Re: [Full-disclosure] Deutsche Post Security Cup 2013
I guess this is strong encouragement for all international participants to supply their services in a ..well...unsolicited and unmonitored manner ;-)) -h On 20.03.2013 10:24, juergen.pa...@deutschepost.de wrote: Dear all, as in 2010 (http://seclists.org/fulldisclosure/2010/Sep/318) we will be conducting the Deutsche Post Security Cup this year again. Unfortunately, this year only participants from Germany are allowed to the contest (because of legal complications if international participants would be allowed to participate). I understand that most of you on this list will thus not be able to participate, but due to the lack of an equivalent german mailing list I opted for posting this here as most german security researchers are also subscribers of this list. More information about and the registration form (registration deadline is March 31st) for the Security Cup 2013 can be found at http://www.epost.de/securitycup (in german only, sorry). Regards, Jürgen Pabel *Jürgen Pabel* Information Security Officer E-POSTBRIEF *Deutsche Post AG* Moltkestrasse 14 53173 Bonn Deutschland Deutsche Post AG; Sitz Bonn; Registergericht Bonn; HRB 6792 Deutsche Post AG; Sitz Bonn; Registergericht Bonn; HRB 6792 Vorstand: Dr. Frank Appel, Vorsitzender; Ken Allen, Roger Crook, Bruce Edwards, Jürgen Gerdes, Lawrence Rosen, Angela Titzrath Vorsitzender des Aufsichtsrates: Prof. Dr. Wulf von Schimmelmann Dies ist eine Nachricht der Deutsche Post AG und kann vertrauliche, firmeninterne Informationen enthalten. Sie ist ausschließlich für die oben adressierten Empfänger bestimmt. Sind Sie nicht der beabsichtigte Empfänger, bitten wir Sie, den Sender zu informieren und die Nachricht sowie deren Anhänge zu löschen. Unzulässige Veröffentlichungen, Verwendungen, Verbreitung, Weiterleitung sowie das Drucken oder Kopieren dieser Mail und ihrer verknüpften Anhänge sind strikt untersagt. Bitte denken Sie über Ihre Verantwortung gegenüber der Umwelt nach, bevor Sie diese Nachricht ausdrucken! /E-POST//BRIEF///-- Verbindlich. Vertraulich. Verlässlich. Jetzt registrieren: _www.epost.de_ http://www.epost.de/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Circumventing NAT via UDP hole punching.
I believe this is exactly what Symmetric RTP in the context of SIP-based communication has been doing for years. Or have I missed something? Best regards, Harry On 22.02.2012 16:36, Adam Behnke wrote: A new write up at InfoSec Institute on circumventing NAT. The process works in the following way. We assume that both the systems A and B know the IP address of C. a) Both A and B send UDP packets to the host C. As the packets pass through their NAT's, the NAT's rewrite the source IP address to its globally reachable IP address. It may also rewrite the source port number, in which case UDP hole punching would be almost impossible. b) C notes the IP address and port of the incoming requests from A and B. Let the port number for A equal X and the port number for B equal Y. c) C then tells A to send UDP packet to the global IP address of the NAT for B at port Y, and similarly tells B to send UDP packet to the global IP address of the NAT for A at port X. d) The first packets for both A and B get rejected while entering into each other's NAT's. However as the packet passes from the NAT of A to the NAT of B at port Y, NAT A makes note of it and hence punches a hole in its firewall to allow incoming packets from the IP address of the NAT of B, from port Y. The same happens with the NAT of B and it makes a rule to allow incoming packets from the IP address of the NAT of A from port X. e) Now when A and B send packets to each other, these get accepted and hence a P2P connection is established. http://resources.infosecinstitute.com/udp-hole-punching/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] I find a bug
