Re: [Full-disclosure] security industry software license
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Fiat licensure laws are invariably used (if not intended) to restrict new entrants in a profession. The idea is to benefit existing members in that profession (who are "grandfathered" into licensure by virtue of having worked in that profession for a duration) and to constrict, by law, labor competition with those who are already in that profession. In the short term, existing members benefit at the expense of the consumer of the products/services generated by members of the profession in question. In the longer term, it's possible that aggregate loss of competitiveness of the profession in question might cause alternatives to emerge and for the protected, licensed members to achieve sub-optimal economic results even among themselves. A non-identical (but related) legal construct, unions, is causing this "aggregate loss" in the American "big 3" automobile manufacturers, as well as other economic factors. G - - Original Message - From: "Freeman Y." <[EMAIL PROTECTED]> To: "n3td3v" <[EMAIL PROTECTED]> Cc: Sent: Sunday, October 12, 2008 10:07 PM Subject: Re: [Full-disclosure] security industry software license > This always has been, and still is, a stupid idea. > > n3td3v wrote: >> It would be a good way for the government to leverage control of >> hackers and the people who use their tools though. Disclosure Scotland >> is already in operation, all you need is a new law to say everyone who >> uses security software must get a Disclosure Scotland background check >> first. >> >> > These security tools can be thought of as lock picks. Who uses them? > Burglars, for sure. But so do locksmiths and people who are locked out > of their homes. But is it possible to regulate these things? Really, a > lock pick can be as simple as a bent paper clip that you make yourself, > in the same way that even if you ban programs like Metasploit you can't > stop somebody from writing their own. >> I think the government will introduce the security industry software >> license scheme and change the law to support it. There is also an >> option where some tools wouldn't need a license, the government would >> grade different types of security software depending on their >> effectiveness and potential damage to infrastructure and computers. >> >> > I think they won't, because they know the futility of fighting with > 'advanced' computer users. If we really wanted those tools, we'd get > them, license or not. You're talking about hackers here. Do you really > think they can't obtain some software with a license on it? You put a > license on Metasploit and it'll be on Pirate Bay or something within a > few days. >> For instance, category A,B,C..."A" being metasploit, "C" being angry >> ip scanner (is angry ip scanner even classed as security software, >> thats something that needs to be discussed as well, what defines >> "security software"?). >> >> > Thats a good point - what is 'security software'? Is a web browser > considered one? After all, you could do many things with a browser, like > search up vulnerable websites and pen test their web apps. > >> Hackers may start to use the category of software as a scoreboard of >> how elite their software is, but who cares, its a reference for the >> scheme and for people who need to know which software needs a license >> and what type of license you need, and how deep a background check has >> been done on individuals who already have a license and are using >> software, or as an indicator to people who are about to apply for a >> license, how indepth the background check will be. >> > By the way, is this a global thing? I'm not really sure, but if it is, > how will this be organized? >> C would mean no background check needed, B would mean basic background >> check needed, with a "basic" security industry software license, and A >> would mean "advanced" background check needed, with an advanced >> software license type. >> >> So there would be two different licenses, "basic" and "advanced", and >> C for no license required. >> >> Moreover, the category system can be setup by any of you, you don't >> need to wait for this scheme to be introduced, securityfocus, sans >> diary or other vendors could start categorizing software on >> what"potential" damage could be caused with security software if the >> bad guys were to use them for evil things.---we can get the category >> system setup as part of a seperate project, even if the license scheme >> doesn't get the go-ahead, it would still be a useful thing for folks >> to do. >> >> > Do you mean like, the level of difficulty it takes for somebody to use a > tool to do something illegal? Or if its even possible with that tool? > Can GCC be classified as a security tool, because technically you could > use it to code any security tool in the world :) >> If anyone is bored and wants to compile a list of security software >> and categorise them all,
[Full-disclosure] ASLR
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Anyone tried setting the HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\MoveImages key (which, by default, does not exist) so as to mandate ASLR coverage (value of -1 to mandate coverage on all PEs)? Anyone had success (or big problems) with this, such as major s/w vendors' apps not being compatible? Thanks, G -BEGIN PGP SIGNATURE- Version: PGP Desktop 9.8.3 (Build 4028) - not licensed for commercial use: www.pgp.com Charset: utf-8 wj8DBQFI0/x4SGIRT5oVahwRAuUDAJsGpz06/hPyH88DrUh66TqAFMNn9ACfTA8I hmJ/KxgPLZiEjmkfd962qBw= =pR8I -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] so this is FD...
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Suggestion - check out the array of good security blogs if you're not already doing so. G - - Original Message - From: "Lucio Crusca" <[EMAIL PROTECTED]> To: Sent: Friday, June 27, 2008 4:46 AM Subject: [Full-disclosure] so this is FD... > I've been reading bugtraq in several short periods of my life, from year > 2000 on. Then I started finding it boring, maybe after it was acquired by > someone I don't remember right now. I'm not a security expert by any > means, I just like staying informed about new security issues. I almost > understand security alerts and a few of the inner workings of an exploit, > but only a few. Never managed to have a PoC working on my box. That's to > introduce > myself. As you can see I don't hide. > > After bugtraq I looked for a place in the old bugtraq spirit, and > eventually I decided FD was that place, so I started reading it. Now, > after a few > months of FD reading, I feel bored again. I've never replied to any of > the trolls and trolls-feeders on this list, but I've always been hardly > hoping it was a transient situation, not the main (and sometimes only) > topic of the list. Hell, if you filter out trolls postings and relative > replies, the rest is more or less what debian-security has to offer. > > Now I have to choose: go on reading this, er... shit? in the hope it will > get better in the future or leave all of you alone, trolls and others, > and seek for another place. I know, no one here cares about me or what > I'm > going to do. I'm just posting this to tell you that there are many people > out there that could be interested in reading this list, maybe not > posting for lack of skills, but with such a noise you are making them go > away, and they usually go away without telling you, like I'm doing. > > If you want this list to live on, I think (for what's worth) you should > find a solution. Don't know what the solution can actually be. Maybe a > wiki in the wikipedia style, but with specific rules, community driven, > would serve better than a unmoderated list? > > Lucio. > > > > ___ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ -BEGIN PGP SIGNATURE- Version: PGP Desktop 9.8.3 (Build 4028) - not licensed for commercial use: www.pgp.com Charset: utf-8 wj8DBQFIZOaGSGIRT5oVahwRAorbAJ0V/4BOCdRORevVVlIbXn4DoCbhnQCfSvOC uyn8oAF8C+YdVAwQjsUwTOQ= =shMS -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Fwd: Joel Esler comment on Sans ISC podcast
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Responding to such "playground tactics" will only perpetuate the foolishness, as has already been demonstrated repeatedly. For the sake of everyone, I strongly recommend you just add him/they to your filter list. G - - Original Message - From: "Ureleet" <[EMAIL PROTECTED]> To: "n3td3v" <[EMAIL PROTECTED]> Cc: Sent: Thursday, June 19, 2008 11:21 AM Subject: Re: [Full-disclosure] Fwd: Joel Esler comment on Sans ISC podcast > look everyone. playground tactics! > > On Thu, Jun 19, 2008 at 8:32 AM, n3td3v <[EMAIL PROTECTED]> wrote: > [absurd message removed] >> All the best, >> >> n3td3v > > ___ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ -BEGIN PGP SIGNATURE- Version: PGP Desktop 9.8.3 (Build 4028) - not licensed for commercial use: www.pgp.com Charset: utf-8 wj8DBQFIWoqsSGIRT5oVahwRArSvAJ0amQrcnwoQTEGGCJaFtSpBWMs+jgCdHyt/ il2Vj34NYOaPZ0NFq/Oze20= =Niia -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] OT: Re: Joel Esler comment on Sans ISC podcast
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Again, please add annoying/offensive people to your email filters. Keep in mind that, to them, any attention at all is good, even if it's negative attention. G - - Original Message - From: "Ureleet" <[EMAIL PROTECTED]> To: "n3td3v" <[EMAIL PROTECTED]> Cc: "n3td3v" <[EMAIL PROTECTED]>; Sent: Wednesday, June 18, 2008 1:15 PM Subject: Re: [Full-disclosure] Joel Esler comment on Sans ISC podcast > On Wed, Jun 18, 2008 at 12:26 PM, n3td3v <[EMAIL PROTECTED]> wrote: >> Joel Esler said he doesn't switch his phone off on flights and that >> anyone who is on a plane with him should watch out. >> > > do u make money from saying his name? you use it in enuff of ur emails. > > joel - ignore him. > > ___ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ -BEGIN PGP SIGNATURE- Version: PGP Desktop 9.8.3 (Build 4028) - not licensed for commercial use: www.pgp.com Charset: utf-8 wj8DBQFIWVC9SGIRT5oVahwRApOaAJ9ZVNYxjBSu0VhKTydAcJ2pQSEC5ACgqNmD GcPeBXuUF0mvt8ZlgaFyxBk= =M0qz -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Mambo Cookie Authentication Bypass Exploit
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 And situations involving social interaction are not for you. Please avoid them at all costs until social skills improve. Oh, and please read the list charter that was recently distributed. On it, you will see that offensive language and personal attacks are disallowed. G - - Original Message - From: <[EMAIL PROTECTED]> To: Cc: <[EMAIL PROTECTED]> Sent: Tuesday, June 10, 2008 3:05 AM Subject: Re: [Full-disclosure] Mambo Cookie Authentication Bypass Exploit > So to perform this 'bypass' you need the password in the first > place? You absolute fucking morons, the security scene is not for > you. I hope someone stabs you over a food stamp. Faggots. > > > Halabaluza Team Halabaluza Team halabaluza.team at gmail.com > Sun Jun 8 12:29:56 BST 2008 > >* Previous message: [Full-disclosure] avira update.exe >* Next message: [Full-disclosure] [ GLSA 200806-03 ] Imlib 2: > User-assisted execution of arbitrary code >* Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] > > for mambo <= 4.5.5 and <= 4.6.2 maybe others > > GET http://[TARGET]/index.php > Host: [TARGET] > User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9b5) > Gecko/2008050509 Firefox/3.0b5 > Accept: > text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/ > plain;q=0.8,image/png,*/*;q=0.5 > Keep-Alive: 300 > Connection: keep-alive > Cookie: usercookie[username]=[USERNAME];usercookie[password]=[MD5] > Cache-Control: max-age=0 > > FREE TIBET! > > > -- > Smart Girls Secret Weapon > Read Unbiased Beauty Product Reviews, Get Helpful Tips, Tricks and Sam > http://tagline.hushmail.com/fc/JKFkuIjyaUM3E9zcp2f7ppavbouTIiiPdCquThperf > oYTGho1dzYFq/ > > ___ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ -BEGIN PGP SIGNATURE- Version: PGP Desktop 9.8.3 (Build 4028) - not licensed for commercial use: www.pgp.com Charset: utf-8 wj8DBQFITn9RSGIRT5oVahwRAvPpAKCG3E5/0eqUAqXDy/+wMucj4JqtkQCeICbU R106Zq59OTfeb8s0RFcXY10= =FPM3 -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] POP QUIZ
