Re: [Full-disclosure] Free Iraq

2008-03-27 Thread Bill Stout
Valdis,

Good point, I didn't know that.

I did find a link to Fitna, that politically censored movie.  Indirectly 
related to the thread.  Now I have to brush up on my Dutch.
http://www.liveleak.com/view?i=ee4_1206625795

Bill Stout

- Original Message 
> From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
> To: Paul Schmehl <[EMAIL PROTECTED]>
> Cc: full-disclosure@lists.grok.org.uk
> Sent: Thursday, March 27, 2008 11:19:02 AM
> Subject: Re: [Full-disclosure] Free Iraq
> 
> On Thu, 27 Mar 2008 12:03:15 CDT, Paul Schmehl said:
> > your head in the sand. The Pentagon has been paying $900.00 for toilet seats
> 
> Of course, understanding what a "toilet seat" actually *was* might help.
> 
> "The $640 toilet seat was, in fact, a large molded plastic cover for the 
> entire
> toilet system of a P-3 aircraft"
> 
> http://books.google.com/books?id=5YH5rPgWvzUC&pg=PA69&lpg=PA69&dq="air+force"+"toilet+seats"&source=web&ots=3jFk3Wu4dA&sig=jdG3MPvTixyge2jld59d2yAkytQ&hl=en#PPA70,M1
> 
> While we're there..
> 
> "... that the famous $3,046 coffee pot was actually designed for the huge C5-A
> aircraft, which carries as many as 365 people. Major airlines, he pointed out,
> had purchased similar coffee makers for about the same price, 
> $3,107".
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] clustering question

2008-02-26 Thread Bill Stout
This is security related?

Clustered firewall/vpn appliances have to be the same family as they replicate 
configuration (and sometimes state info) to each other.  Usually the size of 
the appliance is related to user licenses and options like SSL acceleration, 
so from the hardware perspective they have to have the same components.

[Early '90s' answer]  If you're talking about a firewall configuration, as long 
as the services failover differently sized systems will be fine.  The cluster 
can be full capacity when both are up, and operate in degraded capacity mode 
with all services running on one server, or if a service fails over to a 
smaller system it will run in degraded mode.  I configured a Dec Seal1 
gatekeeper cluster on Digital Ultrix for a west coast bank way back when, they 
had some services (FTP, SSL) on one server and other services on another 
(NTP, SMTP).  The clustering software handled service (screend) and virtual IP 
failover and the configuration files on the shared RAIDset.  The systems were 
equally sized.  I haven't seen an application firewall cluster since then.

Bill Stout

- Original Message  
From: shadow floating <[EMAIL PROTECTED]> 
To: full-disclosure@lists.grok.org.uk 
Sent: Tuesday, February 26, 2008 5:35:17 AM 
Subject: [Full-disclosure] clustering question 

Hi all, 
just a simple question 
when i'm building a cluster, do i have to have all machines in the 
cluster be exactly the same capacity ,configuration and brand? (cpu 
power, storage,network connectivity and memory) 
thank alot 

regards, 



Re: [Full-disclosure] Save XP

2008-01-31 Thread Bill Stout
Tyler, 

You're correct.

2009 Windows Se7en RTM http://en.wikipedia.org/wiki/Windows_7 

2012 Vista Basic EOL http://support.microsoft.com/lifecycle/?p1=11731
2014 XP Home xEOL http://support.microsoft.com/lifecycle/?p1=3221
2014  XP Pro xEOL http://support.microsoft.com/lifecycle/?p1=3223
2017 Vista Bus xEOL http://support.microsoft.com/lifecycle/?p1=11707
2017 Vista Ent xEOL http://support.microsoft.com/lifecycle/?p1=11737

Still, there's a big difference in lifecycle.  XP was introduced in 2001, and 
planned EOL is 2009 (eight year lifecycle).  Vista was introduced in 2007, and 
planned EOL is 2012 (five year lifecycle).  That's pretty short product 
lifecycle for a $10B* development effort.

*Ref: 
http://seattletimes.nwsource.com/html/businesstechnology/2003460386_btview04.html

Bill Stout

- Original Message 
From: Tyler Reguly <[EMAIL PROTECTED]>
To: scott <[EMAIL PROTECTED]>
Cc: full-disclosure@lists.grok.org.uk
Sent: Thursday, January 31, 2008 2:52:23 AM
Subject: Re: [Full-disclosure] Save XP

Sometimes I'm reminded of why Full Disclosure amuses me and why I stay 
subscribed


On 1/30/08, scott <[EMAIL PROTECTED]> wrote:
Yes and MS quietly extended 98 for a few more years until they came out
with 2000. A much better OS than ME at the time, IMHO.


Windows ME Release Date: Sept. 14, 2000
Windows 2000 Release Date: Feb. 17, 2000

Windows 2000 was out half a year ahead of Windows ME... so something tells me 
they didn't "quietly extend 98 for a few more years until they came out with 
2000"... even if you were talking XP (which was Oct 2001) it would be a year, 
not a few years. 



Bill: You aren't being fair with our EOL dates. You are comparing XP Pro 
(Officially a business operating system) to Vista Home Premium (a Home 
operating System)... you have to compare XP Pro to a Business version of Vista 
and when you do that you get Vista Business with an EOL of 2017 ( 
http://support.microsoft.com/lifecycle/?p1=11707 ), 3 years after XP Pro. 


Tyler.




Re: [Full-disclosure] Save XP

2008-01-31 Thread Bill Stout

Vista will be replaced by Windows 7, so for most corporations with a 3-year 
desktop lifecycle, it does not make sense to blend Vista with XP when Windows 7 
will come out in two-three years.
  Windows 7 on Wikipedia: http://en.wikipedia.org/wiki/Windows_7
  Windows 7 screenshot: 
http://www.tgdaily.com/images/stories/article_images/windows7/windows7_1.jpg

I think Microsoft realizes this, and XP will be supported longer than Vista.  
Vista end of life is 10/4/2012, and XP support was extended to 4/12/2014.
  Vista EOL: http://support.microsoft.com/lifecycle/?LN=en-us&p1=11712&x=9&y=14
  XP EOL: http://support.microsoft.com/lifecycle/?LN=en-gb&x=16&y=12&C2=1173

Bill Stout



- Original Message 
From: scott <[EMAIL PROTECTED]>
To: full-disclosure@lists.grok.org.uk
Sent: Monday, January 28, 2008 12:43:51 PM
Subject: [Full-disclosure] Save XP

For all those who believe Vista is still not up to par, you can help stop 
MS from forcing us to go to Vista.

For those who don't know, MS is planning on stopping XP sales after June 
30, 2008. There are a few options for enterprise users, but Joe XP user 
will not be able to go to any store and buy a copy of XP after that 
date. Or at least after the stores sell out of what they have on hand.

You can sign a petition at InfoWorld that may delay or stop MS from 
forcing us to use Vista.

Sign the petition here: 
http://reg.itworld.com/servlet/Frs.frs?Context=LOGENTRY&Source=savexpblog080114&Source_BC=13&Script=/LP/80276783/reg&;
Maybe we can stop this.

Regards,
  Scott





Re: [Full-disclosure] Hardware-based full disk encryption

2008-01-17 Thread Bill Stout
Hi Frank,

If it's to protect against computer loss or theft, FDE offers zero protection 
when the thief boots the computer.  The disk is unencrypted as far as the 
filesystem drivers are concerned.  Some vendors offer a pre-boot password, then 
the protection is as strong as the password.  FDE is of value if you throw a 
disk away and it also prevents CD bootable password clearing tools from editing 
the SAM.

Volume or container encryption will protect data, and is also useful to hide 
tools from an AV file scan.  Cryptainer is one example, available in both free 
and commercial versions.  Volume encryption won't encrypt temp directories; 
there are many temp directory locations depending on the source from which you 
opened a file (email, browser, filesystem, Word, etc).  Volume encryption 
products like Credant solve this problem by encrypting temp files.

HTH

Bill Stout


- Original Message 
From: Frank Sanders <[EMAIL PROTECTED]>
To: full-disclosure@lists.grok.org.uk
Sent: Wednesday, January 16, 2008 4:53:39 AM
Subject: [Full-disclosure] Hardware-based full disk encryption

Can anyone recommend such a system?

What are the pros and cons, and from which vendor(s) do you know that they 
have already integrated it, and with which security model?





Re: [Full-disclosure] [OOT] Thesis for master degree

2006-12-15 Thread Bill Stout
Here are a few ideas:

 

- The threat of rogue Virtual machines - the inside man

- Disassembling Vista Security

- Investigating organized computer crime

- The mythical network perimeter

- Data flow analysis of confidential information within corporations

- Distribution and access of personal data

 

Just suggestions, but your thesis should be of a topic which is a
passion for you and holds your interest.  Your thesis topic may affect
your next few years of employment, so invest in something that will be
around for awhile (don't write about a technology approaching end of
life).

 

Bill Stout

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fajar Edisya Putera
Sent: Friday, December 15, 2006 1:45 AM
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] [OOT] Thesis for master degree

 

Hello everyone, sorry for wasting your bandwidth

I'm currently trying to find an interesting topic in computer networking
security for my master's degree thesis. I've read a lot of journals
related to computer networking and security. All the journals seem too
advanced for me; sometimes a journal has a mathematical formula and I
don't understand what the point of it is. Maybe someone here is willing to
help me? An idea? Or another journal website? 

Thanks
Sincerely yours
Fajar


Re: [Full-disclosure] Yet another 0day for IE (Disabling Javascript no longer a fix)

2006-09-24 Thread Bill Stout
http://sunbeltblog.blogspot.com/2006/09/seen-in-wild-zero-day-exploit-being.html 
"This exploit can be mitigated by turning off Javascripting. 

Update: Turning off Javascripting is no longer a valid mitigation. A
valid mitigation is unregistering the VML dll. "

Bill Stout

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bill Stout
Sent: Saturday, September 23, 2006 12:11 AM
To: Gadi Evron; bugtraq@securityfocus.com
Cc: botnets@whitestar.linuxbox.org; full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Yet another 0day for IE

Hi all,

If anyone finds a site where the 0day still lives, please let me know.
All the URLs I've found are off the air.

I did find a websense update not listed here:
http://www.websense.com/securitylabs/alerts/alert.php?AlertID=632   

There's another websense blog that says the code has been posted (where?):
http://www.websense.com/securitylabs/blog/blog.php?BlogID=81
 
If you're intentionally digging in the Internet muck for this Trojan
(like I am), now is a good time to put our gloves around your browser.

http://www.download.com/GreenBorder-Pro-with-SafeFiles/3000-2092_4-10581692.html (Wraps IE, FF, and other apps)

Here's the Microsoft Advisory:
http://www.microsoft.com/technet/security/advisory/925568.mspx 

Securiteam has a blog on this as well
http://blogs.securiteam.com/index.php/archives/624 
Many companies (e.g. software development) have users running as local
admins.  To quote from Securiteam:
"Also worth mentioning is that the current in-the-wild exploits attempt
system-wide software installations, as do most zero-day exploits for
such vulnerabilities. If your browser is not running under an account
with administrative privileges, this will not succeed."

Thanks,
Bill Stout

My opinions are my own, and my keyboard is often accompanied by glass of
wine or whiskey.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gadi Evron
Sent: Tuesday, September 19, 2006 2:47 PM
To: bugtraq@securityfocus.com
Cc: botnets@whitestar.linuxbox.org; full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Yet another 0day for IE

Webattacker is a hacker kit for preparing a website to exploit users,
infecting them. It has statistics on OS, browser type, etc. As well as on
how many got infected by what exploit, etc.

Nick FitzGerald, Roger Thompson and now Dan Hubbard
(http://www.websense.com/securitylabs/blog/blog.php?BlogID=80) report
that sites seen exploiting this 0day in-the-wild have previously been
seen utilizing Webattacker. If Webattacker indeed uses this 0day... it
will be spread far and wide.

No patch in sight. Easy to exploit.

Gadi.

On Tue, 19 Sep 2006, Gadi Evron wrote:

> Sunbelt Software released a warning on a new IE 0day they detected
> in-the-wild, to quote them:
> "The exploit uses a bug in VML in Internet Explorer to overflow a buffer
> and inject shellcode.   It is currently on and off again at a number of
> sites. 
> Security researchers at Microsoft have been informed. This story is
> developing and research is ongoing.   Security professionals can contact
> me for collaboration or further information. This exploit can be mitigated
> by turning off Javascripting."
> 
> They also notified some closed and vetted security information sharing
> groups on the matter, with further details. You can find their blog entry
> here:
> http://sunbeltblog.blogspot.com/2006/09/seen-in-wild-zero-day-exploit-being.html
> 
> That's that.
> 
> Why do I call it a 0day? Because it has indeed been used in-the-wild
> before it was publicly discovered. People are CURRENTLY and for a while
> now, being exploited.
> 
> Lately we call every exploit being released in full disclosure mode a
> 0day. That's a 1-day or at least it has to be from now on, as there are
> just too many of those and there are more to come.
> 
> This trend started with Websense detecting an IE 0day (not really IE
> - WMF) used in-the-wild by spyware, to infect users.
> "Responsible disclosure" is important, but when it takes so long to get a
> response or a fix with "Irresponsible vendors", and with so much money to
> be made by not disclosing vulnerabilities at all - it is becoming
> passe. New exploits don't need to be gleaned from patches or feared in
> full disclosure. Someone just pays for a 0day.. it's their business and
> they invest in it.
> 
> So:
> 1. Lots more coming.
> 2. Please call it a 1-day if it's full disclosure mode, and 0day if it
> has been seen in-the-wild.
> 
> The motivation has now moved from "let's be responsible" or "let's have
> fun" to "let's make money" or "let's stop waiting and be mocked by

Re: [Full-disclosure] Yet another 0day for IE

2006-09-23 Thread Bill Stout
Hi all,

If anyone finds a site where the 0day still lives, please let me know.
All the URLs I've found are off the air.

I did find a websense update not listed here:
http://www.websense.com/securitylabs/alerts/alert.php?AlertID=632   

There's another websense blog that says the code has been posted (where?):
http://www.websense.com/securitylabs/blog/blog.php?BlogID=81
 
If you're intentionally digging in the Internet muck for this Trojan
(like I am), now is a good time to put our gloves around your browser.

http://www.download.com/GreenBorder-Pro-with-SafeFiles/3000-2092_4-10581692.html (Wraps IE, FF, and other apps)

Here's the Microsoft Advisory:
http://www.microsoft.com/technet/security/advisory/925568.mspx 

Securiteam has a blog on this as well
http://blogs.securiteam.com/index.php/archives/624 
Many companies (e.g. software development) have users running as local
admins.  To quote from Securiteam:
"Also worth mentioning is that the current in-the-wild exploits attempt
system-wide software installations, as do most zero-day exploits for
such vulnerabilities. If your browser is not running under an account
with administrative privileges, this will not succeed."

Thanks,
Bill Stout

My opinions are my own, and my keyboard is often accompanied by glass of
wine or whiskey.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gadi Evron
Sent: Tuesday, September 19, 2006 2:47 PM
To: bugtraq@securityfocus.com
Cc: botnets@whitestar.linuxbox.org; full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Yet another 0day for IE

Webattacker is a hacker kit for preparing a website to exploit users,
infecting them. It has statistics on OS, browser type, etc. As well as on
how many got infected by what exploit, etc.

Nick FitzGerald, Roger Thompson and now Dan Hubbard
(http://www.websense.com/securitylabs/blog/blog.php?BlogID=80) report
that sites seen exploiting this 0day in-the-wild have previously been
seen utilizing Webattacker. If Webattacker indeed uses this 0day... it
will be spread far and wide.

No patch in sight. Easy to exploit.

Gadi.

On Tue, 19 Sep 2006, Gadi Evron wrote:

> Sunbelt Software released a warning on a new IE 0day they detected
> in-the-wild, to quote them:
> "The exploit uses a bug in VML in Internet Explorer to overflow a buffer
> and inject shellcode.   It is currently on and off again at a number of
> sites. 
> Security researchers at Microsoft have been informed. This story is
> developing and research is ongoing.   Security professionals can contact
> me for collaboration or further information. This exploit can be mitigated
> by turning off Javascripting."
> 
> They also notified some closed and vetted security information sharing
> groups on the matter, with further details. You can find their blog entry
> here:
> http://sunbeltblog.blogspot.com/2006/09/seen-in-wild-zero-day-exploit-being.html
> 
> That's that.
> 
> Why do I call it a 0day? Because it has indeed been used in-the-wild
> before it was publicly discovered. People are CURRENTLY and for a while
> now, being exploited.
> 
> Lately we call every exploit being released in full disclosure mode a
> 0day. That's a 1-day or at least it has to be from now on, as there are
> just too many of those and there are more to come.
> 
> This trend started with Websense detecting an IE 0day (not really IE
> - WMF) used in-the-wild by spyware, to infect users.
> "Responsible disclosure" is important, but when it takes so long to get a
> response or a fix with "Irresponsible vendors", and with so much money to
> be made by not disclosing vulnerabilities at all - it is becoming
> passe. New exploits don't need to be gleaned from patches or feared in
> full disclosure. Someone just pays for a 0day.. it's their business and
> they invest in it.
> 
> So:
> 1. Lots more coming.
> 2. Please call it a 1-day if it's full disclosure mode, and 0day if it
> has been seen in-the-wild.
> 
> The motivation has now moved from "let's be responsible" or "let's have
> fun" to "let's make money" or "let's stop waiting and be mocked by
> irresponsible vendors". This is not about everybody, it's about how
> things are.
> 
> Even idefense and zdi can't pay enough when compared with people who make
> money from what the 0day gives them - exploited users and a money making
> botnet.
> 
> Thanks,
> 
>   Gadi.
> 
> 



RE: [Full-disclosure] Browzar Footprints

2006-09-04 Thread Bill Stout
There are a number of index.dat readers out there.  Like Index Dat Spy
http://indexdatspy.stevengould.org/

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Vidar Løkken
Sent: Monday, September 04, 2006 3:44 AM
To: Colin Copley
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Browzar Footprints

On Sat, 2 Sep 2006, Colin Copley wrote:

> but leaves the last visited url in "E:\Documents and
> Settings\-username-\LocalSettings\Temporary Internet
> Files\Content.IE5\index.dat"

However, they do claim in their FAQ that this is irrelevant, since you 
need sophisticated methods to read index.dat... - aka 
http://browzar.com/faq/index.html#28a

So I'd say this is smelling snake-oil

-- 
MVH,
Vidar
There is no time like the pleasant.

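The thread above turns on whether reading index.dat takes "sophisticated methods". As an added example (not the Index Dat Spy tool linked in the post, and not code from the Browzar project), here is a minimal reader for the URL records of an IE5-style index.dat. The record layout (128-byte blocks; "URL ", "REDR", "LEAK" and "HASH" signatures; block count at offset 4; last-accessed FILETIME at offset 16; URL and file-name offsets at 52 and 60) is assumed from public reverse-engineering notes on the "Client UrlCache MMF Ver 5.2" format, and the sample file parsed here is constructed in the script itself so that it runs offline; REDR records use a different layout and are skipped.

```python
import struct
from datetime import datetime, timedelta, timezone

BLOCK = 128                        # index.dat allocates records in 128-byte blocks
HEADER_SIG = b"Client UrlCache MMF Ver "
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Assumed URL/LEAK record layout (offsets relative to the record start):
#   0x00 4-byte signature, 0x04 uint32 length in blocks, 0x08 FILETIME modified,
#   0x10 FILETIME last accessed, 0x34 uint32 offset of NUL-terminated URL,
#   0x3C uint32 offset of NUL-terminated cached file name (0 if none).
OFF_BLOCKS, OFF_MODIFIED, OFF_ACCESSED, OFF_URL, OFF_FILENAME = 4, 8, 16, 52, 60
STRINGS_START = 0x68               # first byte after the fixed fields


def filetime_to_datetime(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def _cstring(buf, off):
    return buf[off:buf.index(b"\x00", off)].decode("latin-1")


def build_record(sig, url, filename, when):
    """Constructed record for the sample file; not copied from a real cache."""
    url_b = url.encode("ascii") + b"\x00"
    fn_b = filename.encode("ascii") + b"\x00" if filename else b""
    nblocks = -(-(STRINGS_START + len(url_b) + len(fn_b)) // BLOCK)   # round up
    rec = bytearray(nblocks * BLOCK)
    rec[0:4] = sig
    struct.pack_into("<I", rec, OFF_BLOCKS, nblocks)
    ft = datetime_to_filetime(when)
    struct.pack_into("<Q", rec, OFF_MODIFIED, ft)
    struct.pack_into("<Q", rec, OFF_ACCESSED, ft)
    struct.pack_into("<I", rec, OFF_URL, STRINGS_START)
    rec[STRINGS_START:STRINGS_START + len(url_b)] = url_b
    if fn_b:
        fn_off = STRINGS_START + len(url_b)
        struct.pack_into("<I", rec, OFF_FILENAME, fn_off)
        rec[fn_off:fn_off + len(fn_b)] = fn_b
    return bytes(rec)


def build_sample_index_dat():
    """Constructed index.dat: header, a HASH stub, three URL records and one
    LEAK record (an entry deleted from the index whose cached file remained)."""
    header = (HEADER_SIG + b"5.2\x00").ljust(2 * BLOCK, b"\x00")
    hash_stub = bytearray(BLOCK)
    hash_stub[0:4] = b"HASH"
    struct.pack_into("<I", hash_stub, OFF_BLOCKS, 1)
    t = datetime(2006, 9, 2, 10, 0, tzinfo=timezone.utc)
    return b"".join([
        header, bytes(hash_stub),
        build_record(b"URL ", "http://example.test/first", "first[1].htm", t),
        build_record(b"URL ", "http://example.test/last-visited", "last[1].htm",
                     t + timedelta(minutes=42)),
        build_record(b"LEAK", "http://example.test/deleted", "gone[1].htm",
                     t + timedelta(minutes=5)),
        build_record(b"URL ", "http://example.test/middle", "", t + timedelta(minutes=7)),
    ])


def parse_records(data, wanted=(b"URL ", b"LEAK")):
    """Walk the file block by block and decode the requested record types."""
    if not data.startswith(HEADER_SIG):
        raise ValueError("not an index.dat cache file")
    entries, pos = [], 0
    while pos + BLOCK <= len(data):
        sig = data[pos:pos + 4]
        if sig not in (b"URL ", b"REDR", b"LEAK", b"HASH"):
            pos += BLOCK                       # header or unallocated block
            continue
        nblocks = struct.unpack_from("<I", data, pos + OFF_BLOCKS)[0]
        if nblocks == 0 or pos + nblocks * BLOCK > len(data):
            pos += BLOCK                       # corrupt length: do not trust it
            continue
        if sig in wanted:
            rec = data[:pos + nblocks * BLOCK]  # bound string reads to the record
            url_off = struct.unpack_from("<I", data, pos + OFF_URL)[0]
            fn_off = struct.unpack_from("<I", data, pos + OFF_FILENAME)[0]
            entries.append({
                "type": sig.decode().strip(),
                "url": _cstring(rec, pos + url_off) if url_off else "",
                "file": _cstring(rec, pos + fn_off) if fn_off else "",
                "accessed": filetime_to_datetime(
                    struct.unpack_from("<Q", data, pos + OFF_ACCESSED)[0]),
            })
        pos += nblocks * BLOCK
    return entries


def last_visited(data):
    """The most recently accessed live URL record: the footprint the thread is about."""
    live = parse_records(data, wanted=(b"URL ",))
    return max(live, key=lambda e: e["accessed"]) if live else None


if __name__ == "__main__":
    sample = build_sample_index_dat()
    for e in parse_records(sample):
        print(f'{e["accessed"]:%Y-%m-%d %H:%M}  {e["type"]:4}  {e["url"]}  {e["file"]}')
    print("last visited:", last_visited(sample)["url"])
```

Pointing `parse_records` at a real `Content.IE5\index.dat` requires copying the file first, since Explorer keeps it open; the LEAK records are worth listing separately because they survive a "clear history" that only removes index entries.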


RE: [Full-disclosure] Tempest today

2006-08-20 Thread Bill Stout
You have your answer, but I'll add some background anyway.

TEMPEST is old stuff (US/UK).  Anyone who's ever worked in COMSEC
(Government Communications Security) knows about TEMPEST, it was a big
deal during the cold war.  Most of the basic stuff was declassified in
1995.

It's simply the ability to block any and all unintentional signals
('electro-magnetic radiation') which may emanate from communication or
data processing equipment.  There's two parts of COMSEC equipment, the
part that handles the plain text data like I/O, processor and memory
(red side), and the part that's not involved in unencrypted data like
power supplies and I/O that carries encrypted data (black side).  One of
the earlier examples of a TEMPEST leak was the ability to pick up typed
text from the power lines into teletype equipment or even the IBM
Selectric typewriters.  Some of the embassies on both sides of the cold
war were found to have innocent wires stretched across the ceiling of
the comm center but with both ends unterminated, which apparently
operated as a simplistic amplifier or pickup.  Many bugs picked up and
repeated electronic, not audio signals.  The U.S. Embassy in the USSR
had to be rebuilt in the '80s because the concrete was peppered with
passive electronic components (things like resistors and real bugs).  

A simple demonstration of TEMPEST vulnerability is by using a telco
impedance pickup.  The impedance pickup will amplify voice (or data) on
a phone wire without needing to touch the metal wire.  It picks up the
varying magnetic field around a wire which expands and collapses as the
signal changes.  (It also buzzes radically when near fluorescent bulbs,
old high-leakage CRT monitors, some LCDs, some keyboards, and some
mice).

Another related term you might want to google is SIGINT, or Signals
Intelligence.  It covers the ability to collect, and process, signals.
There's more to it than meets the eye.  The position of a signal can be
triangulated electronically within a few milliseconds, 'position' is
data.  The keystrokes or other characteristics of encrypted data can
tell you who the operator is, 'characteristic' is data you can link with
HUMINT (Human Intelligence).  Then there's the conversation, sorta tells
you who's talking to who and what's been escalated up to or repeated
from headquarters (makes life easy if someone in the conversation passes
along a message using weak crypto or a compromised key).  Many INTEL
satellites are SIGINT, more like radioscopes pointed down which join the
hubble-sister telescopes pointed down.  

(Note: Encryption applies privacy only temporarily.  Encryptions of the
past are obsolete and weak today, and can be decrypted at leisure.)

That's what TEMPEST is worried about.  Leaking signal from red side to
black side, that signal getting picked up by some guy with telco gear, a
bug in the wall or an antenna in the ceiling, or a trio of satellites
above.   Doesn't help if you used that 3DES PGP key 5 years ago.

Bill Stout


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Paul Sebastian Ziegler
Sent: Friday, August 18, 2006 9:45 AM
To: full-disclosure
Subject: [Full-disclosure] Tempest today

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hi list,

I've seen some fuss about the technique called "tempest" lately. Some
people claim it would be "the thing" in modern security. This bugs me
somehow because first of all I think it is way too much of an effort
compared to the more casual techniques used today. Also all information
that I can find on the Internet refers to some stuff the NSA released in
the mid-nineties. Now that is not really a good and reliable source of
information in my belief. :)

Can anybody tell me how far evolved this technique is today and who uses
it? Maybe some reference to a whitepaper or something similar. Would be
great.

Thanks
Paul


Brief definition of tempest for those who have never heard of it:
Picking up the radiation produced by a monitor or cables that connect
the graphics-card or graphics-chipset with the monitor in order to spy
the screen of the user. Kind of like getting access to a VNC server on
the box without having input yourself. The interesting part is that it
is technically undetectable.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFE5e6XaHrXRd80sY8RCg/9AKCBAs2SjvitArRFHs+6moRb0UX4GQCfbCo9
wi9z1V+h5m0YJFdz9IZK+EI=
=2pu2
-END PGP SIGNATURE-



RE: [Full-disclosure] Looking for any vulnerabilities in GreenBorder Pro - Download please, and let me know

2006-07-14 Thread Bill Stout
Hi Andre,

Thanks, though I'm not promoting, rather I'm looking for problems.  I
should've left out the count, when I tried to explain the continued free
license.

Trust me, the company I work for would rather me NOT ask for
vulnerabilities on public lists.  My habit is to find problems sooner
than later.  I did ask the lists for beta testers during beta, since I'd
much rather find issues in beta than in a GA release.  Some of the list
members did beta test and provided feedback which helped a lot.

My intent is I'd like to discover vulnerabilities before the software is
installed on too many desktops.  The more eyes the better, and what
better talent is there, than on bugtraq and full-disclosure to pry into
it?  Plus, I'm guaranteed that the feedback here is 'direct and terse'
(-M.W.), and not toned down and tempered which is what I don't want.

Bill Stout

-Original Message-
From: Andre Gagne [mailto:[EMAIL PROTECTED] On Behalf Of Andre Gagne
Sent: Friday, July 14, 2006 9:26 AM
To: Bill Stout; full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Looking for any vulnerabilities in
GreenBorder Pro - Download please, and let me know

 From the list charter, "Gratuitous advertisement, product placement, or
self-promotion is forbidden."
I feel that you're borderline here, others may feel differently. If 
you want testers, try contacting people individually. And no, I don't 
have enough experience to try and crack it.

Just thought I'd let you know.

Bill Stout wrote:
>
> Hi guys,
>
> I'm looking for vulnerabilities or other weaknesses in our GreenBorder
> Pro (application virtualization and isolation) product. I invite you 
> to download and hammer it. Please tell me of any vulnerability you may
> find.
>
> If you download and activate it, the email used for activation will be
> responded to with a license key for a year. The feedback we've gained 
> is invaluable, for example our Saturday build will include NOD32 
> compatibility and updated installer checks. It requires XP or 2K Pro 
> and NTFS. Please see Software compatibility in our knowledge base 
> here: 
> _http://supportcenteronline.com/ics/support/default.asp?deptID=4049_.
>
> If you notice we're beyond 37,000 downloads and have read that free 
> licenses are only for the first 10,000, we've quietly extended the 
> year free license to anyone who downloads by July 28, 2006. This is 
> because of both the valuable feedback, and a support load of less than
> 2%. The download can be found at _www.greenborder.com_ 
> <http://www.greenborder.com>.
>
> Thanks,
>
> Bill Stout
>


[Full-disclosure] Looking for any vulnerabilities in GreenBorder Pro - Download please, and let me know

2006-07-13 Thread Bill Stout
Hi guys,

I’m looking for vulnerabilities or other weaknesses in our GreenBorder Pro (application virtualization and isolation) product.  I invite you to download and hammer it.  Please tell me of any vulnerability you may find. 

If you download and activate it, the email used for activation will be responded to with a license key for a year.  The feedback we’ve gained is invaluable, for example our Saturday build will include NOD32 compatibility and updated installer checks.  It requires XP or 2K Pro and NTFS.  Please see Software compatibility in our knowledge base here: http://supportcenteronline.com/ics/support/default.asp?deptID=4049. 

If you notice we’re beyond 37,000 downloads and have read that free licenses are only for the first 10,000, we’ve quietly extended the year free license to anyone who downloads by July 28, 2006.  This is because of both the valuable feedback, and a support load of less than 2%.  The download can be found at www.greenborder.com.  

Thanks,

Bill Stout


[Full-disclosure] Browser bugs hit IE, Firefox today (SANS)

2006-06-29 Thread Bill Stout
http://news.com.com/Browser+bugs+hit+IE%2C+Firefox/2100-1002_3-6089817.html?tag=nefd.top
Published: June 29, 2006, 3:14 PM PDT

I couldn't find more info on SANS site.  Anyone have a link to the SANS
description?

Bill Stout
GreenBorder

http://www.greenborder.com
Free licenses first 10,000 downloads (we're above 4,000 at 5:17pm PDT)





[Full-disclosure] Thanks for the feedback! GreenBorder License inside - with new options - valid to end of year

2006-06-12 Thread Bill Stout
Hello List,

Thank you all for the feedback I've received so far.  Some of the
feedback I'm receiving is that it might also serve as a malware analysis
tool if we improve logging messages.  

In thanks to the list, and in the hope more security experts will stress
test the software, here's an extended period license:

D34OOW2267INS22JFDSOICKCCOE22EDX 

This is valid until the end of the year.  This also adds a 'safe file'
option - right-click on any executable or questionable file to open it
in virtual space.  Note: Many but not all programs will run in virtual
space, support for Firefox, IM, and other networking programs is not
official and have not been fully QA'd.  

Also, we've added more security by adding a firewall between virtual
space and local network ports.  The binary was updated late on Friday
(6/9), and is available from here:

http://www.greenborder.com/earlyaccess/ 

Bill Stout

RE: [Full-disclosure] Want to test this desktop barrier?, (Unauthorized offer) 0day protection

2006-06-09 Thread Bill Stout
Hi Dan,

There's a couple of ways it differs.  

1. Programs running in DROPMYRIGHTS and RunAs can still access files and
directories to which 'everyone' has access.  It's not common for someone
to check rights of every single directory in a computer to check who has
access to what.  A virtualized environment controls what directories the
environment has access to, to prevent dropping files in unwanted areas,
and to prevent reading confidential data from files.  For example;
MS-Word launched in the virtualized space to open a download shouldn't
be able to open files in 'My Documents'.

2. DROPMYRIGHTS and RunAs exclude membership of the lowered user from
known privileged user groups, but not custom privileged user groups.
For example; you may have created a new group for backup (backup_exec),
and since that new group is not a known privileged group, membership of
the lowered user of that group is ignored.  See tables in:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode/html/secure11152004.asp

3. Changing the access permissions of a program to certain resources
often causes the program to crash.  It's a problem if the only
permissions available are read/write/modify/delete/enumerate, and it's
undesirable to write or modify a value, and a program has to write or
modify a value to run.  For usability reasons, effectively having a
'virtualize' permission is useful.  This way only a copy of the value or
a temporary value is changed, which permits the program to run without
crashing in a controlled environment.  This virtualization can be done
for filesystem and registry, but also system calls and COM can be
virtualized (spoofed) to the virtual environment.  

HTH

Bill Stout


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dan
Renner
Sent: Thursday, June 08, 2006 10:33 AM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Want to test this desktop
barrier?,(Unauthorized offer) 0day protection

This definitely has more luxury features, but couldn't you do pretty 
much the same with MSDN's DROPMYRIGHTS program?

It runs {whatever} program as a guest user, effectively dropping the 
capabilities of that program to do nefarious things.

--

Sincerely,

Dan Renner
President
Los Angeles Computerhelp
http://losangelescomputerhelp.com
818.352.8700



[EMAIL PROTECTED] wrote:

> Message: 9
>
>Date: Thu, 8 Jun 2006 10:14:21 -0700
>From: "Bill Stout" <[EMAIL PROTECTED]>
>Subject: [Full-disclosure] Want to test this desktop barrier?
>   (Unauthorized   offer) 0day protection
>To: 
>Message-ID:
>   <[EMAIL PROTECTED]>
>Content-Type: text/plain; charset="us-ascii"
>
>Hello All,
>
>We have an early release of consumer desktop safety software that I'd
>like some feedback on. 
>
>http://www.greenborder.com/earlyaccess/ 
>
>Our software runs on XP SP2, and creates an application-level virtual
>environment primarily (for now) for Internet Explorer.  This prevents
>modification of the base system by any content in the virtual
>environment.  We refer to the virtual environment as 'x-space', or
>'within GreenBorder'.  We apply access control from the virtual
>environment to; the filesystem, registry, user shell, COM objects, and
>system calls.
>
>Although only Internet Explorer and applications which open downloaded
>attachments are supported, other applications can be launched in the
>GreenBorder environment.  Any processes running or temporary files or
>temporary registry entries are wiped from the virtual environment by an
>application reset.  Files can be saved to a specific directory only, and
>applications in this environment are prevented from reading files
>outside this one directory (applies confidentiality).
>
>We don't determine what application running in the virtual environment
>is malicious or not, so therefore this is not a replacement for
>signature based protection systems.  Most anything can run in the
>environment, it just can't modify local resources.  This is great
>protection for 0-day exploits, and lets administrators wait to apply
>patches off-hours.
>
>Hammer on our software by running malware of your choice in the software
>environment.  Please email me or the marketing email of your results.
>If you're running intensive tests, I would still recommend using a
>scratch system.
>
>We also have an enterprise version which uses a central whitelist to
>determine in which environment to open a site requested or Outlook
>message received.
>
>Bill Stout
>www.greenborder.com
>
>
>Appended below is our marketing spiel:
>
>
>
>"We are very pleased to give you special, early acce

RE: [Full-disclosure] Want to test this desktop barrier? (Unauthorized offer) 0day protection

2006-06-08 Thread Bill Stout
Hi Thierry,

It is conceptually different than AV or AS products, which is why I 
fall back to analogies.  Even experienced security folk automatically 
categorize something new with existing products, and presuppose there is 
nothing new under the sun.

If you generally categorize anything that does virtualization as a sandbox, 
then it's a sandbox.  I mean, some people consider virtual machines a way to 
create a sandbox.  Wikipedia does.  Personally I think running VMware or 
Virtual PC just to run a browser securely is way too intrusive for the average 
user.  So to avoid the user experience of booting a virtual OS, why not create 
a virtual application instance that can't contaminate the computer?  I say that 
like it's easy, but it requires kernel knowledge to develop.  Otherwise you 
only virtualize a few directories and some registry entries, and are exposed to 
attacks which leverage system calls, COM objects, User Shell, etc..

I believe this list is read by some of the best and most aggressive hackers 
that exist, and this is the best place to expose a new security product.  I am 
interested in what the list has to say.  

Bill Stout

_ 
From:   Thierry Zoller [mailto:[EMAIL PROTECTED] 
Sent:   Thursday, June 08, 2006 3:04 PM
To: Bill Stout
Cc: full-disclosure@lists.grok.org.uk
Subject:Re: [Full-disclosure] Want to test this desktop barrier? 
(Unauthorized offer) 0day protection

Dear Bill Stout,

You are posting to Full-disclosure, not your average mailinglist, you
don't need stories about toddlers and gloves, or "shots". ;)


>If you see a toddler 
>about to touch a dead animal, it's best they're wearing gloves rather 
>than being up to date on their shots. 

First it's a bad analogy, second it's plain wrong.

> We refer to the virtual environment as 'x-space', or 'within GreenBorder'.  
let's stick to some standards should we ? S A N D B O X 


-- 

http://secdev.zoller.lu

Thierry Zoller

Fingerprint : 5D84 BFDC CD36 A951 2C45  2E57 28B3 75DD 0AC6 F1C7

RE: [Full-disclosure] Want to test this desktop barrier? (Unauthorized offer) 0day protection

2006-06-08 Thread Bill Stout
Hi Joxean,

I can open any spyware, virus, or other malware in my browser and not
infect my computer.  This is as a local administrator, with
Active-X/Java/Javascript enabled in the browser.  Also, I can open any
infected downloaded file (as long as it's in the GreenBorder files
directory) and not infect my computer.  The next version will have
activity lights which indicate attempts to modify registry, filesystem,
etc. depending on what the product manager (and feedback) decides, which
is useful for determining what the heck some particular application is
attempting.

The advantage is that this is proactive protection, this effectively
provides 'gloves' for handling internet content, whereas AV or AS, since
they're detection-based, are like 'flu shots'.  If you see a toddler
about to touch a dead animal, it's best they're wearing gloves rather
than being up to date on their shots.

Virtualizing at the application level is not as intrusive as sandboxing
techniques.  Virtualization provides the ability to enumerate or read
selected real resources, and the protection is more transparent to the
user.

Bill Stout

-Original Message-
From: Joxean Koret [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 08, 2006 10:57 AM
To: Full Disclosure
Cc: Bill Stout
Subject: [Full-disclosure] Want to test this desktop barrier?
(Unauthorized offer) 0day protection

Hi,

>We don't determine what application running in the virtual environment
>is malicious or not, so therefore this is not a replacement for
>signature based protection systems.  Most anything can run in the
>environment, it just can't modify local resources.  This is great
>protection for 0-day exploits, and lets administrators wait to apply
>patches off-hours.

So it is a proprietary application like the Open Source Winpooch
(http://winpooch.free.fr/home/) that can't be used with an antivirus to
have real protection as Winpooch does.

Sorry but, is there any advantage?

-- 
How little the workers' life is worth

[Full-disclosure] Want to test this desktop barrier? (Unauthorized offer) 0day protection

2006-06-08 Thread Bill Stout
Hello All,

We have an early release of consumer desktop safety software that I’d like some feedback on. 

http://www.greenborder.com/earlyaccess/ 

Our software runs on XP SP2, and creates an application-level virtual environment primarily (for now) for Internet Explorer.  This prevents modification of the base system by any content in the virtual environment.  We refer to the virtual environment as ‘x-space’, or ‘within GreenBorder’.  We apply access control from the virtual environment to: the filesystem, registry, user shell, COM objects, and system calls.

Although only Internet Explorer and applications which open downloaded attachments are supported, other applications can be launched in the GreenBorder environment.  Any processes running or temporary files or temporary registry entries are wiped from the virtual environment by an application reset.  Files can be saved to a specific directory only, and applications in this environment are prevented from reading files outside this one directory (applies confidentiality).

We don’t determine what application running in the virtual environment is malicious or not, so therefore this is not a replacement for signature based protection systems.  Most anything can run in the environment, it just can’t modify local resources.  This is great protection for 0-day exploits, and lets administrators wait to apply patches off-hours.

Hammer on our software by running malware of your choice in the software environment.  Please email me or the marketing email of your results.  If you’re running intensive tests, I would still recommend using a scratch system.

We also have an enterprise version which uses a central whitelist to determine in which environment to open a site requested or Outlook message received.

Bill Stout

www.greenborder.com


Appended below is our marketing spiel:



“We are very pleased to give you special, early access to GreenBorder Pro, the new consumer edition of our patented enterprise technology (that’s already protecting thousands of users in some of the most demanding environments).

With GreenBorder Pro, NOTHING CAN BREAK INTO YOUR PC from the Web.  You can:

  •  Search & browse ANY website—without putting your PC, files or private identity data at risk (or leaving any trace on your PC of where you have been :)

  •  Shop & bank in privacy—without anything spying on your personal info, bank account and credit card numbers, passwords or online transactions

  •  Use any downloads—without worrying about anything nasty hidden inside

Simply click on the link below to get to the GreenBorder Pro VIP page. There, you can see a guided tour, learn about the software, and download your own copy. Here is a special VIP license key to copy & paste when you install: 

34422VS279429422K44W

Click here to get GreenBorder Pro

We would greatly appreciate any comments or suggestions you might have along the way. Just email us at [EMAIL PROTECTED] or click on the GreenBorder icon and select Contact Customer Support in the software itself!”
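The access-control model sketched in the announcement above (per-resource policy on the filesystem and registry, one permitted save directory, an "application reset" that discards the session's changes) and the 'virtualize' permission Bill describes in his reply to Dan Renner about DROPMYRIGHTS are easy to misread as "RunAs with extra steps". The following Python model is an added example for this thread, not GreenBorder's code or anyone's from the list: it shows how a copy-on-write overlay lets an untrusted program "succeed" at writes the real system never sees, while unlisted paths (including a world-writable share a rights-dropped process could still reach) default to deny. The policy table, the `C:/GreenBorder Files/` save directory, the sample paths and the `SandboxFS`/`Access` names are all assumptions constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Access(Enum):
    """What a sandboxed program may do with one real resource (file path or registry key)."""
    DENY = "deny"              # neither read nor write: confidential data and anything unlisted
    READ = "read"              # read the real value; writes are refused (may crash fussy programs)
    VIRTUALIZE = "virtualize"  # read the real value; writes land in a private per-session overlay
    REAL = "real"              # full read/write to the real resource: the one permitted save directory


# Hypothetical policy (first matching prefix wins); paths and the save directory are constructed.
# Anything not listed is DENY, so a world-writable share that a merely rights-dropped
# process could still reach stays off limits to the sandboxed one.
POLICY: list[tuple[str, Access]] = [
    ("C:/GreenBorder Files/", Access.REAL),
    ("C:/Users/alice/My Documents/", Access.DENY),
    ("C:/Program Files/", Access.READ),
    ("C:/Windows/", Access.VIRTUALIZE),
    ("HKCU/Software/", Access.VIRTUALIZE),
]


@dataclass
class SandboxFS:
    """Copy-on-write view of a flat 'real' namespace (path -> content)."""
    base: dict[str, str]
    policy: list[tuple[str, Access]]
    overlay: dict[str, str] = field(default_factory=dict)
    audit: list[str] = field(default_factory=list)   # what a 'activity light' would report

    def _rule(self, path: str) -> Access:
        for prefix, access in self.policy:
            if path.startswith(prefix):
                return access
        return Access.DENY

    def read(self, path: str) -> str:
        if self._rule(path) is Access.DENY:
            self.audit.append(f"DENY read {path}")
            raise PermissionError(path)
        if path in self.overlay:      # the program sees its own earlier 'changes' first
            return self.overlay[path]
        if path in self.base:
            return self.base[path]
        raise FileNotFoundError(path)

    def write(self, path: str, data: str) -> None:
        access = self._rule(path)
        if access is Access.REAL:
            self.base[path] = data    # only the save directory reaches the real system
        elif access is Access.VIRTUALIZE:
            self.overlay[path] = data  # program believes the write succeeded; base is untouched
            self.audit.append(f"VIRTUALIZED write {path}")
        else:
            self.audit.append(f"DENY write {path}")
            raise PermissionError(path)

    def reset(self) -> None:
        """'Application reset': discard everything the sandboxed session changed."""
        self.overlay.clear()


def demo() -> dict[str, object]:
    """Run a constructed dropper-style session through the policy and report the outcome."""
    base = {  # constructed sample system state, not real data from any product
        "HKCU/Software/Microsoft/Windows/CurrentVersion/Run/Updater": "",
        "C:/Users/alice/My Documents/taxes.xls": "confidential",
        "C:/Program Files/App/app.cfg": "verbose=0",
    }
    fs = SandboxFS(base=dict(base), policy=POLICY)
    out: dict[str, object] = {}

    autorun = "HKCU/Software/Microsoft/Windows/CurrentVersion/Run/Updater"
    fs.write(autorun, "C:/GreenBorder Files/evil.exe")  # persistence attempt, virtualized
    out["autorun_seen_in_sandbox"] = fs.read(autorun)
    out["autorun_in_base"] = fs.base[autorun]

    for name, path, data in [
        ("confidential_read", "C:/Users/alice/My Documents/taxes.xls", None),
        ("program_files_write", "C:/Program Files/App/app.cfg", "verbose=1"),
        ("world_writable_drop", "D:/public/share/dropper.exe", "MZ..."),
    ]:
        try:
            fs.read(path) if data is None else fs.write(path, data)
            out[name] = "allowed"
        except PermissionError:
            out[name] = "denied"

    fs.write("C:/GreenBorder Files/download.exe", "MZ...")  # the one permitted save location
    out["saved_in_real_fs"] = "C:/GreenBorder Files/download.exe" in fs.base

    fs.reset()
    out["overlay_after_reset"] = len(fs.overlay)
    out["base_unchanged"] = all(fs.base[k] == v for k, v in base.items())
    return out
```

The `audit` list is the part a malware analyst would care about: every virtualized or refused access is recorded, which is the "activity lights" idea from the Joxean reply, and the overlay itself is a record of what the program tried to persist before the reset threw it away. Point 2 of the DROPMYRIGHTS reply (custom privileged groups) is not modelled here; this example covers the deny-by-default and copy-on-write points only.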

RE: [Full-disclosure] How many vendors knowingly ship GA product with security vulnerabilities?

2006-05-04 Thread Bill Stout
Thanks Valdis,

That's an excellent and well thought out reply.  Sounds like you have
some experience in delivering software.

It would seem that if a few days buffer were built into the system,
specifically to check in security fixes prior to QA; that would be a
huge 'CYA' benefit to prevent those 'CLM' moves and to protect the
consumers of the software.

Bill Stout


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, May 03, 2006 11:10 PM
To: Bill Stout
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] How many vendors knowingly ship GA
product with security vulnerabilities? 

On Wed, 03 May 2006 22:23:42 PDT, Bill Stout said:
> If a patch is ready in just a few days, and QA for a patch takes several
> weeks, it would seem the vendor already knew about the vulnerability and
> had a fix ready, either for next release or vulnerability discovery,

It would *seem* that way, yes. But it often doesn't work that way.

Quite often, the bug is a Homer Simpson "D'Oh!" error (such as most
buffer overruns), so a "first cut" of a patch can be done in a few
*hours*.

> which ever came first.  Otherwise the fix would take weeks to test and
> release in order to test all compatibilities related to the bug fix,
> correct?

But it can *still* take a while to actually integrate and test the fix,
especially if it involves an API change.  For instance, a buffer overflow may
be fixed by passing in a new "length" parameter.  Then you have to find
and fix all the places that call the function, to also pass the length, and
then find all the places that call those places, and so far...

And if you're *really* unlucky, the API change goes to multiple code
repositories for multiple products... and things get *really* ugly.

Try it sometime - pull down the source for Firefox or OpenOffice, which are
"average" sized for large software systems.  Unpack it someplace (make sure
you have multiple gigabytes of disk available).  Now find some random foo.h
file somewhere in the tree.  Find a 'struct' in that .h, and add one more
thing to that struct. 'int blat;' is good enough.   Now see how long it takes
you to find every use of that struct, and add a 'foo_struct.blat = 5;' (or 6,
or 9, or different value at each use).

Then have fun tracking down all the *implicit* uses - code that uses sizeof(),
or places where the code blows up if 'sizeof(struct foo_struct)' is over the size
you can store in a certain field in a database.  Oh, and don't forget to find
that XML file that generates the marshal/demarshal code for this ;)

> So, my question is, if the vendor knew about vulnerabilities before a
> product was released, why wouldn't they simply delay the ship a few days
> in order to QA the patch for vulnerabilities they already knew about?

There's this thing called a 'freeze date', and it's often several *months*
before the planned 'ship date'.  You have to freeze the code at *some* point,
do the QA, and at some point produce a .ISO or similar to send to burn CDs.
Then you have to send the CD off to be duplicated (even a *big* duplicating
shop is going to take a while to produce 10,000,000 burned, custom artwork,
manuals, into a box and shrink wrapped and sent to Office Max and Best Buy
and Walmart and everyplace else.  Oh, and you need to send copies to whatever
PC manufacturers bundle it, so Dell and HP and Lenovo can integrate it into
the images *they* install.

So you're sitting there, 3 million CD's burned, Dell and HP ramping up and
Lenovo ready to go tomorrow - and you want to *delay a few days* because
there might be a bug

Somebody's gonna *pay* for that fuck-up.  It's a CLM (Career-Limiting Move).

http://today.reuters.com/business/newsArticle.aspx?type=technology&storyID=nN02271704

Vista is slipping *again*.  And the news took MSFT stock down 0.22 to $24.07.
That's a 1% hit in market value.  And that means that Gates's $40B in MSFT stock
just dropped $400M in value.  That means Gates is gonna rip Ballmer a new one
(wouldn't *you* if you just lost $400M?).  Ballmer is gonna rip somebody a new
one, and so on down the line.

You wanna be the software engineer at the end of that line?  You're gonna get
ripped so many new ones, you're gonna be called "Swiss Cheese" at your
next job...

And it's not limited to proprietary software either - the guys over at
Firefox just released 1.5.0.3 to fix a nasty flaw.  Now, *somebody* had to make
the hard call "We ship 1.5.0.3 *now* to fix this bug, and the stuff that *was*
targeted for 0.3 is going to slip to 0.4".  Do you want to be the software
engineer that tries to say "Umm.. can we hold 0.3 for a week and a half while
we get these 3 minor bugfixes finished?"

[Full-disclosure] How many vendors knowingly ship GA product with security vulnerabilities?

2006-05-03 Thread Bill Stout
Hello all,

Here’s a question which is Full Disclosure specific.

It’s a given that a vendor issues a patch for a vulnerability within a few days to a couple of weeks from date of vendor notification, after which all bets are off as far as public disclosure.  Well, after some period of time (from 30 days to vendor requested period?).  

If a patch is ready in just a few days, and QA for a patch takes several weeks, it would seem the vendor already knew about the vulnerability and had a fix ready, either for next release or vulnerability discovery, whichever came first.  Otherwise the fix would take weeks to test and release in order to test all compatibilities related to the bug fix, correct?

So, my question is, if the vendor knew about vulnerabilities before a product was released, why wouldn’t they simply delay the ship a few days in order to QA the patch for vulnerabilities they already knew about?  

Do vendors roll the dice on discoverability?

Bill Stout

RE: [Full-disclosure] Exploit/POC Database

2006-04-28 Thread Bill Stout

Open source framework and plug-ins 
http://www.metasploit.com/
http://www.securityforest.com/

Exploit sites
http://milw0rm.com/
http://www.offensivecomputing.net/  
http://www.packetstormsecurity.nl/
http://www.securiteam.com/exploits/
http://securitydot.net/exploits.php
http://www.elsenot.com/frsirt-google.html

Subscription sites
https://www.frame4.net/mdpro/index.php?cmd=files
http://www.frsirt.com/english/

Bill Stout

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom
Doherty
Sent: Friday, April 28, 2006 5:03 AM
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] Exploit/POC Database

Hi,
With Frsirt no longer making their collection of exploits public, can
anyone advise on similar sites providing exploit code?
Thanks
T

RE: [Full-disclosure] What is wrong with schools these days?

2006-04-25 Thread Bill Stout
Point taken; bkfsec, Michael, Valdis.  

Statistics are just that.  There may be a better crafted comparison
between the webservers than Secunia vulnerabilities.

I think we're in agreement that an administrator has to be familiar with
securing that particular OS.

Bill Stout

-Original Message-
From: bkfsec [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, April 25, 2006 12:34 PM
To: Bill Stout
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] What is wrong with schools these days?

Bill Stout wrote:

>You know, having made a few NTexploit lists in the past, I wanted to
>make the point the M$ was less secure.  Unfortunately the facts were
>against me.
>
>Two IIS 6.0 vulnerabilities reported from 2003-2006 
>http://secunia.com/product/1438/ 
>Twenty-eight Apache 2.0 vulnerabilities reported from 2003-2006
>http://secunia.com/product/73/
>
>Paul is right.
>
>I would never suggest a Windows admin use UNIX, or vice versa.  A
>product is only as secure as it's configured.
>
Facts and statistics are two different things, my friend.

I'm not saying that Paul's specifically wrong... he's not.  Just that 
those statistics aren't the end of the road for the "facts".  Lots of 
other factors play into things.

What I usually say is that if run by a clueful administrator with an eye
to system audit, control, and security, a Free Software system _can_ be 
made more secure than a proprietary system, particularly a Microsoft 
based solution. 

Now, given equal setup time, resources, and management backing for the 
project -- well, that may be a different story.  But you can't blame the

*nix systems for being hamstrung by a lack of resources.  :)

I stand by that statement.  And would happily point out that if you run 
any system without configuring it with an eye to security, you're 
probably going to have a problem.

 -bkfsec

RE: [Full-disclosure] What is wrong with schools these days?

2006-04-25 Thread Bill Stout

You know, having made a few NTexploit lists in the past, I wanted to
make the point the M$ was less secure.  Unfortunately the facts were
against me.

Two IIS 6.0 vulnerabilities reported from 2003-2006 
http://secunia.com/product/1438/ 
Twenty-eight Apache 2.0 vulnerabilities reported from 2003-2006
http://secunia.com/product/73/

Paul is right.

I would never suggest a Windows admin use UNIX, or vice versa.  A
product is only as secure as it's configured.

Bill Stout
www.greenborder.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Paul
Schmehl
Sent: Tuesday, April 25, 2006 10:27 AM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] What is wrong with schools these days?

CrYpTiC MauleR wrote:
> All you had to say was Microsoft =oP
> 
That's hilarious.  The number one defaced website OS is Linux.  (See 
Zone-H.org if you don't believe me.)

The number one problem I have here is unix boxes.  You know why? 
Because a lot of open-source bozos run around claiming unix is more 
secure than Windows.  So a lot of clueless people think that, if they 
just set up a RedHat box, they won't have anything to worry about.

Ask them what that little red ball with the X in it is - you know - the 
one flashing up there in the taskbar- and they'll say I dunno.

No OS is secure by default.  No OS can remain secure if it's not 
properly configured and maintained.  Look at your box right now.  How 
many of you have inetd or xinetd running?  Why?  What services does it 
provide that you need?  Do you even know what chargen or rpc.statd is? 
If not, why are they running (if they are)?  How many of you have a 
workstation running with more than just ssh enabled and *no* firewall 
running?

You name the OS, and I can tell you of at least one incident of hacking.

We haven't had a Windows box hacked in a long time.  The last five 
were two Macs and three RedHat boxes.  Does that mean Macs and RedHat 
are insecure?  NO!  It means, until the general public understands the 
problem and knows what the solution is, hacking will continue apace with
no sign of letting up.

The real problem is ignorance.

-- 
Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