this very smart prince of the East is obviously listed in /etc/sudoers...;-) -h On 18.01.2011 16:47, Laurelai Storm wrote: I have fedora 14, several centOS 5.5 machines and a vanilla ubuntu 9.10 vm, all ask for the password 2011/1/18 Christian Sciberras uuf6...@gmail.com mailto:uuf6...@gmail.com Every bug is a feature. Some are less obvious than others. ;-) Oh, and for what it's worth, I get asked for the root password on my machine (vanilla ubuntu). 2011/1/18 Laurelai Storm laure...@oneechan.org mailto:laure...@oneechan.org It prompts for a password on my machine, perhaps you should check your sudoers config. Also, its not a bug its a feature :p 2011/1/18 我是王子 tradepri...@qq.com mailto:tradepri...@qq.com hello, I found a bug, run [sudo strace su] command can get root privileges without any password. bill -- Original -- *From: * Steve Beattiesbeat...@ubuntu.com mailto:sbeat...@ubuntu.com; *Date: * Thu, Jan 13, 2011 08:01 PM *To: * ubuntu-security-announceubuntu-security-annou...@lists.ubuntu.com mailto:ubuntu-security-annou...@lists.ubuntu.com; *Cc: * full-disclosurefull-disclosure@lists.grok.org.uk mailto:full-disclosure@lists.grok.org.uk; bugtraqbugt...@securityfocus.com mailto:bugt...@securityfocus.com; *Subject: * [USN-1042-2] PHP5 regression -- ubuntu-security-announce mailing list ubuntu-security-annou...@lists.ubuntu.com mailto:ubuntu-security-annou...@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] wikileaks still under attack, pressure revved up
Sorry to all of those who think this is gossiping, but: Wikileaks has been down for ca. 2 weeks now during which time the US has at least cut off their financial channels. This during a period where WL has announced another major leak release this time re. Iraq. What is also extremely disconcerting is the absolute silence of _all_ main street media to the topic (gag...?) Now the latest tweet reads: WikiLeaks communications infrastructure is currently under attack. Project BO move to coms channel S. Activate Reston5. Yet again I would like to pint out that there seems to be a concerted high power attack going on against WL And yet again I would like to point out it would be interesting to know what is rally happening. And yet again I'd like to emphasize that this indeed a security issue; it does concern netizens and citizens in general if major government organisations engage in what seems to be a dirty war against a whistleblowing organisation. If anybody knows more, pls. do share insights... Harry ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] wikileaks still under attack, pressure revved up
Am 21.10.2010 18:54, schrieb T Biehn: An entity that has the resources that would provoke such a hollywood esque tweet wouldn't have the ability to gag the twitter account before this release? would it, would it want to, has it missed it..who knows? Wouldn't that mean the tweet is a load of shit? Wouldn't/shouldn't/couldn't...I just don't know. Point is I'm trying to find out what's actually happening... -h ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] WikiLeaks
Am 07.10.2010 22:37, schrieb Cal Leeming [Simplicity Media Ltd]: Yeah, you both have valid points. In this case though, I really just don't see why everyone is so hyped up about the wikileaks / cryptome stuff. :S If you don't understand why something like Wikileaks being down with no obvious reason or explanation is an issue - then I guess continue sleeping... And it is indeed a security issue - in fact of international proportions.. -h ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] WikiLeaks
Am 07.10.2010 22:37, schrieb Cal Leeming [Simplicity Media Ltd]: Yeah, you both have valid points. In this case though, I really just don't see why everyone is so hyped up about the wikileaks / cryptome stuff. :S If you don't understand why something like Wikileaks being down with no obvious reason or explanation is an issue - then I guess continue sleeping... And security or disclosure is not just bits and bytes ... -h ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] WikiLeaks