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Add offensive list subscribers to your email filter rather than baiting them to continue their offensive posts. - - Original Message - From: Robert Holgstad To: Professor Micheal Chatner ; full-disclosure@lists.grok.org.uk Sent: Monday, June 09, 2008 5:46 PM Subject: Re: [Full-disclosure] POP QUIZ This is not even a question. When you become more familiar with english then come back and attempt to insult people on a mailing list randomly. On Sun, Jun 8, 2008 at 10:19 PM, Professor Micheal Chatner <[EMAIL PROTECTED]> wrote: [ offensive junk removed ] -BEGIN PGP SIGNATURE- Version: PGP Desktop 9.8.3 (Build 4028) - not licensed for commercial use: www.pgp.com Charset: utf-8 wj8DBQFITabCSGIRT5oVahwRArzSAJsFuKJPYCatWpk2vfgYWxkq3ClQcwCg0pOT Cet/WvG+U1bhndtxYd0a3x8= =BKkV -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] [offtopic] Fwd: Comments on: PhoenixMarsLander site hacked
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 That's why there are email filters. Pls start using them if you value your sanity. The kind of "publicity" he/they're getting only encourages the naughty behavior. - - Original Message - From: "Patrick Nolan" <[EMAIL PROTECTED]> To: Sent: Wednesday, June 04, 2008 10:42 PM Subject: Re: [Full-disclosure] [offtopic] Fwd: Comments on: PhoenixMarsLander site hacked >> -Original Message- >> From: [EMAIL PROTECTED] >> [mailto:[EMAIL PROTECTED] On Behalf Of n3td3v >> Sent: Wednesday, June 04, 2008 12:29 PM >> >> I'm not a troll, i'm a serious security researcher. >> > > A few articles or counter-articles > http://www.theregister.co.uk/2006/10/23/linguist_fingers_security_troll/p > age 2.html > > http://blogs.ittoolbox.com/security/dmorrill/archives/security-trolls-n3t > d3v -12460 > >> I was misrepresented in the media by SecurityFocus Robert >> Lemos who ruined my image. >> >> The findings have been post, >> >> http://smear-campaign-against-n3td3v.blogspot.com/2007/12/smea >> r-campaign-against-n3td3v.html >> >> All the best, >> n3td3v > > > Other links of non-interest... > > http://ph33r.org/updates/2006/10/20/n3td3v-true-identity-finally-discover > ed. html > > http://sunbeltblog.blogspot.com/2006/10/hunt-for-n3td3v.html > > http://www.hackerfactor.com/papers/who_is_n3td3v.pdf > > > .=Pn. > > ___ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ -BEGIN PGP SIGNATURE- Version: PGP Desktop 9.6.2 (Build 2014) - not licensed for commercial use: www.pgp.com wj8DBQFIR9wcSGIRT5oVahwRAteOAJ0fqQPsNO4s5YQKE/svcVZ0jwoLcQCg3Ire ojNE/DKSidd08WmcIovQk0s= =ZkaS -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Greetz security community members
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 No begging necessary, Michael. Just update your email filters to weed out offensive or junk email. - - Original Message - From: "Micheal Turner" <[EMAIL PROTECTED]> To: Sent: Thursday, May 29, 2008 3:35 PM Subject: Re: [Full-disclosure] Greetz security community members n3td3v although we aren't a scene release request group. The good folks at EuSec West took some time to fill your request. whats wrong kiddo? snoozing means you loosing. please please just go away. please. see? this is me begging you. get some lego, duplex maybe a facial or anything just go away. into a crawl space? a cupboard? anything other than at that damn keyboard of yours. - --- n3td3v <[EMAIL PROTECTED]> wrote: > Its time to come over and to my place and post some > messages ;-) > > http://n3td3v.googlepages.com/ > > n3td3v predictz Sebastian Muniz of CORE Security > Technologies is about > to release his Cisco IOS rootkit presentation to the > web. > > n3td3v says because Cisco released an out of cycle > patch release last > week for IOS that he, Sebastian Muniz was asked to > give it a week to > let the patches circulate with the Cisco customer > base before > releasing the rootkit presentation to the web. > > The security community are now ready to receive your > carbon copy of > the presentation you gave at EUSecWest 2008. > > The government, the security industry and the > underground now have had > enough time to come to terms with the situation and > are ready to take > on the challenges that face us to protect our > national infrastructure > from cyber attack. > > Yes, I was scared at the imminent release at first, > but the time zone > for discussion and panic has passed, its now time > for a full Cisco IOS > rootkit EUSecWest presentation release to the > mailing lists. > > n3td3v > > ___ > Full-Disclosure - We believe in it. > Charter: > http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - > http://secunia.com/ > __ Sent from Yahoo! Mail. A Smarter Email http://uk.docs.yahoo.com/nowyoucan.html - --- - - > ___ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ -BEGIN PGP SIGNATURE- Version: PGP Desktop 9.6.2 (Build 2014) - not licensed for commercial use: www.pgp.com wj8DBQFIQABYSGIRT5oVahwRAp/cAKDpjsRu/FrTIhTEtEzvaCHjux4ePQCfRRNo Rm972R4PMStRnZp4u037BtM= =SEaR -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Need some help with management
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Appeal to them with language that they understand. Since they don't seem to be as technical as you are, appeal to them with a financial and/or legal liability argument. Managers understand liability and the bottom line. - - Original Message - From: Daniel Sichel To: full-disclosure@lists.grok.org.uk Sent: Thursday, May 22, 2008 12:51 PM Subject: [Full-disclosure] Need some help with management My management here wants to put a server on our LAN, not administered by us (the IT department) and use a share on it to serve files and data to our workstations. They do not understand why having a server with a file share that is NOT part of our secure infrastructure represents a threat to the computers accessing it. Keep in mind this is an all Windows network. Sooo, if you guys can succinctly explain why having a trusted computer trust an untrusted computer is a problem, that would be helpful. Keep in mind we are talking to management here. It's kind of like trying to explain why, when you are in the United States, it's a bad idea to drive on the left hand side of the road. It's just so basic it's not documented anywhere. So, please help me explain why netbios and file shares on machines not within your network are bad ideas. Thanks, Daniel Sichel, CCNP, MCSE,MCSA,MCTS (Windows 2008) Network Engineer Ponderosa Telephone (559) 868-6367 - --- - - ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ -BEGIN PGP SIGNATURE- Version: PGP Desktop 9.6.2 (Build 2014) - not licensed for commercial use: www.pgp.com wj8DBQFINbscSGIRT5oVahwRAtbUAJsHjlOzn3WqAIO5k1EMJ8Y6ywWNoACgrBxV MyCkC2BZGDS5l2R7HMAwR8k= =NbUq -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Working exploit for Debian generated SSH Keys
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Yep, agreed. - - G Salut, Garrett, On Mon, 19 May 2008 13:51:29 -0400, Garrett M. Groff wrote: > Generating pseudo-random numbers isn't hard given a good API, but > writing that API is non-trivial (assuming you want high entropy/low > predictability). And, apparently, screwing up that API is also very > easy. Generating real pseudo-random streams is a hard problem which is way more than what people can handle. Usually, PRNGs are composed of various periodic elements which, in the end, all combined produce a repeating stream of pseudo-random numbers. OpenSSL uses a modified MAC for this as a state machine and extracts some state bits as random stream on every access. We're not debating the PRNG itself here but the _seed_. OpenSSL supports various ways to influence the state of the PRNG at various stages by XORing in new material; however, Debian chose to only support pre-seeding with uninitialized memory and the Process ID. With the elimination of the uninitialized memory as seed, the seed for the MAC was entirely comprised by the PID. So we're not debating a weakness in the PRNG here at all, which is a _very_ delicate subject. Tonnerre - -- SyGroup GmbH Tonnerre Lombard Solutions Systematiques Tel:+41 61 333 80 33 Güterstrasse 86 Fax:+41 61 383 14 67 4053 Basel Web:www.sygroup.ch [EMAIL PROTECTED] -BEGIN PGP SIGNATURE- Version: PGP Desktop 9.6.2 (Build 2014) - not licensed for commercial use: www.pgp.com wj8DBQFIMsjuSGIRT5oVahwRAlLrAJ9O7/osiw1tbwq7tjWPV0jjn/53dQCgwjik IZ7FHvEZJsdKXiRkRvE5uN4= =/qAR -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Working exploit for Debian generated SSH Keys
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 I think the "wheel" in this context refers to exploit code, not PRNG code. Generating pseudo-random numbers isn't hard given a good API, but writing that API is non-trivial (assuming you want high entropy/low predictability). And, apparently, screwing up that API is also very easy. - - G - - Original Message - From: "Skratz0r" <[EMAIL PROTECTED]> To: "nicolas vigier" <[EMAIL PROTECTED]> Cc: Sent: Monday, May 19, 2008 7:50 AM Subject: Re: [Full-disclosure] Working exploit for Debian generated SSH Keys > >_> > > #1: It cant be that hard to generate random numbers. > #2: It's hardly the wheel. > #3: Again, pointless arguments. > > On 19 May 2008, at 12:09, nicolas vigier wrote: > >> On Mon, 19 May 2008, Ronald van der Westen wrote: >> >>> Why reinvent the wheel? >> >> Why not ? >> >> ___ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ > > ___ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ -BEGIN PGP SIGNATURE- Version: PGP Desktop 9.6.2 (Build 2014) - not licensed for commercial use: www.pgp.com wj8DBQFIMb4YSGIRT5oVahwRAuQXAJ9UkoJplYiA6DiVbeRTbkwTDoovZQCeN7ir t3YvNW8PRxJh3Fb4VrZ1ZDo= =+k/9 -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Geeks
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 I think Valdis's point was valid. Why the sarcastic comments? (And what's with the mustache wax comment?) - - G - - Original Message - From: "Fredrick Diggle" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Cc: Sent: Friday, May 16, 2008 12:39 PM Subject: Re: [Full-disclosure] Geeks > thank you for the qualified opinion valdis. everyone cares very much. > can't you see how much we are all caring. also I saw a deal on > mustache wax the other day, email fredrick off list for linkage. > > On Fri, May 16, 2008 at 5:10 AM, <[EMAIL PROTECTED]> wrote: >> On Thu, 15 May 2008 09:11:37 PDT, Morning Wood said: >>> >> Anybody who thinks a CISSP is a "license to hack" is dreadfully >>> >> ignorant of what little overlap there is between hacking skills and >>> >> the material covered in the CISSP. >>> >>> CISSP's cant hack >> >> Right, because the CISSP isn't about hacking. It's about risk >> management. It's about balancing the cost of adding more security to a >> system against the costs of an intrusion. It's about the costs of >> testing a disaster recovery plan, and the costs of not having a plan. >> It's about what sort of backup schedule you should have, and what the >> retention period on the backups should be, and why. It's about knowing >> how deep a background check you should make on prospective employees. >> It's about how much security awareness training the users need. >> >> Hacking is a *very small* part of the security world. >> >> ___ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ >> > > ___ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ -BEGIN PGP SIGNATURE- Version: PGP Desktop 9.6.2 (Build 2014) - not licensed for commercial use: www.pgp.com wj8DBQFILbvJSGIRT5oVahwRAmU+AKD2W6WgYtDzCn/OAOy4QaTUStLBIwCfbIJT br4mW8clF2qsH7S7TAmwTyQ= =S3GA -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Full-Disclosure Digest, Vol 39, Issue 20 (very OT)
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Not silly to point that out at all. I borrowed the media term du jour
("Islamic fascists," or alternately, "Islamofascists"). I typically use the
term "Salafist radicals" since it's more technically correct and less
inflammatory (well, not necessarily on FD), but that term often
necessitates more explanation.
