Re: [Full-disclosure] [MDVSA-2013:11X ] ENTIRE OS

2013-04-15 Thread Laurelai
On 4/15/2013 6:24 AM, Alexander Georgiev wrote:
>
> +1 !
>
> On Thu, 11 Apr 2013 00:00:18 -0700, Stefan Jon Silverman wrote:
>
>> -BEGIN POPEYE (SPINACH) SIGNED MESSAGE-
>> Hash: SHAK's-SHORTS
>>
>>  ___
>>
>>  Mandriva Linux Security Advisory MDVSA-2013:ALL
>>  ___
>>
>>  Package : Entire F'n OS
>>  Date: April 11, 2013
>>  Affected: Entire F'n OS
>>  ___
>>
>>  Problem Description:
>>
>>  Updated OS packages fail to fix multiple security vulnerabilities:
>>  
>>  It was discovered that we have absolutely no clue on how to get it right so 
>> we issue several hundred security advisories each and every calendar day 
>> just to keep the rest of the planet up to date on how totally incompetent we 
>> are in managing a fork.
>>
>>  We appreciate your tolerance of clogging your inbox w/ alert after alert 
>> which reaffirms our stated distribution goal of being "the least secure 
>> Linux on the planet" and hope that you will continue to support us in our 
>> endeavors.
>>
>>  -END POPEYE (SPINACH) SIGNATURE-
>>
>> -- 
>>  
>>  
>> Regards,
>> Stefan
>
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
http://i.imgur.com/hKk8UcK.gif

Re: [Full-disclosure] list patch

2013-03-04 Thread Laurelai
On 3/4/2013 9:28 PM, andrew.wallace wrote:
> After all this time you don't grasp the serious nature of calling me
> or my organisation a troll and the trouble you will get yourself in
> legally. After all this time you still persist. Oh and the recent
> mails have been forwarded to my lawyer.
>
> Andrew
http://i.imgur.com/phpcZyW.jpg

Re: [Full-disclosure] list patch

2013-03-02 Thread Laurelai
On 3/3/2013 2:20 AM, Georgi Guninski wrote:
> On Sat, Mar 02, 2013 at 12:29:10PM -0500, valdis.kletni...@vt.edu wrote:
>> On Sat, 02 Mar 2013 18:17:46 +0200, Georgi Guninski said:
>>
>>> indeed the list headers changed.
>>> "lightly moderated" sounds like "likely pregnant" to me.
>>> i suggest we move somewhere else. seriously.
>> You do realize that what you're *actually* seeing here is the
>> list headers being changed to match the way things have actually
>> been for over 3 years now? And apparently you've been OK with it
>> for 3 years until somebody pointed it out?
>>
>> (Though I suppose we *could* all move to someplace else where a
>> certain troll is still allowed to post.  Let me know how that turns out. :)
>
> if "certain troll" is n3td3v, IIRC i publicly wrote n3td3v should
> not be banned from the list (probably available in the archives).
>
> you appear to give up freedom for a bit of sikurity and a
> bit of comfort -- let's see how this sorts out.
>
> the spam secunia puts in the auto signatures reminds me how
> aleph1 sold bugtraq.
>
Surely you wouldn't be comparing trolls on an internet mailing list with
the complexities of a nation state and the sum of human rights :)

Re: [Full-disclosure] how do I know the fbi is followin

2013-03-02 Thread Laurelai
On 3/2/2013 10:15 PM, Stefan Jon Silverman wrote:
> <<<===
>
> gets out popcorn maker, this is going to be a fun movie.
>
> Regards,
> Stefan
>
> On 3/2/2013 7:04 PM, Chris L wrote:
>> If you think they are following, go down a dark rural road that you
>> know has a few loops. You need to have a goat in the back of the van.
>> Deliberately drive down one of these loops, if they're still behind
>> you, they're following you. That doesn't mean they're FBI though, they
>> could just be stalkers or serial killers. STOP randomly in the road.
>> Jump out of the car as fast as you can. Start visibly consuming as many
>> drugs as you can while stripping off your clothes and dancing. Then,
>> pull out the goat and begin to ritually sacrifice it. If they're FBI
>> you'll be arrested, if not you'll have likely scared off the crazies
>> following you by being more crazy than them.
>>
>> Then you'll know.
>>
>> On Sat, Mar 2, 2013 at 6:42 PM, Jeff Kell wrote:
>>> On 3/2/2013 9:29 PM, Reed Loden wrote:
>>>> Check your nearby WiFi SSIDs for "FBI Surveillance Van". That's always a
>>>> dead giveaway that you're being monitored.
>>>
>>> Yeah, what is it with those guys?  (or the ones that perpetuate the myth...)
>>>
>>> Jeff
http://i.imgur.com/y11K1Wa.gif

Re: [Full-disclosure] Full-Disclosure Digest, Vol 89, Issue 11: ] How much time is appropriate for fixing

2012-07-11 Thread Laurelai
On 7/11/2012 10:56 AM, Григорий Братислава wrote:
> Obligatory question is to must remain politically correct: "When I is
> respond to you, am I to address is Wesley or Laurelai?" Not only is
> you confused, you is has everyone confused. MusntLive is reserve the
> right to dish out equal opportunity flames and is not want to address
> you as Ms. if you are still a he.
>
>
> On Wed, Jul 11, 2012 at 11:48 AM, Laurelai  wrote:
>
>> http://www.youtube.com/watch?v=m_mDTLphIVY

I repeat: http://www.youtube.com/watch?v=m_mDTLphIVY


Re: [Full-disclosure] Full-Disclosure Digest, Vol 89, Issue 11: ] How much time is appropriate for fixing

2012-07-11 Thread Laurelai
On 7/11/2012 8:12 AM, Григорий Братислава wrote:
> On Tue, Jul 10, 2012 at 6:40 PM,   wrote:
>
>> Are you familiar with Georgi's work? Please look at his website before
>> proffering opinions.
>>
> Is must be an old man thing. No one is use VAX/VMS is only people like
> parmaster (oh hai Jason Snitker) is use VAX to make is themselves look
> three is one three three seven for IRC monkeys. "Oh hai, is look I
> know VAX because is US government is use mind control on me"
> (http://www.raven1.net/mcf/v/snitker.htm)
>
> Guninski is washed up. Like is Japanese debris hit California right
> now. And is you too is washed up. No one is
> use punch card no more. Georgi is no one special lest is only to
> himself in mirror. Now is you talking Dan Kaminski, Dan is God! Only
> when he is not drunk and sappy over is "red pill blue pill" man.
> (Rutkowska). You is say Dan, I say all the way!
>
http://www.youtube.com/watch?v=m_mDTLphIVY


Re: [Full-disclosure] How much time is appropriate for fixing a bug?

2012-07-06 Thread Laurelai
On 7/6/12 1:48 PM, Thor (Hammer of God) wrote:
> I already covered that -- if they don't fix it, then publish it.  
> Also, if a vendor has a "venerability" to the community, then they
> would obviously fix it.
>
> There's no "responsibility" to disclose anything.   FD doesn't exist
> to satisfy some requirement for researchers to publish vulnerability
> -- it exists so that people can market themselves.   The "we must
> disclose this so that people will know and they can protect
> themselves" is simply a justification for the aforementioned.These
> people don't give a fat fuck about the industry or protecting other
> people.   If they did, they would just post "hey, there's a vuln in
> this product, email me and I'll tell you about it."  When no-one
> emails them (because this limited audience doesn't care) they don't
> get their "deserved cred" and post it.  
>
> Nobody cares, and nobody remembers...  his FD will simply be another
> tit in the peep show.  People like 0DayInit and Litchfield did it the
> SMART way.  They have a client base who have purchased a product to
> protect them from these vulnerabilities.  People who purchase the
> product are protected in the meantime, as the vuln is actually
> addressed in the product.  It actually works in the vendor's favor
> to take longer as it makes the product more valuable.  
>
>
> Vendors want "responsible disclosure" so they can assign priority to
> plan release cadence.  Disclosures want recognition, or payment, or
> both.   Each will do what is in their own best interest.  But let's
> not pretend it is anything other than what it is.
>
> t
>
>
>
> From: Peter Dawson
> Date: Friday, July 6, 2012 10:24 AM
> To: Timothy Mullen
> Cc: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] How much time is appropriate for fixing
> a bug?
>
> Thor (Hammer of God) : 
>  
> so if vendor don't fix it /ack the bug.. then what ??
> Responsibility works both ways.. Advise the vendor.. if they say fuck
> it.. I say fuck u.. and will advise the community !
>  
> There is a responsibility to disclose a venerability to the community
> so that they can take down/block /deactivate a service .
>  
> ".All that is necessary for the triumph of evil is that good men do
> nothing. " -whoever ..fuck it !
>  
> /pd
>
>  
> On Fri, Jul 6, 2012 at 12:46 PM, Thor (Hammer of God)
> mailto:t...@hammerofgod.com>> wrote:
>
> Well, I have to say, at least he's being honest.  If the guy is
> chomping at the bit to release the info so he can get some
> attention, then let him.  That, of course, is what it is all
> about.   He's not releasing the info so that the community can be
> "safe" by "forcing" the vendor to fix it.  He's doing it so people
> can see how smart he is and that he found some bug.   So Joro's
> reply of "fuck em" is actually refreshingly honest.  
>
> Regarding "how long does it take," it is completely impossible to
> tell.  If someone fixed it in 10 minutes, good for them.  It could
> take someone else 10 months.   Any time I see things like
> Wikipedia advising things like "5 months" I have to lol.  They
> have no freaking idea whatsoever as to the company's dev processes
> and the extent that the fix could impact legacy code or any number
> of other factors.   I would actually have expected code
> bug-finders to have a better clue about these things, but
> apparently they don't.   
>
> MSFT's process is nuts -- they have SO many dependencies, so many
> different products with shared code, so many legacy products, so
> many vendors with drivers and all manner of other stuff that the
> process is actually quite difficult and time consuming.  Oracle is
> worse -- they have the same but multiplied by x platforms.  Apple
> I think has it the "easiest" of the big ones, but even OSX is
> massively complex (and completely awesome).
>
> It is all about intent:  if you want to be recognized publicly for
> some fame or whatever, just FD it because chances are you will
> anyway.   If you really care about the security of the industry,
> then submit it and be done with it.  If and when they fix it is up
> to them.
>
> t
>
>
>
> From: Gary Baribault
> Date: Friday, July 6, 2012 7:59 AM
> To: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] How much time is appropriate for
> fixing a bug?
>
> Hey Georgi,
>
> Didn't take your happy pill this morning?
>
> I would say that the answer depends on how the owner/company
> answers you, if you feel that they're stringing you along and you
> have given them som

Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-10 Thread Laurelai
On 6/10/12 11:10 PM, Thor (Hammer of God) wrote:
> Well no freaking wonder then.  For whatever reason, I keep thinking
> you are Andrew posting under a different name, which always confused
> me.  I know Andrew didn't serve in the Army, which just made me think
> he was losing his mind. (I've actually never had a problem with
> Andrew, though I guess many here have.)
>
> So yes, my apologies, as I obviously don't know you from Adam.  Now
> everything makes more sense.  
> T
>
> Sent from my iPad
>
> On Jun 10, 2012, at 4:21 PM, "Laurelai" <laure...@oneechan.org> wrote:
>
>> On 6/10/12 6:00 PM, Thor (Hammer of God) wrote:
>>>
>>> Awesome.  I’ll send ‘er off.   “Andrew Wallace,” correct?
>>>
>>> Timothy “Thor” Mullen
>>> www.hammerofgod.com
>>> Thor’s Microsoft Security Bible
>>> <http://www.amazon.com/Thors-Microsoft-Security-Bible-Collection/dp/1597495727>
>>>
>>> From: Laurelai [mailto:laure...@oneechan.org]
>>> Sent: Sunday, June 10, 2012 2:26 PM
>>> To: Thor (Hammer of God)
>>> Cc: full-disclosure@lists.grok.org.uk
>>> Subject: Re: [Full-disclosure] Obama Order Sped Up Wave of
>>> Cyberattacks Against Iran
>>>
>>> On 6/10/12 5:09 PM, Thor (Hammer of God) wrote:
>>>
>>> OK, I’ll bite this one time.  I assert you are blatantly lying about
>>> military service.  How about tell me your service dates?  Surely you
>>> can’t consider that any sort of privacy breach.
>>>
>>> This is an easy way for us to be done with the whole thing.  Part of
>>> your diatribe is based on your “right” to bitch because of your
>>> military service.  I, again, assert that is complete fabrication.
>>> As someone who actually HAS done work for the government I know (as
>>> you should) that your military service records are actually public
>>> record.  I don’t need your service dates, but it will help.  All I
>>> need do is fax over form SF-180, and they’ll verify your service.
>>>
>>> If you really did serve, I’ll apologize publicly.  If you didn’t
>>> (or don’t provide the information) then we’ll all know you are just
>>> a lying nutjob and we can ignore you from now on.  Is that fair enough?
>>>
>>> Timothy “Thor” Mullen
>>> www.hammerofgod.com
>>> Thor’s Microsoft Security Bible
>>> <http://www.amazon.com/Thors-Microsoft-Security-Bible-Collection/dp/1597495727>
>>>
>>> From: full-disclosure-boun...@lists.grok.org.uk
>>> [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Laurelai
>>> Sent: Sunday, June 10, 2012 2:00 PM
>>> To: full-disclosure@lists.grok.org.uk
>>> Subject: Re: [Full-disclosure] Obama Order Sped Up Wave of
>>> Cyberattacks Against Iran
>>>
>>> On 6/10/12 12:52 PM, Thor (Hammer of God) wrote:
>>>
>>> And not capitalizing "Army" when you claim to have spent 10 years of
>>> your life in service does precisely the same thing.
>>>
>>> On Jun 10, 2012, at 3:31 AM, "Laurelai" <laure...@oneechan.org> wrote:
>>>
>>> I don't listen to either. And sorry to burst your bubble but
>>> I did serve 10 years in the army.
>>>
>>> Next I imagine you will insult my gender identity or something
>>> equally silly. For the record you should capitalize the first
>>> word of each sentence and put a punctuation mark at the end, not
>>> doing this just makes you look uneducated and ensures people do
>>> not take you seriously.

Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-10 Thread Laurelai

  
  
On 6/10/12 6:00 PM, Thor (Hammer of God) wrote:
> Awesome.  I’ll send ‘er off.   “Andrew Wallace,” correct?
>
> Timothy “Thor” Mullen
> www.hammerofgod.com
> Thor’s Microsoft Security Bible
>
> From: Laurelai [mailto:laure...@oneechan.org]
> Sent: Sunday, June 10, 2012 2:26 PM
> To: Thor (Hammer of God)
> Cc: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
>
>> On 6/10/12 5:09 PM, Thor (Hammer of God) wrote:
>>> OK, I’ll bite this one time.  I assert you are blatantly lying
>>> about military service.  How about tell me your service dates?
>>> Surely you can’t consider that any sort of privacy breach.
>>>
>>> This is an easy way for us to be done with the whole thing.  Part
>>> of your diatribe is based on your “right” to bitch because of your
>>> military service.  I, again, assert that is complete fabrication.
>>> As someone who actually HAS done work for the government I know (as
>>> you should) that your military service records are actually public
>>> record.  I don’t need your service dates, but it will help.  All I
>>> need do is fax over form SF-180, and they’ll verify your service.
>>>
>>> If you really did serve, I’ll apologize publicly.  If you didn’t
>>> (or don’t provide the information) then we’ll all know you are just
>>> a lying nutjob and we can ignore you from now on.  Is that fair enough?
>>>
>>> Timothy “Thor” Mullen
>>> www.hammerofgod.com
>>> Thor’s Microsoft Security Bible
>>>
>>> From: full-disclosure-boun...@lists.grok.org.uk
>>> [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Laurelai
>>> Sent: Sunday, June 10, 2012 2:00 PM
>>> To: full-disclosure@lists.grok.org.uk
>>> Subject: Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
>>>
>>>> On 6/10/12 12:52 PM, Thor (Hammer of God) wrote:
>>>>> And not capitalizing "Army" when you claim to have spent 10 years of
>>>>> your life in service does precisely the same thing.
>>>>>
>>>>> On Jun 10, 2012, at 3:31 AM, "Laurelai" <laure...@oneechan.org> wrote:
>>>>>> I don't listen to either. And sorry to burst your bubble but I did
>>>>>> serve 10 years in the army.
>>>>>>
>>>>>> Next I imagine you will insult my gender identity or something
>>>>>> equally silly. For the record you should capitalize the first word
>>>>>> of each sentence and put a punctuation mark at the end, not doing
>>>>>> this just makes you look uneducated and ensures people do not take
>>>>>> you seriously.
>>>>
>>>> Except I don't like the government.
>>
>> I went to basic in September of 99 and ETS'ed in May of 08. 6 years
>> were National Guard, 4 years active duty. I went to basic at Ft.
>> Jackson, South Carolina; the base has a lot of fire ants and the
>> weather was a bit unpredictable. My drill sergeants' names were Drill
>> Sergeant Hunter and Drill Sergeant Wachowski. The unit I ETS'ed from
>> was HHB 4/5 ADA out of Camp Carroll, South Korea, and right before 

Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-10 Thread Laurelai

  
  
On 6/10/12 5:54 PM, Benji wrote:
> Which antisec kids? Unfortunately due to some people being utterly
> deluded, such as yourself, throwing that word around it's rather
> ambiguous now.
>
> On Sun, Jun 10, 2012 at 10:49 PM, Laurelai <laure...@oneechan.org> wrote:
>> On 6/10/12 5:09 PM, Thor (Hammer of God) wrote:
>>> OK, I’ll bite this one time.  I assert you are blatantly lying
>>> about military service.  How about tell me your service dates?
>>> Surely you can’t consider that any sort of privacy breach.
>>>
>>> This is an easy way for us to be done with the whole thing.  Part
>>> of your diatribe is based on your “right” to bitch because of your
>>> military service.  I, again, assert that is complete fabrication.
>>> As someone who actually HAS done work for the government I know (as
>>> you should) that your military service records are actually public
>>> record.  I don’t need your service dates, but it will help.  All I
>>> need do is fax over form SF-180, and they’ll verify your service.
>>>
>>> If you really did serve, I’ll apologize publicly.  If you didn’t
>>> (or don’t provide the information) then we’ll all know you are just
>>> a lying nutjob and we can ignore you from now on.  Is that fair enough?
>>>
>>> Timothy “Thor” Mullen
>>> www.hammerofgod.com
>>> Thor’s Microsoft Security Bible
>>>
>>> From: full-disclosure-boun...@lists.grok.org.uk
>>> [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Laurelai
>>> Sent: Sunday, June 10, 2012 2:00 PM
>>> To: full-disclosure@lists.grok.org.uk
>>> Subject: Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
>>>
>>>> On 6/10/12 12:52 PM, Thor (Hammer of God) wrote:
>>>>> And not capitalizing "Army" when you claim to have spent 10 years of
>>>>> your life in service does precisely the same thing.
>>>>>
>>>>> On Jun 10, 2012, at 3:31 AM, "Laurelai" <laure...@oneechan.org> wrote:
>>>>>> I don't listen to either. And sorry to burst your bubble but I did
>>>>>> serve 10 years in the army.
>>>>>>
>>>>>> Next I imagine you will insult my gender identity or something
>>>>>> equally silly. For the record you should capitalize the first word
>>>>>> of each sentence and put a punctuation mark at the end, not doing
>>>>>> this just makes you look uneducated and ensures people do not take
>>>>>> you seriously.

Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-10 Thread Laurelai

  
  
On 6/10/12 5:09 PM, Thor (Hammer of God) wrote:
> OK, I’ll bite this one time.  I assert you are blatantly lying
> about military service.  How about tell me your service dates?
> Surely you can’t consider that any sort of privacy breach.
>
> This is an easy way for us to be done with the whole thing.  Part
> of your diatribe is based on your “right” to bitch because of your
> military service.  I, again, assert that is complete fabrication.
> As someone who actually HAS done work for the government I know (as
> you should) that your military service records are actually public
> record.  I don’t need your service dates, but it will help.  All I
> need do is fax over form SF-180, and they’ll verify your service.
>
> If you really did serve, I’ll apologize publicly.  If you didn’t
> (or don’t provide the information) then we’ll all know you are just
> a lying nutjob and we can ignore you from now on.  Is that fair enough?
>
> Timothy “Thor” Mullen
> www.hammerofgod.com
> Thor’s Microsoft Security Bible
>
> From: full-disclosure-boun...@lists.grok.org.uk
> [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Laurelai
> Sent: Sunday, June 10, 2012 2:00 PM
> To: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
>
>> On 6/10/12 12:52 PM, Thor (Hammer of God) wrote:
>>> And not capitalizing "Army" when you claim to have spent 10 years of
>>> your life in service does precisely the same thing.
>>>
>>> On Jun 10, 2012, at 3:31 AM, "Laurelai" <laure...@oneechan.org> wrote:
>>>> I don't listen to either. And sorry to burst your bubble but I did
>>>> serve 10 years in the army.
>>>>
>>>> Next I imagine you will insult my gender identity or something
>>>> equally silly. For the record you should capitalize the first word
>>>> of each sentence and put a punctuation mark at the end, not doing
>>>> this just makes you look uneducated and ensures people do not take
>>>> you seriously.
>>
>> Except I don't like the government.