Two days ago I managed to find somebody (Anny) on their web chat. She didn't say much, only that it's supposed to be up in a week or so and that the issues are technical vs. political. I still believe it smells of fish. And to kinda paraphrase: Just because J Assange is a raving paranoid doesn't mean they aren't out to get him... -h Am 06.10.2010 20:06, schrieb Juha-Matti Laurio: It's the newest tweet still. Juha-Matti Jeffrey Walton [noloa...@gmail.com] kirjoitti: The latest is kind of funny (Latest smear attempt: Chinese spy agency gave WikiLeaks $20M). Just call it a 'PAC Contribution' and everything will be fine. On Mon, Oct 4, 2010 at 7:05 AM, Juha-Matti Laurio juha-matti.lau...@netti.fi wrote: And nothing related is not tweeted at http://twitter.com/wikileaks Juha-Matti Harry Behrens [ha...@behrens.com] kirjoitti: for 5 days and nothing about this to be found on google. Does anybody have an idea what is happening here - it does smell slightly fishy... -h ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] WikiLeaks underoing (sic) scheduled maintenance
for 5 days and nothing about this to be found on google. Does anybody have an idea what is happening here - it does smell slightly fishy... -h ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Hacxx Anti Malware for Windows XP
at least he's got chuzpe..;-) netinfinity wrote: /Hacxx Anti Malware for Windows XP blocks virus and worms using known filenames. To install it simply visit http:///antimalware.x10.bz http://antimalware.x10.bz and click in Run Hacxx Anti Malware. You must accept the ActiveX and the source is available in the site./ I'll stick to my antivirus program :D You really think that someone will fall to that HERE? -- www.google.com http://www.google.com ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Georgia government sites hacked (and spreading malware)
d...@sucuri.net schrieb: A few sites from the Georgia .gov have been attacking our honeypots... Some analysis: http://blog.sucuri.net/2010/02/georgia-government-sites-hacked-and.html Thanks, --dd ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ I guess if it's friendly (Georgia) governments from whose computers we (US) see attacks, _they_ have been hacked. When it's Chinese computers, it's they are hacking us... Go figure -h p.s.: it is (or should be) common knowledge that Chinese zombies were aquired in huge numbers in the early 2000s and are now being used to launch attacks and host botnets for people most definitely not Chinese! So it is actually probable that the Georgians have been hacked and are used as launchpad. I just wish the same logic would be applied to the so-called Chinese cyberattacks much ballyhoed lately... ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Hindustan Times epaper Server Hacked
A small suggestion, do not use a consistent pseudonym, post completely anonymously. It's difficult to keep the ego from making mistakes. very wise and unfortunately sorely underestimated by most active people. It's the out-of-band mistakes - and the correlation thereof of the powers to be - most hacking wizzards get caught by -h ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Does this exist ?
Thank you for the reply. This is not helping my headache. There simply has to be a way to represent a larger value than you transmit when you transmit. by consulting Shannon you will find: only if you can index the value against a relatively small set of possible values. The possible values need to exist as reference sets, i.e. you are trading storage space for transmission bandwidth. This is important: the reference sets need to be shared (as data or - probably impossible - as a generative function) and pre-existing to the moment of encoding In that case using the index is entropically more efficient than transmitting the actual data. The most drastic example is sending an index to one of ten possible videos, you have truly represented a much larger value (a number several 100 Million digits long: the video data) with 4 bits. Or how our professor in networking told us 1980 (still valid today I believe): If you pack a Being 747 full of CDs (now DVDs) and send it over to NY, that yields a higher bandwidth than any network connectivity. All of this is merely academic anyway, i.e. no immediate practical use. Regards, Harry All message scanned for viruses with Clam Antivirus. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] correction: Does this exist ?
