[Full-disclosure] Russell Harding MacOS X SoftwareUpdate Vulnerability Advisory Missing In Action in Bugtraq Archive

2007-07-21 Thread Jason Coombs
Dear Symantec,

As long as we're burning digital books to mitigate our civil liability, 
perhaps we could do a good job of it next time? Quietly disappearing 
Russell Harding's advisory from the BugTraq archive didn't resolve your 
potential liability for distributing links to material that violates the 
DMCA. Perhaps you have failed to notice the various other locations 
where you still publish this illicit material, including the exploit?

active page:
http://www.securityfocus.com/bid/5176

exploit hosted by Symantec:
http://www.securityfocus.com/data/vulnerabilities/exploits/PhantomUpdate-0.7.tgz.tar

disappeared:
http://www.securityfocus.com/archive/1/280964

archive.org:
http://web.archive.org/web/20030606200331/http://www.securityfocus.com/archive/1/280964

exploit home page:
http://www.cunap.com/~hardingr/projects/osx/exploit.html

apple disinformation:
http://docs.info.apple.com/article.html?artnum=75304
https://depot.info.apple.com/security7-18/


To: BugTraq
Subject: MacOS X SoftwareUpdate Vulnerability
Date: Jul 7 2002 4:21AM
Author: Russell Harding <[EMAIL PROTECTED]>


 MacOS X SoftwareUpdate Vulnerability.


Date:  July 6, 2002
Version:   MacOS 10.1.X and possibly 10.0.X
Problem:   MacOS X SoftwareUpdate connects to the SoftwareUpdate Server via
HTTP with no authentication, leaving it vulnerable to attack.



  http://www.cunap.com/~hardingr/projects/osx/exploit.html



Summary:

Mac OS X includes a software updating mechanism "SoftwareUpdate". Software
update, when configured by default, checks weekly for new updates from
Apple.  HTTP is used with absolutely no authentication. Using well known
techniques, such as DNS Spoofing, or DNS Cache Poisoning it is trivial to
trick a user into installing a malicious program posing as an update from
Apple.


Impact:

Apple frequently releases updates, which are all installed as root.
Exploiting this vulnerability can lead to root compromise on affected
systems. These are known to include Mac OS 10.1.X and possibly 10.0.X.


Solution/Patch/Workaround:

There is currently no patch available. Hopefully the release of this
information will convince apple they need, at the very least, some basic
authentication in SoftwareUpdate.


Exploit:  http://www.cunap.com/~hardingr/projects/osx/exploit.html

An exploit for this vulnerability has been released to the public for
testing purposes.  It is distributed as a Mac OS X package which includes
DNS and ARP spoofing software. Also, it includes the cgi scripts, and
apache configuration files required to impersonate the Apple
SoftwareUpdatesServer.


Credits:

Author  -  Russell Harding - [EMAIL PROTECTED]
Testing -  Spectre Phlux, KrazyC, Devon, and The Wench



Sent from my Verizon Wireless BlackBerry
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
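What Harding's advisory asks for, an update path the client can check without trusting DNS or the HTTP transport, as an added example. This is not Apple's SoftwareUpdate code, not the PhantomUpdate package, and not code from any message on this page; it is Go using only the standard library. It assumes a publisher key compiled into the client (pinned) and an Ed25519 signature over a JSON manifest that carries the package hash. The host name update.example, the product and version strings and the package bytes are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Manifest is what an update server hands the client: what to fetch and what
// the fetched bytes must hash to. Nothing in it is trusted until the signature
// over it has been checked against a key the client already holds.
type Manifest struct {
	Product string `json:"product"`
	Version string `json:"version"`
	URL     string `json:"url"`
	SHA256  string `json:"sha256"` // hex SHA-256 of the package bytes
}

// SignedManifest is the manifest's serialized bytes plus an Ed25519 signature
// over exactly those bytes (sign the bytes you ship, not a re-serialization).
type SignedManifest struct {
	Manifest  []byte `json:"manifest"`
	Signature []byte `json:"signature"`
}

// HashHex returns the lowercase hex SHA-256 of b.
func HashHex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Sign is the publisher side. The private key lives only on the publisher's
// signing host, never on the update server that faces the network.
func Sign(priv ed25519.PrivateKey, m Manifest) (SignedManifest, error) {
	raw, err := json.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Manifest: raw, Signature: ed25519.Sign(priv, raw)}, nil
}

// Install is the client side. pinned is the publisher key built into the
// client; it is never taken from the server, from DNS or from the manifest
// itself, so whoever answers the client's DNS query or sits on the HTTP path
// can at most withhold an update, not substitute one.
func Install(pinned ed25519.PublicKey, sm SignedManifest, pkg []byte) (Manifest, error) {
	if !ed25519.Verify(pinned, sm.Manifest, sm.Signature) {
		return Manifest{}, fmt.Errorf("manifest signature does not verify against the pinned publisher key")
	}
	var m Manifest
	if err := json.Unmarshal(sm.Manifest, &m); err != nil {
		return Manifest{}, fmt.Errorf("signed manifest is malformed: %w", err)
	}
	// The manifest is authentic; now bind the downloaded bytes to it before
	// anything is handed to an installer that runs as root.
	if got := HashHex(pkg); got != m.SHA256 {
		return Manifest{}, fmt.Errorf("package from %s hashes to %s, manifest says %s", m.URL, got, m.SHA256)
	}
	return m, nil
}

func main() {
	// Constructed keys and package bytes; the "update" is a placeholder string.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	pkg := []byte("contents of SecurityUpdate.pkg (constructed)")
	genuine, _ := Sign(priv, Manifest{Product: "Mac OS X", Version: "10.1.5", URL: "http://update.example/SecurityUpdate.pkg", SHA256: HashHex(pkg)})

	// 1. Genuine manifest, genuine package: installs.
	_, err = Install(pub, genuine, pkg)
	fmt.Println("genuine update:", err)

	// 2. Spoofed server replays the genuine manifest but swaps the package: hash mismatch.
	_, err = Install(pub, genuine, []byte("trojaned package (constructed)"))
	fmt.Println("swapped package:", err)

	// 3. Spoofed server signs its own manifest with its own key: signature mismatch.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged, _ := Sign(otherPriv, Manifest{Product: "Mac OS X", Version: "10.1.6", URL: "http://update.example/Trojan.pkg", SHA256: HashHex([]byte("trojan"))})
	_, err = Install(pub, forged, []byte("trojan"))
	fmt.Println("attacker-signed manifest:", err)
}
```

Run it and the genuine manifest installs while the swapped package and the attacker-signed manifest are refused; that refusal is the source authentication the advisory says SoftwareUpdate lacked. What this example does not cover is rollback: an attacker who controls the path can replay an older, still validly signed manifest pointing at a package with a known bug, so a real client also needs a monotonic version or an expiry field inside the signed manifest.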


[Full-disclosure] Fw: [IACIS-L] Statement by Defense Expert

2007-06-06 Thread Jason Coombs

Sent from my Verizon Wireless BlackBerry

-Original Message-
From: "Jason Coombs" <[EMAIL PROTECTED]>

Date: Wed, 6 Jun 2007 04:13:33 
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: RE: [IACIS-L] Statement by Defense Expert


Dave_on_the_run <[EMAIL PROTECTED]> wrote:
> Is your D expert by any chance Jason Combs?
> That is a typical statement by him.
> I have an entire public dialogue from
> him on various security lists where
> he makes many outrageous claims
> similar to that.


Dear Dave,

Are you aware that your comment, above, has been reproduced by the Maricopa 
County Attorney in a 92-page document that details the completely absurd 
statements that were made by Tami Loehrs in the Matt Bandy case? See

http://www.maricopacountyattorney.org/Press/PDF/bandy_case_20070107.pdf

Your statement has been used as part of this publication in an effort to 
discredit Ms. Loehrs, and to respond formally to the deceptive and manipulative 
tactics of the Bandy family as they waged a political war to 'defend' their 
son, Matt, so that he would not be required to register as a sex offender.

As you may know, the television program 20/20 did a story about the Bandy case, 
and it reportedly failed to present the prosecution side of the story. I have 
not seen it, personally.

I would be glad to discuss in detail anything at all that I have written or 
spoken that you or others deem to be outrageous.

My experience with criminal computer forensics goes back almost as far as yours 
does, and my experience with expert witness testimony in civil court most 
likely predates the start of your forensics career.

It may be outrageous from your perspective, but there is no doubt in my mind 
that computer forensic examiners are not expert witnesses.

There is no such thing as 'computer forensics' as a field of forensics. It is a 
misnomer to refer to it as 'forensics' in the same way that it is improper to 
refer to a sworn law enforcement officer as an expert in the field of law.

LEOs possess neither academic background nor work experience in principles or 
practices of law, as a distinct field of skilled human endeavor.

Attorneys, judges and others who are likely to possess true expertise in law 
are the ones that we rely on for expert testimony on the subject of the law, 
including interpretation thereof, whether that testimony is given before 
congress, for instance, or in court, or on our own behalf when we need legal 
advice. Anyone who takes legal advice from a cop is probably an idiot.

LEOs may possess many hours of work experience in a field of work related to 
the law, but they are not legal experts and the nature of their skilled work 
cannot ever result in the sort of expertise that would properly qualify a 
person to render expert opinions or give well-informed interpretations or 
advice in complex legal matters.

The skill that a LEO has with law is the sort of job-oriented skill that a 
trained computer forensic examiner possesses with respect to computers. Knowing 
how to do what you're told and learning from your mistakes so that you advance 
in your career is fine if you're an honest cop, but that does not qualify a LEO 
to program computers or prepare them to educate a jury or a judge in the truly 
intricate and technically-complex subject of computer science.

Experience recovering data from all manner of data storage devices does not 
qualify anyone as a computer expert. Ability to operate software that was 
programmed by somebody else is not expertise as anything other than a computer 
operator.

What is outrageous is that we are giving forensic certifications to trained 
computer operators. Every time a certified forensic examiner or an EnCase- or 
FTK-certified examiner performs an examination, authors a report, and renders 
flawed opinions it is an outrage and an affront to justice and common decency.

Until and unless a person has worked for years as a software engineer, and has 
studied technical details of information security including the creation and 
exploitation of software bugs to force software to do things that it was never 
designed to do, there is no way that a person can imagine the precise technical 
implications of the sort of scenarios that we encounter in the real world when 
law enforcement computer examiners and prosecutors collaborate to transform a 
particular bit of data into forensic evidence of guilt to be used against a 
person who stands accused of a crime.

In 1997 I was offered the opportunity to author the book Foundations of 
Computer Forensic Science which would have been published by John Wiley & Sons.

I refused, on the grounds that such a work required far more expertise to write 
than I possessed as a result of my mere ten years of programming experience.

In the ten years since 1997, I have acquired enough additional experience and 
skill that author

[Full-disclosure] ZoneEdit.com Forcing Pop-Unders on WebForward-Configured Domains

2006-06-12 Thread Jason Coombs

Problem:

DNS service ZoneEdit.com now owned by MyDomains.com has started forcing 
JavaScript pop-Unders onto users' browsers when the domain owner uses 
the ZoneEdit WebForward feature.



References:

www.zoneedit.com

www.mydomains.com/support.php

www.casalemedia.com/contact.html


Details:

Casale Media, Inc. is the Pop-Under Spammer responsible for paying My 
Domains cash money to distribute this crap to users. Example script 
shown below, embedded within the WebForward "Cloaking" frame.


<script language="JavaScript" src="http://as.casalemedia.com/sd?s=65701&f=1"></script>


Possible Resolutions:

Stop using ZoneEdit for backup/failover or primary DNS service.

Remove the economic incentive to lie, cheat and steal.

Prosecute the offenders and send them to prison.

Send/Fax your objections to ZoneEdit/MyDomains

Correspondence or payment by check may be sent to our office at:
ZoneEdit, Inc.
111 Broadway, 11th Floor
New York, NY 10006
Fax:+1 (847) 461-1893



[Full-disclosure] Seeking Anyone Harmed by Jason Coombs

2006-04-26 Thread Jason Coombs
Full disclosure goes both ways.

Anyone who feels I have done them harm or who thinks I have something to hide 
should speak up now and make their record.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brad Astrowsky
Sent: Wednesday, April 26, 2006 10:44 AM
To: [EMAIL PROTECTED]
Subject: Re: [HTCC] Expert Info Sought


I am helping the Yuma County Attorney's Office with a case.  The other
side has noticed an expert named Jason Coombs, who has offices in CA,
HI, and New Zealand.  He is the director of forensics for PivX.  If
anyone has had any experience or contact with him, please contact me off
list for assistance.

Thanks.

Brad H. Astrowsky, Esq.
Associate
ZIMMERMAN REED PLLP
14646 N Kierland Blvd Suite 145
Scottsdale, AZ  85254
Tel: 480.348.6400
Fax: 480.348.6415
www.zimmreed.com



This e-mail may contain information that is privileged, confidential or
otherwise protected from disclosure. If you are not the intended recipient
or have received this email in error, please notify the sender immediately
by e-mail, discard any paper copies and delete all electronic files of the
message. Any unauthorized review, use, disclosure or distribution of the
e-mail or its attachment(s) is prohibited by law.

___
HTCC mailing list
[EMAIL PROTECTED]
To unsubscribe or edit options
http://htcc.secport.com/mailman/listinfo/htcc


Sent from my Verizon Wireless BlackBerry

[Full-disclosure] Fw: You have been unsubscribed from the Full-Disclosure mailing list

2006-03-17 Thread Jason Coombs
[Full-Disclosure] is dead.

Long live full disclosure.

-Original Message-
From: [EMAIL PROTECTED]
Date: Sat, 18 Mar 2006 00:01:39 
To: [EMAIL PROTECTED]
Subject: You have been unsubscribed from the Full-Disclosure mailing list

For quality control purposes please send mail to [EMAIL PROTECTED] and
tell us why you're unsubscribing. Thanks!





Re: [Full-disclosure] HTTP AUTH BASIC monowall

2006-03-16 Thread Jason Coombs
Brian Eaton wrote:
> I'd like to see their process
> changed so that it included a more
> serious check into the business
> whose web site they are verifying.

This makes no sense at all, and is simply impossible within the DNS system. 
Furthermore, all verification done by any CA can be easily fooled. Only fools 
trust any CA.

What's wrong with expecting the end-user to be able to think clearly enough to 
find out what the *actual* trustworthy public key *actually is* for 
communicating with the *authentic* entity that the end-user wishes to 
communicate?

Three changes are required:

1. Do away with CA's entirely. Immediately. No sunset period.

2. Every entity that possesses a key pair makes a minimal effort to communicate 
their authentic public key to the people with whom they expect to communicate.

3. Give end-users a simple way to fixate trust within their client software to 
just the *single* public key that they have reason to believe is associated 
with the entity with whom they intend to communicate, and revoke client 
software's existing open-ended CA-mediated trust model, putting an immediate 
stop to it entirely.

The only reason this is not done is that Verisign's multimillions in revenue 
around their CA-related business, and their future business plans involving 
'security' in general, would cease to exist.

Reliable (and cost-free) security based on common sense would take its place, 
but nobody really wants security, do they? People just want things that are 
complicated so they can learn secret voodoo business trade secrets and grow new 
business ventures.

People who really want security already have it, so distrust anyone who claims 
to be able to sell it to you.

Regards,

Jason Coombs
[EMAIL PROTECTED]

Re: [Full-disclosure] HTTP AUTH BASIC monowall

2006-03-16 Thread Jason Coombs
bkfsec wrote:
> Frankly, the whole "web of trust" is
> a flawed idea.  "Because A trusts
> B, and B trusts C, then A can (must?)
> trust C" is, excuse the lack of 
> civility, utter bullshit. 
>
> I trust my friends, it doesn't mean
> that I trust their friends.

You're applying the sick-and-stupid-Verisign-monopoly-business-strategy version 
of the 'web of trust' idea to all webs of trust, and that's incorrect.

Verisign is guilty of fraud in even suggesting that the CA (and the SSL certs 
it issues) does anything at all other than what you describe -- but don't throw 
the web of trust baby out with Verisign's dirty business bathwater.

The 'security' problem that a proper 'web of trust' solves nicely is the one in 
which particular entities are associated with individual public keys. There is 
no especially good way, aside from a properly-implemented web of trust, for 
many-to-many reliable distributed discovery of the public key-to-entity mapping 
that is most probably accurate because it is the correlation that your trusted 
associates assure you they have successfully relied on in the past to engage in 
communication with the party they believe to be the owner of a particular 
public key.

SSL does not implement any reasonable trust mechanism today because Verisign 
dumbed it down in order to create a universal mechanism to tax the Internet.

Best,

Jason Coombs
[EMAIL PROTECTED]

Re: [Full-disclosure] Filtering Latest Spam Run (radio.toad.com)

2006-03-16 Thread Jason Coombs

[EMAIL PROTECTED] wrote:
> And I would have never shot hot steamy load of man juice inside you
> if you were not fucking faggot


uh huh, and now we know the spam kiddie responsible. I pay by the KB to 
receive all your junk, so you can expect a lawsuit in the near future.


Send your address for service of process, please.



Re: [Full-disclosure] Filtering Latest Spam Run (radio.toad.com)

2006-03-16 Thread Jason Coombs

Don Bailey wrote:

> Stop interrupting the spam, I'm trying to read.


The spam attacks would never have gotten through if Len Rose were still 
in charge of FD.




Re: [Full-disclosure] For Sale: Security Vulnerability Database Company

2006-03-09 Thread Jason Coombs
[EMAIL PROTECTED] wrote:
> If this were a serious offer, I'd at
> least expect a phone number and
> website (of the company brokering
> the sale). Not a "reply to my
> googlemail account"...

Have you replied to the googlemail account?

Doing so will result in more information about the offer and the opportunity 
for the buyer.

If you're not interested then just ignore the offer. If you're truly offended 
by it, then investigate.

I appreciate that the poster chose NOT to supply a URL but invited instead 
personal correspondence on the matter from interested parties.

Your tactic of supplying a URL would be offensive to me, so it's probably a 
good thing you weren't the one hired to help the company in question locate a 
buyer.

Best,

Jason Coombs
[EMAIL PROTECTED]




[Full-disclosure] Re: How hackers cause damage... was Vulnerabilities in new laws on computer hacking

2006-02-23 Thread Jason Coombs

Craig Wright wrote:

> The "state of doubt" I was referring to is the condition of
> determination associated with knowledge that a system has been attacked.
> The determination that the attacker was benign or malevolent leaves one
> in doubt


Your sage wisdom on the subject of helping people respond appropriately 
to attacks, crime and fraud (insider/outsider/etc) is duly acknowledged.


We all have 'knowledge' that our systems have been attacked based on the 
fact that software originating from Microsoft is present on our boxes, 
and the fact that microprocessors designed only for stand-alone use 
(absent data communications or other untrustworthy I/O) have been 
improperly and irresponsibly thrust onto the marketplace by Intel, AMD, 
et al -- companies with the technical awareness of the proper solution 
to the problem who withhold not only the solution but also withhold 
disclosure of their knowledge of the problem.


Sincerely,

Jason Coombs
[EMAIL PROTECTED]


[Full-disclosure] Re: How hackers cause damage... was Vulnerabilities in new laws on computer hacking

2006-02-23 Thread Jason Coombs

Craig Wright wrote:
> Cyber-trespass leaves one in a state of doubt. It is commonly stated
> that the only manner of recovery from a system compromise is to
> rebuild the host.

Don't you mean that the trespass disrupts the condition of denial and 
neglect that normally exists surrounding any network of programmable 
computers?


The 'state of doubt' is no different post-trespass than it was 
beforehand, what has changed is the emotional condition of the property 
owner. After recovery steps to rebuild the host, there is again a 'state 
of doubt' and it is just as substantial as it was before the trespass 
incident caused everyone emotional trauma.


We must build computer systems that separate the act of installing and 
executing software from the act of depositing data on read/write media.


Executable code must not be stored on read/write media. At least not the 
same media to which data is written, and access to write data to 
software storage must not be possible through the execution of software; 
at least not software executing on the same CPU as already-installed 
software.


Our CPUs need a mechanism to verify that the machine code instructions 
being executed have been previously authorized for execution by the CPU, 
i.e. the machine code is part of software that has been purposefully 
installed to a protected software storage separate (logically, at least, 
and both physically and logically separated at best) through actions 
that could not have been simulated or duplicated by the execution of 
machine code at runtime on the system's primary CPU.


The worst-case scenario of 'repair' and 'recovery' from any intrusion 
event should be verification of the integrity of protected storage, 
restore from backup of data storage, analysis of data processing and 
network traffic logs to ascertain the mode of intrusion (if possible) 
and reboot of the affected box with a staged reintroduction of the 
services that box previously provided (if you just re-launch all of the 
services being exposed by the box then it is just as vulnerable as 
before to whatever attack resulted in the intrusion, so you start from 
the most-locked-down condition and add services one at a time, 
monitoring for a period of time at each step).


Depending on the length of time one is willing to monitor the box as it 
is staged into deployment again after recovery, and depending on the 
tools put into place to enable verification of the authenticity and 
'correctness' of the machine code found to be present on the protected 
storage where software is installed, 'recovery' from any incident can be 
almost immediate, requiring little more than a reboot (the steps for 
which could also be optimized in a well-built secure computer system, 
since the objective really is nothing more than wiping all RAM and 
re-reading machine code from the protected storage after integrity 
verification is complete) ...


All of the 'damage' and 'vulnerabilities' you're talking about stem 
directly from very bad business decisions made by owners of computer 
systems and from authors of software made to run on those computer 
systems. Hackers can be made irrelevant, and virtually all significant 
damage from 'intrusion' can be prevented in advance, by putting a stop 
to the world's addiction to the installation and execution of arbitrary 
code. The problem is that the computer industry has been built around 
providing financial rewards to the businesses that can get as many 
copies of their code executing as possible, and security barriers that 
curtail access to this cash generating machine would kill 75% of the 
existing computer industry.


I say let 'em die. Give us secure computing, and may every company that 
intentionally harms people for profit die a horrible and painful death 
that takes as many of its investors with it as possible in the process!


Sincerely,

Jason Coombs
[EMAIL PROTECTED]


Re: [Full-disclosure] Compromised hosts lists

2006-02-20 Thread Jason Coombs

James Lay wrote:

> I had heard tale of a site that had a semi-updated list of compromised
> hosts.  I was hoping that someone knows that link...would LOVE to be
> able to get my firewall to get this list and auto-create an iptables
> rule.  Thanks all!


Various forms of malware autopopulate central compromised host 
directories which botnet or drone army operators use to assemble their 
lists... I've found these to be particularly useful in defending against 
criminal prosecutions of persons whose Windows boxes were added to such 
lists during a time period in which computer forensic evidence found in 
their possession appears to incriminate their computer (and by 
extension, the computer owner) as a tool of the alleged crime.


I'd like a better history of compromised hosts for this purpose, and 
suggest that botnet operators be required to publish their logs. ;-)


Regards,

Jason Coombs
[EMAIL PROTECTED]


Re: [Full-disclosure] Fun with Foundstone

2006-02-14 Thread Jason Coombs

[EMAIL PROTECTED] wrote:

> https://download.foundstone.com/?o=^2155
> Now that's just plain sloppy.


But at least it's SSL-secured.


Re: [Full-disclosure] On the "0-day" term

2006-02-13 Thread Jason Coombs

Steven M. Christey wrote:

> One would hope that there is some critical mass (i.e. number of
> compromised systems) beyond which any in-the-wild 0-day would become
> publicly known.


We can't presume that all 0-day exploits will end up being widely 
observed and thus become well-known. This is not a valid presumption 
even if it ends up being true in practice, today.


The real challenge is for incident response forensics staff to equip 
themselves ahead of time with the necessary tools (and sources of 
forensic logs, including, for example, full packet capture logs of all 
network traffic within a rolling window time period that is as lengthy 
as possible) to be able to identify a 0-day exploit used as the source 
of entry for a one-off intrusion event.


Being able to detect, reliably, any changes made to configuration 
settings or on-disk and in-memory binaries altered by the intruder is 
good, too, but the capability to ascertain precisely what vulnerability 
got exploited to gain entry in the first place is critical to keeping 
the same well-prepared intruder out the second time around.


Some of the technical barriers to achieving full forensic awareness 
within the time period during which a relevant 0-day event occurred 
include the use of SSL and other encryption which bypasses simple packet 
capture logging (unless one's SSL engine also logs all session keys 
generated) and the processing power and storage space required to 
capture, store, and analyze such a large quantity of real-time and 
historical data. Not to mention the questionable probability that the 
log windows will be wide enough to contain useful information when an 
intrusion is finally noticed.


Dramatic improvements in this area of computer and network forensics 
would fundamentally alter modern information security. I do not see how 
any organization can believe itself to be adequately secured when the 
simple ability to prove security measures are working, and quickly 
determine the precise method of failure when they break down, 
essentially does not exist today.


Sincerely,

Jason Coombs
[EMAIL PROTECTED]
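Two points from the threads above can be shown in one piece of code: the proposal in the "HTTP AUTH BASIC monowall" thread to fix client trust to a single public key instead of a CA, and the remark in this thread that SSL defeats packet-capture forensics unless the SSL engine also logs its session keys. The following is an added example, not code from any message on this page and not from m0n0wall, Verisign or any other party named above. It is Go using only the standard library: the client pins one SPKI hash and consults no CA store, and it writes its session secrets to an NSS-format key log, the file Wireshark reads to decrypt a capture. The certificate and the in-process server are constructed for the demonstration, and the handshake runs over net.Pipe so nothing touches the network.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"math/big"
	"net"
	"time"
)

// SPKIPin is the base64 SHA-256 of a DER certificate's SubjectPublicKeyInfo: a fingerprint of the key itself, independent of which CA, if any, signed it.
func SPKIPin(der []byte) (string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:]), nil
}

// PinnedVerifier builds a VerifyPeerCertificate callback that accepts the peer only if its leaf key matches the one pinned value: no chain, no CA store.
func PinnedVerifier(pin string) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return fmt.Errorf("peer sent no certificate")
		}
		got, err := SPKIPin(rawCerts[0])
		if err != nil {
			return err
		}
		if got != pin {
			return fmt.Errorf("key pin mismatch: peer presented %s, client pins %s", got, pin)
		}
		return nil
	}
}

// SelfSignedCert mints a throwaway P-256 certificate for the in-process server (fresh key on every run; the subject is left empty on purpose, only the pin matters here).
func SelfSignedCert() (tls.Certificate, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, der, nil
}

// Handshake runs a full TLS handshake between an in-process server and a client over net.Pipe (no sockets).
// The client trusts exactly one key, pin, and appends its session secrets to keyLog in the NSS key-log
// format Wireshark reads, which is what keeps a packet capture of the session decryptable afterwards.
func Handshake(serverCert tls.Certificate, pin string, keyLog *bytes.Buffer) error {
	clientConn, serverConn := net.Pipe()
	defer clientConn.Close()
	defer serverConn.Close()
	deadline := time.Now().Add(3 * time.Second) // a pipe has no kernel buffer: turn any stall into an error
	clientConn.SetDeadline(deadline)
	serverConn.SetDeadline(deadline)
	serverDone := make(chan error, 1)
	// Tickets disabled so the server sends nothing after the handshake that the client would have to drain.
	go func() {
		serverDone <- tls.Server(serverConn, &tls.Config{Certificates: []tls.Certificate{serverCert}, SessionTicketsDisabled: true}).Handshake()
	}()
	cli := tls.Client(clientConn, &tls.Config{
		InsecureSkipVerify:    true, // turns off the CA chain walk only; VerifyPeerCertificate still runs and decides
		VerifyPeerCertificate: PinnedVerifier(pin),
		KeyLogWriter:          keyLog,
	})
	if err := cli.Handshake(); err != nil {
		return err
	}
	return <-serverDone
}

func main() {
	serverCert, der, err := SelfSignedCert()
	if err != nil {
		panic(err)
	}
	pin, _ := SPKIPin(der)
	var keyLog bytes.Buffer
	fmt.Println("correct pin:", Handshake(serverCert, pin, &keyLog))
	fmt.Println("wrong pin:", Handshake(serverCert, "not-the-pinned-key", new(bytes.Buffer)))
	fmt.Print("session key log:\n", keyLog.String())
}
```

With the correct pin the handshake completes and keyLog holds the CLIENT_RANDOM line (TLS 1.2) or the *_TRAFFIC_SECRET lines (TLS 1.3); with any other pin the client aborts before the handshake finishes, whatever CA the server's certificate chains to. Two caveats a deployment has to answer: pinning one key moves the problem to key rotation, since a compromised or lost key strands every client unless the client also accepts a successor signed by the old one; and the session-key log is the most sensitive file on the box, because it decrypts everything captured, so it needs the same handling as the private key itself.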


Re: [Full-disclosure] blocking Google Desktop

2006-02-11 Thread Jason Coombs

J.A. Terranson wrote:

> Invite the idiot in the
> white house, I hear he's feeling unloved today :-)


Do you mean: "invite the idiot" in the white house ?

Or do you mean: invite the "idiot in the white house" ?

My favorite stupid hacker trick "in the white house": getting POTUS to 
call you by your hacker handle. (be sure to call him POTUS in return)


http://www.cultdeadcow.com/cDc_files/cDc-0374.php
> The rest is more recent history. An invitation to join President
> Clinton's Internet security advisory panel was the cherry on top of the
> whipped cream. And the coolest thing of all was that they did it on
> their own terms. For a hacker to be addressed by the President of the
> United States by his handle and not given name is the ultimate form of
> legitimization.


http://en.wikipedia.org/wiki/Mudge
http://en.wikipedia.org/wiki/Dildog


Re: [Full-disclosure] NSA tracking open source security tools

2006-02-04 Thread Jason Coombs

[EMAIL PROTECTED] wrote:

> it is a neat NOC page to have on a big screen. scares management-type
> folk. and Presidents of non democratic countries ;-)


Sure, it made for a fine photo op. But based on the Bush 
administration's decision-making processes there is good reason to 
believe that A) the people at the NSA who created the mock-ups for 
public relations purposes died unexpectedly and the people who took over 
their jobs didn't know that the intelligence they were looking at was 
meaningless drivel produced for the benefit of manipulating public 
opinion, or B) the NSA is only showing the Bush administration the same 
mock-ups that the rest of us get to see.


In either case, the whole show begs the question "Who's really in 
charge?" as well as "What electronic voting equipment manufacturer 
elected THEM President?"


Best,

Jason Coombs
[EMAIL PROTECTED]


Re: [Full-disclosure] NSA tracking open source security tools

2006-02-04 Thread Jason Coombs

Fyodor wrote:

> George Bush visiting the NSA headquarters in Fort Meade.  A wall-sized
> screen in the background displays the latest versions of our favorite
> open source security tools, including Nmap, Metasploit, Snort,
> Ethereal, Cain & Abel, and Kismet.  Nifty.


The NSA must have learned information security tricks from Microsoft.

Who in their right mind would focus their attention on software version 
numbers and think that makes for better security?


Somebody tell the NSA they need to keep track of hash codes instead.

Regards,

Jason Coombs
[EMAIL PROTECTED]


Re: [Full-disclosure] Re: Security Bug in MSVC

2006-01-18 Thread Jason Coombs

Dave Korn wrote:

>> Nice thinking, Donnie. This must be the "new class of vulnerability"
>> that was hinted at by Microserfs a few months ago... The attacks are
>> launched by way of source code distributions rather than binary code.
>
> Why is this a terribly insecure microsoftism, when GNU make does exactly
> the same?


Just after Donnie reported this issue to Microsoft (September) we 
started seeing Microserfs suggest that their security team was working 
on a never-before-encountered novel class of vulnerability, and the 
implication was that Microsoft's security competency had finally 
surpassed both the black hats and all other white hat groups -- since it 
would be politically valuable for Microsoft to be able to claim that 
sharing source code is an unsafe behavior, and since there have been no 
other vulnerabilities disclosed since that time which might have 
appeared to Microsoft to be entirely new and far-reaching, I suspect 
that this disclosure prompted those previous statements about work being 
done by Microsoft.


How many other attacks can you point to where Microsoft's development 
tools are exploited to specifically target the unwary programmer who 
still thinks it's perfectly safe to download arbitrary data from an 
untrusted source and then open it in a text editor? My guess is that 
Donnie got Microsoft thinking about this very risk, and they started 
talking internally about it being an entirely new class of 
vulnerability. Yes, if my supposition is correct it would be quite 
pathetic and give us another reason to laugh at Microsoft; but you can 
probably see how much benefit Microsoft is going to be able to milk out 
of this and related attacks that exploit bugs in programmers' tools that 
are launched by the simple act of opening or attempting to compile a 
source code distribution.


Source code is just as dangerous as binary code. Clearly, the only way 
to be safe is to rely on Microsoft's programmers to create and 
digitally-sign software for us. Go Microsoft. Yeah!


Regards,

Jason Coombs


Re: [Full-disclosure] Secure Delete for Windows

2006-01-17 Thread Jason Coombs

GroundZero Security wrote:

why do people run firewalls, IDS or Anti Virus? no they don't care about security,
they just want to know what's the name of the virus that just hit their box, or see
who may just be accessing their system as obviously no one is trying to be secure.
you really made me realize all i need is full disclosure! who needs patches as long
as you know what is vulnerable. why patch at least you KNOW what's buggy, right?


Your belief that firewalls and A/V provide people with security is so 
1990's ... how quaint and nostalgic. you really are starting from ground 
zero, aren't you? good luck with that...


Give me bugs that are well-understood and keep your stinking patches to 
yourself. we don't need no stinking patches.


Jason Coombs
[EMAIL PROTECTED]


Re: [Full-disclosure] Security Bug in MSVC

2006-01-17 Thread Jason Coombs

Morning Wood wrote:


 - EXPL-A-2006-002 exploitlabs.com Advisory 048 -


  - MSVC 6.0 run file bug -


Nice thinking, Donnie. This must be the "new class of vulnerability" 
that was hinted at by Microserfs a few months ago... The attacks are 
launched by way of source code distributions rather than binary code.


Sweet As.

Jason Coombs
[EMAIL PROTECTED]


Re: [Full-disclosure] Secure Delete for Windows

2006-01-17 Thread Jason Coombs

sk wrote:

thank you for the constructive feedback. at least it was useful


People who install software on their computers and connect them to 
networks then receive and process incoming data with those computers and 
said software do not want security, we just want full disclosure of the 
risks that we expose ourselves to by engaging in such unsafe behavior.


If you're going to be part of the problem rather than part of the 
solution, if you intend to join the ranks of the self-interested 
software vendors who refuse to disclose the risk factors of installing 
and using your products, and also refuse to disclose the source code so 
that we can compile the code ourselves and therefore at least know where 
our machine code came from and what its source looks like, then you're 
the one who needs to stfu and go promptly out of business before you 
hurt somebody.


Best,

Jason Coombs
[EMAIL PROTECTED]


Re: [Full-disclosure] Secure Delete for Windows

2006-01-17 Thread Jason Coombs

J.A. Terranson wrote:

An exe?  No source???  Just "setup.exe"  Are you crazy?


That's the way Microsoft does it, and you've got your trusty Anti-Virus 
software to protect you, right? So what's the problem?



Re: [Full-disclosure] Steve Gibson smokes crack?

2006-01-13 Thread Jason Coombs

bkfsec wrote:
A few incidents ("NSA" backdoor) aside, Microsoft's history with 
security has been one of ineptness, not "maliciousness" per-se.


The Microsoft corporate entity may not be malicious in terms of 
purposefully planting backdoors with knowledge and consent of Gates et 
al (this assertion is of course questionable) however, individual 
programmers at Microsoft have probably planted backdoors on purpose. 
This happens frequently in many software shops.


The corporate culture at Microsoft made it easy to do so, and get away 
with it, as you so accurately described. Individual product managers who 
encouraged the least safe configurations and least safe feature/code 
designs might have done so for the purpose of preserving widespread 
access to such backdoors.


It would be relatively simple for Microsoft to determine whether any 
particular individuals were responsible for writing the bad code and 
deploying flawed architectures over and over again through the years.


Perhaps Microsoft has bothered to look into this by now, and has quietly 
dismissed the perpetrators.


Beware of ex-Microsoft programmers.

Regards,

Jason Coombs
[EMAIL PROTECTED]


Re: [Full-disclosure] Steve Gibson smokes crack?

2006-01-13 Thread Jason Coombs

Stan Bubrouski wrote:

Ordinarily I'd argue, but its hard to when we find out Microsoft knew
about the bug for a long time and made a conscious decision not to
patch it even though they knew it could lead to a system compromise.


It's hard to imagine anything other than conscious and willful 
preservation of known backdoors in Windows as an explanation for 
Microsoft's refusal to enable Windows Firewall by default until XP SP2.


Microsoft knew for years, if not from the very start, that all Windows 
boxes were by design exposing backdoors on the network, yet they did 
nothing to remedy the situation nor alert any customer to the risk.


This smells to me like a whole slew of intentional backdoors, and I 
don't smoke anything.


Regards,

Jason Coombs
[EMAIL PROTECTED]


Re: [Full-disclosure] you can now be arrested for being annoying on the 'net

2006-01-10 Thread Jason Coombs
Where do you want the United States to go today?




[Full-disclosure] Re: [Antisocial] Re: [Clips] Why Bush Approved the Wiretaps (fwd)

2005-12-21 Thread Jason Coombs
Perry E. Metzger <[EMAIL PROTECTED]> wrote:
>   Electronic surveillance means
>   (1) the acquisition by an electronic, mechanical, or other
>   surveillance device of the contents of any wire or radio
>   communication sent by or intended to be received by
...

Dear Perry, et al:

I think you're missing the key clue as to what was actually done, and thus why 
it was done in the manner chosen, and why it is now being defended by the Bush 
Administration as being legal.

All of the statutes quoted, and every other one of which I am aware, prohibit 
the INTERCEPTION of the CONTENT of communications.

Nothing presently prohibits the automated processing of the content via 
software when the content is not captured/intercepted, nor excerpted/preserved 
for law enforcement's review. A computer system, designed to circumvent the 
intent but comply with the letter of present law, can legally do what a person 
cannot.

Furthermore, courts in jurisdictions in which I have worked are presently 
ruling that with respect to electronic equivalents of conventional PSTN pen 
register intercepts, all information considered to be 'routing' information 
rather than CONTENT of electronic communications is fair game, and may not even 
require a warrant, anywhere, with respect to anyone.

At the very least, there is serious gray area in the lack of clear definition 
of the electronic communication equivalent to the conventional PSTN pen 
register.

I suspect that what is actually being intercepted is not content, but rather is 
data that the administration considers to be network routing information -- 
e-mail and IP addresses, basically. Maybe domain names of Web sites being 
visited.

Read more about Carnivore's known capabilities from several years ago with 
respect to its pen register mode of operation:

http://www.epic.org/privacy/carnivore

Then consider the consequences of the absence of explicit mention of 
'electronic communications equivalent of a pen register' or the words 'or 
network routing information' in any of the statutes you mentioned.

I wouldn't be surprised at all if the administration ultimately argues that the 
data they intercepted without a warrant, to the extent that ANY data was 
'intercepted', was not 'content' that the sender/recipient intended to 
communicate to/from the other party. Furthermore they could take the position 
that there is no need for a warrant for 'electronic communication pen 
registers' as the pen register statutes are cleverly ambiguous and (probably 
intentionally) antiquated...

Regards,

Jason Coombs
[EMAIL PROTECTED]

-Original Message-
From: "J.A. Terranson" <[EMAIL PROTECTED]>
Date: Tue, 20 Dec 2005 23:49:30 
To:[EMAIL PROTECTED]
Subject: [Antisocial] Re: [Clips] Why Bush Approved the Wiretaps (fwd)


Good back and forth.
-- 
Yours,

J.A. Terranson
[EMAIL PROTECTED]
0xBD4A95BF


Just once, can't we have a nice polite discussion about
the logistics and planning side of large criminal enterprise?

- Steve Thompson



-- Forwarded message --
Date: Tue, 20 Dec 2005 13:04:00 -0500
From: Perry E. Metzger <[EMAIL PROTECTED]>
To: R. A. Hettinga <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED]
Subject: Re: [Clips] Why Bush Approved the Wiretaps

"R. A. Hettinga" <[EMAIL PROTECTED]> writes:
[...]
>  The National Review
>  Byron York
[...]
>  At his news conference this morning, the president explained that he
>  believed the U.S. government had to "be able to act fast" to intercept the
>  "international communications of people with known links to al Qaeda." "Al
>  Qaeda was not a conventional enemy," Bush said. "This new threat required
>  us to think and act differently."

The FISA law already allows taps to go on for 72 hours before a court
is informed. That's three days. In three days people can't fill in a
form and deliver it to the FISA court? The FISC has approved 15,000
wiretaps and rejected less than ten in its history.

>  But there's more to the story than that. In 2002, when the president made
>  his decision, there was widespread, bipartisan frustration with the
>  slowness and inefficiency of the bureaucracy involved in seeking warrants
>  from the special intelligence court, known as the FISA court.

It is so inefficient that you don't even have to ask for THREE
DAYS. Three days isn't enough time?

More to the point, even if the President thinks something is
"inefficient", the law is the law. If it says "those who do not seek a
FISC warrant go to jail for five years", the President has to obey.

>  People familiar with the process say the problem is not so much with the
>  court itself as with the process required to bring a case before the cour

Re: [Full-disclosure] Re: Guidance

2005-12-20 Thread Jason Coombs
J.A. Terranson wrote:
...
> accurate and completely
> supporting information
...

Alif,

Come now, my friend, you know very well that there is no such thing in 
computing unless you happened to be monitoring all internal and external I/O of 
the computing device in question at the time the alleged 'data' were allegedly 
'processed' by that computing device.

You put on a hat labeled 'computer forensic examiner' as a necessary matter of 
business practice, in order for other people to understand what you are when 
you are serving that role in some forensic situation. But by wearing such 
title, and by engaging in such business, you are forced to make gigantic leaps 
of imagination in order to offer opinions as to your finding of 'accurate and 
completely supporting information' after your forensic tools and your knowledge 
of software give you a glimpse of the past that is beyond the capability of 
mere mortals.

The problem, and the reason the entire industry needs to die, is that this 
creates a situation in which the side with the best imagination wins.

It doesn't help the discovery of truth for people with forensic tools and 
talent to suggest that their imagination is superior and therefore can prove 
conclusively what happened in the past.

No matter what safeguards you or the rest of the computer forensics industry 
develop, I will still be able to defeat your imagination because yours is 
limited by budgets and time constraints, whereas I am only limited by the 
lengths to which I am willing to go to deposit fake evidence and secretly 
control other people's computers.

Given the desire to do so, any motivated adversary could cause your computers 
to contain 'accurate and completely supporting information' of their choosing, 
without possibility of detection after-the-fact. It is only badly-executed 
intrusions or intruders caught-in-the-act that result in the owner of a 
computer system discovering that their security has been compromised.

This is the end result of the ability to execute arbitrary code or gain 
unauthorized physical or logical access to vulnerable computer systems.

When the 'computer forensics' industry requires of each practitioner a written 
and spoken caveat to this effect before and after every report that an examiner 
delivers to a client, that's when there might be some justification for the 
industry to exist at all. Until then, we're all a bunch of self-serving glory 
hounds who can't find anything better to do with life, and who don't mind 
putting other people at risk for our own short-term benefit.

We absolutely must be stopped. But that doesn't mean I will be turning away 
jobs myself. As long as this booming market keeps making me rich, I'll keep 
doing my job to the best of my ability. But I won't be happy about it until the 
nonsense stops and people start thinking rationally about how silly it is to 
trust computer data and call it 'evidence' -- it is digital dumpster diving, 
and the hard drives are garbage cans.

Be careful which garbage can you stand next to, because proximity to the 
garbage is now effectively a crime thanks to flawed computer forensics. We are 
all at risk unnecessarily, and full disclosure of the true nature of that risk 
is our only protection against persons of superior imagination.

Regards,

Jason Coombs
[EMAIL PROTECTED]

[Full-disclosure] Re: Guidance

2005-12-20 Thread Jason Coombs
It is not just defects in EnCase features that cause computer forensic 
examiners who use Guidance Software's products and training to produce 
incorrect and misleading expert testimony or fact evidence.

Guidance Software simply doesn't understand, and doesn't care to understand, 
information security.

It would be bad for sales of EnCase if Guidance admitted that they have no way 
to know whether anything discovered on a hard drive by EnCase is reliable 
circumstantial evidence.

The result of Guidance's software and their training is a severely 
dysfunctional industry built around making profits by looking at tea leaves and 
telling fortunes.

Data on hard drives simply is not evidence of anything. Even when it helps to 
prompt or guide investigations, the people who practice computer forensics must 
disqualify themselves and their reports from the status of 'expert' testimony 
or 'fact' evidence, yet they are taught by Guidance techniques to amplify the 
appearance of reliability and expertise instead of properly and competently 
explaining the inherent uncertainty in any computer forensic investigation.

Computer hard drive analysis is not expert testimony, and the result of such 
analysis is routinely misrepresented by people who use Guidance products, 
people who are trained by Guidance, and people who think the way that Guidance 
thinks.

The break-in to the Guidance computer network, and Guidance's typical botched 
corporate incident response, inadequate reporting, and failure to even try 
proactively to protect people who Guidance puts at risk, is just one point of 
proof that Guidance Software's failure to properly address the impact that 
intrusions and information security vulnerabilities have on the condition of 
data stored on hard drives is causing severe harm to the public safety 
worldwide.

Regards,

Jason Coombs
[EMAIL PROTECTED]

-Original Message-
From: Alex Eckelberry <[EMAIL PROTECTED]>
Date: Tue, 20 Dec 2005 10:21:37 
To:[EMAIL PROTECTED]
Subject: RE: Guidance

Yup, Brian got it.  Very good work on his part.  I was late on the
story.  Thanks for the pointer. 

The other issue with version 4 is worrisome.  If people went to jail
because of incorrect information, that would be disturbing.  However, it
seems it's all relative to the circumstances and the skill of the
forensics expert. 

Thanks again!


Alex
 

-Original Message-
From: Paul Alexander [mailto:[EMAIL PROTECTED] 
Sent: Monday, December 19, 2005 8:22 PM
To: [EMAIL PROTECTED]
Subject: Re: Guidance

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Alex Eckelberry wrote:
> Hello,
>  
> I'm working on a short article on computer forensics and am doing 
> research on rumoured problems with Guidance software, particularly
>  
> a) the fact that their database was (allegedly) recently hacked
>  
> and
>  
> b) problems with version 4.0 providing incorrect information, 
> particularly showing incorrect files in the recycle bin vs. version 5 
> showing a correct number of files.
>  
>  
> If anyone can point me to some links or more info, I would appreciate
it.
>  
> TIA,
>  
>  
> Alex Eckelberry

Try this for the hacked database story -
http://www.washingtonpost.com/wp-dyn/content/article/2005/12/19/AR200512
1900928.html

Regards, Paul Alexander.
www.linuxfx.com


-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDp1y3umIg2LLN3EoRAmMyAJ4sYx8Xnc/SzPB6ZTUx87gowyKd1wCgwAdz
OSWcCrAJWAtyXG9rwt/5DDE=
=BFJV
-END PGP SIGNATURE-

Forensic Focus (http://www.forensicfocus.com) email list addresses:

Post message: [EMAIL PROTECTED]
Help address: [EMAIL PROTECTED]
Unsubscription address: [EMAIL PROTECTED]


[Full-disclosure] Re: Guidance Software Customer Database Hacked?

2005-12-18 Thread Jason Coombs
Guidance Software is an unethical company driven by greed.

They truly do not care that their products and their training are flawed.

Guidance cares only that its products sell, and for them to sell as widely as 
possible they need to convince law enforcement agencies that in order to do 
'computer forensic investigations' you need to license their products.

Has this resulted in wrongful convictions of innocent persons based on Guidance 
Software's brand of flawed computer forensics? Absolutely, yes. Does Guidance 
care? Absolutely, not.

There needs to be a death penalty for corporations.

Regards,

Jason Coombs
[EMAIL PROTECTED]


-Original Message-
From: "dave kleiman" <[EMAIL PROTECTED]>
Date: Sun, 18 Dec 2005 11:23:38 
To:<[EMAIL PROTECTED]>
Cc:"'Samuel Norris'" <[EMAIL PROTECTED]>
Subject: RE: Guidance Software Customer Database Hacked?

Samuel,

Inline..


 Dave,

 > Does anyone know the if the user database at Guidance
 software was
 > truly hacked?
 >

 An associate received the same letter that you cite,
 and called the phone number that was given with the
 letter.  He got what he called 'grudging
 confirmation'.  As a side note, he was as concerned
 that they had retained his credit card information for
 2 years as he was about their getting hacked.  It is
 pretty much all over the Net. now, including the UK.


That is right, they should only keep that data at the customer's request.
Additionally, under those circumstances, keep it in a separate **ENCRYPTED**
database from the customer personal information.



 As for their notification letter, their headquarters
 are located in Pasadena, CA.  As a CA corp., they are
 required by CA law to notify all those affected when a
 security breach occurs - don't let them fool you, they
 had to contact.


I know they had to... my big concern is... It happened in November, they did
not discover it until Dec., then they decide to notify "only" by postal mail
(as required by CA law).  They are an incident response / forensic company,
you think they would know and value the importance of getting the word out
quickly.



 Being an investigative kind of guy, I find it
 interesting from a customer volume standpoint that
 their 'customer base' is only 3,800+.  If you buy into
 their 'best thing since indoor plumbing' marketing,
 one would think that those numbers would be higher.


Remember, a lot of their business is large corporations and Law Enforcement
agencies, most of which do business by P.O., I understand it was only their
CC customer database that was hacked.


 > It would be nice to hear something from Guidance.
 > If they are trying to be
 > hush hush about it, I think it would cause more
 > damage than putting the
 > cards on the table.
 >

 It would be totally out of character, in my opinion,
 for them to make a public disclosure.  They can't even
 admit that their product has problems.


You mean like this... gathered from several message boards, mailing lists,
etc.


snip--

"I have a case involving a lot of deleted files, I examined the drives using
4.22a and 5.04a. Version 4 shows me dozens of deleted files and directories
in the recycle bin, version 5 only shows me a fraction of the files. I
called Guidance software and talked to some guy from England who is going to
call me back, but he had no clue why one version would show so many more
files in the recycle bin than the other

...It isn't just pix files, there are a lot of files of all types showing in
4 that are not showing in 5"


According to EnCase Tech Support, any deleted file listed in V4 may or may
not be displayed in the correct place in regard to its location within the
file structure.

*** So, if you've testified or reported regarding the location of a
deleted file and it's meaning using V4, you might or might not have been
telling the truth.**

Essentially, according to Tech support, when using V4 one cannot say with
any certainty regarding the location of any deleted file shown in V4.

They said there was a white paper regarding the issue that they would send
me.

After several emails and phone calls the best I'm able to get out of the
EnCase geeks in regard to this issue is that the location of deleted files
within the file structure in V4 might be as shown by V4, or, it might be
incorrect in where it shows the files located in regard to the file/folder
structure.

As far as V5, it is more "accurate" in where it shows deleted files located
within the file structure but keep in mind that "certain assumptions" are
still being made in placing those files.

Oh, and there is no "White Paper" rega

Re: [Full-disclosure] A CALL FOR FULL-DISCLOSURE TO BECOME A MODERATED LIST

2005-12-18 Thread Jason Coombs
> Yes, heaps more pathetic.  This
> from a guy who got FIRED from
> one of the most pathetic
> fudpeddlers in corporate america.

Well at least we've reached agreement. See, you can be reasonable, and you 
shouldn't be banned from FD. But you are spending 6 hours per day flooding the 
list with e-mail. Please go watch television, instead.

And as for my being FIRED, even if that were true, which it isn't, why exactly 
would that be a bad thing? With your help spreading rumors and lies, there's no 
way that dishonest, incompetent people who fear public scrutiny will agree to 
work with me -- and that difficult-to-acquire protection improves the quality 
of my life substantially.

Besides, if you were old enough to have had a job, you'd know what every other 
adult on this list knows: that a business with more than a few employees is not 
controlled by any one person, and the success, failure, and decisions of the 
business do not reflect directly on any one person, not even its CEO and 
founder. There is always more to the story, for anyone who can think clearly 
and can pay attention long enough to comprehend complex information.

Can you?

Regards,

Jason Coombs
[EMAIL PROTECTED]

Re: [Full-disclosure] A CALL FOR FULL-DISCLOSURE TO BECOME A MODERATED LIST

2005-12-17 Thread Jason Coombs
> This is great.  We have n3td3v
> posting ...

You're all heaps more pathetic than the average joe, and that's what makes this 
list so interesting.

It's astonishing the sort of things you care enough about to invest your time 
and energy.

The upside of hacker mentality is that you'll actually take the time to 
discover a few things that other people need to know about, and your desire to 
disclose these things rather than keep them secret actually changes the world 
for the better from time to time.

The downside of hacker mentality is that the rest of your deranged thinking 
remains attached wherever you go, because wherever you go, there you are.

Cheers,

Jason Coombs
[EMAIL PROTECTED]




Re: [Full-disclosure] A CALL FOR FULL-DISCLOSURE TO BECOME A MODERATED

2005-12-15 Thread Jason Coombs
[EMAIL PROTECTED] wrote:
> Everybody knows this list is
> 98% a joke

And if you truly need an hourly fix of the latest codez and sploitz then you're 
a misguided black hat. There are plenty of alternatives out there for you to 
use for swapping illegal materials and sharing evil secrets.

Full-Disclosure is for the sharing of knowledge, ideas, belief systems, and the 
awareness necessary for good people to achieve and understand how to prove 
their own security.

What are you looking for today? A call for moderation is counterproductive, but 
there may be some merit to the idea of blocking endless profane nonsense and 
flame wars. One idea that might improve the quality of discussions is to leave 
FD unmoderated for new threads, and moderate any thread that reaches some 
number of replies. Either moderate all replies or trigger moderated discussion 
at some point for long threads.

Regards,

Jason Coombs
[EMAIL PROTECTED]

Sent from my BlackBerry wireless handheld.



Re: [Full-disclosure] Looking for a job in Orange County California, honestly

2005-12-07 Thread Jason Coombs
> Jay is not employable, for
> multiple reasons.

You're right, of course. Jay is probably the kind of person who employers view 
as a threat because he can't be owned and he has too much raw talent, the 
development of which by an employer will only result in helping the competition 
when Jay starts his own business or leaves for greener pastures.

Jay simply needs to understand that his small and distorted world view based on 
his indoctrination with Orange County lifestyle is the true cause of his 
problems, and that unemployment might be his last opportunity in life to 
realize this and regain his freedom.

Potential employers can already see that he has fallen out of the system and 
will start infecting others in the workplace with values and ideas that aren't 
compatible with ruthless profiteering and the necessary lies on which the 
business depends for its stability.

Rock on, Jay.

Cheers,

Jason Coombs
[EMAIL PROTECTED]

Sent from my BlackBerry wireless handheld.



Re: [Full-disclosure] Looking for a job in Orange County California, honestly

2005-12-07 Thread Jason Coombs
If you're looking for honest work then Orange County may not be the right place 
to live.

Regards,

Jason Coombs
[EMAIL PROTECTED]

Sent from my BlackBerry wireless handheld.

-Original Message-
From: Day Jay <[EMAIL PROTECTED]>
Date: Wed, 7 Dec 2005 10:20:19 
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] Looking for a job in Orange County California, honestly

Being unemployed is a lot harder than I thought. I
have too much time on my hands and that coupled with
misc. side jobs, I really would like to find someone
to work for that needs some help. I'm looking to
hopefully work on site and not remotely unless
sometimes needed and hopefully have some sort of
flexible hours if not a set amount.

Currently I'm looking in Orange County any part or Los
Angeles county would be even better.

If anyone would like to use my services, I would be
maturely offering and i promise to not hack or ruin
your network.

Please send me an email...

Regards,

d4yj4y




Re: [lists] Re: [Full-disclosure] IT security professionals in demand in 2006

2005-12-05 Thread Jason Coombs
Commercial pressures are just as harmful to security as are complexity and 
ignorance.

Regards,

Jason Coombs
[EMAIL PROTECTED]

Sent from my BlackBerry wireless handheld.

-Original Message-
From: "Curt Purdy" <[EMAIL PROTECTED]>
Date: Mon, 5 Dec 2005 17:30:38 
To: "'wilder_jeff Wilder'" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
Subject: RE: [lists] Re: [Full-disclosure] IT security professionals in demand in 2006


Jeff Wilder sent:
> Not to validate the cissp... but try to get a good security 
> job with out it. 

I agree Jeff, for some reason it is considered the gold standard, though not
sure why.  Never took a class, studied a single book for a week and knocked
it out in half the 6-hour time period.  The SANS GIAC certs were much more
technical and absolutely required the classes.

I describe the CISSP as a river a mile wide and 6 inches deep, and the SANS
certs as a hundred yards wide and 30 feet deep.

If you spend more on coffee than on IT security, you will be hacked. 
What's more, you deserve to be hacked.
-- former White House cybersecurity czar Richard Clarke 

Curt Purdy CISSP, GSNA, GSEC, CNE, MCSE+I, CCDA
Information Security Officer


Re: [Full-disclosure] Re: Your One-Stop Site For Sony Lawsuit Info

2005-11-22 Thread Jason Coombs

Paul Schmehl wrote:
So, all those corporate execs walked out of the court house in handcuffs 
weren't really going to jail?


There's a huge difference between a financial crime committed by an 
individual and a crime committed by a corporation.


Let me know if the distinction confuses you and we'll discuss this more 
privately. You are aware that not every action of a person employed by a 
corporation is considered an action of the individual, right?


No individual programmer who writes spyware will ever be prosecuted for 
doing his or her job on behalf of a corporation. No exec who instructs 
said programmer to author said spyware will ever have personal criminal 
liability for giving said instruction.


If you don't like the world you live in, change it or get out.

Regards,

Jason Coombs
[EMAIL PROTECTED]


Re: [Full-disclosure] Re: Your One-Stop Site For Sony Lawsuit Info

2005-11-22 Thread Jason Coombs

Anthony R. Nemmer wrote:
That's a great website but it needs to include information about how to 
contact the Department of Justice so that they will take Sony to court 
for CRIMINAL action.  We need hundreds of thousands of people 
mailing/emailing/calling the DOJ to get it through their thick skulls 
that we aren't going to put up with this kind of sh*t from Sony or any 
other company.


Unfortunately, the end result of a criminal conviction for a corporation 
is nothing more than a fine. You can't put a corporation in prison, and 
there's no corporate death penalty.


The only option available to the people is mob justice. Corporations can 
be ruined and they can be burned to the ground, but they can't be 
touched in a meaningful way through mechanisms of law. Corporate persons 
are truly first-class citizens, rising above the rest of us natural 
persons in importance and worth to society.


Regards,

Jason Coombs
[EMAIL PROTECTED]


[Full-disclosure] Anyone interested in UNFAIRDISCLOSURE.COM

2005-11-07 Thread Jason Coombs
I'm going to allow a few domain names to expire that might be of 
interest to somebody else on the list... If you want them, let me know 
and I'll transfer them to you just before they expire and you can renew 
them yourself.


They are:

UNFAIRDISCLOSURE.COM
UNFAIRDISCLOSURE.ORG
UNFAIRDISCLOSURE.NET
UNFAIRDISCLOSURE.INFO

and,

FULL-DISCLOSURE.INFO

Cheers,

Jason Coombs
[EMAIL PROTECTED]


[Full-disclosure] Careless Law Enforcement Computer Forensics Lacking InfoSec Expertise Causes Suicides

2005-10-01 Thread Jason Coombs
34 people have killed themselves in the U.K. after being accused of 
purchasing child pornography using their credit card numbers on the Web 
between 1996 and 1999; and thousands have been imprisoned around the 
world for allegedly doing the same. Two of the first, and still ongoing, 
large-scale investigations of credit card purchases of child pornography 
through the Internet are known as Operation Ore (U.K.) and Operation 
Site Key (U.S.) -- tens of thousands of suspects' credit card numbers 
were found in the databases used by the alleged e-commerce child porn 
ring, and law enforcement's careless misunderstanding of the Internet 
and infosec (circa 1999) resulted in every single one of the suspects 
being investigated and thousands have so far been prosecuted and convicted.


Was your credit card number in the Operation Ore / Operation Site Key 
database? How would you know unless and until you've been arrested?


Over the last few years I have seen numerous cases in which the computer 
forensic evidence proves that a third party intruder was in control of 
the suspect's computer. More often there is simply no way to know for 
sure what might have happened between 1996 and 1999 with respect to the 
computer seized by law enforcement at the time of arrest years later.


If security flaws, porn spyware, or mistakes by an unskilled end user 
resulted, over the years, in some child pornography being downloaded to 
a suspect's hard drive, even in 'thumbnail' graphic formats and 
recovered only using forensic data recovery tools that carve files out 
of unallocated clusters, then the suspect is routinely charged, since 
the presence of child pornography on a hard drive owned by a person who 
is accused of purchasing child pornography is the best evidence law 
enforcement has to prove guilt of these so-called 'electronic crimes 
against children' -- crimes that are proved by the mere existence of 
data, where it matters not that a suspect did not and could not have 
known that the data existed on a hard drive that was in their possession.


I ask you this question: why doesn't law enforcement bother to conduct 
an analysis of the computer evidence looking for indications of 
third-party intrusion and malware? Some people have indicated to me that 
sometimes law enforcement actually does do post-intrusion forensics; 
though this decision is entirely up to the prosecutor or forensic lab 
director, and if they don't put in the time to do this they still get 
their conviction so there is presently no incentive to spend hundreds of 
hours analyzing large hard drives searching for evidence of intrusion 
just in case one might have occurred.


A substantial factor in the answer to this question is that it is nearly 
impossible to know what might have happened to a computer over the 
years, and most computers are used by more than one end user to begin with. 
Not only is there no way to differentiate


Every person convicted of an electronic crime against a child based only 
on evidence recovered from a hard drive that happened to be in their 
possession should be immediately released from whatever prison they are 
now being held in.


Law enforcement must be required to obtain Internet wiretaps, use 
keyloggers and screen capture techniques, and conduct other 
investigations of crimes-in-progress, because the current approach to 
computer forensics being taught by vendors such as Guidance Software 
(www.encase.com) and others (who just happen to sell products designed 
to analyze and search hard drives) makes the outrageous assertion that a 
person can be proven guilty of a crime based only on data that is found 
on a hard drive in their possession.


There is simply no way for law enforcement to know the difference 
between innocent and guilty persons based on hard drive data 
circumstantial evidence. Something must be done to correct this misuse 
of computer evidence, and whatever that something is, it is clear that 
only an information security organization is going to be able to explain 
it to law enforcement and legislators.


Regards,

Jason Coombs
[EMAIL PROTECTED]

--

http://news.independent.co.uk/uk/legal/article316391.ece

30 September 2005 21:24

No evidence against man in child porn inquiry who 'killed himself'
By Ian Herbert
Published: 01 October 2005

The credibility of a major investigation into child pornography came 
under renewed scrutiny yesterday after an inquest into the death of a 
naval officer who was suspended by the Royal Navy despite a lack of 
evidence against him.


The Navy suspended Commodore David White, commander of British forces in 
Gibraltar, after police placed him under investigation over allegations 
that he bought pornographic images from a website in the US. Within 24 
hours he was found dead at the bottom of the swimming pool at his home 
in Mount Barbary.


The inquest into his death heard that computer equ

Re: [Full-disclosure] Forensic help?

2005-09-11 Thread Jason Coombs

Red Leg wrote:

I was wondering if anyone knows of a program/system that I can purchase, as
a private individual, that will allow me to

...

3) Find any CONVENTIONALLY erased files?

 -- This would be either a Windows NTFS or FAT32 drive.



Use dcfldd to make the drive image.

http://sourceforge.net/projects/dcfldd

Then use Recover My Files and/or Mount Image Pro + your preferred 
deleted file recovery software. Mount Image Pro gives you the ability to 
mount raw forensic drive images produced using dd as well as EnCase 
forensic image file sets.


http://www.recovermyfiles.com/
http://www.getdata.com/
http://www.mountimage.com/

Regards,

Jason Coombs
[EMAIL PROTECTED]


[Full-disclosure] [Fwd: MM - #$%@ Kill Google!]

2005-09-08 Thread Jason Coombs
When will somebody get around to the important job of killing Microsoft?


 Original Message 
Subject: MM - #$%@ Kill Google!
Date: Thu, 8 Sep 2005 18:58:17 UT
From: Michael Robertson <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]



If this message is not displaying properly, visit
www.michaelrobertson.com  to launch it
in your browser.

#$%@ Kill Google!
September 8, 2005

An intriguing but eventually vicious three-way battle is emerging
between Microsoft, Yahoo! and Google for net supremacy. How each is
dealing with the competitive threat says a lot about their individual
company culture, management and DNA. (If you're wondering why I didn't
include AOL, it's because their business seems to be moving in the wrong
direction, rapidly atrophying with nearly 900,000 fewer subscribers last
quarter.)

*Microsoft:*

Microsoft has recently made a concerted effort to hire even-keeled,
friendly liaisons within the community, giving them the authority to
speak for the company and the authorization to pay off those that might
speak negatively of Microsoft. Behind the scenes, however, it's still
the same team running the show - management that has been twice
convicted of illegal actions against competitors, and that sports a
stunning lack of ethical boundaries. Recent court documents from a fresh
legal battle over an employee jumping ship to Google report Microsoft
CEO Steve Ballmer throwing chairs and screaming many unprintable words,
capped off with, "I'm going to %$#@ kill Google!"

The only way Microsoft knows how to operate is with an enemy in their
crosshairs. A few years back, Linspire (then Lindows) was the recipient
of Ballmer's profanity-laden tirades. But Microsoft's attention has
since been somewhat diverted from the ambiguous threat of Linux - which
doesn't present a singular target - to Google, whose O's make convenient
bull's eyes.

Look for Microsoft to employ the same approach they have used
historically to fight competitors. First they will use technology
barriers within new versions of their operating system to dramatically
favor their own products and discredit competitors. With previous
competitor DR DOS, they embedded intentional incompatibilities, spurious
error messages and bogus issues of compatibility.

With Netscape, they deeply embedded their own products and falsely
claimed they could not be removed. Expect much of the same with Vista,
their newest OS.

In addition, look for exclusionary contracts that preclude computer
manufacturers from pre-installing links and software from Yahoo! and
Google on PCs they sell. With the same unethical management in place, a
legal process that takes years to litigate, and inevitable legal
penalties only representing a tiny fraction of profits, you'd be crazy
not to expect Microsoft to extend the same behavior you've seen over the
last two decades into the next.

*Yahoo!:*

Boxed in by the brainiacs at Google and the massive distribution and
questionable ethics of Microsoft, Yahoo! would seem to be at a slight
disadvantage in the net supremacy game. However, Yahoo!'s management has
matured at a remarkable rate and has an acute awareness of the behemoths
they must operate against.

Yahoo! has taken a unique strategy to track movements of competitors.
Employees are asked to submit tidbits of information they hear to
management, and the company coalesces these nuggets of knowledge into
more comprehensive documents, which are then circulated more widely to
help employees understand possible moves Microsoft and Google might
make. Because they are often competing for the same talent, working with the
same suppliers, and receiving visits from the same companies, this "due
diligence" is remarkably accurate. Yahoo! often takes meetings with
companies they have no interest in doing business with just to scrape
them for data about the industry and what Google or Microsoft might be
up to. It's rare when Yahoo! isn't aware well in advance of moves made
by Microsoft, or especially those made by their Bay Area neighbor Google.

Just knowing where your competitors are going isn't enough, of course:
you still need to compete. Yahoo! is combining Internet-based services
and media like nobody else. (Watch for an amazing rich web interface for
Yahoo! mail that has Silicon Valley buzzing.) They've even rented the
massive MGM office in Los Angeles, which gives them several hundred
thousand square feet of office space to house executives moving down the
coast to be close to Hollywood.

*Google:*

The youngest company of the bunch lacks the ferocity of Microsoft and
the process of Yahoo!, but is maturing quickly. Astonishingly, three
years ago some at Google believed Microsoft wouldn't be interested in
their business. That naiveté was undoubtedly erased when Microsoft
announced intentions to directly compete with their MSN search en

[Full-disclosure] Re: Computer forensics to uncover illegal internet use

2005-09-02 Thread Jason Coombs
 land.

Let the observer decide if they feel like there is such a thing as an 
electronic crime against a child, and if they believe there is one then make it 
a crime not to treat it as one.

Let the witch hunt begin.

Burn the witches! Burn them!

You there, sitting next to that computer, you're a witch, aren't you? No? Prove 
that you aren't one. Prove it, or burn!

I repeat that this thinking is insane.

You have to be insane in order to believe in electronic crimes against 
children, and once you are insane you are bound by law to help burn somebody 
for the crime because you believe in its existence...

How very sick.

Whatever happened to the good old days when the definition of 'crime' was 
objective rather than subjective? And what happened to law enforcement training 
that people have rights that are not to be infringed?

Where have all the LEAs gone who used to believe in conducting investigations 
to uncover all possible exculpatory evidence in addition to that which is 
inculpatory?

LEAs have had their position usurped by forensic expert opinion testimony.

This has resulted in LEAs not even doing investigations. They are now just the 
hands and the legs of the forensic investigator who uses deductive reasoning, 
fancy technology, and their valuable learnings in order to eliminate reasonable 
doubt through the power of thought alone.

Crimes are now often a matter of opinion, not a matter of reasonable proof. 
Does that not concern you substantially?

Are you teaching your children that somebody else's opinion will send them to 
prison under the modern day criminal justice system?

I am teaching mine this, because it is the truth. In my opinion, that is more a 
crime against my child than what you propose to be an 'electronic crime' 
against somebody else's.

Your training and experience are biased against the defense because you are 
trained by law enforcement and you are never exposed to fundamental principles 
that would equip you to properly apply an unbiased and well-informed approach 
to your work. Ask yourself why not? Is there something wrong with 'computer 
forensics' that these truths must be ignored in order for 'computer forensics' 
to be used in practice?

My answer is yes, there is. You are what's wrong with so-called 'computer 
forensics' -- it is a biased system for telling lies under the guise of expert 
testimony, and these lies are being told over and over again in jurisdictions 
around the world. The purpose of the lies is to advance the cause, bias, and 
belief system of those who tell them. Your stated cause (today) is to catch 
everyone who commits an 'electronic crime against a child' -- the methods and 
thinking from which you derive this cause will, naturally, allow you to choose 
a different cause in the future and pursue it as well. Go get those 'electronic 
terrorists' who spread speech that harms commercial interests. Anyone who 
expresses hate toward Microsoft and its dangerous products must be an 
electronic criminal. Your expert testimony can take them off the street, so go 
to it. Hate speech, and speech against the interests of commerce, are against 
the law.

Go enforce the law to the best of your opinion. We depend on you to do just 
that, and to do it well.

Moderator:

This discussion is very important to the basics of information security. Please 
approve this and other postings that include the word 'insane' -- you can see 
that the term is not being used to flame, but to express accurately a technical 
issue that is fundamental to security:

Namely, that security is a belief - and not all beliefs are reasonable, nor 
healthy. Adopting the wrong set of beliefs will actually harm your ability to 
understand what security is.

A loss of legal protections for us as computer owners and operators, if we 
choose to forfeit our rights or allow ourselves to be tricked into thinking 
they do not exist, is a security risk just as certainly as any worm or Trojan 
(malicious software that grants an attacker further access to our computers at 
a future time, after it has infected a host).

A large number of people believe, incorrectly, that law enforcement is a form 
of security. This discussion helps to illustrate clearly that this is a flawed 
belief and that law enforcement can be one of the security threats against 
which we all must defend ourselves and our companies.

This is especially true today given the fact that law enforcement, as viewed 
individual by individual, frequently believe in irrational legal fictions like 
'electronic crimes against children'.

What is the penalty under law for triggering and fueling an irrational witch 
hunt, or a panicked stampede that crushes and tramples its victim-participants, 
in your jurisdiction?

Every person who comes into contact with evidence that may be interpreted to be 
proof of an 'e

Re: [Full-disclosure] RE: Example firewall script

2005-08-27 Thread Jason Coombs
The problem with knowing a thing or two about a thing or two is that you're 
constantly arguing with other people who know nothing about things that nobody 
else can possibly understand, and that nobody will be forced to learn about or 
consider carefully until it's too late for the knowledge to save them from harm.

This is yet another reason that full disclosure is crucial to everyone's 
readiness and to our ability to defend ourselves... Discussion and analysis of 
complex subjects, with real-world study and disclosure of failures and 
mistakes, prepares us to understand new risks and classify new threats 
according to actual significance in our situations.

So, thank you both for sharing your debate and thereby calling attention to an 
area of uncertainty in practice, but if you're going to argue about definitions 
of routing tables vs. ACLs, why not do it in a way that mere mortals are able 
to understand some day in the future when they find your debate archived 
somewhere because their Cisco router's ACL ruleset failed to consider the fact 
that they had routes and multihomed interfaces configured dynamically by an 
attacker who knew better than the victim just how ACLs are parsed and precisely 
what the difference is between a good ACL and a bad one -- or where an attacker 
knew there was another interface physically attached to the Cisco device where 
a small wireless access point could be attached, which WAP would automatically 
assign the Cisco device another endpoint address in the WAP's address space.

"Fuck off" doesn't add to the substance of the technical arguments, and even 
trying to understand why you are debating at all there does not appear to be 
any reason -- other than that you are both feeling stressed because the stock 
market keeps falling and you're counting on Wall Street to make you wealthier 
than your hard-working but lesser-compensated friends and neighbors.

Don't worry, you'll figure out when you're unemployed and broke that all the 
time you spent being upset about little things distracted you from living life 
well, and you'll really only regret not having done more to make sure other 
people had as much opportunity as you did to do good work and document then 
publish details about the things they found important at the time, and to share 
your knowledge publicly for the benefit of everyone who comes after you.

Regards,

Jason Coombs
[EMAIL PROTECTED]

-Original Message-
From: "J.A. Terranson" <[EMAIL PROTECTED]>
Date: Sat, 27 Aug 2005 15:38:11 
To: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
Cc: Full-Disclosure 
Subject: Re: [Full-disclosure] RE: Example firewall script



For the record,  I just got a phone call from this guy - apparently he's
afraid that because I call bullshit on him in public, I'm also going to
"fill [his] email box with spam and stuff".

Very entertaining.  He even calls back and leaves messages when you hang
up on him!  Of course, while he's willing to call you on your cell phone
to bitch and moan, he's also a pussy: he hides his calling number.

HEY - ERIC!!!

FUCK OFF.


On Sat, 27 Aug 2005, [EMAIL PROTECTED] wrote:

> Date: Sat, 27 Aug 2005 16:27:14 -0400
> From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Re: [Full-disclosure] RE: Example firewall script
>
>
> As does Juniper, as does.
>
> >> Your Point?
>
>
>
> Uh... No.  Traffic shaping may make use of ACLs, but ACL != Shaping.
>
> >>Sorry, but...
> >>By definition, ACLs are a traffic shaping device.
>
>
>
>
> Bzzzt.  *All* "Autonomous Systems" are multihomed.  That's the definition
> of AS.
>
> >> That's completely wrong. The definition of an "AS" is not that it's
> multihomed, and not all AS's are multihomed.
>
>
>
> Again, wrong.  ACLS are involved, but what you are talking about are
> called ROUTING DECISIONS, and ACLS != Routing Decisions.
>
> >> Sorry, but that's EXACTLY what they are. They are a set of instructions
> by which a routing device DECIDES where to route packets.
>
>
> This is true for *most* ACL implementations, but NOT for all.  Again, you
> are trying to paint the entire world with your only available [Cisco]
> brush, and it is making you look like a self-important fool.
>
> >> Sorry, but... you're wrong again. The very nature of how ACLs work means
> that you move from specific to general.
>
>
> I can probably find a few good ones to recommend - if you will promise to
> read them prior to spewing more of this.
>
> >> Based on your statements so far, I would not be inclined to follow your
> suggestions.
>
>
>
> And still managed to screw up most of what y

[Full-disclosure] talk.google.com

2005-08-24 Thread Jason Coombs

http://www.google.com/talk/

Anyone looked at Google Talk?

Yet another exposed endpoint... Let's bring all those vulnerable 
processors together in one place so they're easier to find? Hmm.


When will users demand something fundamentally safer to use?

Regards,

Jason Coombs
[EMAIL PROTECTED]


[Full-disclosure] Re: MS not telling enough

2005-08-18 Thread Jason Coombs
> So there ya go. I suppose you'll
> find something new to complain
> about, or to be rude about.

Whenever possible, yes.

It's amazing how much you support Microsoft. Don't you know that it is in the 
continued support that you give them that they derive their continued 
opportunities to harm others?

Of course, the more you and others support Microsoft, the more your expertise 
grows in value.

Compare your decision-making and ethics to the decisions made by me and others 
who, after hard work and sacrifice to gain over a decade's worth of training, 
education, skill and work experience with Microsoft products, grew to 
understand that it causes harm to the entire world for us to apply that skill 
in any fashion that helps Microsoft.

I swore an oath never again to apply my skills in a way that helps Microsoft.

... or to help any other organization that knowingly causes harm with reckless 
disregard for the well-being of others.

Integrity, competency, and those who prove they are good people must be 
supported, and anyone who lacks integrity, competency, and has proven they are 
bad must be opposed.

To do otherwise demonstrates the same self-serving and wrong thinking that 
enables Microsoft to con its victims in the first place.

Glad to see Microsoft give an opinion that more clearly explains that their 
Windows 2000 product is inherently defective and shouldn't be used if you 
intend to connect it to a computer network.

That was the conclusion that I arrived at after performing a forensic review of 
IIS 5.0 -- you'll find my analysis contained within my book about IIS security:

http://www.science.org/jcoombs/

http://www.forensics.org/IIS_Security_and_Programming_Countermeasures.pdf

Best,

Jason Coombs
[EMAIL PROTECTED]


-Original Message-
From: "Kurt Seifried" <[EMAIL PROTECTED]>
Date: Thu, 18 Aug 2005 11:00:04 
To: <[EMAIL PROTECTED]>
Subject: MS not telling enough

They just updated MS05-039.

 Windows 2000 systems are primarily at risk from this vulnerability. Windows 
2000 customers who have installed the MS05-039 security update are not 
affected by this vulnerability. If an administrator has disabled anonymous 
connections by changing the default setting of the RestrictAnonymous 
registry key to a value of 2, Windows 2000 systems would not be vulnerable 
remotely from anonymous users. However, because of a large application 
compatibility risk, we do not recommend customers enable this setting in 
production environments without first extensively testing the setting in 
their environment. For more information, search for RestrictAnonymous at the 
Microsoft Help and Support Web site.

So there ya go. I suppose you'll find something new to complain about, or to 
be rude about.

-Kurt 



[Full-disclosure] Sensitive Information Disclosure Vulnerability in Kinetics Kiosk Product

2005-08-18 Thread Jason Coombs
The following script error message was noted being displayed this morning on an 
airline check-in kiosk manufactured by Kinetics USA.

Vendor: Kinetics USA
www.kineticsUSA.com


Line: 107
Char: 2
Error: object expected
Code: 0
URL: http://151.151.10.46:64080/attract
?time=1124376480&TransactionID=HNL_KIOSK09-050818044716

Clearly, building a product such as a publicly-accessible airline passenger 
check-in kiosk using Internet Explorer and Windows is a very bad design 
decision if you care at all about preventing this sort of information 
disclosure.

Even so, IE can and should be configured so as not to display such script 
errors.

Furthermore, the use of an IP address that is outside of the RFC 1918 private 
subnet address range appears very irresponsible.

Sincerely,

Jason Coombs
[EMAIL PROTECTED]
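
As an added illustration of the triage a defender would do with a dialog like the one above (example code, not part of the original post), the script below parses the reported error text, checks the back-end address against the three RFC 1918 blocks, and lists what the dialog discloses; the error text is reassembled from the post and the `assess_disclosure` helper is hypothetical.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qs

# RFC 1918 private blocks, spelled out so the check is exactly what the
# post refers to (ipaddress.is_private would also match other reserved space).
RFC1918_BLOCKS = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
)

# Constructed sample: the kiosk's script-error dialog, one "Key: value" per line,
# with the wrapped URL from the post joined back together.
SAMPLE_ERROR = (
    "Line: 107\n"
    "Char: 2\n"
    "Error: object expected\n"
    "Code: 0\n"
    "URL: http://151.151.10.46:64080/attract"
    "?time=1124376480&TransactionID=HNL_KIOSK09-050818044716\n"
)


def is_rfc1918(host):
    """True only for a literal IPv4 address inside one of the RFC 1918 blocks."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname, not an address literal
    return any(addr in block for block in RFC1918_BLOCKS)


def parse_error_dialog(text):
    """Split 'Key: value' lines into a dict; only the first ':' is a separator."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            fields[key.strip()] = value.strip()
    return fields


def assess_disclosure(text):
    """Describe what an unhandled script-error dialog reveals about the back end."""
    fields = parse_error_dialog(text)
    parts = urlsplit(fields.get("URL", ""))
    host = parts.hostname or ""
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    findings = []
    if host:
        findings.append("back-end host and port exposed: %s:%s" % (host, parts.port))
        if not is_rfc1918(host):
            findings.append("back-end address is outside RFC 1918 private space")
    if parts.scheme == "http":
        findings.append("back end reached over cleartext HTTP")
    if "TransactionID" in params:
        findings.append("transaction identifier exposed: " + params["TransactionID"])
    return {
        "host": host,
        "port": parts.port,
        "rfc1918": is_rfc1918(host) if host else None,
        "params": params,
        "findings": findings,
    }


if __name__ == "__main__":
    for finding in assess_disclosure(SAMPLE_ERROR)["findings"]:
        print("-", finding)
```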


Re: [Full-disclosure] Re: It's not that simple...

2005-08-17 Thread Jason Coombs

Kurt Seifried wrote:
Why don't you test it and tell us rather than constantly complaining. 


Ah, but you got the message, didn't you? There is more doubt as to 
whether your suggestion would actually mitigate the risk than your very 
nice posting acknowledged.


I'm supposed to do Microsoft's job for them? No way.

It's painful that I'm not able to stop using their crap software 
entirely, and I wish they would just go away.


Regards,

Jason Coombs
[EMAIL PROTECTED]


Re: [Full-disclosure] Re: It's not that simple...

2005-08-17 Thread Jason Coombs

Kurt Seifried wrote:
Actually it really is that simple. Disabling Null sessions is entirely 
possible, quite easy, and doesn't break a lot (at least in my previous 


Then why doesn't Microsoft provide these instructions in the workarounds 
section of the vulnerability announcement? Are you certain, Kurt, that 
the proposed registry hack is sufficient to prevent PnP null sessions? 
Perhaps they branch differently in the Windows 2000 code base.


http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx

Workarounds for Plug and Play Vulnerability - CAN-2005-1983:

Microsoft has tested the following workarounds. While these workarounds 
will not correct the underlying vulnerability, they help block known 
attack vectors. When a workaround reduces functionality, it is 
identified in the following section.


Note Other protocols, such as Internetwork Packet Exchange (IPX) and 
Sequenced Packet Exchange (SPX), could be vulnerable to this issue. If 
you are using vulnerable protocols such as IPX and SPX, you should block 
the appropriate ports for those protocols. For more information about 
IPX and SPX, visit the following Microsoft Web site.


Note As mentioned in the “Mitigating Factors” section, Windows XP 
Service Pack 2 and Windows Server 2003 are vulnerable to this issue 
primarily from locally logged on users. The following workarounds are 
designed primarily for earlier operating system versions that are 
vulnerable to anonymous network-based attacks.

•   

Block TCP ports 139 and 445 at the firewall:

These ports are used to initiate a connection with the affected 
protocol. Blocking them at the firewall, both inbound and outbound, will 
help prevent systems that are behind that firewall from attempts to 
exploit this vulnerability. We recommend that you block all unsolicited 
inbound communication from the Internet to help prevent attacks that may 
use other ports. For more information about ports, visit the following 
Web site.

•   

To help protect from network-based attempts to exploit this 
vulnerability, use a personal firewall, such as the Internet Connection 
Firewall, which is included with Windows XP Service Pack 1.


By default, the Internet Connection Firewall feature in Windows XP 
Service Pack 1 helps protect your Internet connection by blocking 
unsolicited incoming traffic. We recommend that you block all 
unsolicited incoming communication from the Internet.


To enable the Internet Connection Firewall feature by using the Network 
Setup Wizard, follow these steps:


1.


Click Start, and then click Control Panel.

2.


In the default Category View, click Network and Internet Connections, 
and then click Setup or change your home or small office network. The 
Internet Connection Firewall feature is enabled when you select a 
configuration in the Network Setup Wizard that indicates that your 
system is connected directly to the Internet.


To configure Internet Connection Firewall manually for a connection, 
follow these steps:


1.


Click Start, and then click Control Panel.

2.


In the default Category View, click Networking and Internet Connections, 
and then click Network Connections.


3.


Right-click the connection on which you want to enable Internet 
Connection Firewall, and then click Properties.


4.


Click the Advanced tab.

5.


Click to select the Protect my computer or network by limiting or 
preventing access to this computer from the Internet check box, and then 
click OK.


Note If you want to enable certain programs and services to communicate 
through the firewall, click Settings on the Advanced tab, and then 
select the programs, the protocols, and the services that are required.

•   

To help protect from network-based attempts to exploit this 
vulnerability, enable advanced TCP/IP filtering on systems that support 
this feature.


You can enable advanced TCP/IP filtering to block all unsolicited 
inbound traffic. For more information about how to configure TCP/IP 
filtering, see Microsoft Knowledge Base Article 309798.

•   To help protect from network-based attempts to exploit this 
vulnerability, block the affected ports by using IPsec on the affected 
systems.


Use Internet Protocol security (IPsec) to help protect network 
communications. Detailed information about IPsec and about how to apply 
filters is available in Microsoft Knowledge Base Article 313190 and 
Microsoft Knowledge Base Article 813878.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Re: It's not that simple...

2005-08-17 Thread Jason Coombs

Florian Weimer wrote:
Doesn't the exploit code need a null session? 


Under Windows 2000 it does, the other OSes require authenticated 
sessions to launch the exploit.


Not clear whether Windows 2000 allows disabling of null sessions, but 
the implication is not.


http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx

Regards,

Jason Coombs
[EMAIL PROTECTED]


Re: [Full-disclosure] Disney Down?

2005-08-17 Thread Jason Coombs
American Express has been unable to provide me with customer service by 
telephone since the outbreak began.

Larry, you of all people can't possibly believe that the scope of this incident 
is limited to what you read in the news.

Furthermore, do you truly believe that the worms are the point here?

The worms cause a distraction, and the media plus the antivirus industry 
collaborate to make victims believe that they can recover from the incident 
just by shutting down the worm.

What about attacks that took place with the worms as cover? How many high-value 
systems just got compromised, and will remain so, by something other than the 
worms' code -- where the victim won't even bother to investigate that 
possibility because they feel like the worm was the incident.

Regards,

Jason Coombs
[EMAIL PROTECTED]

-Original Message-
From: "Larry Seltzer" <[EMAIL PROTECTED]>
Date: Wed, 17 Aug 2005 08:20:17 
To:"'Micheal Espinola Jr'" <[EMAIL PROTECTED]>,   

Subject: RE: [Full-disclosure] Disney Down?

>>"So patch your systems, but don't miss your kid's play in order to do it.
We've seen a lot worse than this in the past."
>>Brilliant advise[sic]!

Yeah, clearly I timed the column badly, but I still think there's more smoke
than fire on this outbreak. If it had been International Paper or some
company like that rather than media outlets I suspect it wouldn't be getting
all this attention. I also think it's fair to say that when it dies down,
relatively soon, it won't achieve the endemic status of Blaster and Sasser
because it will have little or no presence on consumer systems.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.ziffdavis.com/seltzer
Contributing Editor, PC Magazine
[EMAIL PROTECTED] 




Re: [Full-disclosure] [Fwd: Re: Global CompuSearch]

2005-08-17 Thread Jason Coombs

Paul Schmehl wrote:

Is there a compelling reason for posting this pissing contest to the list?


Yes, there is, Paul. But you weren't paying attention, as usual.

Regards,

Jason Coombs
[EMAIL PROTECTED]


Re: [Full-disclosure] Re: pnp worm unknown variant - post infectionactions

2005-08-17 Thread Jason Coombs

Madison, Marc wrote:

Just heard a keynote speech from Jim Christy of the Defense Cyber Crime
Institute, Defense Cyber Crime Center, in which he states over eighty
percent of the lab's cases are related to child porn, not Al Qaeda or
terrorism but these allegedly sick individuals.  Mr. Christy said the
lab has compiled hashes of known child porn; they use the hashes to
perform quick scans of suspected criminals' computers in order to
facilitate a quicker response to the investigating agency in the case.



Right. So, let me walk you through the sequence of events that takes 
place in the real world based on these "quick" searches for hashes of 
known child pornography:


1) You are arrested
2) Your computer is seized
3) A Law Enforcement Agency computer forensics crime lab searches for 
hashes of known child pornography on your hard drives

4) Matches are found
5) A report is authored detailing these findings, and nothing else, so 
that the prosecutor's office and investigating agency get a "quicker 
response" (translation: improved customer service)

6) The prosecutor goes ahead with the case against you
7) You go to trial
8) At your trial, the proof that you possessed child pornography is 
presented by a duly trained, certified, and highly-credentialed law 
enforcement-associated computer forensic examiner

9) The jury convicts you

What's wrong with this picture? Absolutely nothing if you are interested 
in growing an industry and providing good customer service to your law 
enforcement and prosecuting agency clients.


Who cares that you're guilty until you prove yourself innocent, right?

Maybe that's how it should be in all cases... If law enforcement arrests 
you and the prosecutor prosecutes your case, then these good and 
reputable and honest and trustworthy people must know something that the 
general public doesn't know, and their knowledge must be proof of your 
guilt, right?


Regards,

Jason Coombs
[EMAIL PROTECTED]


[Full-disclosure] [Fwd: Global CompuSearch]

2005-08-17 Thread Jason Coombs



 Original Message 
Subject:Global CompuSearch
Date:   Tue, 16 Aug 2005 17:05:02 -0700
From:   Matthew Ries <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
CC: Marcus Lawson <[EMAIL PROTECTED]>



Mr. Coombs:
Our firm represents Global CompuSearch.  Please see the attached
letter which is also being mailed to you.  If you are represented by an
attorney, give me your attorney's contact information and I will
communicate directly with your attorney.
Matt Ries



Re: [Full-disclosure] Re: pnp worm unknown variant - post infectionactions

2005-08-17 Thread Jason Coombs

Aditya Deshmukh wrote:

suppose we have VNC installed and that is used to take control of the
computer and the actions show up as done by the user - would it not be
caught by law enforcement ?


What, you expect them to take an inventory of all of your installed 
software? You think there are "scientific standards" for "computer 
forensic" examinations? Are you expecting law enforcement to also be 
expert infosec gurus and do exhaustive searches through hundreds of 
gigabytes of data looking for the needle in the haystack?


What about Metasploit, which will gladly inject a RAM-only WinVNC server 
and give complete remote control without "installing" WinVNC anywhere on 
the hard drive?


If your Windows box gets owned by such a thing, and you end up accused 
of the crimes that the attacker committed while they were in control of 
your box, you can kiss your ass goodbye.


This is what I'm trying to correct. And I'm not alone, but I am in the 
minority. Your help would be most welcome, but I honestly don't know 
what you can do...


Just be aware, gather proof that "computer forensics" as it is practiced 
today has very serious flaws, and tell others.


I predict that we will see a wave of convictions overturned, and 
prisoners released, based on faulty computer forensic evidence, that 
will make wrongful convictions based on faulty DNA evidence seem 
insignificant by comparison.


Regards,

Jason Coombs
[EMAIL PROTECTED]


Re: [Full-disclosure] [Fwd: Re: Global CompuSearch]

2005-08-16 Thread Jason Coombs

VIA MAIL AND EMAIL [EMAIL PROTECTED]

Mr. Jason Coombs
59-088 Kamehameha Hwy.
Haleiwa, HI  96712

Re: Global CompuSearch, L.L.C.

Dear Mr. Coombs:

Our firm has been retained by Global CompuSearch, L.L.C., to address the 
false and slanderous statements that you have made to various third 
parties about Global CompuSearch and Marcus Lawson.  I have reviewed 
several emails that you have sent calling Mr. Lawson a liar, and 
calling him an incompetent computer forensic expert. 
 Specifically, I have reviewed an August 9, 2005 email that you sent to 
an internet forensic bulletin board where you provide an alleged quote 
of Marcus Lawson and stated that Mr. Lawson’s purported statement is “a 
big fat lie told by self-important people.”   Later in this email you 
seek information about Marcus Lawson and then state that “people like 
Marcus Lawson who think they know what their doing but clearly do not 
are helping to get innocent people convicted by spewing nonsense.”  Your 
statements about Mr. Lawson are false and are obviously made with the 
intent to injure Mr. Lawson’s reputation as a forensic expert and injure 
Mr. Lawson’s business throughout the computer forensic community which 
Mr. Lawson and Global CompuSearch will not sit idly by and allow.


I have also reviewed the emails that you have sent directly to Global 
CompuSearch’s client, Mr. Phil Cave, Esq., in which you attempt to 
directly solicit forensic work by repeatedly defaming Marcus Lawson and 
his company. In an email that you sent on August 10, 2005, to Mr. 
Cave you state that Mr. Lawson’s testimony caused harm to a defendant in 
a separate trial, and then state:


“I would submit to you that anyone with minimal training who knows how 
to operate a computer could have done the work that Mr. Lawson did, and 
it is my belief that the same can be said of Mr. Lawson’s work in the 
present case.”


Considering that you have not reviewed the work that Mr. Lawson has done 
in Mr. Sander’s case, nor have you reviewed the computer hard drive in 
question, your accusations are clearly baseless.  You further claim in 
your email that Mr. Lawson has made a purported false statement at some 
point in time which “proves beyond any doubt that Mr. Lawson’s 
inadequate understanding of computer programming is causing him to 
offer inaccurate, underinformed opinions in the present case.”  In an 
August 13, 2005, email to Mr. Cave after writing two pages of reasons 
why you believe Mr. Lawson can simply disobey a court order and transfer 
to you a hard drive which contains illicit child pornography, you state 
that Mr. Lawson’s work product is “incompetent and misleading.”  In this 
same email you write:


“I sincerely hope that the court in this case is given full explanation 
of what Mr. Lawson’s mistakes have been, and that the court takes the 
time to carefully teach Mr. Lawson his duty as an expert witness.  He 
clearly misunderstands what the court expects of him, and his 
misunderstandings are helping to deprive people of their Constitutional 
rights.  Surely this cannot be his intent.”


Your statements about Mr. Lawson are false and are obviously made with 
the intent to injure Mr. Lawson’s professional relationship with Mr. 
Cave.  This not only constitutes defamation, but you are further 
deliberately attempting to interfere with the business relationship 
between Mr. Cave and Global CompuSearch.


Global CompuSearch hereby demands that you immediately cease and desist 
from making any further defamatory and disparaging statements to anyone 
regarding Marcus Lawson and Global CompuSearch; and that you cease and 
desist from contacting Mr. Cave about Mr. Lawson, Global CompuSearch or 
about Mr. Sanders’ case.  If you choose to ignore my client’s demand, 
and you continue to spew these false and defamatory statements against 
Mr. Lawson and his company, I have been instructed to immediately 
proceed with initiating a lawsuit against you to obtain all appropriate 
remedies.  I am further informed that you are affiliated with a forensic 
organization.  If you continue with this conduct, we will have to notify 
the organization and potentially join them as a party to the lawsuit.
Global CompuSearch hopes that you will act prudently so that no further 
legal action will be necessary.  However, Global CompuSearch is prepared 
to do what is necessary to protect itself from your unwarranted attacks 
and outrageous conduct.


Very truly yours,

MATTHEW T. RIES

cc: Marcus Lawson


[Full-disclosure] [Fwd: Re: Global CompuSearch]

2005-08-16 Thread Jason Coombs


 Original Message 
Subject: Re: Global CompuSearch
Date: Tue, 16 Aug 2005 15:02:10 -1000
From: Jason Coombs <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: Matthew Ries <[EMAIL PROTECTED]>
CC: Marcus Lawson <[EMAIL PROTECTED]>


I have also reviewed the emails that you have sent directly to Global
CompuSearch’s client, Mr. Phil Cave, Esq., in which you attempt to
directly solicit forensic work by repeatedly defaming Marcus Lawson
and his company.


I have done no such thing as "solicit forensic work" -- I suggest that
you re-read my e-mails to Mr. Phil Cave. Better yet, talk with him. He
will tell you that Mr. Cave himself offered me work on another case and
sent me documents pertaining to it; I explained that I did not need nor
did I want compensation, that we could talk about his other case later,
perhaps, and I would review the documents free of charge, but in the Air 
Force service member's immediate case it was perfectly clear that Mr. 
Lawson's obscene incompetency was causing harm and this harm needed to 
be addressed adequately, a task that I agreed to undertake free of charge.


I volunteered my expertise when I was asked by the defendant for help
saving a potentially-innocent defendant from wrongful conviction.

Your client's despicable actions are a menace to society, and any good
and honorable person who knows this to be the case cannot sit still and
let his willful deceptions and his wrongful acts continue to harm
unsuspecting victims who merely seek competent computer expert witness
testimony.

Mr. Lawson has been given an opportunity to correct his mistakes. Let's
wait and see if he does so. That would be the ultimate proof that he
is not incompetent, at which point he and I can meet in court and find
out what the damage is that he thinks has been done by my forced
intervention that prompted his acquisition of competency.

Sincerely,

Jason Coombs
[EMAIL PROTECTED]



Re: [Full-disclosure] Re: pnp worm unknown variant - post infection actions

2005-08-16 Thread Jason Coombs

Nick FitzGerald wrote:
Oh, and it's far from the first "wormy bot" (or similar) to further 
compromise the victim machine by installing adware, spyware, warez 
server, etc, etc.


Very good points, but can you think of another worm that downloaded XXX 
spyware/adware ?


Regards,

Jason Coombs
[EMAIL PROTECTED]


[Full-disclosure] Re: Global CompuSearch

2005-08-16 Thread Jason Coombs

Matthew Ries wrote:

Mr. Coombs:
Our firm represents Global CompuSearch.  Please see the attached 
letter which is also being mailed to you.  If you are represented by an 
attorney, give me your attorney's contact information and I will 
communicate directly with your attorney.
Matt Ries 


No statement made by me with respect to Mr. Lawson has been false.

Mr. Lawson *IS* an incompetent computer forensic expert who 
misrepresents his work as something that it is not.


The facts prove this beyond any doubt. Good luck in your lawsuit.

Sincerely,

Jason Coombs
[EMAIL PROTECTED]


Re: [Full-disclosure] Re: pnp worm unknown variant - post infection actions

2005-08-16 Thread Jason Coombs

Morning Wood wrote:
>> Does it install child pornographic malware

wtf would you ask that anyway?


Because people are being prosecuted for possession of child pornography 
based on what is found on their hard drives and in their IE history, and 
most of these people are being convicted despite the fact that their 
computers are infected with porn-related spyware and adware. In nearly 
every case law enforcement fails to even check for these infections.


Interesting thing with this worm is the extent to which it may have just 
planted a large amount of porn on a large number of computers.


Not that this hasn't already been happening as a result of porn-related 
spyware and adware, but is this the first porn worm?


Cheers,

Jason Coombs
[EMAIL PROTECTED]


Re: [Full-disclosure] pnp worm unknown variant - post infection actions

2005-08-16 Thread Jason Coombs

Morning Wood wrote:

the .reg files disable IE Security settings

update.html contains...

...

which installs pornographic malware.


Donnie,

Does it install child pornographic malware, or have you confirmed that 
all of the exposed genitalia are attached to a natural person who is 
more than 18 years of age?


Regards,

Jason Coombs
[EMAIL PROTECTED]


Re: [Full-disclosure] Re: Help put a stop to incompetent computerforensics

2005-08-12 Thread Jason Coombs
J.A. Terranson wrote:
> SANS is a for profit corp.,
> and was run as such even when
> they were playing possum as a
> non-profit.
> They are *not* a "disinterested
> third party" any more than the
> anti-virus firms are - and not
> many people would use *them*
> as an authoritative reference

To drive this point home, Newton's Telecom 'Dictionary' has some amazingly bad 
'definitions' -- for example, the definition of 'multimedia' includes data that 
is transmitted or viewed by way of a fax machine.

http://www.harrynewton.com/

Newton's 'definition' of 'Internet' starts out with a first-person narrative on 
how difficult it is to define the Internet. Pure crap.

Anyone who puts effort into writing a book should be encouraged to publish it, 
but publishers (and readers) should care a little about commercial misuse of 
labels like 'dictionary' when the definitions have only a single biased author.

There are some very impressive collaborative, community-developed computer 
dictionaries and encyclopedias. They do a nice job most of the time, because 
they are constantly peer-reviewed and corrected.

Anyone presumptuous enough to arbitrarily define technical terms without 
considerable careful thought and then publish the arbitrary text and call it a 
'dictionary' should be shot.

Regards,

Jason Coombs
[EMAIL PROTECTED]


[Full-disclosure] Fw: US-CERT Technical Cyber Security Alert TA05-224A -- VERITAS Backup Exec Uses Hard-Coded Authentication Credentials

2005-08-12 Thread Jason Coombs
So, what's the password?

-Original Message-
From: CERT Advisory 
Date: Fri, 12 Aug 2005 18:16:36 
To:cert-advisory@cert.org
Subject: US-CERT Technical Cyber Security Alert TA05-224A -- VERITAS Backup 
Exec Uses Hard-Coded Authentication Credentials




 National Cyber Alert System

   Technical Cyber Security Alert TA05-224A


VERITAS Backup Exec Uses Hard-Coded Authentication Credentials

   Original release date: August 12, 2005
   Last revised: --
   Source: US-CERT


Systems Affected

 * VERITAS Backup Exec Remote Agent for Windows Servers


Overview

   VERITAS Backup Exec Remote Agent for Windows Servers uses
   hard-coded administrative authentication credentials. An attacker
   with knowledge of these credentials and access to the Remote Agent
   could retrieve arbitrary files from a vulnerable system.


I. Description

   VERITAS Backup Exec Remote Agent for Windows Servers is a data
   backup and recovery solution that supports the Network Data
   Management Protocol (NDMP). NDMP "...is an open standard protocol
   for enterprise-wide backup of heterogeneous network-attached
   storage." By default, the Remote Agent listens for NDMP traffic on
   port 1/tcp.

   The VERITAS Backup Exec Remote agent uses hard-coded administrative
   authentication credentials. An attacker with knowledge of these
   credentials and access to the Remote Agent may be able to retrieve
   arbitrary files from a vulnerable system. The Remote Agent runs
   with SYSTEM privileges.

   Exploit code, including the credentials, is publicly available.
   US-CERT has also seen reports of increased scanning activity on
   port 1/tcp. This increase may be caused by attempts to locate
   vulnerable systems.

   US-CERT is tracking this vulnerability as VU#378957.

   Please note that VERITAS has recently merged with Symantec.


II. Impact

   A remote attacker with knowledge of the credentials and access to
   the Remote Agent may be able to retrieve arbitrary files from a
   vulnerable system.


III. Solution

Restrict access

   US-CERT recommends taking the following actions to reduce the chances
   of exploitation:

 * Use firewalls to limit connectivity so that only authorized backup
   server(s) can connect to the Remote Agent. The default port for
   this service is port 1/tcp.

 * At a minimum, implement some basic protection at the network
   perimeter. When developing rules for network traffic filters,
   realize that individual installations may operate on
   non-standard ports.

 * In addition, changing the Remote Agent's default port from
   1/tcp may reduce the chances of exploitation. Please refer
   to VERITAS support document 255174 for instructions on how to
   change the default port.

   For more information, please see US-CERT Vulnerability Note VU#378957.


Appendix A. References

 * US-CERT Vulnerability Note VU#378957

 * Veritas Backup Exec Remote Agent for Windows Servers Arbitrary
   File Download Vulnerability

 * VERITAS support document 255831

 * VERITAS support document 258334

 * VERITAS support document 255174

 * What is NDMP?


 

   The most recent version of this document can be found at:

   Feedback can be directed to US-CERT Technical Staff. Please send
   email to <[EMAIL PROTECTED]> with "TA05-224A Feedback VU#378957" in the
   subject.

   Produced 2005 by US-CERT, a government organization.

   Terms of use:


Revision History

   Aug 12, 2005: Initial release

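The alert's mitigation is an allow-list of backup servers on the Remote Agent port, and it also reports increased scanning of that port. The script below is an added example, not code from the US-CERT alert or from VERITAS: it reads firewall log lines in an assumed, simplified format, flags connections to the agent port from any source that is not an authorized backup server (regardless of whether the firewall allowed them), and counts how many distinct hosts each source touched on that port to surface sweeps. The log format, addresses, allow-list and sweep threshold are constructed assumptions.

```python
"""Audit firewall logs for Backup Exec Remote Agent (NDMP) access.

Added example, not code from the US-CERT alert or from VERITAS. The log
format, addresses and allow-list below are constructed assumptions.
"""
from collections import defaultdict
import ipaddress
import re

# Default Remote Agent port as stated in the alert text above; the alert
# notes installations may run on non-standard ports, so pass your own.
NDMP_PORT = 1

# Assumed log format: "<time> <src>:<sport> -> <dst>:<dport> <proto> <action>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)\s+(?P<action>\w+)$"
)

# Constructed sample: 10.0.5.20 is the only authorized backup server.
SAMPLE_LOG = """\
2005-08-12T18:20:01 10.0.5.20:49152 -> 10.0.1.10:1 tcp ALLOW
2005-08-12T18:20:02 10.0.5.20:49153 -> 10.0.1.11:1 tcp ALLOW
2005-08-12T18:21:07 192.0.2.77:33001 -> 10.0.1.10:1 tcp ALLOW
2005-08-12T18:21:08 192.0.2.77:33002 -> 10.0.1.11:1 tcp ALLOW
2005-08-12T18:21:08 192.0.2.77:33003 -> 10.0.1.12:1 tcp DENY
2005-08-12T18:21:09 192.0.2.77:33004 -> 10.0.1.13:1 tcp DENY
2005-08-12T18:22:00 10.0.5.21:40000 -> 10.0.1.10:1 tcp ALLOW
2005-08-12T18:23:00 10.0.5.20:49154 -> 10.0.1.10:445 tcp ALLOW
"""
AUTHORIZED_BACKUP_SERVERS = ["10.0.5.20"]  # single IPs or CIDR blocks


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def audit_ndmp_access(log_text, authorized, port=NDMP_PORT, sweep_threshold=3):
    """Return connections to `port` from non-authorized sources and sweep suspects.

    Sources are judged against the allow-list, not the firewall's ALLOW/DENY:
    an ALLOW from an unlisted host means the filtering rule itself is too loose.
    """
    nets = [ipaddress.ip_network(a, strict=False) for a in authorized]
    unauthorized = []            # (timestamp, src, dst, action)
    targets = defaultdict(set)   # src -> distinct destinations hit on `port`
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp" or rec["dport"] != port:
            continue
        targets[rec["src"]].add(rec["dst"])
        src_addr = ipaddress.ip_address(rec["src"])
        if not any(src_addr in net for net in nets):
            unauthorized.append((rec["ts"], rec["src"], rec["dst"], rec["action"]))
    # A source touching many distinct hosts on the agent port looks like the
    # scanning activity the alert describes.
    sweeps = {src: len(dsts) for src, dsts in targets.items()
              if len(dsts) >= sweep_threshold}
    return {"unauthorized": unauthorized, "sweeps": sweeps}


if __name__ == "__main__":
    report = audit_ndmp_access(SAMPLE_LOG, AUTHORIZED_BACKUP_SERVERS)
    for ts, src, dst, action in report["unauthorized"]:
        print(f"{ts} unauthorized NDMP access {src} -> {dst} ({action})")
    for src, count in report["sweeps"].items():
        print(f"{src} touched {count} hosts on port {NDMP_PORT}/tcp: possible sweep")
```
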

Re: [Full-disclosure] Re: Help put a stop to incompetent computerforensics

2005-08-11 Thread Jason Coombs
J.A. Terranson wrote:
> The simple fact of the matter is that
> "what matters" *IS* the definition,
> and you full well know it.  What
> happened here is you slipped and
> fell, and rather than admitting it
> you're crying foul - shame on you!

I didn't disagree that the broader definition of Trojan was completely unknown 
to me. How did I miss it? Was it me who slipped and fell, because I was being 
careless, or is there more to the story... This was and is a good question.

In my entire life I have not encountered a real-world use of the term Trojan 
where the software at issue did not grant remote access to an attacker after 
the Trojan infection occurred.

Now we use other terms like spyware to classify what I have recently learned 
used to be called Trojans.

My conclusion is that I slipped and fell because the definition has changed and 
computer dictionaries haven't caught up yet.

As for whether or not you'd roast me in front of the judge,

'Your honor, the evidence shows that the term Trojan hasn't been used in 
practice since before public dial-up access to the Internet first became 
possible. The parties clearly have adopted other language to describe the 
software in question in this case and they have formalized this language in 
contract. I believe that there was no definition of Trojan set forth in the 
contract because, your honor, neither party believed that the term Trojan 
needed a definition, because it's obvious to anyone with a high school 
education what the word Trojan means. Its only meaning to this contract (or in 
this patent) is the common sense meaning, regardless of the computer dictionary 
definitions and computer expert testimony dating back to the 1960s that the 
opposing counsel and opposing experts would have this court believe was in the 
mind of the parties (or the inventor) when they drafted this contract (or 
patent claim).

We're all familiar with, and have experienced, the broadening of the meaning of 
familiar terminology. However, the narrowing of the meaning of familiar 
terminology can and does also occur. I conclude, and it is my opinion, that 
just such a narrowing has occurred and is occurring with respect to Trojan as 
the term is applied and used in computing.

Who roasts who at trial? It depends on the evidence, and so far I haven't seen 
anything other than dictionaries that disagree with my argument above. You 
probably know that dictionaries are written by people, and even with peer 
review that often leaves room for mistakes.

Of course my argument was born out of the pain caused by my fall. But that 
doesn't make the argument invalid. So many people share my definition of Trojan 
that those of you who think you can dismiss it as wrong simply have to think 
twice.

Cheers,

Jason Coombs
[EMAIL PROTECTED]


Re: [Full-disclosure] "responsible disclosure" explanation (anexample of the fallacy of idealistic thought)

2005-08-11 Thread Jason Coombs
Florian Weimer wrote:
> The implicit message that other
> disclosure processes were
> irresponsible was invaluable.

Invaluable; adjective

'Valuable beyond estimation. Priceless.'

http://www.m-w.com/cgi-bin/dictionary?book=Dictionary&va=invaluable

You've got that right. It has proved invaluable to marketing efforts, lobbyist 
campaigns to get new legislation enacted, and disinformation spread by 
self-interested bad people.

(I know you're not one of them)

Sincerely,

Jason Coombs
[EMAIL PROTECTED]

“A Trojan is malicious code that gives an attacker future unauthorized access 
to a computer or its data. Nobody with common sense refers to spyware as 
Trojans.”

-Original Message-
From: Florian Weimer <[EMAIL PROTECTED]>
Date: Thu, 11 Aug 2005 19:15:27 
To:Matthew Murphy <[EMAIL PROTECTED]>
Cc:full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] "responsible disclosure" explanation (an
example of the fallacy of idealistic thought)

* Matthew Murphy:

> Let me just define "responsible disclosure" first of all, so as to 
> dissociate myself from the lunatic lawyers of certain corporations 
> (Cisco, HP, ISS, et al) who define "responsible disclosure" as 
> "non-disclosure".  The generally accepted definition of responsible 
> disclosure is simply allowing vendors advance notification to fix 
> vulnerabilities in their products before information describing such 
> vulnerabilities is released.

Back in 2001, this was called "full disclosure", see:

  <http://www.wiretrip.net/rfp/policy.html>

(The document is probably even older, use archive.org to find out.)

In retrospect, "responsible disclosure" was always more a marketing
term than anything else (just like "blended threat").  The implicit
message that other disclosure processes were irresponsible was
invaluable.

Re: [Full-disclosure] Re: Help put a stop to incompetent computer forensics

2005-08-10 Thread Jason Coombs

James Tucker wrote:

Sorry, how many programs which you class as "Trojans" add what you
define as a "backdoor", given that a "backdoor" is generally
pre-compiled code which allows access via previously un-announced or
commonly unused connection methods? Malware doesn't typically ADD
backdoors, it comes shipped with them, thus the classification
Trojan.Backdoor, as opposed to just Trojan. Many of the more common
Trojans these days are Worms, Trojans, and Backdoors and some are Viri
too. The reason is simple - short of breaking the kernel process
scheduler it is useful to be a Trojan when present as an active virus.
Similarly due to the current nature of desktop and server side
application logic, most viri are unsuccessful without being worms -
although this may change in a few decades as applications become more
data driven and automatic. Nothing will ever substitute a full
description of a particular malware's actions in describing what it
does, unless you expect malware authors to start conforming to
standards.



Applying the broader definition of Trojan, I can't even make sense out 
of your paragraph above. But I know that you aren't using the term to 
communicate the idea of malware that enables the attacker to gain 
control over, and future access to, the infected system ... If that's 
the definition you had in mind, then the paragraph you wrote makes 
logical sense. Otherwise, not.


I agree that calling it a backdoor isn't comfortable, it just doesn't 
fit. This is part of why I'm saying that the definition of Trojan must 
include the access and control that a backdoor gives.


It doesn't make sense to me that "Many of the more common Trojans these 
days are Worms, Trojans, and Backdoors ..." unless you are using Trojan 
to communicate the feature of remote access to the infected box.


Sincerely,

Jason Coombs
[EMAIL PROTECTED]


Re: [Full-disclosure] Re: Help put a stop to incompetent computerforensics

2005-08-10 Thread Jason Coombs

Chuck Fullerton wrote:

"A Trojan horse is a program that appears to have some useful or benign
purpose, but really masks some hidden malicious functionality."

"A Backdoor is a program that allows attackers to bypass normal security
controls on a system, gaining access on the attacker's own terms." 


Here's an example of a completely flawed explanation of the origin of 
the term. The definition given claims that the warriors emerged from the 
horse and only those warriors overran the city. Obviously that isn't 
what happened in the Iliad, the Trojan Horse was used to get further 
access for other warriors. Furthermore, "overran the city" means of 
course that the Trojan Horse was used for the purpose of gaining control 
of the city, regardless of which warriors accomplished the objective.


Most (but not all) of you are suggesting that the only thing that 
matters is what the definitions say, and that's not the right way to 
look at this issue. A program that does something malicious when used is 
not a Trojan unless its malicious purpose fits with the story of the 
Trojan Horse as it is understood by non-computer people. This is why we 
don't call spyware Trojans any longer -- a distinction has been drawn, 
and that distinction has overrun the past usage of the term.


http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci213221,00.html

In computers, a Trojan horse is a program in which malicious or harmful 
code is contained inside apparently harmless programming or data in such 
a way that it can get control and do its chosen form of damage, such as 
ruining the file allocation table on your hard disk. In one celebrated 
case, a Trojan horse was a program that was supposed to find and destroy 
computer viruses. A Trojan horse may be widely redistributed as part of 
a computer virus.


The term comes from Greek mythology about the Trojan War, as told in the 
Aeneid by Virgil and mentioned in the Odyssey by Homer. According to 
legend, the Greeks presented the citizens of Troy with a large wooden 
horse in which they had secretly hidden their warriors. During the 
night, the warriors emerged from the wooden horse and overran the city.



Re: [Full-disclosure] Re: Help put a stop to incompetent computer forensics

2005-08-10 Thread Jason Coombs

Donald J. Ankney wrote:
Your definition is just a subset of the standard, broader one. 


When a word causes widespread misunderstanding such that you simply 
can't use it to communicate ideas clearly, the old meaning becomes 
archaic. I think that's what has happened with Trojan. Proof of this can 
be found in the list of malware that anti-Trojan software is designed to 
detect -- without double-checking this, just from memory, I'm going to 
say that the list of malware detected by the typical anti-Trojan 
software product is limited to malware that meets my definition and does 
not include the broader definition. That causes a real problem, in 
practice, since if the anti-Trojan doesn't stop spyware then how can 
spyware be a Trojan?


Regards,

Jason Coombs
[EMAIL PROTECTED]


Re: [Full-disclosure] Re: Help put a stop to incompetent computer forensics

2005-08-10 Thread Jason Coombs

Thierry Zoller wrote:

JC> Because Trojan horses often have
JC> these harmful functions, there often arises the misunderstanding that
^   
JC> such functions define a Trojan Horse.

Please read what you just posted, it directly contradicts what
that wikipedia author wrote 2 lines above that. That wikipedia
article can be trashed.


It is not a misunderstanding. The definition of Trojan has very clearly 
been relegated to the malware that forces open a means of unauthorized 
or hidden access or remote control, i.e. a backdoor. I understand your 
point that Trojan had a broader definition in the past, but that is in 
the past. Archaic. The Wikipedia entry is instructive to illustrate that 
there is so often a "misunderstanding" in present usage that the older 
definition is no longer correct.


We won't succeed in attempts to convince millions of people that a 
Trojan Horse is also a gift that contains a nuclear bomb inside that 
will nuke your house after you accept it. That's not a Trojan, that's a 
bomb, even if it is a Greek wooden horse. It just doesn't matter that in 
the past the industry had not yet come to realize that it needed a 
different term for spyware. We have it now, so there's no looking back.


Thanks for helping me understand your viewpoint. I've never met anyone 
who thinks of a Trojan the way that you do, and the common usage even by 
infosec industry professionals clouded my brain so badly that at no time 
did I perceive the classic definitions you and others have cited to 
imply anything other than the context in which the term is used today. 
The bad acts that the Trojan performs, in my mind, must be in connection 
with some attempt to give the Trojan author further, future access to 
systems or to the data they contain.


I'm not saying that you're wrong. I'm saying you have far too much 
experience and expertise, and all that knowledge is causing you to fail 
to see the forest for the trees. Common people's common sense has 
changed the definition of Trojan, pure and simple.


Nobody today would avoid using the term spyware just because the term 
Trojan was the way in which that malware would have been labeled in the 
past. As I said, everyone I know understands what a Trojan is, and their 
understanding is not what you suggest it should be.


Sincerely,

Jason Coombs
[EMAIL PROTECTED]


Re: [Full-disclosure] Re: Help put a stop to incompetent computer forensics

2005-08-10 Thread Jason Coombs

Erik Kamerling wrote:

Trojan Horse
A computer program that appears to have a useful function, but also has a 
hidden and potentially malicious function that evades security mechanisms, 
sometimes by exploiting legitimate authorizations of a system entity that 
invokes the program.


Copied from the SANS Glossary of Terms Used in Security and Intrusion 
Detection. 


http://www.sans.org/resources/glossary.php


Common usage in practice today matters as much as if not more than the 
original use of the term in computing. The term Trojan is synonymous 
with malware that adds a backdoor, even if a bunch of old people think 
it's still okay to call other malicious code by this name.


From:

http://en.wikipedia.org/wiki/Trojan_horse_%28computing%29

In practice, Trojan Horses in the wild do contain spying functions (such 
as a Packet sniffer) or backdoor functions that allow a computer, 
unbeknownst to the owner, to be remotely controlled from the 
network, creating a "zombie_computer". Because Trojan horses often have 
these harmful functions, there often arises the misunderstanding that 
such functions define a Trojan Horse.



Re: [Full-disclosure] Re: Help put a stop to incompetent computer forensics

2005-08-10 Thread Jason Coombs

[EMAIL PROTECTED] wrote:

On Thu, Aug 11, 2005 at 12:26:23AM +0200, Thierry Zoller wrote:


The industry definition is perfectly within Homer's definition of a Trojan
horse. 



JC> http://classics.mit.edu/Homer/iliad.html



When I read Homer, it was a Greek horse.



The horse became the property of the Trojans before it launched its 
hidden attack, but your point is interesting as well.


There are other terms used to describe malware disguised as something 
else that has hidden capability to cause damage. Logic bomb, for example.


I'll do some more work on this and see where it leads. The proposal of 
"backdoor" as the better term just doesn't work, since a backdoor is a 
hidden mechanism for gaining entry or control of a system that is built 
into the system by its creator or some other involved party. An intruder 
may open up a backdoor in a system by altering its programming rather 
than by planting a Trojan, so there needs to be a distinction between 
the two.


Cheers,

Jason Coombs
[EMAIL PROTECTED]


Re: [Full-disclosure] Re: Help put a stop to incompetent computer forensics

2005-08-10 Thread Jason Coombs

Thierry Zoller wrote:

Or in better English :
A computer trojan horse is a program which appears to be something good,
but actually conceals something bad.


Interesting. What dictionary are you reading this definition from?

Whether or not the malware does other things as well, everyone I know 
considers a Trojan to be a type of malware that allows an intruder to 
gain entry to a system through the front door once the malware has 
gained entry through some other means such as tricking the user into 
installing it, forcing itself to install a la spyware, or exploiting one 
of the many vulnerabilities in Internet Explorer that enable Web sites 
to plant and execute arbitrary code.


If your proposed definition is the correct one, I'm willing to alter my 
own understanding of this term. But you're going to have to offer some 
proof that other people agree with you.


Somehow I suspect that Homer would disagree with you, and he is the 
proper definitive authority on this subject. See the story of the fall 
of Troy through the use of a Trojan Horse that enabled the whole Greek 
army to gain entry through the front gates because of the actions of the 
hidden package within the horse.


http://classics.mit.edu/Homer/iliad.html

Regards,

Jason Coombs
[EMAIL PROTECTED]


[Full-disclosure] Re: Help put a stop to incompetent computer forensics

2005-08-10 Thread Jason Coombs

anonymous wrote:
I know when running EnCase or some other software you can see the 
cookies of the machine. More importantly, you can see what "search 
items" the individual was searching for.



No, you cannot. You can see what the Internet Explorer history files 
contain. This does not prove that a person typed search terms into 
Google. If you'd like me to prove this to you, ship your computer to me. 
I will ship it back to you and it will contain proof that you are a 
very, very bad person.



So I can tell if the person had the intent or at least give some ammo to 
the prosecution that the perp was searching for "z" and "" etc.


No you can't. You can tell that the Internet Explorer history files 
contain data.



So if their entire defense is that a trojan put the kiddie porn on their 
machine yet their search items were things related to that sort of thing 
then we can show that the perp was searching for related topics.


Come on, do you even understand what a Trojan is?

By definition, the Trojan gives a third-party the ability to control the 
computer from a remote location. I'm not suggesting that the Trojan was 
programmed to plant evidence. I'm saying that a third-party was in 
control of the computer and any data that you see on the computer's hard 
drive, including things that you seem to think "prove" that a person 
typed on the attached keyboard, reflects, at best, the actions of many 
people and a lot of software -- and at worst the data are meaningless 
because the files have been tampered with on purpose by a third party.


But I do believe that once an analysis of the perp's hard drive has been 
done said examiner should be able to determine if the information on the 
machine was from the surfing habits of the perp, or if they may have 
come from a trojan. Besides, if a trojan was present it should still be 
there when the examiner is looking at the system!


No. The analyst can only determine that the computer may have been 
executing software in the past at various purported times (based on 
date/time stamps) -- or, maybe what you can determine is that the 
computer has been receiving files from elsewhere, and the date/time 
stamps don't have any connection whatsoever to the local computer but 
have some connection to another computer. Furthermore, Trojan infections 
come and go, and you probably know that remote exploitable 
vulnerabilities make it unnecessary to plant a Trojan -- if the 
attacker/intruder is only interested in gaining control of the computer 
one time, and a victim comes along with a vulnerable IE browser, then 
arbitrary code can be executed and no Trojan infection will necessarily 
result. That's up to the attacker. Nevertheless, the arbitrary code 
execution resulted in the attacker being able to do anything they want 
with the computer, including launch IE and visit Web sites and enter 
search terms which IE will log.


However, if the information came from an email, cd, diskette or other 
media then it's going to open a whole other can of worms.


It's not a can of worms for a CD or diskette to be found alongside a 
computer, that's called reasonable circumstantial evidence. Computer 
data stored on hard drives connected to the Internet is NOT reasonable 
circumstantial evidence. It's just data.


The "circumstances" under which data come to be on a hard drive are 
UNKNOWN unless law enforcement have established appropriate forensic 
controls to monitor computer operation during an investigation.


When the circumstances of software execution on a computer and the data 
communications to and from a computer are UNKNOWN, all data from that 
computer should be excluded from use in court as "evidence" of anything.


Sincerely,

Jason Coombs
[EMAIL PROTECTED]


[Full-disclosure] Re: Operation Site-Key computer forensic searches ruled illegal

2005-08-10 Thread Jason Coombs
- rather, he was a database programmer who 
used dBase to create databases and the programming instructions that 
would put data in and get data out of the databases. Perhaps you've done 
this yourself using Microsoft Office. It is not a difficult skill to 
learn, and its practitioners do not need to understand how computer 
software really works, they only need to understand the commands that 
they have to use to cause their database to do what they want it to do. 
In software engineering people with this capability are never selected 
to write operating systems or software like Internet Explorer because 
they simply do not understand software development -- they understand 
database development. We call them "database programmers" but that's 
just to be nice (and make resumes look good) -- they are not "computer 
programmers" because without the database program that they know how to 
operate these "programmers" would not be capable of writing "software".


This is all lost on the court in the same way that the distinction 
between "computer forensics" and "software expert" is lost on the court, 
resulting in a belief that a "computer forensics expert" is by 
definition an expert in computers and software programming, but the 
truth is usually that the computer forensics expert was trained to 
operate some computer forensics software program like EnCase -- without 
that program the so-called "expert" would not be capable of performing 
an investigation into what happened to a computer in the past, what 
software executed on it, what people appear to have used it, etc.


All of these issues sort of converge in a sick and twisted way when 
computer evidence is planted by a third party (or when a third party 
takes control of somebody else's computer and uses it to commit a crime, 
which is, in effect, planting electronic evidence) because the people 
who do the work investigating the computer evidence (on behalf of law 
enforcement OR on behalf of the defense) simply do not have the 
information security expertise necessary to explain first and foremost 
that hard drives do not contain "computer evidence" but instead that 
hard drives contain "data" -- and that data was stored on the hard 
drives by the execution of "software" and that it is impossible to know 
exactly what software executed in the past on a microprocessor.


The practice of using "computer forensics" to gather, present, and 
explain "computer evidence" in court is in dire need of remediation. 
Without competency in the information security field, no "computer 
forensics expert" should be allowed anywhere near a courtroom.


There should also be minimum mandatory information security training 
given to judges, attorneys, and members of a jury, before any one of 
such persons is allowed to view "computer evidence" -- if the computer 
forensic examiners aren't going to offer opinion testimony that calls 
into question the legitimacy of their own investigative techniques then 
the court must force this safeguard into the process.


Except where law enforcement has implemented strict forensic controls 
during an investigation, and conducted ancillary surreptitious 
monitoring of a suspect using video surveillance, keyloggers, screen 
capture, runtime forensic logging of machine code executed by a CPU, and 
other techniques that conclusively establish the physical presence of a 
suspect, and the conclusive absence of hidden outside control or 
influence over a computer that is the source of computer evidence, no 
computer evidence should be allowed in court.


What's happening today is akin to giving intruders from the other side 
of the world the ability to fill our filing cabinets, our wallets, our 
bedrooms, our closets, and our vehicles with incriminating evidence 
automatically through the Internet. Nobody ever explains this to the 
judge, and law enforcement forensic examiners seem not to understand it.


Something must be done to fix this, and every person convicted of a 
crime in the past where computer evidence was used without ensuring that 
its pitfalls are well-understood should be given an immediate retrial.


Sincerely,

Jason Coombs
[EMAIL PROTECTED]


[Full-disclosure] Help put a stop to incompetent computer forensics

2005-08-09 Thread Jason Coombs
"An experienced computer forensics person could tell you whether it was 
because of [a Trojan virus] or not." -- Marcus Lawson.


This quote and article citation below concerning "computer forensics" is 
typical of the opinion of "computer forensics" professionals. We know 
it's a big fat lie told by self-important people who don't know anything 
about information security and have never written software in their 
lives, but I'm asking anyone who reads this, who has ideas about how to 
put a stop to this "computer forensics" absurdity where people who don't 
know how software is written and don't understand infosec are allowed to 
be the voice of "computer forensics" expertise in court, to please 
contact me.


In addition, anyone who has any information about computer forensics 
professional Marcus Lawson please contact me immediately.


The fact that malware authors aren't cooperating with the computer 
forensics industry by making sure that it's easy to distinguish between 
the actions of malware and the actions of a human computer user, 
combined with uninformed expert opinions like those shown below, is 
resulting in innocent people being put behind bars, and people like 
Marcus Lawson who think they know what they're doing but clearly do not 
are helping to get innocent people convicted by spewing nonsense.


This undermines the ability of the criminal court system to convict 
those who are truly guilty, and keep them convicted on appeal.


Somehow we need to fix this broken system and insist that all computer 
forensics be performed with the help of a competent information security 
professional, at the very least.


Any other suggestions?

Sincerely,

Jason Coombs
[EMAIL PROTECTED]


http://edition.cnn.com/2003/LAW/08/12/ctv.trojan/

Though it raises new and important issues, say industry sources, the 
Trojan Horse problem won't likely mint a new defense strategy: It's just 
a riff on the standard "not me" defense.


"There are a lot of child porn defendants who say, well, somebody else 
might have done it," said the EFF's Tien.  "But it doesn't fare very 
well, for obvious reasons."


In the end, experienced computer forensics investigators should be able 
to tell whether the computer's owner, or a Trojan Horse, spawned the 
material in question.


"You wouldn't want to just throw that out there as your defense," said 
Marcus Lawson, a computer forensic analyst who testified in the trial of 
convicted child rapist and murderer David Westerfield. "An experienced 
computer forensics person could tell you whether it was because of [a 
Trojan virus] or not."



[Full-disclosure] Operation Site-Key computer forensic searches ruled illegal

2005-08-09 Thread Jason Coombs

Dear Robert,

In reference to your computer forensics-related article (below) from 
July 13, 2005, detailing computer searches ruled illegal because of the 
period of time that had elapsed from the date of alleged online purchase 
to the date of search of a defendant's Windows computer please consider 
the following:


I worked as an expert witness on behalf of the defense in a case brought 
before a military court martial under UCMJ where the defendant's name 
and credit card number was found in the site-key database.


A computer forensic examination of the defendant's Windows computer 
revealed the presence of a Trojan and a keylogger that would have 
enabled a third-party intruder to intercept the defendant's credit card 
number and use it to purchase child pornography from a Web site that 
processed credit card payments using the site-key service.


Since this time, other cases involving site-key prosecutions have come 
to me seeking computer forensics and expert witness services. Thus far 
in these other cases I have not been provided with copies of computer 
evidence to analyze, but I have been performing as much preliminary work 
as possible and the possibility has arisen that the crimes of which the 
defendants are accused may be nothing more than a "failure of 
imagination" on the part of law enforcement.


Rather than the site-key database contents reflecting true purchases of 
child pornography by actual paying customers, I believe it is possible 
that site-key was in fact a bank robbery.


From my experience with e-commerce payment processing and online 
merchant services, I know that a merchant will be allowed to withdraw 
funds from a merchant account after a relatively short period of time, 
subject to the holding "in reserve" of a pool of funds to cover expected 
"charge backs" where the customer claims fraud must have occurred and 
disputes the credit card charge.


A sophisticated group of criminals could have used the site-key service 
to commit a bank robbery by intercepting a victim's credit card 
information and taking control of the victim's Windows computer through 
the Internet by exploiting security vulnerabilities in the Windows 
operating system and through the use of spyware.


Once in control of the victim's Windows computer, and after the criminal 
is in possession of the victim's credit card information as a result of 
the installation of a keylogger program, it would have become possible 
to "shop" online at a site-key child pornography website, impersonating 
the victim.


For those suspected child pornography customers who are arrested within 
a month or two after the bogus "purchase" by them of the child 
pornography, disputing the credit card charge would have been quite 
difficult as they would have been in jail.


Disputing the charge becomes impossible upon examination of their 
Windows computer's hard drives, due to the fact that corroborating 
evidence would have been found on the suspect's computer.


I have attempted to alert law enforcement to this possibility and have 
shared the details of the court martial case in which both a Trojan and 
a keylogger were found prompting this notion that site-key was a bank 
robbery rather than truly a child pornography online business that 
attracted actual paying customers.


As you clearly have contact with the Dallas, Texas-based investigators 
and attorneys on behalf of various Operation Site-Key defendants, will 
you please make inquiries along these lines or help me make contact with 
the appropriate parties so that I may explain this theory in more detail?


Thank you kindly,

Jason Coombs
[EMAIL PROTECTED]

--

Stale warrants doom porn cases

Exclusive: Searches that turned up images of children ruled illegal

09:55 PM CDT on Wednesday, July 13, 2005

By ROBERT THARP / The Dallas Morning News

When Dallas police and federal agents wrapped up a sophisticated 
Internet child pornography investigation in April 2004, authorities 
boasted at a news conference that arrests could number in the thousands 
and circle the globe.


But just a few blocks away at the Dallas County criminal courthouse, 
attorneys are now quietly getting their clients' child pornography cases 
thrown out by exposing what they call a fatal flaw in the way 
investigators proceeded with their work.


The problem: Detectives obtained many of their search warrants based on 
information that was more than a year old, far longer than what 
constitutional protections from unreasonable searches allow.


"I don't think there's a line, but certainly a year is stale under 
anyone's definition," said attorney Reed Prospere, who got the charges 
thrown out for three clients.


In at least nine Dallas arrests stemming from the Internet pornography 
investigation dubbed Operation Site-Key, attorneys have successfully 
argued

Re: [Full-disclosure] "responsible disclosure"

2005-08-09 Thread Jason Coombs

Dominique Davis wrote:
In the interest of "responsibly disclosing" information you believed 
needed to be spread to the public without an objective third 
party counterbalance to verify the facts, you have caused harm to 
innocents who were just doing their jobs without thought to the harm it 
might cause them, making you an "accessory to the intentional destruction of
innocent lives." In the name of righting injustice outside of the 
established legal process with no justification other than your own views 
and interest.


You're obviously talking about my near-disclosure of the fact that PivX 
Solutions appeared to be stealing money from investors.


My intervention saved your job, you dickweed.

It also saved your company. The investors who backed you now control 
your company. Do you think that happened by accident?


Shit, you're a gigantic moron.

Sincerely,

Jason Coombs
[EMAIL PROTECTED]


Re: [Full-disclosure] "responsible disclosure"

2005-08-09 Thread Jason Coombs

Dominique Davis wrote:
Can you state here in public that you have never done the same when you 
were starting out. Nothing personal bud, but those who live in glass 
houses shouldn't throw stones.


Here's my house:

http://www.jasoncoombs.com

No, I have never authored a report that mischaracterizes "data" found on 
a hard drive as "proof of wrongdoing by a person". Data prove nothing.


Only people who need "computer forensics" to mean something more than it 
really does so that they can have "careers" do such intolerable things.


I have published books and articles that contained inaccuracies. For 
this I apologize. No apology can ever restore the lives destroyed by 
"computer forensics" used to gather "evidence" against those accused of 
crimes.


Use whatever tools and information-gathering techniques you want to 
conduct investigations, but stop telling lies to judges. Just stop.


Whether you're Cisco and playing like you're hurt so you can improperly 
press your claim of "trade secrets" that do not exist, or whether you're 
a prosecutor or law enforcement "forensic examiner" who just wouldn't 
have a paycheck if you didn't "play along" -- just stop.


Bring on the stones. Do your worst. You and people like you are evil and 
you must be stopped.


Sincerely,

Jason Coombs
[EMAIL PROTECTED]


Re: [Full-disclosure] "responsible disclosure" explanation

2005-08-08 Thread Jason Coombs
"responsible disclosure" causes serious harm to people. It is no 
different than being an accessory to the intentional destruction of 
innocent lives.


Anyone who believes that "responsible disclosure" is a good thing needs 
to volunteer their time to teach law enforcement, judges, prosecutors, 
and attorneys that the consequence of everyone communicating with 
everyone else online is that some people use secret knowledge of 
security vulnerabilities to ruin other people's lives or commit crimes 
by hijacking innocent persons' vulnerable computers.


Some of you may know that I work as an expert witness in civil and 
criminal court cases that involve computer forensics, information 
security, and electronic evidence.


I just received a phone call from a member of the armed services in the 
U.S. who is being court martialed for possession of computerized child 
pornography.


This happens every day in courtrooms throughout the world.

On a regular basis somebody accused of this crime finds me and asks for 
my help explaining that a third-party could have been responsible for 
the crime. In every case the prosecution is alleging that the computer 
forensics prove beyond a reasonable doubt that the defendant is guilty 
of the crime because it was their Windows computer that was used to 
commit it.


Often, some incompetent computer forensics professional will have 
already done work on behalf of the defense and authored a report of 
their own. These reports read like those authored by the prosecution's 
computer forensic examiners, they list the contents of the hard drive, 
itemize entries from Internet Explorer history files and explain that 
some "deleted" files were recovered that further incriminate.


So you tell me, those of you who believe that "responsible disclosure" 
is a good thing, how can you justify holding back any detail of the 
security vulnerabilities that are being used against innocent victims, 
when the court system that you refuse to learn anything about is 
systematically chewing up and spitting out innocent people who are 
accused of crimes solely because the prosecution, the judge, the 
forensic examiners, investigators, and countless "computer people" think 
it is unrealistic for a third-party to have been responsible for the 
actions that a defendant's computer hard drive clearly convicts them of?


You cannot withhold the details of security vulnerabilities or you 
guarantee that victims of those vulnerabilities will suffer far worse 
than the minor inconvenience that a few companies encounter when they 
have no choice but to pull the plug on their computer network for the 
day in order to patch vulnerabilities that they could otherwise ignore 
for a while longer.


"Responsible disclosure" is malicious. Plain and simple, it is wrong.

"Responsible disclosure" ensures that ignorance persists, and there is 
no doubt whatsoever that ignorance is the enemy.


Therefore, supporters of "responsible disclosure" are the source of the 
enemy and you must be destroyed. Hopefully some patriotic hacker will 
break into your computers and plant evidence that proves you are guilty 
of some horrific crime against children. Then you will see how nice it 
is that all those "responsible" people kept hidden the details that you 
needed to prevent your own conviction on the charges brought against you 
by the prosecution.


How can "responsible" people be so maliciously stupid and ignorant?

Please, somebody tell me that I'm not the only one inviting judges to 
phone me at 2am so that I can teach them a little about why a Windows 
2000 computer connected to broadband Internet and powered-on 24/7 while 
a member of the armed forces is at work defending the nation could in 
fact have easily been compromised by an intruder and used to swap warez, 
pirated films and music, and kiddie porn without the service member's 
knowledge.


How can trained "computer forensics" professionals from the DCFL and 
private industry author reports that fail to explain information 
security? The answer is that the people who teach computer forensics 
don't understand information security. It is not "responsible" to 
suppress knowledge of security vulnerabilities that impact ordinary 
people. Suppress security vulnerability knowledge that impacts only 
military computer systems, but don't suppress security vulnerability 
knowledge that impacts computer systems owned and operated by ordinary 
people; for doing so ruins lives and you, the suppressing agent, are to 
blame for it more so than anyone else.


Grr. Rant. Rant. Grumble.

Sincerely,

Jason Coombs
[EMAIL PROTECTED]

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] [Fwd: GWAVA Sender Notification (Content filter)]

2005-08-08 Thread Jason Coombs

Good job, Internal Revenue, New Zealand!

Keep all that awareness and truth out -- it might hurt you.


 Original Message 
Subject: GWAVA Sender Notification (Content filter)
Date: Tue, 9 Aug 2005 15:52:06 +1200
From: <[EMAIL PROTECTED]>
To: undisclosed-recipients: ;

A message sent by you was blocked by GWAVA - Content protection for
Novell GroupWise.

The message was blocked for the following reason(s):

* Content filter

The message contained the following information:

*Subject:*  Re: [Full-disclosure] "responsible disclosure" explanation
*From:* "[EMAIL PROTECTED]".INTERNET.IRDOM
*Recipient(s):* [No To Addresses]
[No Cc Addresses]
JBM1.clhpo.IRDOM_Addresses

The following information details the events that prevented delivery of
this message:

*Event* *Details*
Content filtered

Content within this message was disallowed.



Re: [Full-disclosure] "responsible disclosure" explanation

2005-08-08 Thread Jason Coombs

Georgi Guninski wrote:

On Mon, Aug 08, 2005 at 12:58:06PM +0200, Florian Weimer wrote:

Georgi Guninski wrote:

the term "responsible disclosure" is a corporate instrument for
trying to shut people up.

No, it's an attempt to create a market for vulnerabilities and
exploits, trying to mimic the underground's success.

i disagree. market for vulnerabilities exists, there were auctions even on fd.


Actually it's another tool for asserting ownership of other people's 
work product based on the premise that "irresponsible" equals 
"criminal". I hereby re-assert my exclusive claim of ownership over my 
own work product. I own my trade secrets. I own the exclusive copyright 
interest in my written and communicated works. I am the only owner of my 
original intellectual property.


If you are a corporation or a government entity that believes you have 
the right to claim ownership of any part of my work effort simply 
because you wrote a EULA or manufactured and sold a product of your work 
effort, you are the one who is irresponsible. Your actions will cause 
the death of others. If not in the short-term, certainly in the 
long-term as good people conclude that they must kill others in order to 
reclaim rights and freedoms that you stole from them by tricking the 
masses into believing that you are more important because you have more 
money. I suggest that you begin to act responsibly and fight to defend 
the very rights and freedoms that you enjoyed in order to get to where 
you are today. Stupid fucks.


See:

http://www.wired.com/news/technology/0,1282,68435,00.html
http://www.granick.com/blog/
http://www.granick.com/blog/lynncomplaint.pdf

Sincerely,

Jason Coombs
[EMAIL PROTECTED]


[Full-disclosure] [Fwd: CCO Locksmith - Automated Reply]

2005-08-04 Thread Jason Coombs
Can I e-mail [EMAIL PROTECTED] and ask them to send me an arbitrary 
user's new password? Hmm...


If I happened to be the one responsible for causing this DoS then don't 
you think I would already have the following details of a target 
victim's account at cisco.com?


  1 Maintenance contract or Account number you used in your registration
  2 The user ID you believe you have
  3 Full name
  4 Company name

And of course I would have their authentic e-mail address temporarily 
disabled due to some unexplained outage, so that Cisco can't easily 
e-mail them a confirmation to their old e-mail address...


Practically-speaking, Cisco has little choice but to personally phone 
every single member, or dump their entire registration database and 
force the users to re-apply for new member accounts.


This automatic password reset thing is fatally-flawed.

Regards,

Jason Coombs
[EMAIL PROTECTED]


 Original Message 
Subject: CCO Locksmith - Automated Reply
Date: Thu, 4 Aug 2005 00:07:15 -0700 (PDT)
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]

This is an automated reply ONLY to have your CCO p/w changed.

DO NOT reply directly to this email!

Sorry, your attempt to change your p/w on CCO has not been successful.

Reason:
==
1) There was no record of your email address being associated with
   a user ID in CCO.
 or
2) The email record within CCO that may be associated with your name, may be
   slightly different to the one on your email Reply-to: or From: line.
 or
3) You are not registered at all on the service.
or
4) Your account may be in inactive state.

Action:
==
A) If you believe you are registered on CCO...

Please email [EMAIL PROTECTED] to have your correct email address 
associated

with your User ID. To ensure you receive prompt attention, please provide
all of the following details:

  1 Maintenance contract or Account number you used in your registration
  2 The user ID you believe you have
  3 Full name
  4 Company name

Please note, your registration may have been disabled if you had not used
the service in the last 6 months. In this case, you may need to perform an
online registration again. You will be advised by email if this is the case.

or

B) If you are not registered, please perform an online registration.
   For an automated reply of general CCO information,
   please email [EMAIL PROTECTED]

Any further inquiries should be directed to [EMAIL PROTECTED]

Thank you





Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-08-01 Thread Jason Coombs

Technica Forensis wrote:

CAUTION:
Internet and e-mail communications are Kohl's property and Kohl's reserves the 
right to retrieve and read any message created, sent and received.  



Kohl's owns the Internet?  
Kohl's reserves the right to read my email I send my mom just because

it's on the Internet?

maybe you should go reread the wiretap act.


Wiretap Act doesn't apply to stored electronic communications.

Kohl's owns all of those communications, whether stored temporarily in 
RAM or stored persistently to a hard drive.


Regards,

Jason Coombs
[EMAIL PROTECTED]


Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-08-01 Thread Jason Coombs

[EMAIL PROTECTED] wrote:
It occurs to me that your solution is flawed as well.  What assurance do 
we have that your "protected storage" is future-proof (i.e. unbreachable 
by any means whatsoever)?


It doesn't have to be unbreachable by any means whatsoever, it has to be 
unbreachable from a remote location. This is easy to accomplish by not 
connecting the protected storage to a network interface.


The box can still be owned by an attacker who gains physical access to 
the device, but so what? The protected storage will never be owned by a 
JPEG and the CPU will never ignore its built-in machine code 
authentication logic because it would not be implemented in software or 
firmware.


Regards,

Jason Coombs
[EMAIL PROTECTED]


Re: [Full-disclosure] Mike Lynn's controversial Cisco Security Presentation

2005-07-29 Thread Jason Coombs

J.A. Terranson wrote:

didn't get my copy from Infowarrior.  Nor have I seen any "order".


"On Thursday, Judge Jeffrey White of the United States District Court 
for the Northern District of California issued a permanent injunction 
preventing further distribution of the material (attached). Cisco 
Systems, Inc. and Internet Security Systems, Inc. v. Michael Lynn and 
Black Hat Inc. United States District Court, Northern District of 
California."


http://www.infowarrior.org/users/rforno/lynn-cisco.pdf

Your point seems to be that because your name was not listed in the list 
of Defendants, nor were you referenced in a Does 1-99 placeholder, that 
the order does not apply to you.


I know you're not suggesting that copyright law no longer applies to 
you, or that the .pdf lost its copyright protection the moment somebody 
put it on the Internet.


If you're saying that Judge White's order doesn't apply to anyone other 
than the named Defendants, and that until the order is expanded to 
include the whole of the citizens of the United States, et seq, there is 
no trade secret protection afforded to the document, then I invite you 
to attempt to sell it to a foreign government and we'll see how well you 
are able to convince the court that you did not engage in espionage 
because the material was no longer a trade secret.


Sincerely,

Jason Coombs
[EMAIL PROTECTED]


Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-29 Thread Jason Coombs

[EMAIL PROTECTED] wrote:

On Fri, 29 Jul 2005 15:02:51 -1000, Jason Coombs said:
redesign, fundamentally, the turing machine so that before each 
operation is performed a verification step is employed to ensure that 


Ahem. No.  You *can't* "ensure" it (although you *can* do things like bounds
checking to *minimize* issues).

It's called the Turing Halting Problem



We're not talking about proving/disproving the result of computation 
here, we're talking about a simple logical step inserted prior to 
transmission of operating instructions and data to a turing machine.


It does not invoke the Turing Halting Problem to ask the question 
"should the following opcode be sent to the CPU / should the opcode be 
read from memory and acted upon" ?


The simplest solution is to duplicate the machine code, placing one copy 
in a protected storage and requiring the CPU to confirm that both the 
active/RAM-resident copy and the protected storage copy match before 
proceeding with computation.


This is superior to simply reading machine code from a protected storage 
because the point is that malicious arbitrary code that overwrites or 
reprograms or inserts itself into the runtime memory space of an active 
process would easily defeat a volatile copy of a non-volatile protected 
storage image of some machine code. Only by requiring the CPU to perform 
a validation of each opcode instruction but allowing the CPU to continue 
to behave in all other respects as it behaves today does the protection 
arise. Other approaches are possible, but the basic idea of a separate 
supply of bits useful for the runtime authentication of opcodes remains 
the same.


Turing has nothing to say on this subject because he never contemplated 
it, to the best of my knowledge. Turing never tried to defend against 
buffer overflows back in the 1930s, yet people invoke him as a sage 
unerring philosopher of our time. Why?


Regards,

Jason Coombs
[EMAIL PROTECTED]


Re: [Full-disclosure] Mike Lynn's controversial Cisco Security Presentation

2005-07-29 Thread Jason Coombs

J.A. Terranson wrote:

On Fri, 29 Jul 2005, Jason Coombs wrote:

reverse engineered.


*millions* of copies of these "secrets" in general circulation.  Nobody
can assert with a straight face that anything about Lynn's presentation is
not completely and totally within the public view - and irretrievably so.


Just because you have a copy doesn't mean the document is in public 
view. The infowarrior.org URL no longer provides a copy of the trade 
secrets to those who seek them, so the effort to control distribution is 
working. Anyone who complies with the court order will delete their copy 
of the document and forget what they have read.


You are making an argument that the legal system doesn't work just 
because you can disregard it at your own peril. That's nonsensical.


Regards,

Jason Coombs
[EMAIL PROTECTED]


Re: [Full-disclosure] Mike Lynn's controversial Cisco Security Presentation

2005-07-29 Thread Jason Coombs

J.A. Terranson wrote:

I believe that at the moment of disclosure it becomes public domain.
Echoes of RC4...

http://www.infowarrior.org/users/rforno/lynn-cisco.pdf


That letter doesn't change anything.  There's a lot of law that says that
is now public data, and free of its trade encumbrances.


RC4 is an algorithm, which means it cannot be patented nor copyrighted 
nor protected as intellectual property as anything other than a trade 
secret.


The Cisco/ISS trade secrets remain so unless and until these companies 
forego the legal protections afforded to them under law. i.e. they fail 
to seek restraining orders and otherwise fail to attempt to keep control 
of the commercial advantage that they believe they enjoy as a result of 
their ownership of the trade secret.


Because RC4, as an algorithm, cannot be protected as a trade secret 
starting the moment it is embodied into a product where the product can 
be reverse engineered legally, it would not have been possible to obtain 
injunctions against the dissemination and use of the RC4 algorithm and 
this is where you end up feeling like RC4 became "public domain" upon 
its public disclosure. See:


http://en.wikipedia.org/wiki/RC4

Now, if RC4 had never been used to create a product and had been kept as 
a trade secret, and that secret had been published, then it would not 
have become, automatically, an unencumbered algorithm that could be used 
by anyone with impunity. There being no way other than theft of trade 
secret for a third party to come to know the algorithm, had a court 
order been obtained to halt the spread of the secret the algorithm 
itself could very well have been kept as protectable intellectual 
property until such time as the company that enjoyed a commercial 
advantage through preservation of their RC4 trade secret had concluded 
the public distribution of a product that somebody else could have 
reverse engineered.


The interesting question in the Lynn case arises when international 
jurisdictions come into play. It is very clear that anyone inside the 
U.S. who were to publish an article like the following one:


http://www.techworld.com/security/news/index.cfm?NewsID=4130

Would be subject to the injunction on distribution of the trade secrets 
in question, and could be sued for having knowingly possessed and made 
use of (for the purpose of writing the article) those secrets.


However, techworld.com is a UK-based publisher, apparently, and so 
should be fine until a UK court concurs with the U.S. court's granting 
of the injunction.


Sincerely,

Jason Coombs
[EMAIL PROTECTED]


Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-29 Thread Jason Coombs

J.A. Terranson wrote:

Also, that Cisco must fix was not the point of my argument.  I was trying
to point out that Jason's basic premise that this was a grossly negligent
act by Cisco is pure fiction.


Not at all -- you're simply constraining the discussion to all known 
CPUs and I'm referring to the duty that a company like Cisco obviously 
has to make a better mousetrap if they intend to sell it to millions of 
people and coax billions of people to rely on the devices.


There are any number of technical solutions that one could use to 
redesign, fundamentally, the turing machine so that before each 
operation is performed a verification step is employed to ensure that 
the operation is the correct one in the correct sequence given prior 
configuration settings loaded into memory at the time the device was 
activated.


Store the necessary security profile, which could very well be just 
another copy of the entire machine code, in a separate memory that can 
be accessed in parallel and used solely to verify that the operation 
about to be performed matches the operation that is supposed to be 
performed. Require a physical act by the owner of the device to populate 
the security profile data storage so that it cannot be automated through 
the execution of code, and you enable both the software 
reprogrammability of the computing device and the non-programmability 
feature that provides the proper security safeguard.


This is a very high-level explanation, to be sure, but there's no reason 
not to redesign the CPU if you're Cisco. Or if you're Microsoft, or 
Intel, or AMD, for that matter.


CPUs are unnecessarily-insecure by design, as a result of people running 
around saying that you just can't change the way that a turing machine 
operates. That's what's pure fiction. Turing machines don't need to be 
allowed to operate in a vacuum, they can be sanity-checked at runtime if 
anyone cares to do so.


I am not suggesting that such CPUs exist today, only that they should 
and that a company like Cisco knows this very well and chooses not to 
undertake this engineering challenge, presumably because it would cut 
into profits.


Regards,

Jason Coombs
[EMAIL PROTECTED]
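The "verify each opcode against a protected copy" idea sketched in this post and in the earlier "duplicate the machine code" reply, as an added toy model in Python. This is not code from the thread; the five-instruction machine, its memory layout, and the `overwrite_store` tamper routine are my own constructions, written to show why the check must compare against the protected copy on every fetch rather than merely load from it once.

```python
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Toy instruction set (constructed for this example): (opcode, operand) pairs.
LOAD, ADD, STORE, JMP, HALT = range(5)
Instr = Tuple[int, int]


class CodeIntegrityError(Exception):
    """The RAM-resident instruction no longer matches the protected copy."""


@dataclass
class CPU:
    ram: list                 # one writable memory; code and data share it, as on a general-purpose CPU
    rom: tuple                # protected copy of the program, populated out-of-band; no opcode can write it
    verify: bool = True       # the proposed extra step; False models today's unverified fetch
    acc: int = 0
    pc: int = 0
    halted: bool = False

    def fetch(self) -> Instr:
        """Read the next instruction from RAM; with verify=True, refuse it unless ROM agrees."""
        instr = self.ram[self.pc]
        if self.verify:
            # Parallel read of the protected copy. The comparison happens before the
            # instruction takes effect, so a corrupted opcode never executes.
            expected = self.rom[self.pc] if self.pc < len(self.rom) else None
            if instr != expected:
                raise CodeIntegrityError(
                    f"pc={self.pc}: RAM holds {instr}, protected copy holds {expected}")
        return instr

    def step(self) -> None:
        op, arg = self.fetch()
        self.pc += 1
        if op == LOAD:
            self.acc = self.ram[arg]
        elif op == ADD:
            self.acc += self.ram[arg]
        elif op == STORE:
            self.ram[arg] = self.acc        # STORE can target any RAM cell, code included
        elif op == JMP:
            self.pc = arg
        elif op == HALT:
            self.halted = True
        else:
            raise ValueError(f"bad opcode {op}")


# Program: sum the two inputs at cells 8 and 9 into cell 10. Code occupies cells 0..3.
PROGRAM: tuple = ((LOAD, 8), (ADD, 9), (STORE, 10), (HALT, 0))


def run(verify: bool, corrupt: Optional[Callable[[CPU], None]] = None,
        max_steps: int = 100) -> dict:
    """Run PROGRAM on a fresh machine. `corrupt`, if given, runs before every fetch and
    models arbitrary code overwriting the runtime memory of the active process."""
    ram = list(PROGRAM) + [0] * 4 + [5, 7, 0]      # inputs 5 and 7 at cells 8, 9; output at 10
    cpu = CPU(ram=ram, rom=PROGRAM, verify=verify)
    error = None
    try:
        for _ in range(max_steps):
            if cpu.halted:
                break
            if corrupt is not None:
                corrupt(cpu)
            cpu.step()
    except CodeIntegrityError as exc:
        error = str(exc)
    return {"acc": cpu.acc, "result": cpu.ram[10], "halted": cpu.halted, "error": error}


def overwrite_store(cpu: CPU) -> None:
    """Constructed tamper routine: just before cell 2 is fetched, replace STORE 10 with ADD 9,
    the way an overflow that reaches the code region would change an in-flight instruction."""
    if cpu.pc == 2:
        cpu.ram[2] = (ADD, 9)


if __name__ == "__main__":
    print(run(verify=False))                              # clean run: result 12
    print(run(verify=False, corrupt=overwrite_store))     # plain CPU executes the injected ADD
    print(run(verify=True, corrupt=overwrite_store))      # verified CPU stops at pc=2, nothing written
```

The unverified machine silently computes 19 and never writes its output; the verified one halts with an integrity error at the corrupted cell, and because the protected copy is compared on every fetch rather than copied into RAM at boot, the overwrite cannot be hidden by tampering with a volatile image.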


Re: [Full-disclosure] Mike Lynn's controversial Cisco Security Presentation

2005-07-29 Thread Jason Coombs

J.A. Terranson wrote:


I believe that at the moment of disclosure it becomes public domain.
Echoes of RC4...


Wrong, J.A.

infowarrior.org is now hosting a fine replica of the cease and desist 
letter that was received earlier today:


http://www.infowarrior.org/users/rforno/lynn-cisco.pdf

Regards,

Jason Coombs
[EMAIL PROTECTED]


Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-29 Thread Jason Coombs

Madison, Marc wrote:

Am I missing something here, because it seems that two vulnerabilities
are being discussed, one is the IPv6 DOS
http://www.cisco.com/warp/public/707/cisco-sa-20050729-ipv6.shtml.  And
the other is Lynn presentation on shellcode execution via the IOS?


Did you read the advisory? It is not solely a DoS threat.

"Cisco Internetwork Operating System (IOS) Software is vulnerable to a 
Denial of Service (DoS) and potentially an arbitrary code execution 
attack from a specifically crafted IPv6 packet."



Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-29 Thread Jason Coombs

Steve Friedl wrote:

So you're suggesting that Cisco should have adopted security by
obscurity for its hardware design?


How about adopting an architecture that incorporates special-purpose 
security safeguards into the CPU? Routers and switches don't need to 
execute arbitrary code, Cisco knows ahead of time, before they deploy a 
product, what code that product should be allowed to execute.


Do you think there is no way in hardware to limit the code that gets 
executed? Maybe you should join the FBI.


Sincerely,

Jason Coombs
[EMAIL PROTECTED]


Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-29 Thread Jason Coombs

J.A. Terranson wrote:


Do I hear a faint echo of Adobe???



No, Lynn reportedly quit his job, so he is not going to have the "my 
company did it, so you can't prosecute me" defense...


If we assume Lynn knew about this defense given that he is quoted as 
referencing the Adobe case in his statements to the press, then Lynn 
willfully gave up that protection prior to his disclosure.


Now that is truly patriotic and brave, to sacrifice oneself in order to 
demonstrate that there are holes in the criminal justice system...


Regards,

Jason Coombs
[EMAIL PROTECTED]


Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-29 Thread Jason Coombs

Frank Knobbe wrote:

What he has done is not say "Here's a bug that I can exploit". He has
said "This IOS is capable of exploitation beyond current belief". And it
will be for the foreseeable future.



Precisely. And Lynn pointed out that Cisco routers use general purpose 
CPUs -- therefore Cisco's own engineers chose purposefully to build a 
vulnerable device.


Cisco is responsible for this entire mess. Had they engineered a secure 
product around a CPU that was not general purpose, none of this would be 
happening now.


No company that intentionally engineers a computing device around a 
general purpose programmable CPU should have the ability to press 
charges against security researchers who disclose security flaws in 
those devices.


Cisco is wrong to conclude that they can engineer a defective product 
and then allow the criminal prosecution of a person who simply asks the 
pointed question "Why did Cisco do this? It renders their product 
permanently defective, and here's the proof."


Somebody needs to explain this clearly to the FBI.

Cisco should be criminally prosecuted for telling lies to their 
customers and for abuse of process.


Regards,

Jason Coombs
[EMAIL PROTECTED]


Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-29 Thread Jason Coombs

Michael Holstein wrote:

Secrecy and censorship are contrary to the ideals of a democratic society.


Mike,

You don't live in a democratic society. You have representatives and 
laws to make decisions and impose rules of order on others on your 
behalf. Like it or not, if the rules you allow to exist on your behalf 
get violated then there may be swift and decisive retaliation by your 
representative democratic government.


Nobody knows in this case whether the "trade secrets" allegedly "stolen" 
bring this matter into the realm of a criminal offense, or whether this 
is squarely and clearly only a civil matter. Cisco doesn't even know 
whether this is a crime, everyone is fumbling in the dark here.


Reports that the FBI are investigating are therefore believable, and 
prosecution of Lynn for criminal acts is not unlikely depending upon 
whether or not Cisco backs down from their harsh interpretation of what 
happened. In determining whether or not a crime occurred, the existence 
of an entity/person who appears to have been victimized is an important 
factor. You can help your democratic representatives do the right thing 
on your behalf by showing us all conclusive proof that Cisco was not 
victimized in any way by the actions of Lynn or by his disclosures.


Likewise, anyone with information that would show that Cisco is 
knowingly "faking it" by exaggerating their appearance as a "victim" can 
be instrumental in having Cisco prosecuted for abuse of process, or at 
the very least any possible criminal charges against Lynn dropped.


Sincerely,

Jason Coombs
[EMAIL PROTECTED]


Re: [Full-disclosure] Our Industry Is Seriously Ethics Impaired

2005-07-27 Thread Jason Coombs

Adam Jones wrote:

What exactly is wrong with this? I personally would rather have 3com
buying up exploits (probably under an agreement for exclusive access)
instead of having them sold to the highest, probably malicious,
bidder. Even if someone sells it to both there is a more reputable
group that has the exploit and can help with mitigation.

- Adam
On 7/26/05, J.A. Terranson <[EMAIL PROTECTED]> wrote:


Yet another voice baying at the moon.



Come on, Adam. Do you still not understand that the entirety of almost 
all 'security' fixes is a change to a single character on a single line 
of a single file of source code?


How much more complicated do you need to make it in order to feel safe?

3Com needs it to be so complicated that a 'Digital Vaccine' is required 
in order to make you feel healthy again. Bull. Crap. Lies.


Regards,

Jason Coombs
[EMAIL PROTECTED]


Re: [Full-disclosure] iDEFENSE/VeriSign - VCP Program Changes

2005-07-26 Thread Jason Coombs

J.A. Terranson wrote:

On Tue, 26 Jul 2005, iDEFENSE Labs wrote:

Retention program:
The retention program is designed to reward the top five contributors

...

Old  New

...

Incentive program:
The purpose of the incentive program is to reward the top three

...

Old  New

...


Puke.



VeriSign is going to need a similar retention and incentive program for 
its stockholders.


Buy VRSN @ $29.00 on 7/20/05

value declines 15.62% on 7/21/05 to close at $24.47

Considering the stock traded under $4.00 per share as recently as 
October 2002, the company's going to need to find a very fancy trick to 
convince the shareholders to keep the faith and not dump the stock.


Obviously, buying iDEFENSE makes VeriSign far more valuable. Hoorah!

"Who do you want the stock market to eat, today?"

Regards,

Jason Coombs
[EMAIL PROTECTED]


Re: [Full-disclosure] Why Vulnerability Databases can't do everything

2005-07-16 Thread Jason Coombs
Do either of you seriously believe that it will ever be safe to use a software 
programmable CPU to automatically process data that originates from some place 
other than your fingertips?

The entire personal and business computer industry is producing broken and 
dangerous products, yet it would require only a few fundamental changes to fix 
everything. Instead of putting effort and capital into this objective everyone 
is squabbling over changing software vendors' behavior or fretting over 
individual bugs and whether or not they should be disclosed and if so how and 
when.

1) Stop loading machine code from the same data storage devices to which 
user/application data is saved.

2) Don't allow machine code to be written to program storage unless it has 
first been enciphered with a key assigned to the computer.

3) Stop buffering runtime I/O within the same physical memory as machine code.

4) Put a stop to the silly belief that software must be executed in the same form 
that it is delivered. (i.e. Just because the programmer wrote code that made 
Win32 API calls on the development box, this does not mean that the OS 
deployment that hosts the execution of that code has to support Win32 at all -- 
we need to insert a machine code transformation step prior to deployment of 
code, combining the principles of address space layout randomization with new 
approaches to API obfuscation/reassembly down to the level of 
customized/reassigned interrupts and CPU registers.

6) Etc.

Do these things, some of which require modifications to the present 
fixed-opcode structure of the programmable CPU, and all outsider attacks 
against software will fail to accomplish anything other than a denial of 
service.

With a little common sense applied to the design of computers, the only threats 
anyone would have to worry about are data theft, physical device 
tampering/hacking, and insiders.

The company that achieves objectives like these will own the next 100 years of 
computing. Everyone who believes that security flaws in software are worth 
effort to discover and fix is very badly confused.

Solving present-day systemic defects in the design of computing architectures, 
now that's important.

Software bugs are a plague that infects every computer from the moment it is 
first assembled, but not because of software vendors' mistakes, rather as a 
direct result of genetic defects in the computer genome.

Windows will no longer exist within 10 years because everyone will have 
realized that it was built on a flawed premise around defective hardware.

Will Microsoft be the architect of the first non-defective programmable 
computer? No way. They only know how to profit by exploiting short-term 
opportunity.

More likely, some microprocessor vendor will bring to market a machine 
architecture that the best and brightest programmers around the world will 
rally around to birth the neocomputer industry.

Meanwhile, your continued loyalty to, investment in, and commercial 
exploitation of the computer technology we have today is obviously nothing more 
than an attempt to increase your own importance at the expense of others. Get 
over it. If you're a decent human being you will not buy nor encourage the 
purchase of a single computing device other than the Nokia 770 Linux Internet 
Tablet until the neocomputer industry emerges.

Regards,

Jason Coombs
[EMAIL PROTECTED]


[Full-disclosure] Re: Tools accepted by the courts

2005-07-05 Thread Jason Coombs

Evidence Technology wrote:

That era is quickly fading. Going forward, I think we'll see more
and more digital evidence rendered inadmissible via failure to
adhere to established evidentiary standards.


Jerry,

No way. What 'evidentiary standards' are you talking about here?

I'm sorry but that's just absurd. How will there ever be 'evidentiary 
standards' on the contents of my filing cabinet and my personal 
pornography collection?


The police find the data where they find it. That's called 
'circumstantial evidence' and digital evidence will always be treated 
exactly as such no matter who we successfully convince of the flaws 
inherent in the filing cabinet or printed document/glossy photograph 
analogy.


What I demand to hear spoken by law enforcement, and what I insist 
prosecutors compel law enforcement to speak if they don't volunteer 
these words out of their own common sense, is the following:


"Yes, that's what we found on the hard drive but there's little or no 
reason for us to believe that the defendant is responsible for placing 
it there just because the hard drive was in the defendant's possession. 
We often see cases where hard drives are installed second-hand and data 
from previous owners remains on the drive; we can't tell when the data 
in question was written, so it's important to be aware that hundreds of 
other people could have placed it there. We also see cases where 
software such as spyware or Web pages full of javascript force a 
suspect's Web browser to take actions that result in the appearance that 
the owner of the computer caused Internet content to be retrieved when 
in fact the owner of the computer may not have known what was happening; 
malicious Web site programmers know how to use techniques such as 
pop-unders and frames to hide scripted behavior of Web pages. 
Furthermore, once the Web browser is closed and its temporary files are 
deleted, every bit of data that was saved 'temporarily' to a file by the 
browser becomes a semi-permanent part of the hard drive's unallocated 
space and we have no way to tell the difference between data that was 
once part of a temporary file created automatically by a Web page being 
viewed or scripted inside a Web browser and the same data placed 
intentionally on the hard drive by its owner without the use of the 
Internet. Also ..."


Disrespectfully Yours,

 (with extreme prejudice born of intense frustration due to the fact 
that nobody cares about getting this stuff right when it's so much 
easier just to collect a forensic paycheck and move on to the next 
victim -- I would like to think you are part of the solution rather than 
being part of the problem but you're talking nonsense and so is nearly 
everyone else in the computer forensics field, most especially the 
computer forensics vendors who need people to love them in order to make 
their businesses grow. They do not deserve respect and they most 
certainly fail the 'lovable' test, but television shows like CSI and 
visions of fat bank accounts have deceived everyone temporarily...)


Please get a clue before you hurt somebody.

Jason Coombs
[EMAIL PROTECTED]


[Full-disclosure] [Fwd: Returned post for [EMAIL PROTECTED]

2005-07-04 Thread Jason Coombs
I'm sick and tired of the stupid securityfocus.com mailing list 
moderators who keep refusing to allow the truth to be added to the 
discussions that they moderate.


Boycott Symantec. They're a bunch of arrogant exploiters of other 
people's stupidity, and they attract those who are like-minded.


Symantec profits through suppressing truth and encouraging delusion.

May every person who supports the suppression of full disclosure go to 
prison for crimes they didn't commit based solely on digital evidence.


Hooray for modern American-prisoner-industrial-slavery capitalism.

Regards,

Jason Coombs
[EMAIL PROTECTED]


 Original Message 
Subject: Returned post for [EMAIL PROTECTED]
Date: 4 Jul 2005 23:18:20 -
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]

Hi! This is the ezmlm program. I'm managing the
[EMAIL PROTECTED] mailing list.

I'm working for my owner, who can be reached
at [EMAIL PROTECTED]

I'm sorry, the list moderators for the forensics list
have failed to act on your post. Thus, I'm returning it to you.
If you feel that this is in error, please repost the message
or contact a list moderator directly.

--- Enclosed, please find the message you sent.

Subject: [Fwd: Re: Tools accepted by the courts]
From: Jason Coombs <[EMAIL PROTECTED]>
Date: Wed, 29 Jun 2005 11:25:33 -1000
To: Forensics <[EMAIL PROTECTED]>

For those who asked to read my original post ... See below.

I propose that we do two things:

1) Add an impartial peer-review step to every submission of 'digital 
evidence' in court;


2) Publish all expert/analysis reports and transcripts of testimony 
given by forensic examiners;


3) Build a mechanism (an automatic appeal, perhaps, on the grounds that 
computer forensics was used to assist in the conviction) whereby careful 
scrutiny can be performed after-the-fact of every criminal conviction 
that was obtained through the involvement of 'computer forensics'.


4) Require law enforcement computer forensic examiners to do work on 
behalf of the defense.


I have witnessed unreasonable law enforcement and prosecution behavior 
and technical mistakes that cause me to believe that courts are being 
systematically misled with respect to the reliability of computer 
forensic evidence.


Believe it or not, people have been convicted of crimes based on 
computer evidence alone in cases where the fact of their computer having 
been acquired used, or frequently operated by multiple users, or 
outright owned by a warez or porn distributor, or hijacked and forced to 
be a P2P file sharing hub, or massively infected with spyware and 
Trojans, gets completely ignored.


The only case I have ever seen in which prosecution/law enforcement 
computer forensics even bothered to look into such issues of information 
security was a UCMJ court martial where the DODCFL took care to locate 
and report the existence of the presence of a Trojan and a keylogger on 
the suspect's computer.


Considering that this UCMJ case was a direct result of the FBI's 
"operation site key" child porn investigation, where nothing more than 
the suspect's credit card number having been found in the "site key" 
database of online child porn customers led to the charges in question, 
and the keylogger and Trojan probably did result in a third party being 
in possession of the suspect's credit card information, a failure of the 
DODCFL to search for such evidence would have itself been criminal.


Fortunately, the DOD computer forensic lab staff appear quite skilled, 
and they are available to do work on behalf of the accused service 
member. The fact that the HTCIA has a written policy against any law 
enforcement forensic examiner ever doing work on behalf of a defendant 
is disgusting and offensive in light of the DOD's more enlightened 
procedures.


We allow 'digital evidence' to have meaning and we give it weight in 
court, but we do so by ignoring how easy it is for anyone to obtain 
whatever information they need to steal another person's identity, and 
we do so by ignoring the fact that it is impossible to know what 
happened in the past to a digital computer. (heck, it is 
nearly-impossible in practice to know what a digital computer is doing 
RIGHT NOW)


This issue goes far beyond simply 'fixing' the broken system that exists 
today. For the better part of the last two decades computer forensics 
has been in use by law enforcement in real-world investigations. From my 
experience as an instructor of CCE "boot camp" courses I learned that 
John Mellon claims to have invented computer forensics twenty years ago 
when he was at the IRS. If he is correct that some of the first uses of 
computer forensics in criminal investigations occurred in connection 
with IRS enforcement of the tax code against U.S. citizens, then the 
entire field is even more ba