And I hope those antisec kids own the lot of your frauds. Really, I
asked a simple question on how to avoid state sponsored malware that
runs exclusively on Windows platforms and not a single one of you
said anything about using an alternate OS; some of you insisted in
fact we should just lie down and take it. You aren't security
experts, you are scam artists. Makes me wonder if you are paid to act
this way or if you all really just didn't consider it. Either answer
is pretty chilling.

Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-10 Thread Laurelai
On 6/10/12 5:22 PM, Ian Hayes wrote:
>
> Then why did you work for them? (or so you claim)
>
>> On Jun 10, 2012 2:01 PM, "Laurelai" <laure...@oneechan.org> wrote:
>>
>> On 6/10/12 12:52 PM, Thor (Hammer of God) wrote:
>> >
>> > And not capitalizing "Army" when you claim to h...
>>
>> Except I don't like the government.
I did, I don't any longer.

Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-10 Thread Laurelai

  
  
On 6/10/12 5:09 PM, Thor (Hammer of God) wrote:
> OK, I’ll bite this one time.  I assert you are blatantly lying
> about military service.  How about tell me your service dates?
> Surely you can’t consider that any sort of privacy breach.
>
> This is an easy way for us to be done with the whole thing.  Part
> of your diatribe is based on your “right” to bitch because of your
> military service.  I, again, assert that is complete fabrication.
> As someone who actually HAS done work for the government I know (as
> you should) that your military service records are actually public
> record.  I don’t need your service dates, but it will help.  All I
> need do is fax over form SF-180, and they’ll verify your service.
>
> If you really did serve, I’ll apologize publicly.  If you didn’t
> (or don’t provide the information) then we’ll all know you are just
> a lying nutjob and we can ignore you from now on.  Is that fair enough?
>
> Timothy “Thor” Mullen
> www.hammerofgod.com
> Thor’s Microsoft Security Bible
>
> From: full-disclosure-boun...@lists.grok.org.uk
> [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Laurelai
> Sent: Sunday, June 10, 2012 2:00 PM
> To: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
>
>> On 6/10/12 12:52 PM, Thor (Hammer of God) wrote:
>>> And not capitalizing "Army" when you claim to have spent 10 years of
>>> your life in service does precisely the same thing.
>>>
>>> On Jun 10, 2012, at 3:31 AM, "Laurelai" <laure...@oneechan.org> wrote:
>>>> I don't listen to either. And sorry to burst your bubble but I did
>>>> serve 10 years in the army.
>>>>
>>>> Next I imagine you will insult my gender identity or something
>>>> equally silly. For the record you should capitalize the first word
>>>> of each sentence and put a punctuation mark at the end, not doing
>>>> this just makes you look uneducated and ensures people do not take
>>>> you seriously.
>>
>> Except I don't like the government.

I went to basic in September of 99 and ETS'ed in May of 08. 6 years
were National Guard, 4 years active duty. I went to basic at Ft.
Jackson, South Carolina; the base has a lot of fire ants and the
weather was a bit unpredictable. My drill sergeants' names were
Drill Sergeant Hunter and Drill Sergeant Wachowski. The unit I ETS'ed
from was HHB 4/5 ADA out of Camp Carroll, South Korea, and right
before I left Korea our CSM was relieved of duty (CSM Larkin) for
sexually harassing junior enlisted soldiers under his command. I
worked in the S-6 shop in a 25B slot for a long time even though I
had been trained as a 14E (Patriot systems operator and
maintainer). I went to Echo school at Ft. Bliss and let me tell you
when I got there I thought the place was just terrible, but there is
nothing like the view of watching the sun set against those desert
mountains, absolutely beautiful. While I was in South Korea I met up
with hubris from Backtrace Security, believe it or not, since he was
in the area at the time (this was before there ever was a
Backtrace Security); he showed me all the fun places to hang out away
from the tourist traps and he has seen me in unifor

Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-10 Thread Laurelai
On 6/10/12 11:29 AM, valdis.kletni...@vt.edu wrote:
> On Sun, 10 Jun 2012 08:58:31 +0300, Georgi Guninski said:
>> What about legal windows backdoors (NSA key)?
> It was never confirmed whether the infamous NSAKEY was an actual backdoor, or
> just a hilariously poorly named variable.  In any case, even if it was a
> backdoor, it's certainly not the same "legal" status as CALEA, where Federal
> law said "ISPs Will Provide A Law Enforcement Tap". A lot of universities
> which had just finished positioning themselves as ISPs in order to qualify for
> the 17 USC 512 copyright "safe harbor" provisions, ended up doing a 180 degree
> turn and said "Not An ISP - Private Network" so they wouldn't have to meet the
> CALEA requirements. (An amazing number of .edu's ended up a "private net' for
> CALEA purposes, but kept things in place for the safe harbor stuff as well.
> Fortunately, nobody's ever pushed the issue).
>
> If NSAKEY was a backdoor, it was at best a quasi-legal one, and I'm positive
> that everybody at both Microsoft and the NSA would prefer that their roles in
> the story never came to light.
>
>
>
I am a bit surprised by the direction of this conversation and I have
been waiting for someone to say the obvious in regards to protecting
yourself from .gov malware; it really is quite simple if you think about
it. Stuxnet, Duqu, Flame, etc. all only run on Windows platforms. If
the people you are protecting are concerned about that kind of malware
(and they should be) it would be a great time to tell them about
GNU/Linux, BSD, etc.

Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-10 Thread Laurelai
On 6/10/12 12:52 PM, Thor (Hammer of God) wrote:
> And not capitalizing "Army" when you claim to have spent 10 years of
> your life in service does precisely the same thing. 
>
> On Jun 10, 2012, at 3:31 AM, "Laurelai" <laure...@oneechan.org> wrote:
>
>>
>>>>
>>> I don't listen to either. And sorry to burst your bubble but I
>>> did serve 10 years in the army.
>>>
>>>
>> Next I imagine you will insult my gender identity or something
>> equally silly. For the record you should capitalize the first word of
>> each sentence and put a punctuation mark at the end, not doing this
>> just makes you look uneducated and ensures people do not take you
>> seriously.
>
>
Except I don't like the government.

Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-10 Thread Laurelai
On 6/10/12 8:22 AM, doc mombasa wrote:
> maybe it's because I don't take you seriously
> and who cares what gender you are
> go suck a lemon
>
> 2012/6/10 Laurelai <laure...@oneechan.org>
>
> On 6/10/12 6:23 AM, doc mombasa wrote:
>> sure you did
>> and I ride a popsicle motorcycle from my palace to the beach
>> every day :)
>>
>> 2012/6/10 Laurelai <laure...@oneechan.org>
>>
>> On 6/10/12 6:14 AM, doc mombasa wrote:
>>> do you by any chance listen to a lot of Nirvana and
>>> Linkin Park?
>>>
>>>
>>>  
>>> 2012/6/8 Laurelai <laure...@oneechan.org>
>>>
>>> On 6/8/12 2:14 PM, Григорий Братислава wrote:
>>> > On Fri, Jun 8, 2012 at 2:08 PM, Laurelai <laure...@oneechan.org> wrote:
>>> >
>>> >> rights? You might want to invest in spell checking
>>> software by the way.
>>> > Is really show your education is you cannot determine
>>> reality of is
>>> > lexicon. Maybe is identification masquerade is hide
>>> yes? Perhaps is
>>> > maybe possible is I maybe tick is you off?
>>> Neverisless, you sir are is
>>> > troll. Is serious: http://tinyurl.com/laurelaitroll
>>> (is literalee
>>> > troll)
>>> >
>>> >
>>> There you have it folks, the best argument the so-called experts could
>>> come up with as to why we shouldn't do anything about this is name
>>> calling and half-baked attempts at derailing the conversation and more
>>> spelling errors than a 5th grader's book report.
>>>
>>> I must have hit a nerve or something, makes me wonder if I'm speaking to
>>> the very people selling the zero day exploits. You wouldn't be having a
>>> guilty conscience or anything would you all? Worried we might put a stop
>>> to your gravy train perhaps?
>>>
>>> Now back on topic, those of us who actually have a soul should work
>>> together to find a good solution.
>>>
>>> Anyone interested feel free to email me.
>>>
>>>
>>>
>> I don't listen to either. And sorry to burst your bubble but I
>> did serve 10 years in the army.
>>
>>
> Next I imagine you will insult my gender identity or something
> equally silly. For the record you should capitalize the first word
> of each sentence and put a punctuation mark at the end, not doing
> this just makes you look uneducated and ensures people do not take
> you seriously.
>
>
I don't want your damn lemons, what am I supposed to do with these?

http://www.youtube.com/watch?v=Dt6iTwVIiMM

Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-10 Thread Laurelai
On 6/9/12 5:10 PM, Mark Shuler wrote:
>
> Nudging everyone back to the alleged Obama tactics. I'm sure
> everyone has an idea for the big push for "cyber warriors" in the
> United States.
>
> By the arguments I'm hearing and milling through some of the other
> infosec posts: who do you believe has more capability for cyber
> terror? NSA? Private industry? Hell, maybe there are already cyber
> PMCs running without a leash.
>
>

Considering what has been revealed to the public I think it is a safe
assumption the private sector and the NSA have cyber terror capability
and likely use it on a regular basis.



Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-10 Thread Laurelai
On 6/10/12 6:23 AM, doc mombasa wrote:
> sure you did
> and I ride a popsicle motorcycle from my palace to the beach every day :)
>
> 2012/6/10 Laurelai <laure...@oneechan.org>
>
> On 6/10/12 6:14 AM, doc mombasa wrote:
>> do you by any chance listen to a lot of Nirvana and Linkin
>> Park?
>>
>>
>>  
>> 2012/6/8 Laurelai <laure...@oneechan.org>
>>
>> On 6/8/12 2:14 PM, Григорий Братислава wrote:
>> > On Fri, Jun 8, 2012 at 2:08 PM, Laurelai <laure...@oneechan.org> wrote:
>> >
>> >> rights? You might want to invest in spell checking
>> software by the way.
>> > Is really show your education is you cannot determine
>> reality of is
>> > lexicon. Maybe is identification masquerade is hide yes?
>> Perhaps is
>> > maybe possible is I maybe tick is you off? Neverisless, you
>> sir are is
>> > troll. Is serious: http://tinyurl.com/laurelaitroll (is
>> literalee
>> > troll)
>> >
>> >
>> There you have it folks, the best argument the so-called experts could
>> come up with as to why we shouldn't do anything about this is name
>> calling and half-baked attempts at derailing the conversation and more
>> spelling errors than a 5th grader's book report.
>>
>> I must have hit a nerve or something, makes me wonder if I'm speaking to
>> the very people selling the zero day exploits. You wouldn't be having a
>> guilty conscience or anything would you all? Worried we might put a stop
>> to your gravy train perhaps?
>>
>> Now back on topic, those of us who actually have a soul should work
>> together to find a good solution.
>>
>> Anyone interested feel free to email me.
>>
>>
>>
> I don't listen to either. And sorry to burst your bubble but I did
> serve 10 years in the army.
>
>
Next I imagine you will insult my gender identity or something equally
silly. For the record you should capitalize the first word of each
sentence and put a punctuation mark at the end, not doing this just
makes you look uneducated and ensures people do not take you seriously.

Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-08 Thread Laurelai
On 6/8/12 9:56 PM, Jason Hellenthal wrote:
> Shit, I'll give the NSA a shell on any system... if it means achieving a
> greater goal. Whether it's wrong or not... let the bots decide who is the
> better player as long as it brings the US into a primary position of
> power.
>
> On Wed, Jun 06, 2012 at 11:22:32PM -0400, Laurelai wrote:
>> On 6/6/12 2:23 PM, Peter Dawson wrote:
>>> haha..da return of da "farewell dossier" !!
>>>
>>> On Wed, Jun 6, 2012 at 2:21 PM, coderman <coder...@gmail.com> wrote:
>>>
>>> On Wed, Jun 6, 2012 at 11:16 AM, coderman <coder...@gmail.com> wrote:
>>> > ... uncle sam has been up in yer SCADA for
>>> > two decades.
>>>
>>> three decades; too early for maths!
>>>
>>>
>>>
>>>
>>>
>>>
>> Guys can we focus on the fact that the US Government is en masse
>> accessing computer systems without due process, and trying to prosecute
>> the people who made this known to the public.
>
Here we have a real life example of someone who is a part of the problem.



Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-08 Thread Laurelai
On 6/8/12 3:54 PM, Ian Hayes wrote:
> On Fri, Jun 8, 2012 at 3:49 PM, Laurelai  wrote:
>> On 6/8/12 3:46 PM, Ian Hayes wrote:
>>> On Fri, Jun 8, 2012 at 3:38 PM, Laurelai  wrote:
>>>> Thank you, let's now discuss how infosec experts are going to deal with
>>>> the threat of state-sponsored cyberwarfare, and "bend over and take it"
>>>> is not really a good answer.
>>> Sure it is, it's just not the answer you want.
>>>
>>> http://www.theonion.com/articles/god-answers-prayers-of-paralyzed-little-boy,475/
>> So your honest view as an information security expert is to just lie
>> down and take it?
> Never said that. I just said that "bend over and take it" is an
> acceptable answer.
>
And you would be wrong.



Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-08 Thread Laurelai
On 6/8/12 3:46 PM, Ian Hayes wrote:
> On Fri, Jun 8, 2012 at 3:38 PM, Laurelai  wrote:
>> Thank you, let's now discuss how infosec experts are going to deal with
>> the threat of state-sponsored cyberwarfare, and "bend over and take it"
>> is not really a good answer.
> Sure it is, it's just not the answer you want.
>
> http://www.theonion.com/articles/god-answers-prayers-of-paralyzed-little-boy,475/
>
So your honest view as an information security expert is to just lie
down and take it?



Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-08 Thread Laurelai
On 6/8/12 3:33 PM, James Condron wrote:
> Aand now we degenerate into a political argument nobody but the poster 
> gives a fuck about.
>
> Ta for that, maybe take it elsewhere. Let's keep on topic (though we may be 
> several posts behind)
>
> Sent using BlackBerry® from Orange
>
> -Original Message-
> From: Bzzz 
> Sender: full-disclosure-boun...@lists.grok.org.uk
> Date: Fri, 8 Jun 2012 20:03:51 
> To: 
> Subject: Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks
>  Against Iran
>
> On Fri, 08 Jun 2012 13:36:07 -0400
> Laurelai  wrote:
>
>> Excuse me but I'm a veteran who served 10 years in the Army and I
>> damn well earned my right to complain about how broken the system
>> is, myself and the soldiers around me sacrificed so that we could
>> all have a free country and that yes I could "whine" about it. It's
>> called the US Constitution, we took an oath to uphold and defend
>> it and everything it stands for.
> And in 10 years you didn't understand how the system is working,
> that you were following orders from people that won't ever take
> any risk (nor their family & friends), that are themselves receiving
> their orders from big money/business/politics you'll never see on
> tv nor in any newspaper.
>
>> So while I'm saying here that the civil liberties I swore to
>> uphold and defend are eroding away and that evil is triumphing
>> over the US, you are telling me this is business as usual.
> You are not lucid, your country has _always_ been a rat lab where
> masters tell you that you're free, but dig a (tiny) bit and you'll
> see that's always been a big fat lie (i.e. you pay income taxes?
> but the 19th amendment has never been ratified - and your own
> justice is enforcing sanctions if you don't pay, knowing what they
> do is totally illegal...)
>
>> Just because something evil is the established way of things or is
>> becoming the established way of things doesn't mean we have to or
>> should accept it. Perhaps *you* should stop being so cold and
>> jaded about the evils of the world and put some you know *effort*
>> into fixing them instead of trying to shout down anyone who tries
>> or talks about trying to make the world better.
> I think he's living in a real world and looks at it coldly & without
> any indulgence.
>
>> You are honestly implying that there is absolutely nothing that
>> can ever be done ever and we should all just lie down and take it,
>> can you understand why I might take issue with that perspective?
>> You are saying in essence "There is no more room to improve so we
>> should never again try."
> Thor missed one thing though: he said "people are doing things for 2
> reasons; get laid or get paid", there are 2 more reasons: for fun
> and for ideals; the latter being the most dangerous thing in the
> whole world.
>
> Jean-Yves
Thank you, let's now discuss how infosec experts are going to deal with
the threat of state-sponsored cyberwarfare, and "bend over and take it"
is not really a good answer.



Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-08 Thread Laurelai
On 6/8/12 3:12 PM, Ian Hayes wrote:
> On Fri, Jun 8, 2012 at 2:41 PM, Christian Sciberras  wrote:
>> Perhaps the US Government would gain better results by mass protests and
>> chanting peace songs.
>>
>> Or perhaps it just doesn't work this way.
>>
>> They shouldn't be blamed, everyone knows fighting fire with fire is very
>> effective, just as everyone
>> knows the people calling the government names are the same ones with small
>> botnets lying about.
>> Can't blame them, now that someone else is using their own tools against
>> them.
> I call upon the ghost of Heinlein: "Anyone who clings to the
> historically untrue—and thoroughly immoral—doctrine that 'violence
> never settles anything' I would advise to conjure the ghosts of
> Napoleon Bonaparte and the Duke of Wellington and let them debate it.
> The ghost of Hitler could referee, and the jury might well be the
> Dodo, the Great Auk and the Passenger Pigeon. Violence, naked force,
> has settled more issues in history than has any other factor, and the
> contrary opinion is wishful thinking at its worst. Breeds that forget
> this basic truth have always paid for it with their lives and
> freedom."
>
> There are those out there in power who only know the language of
> brute, naked force. No amount of cajoling, pleading, bargaining nor
> wheedling will sway them. On appeals to their better nature, no
> brilliant displays of logic and intellect. Pretty words uttered by
> politicians fall on deaf ears. But a punch to the nose, a kick to the
> nuts, the universal language of violence, that's something they
> understand intimately. And they respect that. Of course it's always
> preferable to sit down at the negotiating table and barter out a
> peace. What do we do when they knock over the table and make a mess?
>
> What separates us from them is the fact that we normally don't speak
> the universal language from the get-go. Is it deplorable? Yes. But
> like having to take a crap every now and then, it's necessary. The
> murder of civilians is certainly a terrible crime, but that and the
> release of some malware that breaks centrifuges is certainly better
> than other options.
>
I don't see how Iran developing nuclear power is a threat; I'm sorry,
to me this just seems like more fear mongering.

And remember the only nation that has ever shown itself *insane* enough
to actually use nuclear weapons on other human beings is the USA and
history showed the use was completely unwarranted. I don't get why we
can have literally enough nuclear weapons to wipe out all life on the
surface of the planet but Iran developing nuclear *power* is somehow a
national security threat.



Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-08 Thread Laurelai
On 6/8/12 3:09 PM, Григорий Братислава wrote:
> On Fri, Jun 8, 2012 at 3:02 PM, Laurelai  wrote:
>
>> You mean where I publicly called out the people selling zero days to the
>> US gov?
> No I is meant where you allow is your narcissism is permeate in conversation.
>
http://www.youtube.com/watch?v=j7jhb8_UPfw


Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-08 Thread Laurelai
On 6/8/12 2:56 PM, Григорий Братислава wrote:
> On Fri, Jun 8, 2012 at 2:52 PM, Laurelai  wrote:
>> *adds names to a list of people likely selling zero days*
> Is not surprise me. Is you need know, national security trumps FBI CIS
> http://www.fbi.gov/news/testimony/improving-our-confidential-human-source-program
> every times. You could not is even touch me with ten foot drag queen
> pole. Is thanks for clarifying your role.
>
You mean where I publicly called out the people selling zero days to the
US gov?


Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-08 Thread Laurelai
On 6/8/12 2:41 PM, Christian Sciberras wrote:
> Perhaps the US Government would gain better results by mass protests
> and chanting peace songs.
>
> Or perhaps it just doesn't work this way.
>
> They shouldn't be blamed, everyone knows fighting fire with fire is
> very effective, just as everyone
> knows the people calling the government names are the same ones with
> small botnets lying about.
> Can't blame them, now that someone else is using their own tools
> against them.
>
>
>
>
>
> On Fri, Jun 8, 2012 at 8:20 PM, Laurelai <laure...@oneechan.org> wrote:
>
> On 6/8/12 2:14 PM, Григорий Братислава wrote:
> > On Fri, Jun 8, 2012 at 2:08 PM, Laurelai <laure...@oneechan.org> wrote:
> >
> >> rights? You might want to invest in spell checking software by
> the way.
> > Is really show your education is you cannot determine reality of is
> > lexicon. Maybe is identification masquerade is hide yes? Perhaps is
> > maybe possible is I maybe tick is you off? Neverisless, you sir
> are is
> > troll. Is serious: http://tinyurl.com/laurelaitroll (is literalee
> > troll)
> >
> >
> There you have it folks, the best argument the so-called experts could
> come up with as to why we shouldn't do anything about this is name
> calling and half-baked attempts at derailing the conversation and more
> spelling errors than a 5th grader's book report.
>
> I must have hit a nerve or something, makes me wonder if I'm speaking to
> the very people selling the zero day exploits. You wouldn't be having a
> guilty conscience or anything would you all? Worried we might put a stop
> to your gravy train perhaps?
>
> Now back on topic, those of us who actually have a soul should work
> together to find a good solution.
>
> Anyone interested feel free to email me.
>
>
>
*adds names to a list of people likely selling zero days*

Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-08 Thread Laurelai
On 6/8/12 2:08 PM, Григорий Братислава wrote:
> On Fri, Jun 8, 2012 at 1:58 PM, Laurelai  wrote:
>
>> And that brings us back to what are we going to do about the US Gov lying
>> down in the same mud as the bad guys.
> I is detect narcissism Wesley. "what are we" is you ask. Define we. Is
> you has gang behind you? (I is not mean for those actions is we call
> in your pronounce huesos). You are is nobody special don't is kidding
> yourself. You are is home living with mama and papa confused manshe
> who is cannot hold down job because of yours is action is let alone
> start any revolution.
>
>
I am having a really hard time reading what you are trying to say behind
all of those horrendous spelling and grammar errors.


Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-08 Thread Laurelai
On 6/8/12 1:51 PM, Григорий Братислава wrote:
> On Fri, Jun 8, 2012 at 1:47 PM, Laurelai  wrote:
>
>> Congress shall make no law respecting an establishment of religion, or
>> prohibiting the free exercise thereof; or abridging the freedom of speech,
>> or of the press; or the right of the people peaceably to assemble, and to
>> petition the Government for a redress of grievances.
>>
>> I know English isn't your first language so if you need help with the words
>> let me know. I don't see any part there that says trans people still don't
>> have that right.
> I am is glad you know lots about my first language maybe too perhaps
> also you perhaps wrong?  Is you see no mention of trans people perhaps
> maybe is because men is have balls back is when constitution written.
> Maybe perhaps yes is you c you can maybe
> perhaps is point us out where it say "Adam and heshe" or "Mahmoud and
> heshe" or "Menachnem and heshe"
>
>
Why would I care about the fictional writings of people long dead
(people who may not have even existed) in regards to modern human
rights? You might want to invest in spell checking software by the way.


Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-08 Thread Laurelai
On 6/8/12 1:48 PM, Ian Hayes wrote:
> On Fri, Jun 8, 2012 at 1:36 PM, Laurelai <laure...@oneechan.org> wrote:
>
>
> All that is necessary *for evil to triumph* is for good people to
> do nothing.
>
>
> The corollary to that argument is that *good people* must not resort
> to the same tactics as the people they are fighting. To lie down in
> the same mud makes you just as dirty.
>
>
And that brings us back to what are we going to do about the US Gov
lying down in the same mud as the bad guys.

Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-08 Thread Laurelai
On 6/8/12 1:41 PM, Григорий Братислава wrote:
> On Fri, Jun 8, 2012 at 1:36 PM, Laurelai <laure...@oneechan.org> wrote:
>
> Excuse me but I'm a veteran who served 10 years in the Army and I
> damn well earned my right to complain about how broken the system
> is, myself and the soldiers around me sacrificed so that we could
> all have a free country and that yes I could "whine" about it. It's
> called the US Constitution, we took an oath to uphold and defend
> it and everything it stands for. I didn't sign up to "get laid or
> paid" I did it to serve a cause greater than myself, not that you
> would know anything about that. Oh and that "Free clinic paid for
> by the government" is called the VA Hospital and I already earned
> the care I can receive there. Want to complain about it now? Feel
> free. You have that right. It's called freedom of speech. You are
> welcome.
>
>
> Is this time you serve when you was boy? (Wesley Bailey) Or is after
> you is transform. Is valid question. Yes is Wesley have right to
> complain, Wesley in Army, not Laurelai. Laurelai has no right
>
>
> -- 
>
> `Wherever I is go - there am I routed`
>
>
Congress shall make no law respecting an establishment of religion, or
prohibiting the free exercise thereof; or abridging the freedom of
speech, or of the press; or the right of the people peaceably to
assemble, and to petition the Government for a redress of grievances.

I know English isn't your first language so if you need help with the
words let me know. I don't see any part there that says trans people
still don't have that right.

Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-08 Thread Laurelai
On 6/8/12 1:03 PM, Thor (Hammer of God) wrote:
> >> finding solutions to countries using cyberwar and using innocent
> >> peoples machines to carry it out, invading peoples privacy and
> >> generally doing terrible stuff in the name of god and country.
>
> What solution? And who exactly is going to “find” it? The entire
> history of mankind is based on the “terrible stuff we do in the name of
> god and country.” We, of course, being humans. All we need is one of
> the two and we’ve got all the justification we need to go off and kill
> someone else for having a different god or different country. Note I
> said “justification” and not “motivation.” God and country are just
> excuses – means to an end. There’s always another agenda.
>
> Man does things for two reasons: to get laid, or to get paid.
> Everything else is just a nice fuzzy wrap to make us feel better about
> ourselves. “Finding some other solution” is naïve and a waste of time.
> We, and everyone else, will do whatever we want to do, and do whatever
> it takes to get away with it. It’s as simple as that. It’s easy and
> convenient for you to bitch about the injustices from behind a keyboard
> when men and woman are out there DYING for their country and the
> integrity of what they believe in, irrespective of the basis of the
> decisions their commanding bodies have for sending them out there.
> It’s called “real life.” Grow up and go get that bleeding heart sewn up
> at some free clinic, paid for by the government that has to do the hard
> work in order to preserve your right to whine about it.
>
> Timothy “Thor” Mullen
> www.hammerofgod.com
> Thor’s Microsoft Security Bible
>
> From: full-disclosure-boun...@lists.grok.org.uk
> [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Laurelai
> Sent: Friday, June 08, 2012 9:04 AM
> To: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
>
> On 6/8/12 11:38 AM, valdis.kletni...@vt.edu wrote:
> > On Thu, 07 Jun 2012 13:48:33 -0400, Ian Hayes said:
> >> On Thu, Jun 7, 2012 at 1:40 PM, andrew.wallace wrote:
> >>> On Tue, Jun 5, 2012 at 8:43 PM, wrote:
> >>>> One could equally well read that as "We're fed up and about to
> >>>> pound North Korea even further back into the Stone Age".
> >>> With Stuxnet, it was lucky nobody was seriously injured.
> >>>
> >>> You cannot condone such weapons Valdis, or your hat will start to turn grey,
> >>> black.
> >> Stuxnet may not have killed anyone, but several Iranian nuclear
> >> scientists were assassinated in conjunction with Stuxnet's release.
> > Please don't feed the troll - the only way he can post to full-disclosure is
> > if somebody quotes him in.
> >
> > The worst part is that Andrew's reading comprehension is as good as
> > always - I wasn't commenting on Stuxnet, but the move of naval forces
> > to the Pacific. China isn't the only reason we might want a naval task
> > force over there.
> >
> > And I never said I condoned it, merely pointed out alternate interpretations.
> >
> > The funny thing is that Andrew was going on for a *long* time that there
> > is no such thing as cyber-warfare - when in fact it was going on while he
> > was denying it.
>
> I think the real question we should all think on is what are we going to
> do about this kind of thing?
>
> Because the way I see it, the infosec industry is part of this problem
> until it finds a way to be a part of the solution, if you all even
> desire this.
>
> If you do then let's talk about finding solutions to countries using
> cyberwar and using innocent people's machines to carry it

Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-08 Thread Laurelai
On 6/8/12 11:38 AM, valdis.kletni...@vt.edu wrote:
> On Thu, 07 Jun 2012 13:48:33 -0400, Ian Hayes said:
>> On Thu, Jun 7, 2012 at 1:40 PM, andrew.wallace 
>>  wrote:
>>> On Tue, Jun 5, 2012 at 8:43 PM,   wrote:
 One could equally well read that as "We're fed up and about to
 pound North Korea even further back into the Stone Age".
>>> With Stuxnet, it was lucky nobody was seriously injured.
>>>
>>> You cannot condone such weapons Valdis, or your hat will start to turn grey,
>>> black.
>> Stuxnet may not have killed anyone, but several Iranian nuclear
>> scientists were assassinated in conjunction with Stuxnet's release.
> Please don't feed the troll - the only way he can post to full-disclosure is
> if somebody quotes him in.
>
> The worst part is that Andrew's reading comprehension is as good as
> always - I wasn't commenting on Stuxnet, but the move of naval forces
> to the Pacific.  China isn't the only reason we might want a naval task
> force over there.
>
> And I never said I condoned it, merely pointed out alternate interpretations.
>
> The funny thing is that Andrew was going on for a *long* time that there
> is no such thing as cyber-warfare - when in fact it was going on while he
> was denying it.
>
>
>
I think the real question we should all think on is what are we going to
do about this kind of thing?

Because the way I see it, the infosec industry is part of this problem
until it finds a way to be a part of the solution, if you all even
desire this.

If you do then let's talk about finding solutions to countries using
cyberwar and using innocent people's machines to carry it out, invading
people's privacy and generally doing terrible stuff in the name of god
and country.

If you don't then just do us all a favor and stop calling yourself an
infosec expert, stop pretending to be one of the good guys and just call
yourself a mercenary and realize you are in the same class of people who
assassinated civilian scientists for political reasons. I hope all that
money helps you sleep at night.

Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-07 Thread Laurelai
On 6/7/12 1:48 PM, Ian Hayes wrote:
> On Thu, Jun 7, 2012 at 1:40 PM, andrew.wallace
>  wrote:
>> On Tue, Jun 5, 2012 at 8:43 PM,   wrote:
>>> One could equally well read that as "We're fed up and about to
>>> pound North Korea even further back into the Stone Age".
>> With Stuxnet, it was lucky nobody was seriously injured.
>>
>> You cannot condone such weapons Valdis, or your hat will start to turn grey,
>> black.
> Stuxnet may not have killed anyone, but several Iranian nuclear
> scientists were assassinated in conjunction with Stuxnet's release.
Civilian scientists at that.



Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-07 Thread Laurelai
On 6/7/12 4:44 AM, doc mombasa wrote:
> why arent you out on the streets blowing up stuff and taking names?
> be a rolemodel
>
> 2012/6/7 Laurelai <mailto:laure...@oneechan.org>
>
> On 6/7/12 12:05 AM, Ian Hayes wrote:
> > On Wed, Jun 6, 2012 at 11:49 PM, Laurelai <mailto:laure...@oneechan.org> wrote:
> >> -BEGIN PGP SIGNED MESSAGE-
> >> Hash: SHA1
> >>
> >> On 6/6/12 11:44 PM, valdis.kletni...@vt.edu
> <mailto:valdis.kletni...@vt.edu> wrote:
> >>> On Wed, 06 Jun 2012 23:22:32 -0400, Laurelai said:
> >>>
> >>>> Guys can we focus on the fact that the US Government is en masse
> >>>> accessing computer systems without due process, and trying to prosecute
> >>>> the people who made this known to the public.
> >>> After a decade of unindicted torture of prisoners, renditions, spying on our
> >>> own citizens, and killing of our own citizens, and a long list of other stuff,
> >>> all without due process, you really think anybody cares about a little illicit
> >>> hacking without due process? I'm afraid that ship basically sailed when
> >>> Pelosi said impeachment was off the table...
> >>>
> >> And why aren't people in the streets demanding they all step down?
> > Such naivety. It's charming. You have much to learn about American apathy.
> >
> > There were people in the streets. They were marginalized, and made fun
> > of, pepper sprayed, called "entitled dirty socialists" and told to get
> > a job. As long as people care more about what happens on American Idol
> > and whoever Kim Kardashian is divorcing this week, they're not going
> > to care one iota about what the government is doing to some country
> > that probably had it coming to them in the first place. You want the
> > masses out in the streets with the torches and pitchforks, you're
> > going to have to overcome decades of being programmed to not care what
> > the government does anymore as long as the TV works, there's beer in
> > the fridge, and porn is still freely available.
> >
> I know about the apathy, I see it every day. I see it a lot in the older
> generations. It's the younger generations out there getting maced and
> beaten and thrown in jail for standing up for what they think is right.
> It sickens me that the average person doesn't care.
I prefer non-violent solutions.

Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-06 Thread Laurelai
On 6/7/12 12:05 AM, Ian Hayes wrote:
> On Wed, Jun 6, 2012 at 11:49 PM, Laurelai  wrote:
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA1
>>
>> On 6/6/12 11:44 PM, valdis.kletni...@vt.edu wrote:
>>> On Wed, 06 Jun 2012 23:22:32 -0400, Laurelai said:
>>>
>>>> Guys can we focus on the fact that the US Government is en masse
>>>> accessing computer systems without due process, and trying to prosecute
>>>> the people who made this known to the public.
>>> After a decade of unindicted torture of prisoners, renditions, spying on our
>>> own citizens, and killing of our own citizens, and a long list of other stuff,
>>> all without due process, you really think anybody cares about a little illicit
>>> hacking without due process? I'm afraid that ship basically sailed when
>>> Pelosi said impeachment was off the table...
>>>
>> And why aren't people in the streets demanding they all step down?
> Such naivety. It's charming. You have much to learn about American apathy.
>
> There were people in the streets. They were marginalized, and made fun
> of, pepper sprayed, called "entitled dirty socialists" and told to get
> a job. As long as people care more about what happens on American Idol
> and whoever Kim Kardashian is divorcing this week, they're not going
> to care one iota about what the government is doing to some country
> that probably had it coming to them in the first place. You want the
> masses out in the streets with the torches and pitchforks, you're
> going to have to overcome decades of being programmed to not care what
> the government does anymore as long as the TV works, there's beer in
> the fridge, and porn is still freely available.
I know about the apathy, I see it every day. I see it a lot in the older
generations. It's the younger generations out there getting maced and
beaten and thrown in jail for standing up for what they think is right.
It sickens me that the average person doesn't care.



Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-06 Thread Laurelai

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 6/6/12 11:44 PM, valdis.kletni...@vt.edu wrote:
> On Wed, 06 Jun 2012 23:22:32 -0400, Laurelai said:
>
>> Guys can we focus on the fact that the US Government is en masse
>> accessing computer systems without due process, and trying to prosecute
>> the people who made this known to the public.
>
> After a decade of unindicted torture of prisoners, renditions, spying on our
> own citizens, and killing of our own citizens, and a long list of other stuff,
> all without due process, you really think anybody cares about a little illicit
> hacking without due process? I'm afraid that ship basically sailed when
> Pelosi said impeachment was off the table...
>
And why aren't people in the streets demanding they all step down?
-BEGIN PGP SIGNATURE-
Version: GnuPG/MacGPG2 v2.0.18 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJP0CTcAAoJEGVm7Hz5JilhZYEH/1FOBXMs3nT9b4Ci1NQlIw/9
Sp33ub3yBzNZLAYl2p/x3qkvreifNrKQsmxZjUbqYnnh6cnDYtUaHcUFwwJ2FO23
PyO7cBUqruOj6p3+lHOc6wQT9Cd5X1aEklNHm/6Wv0JfoZeHXLSdDcImrVT3Xoys
J2eSWGGag2m8rMe9zhk3mNS4aNVlKw4tl3lIJMFbXjcAFQaG7xRhjzuICyDTaBJQ
qAo/zNruTD7xavLPpeyw0IZk0ZFMdr95Z+XPWORQ/0SxEwS+nNCWo6xSL2UMIbVa
fUB3pMPkvxt8x8XGTgqzznd+/xlADBuZ3rr8HbRq8oO6V1gs70cIUTjsReiy0Z4=
=WyEw
-END PGP SIGNATURE-



Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-06 Thread Laurelai
On 6/6/12 2:23 PM, Peter Dawson wrote:
> haha..da retrun of da "farewell dossier" !!
>
> On Wed, Jun 6, 2012 at 2:21 PM, coderman wrote:
>
> On Wed, Jun 6, 2012 at 11:16 AM, coderman wrote:
> > ... uncle sam has been up in yer SCADA for
> > two decades.
>
> three decades; too early for maths!
>
Guys can we focus on the fact that the US Government is en masse
accessing computer systems without due process, and trying to prosecute
the people who made this known to the public.

Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-06 Thread Laurelai
On 6/6/12 2:16 PM, coderman wrote:
> On Wed, Jun 6, 2012 at 7:41 AM, Laurelai  wrote:
>> ...
>> Is anyone else the least bit concerned that Stuxnet was carried out by the
>> US Government?
> remember the siberian pipeline? uncle sam has been up in yer SCADA for
> two decades.
>
> if this is a surprise, you aren't paying attention.
>
> and if you're only concerned _now_, you aren't paying attention.
>
>
> http://en.wikipedia.org/wiki/Siberian_pipeline_sabotage
Oh, I've been concerned before; it just looks like people as a whole don't
even care.



Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-06 Thread Laurelai
On 6/6/12 9:20 PM, valdis.kletni...@vt.edu wrote:
> On Wed, 06 Jun 2012 18:19:21 -0400, Andrew D Kirch said:
>> I think you just identified it.  buy rifles (I have, there's a Colt M4
>> Law Enforcement Carbine sitting next to me), buy mortars (a bit
>> difficult but not impossible to get) buy tanks (quite easy to get if you
>> know where to look), and buy ammo.  DEMAND that federal firearms laws be
>> revised, and specifically repeals of 18 USC 921-922.  Yet again I point
>> out your VT.edu e-mail and your refusal to listen to Jefferson's
>> warnings.
> What's this "*my* refusal to listen"? I suspect you know less of my politics
> than you think you do. ;)
>
> Incidentally, asymmetric warfare does a great job of leveling the field. ;)
So let's have a serious talk about countering what is clearly the
greatest threat to cyber security around right now.

Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-06 Thread Laurelai
On 6/6/12 6:19 PM, Andrew D Kirch wrote:
> On 6/6/2012 6:08 PM, valdis.kletni...@vt.edu wrote:
>> You're a little bit confused here.  It doesn't matter what "people" think. It
>> matters what "the people with more rifles, mortars, tanks, and ammo than you"
>> think.
>>
>> Unless you come up with a way to level the playing field.
> I think you just identified it.  buy rifles (I have, there's a Colt M4
> Law Enforcement Carbine sitting next to me), buy mortars (a bit
> difficult but not impossible to get) buy tanks (quite easy to get if you
> know where to look), and buy ammo.  DEMAND that federal firearms laws be
> revised, and specifically repeals of 18 USC 921-922.  Yet again I point
> out your VT.edu e-mail and your refusal to listen to Jefferson's
> warnings.  The man wrote your state constitution.  He wasn't kidding
> when he did it.
>
> Andrew
I never thought I'd be agreeing with Andrew, but in this case he is
right; that's what the second amendment was written for.

However my idea is quite a bit less violent.


Stop selling these people 0-days.

Just stop.

I mean everyone here talks about how much of a threat cybercriminals are,
and yet some of the people who I'm sure are on this list are selling
exploits to governments, and they do quite a bit more harm than these
kids do.

They have turned the US Gov into the largest script kiddie clan on the net.

Until people inside the industry stop doing that I really don't think
there is any point *in* the infosec field, because at this point you all
are not even trying anymore.




Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-06 Thread Laurelai

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 6/6/12 6:08 PM, valdis.kletni...@vt.edu wrote:
> On Wed, 06 Jun 2012 10:41:24 -0400, Laurelai said:
>
>> People seem to think that since the US Gov did it that makes it ok, well
>> I do not think it does. Especially when they throw kids with small
>> botnets in jail for being mad at the system cause it's crooked.
>
> You're a little bit confused here. It doesn't matter what "people" think. It
> matters what "the people with more rifles, mortars, tanks, and ammo than you"
> think.
>
> Unless you come up with a way to level the playing field.
>
So you admit we live in a police state?
-BEGIN PGP SIGNATURE-
Version: GnuPG/MacGPG2 v2.0.18 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJPz/W/AAoJEGVm7Hz5JilhGo8H/2dzANgDUGY17dUW7OL+rPKZ
+FWyUudW739recN/Fsvb6XASVSjsDS/lMXsP2yvmFZKhkGRYNJmn4JzBmwgRZdsJ
WhaLSAGCX1EP4DiTApsjLWR6MxjpQC9zIK/FT+entCGPsS6/VSeOM778C3JibVnd
/zf3J2N0QWR8RxCqoJZ4enYQ7RLVCLm2O720hNRBBFoadM8+OzW31QISGWAsat1l
QX3BaCBQfEkGztqZ0+8j90Xz/4Ok+eYVxWE4z/fUCC7eHvY6RG+s3DfYq+Ql0LrU
Yku0amyzlB0cowaQUhGrusjBEt5sPWrIOirUPbqosBD6PpQMtwPJf/dKQsPsWvs=
=HWmA
-END PGP SIGNATURE-



Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-06 Thread Laurelai
On 6/6/12 12:18 PM, Charles Morris wrote:
> On Wed, Jun 6, 2012 at 12:13 PM, Laurelai  wrote:
>> On 6/6/12 11:50 AM, Charles Morris wrote:
>>>> I know for a fact HBGary was working with the NSA in regards to Stuxnet.
>>> I've never been all that good at spelling... but am I wrong that
>>> HBGary is an anagram for "posturing charlatan" ?
>>> Alternatively: if this is true then we are even worse off than I thought.
>> It was in the leaked HBGary emails, communications with the NSA
>> regarding Stuxnet. Why am I the only one who remembers this?
> I don't agree, disagree, or comment in any other way than my surprise,
> as I want to have respect for the NSA-
> but I suppose there are bad decisions made in any organization.
The fact that it quickly escaped out of control should tell you something.



Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-06 Thread Laurelai
On 6/6/12 11:50 AM, Charles Morris wrote:
>> I know for a fact HBGary was working with the NSA in regards to Stuxnet.
> I've never been all that good at spelling... but am I wrong that
> HBGary is an anagram for "posturing charlatan" ?
> Alternatively: if this is true then we are even worse off than I thought.
It was in the leaked HBGary emails, communications with the NSA
regarding Stuxnet. Why am I the only one who remembers this?



Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-06 Thread Laurelai
On 6/5/12 2:52 AM, Alexander Georgiev wrote:
> http://en.wikipedia.org/wiki/Argument_from_ignorance
>
> Am 04.06.2012 21:01, schrieb Joel Esler:
>> So, a quote, from a book?  Isn't that kinda circular?
>>
>> Also, there are no quotes from anyone in the room and no one is
>> referenced except by association.  Not saying it's not true, but
>> there's nothing there that indicates it is. 
>>
>> The only people who will know if this is 100% true were in the Oval
>> Office at the time, and those people aren't going to be quoted in a
>> NYTimes article.  
>>
>> http://upload.wikimedia.org/wikipedia/commons/1/18/%22Citation_needed%22.jpg 
>>  
>>
>> -- 
>> Joel Esler
>>
>> On Monday, June 4, 2012 at 2:52 PM, Jeffrey Walton wrote:
>>
>>> https://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html
>>>
>>> WASHINGTON --- From his first months in office, President Obama secretly
>>> ordered increasingly sophisticated attacks on the computer systems
>>> that run Iran's main nuclear enrichment facilities, significantly
>>> expanding America's first sustained use of cyberweapons, according to
>>> participants in the program.
>>> Hasan Sarbakhshian/Associated Press
>>>
>>> Mr. Obama decided to accelerate the attacks --- begun in the Bush
>>> administration and code-named Olympic Games --- even after an element of
>>> the program accidentally became public in the summer of 2010 because
>>> of a programming error that allowed it to escape Iran's Natanz plant
>>> and sent it around the world on the Internet. Computer security
>>> experts who began studying the worm, which had been developed by the
>>> United States and Israel, gave it a name: Stuxnet.
>>>
>>> At a tense meeting in the White House Situation Room within days of
>>> the worm's "escape," Mr. Obama, Vice President Joseph R. Biden Jr. and
>>> the director of the Central Intelligence Agency at the time, Leon E.
>>> Panetta, considered whether America's most ambitious attempt to slow
>>> the progress of Iran's nuclear efforts had been fatally compromised.
>>> ...
Is anyone else the least bit concerned that Stuxnet was carried out by
the US Government? I mean, let's look at this: the US Government committed
an act they themselves would consider cyber terrorism, infecting
millions of civilian machines. While they say it got "out of control",
and let's just go with that for simplicity, once it got out of control
wouldn't the right thing have been to shut it down instead of trying to
evade detection and continuing the project? How many antivirus vendors
were kept from doing their jobs during this? And how many were actively
cooperating? I know for a fact HBGary was working with the NSA in
regards to Stuxnet. Was it really worth it to compromise the security
and privacy of millions of innocent people just to shut down some power
plants?

Oh, and let's not forget the assassination of civilian scientists.

People seem to think that since the US Gov did it that makes it ok; well,
I do not think it does. Especially when they throw kids with small
botnets in jail for being mad at the system cause it's crooked.

I mean, that has to be the largest cyber attack of all time; this makes
the shit the LulzSec people carried out look mild in comparison, and
those guys are facing a decade in jail and the person who wrote Stuxnet
probably got a medal and a fat check.

Oh, and a message to the feds who I'm sure watch this list:

http://pwnies.com/winners/

You guys might want to go claim that award and present it to Obama; he
did earn it after all ;) (and he beat LulzSec for the award)


I mean, this mailing list is about threats to information security, so
let's call a spade a spade.

Right now the biggest threat to cyber-security is the US Government; it
has proven it can silently infect machines with worms powered by zero-day
exploits and "stolen" driver certificates. (They were able to
acquire them twice at least with no issue; my bet is they just asked for
them.)

And another thing, I somehow doubt the New York Times would publish
unless they have reliable sources.

Combined with this
http://online.wsj.com/article/SB10001424052702303506404577448563517340188.html?utm_source=twitterfeed&utm_medium=twitter

it pretty much tells me the article was spot on.

Can we now discuss the fact the US Gov committed an act of cy

Re: [Full-disclosure] cDc Created Hong Kong Blondes and 'Hacktivism' as a Media Hack

2012-05-04 Thread Laurelai
On 5/4/12 3:44 AM, PsychoBilly wrote:
> [[ Laurelai ]] @ [[ 04/05/2012 10:30 ]]--
>
>> tl;dr
> ❤ Should have ❤
From what I could tell it was yet another long-winded rant about what's
wrong with Anonymous.

The thing is, I doubt many anons subscribe to FD, so who is this supposed
to reach? Go to voxanon and tell them yourself :p


Re: [Full-disclosure] cDc Created Hong Kong Blondes and 'Hacktivism' as a Media Hack

2012-05-04 Thread Laurelai
On 5/3/12 2:24 PM, Wei Honker wrote:
> cDc Created Hong Kong Blondes and 'Hacktivism' as a Media Hack
>
> http://weihonker.tumblr.com/
>
> Anonymous is a Lie
>
> Anonymous is a lie. Anonymous is built on a false foundation that
> casts a pale shadow over anything and everything they attempt to
> accomplish. While born out of the trolls and lulz of the /b/ board on
> fourchan Anonymous has quickly become an online activist movement. The
> group has targeted everything from oppressive regimes in the Middle
> East, to opposition about Internet censorship. They have been
> launching DDoS attacks from the comfort of their basements while
> people in the street are literally gunned down and then they have the
> audacity to claim victory for themselves because they managed to take
> a website offline for a few hours. These actions, these minor
> irritations, have given Anonymous the audacity to call themselves
> hacktivists, a term that is itself a lie. By using the term hackivist
> or hacktivism Anonymous is helping to perpetuate one of the biggest
> media hacks of all time and they don’t even know it.
>
> Pulling pranks on the media has a long history with the computer
> underground. One of the best examples is the entire movie “Hackers”
> which is so full of inside jokes they cease to be funny. Although when
> you examine the list of technical consultants the lack of humor makes
> sense. Hackers, the movie, is such a huge media hack the plot is used
> not once, but twice. The second time with Serena Achtul and the ‘True
> Life” show on MTV. The show supposedly illustrates a so called
> ‘hacker’ who convinces Serena to follow him around while he attempts
> to retrieve a disk before the feds do, which is exactly the same plot
> used in the movie ‘Hackers”. Even after Serena and MTV where told they
> were being trolled they chose to air the footage anyway.
>
> I don’t know who from the computer underground was the first to
> execute a media hack but some of the best have come from the Cult of
> the Dead Cow. To give you an idea of just how prolific and proficient
> the cDc is at hacking the media consider that their slogan is ‘World
> Domination through Media Saturation’. This is nowhere more apparent
> than the spectacle that was the BO2K release during Defcon in 1999. No
> software launch in recorded history; including those done by the media
> savvy Apple Inc., could touch this. Everything from smashing guitars
> to furry assless chaps to bad rap music with all the cDc members
> prancing around on stage as if it was the second coming. All that
> spectacle for nothing more than a remote access tool, something with
> almost the exact same feature set as PC Anywhere except that it runs
> on a different port number. Even Microsoft themselves said that BO2K
> wasn’t a threat but the press ate it up anyway and cDc proved again
> that they were in fact master media manipulators.
>
> Hactivism is another brainchild of cDc designed to fool and trick the
> media and all who choose to be associated with the term. The creation
> of the term is supposedly well documented as being first used by cDc
> member Omega in an IRC chat room in 1996. But close examination of the
> hacktivism Wikipedia page and that page’s history shows a second
> possible source for the term, that of techno-culture writer Jason Sack
> in a piece about media artist Shu Lea Cheang, published in InfoNation
> in 1995 which pre-dates cDc’s claim to the term. This co-option of the
> term itself is part of cDc’s plan to execute the biggest media hack of
> all time encompassing all of ‘hacktivism’.
>
> But co-opting the term itself is not enough. cDc felt they needed
> something to take advantage of the term and to plunge it fully into
> the media spotlight. They came up with a fictitious international
> hacking group, a group who would only attack corporations that did not
> support human rights, and so the Hong Kong Blondes were born.
>
> Reading the initial interview between the supposed Hong Kong Blondes
> leader ‘Blondie Wong’ and the cDc member ‘Oxblood Ruffin’ in cDc #356
> now, fourteen years later, makes the entire ruse plainly obvious. Arik
> Hesseldahl, who ran the initial story in Wired based solely on this
> interview, with absolutely no corroborating evidence in the first
> place, has since privately expressed his doubts about the story. By
> publishing this article he unwittingly became the first rube in a long
> line of media rubes that the cDc played with ever increasing
> dexterity. Hesseldahl has most likely not publicly expanded on his
> misgivings over the story as it would draw attention to his original
> reservations and expose the fact that he failed to verify even one
> fact in the article.
>
> The first thing that jumps out at me from the initial interview is
> that it was conducted by cDc member Oxblood Ruffin and published
> directly by him. No one else was present and no one else spoke to
> Blondie Wong and so no one can confirm

Re: [Full-disclosure] Vulnerability in Gentoo hardened

2012-04-25 Thread Laurelai
On 4/25/12 5:08 AM, Benji wrote:
> You should be paranoid if someone could construe what you're doing as illegal.
>
> On Wed, Apr 25, 2012 at 11:07 AM, Laurelai  wrote:
>> On 4/25/12 4:59 AM, Benji wrote:
>>> And choosing to believe any of the other reasons when you think you're
>>> an '1337 hacker' and are involved in that world, is a personality
>>> problem, end of.
>>>
>>> On Wed, Apr 25, 2012 at 10:58 AM, Laurelai wrote:
>>>> On 4/25/12 4:54 AM, Benji wrote:
>>>>> No, with open eyes sight. If you chose not to believe the obvious at
>>>>> the time, that is your own mistake and proof that you (general you,
>>>>> not you specifically) were more interested in being part of the crowd
>>>>> than thinking.
>>>>>
>>>>>
>>>>> On Wed, Apr 25, 2012 at 10:52 AM, Laurelai
>>>>>   wrote:
>>>>>> On 4/25/12 4:48 AM, Benji wrote:
>>>>>>> except it was rather obvious why.
>>>>>>>
>>>>>>> On Wed, Apr 25, 2012 at 10:27 AM, Laurelai
>>>>>>>   wrote:
>>>>>>>> On 4/25/12 3:56 AM, Georgi Guninski wrote:
>>>>>>>>> On Tue, Apr 24, 2012 at 12:15:26PM -0400, valdis.kletni...@vt.edu
>>>>>>>>> wrote:
>>>>>>>>>> On Tue, 24 Apr 2012 17:36:55 +0200, Milan Berger said:
>>>>>>>>>>> if you read his "advisories" and "0-days" you know: It's not a
>>>>>>>>>>> joke...
>>>>>>>>>> I always thought it was misunderstood performance art...
>>>>>>>>>
>>>>>>>>> this one appears to be true:
>>>>>>>>> http://seclists.org/fulldisclosure/2011/Jul/312
>>>>>>>>> Full disclosure is arrest of Sabu
>>>>>>>>> (check the date)
>>>>>>>>>
>>>>>>>> And that's when Sabu was MIA from twitter and everyone knew about that,
>>>>>>>> nobody really knew why though.
>>>>>> In hindsight yes.
>>>> There are any number of reasons why someone, even Sabu, could have stopped
>>>> tweeting then started back up again. It just turned out that this was the
>>>> case this time.
>> I prefer not making assumptions about things I don't have any information on.
>> Sorry you consider that a personality problem :p
Well, it's a good thing I don't do illegal shit, probably why I'm not
paranoid all the time.



