Re: [Full-disclosure] pause for reflection
Hi Gadi,

In answer to your last question: "Enough whining though. Who is next on the target list? :)"

Look at KnujOn's Top Ten Worst Registrars list. Joker and BLI have been handed breach notices by ICANN. EST will follow, then eNOM, then...

There is no need to worry about their bread, that's just the criminals trying to make us feel guilty. KnujOn was told that if we did not back off, a particular Chinese registrar was going to fire its low level abuse staff. These guys do not care about the people who work for them. They only care about their own bread. Please don't give in to their guilt trip. The time has come for the criminals to find honest work, like the rest of us. There is plenty to do.

We are all of the Internet.

-- bob

On Sun, 5 Oct 2008, Gadi Evron wrote:

I started answering an email an hour ago, and it was important enough to spend time on. It also ended up being too long, so I dumped it in a blog post if you prefer reading in a web browser.

http://gadievron.blogspot.com/2008/10/time-for-self-reflection.html

Time for self reflection

More seriously, why do I care so much? I have dual citizenship. Along with my homeland citizenship, I am of the Internet, and see it as my personal duty to try and make the Internet safe.

Gadi Evron, Of the Internet.

--
Dr. Robert Bruen
Cold Rain
Knujon
http://coldrain.net
http://knujon.com
+1.802.579.6288

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Free Tibet..
Hi Jerome,

This is the only time I will participate in this thread. We all know lots about Tibet and we all know that China invaded Tibet, a free country. The Dalai Lama is the true head of state of the Tibet government in exile. The Han should stop murdering the people of Tibet and leave them in peace.

-- bob

On Tue, 25 Mar 2008, Jerome Jar wrote:

Please, I humbly think that you know possibly nothing about Tibet, the province of China. A lot of Chinese people, who used to take western media as the representation of good will and perhaps democracy, do feel sick of the misleading news article pieces produced by such media on this very topic of Tibet. If all of your knowledge about the Tibet event comes from such sources, just ignore them.

On Tue, Mar 25, 2008 at 8:57 AM, Gerald Maggro [EMAIL PROTECTED] wrote:

..with purchase of one country of equal or greater value?

Seriously though, those cocksuckers in the Chinese gov't are at it again... wait, they never stopped. Murderous freedom hating ways. Just not right. How about a bigger target than Scientology this time? China's got the Olympics coming up, that makes them more sensitive than usual. The Dalai Lama can be as peaceful as he wants... more action is needed. A lot more. Anyone want to pick a fight with the Chinese?

--
Dr. Robert Bruen
Cold Rain
Knujon
http://coldrain.net
http://knujon.com
+1.802.579.6288
Re: [Full-disclosure] [Professional IT Security Providers - Exposed] QuietMove ( D - )
Well, I guess this settles how you should be judged. Spelling is hard, especially when complaining about somebody else. Is it quitemove.com or quietmove.com? Not quite, eh?

-- bob

On Mon, 31 Dec 2007, secreview wrote:

QuiteMove, located at http://www.quitemove.com is a small Professional IT Security Services Provider that offers Training services, Incident Response Services, Web Application Security Services and Penetration Testing Services. QuiteMove was started by Adam Munter in 2006 along with Jeffrey Rassas, and James Garvey, Jr. You can read their mission statement here http://www.mywikibiz.com/Directory:QuietMove (but it's pretty basic).

When reviewing the QuiteMove website and people we were not the least bit impressed. The QuiteMove website is packed full of grammatical errors and many of the services don't even have descriptions. The services that do have descriptions are very poorly written and very poorly defined. Take a look at their Penetration Testing service offering as an example. If you want to see an example of no content check out their Social Engineering offering.

Since we were unable to extract anything useful from the materials provided to us by QuiteMove we decided to focus on the talent behind QuietMove. Unfortunately we were equally unimpressed. The only technically oriented team members that we were able to identify within QuietMove were Adam Munter, who is a founder and Marcin Wielgoszewsk, who is a very green consultant. Seeing as Adam Munter is being positioned as the technical visionary for QuietMove, we decided to focus on him and not on Marcin.