- - G
You wrote:
"islamic fascists" is a (probably null) subset of "muslims", while
"jews" is not a similar small subset of itself.
I suppose it would be silly to point out that "fascism" has a totally
different
goalset than "islamic fundamentalists", with an even bigger divergence of
philosophy than the Shiite-Sunni rift...
- - - Original Message -
From: <[EMAIL PROTECTED]>
To: "Joey Mengele" <[EMAIL PROTECTED]>
Cc: ; <[EMAIL PROTECTED]>
Sent: Friday, May 09, 2008 7:24 PM
Subject: Re: [Full-disclosure] Full-Disclosure Digest, Vol 39, Issue 20
-BEGIN PGP SIGNATURE-
Version: PGP Desktop 9.6.2 (Build 2014) - not licensed for commercial use:
www.pgp.com
wj8DBQFIJSa9SGIRT5oVahwRAqKGAJ9VbrmZxItPnDSdoG2TiRiqdjKUpACfZ2Ls
G5se4xLyQfBX6pgk/uE81XQ=
=eFNp
-END PGP SIGNATURE-
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Full-Disclosure Digest, Vol 39, Issue 20
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 There are Muslims and then there are Islamic fascists. You seem to think they are the same thing, which doesn't exactly point to strong analytical skills on your part. Or were you just using inflammatory rhetoric? Flame away, if you must... - - G - - - Original Message - From: "Joey Mengele" <[EMAIL PROTECTED]> To: ; <[EMAIL PROTECTED]> Sent: Friday, May 09, 2008 3:45 PM Subject: Re: [Full-disclosure] Full-Disclosure Digest, Vol 39, Issue 20 > Dead Groff, > > Please keep your anti Muslim rants off list. > > J > > On Fri, 09 May 2008 11:33:05 -0400 "Garrett M. Groff" > <[EMAIL PROTECTED]> wrote: >>I think it's time to cut out this anti-semitic crap. It violates >>the list >>charter and it's just embarrassing (to those who hold such hateful >>opinions). If you want to be complicit in hateful propaganda that >>echoes >>that of the mindless Islamic fascism that is so rampant in many >>parts of >>the world, then so be it (best of luck with that). But pls do so >>outside of >>the context of this list, or better yet, not at all. >> >>- G >> >> >>- Original Message - >>From: "Joey Mengele" <[EMAIL PROTECTED]> >>To: ; <[EMAIL PROTECTED]> >>Sent: Friday, May 09, 2008 11:14 AM >>Subject: Re: [Full-disclosure] Full-Disclosure Digest, Vol 39, >>Issue 20 >> >> >>> Dead Roberts, >>> >>> On Fri, 09 May 2008 10:36:43 -0400 Jesse Bacon >>> <[EMAIL PROTECTED]> wrote: >>>>Listen you self righteous, do-nothing, uninformed, sheeps arse. >>>>Misquoting verses from the old testament and adding in little >>>>bits of >>>>your own fascism doesn't show anybody how much of a scholar you >>>>are. Jews >>>>are taught to respect their fellow man and protect the innocent. >>>>Thats >>>>that. Please keep your ignorance off of this list because we >>are >>>>trying to >>>>support the freedom of information, not your right to make >>people >>>>listen to >>>>your bigoted rantings. Serious developers and scholars unite! >>>>Its time to >>>>use our resources (such as this list and the people that read >>it!) >>>>to start >>>>making a difference. I am not saying you should leave the >>group, >>>>I'm just >>>>saying unless you are posting something useful save it for >>someone >>>>who gives >>>>a shit what you think...a social forum for example. By the way, >>>>you have >>>>late fees at Blockbuster. Peace cracker! >>>> >>> >>> Blockbuster doesn't have late fees "cracker". But even if they >>did >>> that shit wouldn't have been clever. >>> >>> J >>> "Fuck Zionism and Fuck You Too" - Linus Torvalds >>> >>> -- >>> Scan, remove and block Spyware. Click now! >>> >>http://tagline.hushmail.com/fc/Ioyw6h4dKPZm5aRPFtB8frEnkhBe6o3e9BHW >>nZRz91 >>> W9QFrEyGGDzC/ >>> >>> ___ >>> Full-Disclosure - We believe in it. >>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>> Hosted and sponsored by Secunia - http://secunia.com/ > > -- > Disease Information Online - Click here! > http://tagline.hushmail.com/fc/Ioyw6h4fNEriRSyrWZqPQCQT85IROCqM2m1YwOSku2 > qoXNvCj1qelp/ > -BEGIN PGP SIGNATURE- Version: PGP Desktop 9.6.2 (Build 2014) - not licensed for commercial use: www.pgp.com wj8DBQFIJLMaSGIRT5oVahwRAvTYAJ9f7Ydk30vx853JsE90HO1fvOrRlwCggfpA DAceMzm6u0ngyAaGLsiFGO4= =wmWj -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Full-Disclosure Digest, Vol 39, Issue 20
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 I think it's time to cut out this anti-semitic crap. It violates the list charter and it's just embarrassing (to those who hold such hateful opinions). If you want to be complicit in hateful propaganda that echoes that of the mindless Islamic fascism that is so rampant in many parts of the world, then so be it (best of luck with that). But pls do so outside of the context of this list, or better yet, not at all. - - G - - Original Message - From: "Joey Mengele" <[EMAIL PROTECTED]> To: ; <[EMAIL PROTECTED]> Sent: Friday, May 09, 2008 11:14 AM Subject: Re: [Full-disclosure] Full-Disclosure Digest, Vol 39, Issue 20 > Dead Roberts, > > On Fri, 09 May 2008 10:36:43 -0400 Jesse Bacon > <[EMAIL PROTECTED]> wrote: >>Listen you self righteous, do-nothing, uninformed, sheeps arse. >>Misquoting verses from the old testament and adding in little >>bits of >>your own fascism doesn't show anybody how much of a scholar you >>are. Jews >>are taught to respect their fellow man and protect the innocent. >>Thats >>that. Please keep your ignorance off of this list because we are >>trying to >>support the freedom of information, not your right to make people >>listen to >>your bigoted rantings. Serious developers and scholars unite! >>Its time to >>use our resources (such as this list and the people that read it!) >>to start >>making a difference. I am not saying you should leave the group, >>I'm just >>saying unless you are posting something useful save it for someone >>who gives >>a shit what you think...a social forum for example. By the way, >>you have >>late fees at Blockbuster. Peace cracker! >> > > Blockbuster doesn't have late fees "cracker". But even if they did > that shit wouldn't have been clever. > > J > "Fuck Zionism and Fuck You Too" - Linus Torvalds > > -- > Scan, remove and block Spyware. Click now! > http://tagline.hushmail.com/fc/Ioyw6h4dKPZm5aRPFtB8frEnkhBe6o3e9BHWnZRz91 > W9QFrEyGGDzC/ > > ___ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ -BEGIN PGP SIGNATURE- Version: PGP Desktop 9.6.2 (Build 2014) - not licensed for commercial use: www.pgp.com wj8DBQFIJG5ySGIRT5oVahwRAmU3AJ9MKH6fgFqDEvEMmECwUhH8AkQrPwCg+ECE qfAaoKpLW2mrSA/bX8VHMTo= =g9F6 -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] OT: get a life
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 For the people who normally send this sort of filth, can you please do one or both of the following: 1) send to the person and not the entire list 2) indicate the off-topicness of the email in the subject line Alternately, you can just not send emails like this. That would be nice. Absent of that, please do one or both of the above. - - G - - Original Message - From: Jonathan Miles To: full-disclosure@lists.grok.org.uk Sent: Tuesday, May 06, 2008 3:46 PM Subject: Re: [Full-disclosure] get a life Dear Professor "I have sand in my Vagina", Why don't you go outside and throw yourself off a building you worthless piece of shit...No one cares what you have to say...No disrespect but I hope you get aids and die. Best Regards, ~J > > Professor Micheal Chatner mchatner at gmail.com > Mon May 5 10:57:40 BST 2008 > > * Previous message: [Full-disclosure] Andrew Wallace > * Next message: [Full-disclosure] get a life > * Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] > > get a f**kin life and get off your computer...why don't you go outside > and get a tan...you know talk to accuial people...no your comp screen > > > * Previous message: [Full-disclosure] Andrew Wallace > * Next message: [Full-disclosure] get a life > * Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] > > Full-Disclosure is hosted and sponsored by Secunia. > > - --- - - ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ -BEGIN PGP SIGNATURE- Version: PGP Desktop 9.6.2 (Build 2014) - not licensed for commercial use: www.pgp.com wj8DBQFIILrISGIRT5oVahwRAqSEAJ0fN26KrbWeM8Tz4qlLNsg2O+eUAQCeLtIT ByLtYdMjzH2N3dmQSBoWj4U= =K0xg -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] HD Moore
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 These sorts of emails, while perhaps very accurate, only encourage a barrage of emails concerning our apparent involvement in a large governmental conspiracy and/or our "script kiddiness." I think ignoring such emails from netdev are in order, tempting as they are to respond to. - - Original Message - From: Nate McFeters To: [EMAIL PROTECTED] Cc: n3td3v ; full-disclosure@lists.grok.org.uk Sent: Monday, May 05, 2008 1:24 PM Subject: Re: [Full-disclosure] HD Moore More importantly than any of this is how great it is for vulnerability research. Makes it much easier to encode shell code, etc. Plus the msfpescan features are bad assery. Of course, n3td3v has no ideas what these features are for so he thinks it's a script kiddy tool. Andrew, you're so predictably boring... is there not something you have expertise on that you can talk about? Obviously you're not in the right place on this list. Nate On 5/5/08, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote: On Sun, 04 May 2008 16:27:49 BST, n3td3v said: > On Fri, May 2, 2008 at 9:32 AM, Nate McFeters <[EMAIL PROTECTED]> > wrote: > > Oh that... Yeah, shame on hd... Maybe he was busy updating metasploit > > so that real researchers have a great vulnerability development > > framework, or something else that provided some worth to people. > > Maybe he was busy updating Metasploit so that script kids have a great > vulnerability development framework. > > He should stop providing them with a great vulnerability development > framework. There's 2 really great uses for metasploit for white hat security guys: 1) When you're handed a /16 or two during a pen test, and need a quick way to poke a whole bunch of machines for a vulnerability, it's hard to roll-your-own exploit tester as fast as you can chinese-menu one in metasploit. 2) It's a *great* tool for impressing on a PHB just how easy it is to launch an exploit for something at one of the unsecured systems he's responsible for. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ - --- - - ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ -BEGIN PGP SIGNATURE- Version: PGP Desktop 9.6.2 (Build 2014) - not licensed for commercial use: www.pgp.com wj8DBQFIH0YySGIRT5oVahwRAnosAJ4hHPGYV1fW2rVb6BdAv8YTXqfvzgCcCLWE 46UCD/zeo++7hxpDyT2icsM= =klVh -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Misquoted here on FD...