Re: [Full-disclosure] Vulnerability in Gentoo hardened

2012-04-25 Thread Laurelai
On 4/25/12 4:59 AM, Benji wrote:
> And choosing to believe any of the other reasons when you think you're
> an '1337 hacker' and are involved in that world, is a personality
> problem, end of.
>
> On Wed, Apr 25, 2012 at 10:58 AM, Laurelai  wrote:
>> On 4/25/12 4:54 AM, Benji wrote:
>>> No, with open eyes sight. If you chose not to believe the obvious at
>>> the time, that is your own mistake and proof that you (general you,
>>> not you specifically) were more interested in being part of the crowd
>>> than thinking.
>>>
>>>
>>> On Wed, Apr 25, 2012 at 10:52 AM, Laurelai wrote:
>>>> On 4/25/12 4:48 AM, Benji wrote:
>>>>> except it was rather obvious why.
>>>>>
>>>>> On Wed, Apr 25, 2012 at 10:27 AM, Laurelai
>>>>>   wrote:
>>>>>> On 4/25/12 3:56 AM, Georgi Guninski wrote:
>>>>>>> On Tue, Apr 24, 2012 at 12:15:26PM -0400, valdis.kletni...@vt.edu
>>>>>>> wrote:
>>>>>>>> On Tue, 24 Apr 2012 17:36:55 +0200, Milan Berger said:
>>>>>>>>> if you read his "advisories" and "0-days" you know: It's not a
>>>>>>>>> joke...
>>>>>>>> I always thought it was misunderstood performance art...
>>>>>>>
>>>>>>> this one appears to be true:
>>>>>>> http://seclists.org/fulldisclosure/2011/Jul/312
>>>>>>> Full disclosure is arrest of Sabu
>>>>>>> (check the date)
>>>>>>>
>>>>>> And thats when sabu was MIA from twitter and everyone knew about that,
>>>>>> nobody really knew why though.
>>>>>>
>>>> In hindsight yes.
>> There are any number of reasons why someone, even sabu could have stopped
>> tweeting then started back up again. It just turned out that this was the
>> case this time.
I prefer not making assumptions about things I don't have any information 
on. Sorry you consider that a personality problem :p



Re: [Full-disclosure] Vulnerability in Gentoo hardened

2012-04-25 Thread Laurelai
On 4/25/12 4:54 AM, Benji wrote:
> No, with open eyes sight. If you chose not to believe the obvious at
> the time, that is your own mistake and proof that you (general you,
> not you specifically) were more interested in being part of the crowd
> than thinking.
>
>
> On Wed, Apr 25, 2012 at 10:52 AM, Laurelai  wrote:
>> On 4/25/12 4:48 AM, Benji wrote:
>>> except it was rather obvious why.
>>>
>>> On Wed, Apr 25, 2012 at 10:27 AM, Laurelaiwrote:
>>>> On 4/25/12 3:56 AM, Georgi Guninski wrote:
>>>>> On Tue, Apr 24, 2012 at 12:15:26PM -0400, valdis.kletni...@vt.edu wrote:
>>>>>> On Tue, 24 Apr 2012 17:36:55 +0200, Milan Berger said:
>>>>>>> if you read his "advisories" and "0-days" you know: It's not a joke...
>>>>>> I always thought it was misunderstood performance art...
>>>>>
>>>>> this one appears to be true:
>>>>> http://seclists.org/fulldisclosure/2011/Jul/312
>>>>> Full disclosure is arrest of Sabu
>>>>> (check the date)
>>>>>
>>>> And thats when sabu was MIA from twitter and everyone knew about that,
>>>> nobody really knew why though.
>>>>
>> In hindsight yes.
There are any number of reasons why someone, even Sabu, could have 
stopped tweeting then started back up again. It just turned out that 
this was the case this time.



Re: [Full-disclosure] Vulnerability in Gentoo hardened

2012-04-25 Thread Laurelai
On 4/25/12 4:48 AM, Benji wrote:
> except it was rather obvious why.
>
> On Wed, Apr 25, 2012 at 10:27 AM, Laurelai  wrote:
>> On 4/25/12 3:56 AM, Georgi Guninski wrote:
>>> On Tue, Apr 24, 2012 at 12:15:26PM -0400, valdis.kletni...@vt.edu wrote:
>>>> On Tue, 24 Apr 2012 17:36:55 +0200, Milan Berger said:
>>>>> if you read his "advisories" and "0-days" you know: It's not a joke...
>>>> I always thought it was misunderstood performance art...
>>>
>>> this one appears to be true:
>>> http://seclists.org/fulldisclosure/2011/Jul/312
>>> Full disclosure is arrest of Sabu
>>> (check the date)
>>>
>> And thats when sabu was MIA from twitter and everyone knew about that,
>> nobody really knew why though.
>>
In hindsight yes.



Re: [Full-disclosure] Vulnerability in Gentoo hardened

2012-04-25 Thread Laurelai
On 4/25/12 3:56 AM, Georgi Guninski wrote:
> On Tue, Apr 24, 2012 at 12:15:26PM -0400, valdis.kletni...@vt.edu wrote:
>> On Tue, 24 Apr 2012 17:36:55 +0200, Milan Berger said:
>>> if you read his "advisories" and "0-days" you know: It's not a joke...
>> I always thought it was misunderstood performance art...
>
>
> this one appears to be true:
> http://seclists.org/fulldisclosure/2011/Jul/312
> Full disclosure is arrest of Sabu
> (check the date)
>
And that's when Sabu was MIA from Twitter and everyone knew about that, 
nobody really knew why though.



Re: [Full-disclosure] Vulnerability in Gentoo hardened

2012-04-25 Thread Laurelai
On 4/25/12 3:56 AM, Georgi Guninski wrote:
> On Tue, Apr 24, 2012 at 12:15:26PM -0400, valdis.kletni...@vt.edu wrote:
>> On Tue, 24 Apr 2012 17:36:55 +0200, Milan Berger said:
>>> if you read his "advisories" and "0-days" you know: It's not a joke...
>> I always thought it was misunderstood performance art...
>
>
> this one appears to be true:
> http://seclists.org/fulldisclosure/2011/Jul/312
> Full disclosure is arrest of Sabu
> (check the date)
>
Nope, I'm still here :p



Re: [Full-disclosure] phpMyBible 0.5.1 Mutiple XSS

2012-04-22 Thread Laurelai
On 4/23/12 12:20 AM, BMF wrote:
> On Sun, Apr 22, 2012 at 9:32 PM, Laurelai  wrote:
>> On 4/22/12 10:56 PM, BMF wrote:
>>> Ezekiel 23:20
>>>
>> Its Ezekiel 25:17..
> It sounded cool when he said it in the movie but I've never found any
> Bible that actually goes anything like what he said. Besides, I'm into
> donkey dicks and horse jizz so 23:20 is the verse for me.
>
> BMF
Cool story bro.



Re: [Full-disclosure] phpMyBible 0.5.1 Mutiple XSS

2012-04-22 Thread Laurelai
On 4/22/12 10:56 PM, BMF wrote:
> Ezekiel 23:20
>
> On Sun, Apr 22, 2012 at 12:59 PM, Thor (Hammer of God) wrote:
>> You dropped a FD on the BIBLE??  Dude, you're going straight to Hacker Hell! 
>>  :)
>>
>>
>>
>> Timothy "Thor"  Mullen
>> www.hammerofgod.com
>> Thor's Microsoft Security Bible
>>
>>
>>
>> -Original Message-
>> From: full-disclosure-boun...@lists.grok.org.uk 
>> [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Thomas 
>> Richards
>> Sent: Sunday, April 22, 2012 8:09 AM
>> To: full-disclosure@lists.grok.org.uk
>> Subject: [Full-disclosure] phpMyBible 0.5.1 Mutiple XSS
>>
>> # Exploit Title: phpMyBible 0.5.1 Mutiple XSS
>> # Date: 04/15/12
>> # Author: G13
>> # Twitter: @g13net
>> # Software http://sourceforge.net/projects/phpmybible/?source=directory
>> # Version: 0.5.1
>> # Category: webapps (php)
>> #
>>
>> # Description #
>>
>> phpMyBible is an online collaborative project to make an e-book of the Holy 
>> Bible in as various language as possible. phpMyBible is designed to be 
>> flexible to all readers while maintaining the authenticity and originality 
>> of the Holy Bible scripture.
>>
>> # Vulnerability #
>>
>> phpMyBible has multiple XSS vulnerabilities.
>>
>> When reading a section of the Bible; both the 'version' and 'chapter'
>> variables are prone to reflective XSS.
>>
>> # Exploit #
>>
>> http://localhost/index.php?book=1&version=[XSS]&chapter=[XSS]
>>
>> # Vendor Notification #
>>
>> 04/15/12 - Vendor Notified
>> 04/22/12 - No response, disclos
>>
It's Ezekiel 25:17..

http://www.youtube.com/watch?v=UmvnXKRfdb8



Re: [Full-disclosure] The Mystery of the Duqu Framework

2012-03-10 Thread Laurelai
On 3/10/12 2:16 PM, William Pitcock wrote:
> On 3/10/2012 9:00 AM, 夜神 岩男 wrote:
>> On 03/10/2012 03:51 AM, f...@deserted.net wrote:
>>
>>> http://www.securelist.com/en/blog/667/The_Mystery_of_the_Duqu_Framework
>>>
>>> