Re: [Full-disclosure] Apache Killer
On Tue, Aug 30, 2011 at 08:18:41AM +0200, matteo filippetto wrote:
> 2011/8/29 Georgi Guninski gunin...@guninski.com:
> > As of now (29.08.2011) apache d3v3lop3rs released an advisory not mentioning neither Kingcope nor Zalewski and citing the cve sh1t which is VIRTUALLY EMPTY as of now - check for yourself (citing empty stuff appears strange to me).
>
> In the advisory of 26.08.2011 http://article.gmane.org/gmane.comp.apache.announce/59 they link both Kingcope and Zalewski
>
> Regards
> --
> Matteo Filippetto
> http://www.op83.eu

Thanks, I was wrong. Missed this apache advisory and saw another one without direct credit (24.aug):
http://mail-archives.apache.org/mod_mbox/httpd-announce/201108.mbox/%3c20110824161640.122d38...@minotaur.apache.org%3E

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Is This MITM Attack to Gmail's SSL ?
On Mon, Aug 29, 2011 at 7:46 PM, coderman coder...@gmail.com wrote:
> On Mon, Aug 29, 2011 at 4:35 PM, coderman coder...@gmail.com wrote:
> > ... tech details http://pastebin.com/ff7Yg663
>
> doh, try http://pastebin.com/SwCZqskV

It looks like Mozilla will be revoking trust in the DigiNotar root, http://blog.mozilla.com/security/.
Re: [Full-disclosure] Is This MITM Attack to Gmail's SSL ?
On Tue, Aug 30, 2011 at 11:58 AM, Jeffrey Walton noloa...@gmail.com wrote:
> On Mon, Aug 29, 2011 at 7:46 PM, coderman coder...@gmail.com wrote:
> > On Mon, Aug 29, 2011 at 4:35 PM, coderman coder...@gmail.com wrote:
> > > ... tech details http://pastebin.com/ff7Yg663
> >
> > doh, try http://pastebin.com/SwCZqskV
>
> It looks like Mozilla will be revoking trust in the DigiNotar root, http://blog.mozilla.com/security/.

google also: http://googleonlinesecurity.blogspot.com/2011/08/update-on-attempted-man-in-middle.html

--
Ferenc Kovács
@Tyr43l - http://tyrael.hu
[Full-disclosure] Cisco Security Advisory: Apache HTTPd Range Header Denial of Service Vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Cisco Security Advisory: Apache HTTPd Range Header Denial of Service Vulnerability

Advisory ID: cisco-sa-20110830-apache
Revision 1.0
For Public Release 2011 August 30 1600 UTC (GMT)

Summary
=======

The Apache HTTPd server contains a denial of service vulnerability when it handles multiple, overlapping ranges. Multiple Cisco products may be affected by this vulnerability.

Mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Intelligence companion document for this Advisory:
http://tools.cisco.com/security/center/viewAMBAlert.x?alertId=24024

This advisory is posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20110830-apache.shtml

Affected Products
=================

Cisco is currently evaluating products for possible exposure to this vulnerability. Products will only be listed in the Vulnerable Products or Products Confirmed Not Vulnerable sections of this security advisory when a final determination about exposure is made. Products that are not listed in either of these two sections are still being evaluated.

Vulnerable Products
+------------------

This section will be updated when more information is available. The following products are confirmed to be affected by this vulnerability:

* Cisco MDS 9000 NX-OS Software releases prior to 4.2.x are affected. Cisco MDS 9000 NX-OS Software releases 4.2.x and later are not affected.
* Cisco NX-OS Software for Cisco Nexus 7000 Series Switches releases prior to 4.2.x are affected. Cisco NX-OS Software for Cisco Nexus 7000 Series Switches versions 4.2.x and later are not affected.
* Cisco TelePresence Video Communication Server (Cisco TelePresence VCS)
* Cisco Video Surveillance Manager (VSM)
* Cisco Video Surveillance Operations Manager (VSOM)
* Cisco Wireless Control System (WCS)

Products Confirmed Not Vulnerable
+--------------------------------

The following products are confirmed not vulnerable:

* Cisco ASA 5500 Series Adaptive Security Appliances
* Cisco Catalyst 6500 Series ASA Services Module
* Cisco Catalyst 6500 Series Firewall Services Module
* Cisco Fabric Manager
* Cisco Identity Services Engine
* Cisco Intercompany Media Engine
* Cisco IOS Software
* Cisco IOS XE Software
* Cisco IOS XR Software
* Cisco IP Interoperability and Collaboration System (IPICS)
* Cisco Unified IP Phones
* Cisco MDS 9000 NX-OS Software releases 4.2.x or later (prior versions are affected)
* Cisco NX-OS Software for Nexus 7000 Series Switches releases 4.2.x or later (prior versions are affected)
* Cisco Prime Central
* Cisco Prime Optical
* Cisco Prime Performance Manager
* Cisco TelePresence Server
* Cisco Unified Communications Manager (formerly Cisco CallManager)
* Cisco Unity
* Cisco Unity Connection
* Cisco Wireless LAN Controllers (WLC)

This section will be updated when more information is available.

Details
=======

The Apache HTTPd server contains a denial of service vulnerability when it handles multiple overlapping ranges. Multiple Cisco products may be affected by this vulnerability.

The following Cisco bug IDs are being used to track potential exposure to this vulnerability. The following Cisco bug IDs do not confirm that a product is vulnerable; rather, the Cisco bug IDs indicate that the product is under investigation by the appropriate product teams.

+------------------------------------------------------+--------------+
| Cisco Product                                        | Cisco bug ID |
+------------------------------------------------------+--------------+
| Cisco ACE 4710 Appliance                             | CSCts35635   |
+------------------------------------------------------+--------------+
| Cisco ACE Application Control Engine Module          | CSCts35610   |
+------------------------------------------------------+--------------+
| Cisco ACE GSS 4400 Series Global Site Selector (GSS) | CSCts33313   |
+------------------------------------------------------+--------------+
| Cisco ACE XML Gateway                                | CSCts33321   |
+------------------------------------------------------+--------------+
| Cisco Active Network Abstraction                     | CSCts33317   |
+------------------------------------------------------+--------------+
| Cisco ASA 5500 Series Adaptive Security Appliances   | CSCts33180   |
+------------------------------------------------------+--------------+
| Cisco CNS Network Registrar                          | CSCts36064   |
[Full-disclosure] Vulnerabilities in com_bookman for Joomla
Hello list!

I want to warn you about Insufficient Anti-automation and Denial of Service vulnerabilities in com_bookman for Joomla. Also this component is included in Reservation Manager for Joomla.

This is another one of the few advisories which I made in April 2010. In this advisory I continue to inform readers of mailing lists about vulnerable web applications which are using CaptchaSecurityImages.php.

-------------------------
Affected products:
-------------------------

Vulnerable are all versions of com_bookman and all versions of Reservation Manager for Joomla.

I already wrote last year the recommendations about fixing these issues in another of my advisories concerning a vulnerable web application with CaptchaSecurityImages.php. As I wrote earlier (http://www.securityfocus.com/archive/1/511023), developers of CaptchaSecurityImages.php fixed this hole on 27.03.2007. So one of the ways to fix these issues is to use the fixed version of the script or to make appropriate changes in com_bookman's version of the script.

----------
Details:
----------

These are Insufficient Anti-automation and Denial of Service vulnerabilities. The vulnerabilities exist in the captcha script CaptchaSecurityImages.php, which is used in this system. I already wrote at my site about vulnerabilities in CaptchaSecurityImages (http://websecurity.com.ua/4043/).

Insufficient Anti-automation (WASC-21):

http://site/components/com_bookman/functions/CaptchaSecurityImages.php?width=150&height=100&characters=2

Captcha bypass is possible via half-automated or automated (with the use of OCR) methods, which were mentioned before (http://websecurity.com.ua/4043/).

DoS (WASC-10):

http://site/components/com_bookman/functions/CaptchaSecurityImages.php?width=1000&height=9000

By setting large values of width and height it's possible to create a large load on the server.

----------
Timeline:
----------

2010.04.10 - disclosed at my site.
2010.04.11 - informed developers of com_bookman and Reservation Manager for Joomla.

I mentioned these vulnerabilities at my site (http://websecurity.com.ua/4117/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
[Full-disclosure] RAID 2011 (Sep. 20-21, Menlo Park, CA) - Final Call for Participation
Call for Participation

14th International Symposium on Recent Advances in Intrusion Detection (RAID'2011)
September 20-21, 2011
SRI International, Menlo Park, CA
http://www.raid2011.org

Register online now! http://www.raid2011.org/

===

About the conference:

For the fourteenth year, the intrusion detection community will converge at RAID'2011 to discuss cutting-edge research in malware, application security, anomaly detection, special environments and sandboxing, web security and social networks, and network security. You are invited to join us at RAID for two days this September at SRI International, Menlo Park, CA.

The annual symposium brings together leading researchers and practitioners from academia, government, and industry to discuss issues and technologies related to intrusion detection and defense. RAID 2011 features an exciting technical program, with presentations addressing topics such as dynamic analysis of malicious shellcode, the world's fastest taint tracker, anomaly detection using software defined networking, defending legacy embedded systems, web and social network security, and cross-analysis of botnet victims. A poster session during the symposium will provide lively face-to-face discussions of work in progress.

===

Program this year:

**Tuesday September 20th**

8:45 - 9:45 Keynote: Kevin Fu, "The Cutting Edge of Medical Device Security and Privacy"

10:00 - 12:00 Session 1 (Malware). Chair: Guofei Gu
  10:00 - 10:30 Shellzer: a tool for the dynamic analysis of malicious shellcode. Yanick Fratantonio (Politecnico di Milano), Christopher Kruegel and Giovanni Vigna (University of California, Santa Barbara)
  10:30 - 11:00 KLIMAX: Profiling Memory Write Patterns to Detect Keystroke-Harvesting Malware. Stefano Ortolani and Cristiano Giuffrida (Vrije Universiteit) and Bruno Crispo (University of Trento)
  11:00 - 11:30 Packed, Printable, and Polymorphic Return-Oriented Programming. Kangjie Lu and Dabi Zou (Singapore Management University), Weiping Wen (Peking University), and Debin Gao (Singapore Management University)
  11:30 - 12:00 On the Expressiveness of Return-into-libc Attacks. Minh Tran, Mark Etheridge, Tyler Bletsch, Xuxian Jiang, Vincent Freeh, and Peng Ning (North Carolina State University)

12:00 - 13:30 Lunch

13:30 - 15:00 Session 2 (Application Security). Chair: Debin Gao
  13:30 - 14:00 Minemu: The World's Fastest Taint Tracker. Erik Bosman, Asia Slowinska, and Herbert Bos (Vrije Universiteit Amsterdam)
  14:00 - 14:30 Dymo: Tracking Dynamic Code Identity. Bob Gilbert, Richard Kemmerer, Christopher Kruegel, and Giovanni Vigna (University of California, Santa Barbara)
  14:30 - 15:00 Automated Identification of Cryptographic Primitives in Binary Programs. Felix Gröbert (Ruhr-University Bochum), Carsten Willems (University of Mannheim), and Thorsten Holz (Ruhr-University Bochum)

15:00 - 15:30 Health Break

15:30 - 17:00 Session 3 (Anomaly Detection). Chair: Mathieu Couture
  15:30 - 16:00 Cross-domain Collaborative Anomaly Detection: So Far Yet So Close. Nathaniel Boggs (Columbia University), Sharath Hiremagalore and Angelos Stavrou (George Mason University), and Salvatore J. Stolfo (Columbia University)
  16:00 - 16:30 Revisiting Traffic Anomaly Detection using Software Defined Networking. Syed Akbar Mehdi, Junaid Khalid, and Syed Ali Khayam (National University of Sciences and Technology, Pakistan)
  16:30 - 17:00 Modeling User Search Behavior for Masquerade Detection. Malek Ben Salem and Salvatore J. Stolfo (Columbia University)

17:00 - 19:00 Poster Session (lobby)

19:30 Banquet at Oak City Restaurant (walk from conference)

**Wednesday September 21st**

8:00 - 8:30 Continental Breakfast

8:30 - 10:00 Session 4 (Special Environments and Sandboxing). Chair: Angelos Stavrou
  8:30 - 9:00 Defending Legacy Embedded Systems with Software Symbiotes. Ang Cui and Salvatore J. Stolfo (Columbia University)
  9:00 - 9:30 What if you can't trust your network card? Loïc Duflot, Yves-Alexis Perez, and Benjamin Morin (ANSSI)
  9:30 - 10:00 Detecting Environment-Sensitive Malware. Martina Lindorfer, Clemens Kolbitsch, and Paolo Milani Comparetti (Vienna University of Technology)

10:00 - 10:15 Health Break

10:15 - 11:45 Panel Discussion: State and Future of Open-Source Network Intrusion Detection

11:45 - 13:15 Lunch

13:15 - 15:15 Session 5 (Web Security and Social Networks). Chair: Davide Balzarotti
  13:15 - 13:45 Banksafe - Information Stealer Detection inside the Web Browser. Armin Buescher (G Data Security Labs), Felix Leder (University of Bonn), and Thomas Siebert (G Data Security Labs)
  13:45 - 14:15 IceShield: Detection and Mitigation of Malicious Websites with a Frozen DOM. Mario Heiderich, Tilman Frosch, and Thorsten Holz (Ruhr-University Bochum)
  14:15 - 14:45 Spam Filtering in Twitter using Sender-Receiver Relationship. Jonghyuk
Re: [Full-disclosure] INSECT Pro - Free tool for pentest - New version release 2.7
Hello Jacqui,

Jacqui Caren-home wrote:
> http://www.insecurityresearch.com/files/download/
>
> From the readme's its an old version of metasploit under a wrapper.
>
> Also anyone from tightvnc want to see if gpl-violations are interested?
>
> INSECT Pro/exploits/framework/msf3/external/source/tightvnc/LICENCE.TXT
> GNU GENERAL PUBLIC LICENSE Version 2, June 1991

Do I understand correctly that someone has included GPL-licensed source code from TightVNC to their software which is incompatible with GPL? What is a recommended procedure to stop the violation?

--
Best Regards,
Constantin Kaplinsky
GlavSoft LLC
[Full-disclosure] [SECURITY] [DSA 2298-1] apache2 security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2298-1                   secur...@debian.org
http://www.debian.org/security/                            Stefan Fritsch
August 29, 2011                        http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : apache2
Vulnerability  : denial of service
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2010-1452 CVE-2011-3192

Two issues have been found in the Apache HTTPD web server:

CVE-2011-3192

  A vulnerability has been found in the way the multiple overlapping ranges are handled by the Apache HTTPD server. This vulnerability allows an attacker to cause Apache HTTPD to use an excessive amount of memory, causing a denial of service.

CVE-2010-1452

  A vulnerability has been found in mod_dav that allows an attacker to cause a daemon crash, causing a denial of service. This issue only affects the Debian 5.0 oldstable/lenny distribution.

For the oldstable distribution (lenny), these problems have been fixed in version 2.2.9-10+lenny10.

For the stable distribution (squeeze), this problem has been fixed in version 2.2.16-6+squeeze2.

For the testing distribution (wheezy), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in version 2.2.19-2.

We recommend that you upgrade your apache2 packages.

This update also contains updated apache2-mpm-itk packages which have been recompiled against the updated apache2 packages. The new version number for the oldstable distribution is 2.2.6-02-1+lenny5. In the stable distribution, apache2-mpm-itk has the same version number as apache2.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFOW/+Mbxelr8HyTqQRAn+CAJ9s4JT+blC4eMB2rKEB1dLjtiA1+wCgvJDp
/oid/eRrQ5zmnSp+KQ0R+Cs=
=Svdo
-----END PGP SIGNATURE-----
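The Cisco and Debian advisories above both describe the same defect, CVE-2011-3192: a Range header carrying many overlapping byte ranges makes Apache HTTPD allocate far more than the requested entity. The check below is an added example, not code from Debian, Cisco or the Apache project; it classifies a Range header value the way a reverse proxy or WAF rule could before the request reaches an unpatched backend. The Apache project's own advisory recommended ignoring or rejecting requests with more than a handful of ranges; MAX_RANGES, the size_hint default, the RangeVerdict type and the function names are our choices, and the sample header values are constructed.

```python
"""Classify HTTP Range headers for the CVE-2011-3192 pattern (many or overlapping ranges).

Added example, not code from Debian, Cisco or the Apache project. MAX_RANGES follows the
"more than 5 ranges" guidance in Apache's advisory but is an assumption to tune locally.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_RANGES = 5  # assumption: tunable threshold above which the request is rejected

Spec = Tuple[Optional[int], Optional[int]]  # (first, last); None marks an open end


@dataclass
class RangeVerdict:
    count: int          # number of byte-range-specs found
    overlapping: bool   # at least two ranges intersect or repeat
    malformed: bool     # value did not parse as "bytes=" ranges
    action: str         # "allow", "strip" (ignore Range, serve whole entity) or "reject"


def _parse_spec(spec: str) -> Optional[Spec]:
    """Parse one byte-range-spec: "a-b", "a-" (to end of entity) or "-n" (last n bytes)."""
    spec = spec.strip()
    if spec.count("-") != 1:
        return None
    first, last = spec.split("-")
    if not first and not last:
        return None
    try:
        lo = int(first) if first else None
        hi = int(last) if last else None
    except ValueError:
        return None
    if lo is not None and hi is not None and hi < lo:
        return None
    return (lo, hi)


def _overlaps(ranges: List[Spec], size: int) -> bool:
    """Resolve open ends against the entity size, sort, and look for any intersection."""
    resolved = []
    for lo, hi in ranges:
        if lo is None:                       # "-n": the last n bytes of the entity
            start, end = max(size - hi, 0), size - 1
        else:
            start = lo
            end = size - 1 if hi is None else min(hi, size - 1)
        resolved.append((start, end))
    resolved.sort()
    return any(s2 <= e1 for (_, e1), (s2, _) in zip(resolved, resolved[1:]))


def check_range_header(value: str, size_hint: int = 1 << 20) -> RangeVerdict:
    """Classify one Range header value.

    size_hint stands in for the entity length a real server knows; it is only
    needed to resolve "a-" and "-n" forms when testing for overlap.
    """
    unit, sep, spec_list = value.partition("=")
    if not sep or unit.strip().lower() != "bytes":
        return RangeVerdict(0, False, True, "strip")
    specs = [s for s in spec_list.split(",") if s.strip()]
    parsed = [_parse_spec(s) for s in specs]
    if not parsed or any(p is None for p in parsed):
        return RangeVerdict(len(specs), False, True, "strip")
    count = len(parsed)
    overlapping = _overlaps(parsed, size_hint)  # type: ignore[arg-type]
    if count > MAX_RANGES:
        return RangeVerdict(count, overlapping, False, "reject")
    if overlapping:
        return RangeVerdict(count, overlapping, False, "strip")
    return RangeVerdict(count, False, False, "allow")


def inspect_request(headers: Dict[str, str]) -> str:
    """Worst action over both header names Apache honoured: Range and the legacy Request-Range."""
    severity = {"allow": 0, "strip": 1, "reject": 2}
    worst = "allow"
    for name, value in headers.items():
        if name.lower() in ("range", "request-range"):
            action = check_range_header(value).action
            if severity[action] > severity[worst]:
                worst = action
    return worst


if __name__ == "__main__":
    # Constructed sample values, not captured traffic.
    samples = {
        "bytes=0-99": "ordinary resumable download",
        "bytes=0-10,20-30": "two disjoint ranges",
        "bytes=0-10,5-15": "two overlapping ranges",
        "bytes=0-,1-,2-,3-,4-,5-,6-": "many overlapping ranges",
        "items=0-5": "unknown unit",
    }
    for header, note in samples.items():
        print(f"{header:32} {note:28} -> {check_range_header(header).action}")
```

"strip" means the server answers with the complete entity and a 200, which RFC 2616 already permits for any Range it chooses not to honour, so legitimate clients keep working while the pathological header loses its effect; "reject" is reserved for headers no ordinary client sends.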
[Full-disclosure] DDIVRT-2011-32 Axway SecureTransport '/icons/' Directory Traversal
Title
-----
DDIVRT-2011-32 Axway SecureTransport '/icons/' Directory Traversal

Severity
--------
High

Date Discovered
---------------
July 15, 2011

Discovered By
-------------
Digital Defense, Inc. Vulnerability Research Team
Credit: sxkeebler and r@b13$

Vulnerability Description
-------------------------
The Axway SecureTransport device contains a directory traversal in the '/icons/' directory. An unauthenticated remote attacker can use this vulnerability to obtain arbitrary files from the root file system of the vulnerable host.

Solution Description
--------------------
Axway Global Support has addressed this vulnerability in package: SecureTransport Server 4.8.2 Patch 12.

Patch download: Axway Customers can download the patch using their support account at https://support.axway.com

File Packages: STEE-4_8_2-Patch12-Windows-x86-Build420.jar
MD5 checksum: 0401efe41ee05f2ee25d3adddca113ba
Size: 928753 bytes

See the Patch Readme file which is available on the vendor website for additional information.

Tested Systems / Software
-------------------------
DDI tested: Axway SecureTransport 4.8.1
Axway tested: Axway tested all supported platforms for SecureTransport 4.8.x, 4.9.x, 5.0, and 5.1 and determined that the vulnerability only exists on the Windows platform for SecureTransport 4.8.x

Vendor Contact
--------------
Vendor Name: Axway
Vendor Support Email: supp...@axway.com
Phone: +1-866-AXWAY-US or
- Go to https://support.axway.com
- Click the Contact Axway Support link to display a list of regional support contact phone numbers.
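The advisory gives the bug class (traversal under a static '/icons/' prefix, Windows only) but no details of the failing code. The resolver below is an added example of how a static-file handler keeps requests inside its root; it is not Axway's code and does not describe how their product failed. The prefix, root and sample paths are constructed, and the function name is ours. The backslash rule is there because the advisory notes only Windows builds were affected: on that platform "\" is a path separator too, so a check that only understands "/" is incomplete.

```python
"""Map a request path under a static URL prefix onto a filesystem root, refusing traversal.

Added example for the bug class in the advisory above; not Axway's code.
STATIC_PREFIX, STATIC_ROOT and the sample requests are constructed.
"""
from __future__ import annotations

import posixpath
from typing import Optional
from urllib.parse import unquote

STATIC_PREFIX = "/icons/"        # constructed URL prefix served from disk
STATIC_ROOT = "/srv/www/icons"   # constructed filesystem root for that prefix


def resolve_static(url_path: str, prefix: str = STATIC_PREFIX,
                   root: str = STATIC_ROOT) -> Optional[str]:
    """Return the file to serve for url_path, or None when the request must be refused.

    1. Percent-decode exactly once, so "%2e%2e" is seen as ".." while a double-encoded
       "%252e%252e" stays the literal (and harmless) filename "%2e%2e".
    2. Refuse NUL bytes and backslashes: Windows treats "\\" as a separator, and a
       lexical check that only knows "/" would otherwise miss "..\\".
    3. Refuse any ".." segment outright instead of trusting a normalised form.
    4. Join the remaining segments onto root and re-check containment.
    """
    decoded = unquote(url_path)
    if "\x00" in decoded or "\\" in decoded:
        return None
    if not decoded.startswith(prefix):
        return None
    segments = [s for s in decoded[len(prefix):].split("/") if s not in ("", ".")]
    if ".." in segments:
        return None
    full = posixpath.normpath(posixpath.join(root, *segments)) if segments else root
    # Belt and braces: whatever normpath produced must still sit under root.
    if full != root and not full.startswith(root.rstrip("/") + "/"):
        return None
    return full


if __name__ == "__main__":
    # Constructed requests, not captured traffic.
    for path in ("/icons/folder.gif", "/icons/sub/./a.png", "/icons/../../secret.txt",
                 "/icons/%2e%2e/%2e%2e/secret.txt", "/icons/..%5c..%5cx.txt",
                 "/icons/a%00.gif", "/icons/%252e%252e/x"):
        print(f"{path:36} -> {resolve_static(path)}")
```

This check is purely lexical so it runs offline; a production handler would additionally resolve the final path with realpath and confirm it still lies under the root, so that a symlink placed inside the tree cannot point outside it.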
Re: [Full-disclosure] [MOHSEP] Month Of Humorous Stefan Esser Photoshops - SUPER WEEKEND BUMPER EDITION!!!
ZOMG you are OBVIOUS complete *n00b*. this why women shudnt be aloud on internets. you obvious need to go back to SANS Advanced 'Units Of Time' Class For Log Analysis or whatever to learn what 'month' is. Then get back in kitchin and make me some brattwurst.

Herr E Balls

On Mon, Aug 29, 2011 at 3:43 PM, Kain, Rebecca (.) bka...@ford.com wrote:
> month of? isn't our month over of this silliness?
>
> From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Herr E Balls
> Sent: Sunday, August 28, 2011 7:34 PM
> To: full-disclosure@lists.grok.org.uk
> Subject: [Full-disclosure] [MOHSEP] Month Of Humorous Stefan Esser Photoshops - SUPER WEEKEND BUMPER EDITION!!!
>
> Hi guys! I no that some of you worry that I got hit by car or sql mapped into 1992 but no I is ok! You know, has been few years since my dog died but still i have some problem. Normally i keep myself in control, but as soon as i have just even one glass of wine with dinner an thats it i am go complete crazy until i wake up 2 weeks later in some crack den in dresden. Is ok. As soon as got home again i smoke some meth and secanol and open photoshop and is all ok.
>
> Anyway here is today super mega bumper link!!!
> http://mohsepblog.blogspot.com/2011/08/weekend-super-bumper-pack.html
>
> Enjoy! Until tomorrow...
>
> Herr E Balls
[Full-disclosure] [MOHSEP] Month Of Humorous Stefan Esser Photoshops - 0x1d
Hi guys and welcome to second to second to last EVER MOHSEP (at least until next month). We got some real speshul ones comin up real soon now. make sure to be watch out!

Ok here todays link:
http://mohsepblog.blogspot.com/2011/08/monday-august-29-2011.html

Until tomorrow!!!

Herr E Balls
Re: [Full-disclosure] Is This MITM Attack to Gmail's SSL ?
You'll note that later versions of Chrome protect against this via HTTP Strict Transport Security.
http://www.chromium.org/sts
http://tools.ietf.org/html/draft-hodges-strict-transport-sec-02

Google includes their cert fingerprints (see kGoogleAcceptableCerts) in:
http://src.chromium.org/viewvc/chrome/trunk/src/net/base/transport_security_state.cc?view=markup

In chrome: chrome://net-internals/#hsts

- semenko

On Mon, Aug 29, 2011 at 5:38 PM, Ferenc Kovacs tyr...@gmail.com wrote:
> http://www.google.co.uk/support/forum/p/gmail/thread?tid=2da6158b094b225a&hl=en
> any thoughts?
>
> --
> Ferenc Kovács
> @Tyr43l - http://tyrael.hu
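The post names two client-side defences that a mis-issued certificate cannot defeat: HSTS, which forces https:// before any request leaves the browser, and a static list of acceptable certificate hashes for Google hosts. The code below is an added example of both mechanisms, not Chromium's code: kGoogleAcceptableCerts and chrome://net-internals belong to Chromium, while HstsStore, parse_hsts, cert_fingerprint, chain_matches_pins and the sample header and certificate bytes are constructed for illustration. Chromium pins hashes of the certificates' public keys; this example hashes whole DER certificates, a deliberate simplification that keeps the block dependency-free.

```python
"""Client-side HSTS state plus static certificate pins.

Added example, not Chromium's code. Names, sample header values and the
stand-in certificate bytes are constructed for illustration.
"""
from __future__ import annotations

import hashlib
import time
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional, Set


@dataclass
class HstsEntry:
    expires_at: float        # absolute time; inf for preloaded hosts
    include_subdomains: bool


def parse_hsts(header: str, now: float) -> Optional[HstsEntry]:
    """Parse a Strict-Transport-Security value ("max-age=N[; includeSubDomains]").

    Returns None when max-age is absent or not a number; the draft says such a
    header is ignored rather than treated as a policy.
    """
    max_age: Optional[int] = None
    include_sub = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return HstsEntry(now + max_age, include_sub)


class HstsStore:
    """Host -> HSTS policy, with an injectable clock so expiry can be tested."""

    def __init__(self, preload: Iterable[str] = (), now: Callable[[], float] = time.time):
        self._now = now
        # Preloaded hosts never expire and cover subdomains, like a browser's static list.
        self._entries: Dict[str, HstsEntry] = {
            h.lower(): HstsEntry(float("inf"), True) for h in preload
        }

    def observe(self, host: str, header: str) -> bool:
        """Record a header seen over an error-free HTTPS connection; max-age=0 forgets the host."""
        entry = parse_hsts(header, self._now())
        if entry is None:
            return False
        if entry.expires_at <= self._now():
            self._entries.pop(host.lower(), None)
        else:
            self._entries[host.lower()] = entry
        return True

    def must_use_https(self, host: str) -> bool:
        """True if an http:// URL for host must be rewritten to https:// before any request."""
        labels = host.lower().split(".")
        now = self._now()
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry is None or entry.expires_at <= now:
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 of a DER certificate, colon-separated as certificate viewers show it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def chain_matches_pins(chain_der: Iterable[bytes], pins: Set[str]) -> bool:
    """A chain is acceptable if at least one certificate in it matches a pinned fingerprint.

    Pinning the issuer rather than the leaf lets the site rotate leaf certificates,
    while a chain ending in an unexpected (even publicly trusted) root still fails.
    """
    return any(cert_fingerprint(cert) in pins for cert in chain_der)


# Constructed stand-ins for DER certificates; real ones come from the TLS handshake.
FAKE_GOOGLE_ISSUER = b"\x30\x82\x01\x00constructed-issuer-certificate"
FAKE_LEAF = b"\x30\x82\x02\x00constructed-leaf-certificate"
FAKE_ROGUE_ISSUER = b"\x30\x82\x01\x00constructed-other-ca-certificate"
PINS = {cert_fingerprint(FAKE_GOOGLE_ISSUER)}

if __name__ == "__main__":
    store = HstsStore(preload=["google.com"])
    print("mail.google.com over http ->", "upgrade" if store.must_use_https("mail.google.com") else "plain")
    print("expected chain    ->", chain_matches_pins([FAKE_LEAF, FAKE_GOOGLE_ISSUER], PINS))
    print("substituted chain ->", chain_matches_pins([FAKE_LEAF, FAKE_ROGUE_ISSUER], PINS))
```

The two checks are complementary: HSTS removes the plaintext first request an interceptor could downgrade, and the pin check makes a chain signed by a different CA fail even though the platform trust store would accept it, which is exactly the situation in this thread.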
Re: [Full-disclosure] Apache Killer
2011/8/29 Georgi Guninski gunin...@guninski.com:
> As of now (29.08.2011) apache d3v3lop3rs released an advisory not mentioning neither Kingcope nor Zalewski and citing the cve sh1t which is VIRTUALLY EMPTY as of now - check for yourself (citing empty stuff appears strange to me).

In the advisory of 26.08.2011 http://article.gmane.org/gmane.comp.apache.announce/59 they link both Kingcope and Zalewski

Regards
--
Matteo Filippetto
http://www.op83.eu
Re: [Full-disclosure] Is This MITM Attack to Gmail's SSL ?
On Mon, 29 Aug 2011 17:38:14 -0500, Ferenc Kovacs tyr...@gmail.com wrote:
> http://www.google.co.uk/support/forum/p/gmail/thread?tid=2da6158b094b225a&hl=en
> any thoughts?

Just saw this posted. Not sure of authenticity.
http://pastebin.com/ff7Yg663
Re: [Full-disclosure] INSECT Pro - Free tool for pentest - New version release 2.7
On Tue, Aug 30, 2011 at 1:32 AM, Constantin Kaplinsky co...@tightvnc.com wrote:
> Hello Jacqui,
>
> Jacqui Caren-home wrote:
> > http://www.insecurityresearch.com/files/download/
> >
> > From the readme's its an old version of metasploit under a wrapper.
> >
> > Also anyone from tightvnc want to see if gpl-violations are interested?
> >
> > INSECT Pro/exploits/framework/msf3/external/source/tightvnc/LICENCE.TXT
> > GNU GENERAL PUBLIC LICENSE Version 2, June 1991
>
> Do I understand correctly that someone has included GPL-licensed source code from TightVNC to their software which is incompatible with GPL? What is a recommended procedure to stop the violation?

http://www.gnu.org/contact/:

"If you want to report a free software license violation that you have found, please read our license violation page [http://www.gnu.org/copyleft/gpl-violation.html], and then contact license-violat...@gnu.org."
Re: [Full-disclosure] INSECT Pro - Free tool for pentest - New version release 2.7
On Tuesday 30 Aug 2011, Constantin Kaplinsky wrote:
> Jacqui Caren-home wrote:
> > http://www.insecurityresearch.com/files/download/
> >
> > From the readme's its an old version of metasploit under a wrapper.
> >
> > Also anyone from tightvnc want to see if gpl-violations are interested?
> >
> > INSECT Pro/exploits/framework/msf3/external/source/tightvnc/LICENCE.TXT
> > GNU GENERAL PUBLIC LICENSE Version 2, June 1991
>
> Do I understand correctly that someone has included GPL-licensed source code from TightVNC to their software which is incompatible with GPL? What is a recommended procedure to stop the violation?

Please note that just bundling a GPL program with a proprietary package is explicitly permitted by the GPL (all versions). There is only a violation if the proprietary package includes GPL code in its own code at compile time.

Regards,

-- Raj
--
Raj Mathur                r...@kandalaya.org      http://kandalaya.org/
GPG: 78D4 FC67 367F 40E2 0DD5 0FEF C968 D0EF CC68 D17F
PsyTrance Chill: http://schizoid.in/   ||   It is the mind that moves
Re: [Full-disclosure] INSECT Pro - Free tool for pentest - New version release 2.7
woah! OK so it is not that nice to deface another product, that's kinda why i do pick on it myself but about the GPL, well i have to help anyone on this one, including TightVNC themself, as they did release this as open src software remember. Let me try and explain this a bit better/clearer..

Regarding the GPL, I don't think the guy has breached it directly or indirectly. Of course, if he has, which i don't think so* then he would be subject to being sued by either TightVNC group, or Metasploit. IF the INSECT pro exploit for tightvnc/code which is used for that, is being manipulated AT ALL, that is at compile time, if it is modified from the original code, to the end user/product. IF that is the case, then TightVNC would be able to scrutinize the insect pro maker, and perhaps even take it to small claims or worse, direct defamation of product, which would not be a good/smart thing to do for anyone.

So, i think this should clear up a little of this small debacle which has broken about GPL... GPL is usually there to protect the src code in the GPL (named), but is also, not to be used in ways which defame, which is why it exists.. if tightvnc wanted to now, they could look at ALL its uses and scrutinize them in every case, and why the code is being used. It is something which is very much now up to them and up to whether people have modified their code.

regards,
xd

-

> This isnt a company making a big product, Im doing this because I like doing it.

Good for you. I think that is great. But you are pretending to be a big company. Stop that. I am happy to see you removed that silly donation-for-download scheme.

> I'm not forcing you to use my software, if you don't like it please don't waste bandwith on it.

Fantastic advice.

> We are working on a JAVA version in order to support multi-plataform, and because I really like to JAVA

I did too, until I learned how to program. Oracle's purchase/murder also hastened my departure. Might I suggest C++/Qt? :-)

Randy
Re: [Full-disclosure] INSECT Pro - Free tool for pentest - New version release 2.7
On Wed, 31 Aug 2011 13:36:12 +1000, GloW - XD said:
> So, i think this should clear up a little of this small debacle which has broken about GPL... GPL is usually there to protect the src code in the GPL (named), but is also, not to be used in ways which defame, which is why it exists.. if tightvnc wanted to now, they could look at ALL its uses and scrutinize them in every case, and why the code is being used. It is something which is very much now up to them and up to whether people have modified their code.

Ahem. What the GPL V2 actually says:

  6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License.

"Not to defame" is an additional restriction, as is "scrutinize why the code is being used". You can't do either of those for a GPL-licensed package - you may be thinking of some of the Creative Commons licenses.
Re: [Full-disclosure] INSECT Pro - Free tool for pentest - New version release 2.7
So basically once you sign over a GPL v2, you sign over any right to misuse even the code which you have written? i guess i thought this could be scrutinized outside of the GPL via means of a solicitor but, if the law is complacent about use and misuse then, i guess that's that and you're correct. i have actually yes, used myself the CC license and was thinking the gpl was just a simpler version but seems that is probably safer to go with CC i guess there at least you have some say over mis-use in cases where you specify which documents in particular, ie: sourcecode1.cpp, source2.cpp and v.cpp must not be modified... the rest could be.., for example.

Oh well, that shoots any theory then of why it is even being mentioned in the list, other than to potentially harm all users of tightvnc src. Stranger things have happened i guess..

Sorry for my earlier report and, enjoy the code! lol

xd

cheers Valdis ..

On 31 August 2011 14:14, valdis.kletni...@vt.edu wrote:
> On Wed, 31 Aug 2011 13:36:12 +1000, GloW - XD said:
> > So, i think this should clear up a little of this small debacle which has broken about GPL... GPL is usually there to protect the src code in the GPL (named), but is also, not to be used in ways which defame, which is why it exists.. if tightvnc wanted to now, they could look at ALL its uses and scrutinize them in every case, and why the code is being used. It is something which is very much now up to them and up to whether people have modified their code.
>
> Ahem. What the GPL V2 actually says:
>
>   6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License.
>
> "Not to defame" is an additional restriction, as is "scrutinize why the code is being used". You can't do either of those for a GPL-licensed package - you may be thinking of some of the Creative Commons licenses.