Richard, would you have objections to pasting your email to the group? - G - Original Message - From: "Richard Golodner" <[EMAIL PROTECTED]> To: Sent: Tuesday, April 22, 2008 4:19 PM Subject: [Full-disclosure] Misquoted here on FD... > Clearly someone has misused what I have written in kindness and > turned it into something I would never say. List members; please be aware > that the person who quoted me apparently has added some words of his or > her > own. > Let us know how you really feel since you hide behind a pseudonym > anyhow. > Richard > > ___ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Security issueinFilezilla3.0.9.2:passwordsare stored in plain text(sitemanager.xml)
My comment was not directed at Netdev. - G > I assume this is a thinly veiled reference to list member n3td3v. > Yes he is an authority and communicates effectively, however I feel > I am not yet ready to be taken under his wing. Nor do I feel he > would accept me, solicited or unsolicited. But your point is taken. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Security issueinFilezilla3.0.9.2:passwordsare stored in plain text(sitemanager.xml)
Pretty shocking stuff. I seriously recommend a scholarly, peer-reviewed book on basic social skills. In addition, finding a role model who has both strong domain knowledge (in the field of your choice) and also who communicates effectively (i.e., without losing his/her equanimity when faced with benign or even vehement dissent) could also be helpful for you in the long run. So, rather than flaming others, you will have a greater capacity to engage in rational discourse. I feel compelled to add that I'm seriously not saying this to be offensive, nor am I only directing this message to you (it is, quite literally, impossible to over-emphasize those points on this particular list). Hope that proves helpful, - G - Original Message - From: "Joey Mengele" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]> Cc: Sent: Tuesday, April 22, 2008 3:02 PM Subject: Re: [Full-disclosure] Security issueinFilezilla3.0.9.2:passwordsare stored in plain text(sitemanager.xml) > > Dick, > > On Tue, 22 Apr 2008 13:41:39 -0400 Richard Golodner > <[EMAIL PROTECTED]> wrote: >>J- f*ck those n*. You seem to have a good working knowledge > of >>networking. >>I would not trust Wiki either. Valdis, or however you spell that > faggot's >>name should >>have written a brief explanation instead of being a jerk. A great >>book is >>Newton's Telecom dictionary, and you could also look at the >>Microsoft >>dictionary too. >> >> most sincerely, Richard >> > > I would have chosen better words, but I mostly agree with you. > > J > > -- > Click here to find old friends, lovers or family. > http://tagline.hushmail.com/fc/Ioyw6h4fH5UAJrDtZckzPWbnUTKfIoMKIV8Ou9YKIaMZoDb7zm0FyI/ > > ___ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Security issue in Filezilla3.0.9.2:passwordsare stored in plain text (sitemanager.xml)
Sounds like your mind is made up. Good luck in your search for scholarly wisdom in this matter. - G - Original Message - From: "Joey Mengele" <[EMAIL PROTECTED]> To: ; <[EMAIL PROTECTED]> Sent: Tuesday, April 22, 2008 2:22 PM Subject: Re: [Full-disclosure] Security issue in Filezilla3.0.9.2:passwordsare stored in plain text (sitemanager.xml) > Groffg, > > On Tue, 22 Apr 2008 13:02:34 -0400 "Garrett M. Groff" > <[EMAIL PROTECTED]> wrote: >>Joey, >> >>The topic write-ups for data compression and cryptography (go to >>that page >>in lieu of "encryption") are reasonably good. You can then branch >>to other >>sources for the sake of verification via cross referencing. That >>should help >>to elucidate the substantial difference between encrypting data >>and >>compressing data. >> > > Reasonably good? Says who? Chairman Mao? > >>As far as Wikipedia being a scholarly source, I'd say that >>scholars will >>choose many sources, Wikipedia among them. Someone [citation >>needed!] once >>commented about Wikipedia that it has 10 times the information as >>an >>encyclopedia volume but with a 10% reduction in accuracy. Indeed, >>one would >>be wise to cross reference any information gleaned from Wikipedia >>that is to >>be used for anything more substantial than satisfying mere >>curiosity. But >>using Wikipedia as an initial resource doesn't seem like a bad >>idea to me. >> > > To you? What is your credibility? > >>Coming back to the topic at hand, I hope that this will wrap up >>your concern >>over the perceived weakness in FileZilla (which, as it turns out, >>is simply >>an innate weakness of using FTP). >> > > > I disagree. The flaw that I have discovered still lies in the > FileZilla implementation of FTP. Until a SCHOLARLY source can > contradict my findings, I do not anticipate anyone on this list or > elsewhere swaying me. Thanks for your time but it is back to the > grill for me. > >>- G > > J > > -- > Click to see huge collection of discounted designer watches. > http://tagline.hushmail.com/fc/Ioyw6h4dibSq5yrXbPCWd043cVzPPIKkKOV8oABuXVAfxcVSTooof1/ > > ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Security issue in Filezilla3.0.9.2:passwordsare stored in plain text (sitemanager.xml)
Joey, The topic write-ups for data compression and cryptography (go to that page in lieu of "encryption") are reasonably good. You can then branch to other sources for the sake of verification via cross referencing. That should help to elucidate the substantial difference between encrypting data and compressing data. As far as Wikipedia being a scholarly source, I'd say that scholars will choose many sources, Wikipedia among them. Someone [citation needed!] once commented about Wikipedia that it has 10 times the information as an encyclopedia volume but with a 10% reduction in accuracy. Indeed, one would be wise to cross reference any information gleaned from Wikipedia that is to be used for anything more substantial than satisfying mere curiosity. But using Wikipedia as an initial resource doesn't seem like a bad idea to me. Coming back to the topic at hand, I hope that this will wrap up your concern over the perceived weakness in FileZilla (which, as it turns out, is simply an innate weakness of using FTP). - G > Thanks for the tip Groff, but the Wikipedia Project is not a > scholarly source. I have also read about certain attacks that allow > people to inject arbitrary information/misinformation into > Wikipedia Project articles. For now I will just stick to what I > know. > > J > > -- > Fly cheap! Click here for great airfare deals. > http://tagline.hushmail.com/fc/Ioyw6h4eRrA50U2fvNhLtC1Rqe4Bmk17c1z8vswAT20A3fo1ei0Ah5/ > > ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Security issue in Filezilla3.0.9.2:passwordsare stored in plain text (sitemanager.xml)
Joey, Wikipedia has some decent write-ups on both compression and encryption. Understanding those concepts would be helpful before tackling RFCs. Hope that helps. - G On Mon, 21 Apr 2008 22:31:53 EDT, Joey Mengele said: > So are you trying to suggest compression is not as secure as > encryption? Have you even *read* the RFC in question? The design goal of most compression algorithms is that *anybody* can take the compressed data and get back the original. The design goal of most encryption is that *only the intended recipient* can decrypt and get the original data back. The only question left at this point is whether the contents of your brain were compressed, or merely encrypted, and which of the two would be more secure. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Security issue in Filezilla 3.0.9.2:passwordsare stored in plain text (sitemanager.xml)
Joey, are you certain that you're looking at RFC 959? There is no 4.3.3 section in RFC 959. - G - Original Message - From: "Joey Mengele" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]> Cc: Sent: Friday, April 18, 2008 4:26 PM Subject: Re: [Full-disclosure] Security issue in Filezilla 3.0.9.2:passwordsare stored in plain text (sitemanager.xml) > Valdis, > > On Fri, 18 Apr 2008 16:24:13 -0400 [EMAIL PROTECTED] wrote: > >> 3.4.3. COMPRESSED MODE >> >> There are three kinds of information to be sent: regular >>data, >> sent in a byte string; compressed data, consisting of >> replications or filler; and control information, sent in >>a >> two-byte escape sequence. If n>0 bytes (up to 127) of >>regular >> data are sent, these n bytes are preceded by a byte with >>the >> left-most bit set to 0 and the right-most 7 bits >>containing the >> number n. >> >>If you think run-length-encoding compression is security, you're >>even less >>clued than I thought. > > My mistake, I meant 4.3.3. > > J > > -- > Click here for the latest quotes on bankruptcy refinancing! > http://tagline.hushmail.com/fc/Ioyw6h4fRnroSLsvHrCYtJ9JDLtdNw4IP7N4gbgWgeI5CYmB23TeUw/ > > ___ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Security issue in Filezilla 3.0.9.2:passwords are stored in plain text (sitemanager.xml)
Per the FileZilla feature page (http://filezilla-project.org/client_features.php): "Supports FTP, FTP over SSL/TLS (FTPS) and SSH File Transfer Protocol (SFTP)" Did you try selecting the option to use FTPS in FileZilla? Using the plain vanilla FTP protocol in any other FTP client will yield the same problem (plaintext passwords, commands, data, etc, over the communication channel). - G - Original Message - From: "Joey Mengele" <[EMAIL PROTECTED]> To: ; <[EMAIL PROTECTED]> Sent: Friday, April 18, 2008 3:42 PM Subject: Re: [Full-disclosure] Security issue in Filezilla 3.0.9.2:passwords are stored in plain text (sitemanager.xml) >I disagree, read the RFC. There are plenty of more secure FTP > clients such as the OpenSSH.com groups proactive secure Secure FTP > (sftp) implementation of FTP. > > J > > On Fri, 18 Apr 2008 15:36:34 -0400 "Garrett M. Groff" > <[EMAIL PROTECTED]> wrote: >>That issue is inherent in the FTP protocol, not FileZilla. >> >>Resolution: set up FTP server to use either SFTP or FTPS. >> >>- G >> >> >>- Original Message - >>From: "Joey Mengele" <[EMAIL PROTECTED]> >>To: ; <[EMAIL PROTECTED]> >>Sent: Friday, April 18, 2008 3:21 PM >>Subject: Re: [Full-disclosure] Security issue in Filezilla >>3.0.9.2:passwords >>are stored in plain text (sitemanager.xml) >> >> >>>I have noticed a similar, yet much more severe flaw in Filezilla. >>> When logging in to a remote server, Filezilla will send the >>> password in clear text without encrypting it. This means every >>> machine on the internet that it routes through can intercept it. >>> Same flaw, much more serious consequences, since, who has access >>to >>> your personal PC anyway? >>> >>> J >>> >>> On Fri, 18 Apr 2008 15:09:18 -0400 carl hardwick >>> <[EMAIL PROTECTED]> wrote: >>>>A security issue in Filezilla 3.0.9.2 (and previous versions) >>>>allows >>>>local users to retrieve all saved passwords because they're >>stored >>>>in >>>>a plain text sitemanager.xml >>>> >>>> >>>> >>>> >>>> >>>>ftpspace.domain.com >>>>21 >>>>0 >>>>0 >>>>1 >>>>[EMAIL PROTECTED] >>>>I'mAPlainTextPassword >>>> >>>>___ >>>>Full-Disclosure - We believe in it. >>>>Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>>>Hosted and sponsored by Secunia - http://secunia.com/ >>> >>> -- >>> Love tea? Click and drink in fine teas from around the world. >>> >>http://tagline.hushmail.com/fc/Ioyw6h4dQrpDm7lVybi3tCFHWrTmyaROe9Wz >>HSGYBdQQdStCmOcdVO/ >>> >>> ___ >>> Full-Disclosure - We believe in it. >>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>> Hosted and sponsored by Secunia - http://secunia.com/ >>> >> >>___ >>Full-Disclosure - We believe in it. >>Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>Hosted and sponsored by Secunia - http://secunia.com/ > > -- > Click for free information on earning a medical transcriptionist degree. > http://tagline.hushmail.com/fc/Ioyw6h4eKoYfamKuhgFCp2tVw5b2K1RUwTpG02BLOHutEXHEjHsDMT/ > > ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Security issue in Filezilla 3.0.9.2:passwords are stored in plain text (sitemanager.xml)
That issue is inherent in the FTP protocol, not FileZilla. Resolution: set up FTP server to use either SFTP or FTPS. - G - Original Message - From: "Joey Mengele" <[EMAIL PROTECTED]> To: ; <[EMAIL PROTECTED]> Sent: Friday, April 18, 2008 3:21 PM Subject: Re: [Full-disclosure] Security issue in Filezilla 3.0.9.2:passwords are stored in plain text (sitemanager.xml) >I have noticed a similar, yet much more severe flaw in Filezilla. > When logging in to a remote server, Filezilla will send the > password in clear text without encrypting it. This means every > machine on the internet that it routes through can intercept it. > Same flaw, much more serious consequences, since, who has access to > your personal PC anyway? > > J > > On Fri, 18 Apr 2008 15:09:18 -0400 carl hardwick > <[EMAIL PROTECTED]> wrote: >>A security issue in Filezilla 3.0.9.2 (and previous versions) >>allows >>local users to retrieve all saved passwords because they're stored >>in >>a plain text sitemanager.xml >> >> >> >> >> >>ftpspace.domain.com >>21 >>0 >>0 >>1 >>[EMAIL PROTECTED] >>I'mAPlainTextPassword >> >>___ >>Full-Disclosure - We believe in it. >>Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>Hosted and sponsored by Secunia - http://secunia.com/ > > -- > Love tea? Click and drink in fine teas from around the world. > http://tagline.hushmail.com/fc/Ioyw6h4dQrpDm7lVybi3tCFHWrTmyaROe9WzHSGYBdQQdStCmOcdVO/ > > ___ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Web Application Security Awareness Day
FYI - my previous email was entirely facetious. To my knowledge, a list entitled "List of Enemies To Be Smitten" does not exist (yet?) and the referenced Wikipedia page is merely a fabrication. - G On Thu, 17 Apr 2008 15:03:11 EDT, "Garrett M. Groff" said: > Fools! Do you really want to be added to Netdev's "List of Enemies To Be > Smitten"? All *I* did was point out that people with actual exploits might be enemies of "the n3td3v agenda", whatever the heck that is. If n3td3v wants to get mad at anybody, it should be *them*. I don't have any exploits worth posting, so I *cant* diss n3td3v by posting them some day other than May 1. > More on what happens to Netdev's enemies here: > http://en.wikipedia.org/wiki/The_Fate_Of_N3tD3v_Enemies http://en.wikipedia.org/wiki/Special:Search/The_Fate_Of_N3tD3v_Enemies returns: Search results From Wikipedia, the free encyclopedia You searched for The_Fate_Of_N3tD3v_Enemies [Index] Jump to: navigation, search There is no page titled "The_Fate_Of_N3tD3v_Enemies". Go figure. . I apologize for not appending a note at the end expressing that information. - G On Thu, 17 Apr 2008 15:03:11 EDT, "Garrett M. Groff" said: > Fools! Do you really want to be added to Netdev's "List of Enemies To Be > Smitten"? All *I* did was point out that people with actual exploits might be enemies of "the n3td3v agenda", whatever the heck that is. If n3td3v wants to get mad at anybody, it should be *them*. I don't have any exploits worth posting, so I *cant* diss n3td3v by posting them some day other than May 1. > More on what happens to Netdev's enemies here: > http://en.wikipedia.org/wiki/The_Fate_Of_N3tD3v_Enemies http://en.wikipedia.org/wiki/Special:Search/The_Fate_Of_N3tD3v_Enemies returns: Search results From Wikipedia, the free encyclopedia You searched for The_Fate_Of_N3tD3v_Enemies [Index] Jump to: navigation, search There is no page titled "The_Fate_Of_N3tD3v_Enemies". Go figure. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Web Application Security Awareness Day
Fools! Do you really want to be added to Netdev's "List of Enemies To Be Smitten"? More on what happens to Netdev's enemies here: http://en.wikipedia.org/wiki/The_Fate_Of_N3tD3v_Enemies - G - Original Message - From: <[EMAIL PROTECTED]> To: "mcwidget" <[EMAIL PROTECTED]> Cc: Sent: Thursday, April 17, 2008 2:22 PM Subject: Re: [Full-disclosure] Web Application Security Awareness Day > ___ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Fwd: n3td3v has a fan
I appreciate Valdis's point and agree with it. I'll posit that there is an optimal balance that can be achieved vis-a-vis security. I'll use airport security as my example. In this case, security theater becomes a political necessity (fed gov't needs to look responsive after 9/11 to re-assure people that something is being done). If people are being assured that something is being done, that can (potentially) lower the "level" at which people feel terrorized, as they believe that they are protected. However, if security theater becomes too restraining or inordinately conspicuous, the perception of safety could back-fire, as people feel one or both of the following: a) the authorities are desperate; and b) authorities inconvenience (at best) and detain (worse) innocent parties. That second point could lead to a backlash against the very security that is (ideally) protecting the populace from terrorism-by-plane. Security theater by itself is disadvantageous by definition. Further, security theater might provide a "good show" where people think they are secure, creating an environment that reduces pressure to enact more meaningful but less visible security measures. Bottom line: security theater isn't universally "bad." But it is incontrovertibly insufficient. - G - Original Message - From: <[EMAIL PROTECTED]> To: "G. D. Fuego" <[EMAIL PROTECTED]> Cc: Sent: Monday, April 14, 2008 2:23 PM Subject: Re: [Full-disclosure] Fwd: n3td3v has a fan > ___ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] n3td3v has a fan
Allow me to posit the following: "netdev" wants attention, even if its negative attention. I.e., he is intentionally saying things that are inflammatory/unintelligent/provocative so as to arouse a reaction. To say that this is out of stupidity (or that netdev is unintelligent) is a conclusion that--while possible--is far from certain (other list subscribers might know him better than I do and therefore be in a better position to judge). There are intelligent people who might engage in this behavior as a form of stress relief, due to personality aberrations, or simply because they derive euphoria from the reaction. Absent of data on correlations to intelligence, it would be irresponsible to gauge intelligence from netdev's behavior. (Though, one could use aggregated information based on behavioral patterns, articles he's written, etc, to form a more comprehensive analysis. But, doing so would feed into his desire for attention, and thus would be ill-advised if my conjecture is correct.) - G - Original Message - From: "Razi Shaban" <[EMAIL PROTECTED]> To: "n3td3v" <[EMAIL PROTECTED]> Cc: Sent: Thursday, April 10, 2008 12:13 PM Subject: Re: [Full-disclosure] n3td3v has a fan >I was trying to get you to shut up. I thought you might have the > intelligence to realize I was doing that, but I never thought you were > dumb enough to take me seriously. > > > -- > Razi > > On 4/9/08, n3td3v <[EMAIL PROTECTED]> wrote: >> On Tue, Apr 8, 2008 at 10:54 PM, Razi Shaban <[EMAIL PROTECTED]> >> wrote: >> > You know, by replying to your enemies you're just proving them right. >> > If you just ignore them, you'll embaress them and make them look >> > foolish. >> >> >> So you're admitting you're trying to keep me responding and getting >> everyone to turn against me? >> >> :hate: >> >> >> ___ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ >> > > ___ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] n3td3v has a fan
Good point regarding English grammar. I would definitely dissent with someone who proved to be inordinately picky regarding sentence construction or style. Still, good grammar and judicious use of writing style has its uses. Here are two: professionalism and persuasiveness (yes, they're not mutually exclusive). Bad writing leads to--fairly or otherwise--a lacking in credibility. It looks unprofessional and leaves you with a smaller audience of people who will take your points seriously (again, right or wrong). You're left only with people who know you or are willing to overlook the frequent grammatical and stylistic faux pas. By reducing your audience, you reduce the effectiveness of your writing, needlessly. Persuasiveness (related to professionalism, of course) also suffers when writing style is poor. It's hard to be persuasive if the reader finds the points confusing due to sentence construction, style, or other reasons. And, as mentioned, one is less persuasive if readers find the writing style unprofessional. Bottom line: if being professional and persuasive aren't important, then writing style and attention to grammatical detail aren't that important. Otherwise, they are very important. Depends on your audience, motivations, and ambitions. - G - Original Message - From: "n3td3v" <[EMAIL PROTECTED]> To: ; "n3td3v" <[EMAIL PROTECTED]> Sent: Wednesday, April 09, 2008 12:49 PM Subject: Re: [Full-disclosure] n3td3v has a fan > On Wed, Apr 9, 2008 at 8:06 AM, <[EMAIL PROTECTED]> wrote: >> First, learn the proper use of the English language before choosing >> to mouth off with it. > > People think english and spelling matters, but its what you say that > counts not the way you say it. > > This is a concept many have failed to grasp in recent times. > > For instance, I went on Cnet News last night and told them about > offline machines: > > Connected to the internet?: reader comment from n3td3v > > Posted on: April 8, 2008, 8:10 PM PDT > Story: Breaking into a power station in 3 easy steps > > Computers don't need to be connected to the internet to get infected > with the latest and greatest zero-day, someone, a rogue employee > downloads code from the internet or makes his own, then uploads it to > his memory key, then walks into power station, plugs it in with the > intent to infect and hey presto, your infrastructure gets compromised. > Valuable lesson: _ALL_ your computers need to be patched against the > latest zero-day threats, not just online ones BUT offline systems too. > Even computers which will NEVER have an internet connection _still_ > need to be patched. The threat from rogue employees and the inside job > is far greater than an internet facing computer. Is anyone listening? > I've been repeating this for years, the internet isn't the threat, the > real number one threat to cyber security is the inside job. Got the > message yet? The national infrastructure terrorists want to attack is > *permanently offline* and the terrorists know this, but what they also > know is those offline systems are *permanently unpatched* because the > administrators think the bugs being released by security researchers > on-the-internet won't touch offline-machines, think again. The > terrorists aren't trying to hit your internet facing stuff, they are > far more interested in going after your offline machines, as these are > the most important ones. All the best, n3td3v. > > http://www.news.com/5208-10784_3-0.html?forumID=2&threadID=36712&messageID=396611 > > [/snip] > > Now it may look like the above isn't written correctly, but I think I > got my point across pretty well. > Weather the english, grammar, spell checker police take it seriously > is another matter. ;) > > My online friend who worked in the US Navy for 6 years in cyber > security said I should have wrote it like this: > > -- Forwarded message -- > From: Chris Mills > Date: Wed, Apr 9, 2008 at 5:07 AM > Subject: Try this > To: [EMAIL PROTECTED] > > Computers don't need to be connected to the internet to get infected > with the latest and greatest zero-day malware. > > Insiders are one of the greatest threats to any enterprise: business > or government. > > Consider This: > An employee with any amount of access can download code from the > internet or make his or her own. With a simple copy to his USB memory > key, he then walks into power station, plugs it in with the intent to > cause harm. An unpatched, offline system IS vulnerable. > > Valuable lesson: > All your computer systems are vulnerable. They all need to be patched > against the latest threats, just as you would patch your internet > connected devices. > Even computers which will never have an internet connection still > need to be patched. The threat from rogue employees and the inside job > is far greater than an internet facing computer. This has been seen > over and over in news articles and threat reports published by the top > secur
Re: [Full-disclosure] n3td3v has a fan
Fact is, n3td3v, we're all out to get you. I apologize for not mentioning that earlier. Oh, the NSA is after you as well and is actively involved in the smear campaign. Why? Because, due to your extensive security research, you are a potential threat. At some point you'll be abducted, but I don't think they've set a date yet. In related news, I suspect many of us have already subscribed to your blog's RSS feed, so pls keep us updated... - G - Original Message - From: "n3td3v" <[EMAIL PROTECTED]> To: Sent: Tuesday, April 08, 2008 3:49 PM Subject: Re: [Full-disclosure] n3td3v has a fan > On Tue, Apr 8, 2008 at 8:34 PM, Razi Shaban <[EMAIL PROTECTED]> wrote: >> Does anyone still think that this thread is not about self-promotion? > > You guys turned the discussion into one about me, so I had to follow it > up. > > Originally I came on the list to talk cyber security. > > Regards, > > n3td3v > > ___ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Fwd: Let's outlaw mass securityconferencespamming its f****** gay
netdev, I'll begin by confessing that I merely skimmed your email and did not peruse it. Having said that, the buying and selling of vulnerabilities is subject to the trading of anything else, be it commidities, products, services, securities (such as stocks), or other tradeable assets. What you proposed is economic in nature and not unique or specific to geekdom. Specifically, what you're suggesting is more in line with Marxism, where a "fair" price is dictated by a central authority. Instead, our system of free-market capitalism is such that vulnerabilities can be bought and sold by whomever wishes to buy them and sell them. (Furthermore, evidence suggests that black market activity would *increase* in cases where trading of a given item is highly restricted on the legitimate market (relegating the trading to the black market); for eg, the trading of illicit drugs exists and is a multi-billion dollar industry in the US despite laws that proscribe the trading and possession of those drugs). -- Regarding the information on conferences and such that are touted on this list (and others), it's something that we'll just have to deal with. This list is un-moderated and, perhaps, there are people who appreciate the information. - G - Original Message - From: "n3td3v" <[EMAIL PROTECTED]> To: "Garrett M. Groff" <[EMAIL PROTECTED]>; "n3td3v" <[EMAIL PROTECTED]>; Sent: Thursday, April 03, 2008 5:38 PM Subject: Re: [Full-disclosure] Fwd: Let's outlaw mass securityconferencespamming its f** gay > On Thu, Apr 3, 2008 at 3:02 PM, Garrett M. Groff <[EMAIL PROTECTED]> > wrote: >> Regarding the particular person in question, I'll defer to others who >> know >> him (or her, or they, or whomever) better than I do. Instead, I'll say >> that, >> generally, on lists like FD, there is a minority of out-spoken >> personalities >> who sadly support the stereotypical hacker persona: condescending egoists >> who are socially inept and emotionally charged when discussing topics >> that >> relate to their knowledge domain. That's unfortunate, since the broader >> IT >> security community is poorly represented due to attention-seeking >> zealots. >> >> Regarding the idea of "oulawing security conference spamming," I'd say >> the >> literal idea of outlawing cross-posts to multiple security mailing lists >> is >> a bad idea. The idea that the legislature should write into law >> legislation >> that reduces our freedom in such a sense is a slippery slope borne of >> emotionalism and narrowness. What else should the government do to >> curtail >> our freedoms? I tend to side with libertarian types (though I don't call >> myself a "libertarian" un-qualified) on what the government should do and >> what they should not do. And micro-manage security mailing lists is >> something they should not do. It's a bad idea and would make a dreadful >> precedent. > > Full-Disclosure is ment to be about free source, not making money. I'm > against people who make money come on the mailing lists, its > commerical spam. We can't allow this to continue, here are what I > don't like: > > - Come to our conference - profit... buy our ticket, get a macbook prize. > > - Hacking challenge prize - profit... they give you $5000 and sell it > to the vendor for a lot more. > > - Train to use our software -profit... over priced training for > software... not interested. > > On the issue of how much a vulnerability is worth, the prices are not > regulated, we need regulation into how much a vulnerability costs, > because the prices right now are wild. We need to take vulnerability > pricing off the blackmarket and onto a legitimate central website for > selling vulnerabilities, or cash rewards for disclosing a > vulnerability to a particular company or organisation. I don't like > sites like digital armaments which when i visited it, the content and > answers they gave were questionable, and people have complained about > digital armaments in the past. Its time to get pricing regulated and > defined, so everyone knows whos being joe jobbed and who isn't. > > Can someone post to full-disclosure a price list of what they think a > bufferoverflow should be worth etc, and we can vote if we agree. > > So what i'm calling for is someone to post up a hackers price list per > vulnerability type. > > XSS/SQL should be worth something as well, so Morning_Wood can buy > milk and a news paper in the mornings after he's taken care of his > wood. > > Sorry i've ended this e-mail
Re: [Full-disclosure] Fwd: Let's outlaw mass securityconferencespamming its f****** gay
Regarding the particular person in question, I'll defer to others who know him (or her, or they, or whomever) better than I do. Instead, I'll say that, generally, on lists like FD, there is a minority of out-spoken personalities who sadly support the stereotypical hacker persona: condescending egoists who are socially inept and emotionally charged when discussing topics that relate to their knowledge domain. That's unfortunate, since the broader IT security community is poorly represented due to attention-seeking zealots. Regarding the idea of "oulawing security conference spamming," I'd say the literal idea of outlawing cross-posts to multiple security mailing lists is a bad idea. The idea that the legislature should write into law legislation that reduces our freedom in such a sense is a slippery slope borne of emotionalism and narrowness. What else should the government do to curtail our freedoms? I tend to side with libertarian types (though I don't call myself a "libertarian" un-qualified) on what the government should do and what they should not do. And micro-manage security mailing lists is something they should not do. It's a bad idea and would make a dreadful precedent. - G - Original Message - From: Ureleet To: Michael Simpson Cc: full-disclosure@lists.grok.org.uk Sent: Thursday, April 03, 2008 9:45 AM Subject: Re: [Full-disclosure] Fwd: Let's outlaw mass securityconferencespamming its fucking gay or, he's just stupid? spade equals spade. On Thu, Apr 3, 2008 at 4:11 AM, Michael Simpson <[EMAIL PROTECTED]> wrote: On 4/3/08, Paul Schmehl <[EMAIL PROTECTED]> wrote: > --On April 3, 2008 12:27:35 AM -0400 Mary Landesman <[EMAIL PROTECTED]> > wrote: > > > Referring to oneself in the third person can be a symptom of identity > > confusion or identity alteration, a subset or trait of dissociation. In > > ancient times, it was referred to as demonic possession. > > > > Self-objectification is also a trait of narcissism, perhaps because > > narcissists love and feel empowered by (possession of) objects. And what > > better object for a narcissist to love than themselves, objectified? > > Other traits associated with narcissism are bragging, attention-seeking, > > delusions of grandeur, etc. In modern times, I believe it is sometimes > > referred to as being a bore. > > > > Or boring a bee? > > Paul Schmehl ([EMAIL PROTECTED]) > Senior Information Security Analyst > The University of Texas at Dallas > http://www.utdallas.edu/ir/security/ As a medic working as a associate specialist in the treatment of substance misuse disorder for the last few years n3td3v reminds me of my patients who indulge in polydrug abuse mainly involving cocaine and alcohol, often in combination. This is a very dangerous thing to do due to the 2 drugs being combined by the liver to form cocaethylene which is significantly more euphoric and hepatotoxic. -tip i have done some "n of 1" trials with patients showing that antabuse (disulphiram) can help with this as it seems to inhibit dopamine decarboxylase in the brain thus raising basal dopamine levels reducing cravings as well as preventing alcohol use. Modafenil also seems quite promising for stimulant misuse but my bosses are being slow about letting me set up a proper double-blind placebo controlled study of this. I also think this is why the analysis of n3td3v done previously came to the conclusion that it was several separate individuals. It is merely one guy in different states of intoxication. The evolution of his evolving addiction and deteriorating mental health has been quite clear over the last few years. Soon , if he follows the pattern set by many Scots indulging in hard drug use he will start to use benzodiazepines more and more and if he is very unlucky he will be exposed to heroin. At this point he will go away and FD can return to its true nature as a list for sec matters with occasional furry pr0n spam. :-) mike ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] CAU-2008-0001 - Slowly Closing Door RaceCondition
Although, in all seriousness, I can imagine "physical world" things being
compromised, possibly via software attacks alone (or, equally likely, a single
disgruntled employee). Allow me to explain using a particular example: safes.
Companies that make safes (be they old-fashioned mechanical or electronic)
often have records of their combinations corresponding to a unique serial
number for each safe. Yes, they have an electronic database of all the
combinations for all their safes. In the case of electronic safes, this
combination is often un-changeable; the user of the safe can use that factory
default code initially to create a "user combination" that can open the safe,
but can later be changed (if you wish to disallow that user access later on).
Anyway, the factory default combination can't be changed and is in a database
somewhere. This presents a convenience on the part of the business that
produces the safes (avoids angry customers who are locked out of their safes)
but reduces security for all users of that company's products.
I understand the business case for keeping records of all combinations for all
safes, but the downside is security in the event that that list/database is
ever leaked.
- G
- Original Message -
From: evilrabbi
To: Nate McFeters
Cc: full-disclosure@lists.grok.org.uk ; [EMAIL PROTECTED]
Sent: Tuesday, April 01, 2008 9:58 AM
Subject: Re: [Full-disclosure] CAU-2008-0001 - Slowly Closing Door
RaceCondition
Why would you realease something like this without telling the vendor? What
you did is irresponsible.
On Tue, Apr 1, 2008 at 12:18 AM, Nate McFeters <[EMAIL PROTECTED]> wrote:
Hahaha, nice find.
On 4/1/08, I)ruid <[EMAIL PROTECTED]> wrote:
____
/\/\ | | | |
/ /\__\##/ /\ \##| |##| |
| | | |__| | | | | |
| | ___ | __ | | | | |
--==##\ \/ /#| |##| |#| |##| |##==--
\/ |__| |__| \__/
Computer Academic Underground
http://www.caughq.org
Security Advisory
===/
Advisory ID:CAU-2008-0001
Release Date: 04/01/2008
Title: Slowly Closing Door Race Condition
Application/OS: Physical Structures
Topic: Physical structures employing exit doors with locks
are vulnerable to a race condition.
Vendor Status: Not Notified
Attributes: Physical, Race Condition
Advisory URL: http://www.caughq.org/advisories/CAU-2008-0001.txt
Author/Email: CAU
===/
Overview
Physical structures which employ automatically locking doors to secure
exit points expose a race condition which may allow unauthorized entry.
Impact
==
Malicious outsiders may be able to enter a structure via an exit point.
Exit points may additionally provide an exit from a secure area of the
structure, allowing an outsider entering through the exit point to gain
direct access to the secure area.
Affected Systems
Physical structures which employ automatically locking doors at exit
points of the structure.
Technical Explanation
=
An exit's lock[1] generally converts a two-way door into a one-way
door, allowing a person to traverse the door's threshold in one
direction but not in the other. These types of locks are used to
secure exit points of structures so that people may exit via the door
but not re-enter without disabling the lock through force or
authentication.
When a person exits the structure through an exit point which is
secured by such a mechanism, a race condition exists wherein a
malicious outsider may be able to reach the door and enter through it
before it closes and locks itself.
Many doors, especially heavier ones, also employ closing mechanisms[2]
which are designed to cause the door to close slowly so as not to slam
the door shut and damage the door frame, or damage any human appendage
which may be in between the door and it's frame. Such closing
mechanisms can greatly increase the amount of time that the race
condition exists.
Solution & Recommendations
==
1) Always ensure that personnel exiting an exit door wait outside the
door until it has completely closed and locked before walking
away.
2) Employ a double door system such as is used in a
Re: [Full-disclosure] (no subject)
Another approach is that you could stop reading her blog and seek an alternate past-time(s). That would avoid the commission of computer crime and its possible ramifications. - G - Original Message - From: "josh" <[EMAIL PROTECTED]> To: "Cody Roby" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; Sent: Tuesday, April 01, 2008 3:50 PM Subject: Re: [Full-disclosure] (no subject) Can you sue for slander? And probably a simple phishing techique would work against her. Sent from my BlackBerry® smartphone with SprintSpeed -Original Message- From: Cody Roby <[EMAIL PROTECTED]> Date: Tue, 1 Apr 2008 15:31:38 To: Subject: [Full-disclosure] (no subject) Alright i have a crazy ex who keeps posting malicous things about me on her myspace and i would like to know how to use html errors to hack her myspace, i saw a previous post, but the code has been removed. please help. Pack up or back up–use SkyDrive to transfer files or keep extra copies. Learn how. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Free Iraq
Tempting to give a soap-box response, I'll attempt to give this thread a graceful exit by saying that I believe the strategic course I've described previously is do-able and a welcomed evolution of the US "maintain the superpower status quo" vision that so many in power have. The obstacles mentioned can be overcome (less painfully than US troops are currently experiencing in Iraq). Currently, our choices are: Iraq-style invasion and messy/expensive/painful aftermath OR strategic isolationism (where intervention is completely shunned). I've proposed an alternate vision that is neither of those. Whether you agree or disagree, it is a broad strategic approach that I espouse, not an emotional or reactionary course of action. Security guru Bruce Scheier recently blogged about a security mindset (http://www.schneier.com/blog/archives/2008/03/the_security_mi_1.html) (how's that for an IT security tie-in?). I propose that we (and certainly our political luminaries) have a "strategic mindset" in this flatter and more globalized world that we live in. - G - Original Message - From: "Razi Shaban" <[EMAIL PROTECTED]> To: "Garrett M. Groff" <[EMAIL PROTECTED]> Cc: Sent: Thursday, March 27, 2008 1:33 PM Subject: Re: [Full-disclosure] Free Iraq > On 3/27/08, Garrett M. Groff <[EMAIL PROTECTED]> wrote: >> A thoughtful reply was posed to my address rather than the list. I'll >> keep >> the sender anonymous & post my reply since others have posed similar >> concerns: > :-) > >> Excellent point. Initially, a "puppet regime" would be in place to run >> the >> country on a day to day basis. Actually, I'm more concerned about the >> pertinent country's 1) access to the global economy as well as 2) >> security. >> Point 2 is obvious enough, so I'll focus on point 1. > > As an American, I can understand how that would be the most important > things on your agenda. As someone who has lived in a country with one > of those "puppet regimes," I feel that the only way that these > countries can become benefecial to the global economy is if their > people are freed from their imposed ignorance and servitude. Countries > with 45% unemployment rates, lawlessness and corruption will not > integrate with the global economy. > >> Simply stated, countries that have or are moving in the direction of >> broad >> economic integration with the rest of the world (i.e., that are or are >> becoming more "globalized," to use the vogue term) tend to be more >> moderate >> in their ideologies, better (or getting better) in their governance and >> governmental transparency, and more economically productive. On that >> last >> point, I'll take keeping people busy with jobs over the prospect of >> millions >> of "idle hands." > ... >> Globalization is the answer to Salafist (Sunni extremist)-borne >> terrorism in >> the long run (or any terrorist ideological movement), as alternate view >> points dilute local/regional extremism and, pragmatically, give people >> other >> things to do. The same effect occurs in rogue regimes, assuming we (or >> someone) is able to "persuade" the heads of state in those regimes to >> allow >> exterior connectivity. > > The problem with this globalization is that in conservatives begin to > feel threatened, and often become extremists. I feel that it is this > globalization that lead to the extremism that pervades the Middle > East, creating Islamists. This globalization is the reason people in > the Middle East cry for Bush's head. The Middle East is the only > example I can think of off the top of my head, but I'm sure that > similar extreme reactions occur accross the globe. > > >> Economics binds people together, even if they're of disparate cultures >> and >> beliefs, and gives them a means of constructive, non-violent engagement >> with >> each other. It leads to idea-sharing that would otherwise be difficult >> and >> discouraged. It leads to distribution of power away from the central >> government, as people compete constructively in the private sector >> rather >> than just politically in the halls of power. Oh, and it also increases >> aggregate prosperity in the region, and by extension, across the globe. > > Trade has led to the prosperity of today, but unfortunately I feel > that the capitalism under which trade thrives leads to very unequal > distribution of power. Not the thread for that though :-) > > >> The
Re: [Full-disclosure] Free Iraq
Your concern in our off-topicness is indeed justified. We have strayed far from the primary topic of the list. - G - Original Message - From: <[EMAIL PROTECTED]> To: Sent: Thursday, March 27, 2008 1:05 PM Subject: Re: [Full-disclosure] Free Iraq Sorry, but am I the only one missing the infosec security angle on the "free tibet" and "free iraq" posts? Renski > I'm sorry, but I think you misunderstood part of my post. > What I meant was that the USA is a rogue nation, just like other > so-called "rogue nations," and is causing the UN to lose its > effectiveness. > > I don't doubt that what the USA has done to Cuba is pointless, > ineffective, and strategically wrong. > > > -- > Razi > > On 3/27/08, b. <[EMAIL PROTECTED]> wrote: >> Sorry for the Junk mail ( not related 2 security ) >> But >> this made me laugh a lot >> rogue/clean nations >> and USA as a respectfull ONU member >> Cuba blocus is condemned for 14 years, each years, by the general >> assembly @ ONU, >> On the ONU thema, please read *Hans-Christof von Sponeck book >> "*/A different war : The UN sanctions regime in Irak" >> /And be a little more subtle/ >> / >> >> >> Razi Shaban a écrit : >> >> > Touche. >> > >> > Now a question. Is the USA a member of the UN? Okay. And was Iraq a >> > member of the UN? Okay. So both nations agreed to subject themselves >> > to the UN mandate, which implies recognition. >> > >> > In order for the UN to effectively work, the participation of all >> > nations is a must. When you have rogue nations such as Libya, North >> > Korea, and the USA, thats when the UN begins to appear defunct. >> > >> > -- >> > Razi >> >> >> > > ___ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Free Iraq
Not commenting on the perceived misunderstanding, but I'll post a couple thoughts... One, I disagree with the "rogueness" of the US (beyond that, the debate is semantics, methinks). Having said that, I'm not particularly fond of the current administration and I hope the next president expresses greater desire toward diplomacy and engagement internationally. Cuba embargo: I agree. It's stupid and unncessary. It constricts our ability to expand economic connectivity to Cubans (in addition to the restrictions within Cuba that are imposed by the socialist regime) at no strategic gain. I hope the next administration phases out the embargo that, obviously, has not been effective. - G - Original Message - From: "Razi Shaban" <[EMAIL PROTECTED]> To: "b." <[EMAIL PROTECTED]> Cc: Sent: Thursday, March 27, 2008 12:57 PM Subject: Re: [Full-disclosure] Free Iraq I'm sorry, but I think you misunderstood part of my post. What I meant was that the USA is a rogue nation, just like other so-called "rogue nations," and is causing the UN to lose its effectiveness. I don't doubt that what the USA has done to Cuba is pointless, ineffective, and strategically wrong. -- Razi On 3/27/08, b. <[EMAIL PROTECTED]> wrote: > Sorry for the Junk mail ( not related 2 security ) > But > this made me laugh a lot > rogue/clean nations > and USA as a respectfull ONU member > Cuba blocus is condemned for 14 years, each years, by the general > assembly @ ONU, > On the ONU thema, please read *Hans-Christof von Sponeck book > "*/A different war : The UN sanctions regime in Irak" > /And be a little more subtle/ > / > > > Razi Shaban a écrit : > > > Touche. > > > > Now a question. Is the USA a member of the UN? Okay. And was Iraq a > > member of the UN? Okay. So both nations agreed to subject themselves > > to the UN mandate, which implies recognition. > > > > In order for the UN to effectively work, the participation of all > > nations is a must. When you have rogue nations such as Libya, North > > Korea, and the USA, thats when the UN begins to appear defunct. > > > > -- > > Razi > > > ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Free Iraq
A thoughtful reply was posed to my address rather than the list. I'll keep the sender anonymous & post my reply since others have posed similar concerns: Excellent point. Initially, a "puppet regime" would be in place to run the country on a day to day basis. Actually, I'm more concerned about the pertinent country's 1) access to the global economy as well as 2) security. Point 2 is obvious enough, so I'll focus on point 1. Simply stated, countries that have or are moving in the direction of broad economic integration with the rest of the world (i.e., that are or are becoming more "globalized," to use the vogue term) tend to be more moderate in their ideologies, better (or getting better) in their governance and governmental transparency, and more economically productive. On that last point, I'll take keeping people busy with jobs over the prospect of millions of "idle hands." Economics binds people together, even if they're of disparate cultures and beliefs, and gives them a means of constructive, non-violent engagement with each other. It leads to idea-sharing that would otherwise be difficult and discouraged. It leads to distribution of power away from the central government, as people compete constructively in the private sector rather than just politically in the halls of power. Oh, and it also increases aggregate prosperity in the region, and by extension, across the globe. Globalization is the answer to Salafist (Sunni extremist)-borne terrorism in the long run (or any terrorist ideological movement), as alternate view points dilute local/regional extremism and, pragmatically, give people other things to do. The same effect occurs in rogue regimes, assuming we (or someone) is able to "persuade" the heads of state in those regimes to allow exterior connectivity. The strategic vision that I'm suggesting is that we use our global power projection as the initial phase in taking out stubborn regimes. That's a small part of the picture, but still a necessary piece. - G - Original Message - From: [REMOVED] To: "Garrett M. Groff" <[EMAIL PROTECTED]> Sent: Thursday, March 27, 2008 10:38 AM Subject: Re: [Full-disclosure] Free Iraq > Only problem is that the "re-building" usually involves the > installation of a dictator who supports American policies at the > expense of that nation's people's rights. > > -- > [NAME REMOVED] > > On 3/27/08, Garrett M. Groff <[EMAIL PROTECTED]> wrote: >> Excellent points, with exception to the gratuitious name-calling (just >> b/c >> there are annoying people on this list who throw out invective doesn't >> mean >> we should submit to our temptation to do the same vile practice back to >> them). >> >> I'll add the following (despite the fact that it's grossly off-topic!). >> The >> Iraq war was more than just a follow-up to a UN resolution or two. It >> was a >> desire by neo-conservatives to re-make the Middle East. That desire is >> partly strategic and partly political. Strategic: eliminate the threat >> of >> WMD proliferation (including to Salafist groups like Al Qaeda) by >> scaring >> rogue-ish countries into thinking "they're next" if they don't behave >> (think, Libya). The strategic plan was to go beyond Iraq and is often >> referred to as a "domino effect" whereby other mid-east nations >> liberalize >> their political systems and economies. Political: free up huge oil >> fields in >> Mesopotamia, bringing down global oil prices. Also, empower Republicans, >> making them appear more responsive & pro-active in a post-911 world to >> threats posed by rogue nations & global terrorist groups. >> >> My focus is strategic, since the political side-effects are less >> important >> and less justifiable than the strategic argument. >> >> Result... >> Unforutnately, the nation-rebuilding effort is not going well (compared >> to >> the actual "war" which went well by historic standards, lasting only >> about 4 >> weeks; everything since has involved dealing with the war's aftermath). >> I >> can think of specific things that would have made the nation re-building >> campaign much more likely to succeed. Rather than a lengthy explanation >> on >> that, I'll say this. Think about what would have happened if the Bush >> administration weren't so inept and if Iraq had been a successful model >> of >> nation re-building. That model could be replicated to other >> nation-states >> that are arguably an
Re: [Full-disclosure] Free Iraq..
Legal immigration is voluntary, not an "invasion." Further, countries that are able to absorb immigration (like the United States) have benefited in the aggregate economic sense. Contrast that with France. France has had some level of success with immigrants... but not much. The car burnings and riots are primarily a result of people feeling excluded and unable to find jobs. Yes, "it's the economy, stupid!" (not calling you stupid, just borrowing the phrase). If the French economy were more dynamic and its labor laws less constricting, the unemployed would likely have less trouble finding jobs and being productive members of society. Instead, they fester in boredom and frustration. Security and economics are not unrelated, and this is but one example of that relationship. - G - Original Message - From: "Rankin, James R" <[EMAIL PROTECTED]> To: "'n3td3v'" <[EMAIL PROTECTED]>; Sent: Thursday, March 27, 2008 5:34 AM Subject: Re: [Full-disclosure] Free Iraq.. > So is the UK, it is being invaded by half of Europe, Asia and the Middle > East > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of n3td3v > Sent: 26 March 2008 15:55 > To: full-disclosure@lists.grok.org.uk > Subject: [Full-disclosure] Free Iraq.. > > On Wed, Mar 26, 2008 at 3:35 PM, Robert Smits <[EMAIL PROTECTED]> wrote: >> Tibet is an invaded country, and China has no right to be there at all. > > Iraq is an invaded country, and America has no right to be there at all. > > ___ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > > ___ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Free Iraq
Excellent points, with exception to the gratuitious name-calling (just b/c there are annoying people on this list who throw out invective doesn't mean we should submit to our temptation to do the same vile practice back to them). I'll add the following (despite the fact that it's grossly off-topic!). The Iraq war was more than just a follow-up to a UN resolution or two. It was a desire by neo-conservatives to re-make the Middle East. That desire is partly strategic and partly political. Strategic: eliminate the threat of WMD proliferation (including to Salafist groups like Al Qaeda) by scaring rogue-ish countries into thinking "they're next" if they don't behave (think, Libya). The strategic plan was to go beyond Iraq and is often referred to as a "domino effect" whereby other mid-east nations liberalize their political systems and economies. Political: free up huge oil fields in Mesopotamia, bringing down global oil prices. Also, empower Republicans, making them appear more responsive & pro-active in a post-911 world to threats posed by rogue nations & global terrorist groups. My focus is strategic, since the political side-effects are less important and less justifiable than the strategic argument. Result... Unforutnately, the nation-rebuilding effort is not going well (compared to the actual "war" which went well by historic standards, lasting only about 4 weeks; everything since has involved dealing with the war's aftermath). I can think of specific things that would have made the nation re-building campaign much more likely to succeed. Rather than a lengthy explanation on that, I'll say this. Think about what would have happened if the Bush administration weren't so inept and if Iraq had been a successful model of nation re-building. That model could be replicated to other nation-states that are arguably and egregiously bad, be it countries with a) too much government (dictatorships) or b) too little government (many African states, which are tribal & lack sufficient central governance). A "nation re-making" process that falls under UN legitimacy would be powerful, shifting the American focus from maintaining the "superpower status quo" to "making the world better." Sounds controversial (like some imperial colonial fantasy), but try living in the DPRK, Cuba, or Sudan, and tell me those nations aren't screwed up and wouldn't go for a "nation re-making" make-over, provided that it actually worked. The US (and others) will certainly engage in nation re-building again. If you don't believe that, then check out recent US history. It's really just a question of when, where, and to what extent. Next time, I hope the war's aftermath goes substantially better and involves broad international legitimacy, not to mention significant involvement in the post-war phase (where the US actually needs allies). - G - Original Message - From: <[EMAIL PROTECTED]> To: Sent: Wednesday, March 26, 2008 8:22 PM Subject: Re: [Full-disclosure] Free Iraq === On Wed, Mar 26, 2008 at 3:55 PM, net-dummy wrote: > >Iraq is an invaded country, and America has no right to be there at all. > Actually, dummy... The Iraqi invasion of Kuwait in August of 1990 led to a United Nations authorization to remove Saddam's forces from Kuwait. This military action was carried mainly by the Americans for entirely practical reasons. The United Nations halted hostilities and declared that a ceasefire would be in effect as long as Saddam cooperated fully with United Nations Inspectors who were looking for an extensive list of banned weapons, which included but was by no means limited to; chemical, biological and nuclear/radiological weapons. After over a decade of continual failure to cooperate, the American political leadership decided that they could no longer take the same patient approach that they had taken for the previous 12 years; and resumed hostilities. After invading Iraq and removing Saddam, American forces searched for the aforementioned list of banned weapons, and while they found most of them they did not find stockpiles of weaponized biologicals, final stage chemicals or nuclear/radiologicals. Whether you believe this is because Saddam didn't possess them at the time of the invasion or that he simply did a better job of hiding them than the American's did of looking for them doesn't change the facts. Nor does your opinion of the current American administration or your opinion of their actions. However, the most disturbing part of your post was not that you demonstrated your ignorance once again... That is basically; your job here. No, the disturbing part of your asinine post was that you made Saddam's murderous Ba'athist thugs the moral equivalent of the Free Tibetan People. THAT needed to be answered, or I would have ignore this post as I ordinarily do to ALL of your posts.
Re: [Full-disclosure] Free Tibet..
Maybe the relevance of this post is escaping me. Over the weekend, quite a few unread FD emails were purged to make the task of catching up a little more bearable... But I'll bite. Regarding China, as they've been liberalizing their economy for nearly the last three decades, personal freedoms have gone up, with political liberties to follow suit soon enough. If anyone has read Milton Friedman's "Capitalism and Freedom," this makes sense. Economic freedom begets freedom in the broader sense, be it freedom of the press, freedom of religion, or political freedom. There are enough Cold Warriors in the DoD who can make the case that China is our next near-peer military competitor (forget the whole Mutual Assured Destruction concept). Their motivation is primarily economic (divert funding for big weapons systems projects), as well as political (gaining power & influence with tales of the Sino Bogeyman). Until a later time (next administration?), a grand Sino-American alliance will have to wait till politics catches up with Wall St (which has already embraced the idea that China is a strategic opportunity). - Garrett - Original Message - From: "Gerald Maggro" <[EMAIL PROTECTED]> To: "Full Disclosure" Sent: Monday, March 24, 2008 8:57 PM Subject: [Full-disclosure] Free Tibet.. > ..with purchase of one country of equal or greater value? > > Seriously though, those cocksuckers in the Chinese gov't are at it > again... wait, they never stopped. Murderous freedom hating ways. Just > not right. > > How about a bigger target than Scientology this time? > > China's got the Olympics coming up, that makes them more sensitive than > usual. > > The Dalai Lama can be as peaceful as he wants... more action is needed. > Alot more. Anyone want to pick a fight with the Chinese? > > > > ___ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] agile hacking?
Can emails like the one below be sent to the person & not the entire list... for the benefit of all list members? Thanks. - G - Original Message - From: reepex To: Petko D. Petkov ; full-disclosure@lists.grok.org.uk Sent: Tuesday, March 18, 2008 11:26 PM Subject: Re: [Full-disclosure] agile hacking? I see thoth responded negatively to your project and again you assume that if someone bashes you that he/she has no skill and is just trolling. This means you obviously were not as his kiwicon talk or read the slides ( not that you would understand them ) but it shows how arrogant you are. you are just another sad leader who has amassed a following of idiots and when someone speaks out against you act all high and mighty when really they are better than you. I also think its funny that you say how its a 'community project' and that you are uniting all these people together when in truth its a bunch of clueless kiddies ( I am sure you will get a great article from the kid who will 'create b0f overfl0wz' as he put it) who follow you while people 'with a clue' know you are a joke. Either way if this book somehow gets published it will be another laughing stock like the rest of your published work. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