Adam's LinkedIn Bio: http://tinyurl.com/yt9j2y

As it turns out Adam Munter worked for Accuvant, a company that competes directly with Adam's QuietMove, prior to founding QuietMove. Adam's role at Accuvant was to lead consultants on IT Security Engagements for large organizations. In conjunction with this, Adam also spoke at conferences. He worked here for 1 year and 1 month.

Prior to working for Accuvant, Adam worked for Pegasus Solutions Inc. as the acting Chief Security Officer. Pegasus is the largest hotel reservation distribution system vendor and a major vendor of Hotel Management systems. Adam did get some Sarbanes Oxley work under his belt as he helped Pegasus to successfully marshal through their first audit. Adam also initiated the program to help get Pegasus to be Visa CISP compliant, including evaluating and changing their handling of payment Cardholder data. He worked here for 2 years and 1 month.

From August 2000 to January 2003 Adam was a Founding member of IBM's Ethical Hacking Center of Competency. His responsibilities included being a technical interviewer for new hires, a Penetration Testing Subject Matter Expert, and the performance of consulting engagements for clients ranging from midsize companies and government agencies to the Fortune 500. Adam worked for IBM for 2 years and 6 months.

So if we add up the relevant experience that Adam has had according to his LinkedIn bio we get 1 year and 1 month + 2 years and 6 months, which is a grand total of 3 years and 7 months of professional IT Security Consulting Experience. Not sure about our readers, but to us at Secreview that hardly makes Adam an IT Security Expert.

But wait, now we have a discrepancy... According to the QuietMove website, Adam has over 14 years of experience in information security, software, and product R&D with 8 years being dedicated solely to security. His QuietMove bio goes on to say Adam's particular talents include penetration testing of web and binary applications, networks, systems, and SCADA, "social engineering" and physical penetration of facilities, and in developing professional services offerings. This just doesn't add up.

Anyway, remember we didn't set out to bash anyone here, but Adam/QuietMove put himself/themselves in the line of fire. QuietMove appears to be a very small and disorganized shop. Their website is half-assed and incomplete and we can't say anything better about their talent profile. We suggest that QuietMove complete their website and review their talent profile, then we'll set out to do another review and see if they score better. As of right now, we can't give them more than a D-. We'll keep an eye on their website and redo this review if they ever fix their issues.

-- Posted By secreview to Professional IT Security Providers - Exposed at 12/31/2007 11:32:00 AM

--
Dr. Robert Bruen
Cold Rain
Knujon
http://coldrain.net
http://knujon.com
+1.802.579.6288
Re: [Full-disclosure] Anyone have a reason for 2x the email flow today?
Hey JP,

People who live in glass houses should not throw rocks at other people, especially in public. I still have not forgotten that you stole that CD set of SUSE 9.0 from me. The CD set may not be worth much, but I loaned them to you after you begged for someone on the list to bail you out of a tough situation. I was the fool that did. It looks like this is just another example of your lack of integrity.

-- bob

On Wed, 5 Dec 2007, Dude VanWinkle wrote:

On Dec 5, 2007 6:47 PM, Jay Dephallia [EMAIL PROTECTED] wrote:

It's not spam email. You can seriously make yourself bigger with this pill. [EMAIL PROTECTED] has all the info. Just email him about it. Also, ask him about the size of his cock.

What a surprise you use a gmail account to send cowardly attacks anonymously. I bet if I met you on the street you would just mess yourself and run back to your mama's womb.

-JP

--
Dr. Robert Bruen
Cold Rain
Knujon
http://coldrain.net
http://knujon.com
+1.802.579.6288
Re: [Full-disclosure] spammer wades into US Presidential race
Hi James.

Spam may be part of our lives, but to roll over and accept it is not really the best approach. Fight back.

-- bob

On Thu, 8 Nov 2007, James Matthews wrote:

Spam is a part of our lives

On Nov 8, 2007 1:34 PM, lsi [EMAIL PROTECTED] wrote:

4. Analysis of spam for the benefit of the group.

--
Dr. Robert Bruen
Cold Rain
Knujon
http://knujon.com
Re: [Full-disclosure] Wachovia Bank website sends confidential information
While it is true that lots of folk pick on vendors for a few minutes of fame, the Wachovia case is slightly different. They do have an attitude problem and are technically challenged. The basis for this is a law enforcement conference about six months ago. During a presentation a Wachovia representative told a speaker to stop blaming the banks for problems. This was the third presentation this individual has listened to in which each speaker had blamed the banks for not doing enough and the frustration level was a bit high.

This only comes up because of the current Wachovia web site issue. It shows that there is an internal problem, worse than most, ending with the current situation. And no I will not identify any of the players.

--bob

On Wed, 11 Jul 2007, J. Oquendo wrote:

[EMAIL PROTECTED] wrote:

On Tue, 10 Jul 2007 21:39:33 EDT, Jim Popovitch said:

7 days? industry practice? Come on Bob I know you know that large corporations can't feed a cat in 7 days let alone make unscheduled website changes that fast. Change control approvals alone would include 14 or more days in most enterprises. Why the rush to say so?

On the other hand, I think that they *could* manage at least a "Wow d00dz, we really *do* have a hole there" reply and at least give a handwaving about when they'd fix it. Of course, actually *fixing* a design flaw that big is going to take them *months*.

Driver walks into a dealer and speaks to customer service: "These brake pads are extremely vulnerable to slipping during X conditions on a 90 degree slalom" says the driver. Puzzled and not knowing squat about slaloms, or the braking system, the customer service rep sends the driver to a mechanic. "These brake pads are extremely vulnerable to slipping during X conditions on a 90 degree slalom. Someone will die!" says the driver to the mechanic... Not being able to change the auto's design nor engineering, the mechanic is puzzled and offers to take the information although he is even more puzzled on who this should be directed to. Two days later driver rambles on news stations nationwide: "Their arrogance will get people killed. I warned them repeatedly." People moan and grumble, etc., recalls, fixes...

This Wachovia thread is pointless. I see no mention or posting to perhaps any security list (and I'm on many both public and private) saying: "Hey is there anyone who can put me in touch with someone in the know at Wachovia" on any list. All I see is... "I called customer service." So what, if you're a security professional you will know damn well you're getting nowhere with them. "I spoke to their w3bm4ster." And? Either the poster is looking for attention or a complete and utter idiot. If his or her true intention was to provide a report of a security woe concerning said business or product, he or she could have easily jumped on any security mailing list and found the right connection instead of rambling on "the sky is falling"...

Let me see: wachovia security cissp incident +network via Google

This looks interesting: http://www.bryceporter.com/

I would have contacted someone on this level to put me in touch with the right person. But hey, guess it's more hip to add stupid little tags next to your resume or webpage: "I broke $INSERT_VENDOR_HERE"

--
Dr. Robert Bruen
Cold Rain Technologies
http://coldrain.net
+1.802.579.6288
Re: [Full-disclosure] Wachovia Bank website sends confidential information
Hi Jim,

No, I did not declare the whole of Wachovia technically challenged based on the one incident at a security conference. What I was pointing out is that the current problem of their failure to put up a secure web and their failure to respond to notification about it has another data point from about 6 months ago. In general enterprises send only a small group of people to any given conference, so no, the whole of Wachovia did not attend. Nevertheless, when you are the one attending, you are a representative of that enterprise.

You seemed to have missed the point that I was adding to a discussion, not trying to create a new one. My point was in the dustbin, where it would have stayed, until the current discussion appeared.

-- bob

On Wed, 11 Jul 2007, Jim Popovitch wrote:

On Wed, 2007-07-11 at 12:03 -0400, Bob Bruen wrote:

While it is true that lots of folk pick on vendors for a few minutes of fame, the Wachovia case is slightly different. They do have an attitude problem and are technically challenged. The basis for this is a law enforcement conference about six months ago. During a presentation a Wachovia representative told a speaker to stop blaming the banks for problems. This was the third presentation this individual has listened to in which each speaker had blamed the banks for not doing enough and the frustration level was a bit high.

So you declare the whole of Wachovia technically challenged based on the one incident at a security conference (did all of Wachovia attend?) six months ago? Come on. ;-) Wachovia, like every other large enterprise, has good, mediocre, and bad employees. It's a fact of life, but not a news worthy story. I'm sure that some days the best and brightest represent Wachovia at some conference somewhere, and I am equally sure that some days the worst and most deplorable represent Wachovia at some conference somewhere. It happens.

-Jim P.

--
Dr. Robert Bruen
Cold Rain Technologies
http://coldrain.net
+1.802.579.6288