Re: [Full-disclosure] Facebook Police
A picture of a beer can in someone's hand does not prove it contained anything, much less beer. I have sometimes left glasses of things like apple juice with a bit of ice cream foam on top in church (when the organist needed a drink) or spoken of such. I also recall a lot of guys when I was in college making statements about their drinking and/or sexual prowess which turned out to be exaggerated. (I also remember kids in jr. high smoking cornsilk cigarettes in public to show off...or at least holding them to their mouths with a burning end. Claim was they tasted awful.)

A beer or for that matter whiskey bottle might just as well contain tea. A picture by itself, even when not tampered with, does not necessarily show what it's cracked up to... You get suspicion, nothing more. And much less if making photos well documented to be of faked circumstances gets popular. Remember all the email signatures on the net with NSA bait phrases?

-----Original Message-----
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Rohit Patnaik
Sent: Friday, November 27, 2009 11:55 AM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Facebook Police

Actually, I'm not sure what the issue is here. Facebook is a public forum. Underage drinking is an illegal act. If you post evidence of yourself committing an illegal act to a public forum, the police are free to come and arrest you, and use the pictures that you posted as evidence against you. The only complaint here seems to be that the police violated Facebook's Terms of Service in friending these underage drinkers and gathering evidence against them. However, I'm not sure how that's illegal in any way. If it were, undercover investigations and sting operations of all sorts would be illegal. As I see it, these are kids who were caught out in their own stupidity, for doing something that they know to be illegal, and then posting pictures. Now these same kids are whining because the police were marginally more tech-savvy than they assumed.

--Rohit Patnaik

On Fri, Nov 27, 2009 at 10:32:53AM +0100, netinfinity wrote:

Facebook policy requires the use of one's real name to sign up, but they let the police use fake names..

Sure the policy says that, but a lot of people are changing their names on a daily basis (ok maybe not daily). And the majority of those changes are just for fun, but nevertheless they are against the policy. What about those people? The only way to verify or check someone's name is through IP (ISP). And that can't be done at will.. It must have some legal grounds... Let me get to the point: I'm sure that the police are violating some kind of human rights or even laws (?)

-- netinfinity

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] How Prosecutors Wiretap Wall Street
Mind, IANAL; however it is, I think, a bailment even though the bailee is also engaged to act as a delivery agent. Point is that the item remains someone's property at all times, with what seem to me fairly well defined expectations around who has what rights to it. This does not disappear when delivery is done by other than the person who made the property. Electronic delivery is just another form. If the law is going to accept a notion that something is property, this follows.

I would submit though that the 4th Amendment language's effect is somewhat broader than items a person owns. Abolish all copyright and patent law and it would IMO still apply. Or ought to...

-----Original Message-----
From: Paul Schmehl [mailto:pschmehl_li...@tx.rr.com]
Sent: Monday, November 09, 2009 9:29 PM
To: Everhart, Glenn (Card Services); full-disclosure@lists.grok.org.uk
Subject: RE: [Full-disclosure] How Prosecutors Wiretap Wall Street

I fail to see how that applies. The law of bailment basically means that you continue to own a possession, the physical possession of which you *temporarily* grant to another party. (Allowing someone to drive your car, for example, but expecting them to return it when they're done.) When you send a twitter or email, etc., you don't have any intention of continuing to possess the property. The reason you sent the communication is so that someone else could *receive* it from you, not so they could watch it for you temporarily. When you send a letter to someone you don't continue to possess the letter. The recipient does.

--On Monday, November 09, 2009 10:40 AM -0500 glenn.everh...@chase.com wrote:

The law of bailment applies, I would submit, to information sent on wires. The act of sending something out is not handing it to the public domain (though it may arrive in the public domain, depending on intent). However the law of bailments seems to have been ignored by many, even though it has been around for hundreds of years.
(mind: I am not a lawyer - have just read some books - and speak for myself.)
Re: [Full-disclosure] How Prosecutors Wiretap Wall Street
It's a bailment if I give a package to an agent to deliver somewhere too, but in that case the bailment ends when delivery occurs.

From: s...@strawberrycupcak.es [mailto:s...@strawberrycupcak.es] On Behalf Of dramacrat
Sent: Monday, November 09, 2009 9:50 PM
To: Paul Schmehl
Cc: Everhart, Glenn (Card Services); full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] How Prosecutors Wiretap Wall Street

The only property in a tweet or email is intellectual property, and that remains the property of the sender... in my jurisdiction, at least, which isn't even a US one. Also, this is the most pathetic nerd-fight I have seen for many a year.

2009/11/10 Paul Schmehl pschmehl_li...@tx.rr.com

I fail to see how that applies. The law of bailment basically means that you continue to own a possession, the physical possession of which you *temporarily* grant to another party. (Allowing someone to drive your car, for example, but expecting them to return it when they're done.) When you send a twitter or email, etc., you don't have any intention of continuing to possess the property. The reason you sent the communication is so that someone else could *receive* it from you, not so they could watch it for you temporarily. When you send a letter to someone you don't continue to possess the letter. The recipient does.

--On Monday, November 09, 2009 10:40 AM -0500 glenn.everh...@chase.com wrote:

The law of bailment applies, I would submit, to information sent on wires. The act of sending something out is not handing it to the public domain (though it may arrive in the public domain, depending on intent). However the law of bailments seems to have been ignored by many, even though it has been around for hundreds of years. (mind: I am not a lawyer - have just read some books - and speak for myself.)
Re: [Full-disclosure] How Prosecutors Wiretap Wall Street
The law of bailment applies, I would submit, to information sent on wires. The act of sending something out is not handing it to the public domain (though it may arrive in the public domain, depending on intent). However the law of bailments seems to have been ignored by many, even though it has been around for hundreds of years. (mind: I am not a lawyer - have just read some books - and speak for myself.)

-----Original Message-----
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Paul Schmehl
Sent: Saturday, November 07, 2009 8:53 PM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] How Prosecutors Wiretap Wall Street

--On November 7, 2009 4:06:42 PM -0600 mikelito...@hushmail.com wrote:

But to gather intelligence about what terrorists are up to, even if a US citizen is involved, should not require a warrant.

This is all well and good, until the definition of terrorist is changed and you become labeled a terrorist because your reason is suddenly counterproductive to someone else's opinion. You must apply the warrant requirement consistently. Otherwise, when interpretation of the word terrorist changes, it affects the meaning of the law.

Sure. I agree with that. I think it's also important that law enforcement activities have much more stringent requirements than military intelligence has. The former is directed toward citizens, the latter toward enemies the military has to deal with.

And call me crazy, but I'm just not willing to assume that someone won't abuse the power of being able to surveil US citizens and do exactly what Nixon did, spy on their competition/detractors. Surely you can admit that some people do things that they wouldn't normally do when big money and big power are involved. After all, those who cannot learn from history are doomed to repeat it. Don't be so naive to think it can't happen again.

Of course. I've never said they didn't. In fact I've stated that people in government have the same range of motives that people not in government have, including the seven deadly sins, if you will. But I've also pointed out that they are not totally evil either, as some seem to think. There are also good people in government just as there are in every other walk of life.

Intelligence works best in a world of secrecy.

So does deception. Significantly more so, in fact.

As I've pointed out now several times, it's analogous to people that get all hot and bothered by the fact that admins have access to the data on their computers.

Yes, but that computer probably doesn't belong to me but instead to my employer. If it belongs to me, you better have a policy that prevents me from using it at work, and/or a login disclaimer informing me of your right to monitor what I do if I connect to your network. If not, you better damn well have a warrant if you want to take a look at my property.

Therein lies the rub. Whose property are the bits on the wire? Once you've clicked on send, be it email or im or twitter or whatever, does that transmission still belong to you? I would submit that it does not, and that the privacy laws that protect you and your house and belongings can no longer be sensibly applied.

Even if you send a private email, to whom does it belong while it's in the process of transmission? And as far as I know, there's no login disclaimer on the interwebs that allows the government to monitor what I do on that network, nor on the telephone, or my mobile phone contract.

Really? To whom does your response to me belong? What about the email you send to a friend? A stranger? And twitter posts? Blog comments? Etc., etc. Does it really make sense to extend your privacy rights to those things that you have sent into the public domain? And how do you draw the line legally at what the government can look at without a warrant and what they must get a warrant for when they can't even know what's on the network without first connecting to it to look? Should we forbid them to ever connect simply because something they could potentially see is private? And is it really private? And if they already have a warrant to monitor all communications of a known terrorist, what happens when those communications include a US person? Are they allowed to monitor since they already have a warrant, even though they don't have one for the US person?

From what I've read getting a warrant in 72 hours is almost impossible.

Ahah! Now we're on to something. Here's an idea. Make it easier to get that warrant when you need it. Improve the process, so that when requested, a warrant can be turned around in hours, not days. Don't remove the requirement altogether. That's simply inviting trouble.

I completely agree. I also think the definitions need to be much clearer, so that intelligence people understand exactly where the fences are.
Re: [Full-disclosure] security industry software license
Recall that government licenses historically serve mainly to limit the size of a field and enrich those who get licensed, and exclude a number of competent people. Personally I do not favor such measures...speaking for myself here.

Glenn Everhart

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of n3td3v
Sent: Friday, October 10, 2008 10:39 AM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] security industry software license

let's go there anyway, and if hd moore doesn't comply, we can just slap some sort of law on the license to make it against the law not to require that downloaders have the license.

While we are at it, why don't we just impose government restrictions on all security related books and since a lot of the technical security issues can be found in computer science textbooks, let's impose a restriction on them as well.

no, let's just keep it to security software.

Criminals would still be just as capable of creating their own tools and using them.

So let them, ... because they haven't registered with the scheme (which criminal programmers are unlikely to do, or want to do), they are easier to deal with under law, and so are the people using the software.

I think if you did some research, which I know is a difficult thing for you to do, you'd find that the use of Metasploit contributes to a very minor percentage of crime.

show me *your* research that proves that?

This transmission may contain information that is privileged, confidential, legally privileged, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. Although this transmission and any attachments are believed to be free of any virus or other defect that might affect any computer system into which it is received and opened, it is the responsibility of the recipient to ensure that it is virus free and no responsibility is accepted by JPMorgan Chase Co., its subsidiaries and affiliates, as applicable, for any loss or damage arising in any way from its use. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. Thank you.
[Full-disclosure] Recall: simple phishing fix
The sender would like to recall the message, [Full-disclosure] simple phishing fix.
Re: [Full-disclosure] simple phishing fix
You might eliminate phishing but there are occasionally messages from people at these institutions also. This sort of thing is in essence allowing phishers a denial of service attack against anyone they choose to make themselves a nuisance with. I am not well pleased with any bank authentication I have seen so far personally; seems to me finance-related messages should be authenticated both ways, and preferably a confirming authentication to demonstrate the subject agrees with the transaction should be done before such are accepted. That kind of thing would be hard to spoof and, if done right, pretty useless to someone who could record entire transactions.

As for email, judge by its content. This posting for example will do nothing to your money, sells you nothing. Nor does it ask any information of you. If it were spoofed it would be harmless.

Glenn Everhart

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Peter Besenbruch
Sent: Tuesday, July 29, 2008 2:04 PM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] simple phishing fix

On Monday 28 July 2008 20:55:10 Stian Øvrevåge wrote:

You mention phishing, but I think quite a few points from the why-your-spam-solution-wont-work-list are relevant:

(x) Mailing lists and other legitimate email uses would be affected

If we stick with the narrowly focused problem of bank phishing spam, I doubt mailing lists would be affected. Yes, Stuart, the original poster, spoke of deny all tactics, but he certainly wasn't implementing anything like that in practice. At least, I couldn't see it.

(x) It will stop spam for two weeks and then we'll be stuck with it

Yes, you would need to add a new filter from time to time. This would work on your own e-mail account, but I would see problems generalizing to more people.

(x) Users of email will not put up with it

On the other hand, it sounded like the original poster wanted to share lists, so that anyone who wanted to could tweak theirs. People sharing such lists would put up with it.

(x) Ideas similar to yours are easy to come up with, yet none have ever been shown practical

I get my share of phishing spam, and most involve about a dozen domains, or less. These domains have remained relatively stable over the last two years. Paypal still dominates. So yes, a list of the common banking sites might reduce the annoyance factor.

(x) Whitelists suck

They do indeed.

http://craphound.com/spamsolutions.txt

1. Your filter will never be complete, there are too many banks/institutions (with ever-changing domains etc).

See above.

2. Banks/institutions actually send legitimate mail.

Yes, but I would not do business with a bank that did. Phishing spam has eliminated e-mail as a viable means of communication between banks and their customers. My bank doesn't know my e-mail address, and I don't bank on-line (but that's a whole other kettle of fish).

3. Phishers will find ways to get around the filters, either by registering similar domain-names or by numerous browser/MTA tricks.

4. Users likely to fall for a phish are not very likely to even know what a filter is.

What we are talking about here is the sharing of filter material on a small list of people who can spot a phish from a mile off. Full Disclosure isn't big enough to change the habits of spammers. That said, I haven't made use of any filters specifically to weed out phishing spam. I use Kmail and Bogofilter, and they have caught almost every phishing spam I have received in the last year. Such spam was one of the first things that the Bayesian based Bogofilter learned to flag reliably. Bogofilter flags a far greater variety of spam reliably than flagging domains in the from field could ever hope to accomplish.

--
Hawaiian Astronomical Society: http://www.hawastsoc.org
HAS Deepsky Atlas: http://www.hawastsoc.org/deepsky
Re: [Full-disclosure] DNS spoofing issue. Thoughts on
1% per hour for each target. Lots of targets. The need for something more like ssl certs in there remains. (Also needed for bgp I suspect). By extension, some web of trust variation of CERTs would make much of this easier for those not interested in or able to pay for certs from commercial suppliers.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of [EMAIL PROTECTED]
Sent: Saturday, July 26, 2008 12:58 AM
To: Paul Schmehl
Cc: RandallMan; full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] DNS spoofing issue. Thoughts on

On Fri, 25 Jul 2008 23:16:18 CDT, Paul Schmehl said:

Just apply the Microsoft patches and you'll be fine. The patches make the attack essentially impossible.

Paul, don't make me take you out back and smack you around. :)

First off - SBC probably doesn't run Windows on the server(s) that they do the external for RandallMan's site, so the Microsoft patches are going to do squat-all for that side of the problem. And RandallMan most certainly *DOES* need to worry about SBC getting patched - that's the *biggest* threat now, is mass poisoning of an ISP's DNS servers affecting *all* their customers.

Paul Vixie already pointed out that on an unpatched system, the DNS can get poisoned in about 11 seconds. And we *also* know that by iteratively trying new bogus names, the attacker can keep trying over and over till it works or they get bored. And all the current patches do is make it *harder* to hit. The attack isn't impossible, it's more like 1% chance *per hour* that your IDS doesn't notice and stop the attempts. Big difference...
Re: [Full-disclosure] DNS flaw fixing causes surge in DNS traffic
The kind of thing being talked about should be perhaps viewed in terms of other work Dan has done. An exploit that alters DNS and is combined with turning corporate browsers into gateways is perfectly feasible and would in effect make most corporate gateways into pieces of wire. All the pieces are pretty much out there already, available to any of us who have grabbed them over the years. An exploit that also combines research into being able to scan loads of systems at once could be useful, even where the chance of success on a single site got down in the few percent range, in compromising substantial numbers of systems. Since DNS resolution is distributed, this could mean substantial sections of DNS resolution might be compromised at once, so that for example if you wanted to resolve mumble.foo.com, whereas perhaps the root DNS systems might get foo.com right, the foo.com resolver would give out evil-cracker.something's IP address instead of the real mumble.foo.com. Let this happen widely enough and chaos ensues. It need not only be for the denizens of foo.com, but could affect many others. Three orders of magnitude (or more) speedup of common processors makes quite a difference here. Remember we are using protocols designed when 56KB was the arpanet BACKBONE speed and was considered blindingly fast, and when computers with cycle times of 1 megahertz were common and considered reasonable performers. Back then, guessing 65K of something was not as trivial as now...and I rather suspect with a few recursive routing tricks enough sensing can be devised to cut that down, possibly with the birthday paradox, even attacking one site. But when was the last time Dan K. did an app that attacked only one? Attack 65000 at a time and the birthday paradox wins for the attacker bigtime. Mind I have no inside information about Dan's plans, but I read now and then.. 
:-) Glenn Everhart -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of n3td3v Sent: Friday, July 11, 2008 6:30 PM To: full-disclosure@lists.grok.org.uk Subject: Re: [Full-disclosure] DNS flaw fixing causes surge in DNS traffic On Fri, Jul 11, 2008 at 10:54 PM, Supranamaya Ranjan [EMAIL PROTECTED] wrote: Hi, I noticed an interesting side-effect of the co-ordinated DNS patching after the news broke out on Tues July 8th. Some DNS servers started seeing more than normal amount of query traffic, most likely due to the fact that the patched DNS clients and resolvers had their caches reset and hence had to resolve new domains. More interestingly, all these clients began their new DNS resolutions around the same time. For more details please read the blog article at: http://www.narus.com/blog/2008/07/10/dns-fix-causes-huge-surge-in-dns-traffic-in-the-internet/ Thanks, Soups Ranjan Stop adding to the media over hype FFS, its a gay bug being used to market Blackhat security conference, think about the timing of the announcement and media over hype carnage and say to yourself Why now?. All the best, n3td3v ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ - This transmission may contain information that is privileged, confidential, legally privileged, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. 
Although this transmission and any attachments are believed to be free of any virus or other defect that might affect any computer system into which it is received and opened, it is the responsibility of the recipient to ensure that it is virus free and no responsibility is accepted by JPMorgan Chase Co., its subsidiaries and affiliates, as applicable, for any loss or damage arising in any way from its use. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. Thank you.
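As an added illustration of the birthday-paradox point in the message above (not code from the thread or from Dan Kaminsky's work), the C program below estimates how many blind forged replies it takes before one matches an outstanding query, for a 16-bit transaction ID alone versus the ID plus a randomized source port, which is what the July 2008 patches added; the ID-space sizes and the outstanding-query counts are assumed round numbers, and the queries are treated as independent.

```c
/* Added example, not from the list message: how likely is a blind forged
 * DNS reply to match one of a resolver's outstanding queries?  Shows the
 * "birthday" effect (many concurrent queries multiply the chance) and why
 * widening the identifier space restores the defender's margin.
 * Space sizes below are assumptions, not measurements. */
#include <stdio.h>
#include <stddef.h>

/* base^exp by repeated squaring, so the block needs no libm. */
static double pow_ul(double base, unsigned long exp)
{
    double result = 1.0;
    while (exp) {
        if (exp & 1UL)
            result *= base;
        base *= base;
        exp >>= 1;
    }
    return result;
}

/* Probability that at least one of `outstanding` concurrent queries, each
 * carrying an independent uniformly random identifier drawn from `space`
 * values, is hit by `guesses` distinct forged replies.  One query is hit
 * with probability guesses/space; treating the queries as independent
 * gives 1 - (1 - guesses/space)^outstanding. */
double match_probability(double space, unsigned long guesses,
                         unsigned long outstanding)
{
    if (space <= 0.0 || outstanding == 0)
        return 0.0;
    if ((double)guesses >= space)
        return 1.0;
    double miss = 1.0 - (double)guesses / space;
    return 1.0 - pow_ul(miss, outstanding);
}

/* Smallest number of forged replies at which match_probability reaches
 * `target`.  The function is monotone in guesses, so binary search. */
unsigned long guesses_for(double space, unsigned long outstanding,
                          double target)
{
    unsigned long lo = 0, hi = (unsigned long)space;
    while (lo < hi) {
        unsigned long mid = lo + (hi - lo) / 2;
        if (match_probability(space, mid, outstanding) >= target)
            hi = mid;
        else
            lo = mid + 1;
    }
    return lo;
}

int main(void)
{
    const double txid_only = 65536.0;           /* 16-bit transaction ID */
    const double txid_port = 65536.0 * 64000.0; /* plus ~64000 usable random ports (assumed) */
    const unsigned long outstanding[] = { 1, 256, 65000 };

    for (size_t i = 0; i < sizeof outstanding / sizeof outstanding[0]; i++)
        printf("outstanding=%5lu  forged replies for 50%%: TXID only %lu, TXID+port %lu\n",
               outstanding[i],
               guesses_for(txid_only, outstanding[i], 0.5),
               guesses_for(txid_port, outstanding[i], 0.5));
    return 0;
}
```

With 65000 queries in flight a single forged reply already has better than even odds against a 16-bit ID, which is the point of the message; the extra port entropy pushes that back by a factor of tens of thousands.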
Re: [Full-disclosure] Greedy Jews fact of the day
The atrocities in Canaan reported about places like Jericho and Ai happened something like 3 millennia ago now; time to get over them, and remember there may be statements in the Bible which are not divinely inspired. In fact the Bible says there are. See for example Jeremiah 8:8, which I have seen translated as roughly: "How can you say 'we are wise, for we have Yahweh's Torah' when it was written for a lie, by the lying pens of scribes?"

The tales of Ai and Jericho and so on that come down to us do let us know the Bible narration has survived pretty well intact, not been cleaned up or prettied up as happens with so many narrations with unpleasant acts done by the protagonists. The later prophets gave a much more worthy picture of how God wants us to act, as did Christ.

Yes, there are people who claim their religion advocates killing all other groups, dispossessing them, stealing from them, etc. etc. but people like that tend to have lives that are (as Hobbes put it) nasty, brutish, and short. Remembering ancient feuds and wrongs particularly after so long a time is a good way to claim such a fate also. Thus folks should have a care about feeding old feuds too.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Andrew A
Sent: Tuesday, April 01, 2008 7:22 PM
To: Full Disclosure
Subject: [Full-disclosure] Greedy Jews fact of the day

And it shall be, when the LORD thy God shall bring thee into the land which He swore unto thy fathers, to Abraham, to Isaac, and to Jacob, to give thee--great and goodly cities, which thou didst not build, and houses full of all good things, which thou didst not fill, and cisterns hewn out, which thou didst not hew, vineyards and olive-trees, which thou didst not plant, and thou shalt eat and be satisfied.

These verses from Deuteronomy chapter 6 are written on a piece of parchment and placed in a box which is hung outside the house of every Jew that keeps the covenant.
And so they have accomplished, in the United States of America. The subprime crisis and resulting bailouts (at our expense by our national reserve bank, which is headed by an Orthodox Jew serving a board of Orthodox Jews) are going to create thousands of empty homes and plots of arable land owned by investment banking institutions that are owned exclusively by Orthodox Jews. Why should we leave a single follower of such a filthy, greedy religion alive? Do any of you have an idea? I pray to you, the Lord my God, to help me destroy the Jewish meme. Every single follower of this arrogant and horrible idea should have their gold exchanged for flying pieces of lead and steel. Let the Jews take what they have reaped and sown-- death, destruction and hatred.
Re: [Full-disclosure] Firewire Attack on Windows Vista
Certainly in VMS there is DMA opened up, but only to buffers that are known and checked to be legal for such. This is a source of considerable complexity in the drivers, and depending on hardware architecture (number of control registers available, for example, to control DMA channels) limits both the number of concurrent operations and the size of some operations. For example, the max size of magtape records is limited, in part to conserve such bandwidth for use with disks.

If driver writers adopt a wild-west approach where the DMA space is left wide open, obviously the security of anything within memory is totally open to whatever a smart peripheral may do. It should be realized though that fixing this is not necessarily a simple thing, nor are architectural considerations missing. But with the advent of more and more smart peripherals (at least some of which are commonly user programmable), open DMA access amounts to peek/poke control over all of memory and the abdication by the OS involved of any pretense of security whatever.

As for what can be done by Windows (as opposed to any OS), that is perhaps limited by the great range of underlying hardware. A compromise which might allow DMA to/from disks, tapes, or CDs but disallow it for most other peripherals might turn out to be the best general solution available, or something comparably ugly.

Glenn Everhart

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Larry Seltzer
Sent: Thursday, March 06, 2008 3:36 PM
To: Tim
Cc: Full Disclosure; Bugtraq
Subject: Re: [Full-disclosure] Firewire Attack on Windows Vista

No, the iPod device signature makes Windows drivers think it should allow DMA access for that device because it detects it as a disk device. Other disk device signatures would likely work the same way, that's just the one he happened to emulate.

Is it not possible for Windows (or any OS) to open up DMA for a device only to a certain range? If not, what options are available?
Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blogs.pcmag.com/securitywatch/
Contributing Editor, PC Magazine
[EMAIL PROTECTED]
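As an added example of the checked-buffer approach the message above attributes to VMS drivers (hypothetical code, not from VMS, Windows or any real driver), the C code below keeps a table of the buffers a device may legally reach and validates each requested transfer against it, refusing lengths that would wrap the address space so that a huge length cannot land inside an allowed range by overflow; the addresses and sizes are constructed for the demonstration.

```c
/* Added example, not from the message nor any real driver: DMA is only
 * permitted into buffers the OS has registered as legal for the device,
 * the approach the message describes for VMS.  Names are hypothetical. */
#include <stdint.h>
#include <stdbool.h>

#define MAX_DMA_BUFFERS 8

typedef struct {
    uint64_t base;   /* first physical address of the buffer */
    uint64_t len;    /* length in bytes, never 0 */
    bool in_use;
} dma_buffer_t;

typedef struct {
    dma_buffer_t bufs[MAX_DMA_BUFFERS];
} dma_window_t;

/* Register a buffer as legal for DMA.  Empty or address-wrapping ranges
 * are refused here so that later checks can add without overflow.
 * Returns the slot index, or -1. */
int dma_register(dma_window_t *w, uint64_t base, uint64_t len)
{
    if (len == 0 || base > UINT64_MAX - (len - 1))
        return -1;
    for (int i = 0; i < MAX_DMA_BUFFERS; i++) {
        if (!w->bufs[i].in_use) {
            w->bufs[i].base = base;
            w->bufs[i].len = len;
            w->bufs[i].in_use = true;
            return i;
        }
    }
    return -1;
}

/* Withdraw a buffer; the device may no longer touch it. */
void dma_unregister(dma_window_t *w, int slot)
{
    if (slot >= 0 && slot < MAX_DMA_BUFFERS)
        w->bufs[slot].in_use = false;
}

/* Validate a device-requested transfer [addr, addr+len).  It must lie
 * entirely inside one registered buffer; a length that would wrap the
 * address space is refused before any arithmetic is trusted. */
bool dma_check(const dma_window_t *w, uint64_t addr, uint64_t len)
{
    if (len == 0 || addr > UINT64_MAX - (len - 1))
        return false;
    uint64_t last = addr + (len - 1);              /* inclusive end, cannot wrap */
    for (int i = 0; i < MAX_DMA_BUFFERS; i++) {
        const dma_buffer_t *b = &w->bufs[i];
        if (!b->in_use)
            continue;
        uint64_t b_last = b->base + (b->len - 1);  /* safe: checked at registration */
        if (addr >= b->base && last <= b_last)
            return true;
    }
    return false;
}

/* Constructed scenario: one 4 KiB "disk" buffer at a made-up address. */
dma_window_t demo_window;

int demo_setup(void)
{
    demo_window = (dma_window_t){ 0 };
    return dma_register(&demo_window, 0x10000, 0x1000);
}

/* After the buffer is withdrawn, the same transfer must be refused. */
bool demo_unregister_blocks(void)
{
    dma_unregister(&demo_window, 0);
    return !dma_check(&demo_window, 0x10000, 0x1000);
}
```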
Re: [Full-disclosure] DHS need to get on top of this right now
I suspect rather that DHS needs to first acquire the expertise to deal with these issues, and participate as helpers rather than as directors. Nanog has dealt with interruptions to the Internet in the past, with success enough that most people are unaware that major problems ever occurred. There is no reason to expect anyone in government could do as well, and blocking discussion (the general effect of banning it in public places - ever work on a spook job?) would have made the recovery in the last outage I heard about impossible.

Unfortunately, wisdom and knowledge do not automatically come with authority. DHS has authority, at least within the US, but has not the record of accomplishment that Nanog has. Let them come forward with improved routing codes that are not subject to attacks, or with protocols that can be seen to be better than are current, get them discussed, and act to facilitate (often = pay for) changing over to such, and this would provide the kind of reputation that would get them followed and improve safety without writing mandates that could make things worse. They should of course be open to competing designs also, since others may come up with better designs. Participating in this way would show wisdom.

Glenn Everhart (speaking for myself)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of worried security
Sent: Wednesday, October 24, 2007 12:32 PM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] DHS need to get on top of this right now

I'm sorry everyone, I was just trying to highlight a valid point, I didn't expect a flame war to erupt. The DHS need to ban ISPs from talking about infrastructure security in public places. It should be classified information, don't you all think?
Just because Nanog has been offending for years by talking about similar subjects doesn't mean it's OK, and action should be taken now to prevent the continuation of critical infrastructure security recovery being talked about in public.

For anyone who does care about what I'm talking about, I apologize about the trolls in my thread who told me I worked in McDonald's and KFC. I know not everyone hates me so perhaps we can have mature discussions about the DHS and Nanog instead of bashing each other saying I work in McDonald's, KFC etc.

n3td3v
Re: [Full-disclosure] Firefox 2.0.0.7 has a very serious calculation bug
So the precision of an IEEE single precision float is about 7 digits and of a double is about 15. If you try to exhibit the result to more digits of precision, what makes anyone think you would get a more precise result? What makes you think that such exhibiting is even guaranteed to be accurate? Certainly this is not a math fault, except perhaps that Firefox attempts to show results to more precision than is defined. At worst a venial sin.

In the Dark Ages it used to be taught routinely that tests for equality when using floating point were likely to fail due to precision limits. Is this lore now lost??? (For that matter, is the lore also lost that 1.000... (infinite series) is exactly the same number mathematically as 0.999... (infinite series)??) Hmph.

May your punishment for excessive belief in calculators be to have to multiply a few score numbers that are expressed to 50 decimal places, using pen or pencil and paper.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Rodrigo Barbosa
Sent: Friday, September 28, 2007 3:44 PM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Firefox 2.0.0.7 has a very serious calculation bug

On Fri, Sep 28, 2007 at 09:09:02PM +0200, Michal Zalewski wrote:

On Sat, 29 Sep 2007, Jimby Sharp wrote:

I don't get the same from C-style double arithmetics. Could you provide sample code that you believe should show the same behavior?

If you don't, it's presumably because the subtraction is optimized out by the compiler, or because you printf() with an insufficient precision in format spec. The following should do the trick:

    #include <stdio.h>

    /* volatile keeps the compiler from folding 5.2 - 0.1 at compile time */
    volatile double a = 5.2;
    volatile double b = 0.1;

    int main(void)
    {
        printf("%.16lf\n", a - b);
        return 0;
    }

Isn't this the same issue pointed out by Brian Kim (double to float conversion)?
Look at the results I get for the following code:

    #include <stdio.h>

    volatile double a = 5.2;
    volatile double b = 0.1;

    int main(void)
    {
        printf("%.16lf\n", a);
        printf("%.16lf\n", b);
        printf("%.16lf\n", (volatile double) 5.1);
        printf("%.16lf\n", (volatile double) ((float) 5.1));
        printf("%.16lf\n", a - b);
        return 0;
    }

Results:

    5.2000000000000002
    0.1000000000000000
    5.0999999999999996
    5.0999999046325684
    5.1000000000000005

-- Rodrigo Barbosa
"Quid quid Latine dictum sit, altum viditur"
"Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)
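As an added example (not code from the thread), the C program below reproduces the 5.2 - 0.1 and (float) 5.1 results and then applies the two checks the reply above alludes to: never test floating point for exact equality, but compare with a relative tolerance or count the units in the last place between the two values. The helper names are hypothetical.

```c
/* Added example, not code from the thread: the arithmetic the quoted
 * snippets print, plus tolerance and ULP comparisons instead of the
 * exact equality test that "fails due to precision limits". */
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <float.h>

/* 5.2 - 0.1 computed at run time in double; volatile keeps the compiler
 * from folding the subtraction, as in the thread. */
double five_point_two_minus_point_one(void)
{
    volatile double a = 5.2, b = 0.1;
    return a - b;
}

/* 5.1 pushed through a float and back, as in the fourth printf above. */
double five_point_one_via_float(void)
{
    volatile float f = 5.1f;
    return (double)f;
}

/* Exact comparison: this is the "bug" the original poster saw. */
int exact_equal_to_5_1(void)
{
    return five_point_two_minus_point_one() == 5.1;
}

/* Distance between two finite doubles of the same sign in units in the
 * last place: the IEEE-754 bit patterns of positive doubles are ordered
 * like their values, so the difference of the patterns counts the
 * representable values between them. */
uint64_t ulp_distance(double x, double y)
{
    uint64_t bx, by;
    memcpy(&bx, &x, sizeof bx);
    memcpy(&by, &y, sizeof by);
    return bx > by ? bx - by : by - bx;
}

/* Relative-tolerance comparison: |x - y| <= rel_tol * max(|x|, |y|). */
int nearly_equal(double x, double y, double rel_tol)
{
    double diff = x > y ? x - y : y - x;
    double ax = x < 0 ? -x : x;
    double ay = y < 0 ? -y : y;
    double scale = ax > ay ? ax : ay;
    return diff <= rel_tol * scale;
}

int main(void)
{
    double d = five_point_two_minus_point_one();
    printf("5.2 - 0.1    = %.16lf  (== 5.1 ? %s)\n", d,
           exact_equal_to_5_1() ? "yes" : "no");
    printf("ulp distance = %llu\n", (unsigned long long)ulp_distance(d, 5.1));
    printf("nearly equal = %s\n",
           nearly_equal(d, 5.1, 4 * DBL_EPSILON) ? "yes" : "no");
    printf("(float) 5.1  = %.16lf, %llu ulps from 5.1\n",
           five_point_one_via_float(),
           (unsigned long long)ulp_distance(five_point_one_via_float(), 5.1));
    return 0;
}
```

The subtraction lands one representable value above the double nearest 5.1, so it is "wrong" by exactly one ULP; the float round trip is off by about a hundred million ULPs, which is the 7-versus-15-digit difference the reply mentions.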
Re: [Full-disclosure] 0day: PDF pwns Windows
Minor point: No need to limit such accumulations to nation-states though. People interested in fiddling with other people's computers have come up with attacks that don't get instantly published at least since the 1970s, and have had more-or-less private channels to communicate them. The motives these days, if you believe the press, may be more around money than simple mischief, but the practice of not disclosing bugs and exploits to the world has been with us a long time.

Such exploits are 0day exploits until someone gets wind of them who will do something to defend against them. This can be a vendor, someone who publishes workarounds for admins, or whatnot, the key point being that the 0day issue is one that pretty much all systems of the target type will be vulnerable to. Once an exploit is widely used, it is likely to be noticed and cease to be effective everywhere too. The recent stories about targeted attacks are I expect partly devised to keep exploits working longer by avoiding this.

BTW the older use of 0day to refer to warez that were newly cracked is similar in that again the term refers to the fact that the vendor has not yet had time to do anything to react to the crack or disallow use of the software.

Glenn Everhart

-----Original Message-----
From: Crispin Cowan [mailto:[EMAIL PROTECTED]
Sent: Monday, September 24, 2007 5:59 PM
To: Chad Perrin
Cc: [EMAIL PROTECTED]; Gadi Evron; pdp (architect); [EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk
Subject: Re: 0day: PDF pwns Windows

Chad Perrin wrote:

On Sat, Sep 22, 2007 at 10:34:07PM -0700, Crispin Cowan wrote:

A private 0day exploit (the case I was concerned with) would be where someone develops an exploit, but does not deploy or publish it, holding it in reserve to attack others at the time of their choosing. Presumably if such a person wanted to keep it for very long, they would have to base it on a vulnerability that they themselves discovered, and did not publish.
In the case of that private zero day exploit, then, nobody will ever know about it except the person that has it waiting in reserve -- and if someone else discovers and patches the vulnerability before the exploit is ever used, it never becomes a public zero day exploit. In other words, you can always posit that there's sort of a Heisenbergian state of potential private zero day exploitedness, but in real, practical terms there's no zero day anything unless it's public. The moment you have an opportunity to measure it, the waveforms collapse.

It's a little less abstract than that. Consider that the United States government might want to worry about whether some foreign nation is banking a large pool of private 0day exploits in preparation for war. Such a nation might farm these private 0day exploits by employing a pool of vulnerability researchers and exploit developers, and just not publish the results. This is a perfectly viable way to produce what amounts to Internet munitions. The recent incident of "Estonia Under *Russian Cyber Attack*?" http://www.internetnews.com/security/article.php/3678606 is an example of such a network brush war in which possession of such an arsenal would be very useful.

Crispin

-- Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/ Director of Software Engineering http://novell.com AppArmor Chat: irc.oftc.net/#apparmor
Re: [Full-disclosure] Xbox live accounts are being stolen
When someone fraudulently charges your credit card you should immediately complain to the card issuer in writing so the charge can be reversed and charged back to the merchant who accepted the fraudulent credentials. That is one of the advantages of a credit card - the loss can be charged back, and a merchant who accepts bogus information is liable if it turns out to be fake. There is often a 60 day period to notify of this, so if you have not written your card issuer before, don't delay. Some of the "wait..." tactics can have the effect of your losing the right to get the purchase charged back if you don't get the notice out in time.

As with any such messages, too, send with return receipt requested so you can prove that you got the message sent and that it got to the bank. It is probably ok to send two letters, one normal and one with return receipt, mentioning they both exist, in case a mail room doesn't know how to handle one of them. That is not malice, just human confusion, but it's easy to print out two letters and might help especially if your time is now short.

Writing in like this does not mean the merchant can't make things right; it just ensures the fraud claim gets known by the card issuer bank and that it should not be treated as an ordinary charge on your card bill. It can also sometimes get the merchant's attention since the bank will now be after the merchant to prove the charge was not fraudulent...it's not just you vs. the company.

These kinds of cases are possibly harbingers of the future. Trusting some consumer-owned box as evidence of who he is is not foolproof. Bets on that being an issue with consumer PCs, cell phones, etc.?

Glenn Everhart

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Kevin Finisterre (lists)
Sent: Wednesday, August 08, 2007 9:34 AM
To: Ashley Wilson
Cc: Scott Hirnle; full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Xbox live accounts are being stolen

Hi Ashley...
I can certainly understand your frustration. Although my account was taken care of and I was ultimately given some things to quiet me down, I never got an explanation of what *really* happened, I never got any information about who I could prosecute or anything like that. As you can see I had to be very vocal about the whole situation in order to get my issue taken care of and the process was quite lengthy, time consuming and frustrating, so good luck. I have CC'd a gentleman from Microsoft that got me taken care of in the past. He should hopefully be able to help you out, no promises of course. I think it would be fair of me to say I really don't like Microsoft's disclosure policy under these circumstances.

-KF

On Aug 7, 2007, at 5:08 PM, Ashley Wilson wrote:

Hey there, I'm so very frustrated with Microsoft and went on a search to see if anyone else has had the same issue and lo and behold, I came across your article of sorts. It's been over a month now, since I was hacked. I woke up on a Sunday morning, checked my email as I do everyday. I had 4 emails from Microsoft stating I purchased 2 Microsoft points and a year subscription. As most people would, I panicked and wondered what kind of insane thing happened. When I turned on my Xbox and attempted to log into my account, I couldn't. My boyfriend shortly after that, recovered my account on the Xbox and we came to find out that my username had been changed, all my friends had been deleted off my list and my motto was changed to "LOL I got jacked". I was furious to think someone could do such a thing. They not only stole my account but over 400 dollars was spent on my credit card. I called Microsoft support shortly after that. I got the run around. Transferred to one agent and then another. They basically accused me of giving out the information. I eventually got to speak to a supervisor, who assured me that everything would be taken care of.
They even said they would catch the individual that did this and assured me a phone call in a few days, as they had to send in a full investigation the next day. 3 weeks later and I was still waiting for a call. I decided it was time for me to call them, since obviously I as a customer wasn't important to them. Again, the run around. I spoke with, again, another supervisor who informed me that they hadn't even sent out the investigation yet. He assured me that he would send it out that very day and I should receive a call within 3 days. I sat home waiting to receive a call for 3 days. Again, I never received a phone call. By the 4th day, I called again. Speaking with an agent who assured me, I will receive a call. "It's under investigation now, you have to wait for a phone call." Now, 2 weeks later and I called again today. I'm told that they attempted to call me today and I have to wait to speak with them because there is nothing they
Re: [Full-disclosure] [Humor] [archivists] National Archives timestamp (fwd)
They discover SHA256 but misunderstand somewhat. There will be cases where different files yield the same hash, but if the algorithm works as it should it will be infeasible to generate one given the desired hash value in any sufficiently simple way.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of J.A. Terranson
Sent: Wednesday, July 11, 2007 12:25 AM
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] [Humor] [archivists] National Archives timestamp (fwd)

The Great Unwashed Masses discover SHA-256!

-- Yours, J.A. Terranson sysadmin_at_mfn.org 0xBD4A95BF

"The real point is that you cannot harbor malice toward others and then cry foul when someone displays intolerance against you. Prejudice tolerated is intolerance encouraged. Rise up in righteousness when you witness the words and deeds of hate, but only if you are willing to rise up against them all, including your own. Otherwise suffer the slings and arrows of disrespect silently." Harvey Fierstein is an actor and playwright.

-- Forwarded message --
Date: Tue, 10 Jul 2007 13:52:18 -0500
From: Brad Jensen [EMAIL PROTECTED]
To: 'Bill Cribbs' [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: [archivists] National Archives timestamp

For those who are not aware, there is a computational procedure you can do for any digital file, that creates a unique number, called a hash, that only matches that exact file. There is a Federal standard for one hashing algorithm, called SHA-1. That is a 160-bit number. More commonly used today is the SHA-256 hash, that generates a 256 bit number. Another term for this is 'digital thumbprint'. In the following discussion I am referring implicitly to the use of the SHA-256 hash.

If you take a digital file 'A', and you change the order of two characters in the file, the hash becomes completely different. No two digital files will have the same thumbprint. You cannot predict what the thumbprint will be for a file.
You cannot forge or modify a file to match an existing thumbprint. There are digital time stamping services on the internet that register these 'thumbprints' to prove a particular file existed at a particular date and time, and it has not changed. The US Postal Service offers a time stamping service for a small fee that they call an 'Electronic Postmark' but it only is kept for seven years. They also require the user to have a digital certificate to establish identity of the person time stamping the file.

I propose something simpler. I propose that the National Archives create and offer a free time stamping service that does not require a digital certificate. The purpose of this is to store and retrieve unique file identifiers that will establish that a file existed at a certain date and time, and has not changed. Then files can be archived in multiple locations across a distributed network, and their identity and authenticity will remain unquestionable. This service would be a public good, similar to the digital time source offered by the Navy, for example.

The National Archives will keep these timestamps in perpetuity. They would basically be entries in a database, with a 32-byte thumbprint, date and time. They would be a public record, so anyone can look up a thumbprint and know the date and time it was registered.

Can others see the value of this idea? I can write the basic software for this. One part would be a database for the National Archives with a web XML interface for registering and retrieving the thumbprints. It would include a feature to thumbprint each day's database entries, to eliminate any possibility of human interference in the process. You don't have to trust anybody or even the institution, since the thumbprints are impossible to forge. The second thing would be a program, downloadable from a web page, to calculate and submit the thumbprint. I can write it in Windows, publish the source, and others could do the same for Linux, etc.
What could it be used for? Scanned images, photographs, text documents, backup files, sound recordings, web pages, newspapers, anything that can be digitized. Since the only submission is the thumbprint and not the file, files can remain private yet still be authenticated later. And the processing load on the server is tiny.

The other alternative to having someone like the National Archives do it, is to do it ourselves as a distributed database with replication across many sites and servers. I can do it myself, but this needs institutional support to last forever. That institution can be a formal body like the National Archives, or an ad hoc self-organizing one. Perhaps the latter makes sense in this global internet world.

I think of this as the 'Forever Project' since it is the first thing designed to last forever.

Brad Jensen
President
LaserVault LLC
www.laservault.com
Re: [Full-disclosure] Persistent XSS and CSRF on network appliance [subject corrected :) ]
Well, it depends on the context. A story went around some years ago about a colleague who was in London. Once he got his PhD (in physics), he had a sign made which read DOCTOR VISITING, which was placed in his dashboard when he double parked now and again (parking spaces being hard to find in his neighborhood). As the story went, he never got a parking ticket.

Signing with the PhD is occasionally useful in dealing with bureaucrats or people in schools who make life difficult for one's children too, as I have noticed.

Glenn Everhart (leaving the degree off for now ;-) 8-) )

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of coderman
Sent: Wednesday, June 27, 2007 7:49 PM
To: Pete Simpson
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Persistent XSS and CSRF on network appliance [subject corrected :) ]

On 6/27/07, Pete Simpson [EMAIL PROTECTED] wrote:

... After all few educated individuals would be likely to be so pretentious as to declare themselves as both Dr and PhD?

lol it is the Stanford envy; for the AM philosopher must shore up his fine credentials lest the authority and expertise conveyed by such be underestimated...
Re: [Full-disclosure] Month of Random Hashes: DAY TWELVE
No money or valuables demanded == no blackmail. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of HACK THE GOV Sent: Wednesday, June 20, 2007 10:20 PM To: full-disclosure@lists.grok.org.uk Subject: [Full-disclosure] Month of Random Hashes: DAY TWELVE http://seclists.org/fulldisclosure/2006/Dec/0382.html From: n3td3v xploitable_at_gmail.com mailto:xploitable_at_gmail.com?Subject=Re:%20n3td3v%20calls%20on%20month%20of%20bug%20campaigns%20to%20stop http://seclists.org/fulldisclosure/2006/Dec/0382.html Date: Wed, 20 Dec 2006 21:38:38 + [introduction] n3td3v is deeply sad at the new trend of morally accepted blackmail by the security community, known better as a month of bugs. [rest of this deleted]
Re: [Full-disclosure] Month of Random Hashes: DAY TWELVE
Maybe so, but that does not come from the company. Blackmail requires some sort of "or else". Unilateral release of info might match a description of reckless endangerment, but not blackmail. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Friday, June 22, 2007 11:34 AM To: Everhart, Glenn (Card Services) Cc: full-disclosure@lists.grok.org.uk Subject: Re: [Full-disclosure] Month of Random Hashes: DAY TWELVE On Fri, 22 Jun 2007 11:15:57 EDT, [EMAIL PROTECTED] said: No money or valuables demanded == no blackmail. Remember that in this industry, getting named as the first person to discover an exploit is a valuable.
Re: [Full-disclosure] Fw: [IACIS-L] Statement by Defense Expert
Ayup, true enough re jury confusion. Once a machine has had a malware infection though, the point a layman needs to understand is simply: it is not possible in under (a large number, maybe 1000) man years to determine that the machine has not been remotely controllable if connected to an outside net. Further it is not possible to say with certainty that an apparently clean machine, so connected, has not been infected in the past by something that removed its traces. One is left with probabilities. If for example I am looking for a worm author and find on his computer lots of partial code, edited versions of the worm, and maybe the final one, compilers etc., while it is possible these were inserted by an evil outsider, I might reckon that local creation is more likely. If all I find is a cache of warez, nasty pictures etc., and some server running, it is harder to exclude the idea the box might be in use by an evildoer as a hiding place for material the outsider is unwilling to risk serving out himself. As long as experts are suitably modest about what they can know, and explain the probabilities honestly all could be well. The more of these elderly jury selectees that are informed ahead of time about the limits of what can be found, the better. The story about Mr. Ballmer (Microsoft CEO) having a box infected, taking it to work to get it cleaned, and having all the experts he could access be unable to clean it save by wiping and reloading, may be a useful one to spread to said jury pool folks. It makes it clear the level of expertise and time needed to clean a box up, suggesting that Mr. 20something-self-proclaimed-forensic-guy who swears there could never have been external meddling on this box might be just a tad out of his depth. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of J. 
Oquendo Sent: Thursday, June 07, 2007 8:42 AM To: [EMAIL PROTECTED] Cc: Full Disclosure; Jason Coombs Subject: Re: [Full-disclosure] Fw: [IACIS-L] Statement by Defense Expert [EMAIL PROTECTED] wrote: So I take it that law enforcement computer examiners and prosecutors *do* have the years of experience in software engineering and exploit construction and use, to qualify them to translate a bit of data into forensic evidence of guilt? Catch 22. This is why prosecutors often rely on expert witnesses who even then are lacking. One of the things many omit in their methods of thinking when it comes to perhaps going to trial is the following, and please take it very seriously... Will the JURY understand it first and foremost, secondly will the jury even give a rat's ass. From experience, 1) the jury WILL NOT understand even 1/2 of the terminology nor concepts, analogies you can throw at them. This works to the benefit of whichever side is willing to exploit the jurors. Overwhelm them with so much technology they'll have to believe the accused is guilty. After all, why bring in all of these *experts* (for the prosecution). Overwhelm them with so much technology to counter the former experts' expertise and throw in doubt... For the defense. On the latter... While guilty until proven innocent is the American dream, it is seldom practiced. If so there would be no need for bail since the defendant is after all innocent. (Bottom line holding true to the letter of the law... Not practical but this concept of innocent until proven guilty is flawed). Anyhow, if one were to find themselves on trial this is what you SHOULD expect... You will get a jury of your so called peers.. So let's define peer: Noun 1. peer - a person who is of equal standing with another in a group. Your peers will never be in equal standing from a technological perspective period. For one, it would take a miracle to gather a bunch of computer literate users for jury duty. 
Heck you will likely find 0 even if one appears for jury duty, it is likely the prosecution will try to rid this person from selection. It's not in their best interest to have someone fully technical on trial for a few reasons. 1) The juror might associate his experiences with the case being tried and taint an outcome based on HIS experience, not the facts presented. Would be the main reason. It might not be in the best interest of the defendant for the same reason. No sir, your peer will consist of someone who's likely going to be computer illiterate, likely twice your age, etc., they'll 1) be frustrated they have to go through jury duty and want to get things over with to return to normal life. 2) They'll be looking like a deer in headlights trying to understand what the hell an expert is talking about: SMTP is a protocol used to deliver electronic mail. This mail consists of binary zeros and ones which when converted formed a corrupted gif image which caused Microsoft's Windows Small Business Server to suffer a buffer overflow. Might sound like clockwork to anyone here, but will sound Klingon to a
[Full-disclosure] Maybe nothing so shady; depends on the motive.
There may be no impersonation going on. Could be that email for terminated people is directed to a common mailbox which might be perused by security folks to check whether anything wrong might have been going on and not noticed while the person was there. In effect the mail has then gone to a wildcard name at the company's machine. If you send to the machine, you should not be surprised if someone representing the machine owner might read it. Someone communicating exploits might attract interest, if nothing else just to see that whoever was represented by the Maynor address did not appear to be involved in some crime ring. I seem to recall various stories of people being caught doing things they should not by events that happened shortly after they left a company. As for keeping old accounts or mailboxes in being, the advice used to be given that disabling accounts but leaving them was better than deleting because an attempted use of a disabled account would produce messages about account foo login fail or the like, where unknown accounts would produce account unknown login fail. Same kind of thing works for mail. It can be better to know if a recently departed person's account is being attempted. You can then ask that person if he/she was the one trying it, and why, for example. Glenn Everhart -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of John Lowry Sent: Wednesday, June 06, 2007 2:49 PM To: H D Moore Cc: full-disclosure@lists.grok.org.uk Subject: Re: [Full-disclosure] You shady bastards. The only part I find legally questionable is the impersonation of Mr. Maynor by someone at his old company. It certainly appears legal for his company to read the email. Acting on that email under the guise of the addressee would seem to tread pretty close to impersonation. 2 cents ... 
On Jun 6, 2007, at 9:47 AM, H D Moore wrote: Hello, Some friends and I were putting together a contact list for the folks attending the Defcon conference this year in Las Vegas. My friend sent out an email, with a large CC list, asking people to respond if they planned on attending. The email was addressed to quite a few people, with one of them being David Maynor. Unfortunately, his old SecureWorks address was used, not his current address with ErrattaSec. Since one of the messages sent to the group contained a URL to our phone numbers and names, I got paranoid and decided to determine whether SecureWorks was still reading email addressed to David Maynor. I sent an email to David's old SecureWorks address, with a subject line promising 0-day, and a link to a non-public URL on the metasploit.com web server (via SSL). Twelve hours later, someone from a Comcast cable modem in Atlanta tried to access the link, and this someone was (confirmed) not David. SecureWorks is based in Atlanta. All times are CDT. I sent the following message last night at 7:02pm. --- From: H D Moore hdm[at]metasploit.com To: David Maynor dmaynor[at]secureworks.com Subject: Zero-day I promised Date: Tue, 5 Jun 2007 19:02:11 -0500 User-Agent: KMail/1.9.3 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Content-Disposition: inline Message-Id: 200706051902.11544.hdm[at]metasploit.com Status: RO X-Status: RSC https://metasploit.com/maynor.tar.gz --- Approximately 12 hours later, the following request shows up in my Apache log file. It looks like someone at SecureWorks is reading email addressed to David and tried to access the link I sent: 71.59.27.152 - - [05/Jun/2007:19:16:42 -0500] GET /maynor.tar.gz HTTP/1.1 404 211 - Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/419 (KHTML, like Gecko) Safari/419.3 This address resolves to: c-71-59-27-152.hsd1.ga.comcast.net The whois information is just the standard Comcast block boilerplate. 
--- Is this illegal? I could see reading email addressed to him being within the bounds of the law, but it seems like trying to download the 0day link crosses the line. Illegal or not, this is still pretty damned shady. Bastards. -HD
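The point Glenn makes about disabling rather than deleting departed users' accounts is that the log line for a failed login against a disabled-but-retained account is distinguishable from one against an unknown account. Here is an added example (not code from anyone in this thread) that tallies constructed log lines of the form the post describes, "account <name> login fail", and flags attempts against a constructed list of disabled accounts; the log format, account names and timestamps are all assumptions made for the example.

```c
/* Added example (not from the thread): tally failed logins by whether the
 * account is unknown, still active, or disabled-but-retained. The log format
 * and the account names below are constructed for this example. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

enum outcome { OTHER = 0, FAIL_UNKNOWN, FAIL_ACTIVE, FAIL_DISABLED };

struct tally { int unknown; int active; int disabled; };

/* Accounts of recently departed staff, disabled rather than deleted (constructed). */
static const char *const DISABLED[] = { "jdoe", "rroe" };
static const size_t NDISABLED = sizeof DISABLED / sizeof DISABLED[0];

static int is_disabled(const char *name)
{
    for (size_t i = 0; i < NDISABLED; i++)
        if (strcmp(name, DISABLED[i]) == 0)
            return 1;
    return 0;
}

/* Classify one line of the constructed format
 *   "<date> <time> account <name> login fail"
 * and copy the account name into name[namesz]. */
enum outcome classify_line(const char *line, char *name, size_t namesz)
{
    const char *p = strstr(line, "account ");
    if (p == NULL || strstr(line, "login fail") == NULL)
        return OTHER;                     /* not a failed-login record */
    p += strlen("account ");
    size_t len = strcspn(p, " ");
    if (len == 0 || len >= namesz)
        return OTHER;                     /* malformed or oversized name */
    memcpy(name, p, len);
    name[len] = '\0';
    if (strcmp(name, "unknown") == 0)
        return FAIL_UNKNOWN;              /* what a deleted account produces */
    return is_disabled(name) ? FAIL_DISABLED : FAIL_ACTIVE;
}

struct tally tally_lines(const char *const *lines, size_t n)
{
    struct tally t = { 0, 0, 0 };
    char name[64];
    for (size_t i = 0; i < n; i++) {
        switch (classify_line(lines[i], name, sizeof name)) {
        case FAIL_UNKNOWN:  t.unknown++;  break;
        case FAIL_ACTIVE:   t.active++;   break;
        case FAIL_DISABLED:
            t.disabled++;
            /* The line worth a phone call: someone is trying a departed user's account. */
            printf("ALERT: attempt on disabled account %s: %s\n", name, lines[i]);
            break;
        default: break;
        }
    }
    return t;
}

/* Constructed sample log, modelled on the wording in the post. */
static const char *const SAMPLE[] = {
    "2007-06-06 14:02:11 account alice login ok",
    "2007-06-06 14:03:40 account unknown login fail",
    "2007-06-06 14:05:02 account jdoe login fail",
    "2007-06-06 14:05:09 account jdoe login fail",
    "2007-06-06 14:06:55 account bob login fail",
};

struct tally run_sample(void)
{
    return tally_lines(SAMPLE, sizeof SAMPLE / sizeof SAMPLE[0]);
}

int main(void)
{
    struct tally t = run_sample();
    printf("unknown=%d active=%d disabled=%d\n", t.unknown, t.active, t.disabled);
    return 0;
}
```

Run on the sample, the two attempts against jdoe are reported separately from the one against an unknown name; with the account deleted instead, all three would collapse into the "unknown" bucket and the question "was that you?" could never be asked.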
Re: [Full-disclosure] UK ISP threatens security researcher
Extortion is AFAIK the demand for money or valuables without legal authority. I do not believe fame qualifies, and in any event one who points out a bug in public has his fame or infamy independently of what a company does. At a former employer (an OS vendor) the general line was to ask customers to not disclose vulnerabilities. However this was accompanied by an almost paranoid internal search-and-destroy attitude toward security holes and by prompt fixes to such problems as became known. As a result the customers supported this stand. Mind, there was little or none of the childish counting coup that seems to go on in some quarters involved. Those who advocated disclosing problems did not claim credit for finding the problems in the cases that surfaced. The discussion about whether to do so was always centered on the theory (with some observational support) that attackers knew of the bugs already and countermeasures could often be used if the attacks were known to exist. To my mind, a company that wants its problems to be kept quiet externally till fixed needs to earn that consideration by such paranoia. If a company is smart it will communicate with outsiders who point out problems. (Communicating about problems that can affect third party software is also a good thing. Many of us did.) Still, one who reveals a problem to the public is contributing to public knowledge, and that act by itself is not extortion or bullying. It should not be confused with such. The ethical issues center around whether the warning might help avoid a problem, or simply precipitate it. A similar ethical issue appeared in science fiction and is a caution to the reveal everything side. In the story a small group learns to build a cheap doomsday device. In the end one of them kills the others because he worries about it being used for extortion. However, he is shortly afterwards killed by his wife, who worries that if the device can be built her children's lives cannot be safe. 
The law ought to be clear that revealing information freely is OK, but that something that risks precipitating a catastrophe is not. A properly defended (in 2nd Amendment sense!) society might very well in clear cases resort to the science fiction solution. On the other hand, claiming such risk for every oversight, and at the same time not advertising your code does not run in hostile environments, is a kind of public fraud which does not deserve either protection or respect. The science fiction example is in clearly defined territory. Computer risks are seldom so, and before legal (or extralegal societal extreme) measures get involved there should be much more proof than has been common, and clarity about what is arguably beneficial and what is thuggery. When I propose designs, by the way, I am very glad to have heard about vulnerabilities in different technical areas so I might design around them. If I must propose a kludge I am also very glad to have heard about where the dangers lie. At least it allows my guesstimates of how long the kludge might be used to be more accurate. In the case referred to, the ISP's arguments remind me of what English banks were reputed to do some years ago when thefts occurred: argue that (in so many words) our systems are secure so you must have done something wrong to breach them. Yep, bullying seems to be going on, but from the ISP. A response more along the lines of fixing the holes (as Microsoft has done when holes cropped up in its mail systems) would be more responsible. Had they considered that the researcher was giving them free help, having found the problem due to some vulnerabilities the ISP's software was causing on his home system, the ISP would have wound up looking better. Reading the original post btw shows the guy gives a workaround for customers to close the holes created in their home systems. 
No evidence there far as I can see that the guy wanted anything other than to alert others about a hole in their own systems that the ISP software created (perhaps inadvertently), and what he noted. (That they responded noting that the terms and conditions say a customer is responsible for security of account passwords selected by the customer, and claiming this somehow applies to passwords evidently selected by the ISP, is an indication of CYA, not of problem solving.) Glenn Everhart -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Dr. Neal Krawetz, PhD Sent: Wednesday, April 18, 2007 8:01 AM To: full-disclosure@lists.grok.org.uk; [EMAIL PROTECTED] Subject: Re: [Full-disclosure] UK ISP threatens security researcher
Re: [Full-disclosure] Searching chroot-like jail for Windows
There is something called sandboxie that seems to do this same kind of thing. Programs run inside the sandbox can read whatever you allow, but writes get done to other directories so that it is more difficult for a rogue app to corrupt anything outside the area it is allowed to write to. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Victor Krapivin Sent: Tuesday, February 20, 2007 3:54 PM To: full-disclosure@lists.grok.org.uk Subject: Re: [Full-disclosure] Searching chroot-like jail for Windows Hello, TB You can duplicate this behavior by using multiple accounts TB and using runas (which is essentially, from what I gather, what TB winquota does.) Hmm, it is not the same as I see it. WinJail also provides a way to re-map folders like c:\* -> c:\NewPlace\* at the file system level for every application, so such a process (and all sub-processes) accessing c:\* files will use files from c:\NewPlace\* for all file operations instead. So the most interesting point of this tool is the ability to make a chroot()-like environment, not managing additional permissions ;-) Best regards, Victor
Re: [Full-disclosure] Major gcc 4.1.1 and up security issue
Actually some of the older machines (pdp11 in particular) with their signed and unsigned conditional branches forced you to think about overflow, and if your programs happened to run in memory above 32K bytes (16K words) things were too apt to just crash if you got that stuff wrong. I recall though that condition codes (the pdp11 approach to capturing overflows and the like) were said to be a feature that makes it very hard to speed a processor up. BTW things got still more interesting on 12 bit boxes. In that era there were few of the constructs later CPUs like Z80 got to support wider operations; you did it all the hard way. I suspect those who recall using the older boxes may have less trouble with integer overflow than folks who have not (who in a few years may be recalling when an overflow occurred at only 2 billion). At some point, maybe in a 64 or 128 bit word, it may be feasible to just routinely zap the high part of a register to be sure you never get the wrong sign, sight unseen... Glenn Everhart -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of [EMAIL PROTECTED] Sent: Monday, January 22, 2007 2:50 PM To: Marcin Owsiany Cc: full-disclosure@lists.grok.org.uk Subject: Re: [Full-disclosure] Major gcc 4.1.1 and up security issue On Sun, 21 Jan 2007 12:07:18 GMT, Marcin Owsiany said: I also think that CPUs can detect internally when an overflow happens - is there a way to use that feature in C somehow, in a portable way? (Somehow I feel that the answer is that not all CPUs do that, so - no.) The fact that some CPUs implement overflow detection in ways best described as byzantine and sometimes merely flawed or lacking entirely is why C does such hand-waving on the issue. It's generally considered performance-crippling to add inline code that does a test condition/branch pair after *every single* opcode that might cause an overflow - so the C paradigm is to leave them out and have the programmer code tests when actually needed. 
You think it's bad *now*, where you have to force-feed a 2-billion-something value in to cause an integer overflow, you obviously aren't old enough to have programmed on 16-bit machines, where numbers around 32,000 were sufficient, and even 'unsigned int' didn't suffice to let you sort 5-digit US postal ZIP codes... (And we won't mention the horrorshow that was floating point before IEEE-standard became widely used...)
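Since the C paradigm, as the quoted reply puts it, is to have the programmer code the tests when actually needed, the question is what a test looks like that a compiler cannot legitimately discard. Here is an added example (not code from this thread or from gcc) showing the portable approach: decide from the operands, before the arithmetic, whether the result fits, and handle the 16-bit case the reply mentions by computing in the promoted type. The function names are my own; the only assumption beyond the C standard library is the optional gcc/clang builtin at the end, which is compiled only where those compilers provide it.

```c
/* Added example (not from the thread): overflow checks that stay valid under
 * optimisation. The common "if (a + b < a)" test on signed operands is
 * undefined behaviour once a + b overflows, so a compiler may delete it;
 * test the operands before the arithmetic instead. */
#include <stdio.h>
#include <stdlib.h>
#include <limits.h>
#include <stdint.h>
#include <stdbool.h>

/* Signed addition: decide from the operands whether a + b fits in int. */
bool checked_add_int(int a, int b, int *out)
{
    if ((b > 0 && a > INT_MAX - b) || (b < 0 && a < INT_MIN - b))
        return false;                 /* would overflow; *out untouched */
    *out = a + b;
    return true;
}

/* The 16-bit case from the reply: integer promotion makes the addition exact
 * in int, so range-check the wide result before narrowing back to int16_t. */
bool checked_add_int16(int16_t a, int16_t b, int16_t *out)
{
    int wide = (int)a + (int)b;
    if (wide > INT16_MAX || wide < INT16_MIN)
        return false;
    *out = (int16_t)wide;
    return true;
}

/* Unsigned wraparound is defined behaviour, so the post-hoc test is valid here. */
bool checked_add_uint(unsigned a, unsigned b, unsigned *out)
{
    unsigned s = a + b;
    if (s < a)
        return false;
    *out = s;
    return true;
}

/* The size_t multiply behind every count * size allocation. */
bool checked_mul_size(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return false;
    *out = a * b;
    return true;
}

/* Allocation wrapper that refuses to hand malloc a wrapped byte count. */
void *alloc_array(size_t count, size_t size)
{
    size_t bytes;
    if (!checked_mul_size(count, size, &bytes))
        return NULL;
    return malloc(bytes);
}

/* Predicates returning 1 when an overflow is detected, 0 when the result fits. */
int add_int_overflows(int a, int b)            { int r;      return !checked_add_int(a, b, &r); }
int add_int16_overflows(int16_t a, int16_t b)  { int16_t r;  return !checked_add_int16(a, b, &r); }
int add_uint_overflows(unsigned a, unsigned b) { unsigned r; return !checked_add_uint(a, b, &r); }
int mul_size_overflows(size_t a, size_t b)     { size_t r;   return !checked_mul_size(a, b, &r); }

#if defined(__GNUC__) && (__GNUC__ >= 5 || defined(__clang__))
/* Where the compiler offers it, the builtin performs the same test in one
 * well-defined step using the CPU's overflow flag; still not portable C. */
int add_int_overflows_builtin(int a, int b) { int r; return __builtin_add_overflow(a, b, &r); }
#endif

int main(void)
{
    printf("INT_MAX + 1 overflows: %d\n", add_int_overflows(INT_MAX, 1));
    printf("30000 + 5000 overflows int16: %d\n", add_int16_overflows(30000, 5000));
    printf("SIZE_MAX * 2 bytes allocation refused: %d\n", alloc_array(SIZE_MAX, 2) == NULL);
    return 0;
}
```

The pre-check form costs the same compare-and-branch pair the reply describes, but placed only where the programmer decides an overflow matters, and it never relies on a signed result that the standard leaves undefined.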
Re: [Full-disclosure] Security as an Enabler - Virtual Trust: AnOpen Challenge to All InfoSec Professionals
I see no value in suddenly starting to use a term virtual trust for trust given due to evidence produced over wires as opposed to trust given due to evidence produced by other means. Trust and the validity of evidence to justify it are meaningful. A new candidate buzzword for a concept that has been around for a long time does not. Many of us have argued for at least decades now that more trustworthy systems and more trustworthy evidence for the parties to a transaction not being fooled about the identity of their correspondents enables more kinds of business. However I see nothing virtual about the trust that is needed. Seems to me it must be real trust, ultimately validated by real evidence or statistics showing it is properly granted, whether granted by a person or an automaton. Whether a human or an automaton evaluates evidence for identity, either must use similar statistics to validate their choices and either will probably perform better given more and more varied evidence. If you build your authentication systems so that available evidence is excluded, shame on you. But this observation was published at least 14 years back, probably further, and depends on there being real trust, real evidence, and real ways to tell (at least statistically) whether it is being conferred justly. I suspect efforts to separate them obscure rather than elucidate. Glenn Everhart -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Dave No, not that one Korn Sent: Thursday, September 28, 2006 9:43 AM To: full-disclosure@lists.grok.org.uk Cc: bugtraq@securityfocus.com Subject: Re: [Full-disclosure] Security as an Enabler - Virtual Trust: AnOpen Challenge to All InfoSec Professionals Kenneth F. Belva wrote: I've been defending Virtual Trust as an enabler for the past three days on the full-disclosure list. So far, fairly successfully. An enabler *of* anything in particular? Or just some kind of magic enabling pixie dust, good for all purposes? 
Here's the challenge: How creative are you *for* VT, *against* VT and determining the *impact* of VT? What does being creative *for* something even mean? cheers, DaveK -- Can't think of a witty .sigline today
RE: [Full-disclosure] New Laptop Polices
If the data is encrypted on the laptop, that mitigates loss. If you have never heard of truecrypt (as one possibility that is free), go learn (and use!) now. However I fail to see the governments doing much to see that whatever gets checked through in fact GETS to the destination with the passenger, is un-rifled-through, un-stolen-from, and in fact also GETS to the passenger again. Much better safety of the materials ought to be as high a priority as the interference. They need also to consider that for example piezoelectric quartz could be an igniter. Those bits are tiny (would be hard to see in sand). Probably scores or more of other ways to generate ignition are doable also. Detective work to keep attackers from getting on planes in the first place seems more effective. If instead of just taking things from people they would pack them and carry them on the plane (perhaps in a resistant box) and deliver back to passengers, the pain of finding you have some contraband du jour and must either lose it forever or not fly could be lessened. Such actions would go a rather long way to mitigate, in turn, the problems being caused for travellers. Glenn Everhart (speaking for myself) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Simon Richter Sent: Friday, August 11, 2006 12:34 PM To: Cullen, Michael Cc: full-disclosure@lists.grok.org.uk Subject: Re: [Full-disclosure] New Laptop Polices Hello, Cullen, Michael wrote: Given the new threats and the change in policy with the airlines and traveling in and around the UK, has anyone changed their laptop and portable computing device policy? We are being questioned about the safety of executives traveling with their laptops. Last thing I heard was that the new policy was no electronics in hand luggage. 
I just had an idea for an interesting venture: At the airport, offer a service that takes laptops, creates an image, sends that image to the destination airport where it is put onto a new laptop that is then rented to the client. On return, do the same thing in the other direction. Couple with optional virus scanning for $5 extra. Pointy-haired bosses are going to love this. Simon
RE: [Full-disclosure] Sniffing RFID ID's ( Physical Security )
Every RFID that I have seen descriptions for (they're on websites for vendors!) has a unique serial number that is manufactured in, and is designed not to be writeable after manufacture. If someone does not use this information the part could be cloned but the feature exists to block this. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of mikeiscool Sent: Tuesday, June 27, 2006 12:25 AM To: Josh L. Perrymon Cc: full-disclosure@lists.grok.org.uk; [EMAIL PROTECTED] Subject: Re: [Full-disclosure] Sniffing RFID ID's ( Physical Security ) On 6/27/06, Josh L. Perrymon [EMAIL PROTECTED] wrote: I was contacted by Eweek recently about previous posts about RFID and how it is being used at the World Cup and Olympics. This got me thinking a little more about some previous ideas I have had. I think the real risk is in RFID access cards. World Cup and Olympics are / will be using embedded RFID chips in tickets to ID ticketholders. Upon buying the tickets patrons provide a lot of personell details- This is stored in a Database and I suppose a unique ID is assigned to each ticket holder. Now internal security can identify each ticket holder and do whatever they want with the data. ( ID terrorists so on, I dont care. ) Risks: Not a lot here- As long as the ID used on the ticket is unique and not associated with personell details. An attacker would have to embed an SQL injection into the RFID ticket or another RFID chip in their pocket to be parsed by the RFID reader / backend. I have't been involved in many of these systems but I will bet that input validation may not be built into the SDLC. But overall, injecting SQL to get a remote connection may be fairly involved and take several attempts. But deleting the DB may be a lot easier. My ideas on RFID risk in its current implementation: I'm thinking a lot of the risk with RFID would be within ID cards and physical security. 
I have been in 100's of companies that use RFID ID cards for physical security to access a building. Just rock up and swipe your badge in front of the reader, right??? What if an attacker was sitting at the cafe downstairs sniffing RFID (well, sending out RFID signals to power the chips and get a response)? Wouldn't it be trivial to obtain the STATIC ID codes stored on the RFID chips and write them to a generic chip? This new card could easily be used to walk right in to the target company. As we all know, once you're inside it's trivial to root the entire network. Just insert your USB / CD with an autorun backdoor sploit connecting outside OR plug in a small wireless AP. Go back down to the coffee shop and hack away.

Is anyone addressing this RFID issue for access cards? At MINIMUM a private PIN# should be used with this type of ID. I'd like to hear your ideas / comments.

eh? surely a RFID would only communicate its private token with a trusted (i.e. keyed) source. like a smartcard ...

Cheers,
Joshua Perrymon
CEO Packet Focus Security Research
www.packetfocus.com
[EMAIL PROTECTED]

--
mic
CMLRA, Mirios

** This transmission may contain information that is privileged, confidential and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. Thank you **
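The sniff-and-clone scenario argued over in the thread above, worked through as a toy simulation. This is an added example, not code from any of the posters and not any real RFID or smartcard product: the tag, reader, 4-byte serial and per-card key are all constructed here, and the keyed tag's HMAC-over-nonce exchange is a generic challenge-response model, not a specific card protocol.

```python
import hashlib
import hmac
import os

# Toy model, constructed for this example. A "tag" answers a reader's
# challenge; a "reader" decides whether the door opens. Nothing here is a
# real card protocol.

class StaticIdTag:
    """Answers every reader with its fixed serial, whatever the challenge.
    This is the access card the thread is worried about."""
    def __init__(self, serial):
        self.serial = serial
    def respond(self, challenge):
        return self.serial

class KeyedTag:
    """Holds a per-card secret key and proves it with an HMAC over the
    reader's challenge. The key itself never leaves the card."""
    def __init__(self, serial, key):
        self.serial = serial
        self._key = key
    def respond(self, challenge):
        return self.serial + hmac.new(self._key, challenge, hashlib.sha256).digest()

class ClonedTag:
    """A blank writable tag (or any emulator) programmed with one sniffed
    response. It is not a genuine chip, so a burned-in serial on genuine
    chips does nothing to stop it."""
    def __init__(self, recorded_response):
        self.recorded = recorded_response
    def respond(self, challenge):
        return self.recorded

class StaticIdReader:
    """Door reader that only checks the presented serial against an allow-list."""
    def __init__(self, allowed_serials):
        self.allowed = set(allowed_serials)
    def admit(self, tag):
        challenge = os.urandom(16)          # a static tag ignores this
        return tag.respond(challenge) in self.allowed

class ChallengeResponseReader:
    """Door reader that sends a fresh nonce and verifies the keyed answer."""
    def __init__(self, enrolled):           # serial -> per-card key
        self.enrolled = dict(enrolled)
    def admit(self, tag):
        challenge = os.urandom(16)
        answer = tag.respond(challenge)
        serial, mac = answer[:4], answer[4:]
        key = self.enrolled.get(serial)
        if key is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(mac, expected)

def sniff(tag):
    """Attacker in the cafe downstairs: power the tag with a challenge of
    their own choosing and record whatever it replies."""
    return tag.respond(b"\x00" * 16)

def clone_attack(reader, victim_tag):
    """Sniff the victim's tag, program a blank tag with the capture and present
    the clone at the door. Returns True if the door opens."""
    return reader.admit(ClonedTag(sniff(victim_tag)))

SERIAL = b"\x00\x00\x10\x42"     # constructed 4-byte card serial
KEY = bytes(range(32))           # constructed per-card key (random in practice)

def demo():
    """Run the four cases: legitimate card and clone, against each reader type."""
    static_door = StaticIdReader([SERIAL])
    keyed_door = ChallengeResponseReader({SERIAL: KEY})
    return {
        "static_card_legit": static_door.admit(StaticIdTag(SERIAL)),
        "static_card_clone": clone_attack(static_door, StaticIdTag(SERIAL)),
        "keyed_card_legit": keyed_door.admit(KeyedTag(SERIAL, KEY)),
        "keyed_card_clone": clone_attack(keyed_door, KeyedTag(SERIAL, KEY)),
    }

if __name__ == "__main__":
    for case, opened in demo().items():
        print(f"{case:18} door {'OPENS' if opened else 'stays shut'}")
```

A static tag's entire secret is its serial, so what the sniffer captures is exactly what the door asks for, and the clone walks in. The keyed tag still sends its serial in the clear (so the card can be tracked, and the serial can be copied), but the only thing a clone can replay is an answer to the sniffer's old challenge, and the door asks a fresh one every time. The burned-in-serial point earlier in the thread only helps if the reader can tell a genuine chip from something that merely emits the expected bytes; StaticIdReader cannot, and that is the whole problem.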
RE: [Full-disclosure] Phishing and Spammers
A query based on IP has the same problems everyone else has with IP addresses; it would immediately remove everyone using the same proxy, or who happened to get the same IP from a point of presence, or from a load balancer...

It might just be that a merchant trying to advertise this way and getting a large number of fake charges would start to look like a fraudster and start getting queried by some folks worried about money laundering or fraud. (Why so many orders from favorite locale that is heavy into illegal drugs?) Best not to flood the phisher with extra replies lest he be able to recognize that, but if everyone did their best to create plausible orders with phony and suspicious-sounding sources it might make that form of advertising about as popular with merchants as the proverbial cake with lye frosting.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Cardoso
Sent: Wednesday, June 14, 2006 3:31 PM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Phishing and Spammers

A simple SQL query can delete all records from the same IP/machine, if the counter is above 2. Presto, database cleaned. Also the phisher will now know that at that address there's someone who knows better. Remove the address from the database and add a newbie clueless address instead. Best-case scenario? Solve our problem and let others deal with it.

On Wed, 14 Jun 2006 15:23:05 -0400 Geo. [EMAIL PROTECTED] wrote:

I would appreciate hearing a little feedback on this idea.

It strikes me that phishers and spammers have a vulnerability that we have not yet exploited. They collect information; granted, the returns are small, but since email is cheap they send out tons and those tons net them a profitable return.

Why not encourage everyone to reply to phishers and spammers with fake information? Get a spam, order it using a fake name and credit information. Get a phishing mail, go login to change your ebay/paypal password with credentials.

GIGO, you know? I mean if they are getting a 1% or 2% return then if the same ratio were to respond with bad information it would make a lot of work for the folks profiting from these activities.

Geo.

Allgemeinen Anschulterlaubnis
Cardoso [EMAIL PROTECTED] - SkypeIn: (11) 3711-2466 / (41) 3941-5299
digital life: http://www.contraditorium.com
personal site and blog: http://www.carloscardoso.com
RE: [Full-disclosure] Publishing exploit code - what is it good for
This argument has gone on for decades at least; you hear very similar things from the feds about homeland security as well, to pick one of the more prominent other sources.

We are engaged, when trying to defend systems, in a design contest with attackers, trying to keep our fortresses from being breached. While it is temporarily embarrassing and more dangerous that someone publishes the exact defect that allows the enemy's artillery to penetrate our armor, I must point out that when trying to design better armor, that design is driven by knowing precisely what characteristics attacks have. This information is most honest, when discussing code, when working code can be examined.

If you stop your analysis at the point when you consider the greater ease of more attackers to duplicate successful attacks, it may appear revealing the attacks is a problem. (This is even easier given that those attackers have been much better at sharing such information clandestinely than most defenders have been with defensive information.) If you continue to the (necessary) creation of new defenses, though, it is clear that the defenses cannot be designed without knowing the attacks, and starting from real attacks and having the designer do his own abstraction is arguably a less error-prone process than having some other experts try to produce a summary of a method, which may leave out precisely the details needed to show the correct broader pattern.

The above is itself pretty abstract, just like the questions asked. It might be fair to ask the person who advocates keeping attacks secret, though, how many new defenses he / she has designed. Maybe the world will get some new designers...

Glenn Everhart

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of [EMAIL PROTECTED]
Sent: Thursday, June 30, 2005 8:39 AM
To: Aviram Jenik
Cc: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
Subject: Re: [Full-disclosure] Publishing exploit code - what is it good for

Hi Aviram,

There are two main problems with your analyst friend's position. The first is that he has no business deciding for me or anyone else as to whether or not my needs are legitimate. I get to decide if I need/want something (like exploit code) or not, his arrogance notwithstanding. The second point is that he, like most software vendors, has yet to figure out that their products are consumer products and should be treated just like automobiles and toys. Consumer product testing is very public. Software is the same. We all want to know *exactly* how the product fails, just like any other consumer product, no exceptions. It is no longer about full disclosure, it's about being just like everyone else. There is no difference between how my software gets exploited and how my child safety seat fails.

cheers,
bob

On Thu, 30 Jun 2005, Aviram Jenik wrote:

Hi,

I recently had a discussion about the concept of full disclosure with one of the top security analysts in a well-known analyst firm. Their claim was that companies that release exploit code (like us, but this is also relevant for bugtraq, full disclosure, and several security research firms) put users at risk while those at risk gain nothing from the release of the exploit.

I tried the regular 'full disclosure advocacy' bit, but the analyst remained reluctant. Their claim was that based on their own work experience, a security administrator does not have a need for the exploit code itself, and the vendor information is enough. The analyst was willing to reconsider their position if an end-user came forward and talked to them about their own benefit of public exploit code.

Quote: "If I speak to an end-user organization and they express legitimate needs for exploit code, then I'll change my opinion."

Help me out here. Full disclosure is important for me, as I'm sure it is for most of the people on these two lists. If you're an end-user organization and are willing to talk to this analyst and explain your view (pro-FD, I hope), drop me a note and I'll put you in direct contact.

Please note: I don't need any arguments pro or against full disclosure; all this has been discussed in the past. I also don't need you to tell me about someone else or some other project (e.g. nessus, snort) that utilizes these exploits. Tried that. Didn't work. What I need is a security administrator, CSO, IT manager or sys admin that can explain why they find public exploits are good for THEIR organizations. Maybe we can start changing public opinion with regards to full disclosure, and hopefully start with this opinion leader.

TIA.

--
Dr. Robert Bruen
Cold Rain Technologies
http://coldrain.net
+1.802.579.6288
[Full-disclosure] FW: Introducing a new generic approach to detecting SQL injection
Folks - The following scheme looks like it could be helpful, apart from runtime cost (which would tend to be limited since it applies only where human-entered data is used). Anyone see serious holes? Concur? Disagree? This seemed just crazy enough to work when it occurred to me...

Thanks
Glenn Everhart

As you know, blocking SQL injection with filters on characters is painful and not always successful. I got thinking about it and thought of an approach that might detect such activity, and which is pretty generic.

The idea is that SQL in web apps gets used by shoving some SQL command code into a DBMS, tacking one or more user inputs (possibly edited) onto a prefix part that is part of the app. In examples, this is often a SELECT statement but in principle others could be used. Then after the input there will be other stuff to complete the statement. Normally when valid input is present, this gives legal SQL that does something. However when there is SQL injection, generally you see the user input piece being some condition to cause the initial statement to be legal all the time, followed by whatever mischief is desired, followed by something to comment out whatever else is there since it would otherwise make the whole not look legal.

If I want to detect SQL injection, one way to do it could be to put in the prefix and the user piece, and follow it with some condition that will prevent the statement from working when valid input is present... the idea is to wind up with something like

select password from users where user = 'user input' and hell has frozen over and 1 = 0

(so the undisturbed statement will never be executed if valid input is present). If you try to parse this with the user input and it comes out to be valid and ok to execute, that would seem to indicate something strange is going on with user input and that an attack is going on.

Now a problem is that you don't want to allow your database to be corrupted with some such attack before you can react, seeing that allowing your business to be hosed and THEN complaining seems inadequate. Even if there is nothing that will allow such statements to be run in a test mode, though, they could be run against a dummy database whose corruption would not matter.

At any rate this seems like a technique worth a look as a way to detect mischief which is at any rate different from character filters and could make apps a bit safer.

Glenn C. Everhart
18 April 2005

A human being should be able to change a diaper, plan an invasion, butcher a hog, conn a ship, design a building, write a sonnet, balance accounts, build a wall, set a bone, comfort the dying, take orders, give orders, cooperate, act alone, solve equations, analyze a new problem, pitch manure, program a computer, cook a tasty meal, fight efficiently, die gallantly. Specialization is for insects. -R.A.H.
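The canary scheme in the post above, worked through as an added example (Glenn posted no code; this is not his). It assembles prefix + raw user input + an always-false tail exactly as described, runs the result against a throwaway in-memory SQLite database standing in for the "dummy database whose corruption would not matter", and reports tampering when rows come back, when the decoy changes, or when a second statement has been smuggled in behind the first. The users table, the two prefixes and the payloads are all constructed for the example.

```python
import sqlite3

# Throwaway database, constructed for this example. It stands in for the
# "dummy database whose corruption would not matter" in the post: the canary
# statement runs here, never against live data.
def make_decoy():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn

def snapshot(conn):
    """Schema plus table contents, so any side effect on the decoy shows up."""
    schema = sorted(conn.execute("SELECT name, sql FROM sqlite_master").fetchall())
    try:
        rows = sorted(conn.execute("SELECT user, password FROM users").fetchall())
    except sqlite3.OperationalError:        # table is gone
        rows = None
    return schema, rows

# The "hell has frozen over" clause: honest input can never satisfy it, so the
# statement should return nothing and change nothing. The leading quote closes
# the string literal that the prefix opens.
CANARY_TAIL = "' AND 1 = 0"

def canary_statement(prefix, user_input):
    """Prefix + raw user input + always-false tail, concatenated the way a
    vulnerable app would (no escaping: that is the point of the check)."""
    return prefix + user_input + CANARY_TAIL

def classify(prefix, user_input):
    """Run the canary on a fresh decoy and report what the input made it do.

    "clean":      no rows came back and the decoy is unchanged.
    "suspicious": rows came back, the decoy changed, or a second statement
                  was stacked behind the first.
    "malformed":  not valid SQL at all. Reject it, but an honest apostrophe
                  (O'Brien) lands here too, so it is not proof of an attack.
    """
    conn = make_decoy()
    before = snapshot(conn)
    stmt = canary_statement(prefix, user_input)
    try:
        rows = conn.execute(stmt).fetchall()
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        # sqlite3's execute() refuses to run more than one statement (older
        # versions raise Warning, newer ProgrammingError). The only place a
        # second statement can come from is the user input.
        return "suspicious"
    except sqlite3.OperationalError:
        return "malformed"
    conn.commit()
    if rows or snapshot(conn) != before:
        return "suspicious"
    return "clean"

# Two app statements, constructed for the example: the SELECT from the post,
# and a DELETE to show the decoy absorbing a destructive injection.
SELECT_PREFIX = "SELECT password FROM users WHERE user = '"
DELETE_PREFIX = "DELETE FROM users WHERE user = '"

if __name__ == "__main__":
    for payload in ["alice", "O'Brien", "' OR 1=1 --",
                    "'; DROP TABLE users; --", "' OR '1'='1"]:
        print(f"{payload!r:26} select: {classify(SELECT_PREFIX, payload):10}"
              f" delete: {classify(DELETE_PREFIX, payload)}")
```

Two things the run shows that bear on the "serious holes?" question. Stacked queries and comment-terminated payloads such as ' OR 1=1 -- trip the canary, because the comment swallows the AND 1 = 0 tail and the statement suddenly returns (or deletes) every row. A payload that leaves the tail in place, such as ' OR '1'='1, does not: the statement parses as user = '' OR ('1'='1' AND 1 = 0), which is false, so the canary reports it clean even though the same input makes the real query match every row. The tail therefore only catches injections that break the statement's structure, and an honest apostrophe lands in the malformed bucket either way, so this is a detector to run beside parameterised queries, not a substitute for them; parameterisation removes the concatenation the whole scheme depends on.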