Bad typo: shared and relatively rare sequences should read shared and relatively frequent sequences. By using the sequence index instead of payload it is theoretically possible to reduce payload size, i.e. compress and in the case of not all packets being available to an interceptor also somewhat obfuscate. The mother of all these schemes - or at least related - is bruce scheier's shuffle-based encryption scheme. sorry for the confusion, -h - original message - Subject:Re: [Full-disclosure] Does this exist ? From: Harry Behrens (mobile) [EMAIL PROTECTED] Date: 06.07.2007 19:27 Rob, while you are essentially right, I believe the original post had the (implicit) assumption that certain _sequences_ of patterns might occur relatively frequently, thus representing positive information or negentropy. By mutually indexing these shared and relatively rare sequences the original idea would make sense. In fact the choice of these patterns can be fully autoamtic - precisely by going for negentropy/information. It only makes sense if we assume payload packet ID/hash And yes, it is analog to what traditional encryption does to documents - instead of (networked) streams. I do hope I did understand the original post correctly. regards, -h - original message - Subject:Re: [Full-disclosure] Does this exist ? From: Rob McCauley [EMAIL PROTECTED] Date: 06.07.2007 18:45 Ya know, I don't think he does get that part yet. This scheme is essentially how data compression already works. Not in gigantic swaths of bits, as being proposed here, but in smalish numbers a few bits represents a bigger set of bits. Huffman coding is a basic example. The infeasability of this idea is all about the data size. As someone already pointed out 2^4000 is not 16,000,000 (that's 4000^2). 2^4,000 is large enough to just call it infinite and be done with it. For comparison, there's something like 2^100 to 2^130 or so atoms in the known universe. The hardware you'd need to implement a database of that size would require more matter than exists. Period. This idea is only interesting if it works at the scale proposed. It doesn't. On a smaller scale, this is how data compression is already done. Rob On Fri, Jul 06, 2007 at 01:52:55 -0500, Dan Becker wrote: So we generate a packet using the idpacket field of a database to describe which packets should be assembled in which order then send it. 1 packet to send 500. Do you realize the id of the packet(s) would be equivalent to the contents of the package(s)? See also http://en.wikipedia.org/wiki/Information_entropy#Entropy_as_information_content ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Does this exist ?
Rob, while you are essentially right, I believe the original post had the (implicit) assumption that certain _sequences_ of patterns might occur relatively frequently, thus representing positive information or negentropy. By mutually indexing these shared and relatively rare sequences the original idea would make sense. In fact the choice of these patterns can be fully autoamtic - precisely by going for negentropy/information. It only makes sense if we assume payload packet ID/hash And yes, it is analog to what traditional encryption does to documents - instead of (networked) streams. I do hope I did understand the original post correctly. regards, -h - original message - Subject:Re: [Full-disclosure] Does this exist ? From: Rob McCauley [EMAIL PROTECTED] Date: 06.07.2007 18:45 Ya know, I don't think he does get that part yet. This scheme is essentially how data compression already works. Not in gigantic swaths of bits, as being proposed here, but in smalish numbers a few bits represents a bigger set of bits. Huffman coding is a basic example. The infeasability of this idea is all about the data size. As someone already pointed out 2^4000 is not 16,000,000 (that's 4000^2). 2^4,000 is large enough to just call it infinite and be done with it. For comparison, there's something like 2^100 to 2^130 or so atoms in the known universe. The hardware you'd need to implement a database of that size would require more matter than exists. Period. This idea is only interesting if it works at the scale proposed. It doesn't. On a smaller scale, this is how data compression is already done. Rob On Fri, Jul 06, 2007 at 01:52:55 -0500, Dan Becker wrote: So we generate a packet using the idpacket field of a database to describe which packets should be assembled in which order then send it. 1 packet to send 500. Do you realize the id of the packet(s) would be equivalent to the contents of the package(s)? See also http://en.wikipedia.org/wiki/Information_entropy#Entropy_as_information_content ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] talk.google.com
VoIP to VoIP is usally free. PSTN break-out is what people (Skype, the SIP world) charge for. -h Andrew Smith wrote: Definitly, VOIP is on the way. It's becoming the new blogging or podcasting or whatever this weeks Internet buzz is. I can't see Google not venturing in to VOIP. Still, it isn't like google is it? They generally offer a free service and make money from advertisements, surely VOIP would have to be a pay service? ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/