 
technology laws.  These often don't actually make much sense if you 
think the objective of such laws should be to encourage data guardians 
to do a better job of their charge, but mostly these laws have been 
made to make it relatively easy to obtain prosecutions.

> Think you could get a theft prosecution for that?

And touche' to Valdis' response making fun of this part of your post 
too!



Regards,

Nick FitzGerald




Re: [Full-disclosure] Congratulations Andrew

2010-06-16 Thread Stephen Mullins
My response to the "Full disclosure is cyber terrorism" thread, which
was unpublished to the list, was:

"I think the ultimate goal is to dissuade people from getting into
hacking at all.  Black hat, white hat, it doesn't matter what you call
yourself if what you're doing is illegal regardless of intent and you
hear a continuous stream of people going to prison in the news.  It's
all fun and games on the internets until you decide to "hack" Sarah
Palin's email and end up in prison with your life irrevocably
destroyed."

"It seems clear that the goal of most legislation regarding "cyber
crime" is to prevent anyone from independently developing the
capability to discover
and disclose secrets through fear of severe penalties while
simultaneously preventing citizens from having the ability to keep
secrets of their own (bans on encryption technology in various
countries).  This does not bode well for a certain kind of personality
type that doesn't like to take "no" for
an answer and has the curiosity and intelligence to dig deeper than
accepting "access denied" as the final answer."

The proof is in the pudding.  The current state of "cyber crime"
legislation amounts to, "do something involving computers that a
powerful interest doesn't like and you will go down -- hard."

Better learn to start taking "no" for an answer.

Steve Mullins

On Wed, Jun 16, 2010 at 11:06 AM,   wrote:
> On Wed, 16 Jun 2010 16:44:06 +0200, "Jan G.B." said:
>
>> Oh and by the way.. he's still lobbying against FD, as you can see here:
>> "Full disclosure is cyber terrorism" =>
>> http://www.securityfocus.com/archive/105/511801/30/0/threaded
>
> Dude needs to learn to be consistent.  Kinda hard to support "FD is cyber
> terrorism" while also whining about overinflated claims of cyberwarfare.
>
> In any case, his basic thesis is flawed. The fact that "most people seem to
> agree with me" doesn't in fact mean it's true, only that most CNet readers are
> just as confused as he is.  Full disclosure is *not* terrorism, any more
> than the weather service issuing a tornado alert is terrorism.  It may mean
> I have more work ahead, but that's true for a tornado alert as well.  And most
> importantly, I'm not terrorized - I'm fully informed and can take actions
> accordingly.  It's *partial* disclosure that's terrorism.
>
> Consider the following two scenarios:
>
> "There are bombs at the following 7 specific locations, set to go off at 4PM
> local time. The trash bin behind 1123 Haymarket, in a box under the steps at
> 904 Maple, (etc etc)"
>
> "The Department of Homeland Security has received information indicating
> an increased threat against buildings that have a 7 in the street address,
> cars with a Q or J in the plate number, and turtles".
>
> Which one scares more people?
>
>
>



Re: [Full-disclosure] Congratulations Andrew

2010-06-16 Thread ghost
To sum up what full-disclosure has become:

random arrested and charged with drug possession = 30+ posts

unreal ircd backdoored = 4? responses.


*sigh*



Re: [Full-disclosure] Congratulations Andrew

2010-06-16 Thread Nick FitzGerald
T Biehn wrote:

> Furthermore if I access an online resource and I notice that the information
> ends and the URL has a &page=1 on the end and no link exists on that page to
> say... &page=2 is that illegal?

IANAL, but I recall a few years back a huge uproar over a case in 
Germany where the ruling effectively was that what you just described 
would be considered "illegal access" (or "unauthorized access" or 
whatever the actual wording of the relevant German law is, translated 
into English).  IIRC, the precise details in that case revolved around 
the technically simpler act of crawling back up the directory tree 
exposed by a publicly disclosed URI.  That is, the judge (??) ruled 
that accessing a URI like:

   http://www.example.com/1/2/

was in breach of whatever law when, in fact, only a URI like:

   http://www.example.com/1/2/3/

or:

   http://www.example.com/1/2/foo.htm

had ever been explicitly published or provided in an authorized page as 
a link.

Again, as I understand that ruling, it effectively said that accessing 
any URI that had not been explicitly published as a link was deemed to 
be unauthorized access.

In and/or from Germany, of course...

> On the same note, if I notice something that looks like a SELECT statement
> in a URL (due to excellent coding) is it illegal for me to modify that
> SELECT statement to return other information?

To _return_ (that is "only read") other data?  That's getting greyer...

However, under most jurisdictions with some legal notion of "authorized 
access" the answer is probably "fairly clearly yes" if you alter such 
URIs in ways that are likely to alter the contents of the database.  
The reasoning here goes something like if you have the ability to 
recognize that that is what those parts of the URI are for, then it is 
likely to be deemed reasonable that you should also understand the 
implications of altering those parts of such a URI.  If you then issue 
a request for such a modified URI that you reasonably should have been 
aware would alter data in whatever database, then you are knowingly 
altering data that you do not know you have authorization to alter (or, 
worse, that you know you do not have authorization to alter).

> Is the legality of access to the resource something that must be explicitly
> granted to me or is it some abstract property depending on the content I've
> accessed? Is it legal to randomly fuzz web service arguments without knowing
> the data that it will return?

Good questions, but in general, in jurisdictions with notions of 
authorized access, you should be very careful with _other people's_ 
data, as it is unlikely the courts will have much sympathy for you 
tweaking anything that is not explicitly "yours", particularly if you 
appear to be aware that accessing or changing someone else's data that 
you reasonably should know you were not entitled to access/change in 
that way was a likely outcome.

That is, just because you can doesn't mean you should...

> Usually systems of this nature will have an EXPLICIT notice that you cannot
> access data on it unless you're authorized OR will require (as it does now)
> authentication.

AFAIK, most "authorized access" type legislation puts the onus _on the 
accessor_ to be _sure_ that they have the proper authority for whatever 
they are doing, and _not_ on the access provider to _prevent_ anything 
but authorized access.

> Did the ICCID count as authentication if it is not explicitly labeled by
> AT&T as such? A field like:
> &password would clearly be illegal to brute force.
> 
> An analogy to a case with CLEARLY AND EXPLICITLY defined law regarding
> private property doesn't really seem to fit.

Sorry -- don't know what US (and even possibly which state) legislation 
would cover this case.  Presumably some ugly intersection of federal 
laws and those of the states where the perpetrator(s) resided 
(and/or obtained access from), the state(s) where the accessed AT&T 
server(s) were, perhaps even the state where AT&T is incorporated 
and/or has its head office, and perhaps even the state(s) where the 
network access services, proxy devices, etc used by the perpetrators 
were?



Regards,

Nick FitzGerald




Re: [Full-disclosure] Congratulations Andrew

2010-06-16 Thread Byron Sonne
> Looks like Andrew/weev/n3td3v finally gets to do what he likes the most
> Performing fellatio on his fellow inmates
> http://www.theregister.co.uk/2010/06/16/auernheimer_arrested/

Oh man, pretty sweet! I've been waiting years to see weev eat a dick,
and the time has come at last.

Maybe there is a god.

-- 
 Byron L. Sonne :: blso...@halvdan.com :: www.halvdan.com
gpg: 0x69D9EAA6, C651 EF07 1298 58B3 615D 4019 E196 BAE1 69D9 EAA6



Re: [Full-disclosure] Introducing TGP...

2010-06-16 Thread Brandon Enright

On Wed, 16 Jun 2010 22:23:04 +
"Thor (Hammer of God)"  wrote:

> > You're using a 1024 bit key here which seems a bit gutsy ;-)
> > 
> > Without better attacks, you basically have:
> > 
> > Brute force AES 256 -> O(2^256)
> > Brute force your 20 char password -> roughly O(2^(20*7)) == O(2^140)
> > Factor your 1024 bit public modulus -> roughly O(2^80)
> > 
> > Since a 768 bit RSA key has already been factored I'd say you only
> > have a few years before a moderately sized cluster could factor
> > your public key.
> > 
> > Of course, as I write this I realize I'm about to sign this message
> > with a 1024 bit DSA key...
> 
> Actually it's 2048, which I was comfortable with.  And don't forget
> the 16bit salt on that password ;)
> 
> t

From your message:

PFJTQUtleVZhbHVlPjxNb2R1bHVzPjJkWVdFWjNNN1R2TXdlV2V4M0ZrWDkxR285bXpWOFp6YkZNQnNVckRtMjNReXZ5dFNhWk0veE5WT3hQTnFwMFhmd0ZZazQvdWpUTnJkOWt0TkRubGN0Y0dFL2hGQ1YzeTJMV0d5L2dTY2hFTUt4bUVjbk80KzVycnJNWnZlaFFmVUE5U1R0bDdWenNOTjJjdnpGOUlRY0lyYzdubHdiZ0JrcnZLNFFIRktVTT08L01vZHVsdXM+PEV4cG9uZW50PkFRQUI8L0V4cG9uZW50PjwvUlNBS2V5VmFsdWU+

Which decodes to:

<RSAKeyValue><Modulus>2dYWEZ3M7TvMweWex3FkX91Go9mzV8ZzbFMBsUrDm23QyvytSaZM/xNVOxPNqp0XfwFYk4/ujTNrd9ktNDnlctcGE/hFCV3y2LWGy/gSchEMKxmEcnO4+5rrrMZvehQfUA9STtl7VzsNN2cvzF9IQcIrc7nlwbgBkrvK4QHFKUM=</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>

So your encrypting exponent is 65537, pretty standard choice.

And your modulus is:

0xd9d616119dcced3bccc1e59ec771645fdd46a3d9b357c6736c5301b14ac39b6dd0cafcad49a64cff13553b13cdaa9d177f0158938fee8d336b77d92d3439e572d70613f845095df2d8b586cbf81272110c2b19847273b8fb9aebacc66f7a141f500f524ed97b573b0d37672fcc5f4841c22b73b9e5c1b80192bbcae101c52943

Which is a 1024 bit number -- roughly 1.53 * 10^308 or 2^1023.7671


Also, the cipher text of your encrypted AES key is 1024 bits --
consistent with being encrypted with 1024 bit RSA.

Finally, your example KeyNaCl:

d9OkMGXGWswbSqhxw2VsUw==

Is 16 bytes, not 16 bits.

A reasonable assumption is that the attackers already have your private
key fob and so they have the salt.  That is, a salt doesn't add to a
brute force complexity when you are attacking just a single password.

Brandon

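The checks walked through in the message above (decode the posted key blob, read off the exponent and modulus size, measure the salt, compare work factors) can be reproduced with a short script. This is an added example, not code from the thread or from TGP: the function names are invented here, the key and salt strings and the 20-character/7-bit password estimate come from the message, and the RSA strength table is the NIST SP 800-57 Part 1 comparable-strength mapping.

```python
import base64
import xml.etree.ElementTree as ET

# Public key blob and example KeyNaCl value, copied from the message above.
PUBLIC_KEY_BLOB = (
    "PFJTQUtleVZhbHVlPjxNb2R1bHVzPjJkWVdFWjNNN1R2TXdlV2V4M0ZrWDkxR285bXpWOFp6"
    "YkZNQnNVckRtMjNReXZ5dFNhWk0veE5WT3hQTnFwMFhmd0ZZazQvdWpUTnJkOWt0TkRubGN0"
    "Y0dFL2hGQ1YzeTJMV0d5L2dTY2hFTUt4bUVjbk80KzVycnJNWnZlaFFmVUE5U1R0bDdWenNO"
    "TjJjdnpGOUlRY0lyYzdubHdiZ0JrcnZLNFFIRktVTT08L01vZHVsdXM+PEV4cG9uZW50PkFR"
    "QUI8L0V4cG9uZW50PjwvUlNBS2V5VmFsdWU+"
)
KEY_SALT_B64 = "d9OkMGXGWswbSqhxw2VsUw=="

# Comparable symmetric strength (bits) per RSA modulus size,
# from NIST SP 800-57 Part 1. Sizes outside the table map to None.
RSA_STRENGTH_BITS = {1024: 80, 2048: 112, 3072: 128}


def _b64_to_int(text):
    """Decode a base64 big-endian integer field from the key XML."""
    return int.from_bytes(base64.b64decode(text, validate=True), "big")


def parse_rsa_key_value(blob_b64):
    """Return (modulus, exponent) from a base64-wrapped <RSAKeyValue> element.

    The blob here is a constant from the page; for untrusted XML use a
    hardened parser such as defusedxml instead of ElementTree.
    """
    root = ET.fromstring(base64.b64decode(blob_b64, validate=True))
    if root.tag != "RSAKeyValue":
        raise ValueError("unexpected root element: %r" % root.tag)
    modulus_text = root.findtext("Modulus")
    exponent_text = root.findtext("Exponent")
    if not modulus_text or not exponent_text:
        raise ValueError("Modulus or Exponent element missing")
    return _b64_to_int(modulus_text), _b64_to_int(exponent_text)


def audit_key_material(blob_b64, salt_b64, password_chars=20,
                       bits_per_char=7, aes_bits=256):
    """Summarise key sizes and name the cheapest component to attack.

    The password estimate (chars * 7 bits) is the upper bound used in the
    message; a salt known to the attacker adds nothing to that figure.
    """
    modulus, exponent = parse_rsa_key_value(blob_b64)
    modulus_bits = modulus.bit_length()
    work = {
        "aes_key": aes_bits,
        "password": password_chars * bits_per_char,
        "rsa_modulus": RSA_STRENGTH_BITS.get(modulus_bits),
    }
    # Only compare components whose strength is known.
    known = {name: bits for name, bits in work.items() if bits is not None}
    weakest = min(known, key=known.get)
    return {
        "modulus": modulus,
        "modulus_bits": modulus_bits,
        "exponent": exponent,
        "salt_bytes": len(base64.b64decode(salt_b64, validate=True)),
        "work_bits": work,
        "weakest": weakest,
    }


if __name__ == "__main__":
    report = audit_key_material(PUBLIC_KEY_BLOB, KEY_SALT_B64)
    print("modulus bits :", report["modulus_bits"])
    print("exponent     :", report["exponent"])
    print("salt bytes   :", report["salt_bytes"])
    print("work factors :", report["work_bits"])
    print("weakest link :", report["weakest"])
```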


Re: [Full-disclosure] Introducing TGP...

2010-06-16 Thread Thor (Hammer of God)
> > You're using a 1024 bit key here which seems a bit gutsy ;-)
> >
> > Without better attacks, you basically have:
> >
> > Brute force AES 256 -> O(2^256)
> > Brute force your 20 char password -> roughly O(2^(20*7)) == O(2^140)
> > Factor your 1024 bit public modulus -> roughly O(2^80)
> >
> > Since a 768 bit RSA key has already been factored I'd say you only
> > have a few years before a moderately sized cluster could factor your
> > public key.
> >
> > Of course, as I write this I realize I'm about to sign this message
> > with a 1024 bit DSA key...
> 
> Actually it's 2048, which I was comfortable with.  And don't forget the 16bit
> salt on that password ;)

I stand corrected-that key was indeed 1024, not 2048.  LSI still has some hope 
in cracking my key and getting that scan of my passport since I used "ancient 
encryption" after all!  FWIW, v1.1.07 actually uses 4096 bit keys, which I will 
update shortly.  Not sure if I'm going to make that configurable or not.  I'm 
thinking no, because there's no real value in using a smaller key in this 
application.

t



Re: [Full-disclosure] yahoomail dom based xss vulnerability

2010-06-16 Thread ㅤ ㅤRockey
Thanks for your information pratul

I do know about DOM and XSS, I wasn't able to reproduce this bug on my end
that's why i requested you to post video on that.

I do agree with vipul that this is not working, and I checked this bug twice
already so i am quite sure about it that this flaw isn't working on
yahoomail. If in case this works then please come up with a POC video :)

Looking forward for your response :)

Cheers,
Rockey

On Tue, Jun 15, 2010 at 10:29 PM, Vipul Agarwal wrote:

> Hello Pratul!
>
> I'm sure that the flaw was working on 13th June when you disclosed it on
> the list.
> But it's not working today and input is being filtered. Please check it out.
>
>
>
> On Wed, Jun 16, 2010 at 9:49 AM, pratul agrawal wrote:
>
>> Thanks Brother,
>>
>>   See, how this occurred, Basically in most of the
>> cases Developers  Simply design a APIs and when the client request for any
>> page this APIs gets Stored in the Client side. its main task is to takes the
>> user input and shows the result immediately  to the client without sending
>> request to the server. so when this type of APIs is vulnerable to XSS this
>> is called the DOM based XSS.
>>
>> Now in this case, when we click on [New Folder] for creating any new
>> folder and provide any javascript, it directly took by the API stored in the
>> client side when the inbox page is load in the client side in yahoomail, and
>> get reflected.
>>
>> that's all the story Bro, hope you understand what i really want to say.
>>
>> Thanks,
>> Pratul Agrawal
>>
>> --- On *Tue, 15/6/10, Benji * wrote:
>>
>>
>> From: Benji 
>>
>> Subject: Re: [Full-disclosure] yahoomail dom based xss vulnerability
>> To: "pratul agrawal" 
>> Cc: "skg...@gmail.com" , "
>> full-disclosure@lists.grok.org.uk" , "
>> secur...@yahoo.com" , "i...@cert-in.org.in" <
>> i...@cert-in.org.in>
>> Date: Tuesday, 15 June, 2010, 9:57 AM
>>
>>
>> Sup bro
>>
>> I waz checkin owt ur javascriptz skriptz and waz wonderin if u cud explain
>> how diz shiz werks.
>>
>> Peaze.
>>
>> Sent from my iPhone
>>
>> On 15 Jun 2010, at 09:18, pratul agrawal wrote:
>>
>> Its working Bro.  I think u had done some mistakes so u try it again with
>> check that javascript execution feature is enable in your browser. and bro
>> for execution of script it is must to use proper syntax that contain special
>> characters. just put ">

[Full-disclosure] How much jail / prison for weev aka Andrew Auernheimer?

2010-06-16 Thread n3ptun3

 

 Hello,

http://freeweev.us/

He does in fact look like a Biblical figure. Wise? We'll see.

It's a great day to see a criminal locked up. It feels elated to be here with 
you. Crime doesn't pay. And there won't be much IRC lulz waiting for our friend 
Mr. Auernheimer. 

3 drug possession felonies. Probable Title 18 USC 1030 charges pending.

How much prison? I hear local courts plea down drug charges like that and do 
funky things. w/ 3 felonies though? Any permanent loss of freedoms?

His first court date is the 18th, what will happen? When will warrant be 
released? When he's presumably arraigned for federal hacking charges?

Thank you.

P.S. Also is there anyone here who has a Starcraft 2 beta key, please send it.



[Full-disclosure] iDefense Security Advisory 06.16.10: Samba 3.3.12 Memory Corruption Vulnerability

2010-06-16 Thread iDefense Labs
iDefense Security Advisory 06.16.10
http://labs.idefense.com/intelligence/vulnerabilities/
Jun 16, 2010

I. BACKGROUND

Samba is an open-source Unix server application used to implement
Windows file sharing and domain controlling functionality. For more
information, please visit: http://www.samba.org

II. DESCRIPTION

Remote exploitation of a buffer overflow vulnerability within Samba
Project's Samba could allow an attacker to execute arbitrary code with
root privileges.

This vulnerability exists in a certain function within Samba, where an
attacker could trigger memory corruption by sending specially crafted
SMB requests, resulting in heap memory being overwritten with
attacker-supplied data, which can allow attackers to execute code
remotely.

III. ANALYSIS

Exploitation allows attackers to execute arbitrary code on the targeted
host with root privileges. To exploit this vulnerability, an attacker
would need to send a malicious SMB packet to a vulnerable Samba server.
It should be noted that this vulnerability affects Samba's default
configuration; no authentication is needed and no user action is
required. Unsuccessful exploitation attempts may cause the process
serving the request to crash and may leave evidence of an attack in
logs.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in Samba
version 3.3.12. Previous versions are suspected to be affected. Samba
3.4.0 and newer versions rewrite the whole logic of the vulnerable
function and thus are not affected by this vulnerability.

V. WORKAROUND

iDefense is currently unaware of any workaround for this issue.
Firewalls should be utilized to prevent unauthorized connections to
samba ports.

VI. VENDOR RESPONSE

Samba has released patches to address this issue. Information about
downloadable vendor updates can be found by clicking on the URL shown.
http://www.samba.org/samba/security/

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2010-2063 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

06/04/2010  Initial Vendor Notification
06/04/2010  Initial Vendor Reply
06/16/2010  Coordinated Public Disclosure

IX. CREDIT

This vulnerability was discovered by Jun Mao, iDefense Labs.


X. LEGAL NOTICES

Copyright © 2010 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerserv...@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
 There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.



Re: [Full-disclosure] Introducing TGP...

2010-06-16 Thread Thor (Hammer of God)
> You're using a 1024 bit key here which seems a bit gutsy ;-)
> 
> Without better attacks, you basically have:
> 
> Brute force AES 256 -> O(2^256)
> Brute force your 20 char password -> roughly O(2^(20*7)) == O(2^140)
> Factor your 1024 bit public modulus -> roughly O(2^80)
> 
> Since a 768 bit RSA key has already been factored I'd say you only have a few
> years before a moderately sized cluster could factor your public key.
> 
> Of course, as I write this I realize I'm about to sign this message with a
> 1024 bit DSA key...

Actually it's 2048, which I was comfortable with.  And don't forget the 16bit 
salt on that password ;)

t



Re: [Full-disclosure] Introducing TGP...

2010-06-16 Thread Brandon Enright

On Mon, 14 Jun 2010 09:52:12 -0700
"Thor (Hammer Of God)"  wrote:

> You don't think I considered it?  Really?  You think that I would go
> through the trouble of designing and implementing a standards based
> encryption application without considering that it could be cracked?
> 
> You are incorrect. I certainly considered it. I just know that when
> brute forcing AES256 becomes feasible, a scan of my passport will be
> the last thing on anyone's mind.

Brute forcing AES256 will never be feasible.  Factoring your RSA key
will be -- soon too.

> 
> How does this differ from SSL, and why do you think I would have to
> be "live on the wire" to crack it?
> 
> If your entire argument is "it can be cracked at some point" then
> you argue against *any* type of encryption.
> 
> Postulative statements in the obvious are a waste of people's time.
> 
> T


You're using a 1024 bit key here which seems a bit gutsy ;-)  

Without better attacks, you basically have:

Brute force AES 256 -> O(2^256)
Brute force your 20 char password -> roughly O(2^(20*7)) == O(2^140)
Factor your 1024 bit public modulus -> roughly O(2^80)

Since a 768 bit RSA key has already been factored I'd say you only have
a few years before a moderately sized cluster could factor your public
key.

Of course, as I write this I realize I'm about to sign this message
with a 1024 bit DSA key...

Brandon



[Full-disclosure] Fwd: Congratulations Andrew

2010-06-16 Thread n3ptun3

 http://sites.google.com/site/n3td3v/

 


 "I watch people  who pose a risk or act a bit weird, and may have a mental 
illness. Some  of them are unpredictable and will do or say anything for 
attention or a  cause."

Naturally.

 

-Original Message-
From: Thor (Hammer of God) 
To: wilder_jeff Wilder ; full-disclosure@lists.grok.org.uk 

Sent: Wed, Jun 16, 2010 7:34 pm
Subject: Re: [Full-disclosure] Congratulations Andrew



By the same logic, then yes you would.  Which is why the statement “if a system 
has no password, then you have a legal right to whatever data is on it” is 
complete horse hockey.  
 
Don’t take technical advice from your lawyer, and don’t take legal advice from 
people on security lists.
 
t
 


From: full-disclosure-boun...@lists.grok.org.uk 
[mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of wilder_jeff 
Wilder
Sent: Wednesday, June 16, 2010 11:56 AM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Congratulations Andrew

 

By that same standard.. if you leave your house unlocked does that give 
someone the right to enter it?

just my thoughts


Date: Wed, 16 Jun 2010 19:58:27 +0200
From: uuf6...@gmail.com
To: tbi...@gmail.com
CC: full-disclosure@lists.grok.org.uk; valdis.kletni...@vt.edu
Subject: Re: [Full-disclosure] Congratulations Andrew

Reminds me of Al Capone and tax evasion ;-)

Good ol' America.





On Wed, Jun 16, 2010 at 7:49 PM, T Biehn  wrote:
Yes.
The FBI was investigating the AT&T incident, presumably the AT&T incident was 
what the fed were serving against.
What possible valid search warrant could be executed? There was no hack, 
breach, illegal access of data, or anything else for that matter.

If you leave a system online with no password which allows you to scrape 
content you have a legal right to scrape that content.

-Travis

 

On Wed, Jun 16, 2010 at 11:10 AM,  wrote:

On Wed, 16 Jun 2010 10:09:22 EDT, T Biehn said:

> I doubt the search warrant will hold up in court.

Do you have any actual basis for saying that?  Sure, the warrant might be
bullshit, it might be solid - the article doesn't give us enough info either
way to tell.

"Auernheimer was also arrested in March for giving a false name to law
enforcement officers responding to a parking complaint."

Sad.  The dude may have the intelligence to pull the hack, but not have the
wisdom to not dig a hole deeper. Just man up and take the frikking parking
ticket. ;)






-- 
FD1D E574 6CAB 2FAF 2921  F22E B8B7 9D0D 99FF A73C
http://pgp.mit.edu:11371/pks/lookup?search=tbiehn&op=index&fingerprint=on
http://pastebin.com/f6fd606da



Re: [Full-disclosure] Congratulations Andrew

2010-06-16 Thread Valdis . Kletnieks
On Wed, 16 Jun 2010 13:51:37 PDT, bk said:

(Yet another person goes off with an analogy without bothering to actually
examine what the statute and case law is in that jurisdiction...)

> It wasn't an unlocked house.  It was a table on the sidewalk with all
> the neighbors' Girlscout cookie order sheets on it.  Someone just
> happened to pickup not only their order sheet, but everyone else's too.
>
> Think you could get a theft prosecution for that?

Never do the DA's work for him.  Do you *really* want for the jury to
associate your client with the idea that it's OK to steal the Girl Scout's
cookie money because it was sitting on the table? :)




[Full-disclosure] [Onapsis Security Advisory 2010-005] SAP J2EE Telnet Administration Security Check Bypass

2010-06-16 Thread Onapsis Research Labs

Onapsis Security Advisory 2010-005: SAP J2EE Telnet Administration Security 
Check Bypass

This advisory can be downloaded in PDF format from 
http://www.onapsis.com/research.html.
By downloading this advisory from the Onapsis Resource Center, you will gain 
access to beforehand information on upcoming advisories, presentations
and new research projects from the Onapsis Research Labs, as well as exclusive 
access to special promotions for upcoming trainings and conferences.


1. Impact on Business
=====================

By exploiting this vulnerability, an internal or external attacker would be 
able to retrieve sensitive technical information from the SAP J2EE system.

This information can be used to replay authentication credentials and perform 
sensitive operations over the SAP landscape, possibly taking remote
control of the affected systems.

- Risk Level: Medium


2. Advisory Information
=======================

- Release Date: 2010-06-16

- Last Revised: 2010-06-16

- Security Advisory ID: ONAPSIS-2010-005

- Onapsis SVS ID: ONAPSIS-3

- Researcher: Mariano Nuñez Di Croce


3. Vulnerability Information
============================

- Vendor: SAP

- Affected Components:

. SAP-JEECOR 6.40
. SAP-JEECOR 7.00
. SAP-JEECOR 7.01
. SAP-JEECOR 7.02
. SERVERCORE 7.10
. SERVERCORE 7.11
. SERVERCORE 7.20
. SERVERCORE 7.30
(Check SAP Note 1425847 for detailed information on affected releases)

- Vulnerability Class: SMB Relay

- Remotely Exploitable: Yes

- Locally Exploitable: Yes

- Authentication Required: Yes

- Original Advisory: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2010-005


4. Affected Components Description
==================================

The SAP J2EE Engine is a key component of the SAP NetWeaver application 
platform, which enables the development and execution of Java solutions in SAP
landscapes.

The J2EE Engine is the component on which, for example, the SAP Enterprise 
Portal solution is built and executed.


5. Vulnerability Details
========================

The J2EE Engine contains a Telnet interface, which enables the administration 
of certain components of the SAP J2EE instances. Due to an error in the
validation of command arguments, it is possible to bypass certain security 
restrictions and perform SMB relay attacks against the system.

Onapsis is not distributing technical details about this issue to the general 
public at this moment in order to provide enough time to affected
customers to patch their systems and protect against the exploitation of the 
described vulnerability.


6. Solution
===========

SAP has released SAP Note 1425847, which provides a patched version of the 
affected components.

This patch can be downloaded from 
https://service.sap.com/sap/support/notes/1425847

Onapsis strongly recommends SAP customers to download the related security fix 
and apply it to the affected components in order to reduce business risks.


7. Report Timeline
==================

. 2009-11-24: Onapsis provides vulnerability information to SAP.
. 2009-11-24: SAP confirms reception of vulnerability submission.
. 2010-05-12: SAP releases security patch.
. 2010-06-16: Onapsis releases security advisory.


About Onapsis Research Labs
===========================

Onapsis is continuously investing resources in the research of the security of 
business critical systems and applications.

With that objective in mind, a special unit – the Onapsis Research Labs – has 
been developed since the creation of the company. The experts involved
in this special team lead the public research trends in this matter, having 
discovered and published many of the public security vulnerabilities in
these platforms.

The outcome of this advanced and cutting-edge research is continuously provided 
to the Onapsis Consulting and Development teams, improving the quality
of our solutions and enabling our customers to be protected from the latest 
risks to their critical business information.

Furthermore, the results of these research projects are usually shared with the 
general security and professional community, encouraging the sharing of
information and increasing the common knowledge in this field.


About Onapsis
=============

Onapsis is the leading provider of solutions for the security of ERP and 
business-critical systems and applications.

Through different innovative products and services, Onapsis helps its global 
customers to effectively increase the security level of their core
business platforms, protecting their information and decreasing financial fraud 
risks.

Onapsis is built upon a team of world-renowned experts in the SAP security 
field, with several years of experience in the assessment and protection of
critical platforms in world-wide customers, such as Fortune-500 companies and 
government

Re: [Full-disclosure] Congratulations Andrew

2010-06-16 Thread bk

On Jun 16, 2010, at 11:56 AM, wilder_jeff Wilder wrote:

> 
> By that same standard.. if you leave your house unlocked does that give 
> someone the right to enter it?
> 
> just my thoughts

Sending from the right account this time...

It wasn't an unlocked house.  It was a table on the sidewalk with all the 
neighbors' Girlscout cookie order sheets on it.  Someone just happened to 
pickup not only their order sheet, but everyone else's too.

Think you could get a theft prosecution for that?

--
chort

Re: [Full-disclosure] Congratulations Andrew

2010-06-16 Thread Thor (Hammer of God)
On all those points, I agree.  But that's the problem - there is no explicit 
granting of rights unless, well, they are explicit.  That's why *I* get to say 
what is legal or not as the owner.

If you telnet to 80 on my box, and type HEAD / HTTP/1.0 then that's fine.  But 
if you type HEAD / HTTP/SIRHACKALOT then I can say you were trying to hack into 
my system.  And I could probably get some DA somewhere who's looking for press 
to buy into it.

That's the real problem here.  It's like Apple having the cops break down the 
door of the journalist who wrote about the phone.  That's Stormtrooper stuff if 
you asked me, but yet, he's got to defend himself against the charges.  And 
that costs money.

Anyway, I agree with you in theory on everything you've said, but the 
unfortunate truth is that your implicit rights to data do not translate 
into explicit.

t

From: T Biehn [mailto:tbi...@gmail.com]
Sent: Wednesday, June 16, 2010 1:18 PM
To: Thor (Hammer of God)
Cc: wilder_jeff Wilder; full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Congratulations Andrew

Let's just call a spade a spade here:
AT&T got butthurt at the media ruin and forced the man to come down hard on 
someone.
A perfect someone to restore public faith in the order of the world was Weev.

So AT&T's lawyers drafted some bum legal pretense under which to raid weev 
looking for some related incriminating content and handed it off to the cops. 
Of course they were going to find something illegal on his premises, have you 
seen half the shit he writes online?

This is another instance of Corporate Policy leading to unjustified Policing 
action; it is the second such occurrence in the past few months. Maybe AT&T 
schooled Apple in mobile networking and in turn Apple schooled AT&T in 
corporate control of public police forces.

-Travis
On Wed, Jun 16, 2010 at 4:12 PM, T Biehn <tbi...@gmail.com> wrote:
Furthermore if I access an online resource and I notice that the information 
ends and the URL has a &page=1 on the end and no link exists on that page to 
say... &page=2 is that illegal?
On the same note, if I notice something that looks like a SELECT statement in a 
URL (due to excellent coding) is it illegal for me to modify that SELECT 
statement to return other information?
Is the legality of access to the resource something that must be explicitly 
granted to me or is it some abstract property depending on the content I've 
accessed? Is it legal to randomly fuzz web service arguments without knowing 
the data that it will return?

Usually systems of this nature will have an EXPLICIT notice that you cannot 
access data on it unless you're authorized OR will require (as it does now) 
authentication.

Did the ICCID count as authentication if it is not explicitly labeled by AT&T 
as such? A field like:
&password would clearly be illegal to brute force.

An analogy to a case with CLEARLY AND EXPLICITLY defined law regarding private 
property doesn't really seem to fit.

-Travis


On Wed, Jun 16, 2010 at 3:58 PM, T Biehn <tbi...@gmail.com> wrote:
So what grants you legal access to aol.com (HTTP port 80 get / )?
I'm confused? Does search engine indexing grant legal access to online 
resources?

-Travis

On Wed, Jun 16, 2010 at 3:34 PM, Thor (Hammer of God) <t...@hammerofgod.com> wrote:
By the same logic, then yes you would.  Which is why the statement "if a system 
has no password, then you have a legal right to whatever data is on it" is 
complete horse hockey.

Don't take technical advice from your lawyer, and don't take legal advice from 
people on security lists.

t

From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of wilder_jeff Wilder
Sent: Wednesday, June 16, 2010 11:56 AM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Congratulations Andrew


By that same standard.. if you leave your house unlocked does that give 
someone the right to enter it?

just my thoughts

Date: Wed, 16 Jun 2010 19:58:27 +0200
From: uuf6...@gmail.com
To: tbi...@gmail.com
CC: full-disclosure@lists.grok.org.uk; valdis.kletni...@vt.edu
Subject: Re: [Full-disclosure] Congratulations Andrew

Reminds me of Al Capone and tax evasion ;-)

Good ol' America.


On Wed, Jun 16, 2010 at 7:49 PM, T Biehn <tbi...@gmail.com> wrote:
Yes.
The FBI was investigating the AT&T incident, presumably the AT&T incident was 
what the fed were serving against.
What possible valid search warrant could be executed? There was no hack, 
breach, illegal access of data, or anything else for that matter.

If you leave a system online with no password w

Re: [Full-disclosure] Congratulations Andrew

2010-06-16 Thread Christian Sciberras
So you're telling us we should all be getting our cupboards filled with
drugs so the next time we deface Whitehouse we get away with *just* drug
trafficking?

I'm not arguing that they were right or not, I'm just saying that a felony
is to be tried, regardless of conditions (it's how democracy should work
anyway).

That said, I also agree, no one should be stupid enough to mess up with
corporate servers and drugs at the same time, especially if s/he knows
they're after him.





On Wed, Jun 16, 2010 at 10:17 PM, T Biehn  wrote:

> Let's just call a spade a spade here:
> AT&T got butthurt at the media ruin and forced the man to come down hard on
> someone.
> A perfect someone to restore public faith in the order of the world was
> Weev.
>
> So AT&T's lawyers drafted some bum legal pretense under which to raid weev
> looking for some related incriminating content and handed it off to the
> cops. Of course they were going to find something illegal on his premises,
> have you seen half the shit he writes online?
>
> This is another instance of Corporate Policy leading to unjustified
> Policing action; it is the second such occurrence in the past few months.
> Maybe AT&T schooled Apple in mobile networking and in turn Apple schooled
> AT&T in corporate control of public police forces.
>
> -Travis
>
>
> On Wed, Jun 16, 2010 at 4:12 PM, T Biehn  wrote:
>
>> Furthermore if I access an online resource and I notice that the
>> information ends and the URL has a &page=1 on the end and no link exists on
>> that page to say... &page=2 is that illegal?
>> On the same note, if I notice something that looks like a SELECT statement
>> in a URL (due to excellent coding) is it illegal for me to modify that
>> SELECT statement to return other information?
>> Is the legality of access to the resource something that must be
>> explicitly granted to me or is it some abstract property depending on the
>> content I've accessed? Is it legal to randomly fuzz web service arguments
>> without knowing the data that it will return?
>>
>> Usually systems of this nature will have an EXPLICIT notice that you
>> cannot access data on it unless you're authorized OR will require (as it
>> does now) authentication.
>>
>> Did the ICCID count as authentication if it is not explicitly labeled by
>> AT&T as such? A field like:
>> &password would clearly be illegal to brute force.
>>
>> An analogy to a case with CLEARLY AND EXPLICITLY defined law regarding
>> private property doesn't really seem to fit.
>>
>> -Travis
>>
>>
>>
>> On Wed, Jun 16, 2010 at 3:58 PM, T Biehn  wrote:
>>
>>> So what grants you legal access to aol.com (HTTP port 80 get / )?
>>> I'm confused? Does search engine indexing grant legal access to online
>>> resources?
>>>
>>> -Travis
>>>
>>>
>>> On Wed, Jun 16, 2010 at 3:34 PM, Thor (Hammer of God) <
>>> t...@hammerofgod.com> wrote:
>>>
>>>> By the same logic, then yes you would.  Which is why the statement “if a
>>>> system has no password, then you have a legal right to whatever data is on
>>>> it” is complete horse hockey.
>>>>
>>>> Don’t take technical advice from your lawyer, and don’t take legal
>>>> advice from people on security lists.
>>>>
>>>> t
>>>>
>>>> *From:* full-disclosure-boun...@lists.grok.org.uk [mailto:
>>>> full-disclosure-boun...@lists.grok.org.uk] *On Behalf Of *wilder_jeff
>>>> Wilder
>>>> *Sent:* Wednesday, June 16, 2010 11:56 AM
>>>> *To:* full-disclosure@lists.grok.org.uk
>>>>
>>>> *Subject:* Re: [Full-disclosure] Congratulations Andrew
>>>>
>>>> By that same standard.. if you leave your house unlocked does that
>>>> give someone the right to enter it?
>>>>
>>>> just my thoughts
>>>> --
>>>>
>>>> Date: Wed, 16 Jun 2010 19:58:27 +0200
>>>> From: uuf6...@gmail.com
>>>> To: tbi...@gmail.com
>>>> CC: full-disclosure@lists.grok.org.uk; valdis.kletni...@vt.edu
>>>> Subject: Re: [Full-disclosure] Congratulations Andrew
>>>>
>>>> Reminds me of Al Capone and tax evasion ;-)
>>>>
>>>> Good ol' America.
>>>>
>>>> On Wed, Jun 16, 2010 at 7:49 PM, T Biehn  wrote:
>>>>
>>>> Yes.
>>>> The FBI was investigating the AT&T incident, presumably the AT&T
>>>> incident was what the fed were serving against.
>>>> What possible valid search warrant could be executed? There was no hack,
>>>> breach, illegal access of data, or anything else for that matter.
>>>>
>>>> If you leave a system online with no password which allows you to scrape
>>>> content you have a legal right to scrape that content.
>>>>
>>>> -Travis
>>>>
>>>> On Wed, Jun 16, 2010 at 11:10 AM,  wrote:
>>>>
>>>> On Wed, 16 Jun 2010 10:09:22 EDT, T Biehn said:
>>>>
>>>> > I doubt the search warrant will hold up in court.
>>>>
>>>> Do you have any actual basis for saying that?  Sure, the warrant might be
>>>> bullshit, it might be solid - the article doesn't give us enough info either
>>>> way to tell.
>>>>
>>>> "Auernheimer was also arrested in March for giving a

Re: [Full-disclosure] Congratulations Andrew

2010-06-16 Thread Thor (Hammer of God)
"Acceptable use" and "reasonable and customary" clauses, plus a host of other 
legal associations.

I'm not disputing the *logic* behind what you are saying - I would have to say 
that I of all people think that if you have a search box, that it is perfectly 
"legal" for me to type 'or 1=1-into it without fear of some whimpering jackass 
calling the cops on you--  I'm just noting that there is *no law* that 
explicitly grants you legal right to data simply because it is not otherwise 
protected.

It was your use of "legal right" that I was disputing.  The unfortunate truth 
is that we live in a world where the owner of the asset, even if they can't 
properly deploy or secure a site, is the one who gets to determine what access 
was being granted, and what access exceeds their intended usage.

Sorry if my "complete horse hockey" response was a bit strong :)
t

From: T Biehn [mailto:tbi...@gmail.com]
Sent: Wednesday, June 16, 2010 12:59 PM
To: Thor (Hammer of God)
Cc: wilder_jeff Wilder; full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Congratulations Andrew

So what grants you legal access to aol.com (HTTP port 80 get / )?
I'm confused? Does search engine indexing grant legal access to online 
resources?

-Travis
On Wed, Jun 16, 2010 at 3:34 PM, Thor (Hammer of God) <t...@hammerofgod.com> wrote:
By the same logic, then yes you would.  Which is why the statement "if a system 
has no password, then you have a legal right to whatever data is on it" is 
complete horse hockey.

Don't take technical advice from your lawyer, and don't take legal advice from 
people on security lists.

t

From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of wilder_jeff Wilder
Sent: Wednesday, June 16, 2010 11:56 AM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Congratulations Andrew


By that same standard.. if you leave your house unlocked does that give 
someone the right to enter it?

just my thoughts

Date: Wed, 16 Jun 2010 19:58:27 +0200
From: uuf6...@gmail.com
To: tbi...@gmail.com
CC: full-disclosure@lists.grok.org.uk; valdis.kletni...@vt.edu
Subject: Re: [Full-disclosure] Congratulations Andrew

Reminds me of Al Capone and tax evasion ;-)

Good ol' America.


On Wed, Jun 16, 2010 at 7:49 PM, T Biehn <tbi...@gmail.com> wrote:
Yes.
The FBI was investigating the AT&T incident, presumably the AT&T incident was 
what the fed were serving against.
What possible valid search warrant could be executed? There was no hack, 
breach, illegal access of data, or anything else for that matter.

If you leave a system online with no password which allows you to scrape 
content you have a legal right to scrape that content.

-Travis

On Wed, Jun 16, 2010 at 11:10 AM, <valdis.kletni...@vt.edu> wrote:
On Wed, 16 Jun 2010 10:09:22 EDT, T Biehn said:

> I doubt the search warrant will hold up in court.
Do you have any actual basis for saying that?  Sure, the warrant might be
bullshit, it might be solid - the article doesn't give us enough info either
way to tell.

"Auernheimer was also arrested in March for giving a false name to law
enforcement officers responding to a parking complaint."

Sad.  The dude may have the intelligence to pull the hack, but not have the
wisdom to not dig a hole deeper. Just man up and take the frikking parking
ticket. ;)


--
FD1D E574 6CAB 2FAF 2921  F22E B8B7 9D0D 99FF A73C
http://pgp.mit.edu:11371/pks/lookup?search=tbiehn&op=index&fingerprint=on
http://pastebin.com/f6fd606da




--
FD1D E574 6CAB 2FAF 2921  F22E B8B7 9D0D 99FF A73C
http://pgp.mit.edu:11371/pks/lookup?search=tbiehn&op=index&fingerprint=on
http://pastebin.com/f6fd606da

Re: [Full-disclosure] Congratulations Andrew

2010-06-16 Thread T Biehn
Let's just call a spade a spade here:
AT&T got butthurt at the media ruin and forced the man to come down hard on
someone.
A perfect someone to restore public faith in the order of the world was
Weev.

So AT&T's lawyers drafted some bum legal pretense under which to raid weev
looking for some related incriminating content and handed it off to the
cops. Of course they were going to find something illegal on his premises,
have you seen half the shit he writes online?

This is another instance of Corporate Policy leading to unjustified Policing
action; it is the second such occurrence in the past few months. Maybe AT&T
schooled Apple in mobile networking and in turn Apple schooled AT&T in
corporate control of public police forces.

-Travis

On Wed, Jun 16, 2010 at 4:12 PM, T Biehn  wrote:

> Furthermore if I access an online resource and I notice that the
> information ends and the URL has a &page=1 on the end and no link exists on
> that page to say... &page=2 is that illegal?
> On the same note, if I notice something that looks like a SELECT statement
> in a URL (due to excellent coding) is it illegal for me to modify that
> SELECT statement to return other information?
> Is the legality of access to the resource something that must be explicitly
> granted to me or is it some abstract property depending on the content I've
> accessed? Is it legal to randomly fuzz web service arguments without knowing
> the data that it will return?
>
> Usually systems of this nature will have an EXPLICIT notice that you cannot
> access data on it unless you're authorized OR will require (as it does now)
> authentication.
>
> Did the ICCID count as authentication if it is not explicitly labeled by
> AT&T as such? A field like:
> &password would clearly be illegal to brute force.
>
> An analogy to a case with CLEARLY AND EXPLICITLY defined law regarding
> private property doesn't really seem to fit.
>
> -Travis
>
>
>
> On Wed, Jun 16, 2010 at 3:58 PM, T Biehn  wrote:
>
>> So what grants you legal access to aol.com (HTTP port 80 get / )?
>> I'm confused? Does search engine indexing grant legal access to online
>> resources?
>>
>> -Travis
>>
>>
>> On Wed, Jun 16, 2010 at 3:34 PM, Thor (Hammer of God) <
>> t...@hammerofgod.com> wrote:
>>
>>> By the same logic, then yes you would.  Which is why the statement “if a
>>> system has no password, then you have a legal right to whatever data is on
>>> it” is complete horse hockey.
>>>
>>>
>>>
>>> Don’t take technical advice from your lawyer, and don’t take legal advice
>>> from people on security lists.
>>>
>>>
>>>
>>> t
>>>
>>>
>>>
>>> *From:* full-disclosure-boun...@lists.grok.org.uk [mailto:
>>> full-disclosure-boun...@lists.grok.org.uk] *On Behalf Of *wilder_jeff
>>> Wilder
>>> *Sent:* Wednesday, June 16, 2010 11:56 AM
>>> *To:* full-disclosure@lists.grok.org.uk
>>>
>>> *Subject:* Re: [Full-disclosure] Congratulations Andrew
>>>
>>>
>>>
>>>
>>> By that same standard.. if you leave your house unlocked does that
>>> give someone the right to enter it?
>>>
>>> just my thoughts
>>> --
>>>
>>> Date: Wed, 16 Jun 2010 19:58:27 +0200
>>> From: uuf6...@gmail.com
>>> To: tbi...@gmail.com
>>> CC: full-disclosure@lists.grok.org.uk; valdis.kletni...@vt.edu
>>> Subject: Re: [Full-disclosure] Congratulations Andrew
>>>
>>> Reminds me of Al Capone and tax evasion ;-)
>>>
>>> Good ol' America.
>>>
>>>
>>>
>>> On Wed, Jun 16, 2010 at 7:49 PM, T Biehn  wrote:
>>>
>>> Yes.
>>> The FBI was investigating the AT&T incident, presumably the AT&T incident
>>> was what the fed were serving against.
>>> What possible valid search warrant could be executed? There was no hack,
>>> breach, illegal access of data, or anything else for that matter.
>>>
>>> If you leave a system online with no password which allows you to scrape
>>> content you have a legal right to scrape that content.
>>>
>>> -Travis
>>>
>>>
>>>
>>> On Wed, Jun 16, 2010 at 11:10 AM,  wrote:
>>>
>>> On Wed, 16 Jun 2010 10:09:22 EDT, T Biehn said:
>>>
>>> > I doubt the search warrant will hold up in court.
>>>
>>> Do you have any actual basis for saying that?  Sure, the warrant might be
>>> bullshit, it might be solid - the article doesn't give us enough info
>>> either
>>> way to tell.
>>>
>>> "Auernheimer was also arrested in March for giving a false name to law
>>> enforcement officers responding to a parking complaint."
>>>
>>> Sad.  The dude may have the intelligence to pull the hack, but not have
>>> the
>>> wisdom to not dig a hole deeper. Just man up and take the frikking
>>> parking
>>> ticket. ;)
>>>
>>>
>>>
>>> --
>>> FD1D E574 6CAB 2FAF 2921  F22E B8B7 9D0D 99FF A73C
>>> http://pgp.mit.edu:11371/pks/lookup?search=tbiehn&op=index&fingerprint=on
>>> http://pastebin.com/f6fd606da
>>>
>>>
>>>
>>>
>

Re: [Full-disclosure] Congratulations Andrew

2010-06-16 Thread T Biehn
Furthermore if I access an online resource and I notice that the information
ends and the URL has a &page=1 on the end and no link exists on that page to
say... &page=2 is that illegal?
On the same note, if I notice something that looks like a SELECT statement
in a URL (due to excellent coding) is it illegal for me to modify that
SELECT statement to return other information?
Is the legality of access to the resource something that must be explicitly
granted to me or is it some abstract property depending on the content I've
accessed? Is it legal to randomly fuzz web service arguments without knowing
the data that it will return?

Usually systems of this nature will have an EXPLICIT notice that you cannot
access data on it unless you're authorized OR will require (as it does now)
authentication.

Did the ICCID count as authentication if it is not explicitly labeled by
AT&T as such? A field like:
&password would clearly be illegal to brute force.

An analogy to a case with CLEARLY AND EXPLICITLY defined law regarding
private property doesn't really seem to fit.

-Travis


On Wed, Jun 16, 2010 at 3:58 PM, T Biehn  wrote:

> So what grants you legal access to aol.com (HTTP port 80 get / )?
> I'm confused? Does search engine indexing grant legal access to online
> resources?
>
> -Travis
>
>
> On Wed, Jun 16, 2010 at 3:34 PM, Thor (Hammer of God) <
> t...@hammerofgod.com> wrote:
>
>> By the same logic, then yes you would.  Which is why the statement “if a
>> system has no password, then you have a legal right to whatever data is on
>> it” is complete horse hockey.
>>
>>
>>
>> Don’t take technical advice from your lawyer, and don’t take legal advice
>> from people on security lists.
>>
>>
>>
>> t
>>
>>
>>
>> *From:* full-disclosure-boun...@lists.grok.org.uk [mailto:
>> full-disclosure-boun...@lists.grok.org.uk] *On Behalf Of *wilder_jeff
>> Wilder
>> *Sent:* Wednesday, June 16, 2010 11:56 AM
>> *To:* full-disclosure@lists.grok.org.uk
>>
>> *Subject:* Re: [Full-disclosure] Congratulations Andrew
>>
>>
>>
>>
>> By that same standard.. if you leave your house unlocked does that
>> give someone the right to enter it?
>>
>> just my thoughts
>> --
>>
>> Date: Wed, 16 Jun 2010 19:58:27 +0200
>> From: uuf6...@gmail.com
>> To: tbi...@gmail.com
>> CC: full-disclosure@lists.grok.org.uk; valdis.kletni...@vt.edu
>> Subject: Re: [Full-disclosure] Congratulations Andrew
>>
>> Reminds me of Al Capone and tax evasion ;-)
>>
>> Good ol' America.
>>
>>
>>
>> On Wed, Jun 16, 2010 at 7:49 PM, T Biehn  wrote:
>>
>> Yes.
>> The FBI was investigating the AT&T incident, presumably the AT&T incident
>> was what the fed were serving against.
>> What possible valid search warrant could be executed? There was no hack,
>> breach, illegal access of data, or anything else for that matter.
>>
>> If you leave a system online with no password which allows you to scrape
>> content you have a legal right to scrape that content.
>>
>> -Travis
>>
>>
>>
>> On Wed, Jun 16, 2010 at 11:10 AM,  wrote:
>>
>> On Wed, 16 Jun 2010 10:09:22 EDT, T Biehn said:
>>
>> > I doubt the search warrant will hold up in court.
>>
>> Do you have any actual basis for saying that?  Sure, the warrant might be
>> bullshit, it might be solid - the article doesn't give us enough info
>> either
>> way to tell.
>>
>> "Auernheimer was also arrested in March for giving a false name to law
>> enforcement officers responding to a parking complaint."
>>
>> Sad.  The dude may have the intelligence to pull the hack, but not have
>> the
>> wisdom to not dig a hole deeper. Just man up and take the frikking parking
>> ticket. ;)
>>
>>
>>
>> --
>> FD1D E574 6CAB 2FAF 2921  F22E B8B7 9D0D 99FF A73C
>> http://pgp.mit.edu:11371/pks/lookup?search=tbiehn&op=index&fingerprint=on
>> http://pastebin.com/f6fd606da
>>
>>
>>
>
>
>
> --
> FD1D E574 6CAB 2FAF 2921  F22E B8B7 9D0D 99FF A73C
> http://pgp.mit.edu:11371/pks/lookup?search=tbiehn&op=index&fingerprint=on
> http://pastebin.com/f6fd606da
>



-- 
FD1D E574 6CAB 2FAF 2921  F22E B8B7 9D0D 99FF A73C
http://pgp.mit.edu:11371/pks/lookup?search=tbiehn&op=index&fingerprint=on
http://pastebin.com/f6fd606da

Re: [Full-disclosure] Congratulations Andrew

2010-06-16 Thread Michael Holstein

> So what grants you legal access to aol.com (HTTP port 80 get / )?
> I'm confused? Does search engine indexing grant legal access to online
> resources?
>
>   

The activity in question (sequentially guessing serial numbers and
submitting them to a form) is more like SSH brute-force than it is to
stumble upon a random HTTP site with no authentication.

Having a bunch of drugs laying about when $agency comes to ask about it
.. also a bad idea.

My $0.02, IANAL, etc.

Michael Holstein
Cleveland State University



Re: [Full-disclosure] Congratulations Andrew

2010-06-16 Thread gillis jones
Typically I just lurk and watch the much more opinionated of the list
discuss. However,


I'm gunna disagree here, if you put something up on a publicly facing
webpage, and it's supposed to be confidential information. It sure as hell
better have a non-default password, let alone a password period! It would be
like the military putting up confidential battle plans online w/o a barrier
and expecting the enemy not to use them. It's simply idiotic, and ridiculous
to try and prosecute someone for your idiocy.

Now that I've said my two cents, I'm going to sink back into the depths.

On Wed, Jun 16, 2010 at 11:34 AM, Thor (Hammer of God)  wrote:

>  By the same logic, then yes you would.  Which is why the statement “if a
> system has no password, then you have a legal right to whatever data is on
> it” is complete horse hockey.
>
>
>
> Don’t take technical advice from your lawyer, and don’t take legal advice
> from people on security lists.
>
>
>
> t
>
>
>
> *From:* full-disclosure-boun...@lists.grok.org.uk [mailto:
> full-disclosure-boun...@lists.grok.org.uk] *On Behalf Of *wilder_jeff
> Wilder
> *Sent:* Wednesday, June 16, 2010 11:56 AM
> *To:* full-disclosure@lists.grok.org.uk
>
> *Subject:* Re: [Full-disclosure] Congratulations Andrew
>
>
>
>
> By that same standard.. if you leave your house unlocked does that give
> someone the right to enter it?
>
> just my thoughts
>  --
>
> Date: Wed, 16 Jun 2010 19:58:27 +0200
> From: uuf6...@gmail.com
> To: tbi...@gmail.com
> CC: full-disclosure@lists.grok.org.uk; valdis.kletni...@vt.edu
> Subject: Re: [Full-disclosure] Congratulations Andrew
>
> Reminds me of Al Capone and tax evasion ;-)
>
> Good ol' America.
>
>
>
>  On Wed, Jun 16, 2010 at 7:49 PM, T Biehn  wrote:
>
> Yes.
> The FBI was investigating the AT&T incident, presumably the AT&T incident
> was what the fed were serving against.
> What possible valid search warrant could be executed? There was no hack,
> breach, illegal access of data, or anything else for that matter.
>
> If you leave a system online with no password which allows you to scrape
> content you have a legal right to scrape that content.
>
> -Travis
>
>
>
> On Wed, Jun 16, 2010 at 11:10 AM,  wrote:
>
> On Wed, 16 Jun 2010 10:09:22 EDT, T Biehn said:
>
> > I doubt the search warrant will hold up in court.
>
> Do you have any actual basis for saying that?  Sure, the warrant might be
> bullshit, it might be solid - the article doesn't give us enough info
> either
> way to tell.
>
> "Auernheimer was also arrested in March for giving a false name to law
> enforcement officers responding to a parking complaint."
>
> Sad.  The dude may have the intelligence to pull the hack, but not have the
> wisdom to not dig a hole deeper. Just man up and take the frikking parking
> ticket. ;)
>
>
>
>  --
> FD1D E574 6CAB 2FAF 2921  F22E B8B7 9D0D 99FF A73C
> http://pgp.mit.edu:11371/pks/lookup?search=tbiehn&op=index&fingerprint=on
> http://pastebin.com/f6fd606da
>
>

Re: [Full-disclosure] Congratulations Andrew

2010-06-16 Thread T Biehn
So what grants you legal access to aol.com (HTTP port 80 get / )?
I'm confused? Does search engine indexing grant legal access to online
resources?

-Travis

On Wed, Jun 16, 2010 at 3:34 PM, Thor (Hammer of God)
wrote:

> By the same logic, then yes you would.  Which is why the statement “if a
> system has no password, then you have a legal right to whatever data is on
> it” is complete horse hockey.
>
>
>
> Don’t take technical advice from your lawyer, and don’t take legal advice
> from people on security lists.
>
>
>
> t
>
>
>
> *From:* full-disclosure-boun...@lists.grok.org.uk [mailto:
> full-disclosure-boun...@lists.grok.org.uk] *On Behalf Of *wilder_jeff
> Wilder
> *Sent:* Wednesday, June 16, 2010 11:56 AM
> *To:* full-disclosure@lists.grok.org.uk
>
> *Subject:* Re: [Full-disclosure] Congratulations Andrew
>
>
>
>
> By that same standard.. if you leave your house unlocked does that give
> someone the right to enter it?
>
> just my thoughts
> --
>
> Date: Wed, 16 Jun 2010 19:58:27 +0200
> From: uuf6...@gmail.com
> To: tbi...@gmail.com
> CC: full-disclosure@lists.grok.org.uk; valdis.kletni...@vt.edu
> Subject: Re: [Full-disclosure] Congratulations Andrew
>
> Reminds me of Al Capone and tax evasion ;-)
>
> Good ol' America.
>
>
>
> On Wed, Jun 16, 2010 at 7:49 PM, T Biehn  wrote:
>
> Yes.
> The FBI was investigating the AT&T incident, presumably the AT&T incident
> was what the fed were serving against.
> What possible valid search warrant could be executed? There was no hack,
> breach, illegal access of data, or anything else for that matter.
>
> If you leave a system online with no password which allows you to scrape
> content you have a legal right to scrape that content.
>
> -Travis
>
>
>
> On Wed, Jun 16, 2010 at 11:10 AM,  wrote:
>
> On Wed, 16 Jun 2010 10:09:22 EDT, T Biehn said:
>
> > I doubt the search warrant will hold up in court.
>
> Do you have any actual basis for saying that?  Sure, the warrant might be
> bullshit, it might be solid - the article doesn't give us enough info
> either
> way to tell.
>
> "Auernheimer was also arrested in March for giving a false name to law
> enforcement officers responding to a parking complaint."
>
> Sad.  The dude may have the intelligence to pull the hack, but not have the
> wisdom to not dig a hole deeper. Just man up and take the frikking parking
> ticket. ;)
>
>
>
> --
> FD1D E574 6CAB 2FAF 2921  F22E B8B7 9D0D 99FF A73C
> http://pgp.mit.edu:11371/pks/lookup?search=tbiehn&op=index&fingerprint=on
> http://pastebin.com/f6fd606da
>
>



-- 
FD1D E574 6CAB 2FAF 2921  F22E B8B7 9D0D 99FF A73C
http://pgp.mit.edu:11371/pks/lookup?search=tbiehn&op=index&fingerprint=on
http://pastebin.com/f6fd606da

Re: [Full-disclosure] Congratulations Andrew

2010-06-16 Thread Darryl Jones
On Wed, 16 Jun 2010 16:44:06 +0200, "Jan G.B." said:

> Oh and by the way.. he's still lobbying against FD, as you can see here:
> "Full disclosure is cyber terrorism" =>
> http://www.securityfocus.com/archive/105/511801/30/0/threaded

Yes, he is surely on crack, or some other white substance. I'm going to stick 
my neck out here and say that there are likely many people on the list who work 
in various government, be it national or federal, state, regional or local 
agencies, who wouldn't be associated with FD if it was a cyber terror list. 
Admittedly, FD is a mere shadow of what it was between 04 and 06, but it's 
still completely useful and relevant. Except, of course, for the Andrews of 
this world ==D



Re: [Full-disclosure] Congratulations Andrew

2010-06-16 Thread Thor (Hammer of God)
By the same logic, then yes you would.  Which is why the statement "if a system 
has no password, then you have a legal right to whatever data is on it" is 
complete horse hockey.

Don't take technical advice from your lawyer, and don't take legal advice from 
people on security lists.

t

From: full-disclosure-boun...@lists.grok.org.uk 
[mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of wilder_jeff 
Wilder
Sent: Wednesday, June 16, 2010 11:56 AM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Congratulations Andrew


By that same standard.. if you leave your house unlocked does that give 
someone the right to enter it?

just my thoughts

Date: Wed, 16 Jun 2010 19:58:27 +0200
From: uuf6...@gmail.com
To: tbi...@gmail.com
CC: full-disclosure@lists.grok.org.uk; valdis.kletni...@vt.edu
Subject: Re: [Full-disclosure] Congratulations Andrew

Reminds me of Al Capone and tax evasion ;-)

Good ol' America.



On Wed, Jun 16, 2010 at 7:49 PM, T Biehn <tbi...@gmail.com> wrote:
Yes.
The FBI was investigating the AT&T incident, presumably the AT&T incident was 
what the fed were serving against.
What possible valid search warrant could be executed? There was no hack, 
breach, illegal access of data, or anything else for that matter.

If you leave a system online with no password which allows you to scrape 
content you have a legal right to scrape that content.

-Travis

On Wed, Jun 16, 2010 at 11:10 AM, <valdis.kletni...@vt.edu> wrote:
On Wed, 16 Jun 2010 10:09:22 EDT, T Biehn said:

> I doubt the search warrant will hold up in court.
Do you have any actual basis for saying that?  Sure, the warrant might be
bullshit, it might be solid - the article doesn't give us enough info either
way to tell.

"Auernheimer was also arrested in March for giving a false name to law
enforcement officers responding to a parking complaint."

Sad.  The dude may have the intelligence to pull the hack, but not have the
wisdom to not dig a hole deeper. Just man up and take the frikking parking
ticket. ;)


--
FD1D E574 6CAB 2FAF 2921  F22E B8B7 9D0D 99FF A73C
http://pgp.mit.edu:11371/pks/lookup?search=tbiehn&op=index&fingerprint=on
http://pastebin.com/f6fd606da


[Full-disclosure] ZDI-10-110: Adobe Flash Player Multiple Tag JPEG Parsing Remote Code Execution Vulnerability

2010-06-16 Thread ZDI Disclosures
ZDI-10-110: Adobe Flash Player Multiple Tag JPEG Parsing Remote Code Execution 
Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-110
June 16, 2010

-- CVE ID:
CVE-2010-2171

-- Affected Vendors:
Adobe

-- Affected Products:
Adobe Flash Player

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Adobe Flash Player. User interaction is
required in that a target must visit a malicious website.

The specific flaw exists within the code for parsing embedded image data
within SWF files. The DefineBits tag and several of its variations are
prone to a parsing issue while handling JPEG data. Specifically, the
vulnerability is due to decompression routines that do not validate
image dimensions sufficiently before performing operations on heap
memory. An attacker can exploit this vulnerability to execute arbitrary
code under the context of the user running the browser.

-- Vendor Response:
Adobe has issued an update to correct this vulnerability. More
details can be found at:

http://www.adobe.com/support/security/bulletins/apsb10-14.html

-- Disclosure Timeline:
2010-06-08 - Vulnerability reported to vendor
2010-06-16 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Anonymous
* Tielei Wang, from ICST-ERCIS, Peking University

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents 
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter:

http://twitter.com/thezdi


[Full-disclosure] ZDI-10-109: Adobe Flash Player Multiple Atom MP4 Parsing Remote Code Execution Vulnerability

2010-06-16 Thread ZDI Disclosures
ZDI-10-109: Adobe Flash Player Multiple Atom MP4 Parsing Remote Code Execution 
Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-109
June 16, 2010

-- CVE ID:
CVE-2010-2162

-- Affected Vendors:
Adobe

-- Affected Products:
Adobe Flash Player

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 9397. 
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows attackers to execute arbitrary code on
vulnerable installations of the Adobe Flash Player. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.

The specific flaw exists within the code responsible for parsing
embedded MP4 files. When handling the STSC, STSZ, and STCO atoms the
player can be made to improperly calculate length values later used as
size parameters during memory copy operations. By providing a specially
crafted file an attacker can corrupt heap memory and execute arbitrary
code under the context of the currently logged in user.

-- Vendor Response:
Adobe has issued an update to correct this vulnerability. More
details can be found at:

http://www.adobe.com/support/security/bulletins/apsb10-14.html

-- Disclosure Timeline:
2009-10-27 - Vulnerability reported to vendor
2010-06-16 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Damian Put

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents 
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter:

http://twitter.com/thezdi
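
The flaws described in ZDI-10-110 (image dimensions) and ZDI-10-109 (STSC/STSZ/STCO length values) both come from trusting a file-supplied count or dimension when sizing a heap operation. The C below is an added example, not Adobe's code and not part of either advisory; the limits, function names and sample payloads are assumptions constructed for illustration, and the 'stsz' field layout follows the ISO base media file format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical limits chosen for this example, not taken from any real player. */
#define MAX_IMAGE_BYTES  ((size_t)64 * 1024 * 1024)
#define MAX_STSZ_ENTRIES ((uint32_t)1 << 20)

struct stsz_table {
    uint32_t  fixed_size;  /* non-zero: every sample has this size, entries == NULL */
    uint32_t  count;       /* number of samples */
    uint32_t *entries;     /* per-sample sizes when fixed_size == 0 */
};

/* Multiply two sizes, reporting failure instead of wrapping around. */
static int mul_size(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return -1;
    *out = a * b;
    return 0;
}

/* Bytes needed for a decoded image, or 0 if the dimensions are unusable. */
size_t image_buffer_size(uint32_t width, uint32_t height, uint32_t bytes_per_pixel)
{
    size_t row, total;

    if (width == 0 || height == 0 || bytes_per_pixel == 0)
        return 0;
    if (mul_size(width, bytes_per_pixel, &row) != 0 ||
        mul_size(row, height, &total) != 0 ||
        total > MAX_IMAGE_BYTES)
        return 0;
    return total;
}

/* Read a big-endian 32-bit value. */
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/*
 * Parse an 'stsz' payload (the bytes after the 8-byte atom header):
 *   version/flags (4) | sample_size (4) | sample_count (4) | entry sizes (4 each)
 * Returns 0 on success, -1 on malformed input. The declared count is checked
 * against both a hard limit and the bytes actually present before any
 * allocation or copy takes place.
 */
int parse_stsz(const uint8_t *payload, size_t len, struct stsz_table *out)
{
    uint32_t fixed, count, i;
    size_t table_bytes;

    memset(out, 0, sizeof *out);
    if (payload == NULL || len < 12)
        return -1;
    fixed = be32(payload + 4);
    count = be32(payload + 8);
    if (fixed == 0 && count != 0) {
        if (count > MAX_STSZ_ENTRIES ||
            mul_size(count, sizeof(uint32_t), &table_bytes) != 0 ||
            table_bytes > len - 12)
            return -1;
        out->entries = malloc(table_bytes);
        if (out->entries == NULL)
            return -1;
        for (i = 0; i < count; i++)
            out->entries[i] = be32(payload + 12 + (size_t)i * 4);
    }
    out->fixed_size = fixed;
    out->count = count;
    return 0;
}

int main(void)
{
    /* Constructed payload: sample_size = 0, sample_count = 2, sizes 100 and 200. */
    static const uint8_t good[] = {0,0,0,0, 0,0,0,0, 0,0,0,2, 0,0,0,100, 0,0,0,200};
    /* Constructed payload: count 0x40000001 backed by a single entry. */
    static const uint8_t bad[]  = {0,0,0,0, 0,0,0,0, 0x40,0,0,1, 0,0,0,1};
    struct stsz_table t;

    printf("good table: %d\n", parse_stsz(good, sizeof good, &t));
    free(t.entries);
    printf("bad table:  %d\n", parse_stsz(bad, sizeof bad, &t));
    printf("640x480x4:     %lu bytes\n", (unsigned long)image_buffer_size(640, 480, 4));
    printf("65535x65535x4: %lu bytes\n", (unsigned long)image_buffer_size(65535, 65535, 4));
    return 0;
}
```

On a 32-bit build the constructed count 0x40000001 multiplied by 4 wraps to 4, which is why the count is checked before the multiplication result is used.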


Re: [Full-disclosure] Congratulations Andrew

2010-06-16 Thread wilder_jeff Wilder


By that same standard.. if you leave your house unlocked does that give 
someone the right to enter it?

just my thoughts

Date: Wed, 16 Jun 2010 19:58:27 +0200
From: uuf6...@gmail.com
To: tbi...@gmail.com
CC: full-disclosure@lists.grok.org.uk; valdis.kletni...@vt.edu
Subject: Re: [Full-disclosure] Congratulations Andrew

Reminds me of Al Capone and tax evasion ;-)

Good ol' America.





On Wed, Jun 16, 2010 at 7:49 PM, T Biehn  wrote:

Yes.
The FBI was investigating the AT&T incident, presumably the AT&T incident was 
what the fed were serving against.

What possible valid search warrant could be executed? There was no hack, 
breach, illegal access of data, or anything else for that matter.


If you leave a system online with no password which allows you to scrape 
content you have a legal right to scrape that content.

-Travis

On Wed, Jun 16, 2010 at 11:10 AM,   wrote:


On Wed, 16 Jun 2010 10:09:22 EDT, T Biehn said:

> I doubt the search warrant will hold up in court.

Do you have any actual basis for saying that?  Sure, the warrant might be
bullshit, it might be solid - the article doesn't give us enough info either
way to tell.

"Auernheimer was also arrested in March for giving a false name to law
enforcement officers responding to a parking complaint."

Sad.  The dude may have the intelligence to pull the hack, but not have the
wisdom to not dig a hole deeper. Just man up and take the frikking parking
ticket. ;)

-- 
FD1D E574 6CAB 2FAF 2921  F22E B8B7 9D0D 99FF A73C
http://pgp.mit.edu:11371/pks/lookup?search=tbiehn&op=index&fingerprint=on
http://pastebin.com/f6fd606da



[Full-disclosure] ZDI-10-108: HP OpenView NNM ovwebsnmpsrv.exe Command Line Argument Remote Code Execution Vulnerability

2010-06-16 Thread ZDI Disclosures
ZDI-10-108: HP OpenView NNM ovwebsnmpsrv.exe Command Line Argument Remote Code 
Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-108
June 16, 2010

-- CVE ID:
CVE-2010-1964

-- Affected Vendors:
Hewlett-Packard

-- Affected Products:
Hewlett-Packard OpenView Network Node Manager

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 9283. 
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Hewlett-Packard OpenView Network Node
Manager. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the ovwebsnmpsrv.exe process which can
be reached remotely through the jovgraph.exe CGI program. By supplying
overly large values to variables passed through an HTTP request a strcpy
call within the main() function can be made to overflow a static buffer.
An attacker can leverage this to execute arbitrary code under the
context of the user running the webserver.

-- Vendor Response:
Hewlett-Packard has issued an update to correct this vulnerability. More
details can be found at:

http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02217439

-- Disclosure Timeline:
2010-02-02 - Vulnerability reported to vendor
2010-06-16 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Anonymous

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents 
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter:

http://twitter.com/thezdi
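
The flaw class in ZDI-10-108, an unbounded strcpy of a request variable into a static buffer, is shown here beside a bounded alternative. This C is an added example, not HP's code and not part of the advisory; the buffer size, function names and query variables are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define VAR_BUF_LEN 64            /* hypothetical size; the advisory gives none */

static char g_var[VAR_BUF_LEN];   /* fixed-size static destination */

/* The pattern the advisory describes: an unbounded copy into a static buffer.
 * Kept for contrast only; it writes past g_var when strlen(value) >= VAR_BUF_LEN. */
void store_var_unchecked(const char *value)
{
    strcpy(g_var, value);
}

/* Bounded copy: returns 0 on success, -1 if value is NULL or does not fit.
 * Oversized input is rejected rather than truncated, so the caller never
 * continues with a value that differs from what the client sent. */
int store_var_checked(char *dst, size_t dst_len, const char *value)
{
    const char *end;

    if (dst == NULL || dst_len == 0 || value == NULL)
        return -1;
    end = memchr(value, '\0', dst_len);   /* scans at most dst_len bytes */
    if (end == NULL)
        return -1;                        /* no terminator within the buffer size */
    memcpy(dst, value, (size_t)(end - value) + 1);
    return 0;
}

/* Extract the value of "name" from a query string such as "a=1&b=2" into dst,
 * applying the same bound. Returns 0 on success, -1 if missing or oversized. */
int query_var(const char *query, const char *name, char *dst, size_t dst_len)
{
    size_t name_len = strlen(name);
    const char *p = query;

    while (p != NULL && *p != '\0') {
        const char *amp = strchr(p, '&');
        size_t field_len = amp ? (size_t)(amp - p) : strlen(p);

        if (field_len > name_len && strncmp(p, name, name_len) == 0 &&
            p[name_len] == '=') {
            size_t val_len = field_len - name_len - 1;
            if (dst_len == 0 || val_len >= dst_len)
                return -1;                /* value would not fit with its terminator */
            memcpy(dst, p + name_len + 1, val_len);
            dst[val_len] = '\0';
            return 0;
        }
        p = amp ? amp + 1 : NULL;
    }
    return -1;
}

int main(void)
{
    /* Constructed query strings; the variable names are made up for the example. */
    char out[8];
    printf("fits:      %d\n", query_var("host=10.0.0.1&oid=sysName", "oid", out, sizeof out));
    printf("oversized: %d\n", query_var("oid=AAAAAAAAAAAAAAAA", "oid", out, sizeof out));
    printf("checked:   %d\n", store_var_checked(g_var, sizeof g_var, "public"));
    return 0;
}
```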


[Full-disclosure] [ MDVSA-2010:117 ] cacti

2010-06-16 Thread security


 ___

 Mandriva Linux Security Advisory MDVSA-2010:117
 http://www.mandriva.com/security/
 ___

 Package : cacti
 Date: June 16, 2010
 Affected: Enterprise Server 5.0
 ___

 Problem Description:

 A vulnerability has been discovered and corrected in cacti:
 
 SQL injection vulnerability in graph.php in Cacti 0.8.7e and earlier
 allows remote attackers to execute arbitrary SQL commands via the
 rra_id parameter in a GET request in conjunction with a valid rra_id
 value in a POST request or a cookie, which bypasses the validation
 routine (CVE-2010-2092).
 
 The updated packages have been patched to correct this issue.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2092
 ___

 Updated Packages:

 Mandriva Enterprise Server 5:
 140770c1974e522397b5c39744ec8422  mes5/i586/cacti-0.8.7e-11.2mdvmes5.1.noarch.rpm
 e227dce4f0cb120ab103f895ac62a2ca  mes5/SRPMS/cacti-0.8.7e-11.2mdvmes5.1.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 2c7396c682f13d1bb2bb64ee1da5bf31  mes5/x86_64/cacti-0.8.7e-11.2mdvmes5.1.noarch.rpm
 e227dce4f0cb120ab103f895ac62a2ca  mes5/SRPMS/cacti-0.8.7e-11.2mdvmes5.1.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  


Re: [Full-disclosure] Congratulations Andrew

2010-06-16 Thread Christian Sciberras
Reminds me of Al Capone and tax evasion ;-)

Good ol' America.





On Wed, Jun 16, 2010 at 7:49 PM, T Biehn  wrote:

> Yes.
> The FBI was investigating the AT&T incident, presumably the AT&T incident
> was what the fed were serving against.
> What possible valid search warrant could be executed? There was no hack,
> breach, illegal access of data, or anything else for that matter.
>
> If you leave a system online with no password which allows you to scrape
> content you have a legal right to scrape that content.
>
> -Travis
>
>
> On Wed, Jun 16, 2010 at 11:10 AM,  wrote:
>
>> On Wed, 16 Jun 2010 10:09:22 EDT, T Biehn said:
>>
>> > I doubt the search warrant will hold up in court.
>>
>> Do you have any actual basis for saying that?  Sure, the warrant might be
>> bullshit, it might be solid - the article doesn't give us enough info
>> either
>> way to tell.
>>
>> "Auernheimer was also arrested in March for giving a false name to law
>> enforcement officers responding to a parking complaint."
>>
>> Sad.  The dude may have the intelligence to pull the hack, but not have
>> the
>> wisdom to not dig a hole deeper. Just man up and take the frikking parking
>> ticket. ;)
>>
>>
>
>
> --
> FD1D E574 6CAB 2FAF 2921  F22E B8B7 9D0D 99FF A73C
> http://pgp.mit.edu:11371/pks/lookup?search=tbiehn&op=index&fingerprint=on
> http://pastebin.com/f6fd606da
>

Re: [Full-disclosure] Congratulations Andrew

2010-06-16 Thread T Biehn
Yes.
The FBI was investigating the AT&T incident, presumably the AT&T incident
was what the fed were serving against.
What possible valid search warrant could be executed? There was no hack,
breach, illegal access of data, or anything else for that matter.

If you leave a system online with no password which allows you to scrape
content you have a legal right to scrape that content.

-Travis

On Wed, Jun 16, 2010 at 11:10 AM,  wrote:

> On Wed, 16 Jun 2010 10:09:22 EDT, T Biehn said:
>
> > I doubt the search warrant will hold up in court.
>
> Do you have any actual basis for saying that?  Sure, the warrant might be
> bullshit, it might be solid - the article doesn't give us enough info
> either
> way to tell.
>
> "Auernheimer was also arrested in March for giving a false name to law
> enforcement officers responding to a parking complaint."
>
> Sad.  The dude may have the intelligence to pull the hack, but not have the
> wisdom to not dig a hole deeper. Just man up and take the frikking parking
> ticket. ;)
>
>


-- 
FD1D E574 6CAB 2FAF 2921  F22E B8B7 9D0D 99FF A73C
http://pgp.mit.edu:11371/pks/lookup?search=tbiehn&op=index&fingerprint=on
http://pastebin.com/f6fd606da

[Full-disclosure] [USN-951-1] Samba vulnerability

2010-06-16 Thread Kees Cook
===
Ubuntu Security Notice USN-951-1  June 16, 2010
samba vulnerability
CVE-2010-2063
===

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 9.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  samba   3.0.22-1ubuntu3.12

Ubuntu 8.04 LTS:
  samba   3.0.28a-1ubuntu4.12

Ubuntu 9.04:
  samba   2:3.3.2-1ubuntu3.5

In general, a standard system update will make all the necessary changes.

Details follow:

Jun Mao discovered that Samba did not correctly validate SMB1 packet
contents.  An unauthenticated remote attacker could send specially crafted
network traffic that could execute arbitrary code as the root user.


Updated packages for Ubuntu 6.06 LTS:


Re: [Full-disclosure] Congratulations Andrew

2010-06-16 Thread Josh Wheeler
Turtles aren't evil, they're just honeytraps out to get andrew.



On Wed, Jun 16, 2010 at 7:22 AM, Christian Sciberras wrote:

> Turtles are scarier than a bomb on the other side of earth.
> They're evil!
>
>
> ;-)
>
>
>
>   On Wed, Jun 16, 2010 at 5:06 PM,  wrote:
>
>>   On Wed, 16 Jun 2010 16:44:06 +0200, "Jan G.B." said:
>>
>> > Oh and by the way.. he's still lobbying against FD, as you can see here:
>> > "Full disclosure is cyber terrorism" =>
>> > http://www.securityfocus.com/archive/105/511801/30/0/threaded
>>
>> Dude needs to learn to be consistent.  Kinda hard to support "FD is cyber
>> terrorism" while also whining about overinflated claims of cyberwarfare.
>>
>> In any case, his basic thesis is flawed. The fact that "most people seem to
>> agree with me" doesn't in fact mean it's true, only that most CNet readers are
>> just as confused as he is.  Full disclosure is *not* terrorism, any more
>> than the weather service issuing a tornado alert is terrorism.  It may mean
>> I have more work ahead, but that's true for a tornado alert as well.  And most
>> importantly, I'm not terrorized - I'm fully informed and can take actions
>> accordingly.  It's *partial* disclosure that's terrorism.
>>
>> Consider the following two scenarios:
>>
>> "There are bombs at the following 7 specific locations, set to go off at 4PM
>> local time. The trash bin behind 1123 Haymarket, in a box under the steps at
>> 904 Maple, (etc etc)"
>>
>> "The Department of Homeland Security has received information indicating
>> an increased threat against buildings that have a 7 in the street address,
>> cars with a Q or J in the plate number, and turtles".
>>
>> Which one scares more people?

Re: [Full-disclosure] Congratulations Andrew

2010-06-16 Thread Christian Sciberras
Turtles are scarier than a bomb on the other side of earth.
They're evil!


;-)



On Wed, Jun 16, 2010 at 5:06 PM,  wrote:

> On Wed, 16 Jun 2010 16:44:06 +0200, "Jan G.B." said:
>
> > Oh and by the way.. he's still lobbying against FD, as you can see here:
> > "Full disclosure is cyber terrorism" =>
> > http://www.securityfocus.com/archive/105/511801/30/0/threaded
>
> Dude needs to learn to be consistent.  Kinda hard to support "FD is cyber
> terrorism" while also whining about overinflated claims of cyberwarfare.
>
> In any case, his basic thesis is flawed. The fact that "most people seem to
> agree with me" doesn't in fact mean it's true, only that most CNet readers are
> just as confused as he is.  Full disclosure is *not* terrorism, any more
> than the weather service issuing a tornado alert is terrorism.  It may mean
> I have more work ahead, but that's true for a tornado alert as well.  And most
> importantly, I'm not terrorized - I'm fully informed and can take actions
> accordingly.  It's *partial* disclosure that's terrorism.
>
> Consider the following two scenarios:
>
> "There are bombs at the following 7 specific locations, set to go off at 4PM
> local time. The trash bin behind 1123 Haymarket, in a box under the steps at
> 904 Maple, (etc etc)"
>
> "The Department of Homeland Security has received information indicating
> an increased threat against buildings that have a 7 in the street address,
> cars with a Q or J in the plate number, and turtles".
>
> Which one scares more people?

Re: [Full-disclosure] Congratulations Andrew

2010-06-16 Thread Valdis . Kletnieks
On Wed, 16 Jun 2010 10:09:22 EDT, T Biehn said:

> I doubt the search warrant will hold up in court.

Do you have any actual basis for saying that?  Sure, the warrant might be
bullshit, it might be solid - the article doesn't give us enough info either
way to tell.

"Auernheimer was also arrested in March for giving a false name to law
enforcement officers responding to a parking complaint."

Sad.  The dude may have the intelligence to pull the hack, but not have the
wisdom to not dig a hole deeper. Just man up and take the frikking parking
ticket. ;)




Re: [Full-disclosure] Congratulations Andrew

2010-06-16 Thread Valdis . Kletnieks
On Wed, 16 Jun 2010 16:44:06 +0200, "Jan G.B." said:

> Oh and by the way.. he's still lobbying against FD, as you can see here:
> "Full disclosure is cyber terrorism" =>
> http://www.securityfocus.com/archive/105/511801/30/0/threaded

Dude needs to learn to be consistent.  Kinda hard to support "FD is cyber
terrorism" while also whining about overinflated claims of cyberwarfare.

In any case, his basic thesis is flawed. The fact that "most people seem to
agree with me" doesn't in fact mean it's true, only that most CNet readers are
just as confused as he is.  Full disclosure is *not* terrorism, any more
than the weather service issuing a tornado alert is terrorism.  It may mean
I have more work ahead, but that's true for a tornado alert as well.  And most
importantly, I'm not terrorized - I'm fully informed and can take actions
accordingly.  It's *partial* disclosure that's terrorism.

Consider the following two scenarios:

"There are bombs at the following 7 specific locations, set to go off at 4PM
local time. The trash bin behind 1123 Haymarket, in a box under the steps at
904 Maple, (etc etc)"

"The Department of Homeland Security has received information indicating
an increased threat against buildings that have a 7 in the street address,
cars with a Q or J in the plate number, and turtles".

Which one scares more people?




Re: [Full-disclosure] Congratulations Andrew

2010-06-16 Thread Jan G.B.
Sorry, but since when is n3td3v A.K.A. Andrew Wallace the person that
goes by the name Weev?

Sure sign that *he is not* weev, is that n3td3v is still tweeting..
http://twitter.com/xploitable
http://sites.google.com/site/n3td3v/

Oh and by the way.. he's still lobbying against FD, as you can see here:
"Full disclosure is cyber terrorism" =>
http://www.securityfocus.com/archive/105/511801/30/0/threaded

Regards


2010/6/16 huj huj huj :
> Looks like Andrew/weev/n3td3v finally gets to do what he likes the most
>
> Performing fellatio on his fellow inmates
>
> http://www.theregister.co.uk/2010/06/16/auernheimer_arrested/


Re: [Full-disclosure] Congratulations Andrew

2010-06-16 Thread T Biehn
Didn't Philip K. Dick write about this sort of thing in Radio Free Albemuth?
I doubt the search warrant will hold up in court.

-Travis

On Wed, Jun 16, 2010 at 9:27 AM, Milan Berger <
m.ber...@project-mindstorm.net> wrote:

> > Looks like Andrew/weev/n3td3v finally gets to do what he likes the
> > most
> > Performing fellatio on his fellow inmates
> > http://www.theregister.co.uk/2010/06/16/auernheimer_arrested/
>
> looks too good to be true.
> Is the longlife FD really away? Would be great!
>
> --
> Kind Regards
>
> Milan Berger
> Project-Mindstorm Technical Engineer



-- 
FD1D E574 6CAB 2FAF 2921  F22E B8B7 9D0D 99FF A73C
http://pgp.mit.edu:11371/pks/lookup?search=tbiehn&op=index&fingerprint=on
http://pastebin.com/f6fd606da

Re: [Full-disclosure] Congratulations Andrew

2010-06-16 Thread Milan Berger
> Looks like Andrew/weev/n3td3v finally gets to do what he likes the
> most
> Performing fellatio on his fellow inmates
> http://www.theregister.co.uk/2010/06/16/auernheimer_arrested/

looks too good to be true.
Is the longlife FD really away? Would be great!

-- 
Kind Regards

Milan Berger
Project-Mindstorm Technical Engineer



[Full-disclosure] Congratulations Andrew

2010-06-16 Thread huj huj huj
Looks like Andrew/weev/n3td3v finally gets to do what he likes the most

Performing fellatio on his fellow inmates

http://www.theregister.co.uk/2010/06/16/auernheimer_arrested/

Re: [Full-disclosure] yahoomail dom based xss vulnerability

2010-06-16 Thread Vipul Agarwal
Hello Pratul!

I'm sure that the flaw was working on 13th June when you disclosed it on the
list. But it's not working today and input is being filtered. Please check it out.


On Wed, Jun 16, 2010 at 9:49 AM, pratul agrawal  wrote:

> Thanks Brother,
>
> See how this occurred: basically, in most cases developers simply design an
> API, and when the client requests any page this API gets stored on the
> client side. Its main task is to take the user input and show the result
> immediately to the client without sending a request to the server. So when
> this type of API is vulnerable to XSS, this is called DOM-based XSS.
>
> Now in this case, when we click on [New Folder] to create a new folder
> and provide any JavaScript, it is taken directly by the API stored on the
> client side when the inbox page is loaded on the client side in yahoomail,
> and gets reflected.
>
> That's the whole story, Bro. Hope you understand what I really want to say.
>
> Thanks,
> Pratul Agrawal
>
> --- On Tue, 15/6/10, Benji wrote:
>
> From: Benji
> Subject: Re: [Full-disclosure] yahoomail dom based xss vulnerability
> To: "pratul agrawal"
> Cc: "skg...@gmail.com", "full-disclosure@lists.grok.org.uk",
> "secur...@yahoo.com", "i...@cert-in.org.in"
> Date: Tuesday, 15 June, 2010, 9:57 AM
>
>
> Sup bro
>
> I waz checkin owt ur javascriptz skriptz and waz wonderin if u cud explain
> how diz shiz werks.
>
> Peaze.
>
> Sent from my iPhone
>
> On 15 Jun 2010, at 09:18, pratul agrawal wrote:
>
> Its working Bro.  I think u had done some mistakes so u try it again with
> check that javascript execution feature is enable in your browser. and bro
> for execution of script it is must to use proper syntax that contain special
> characters. just put ">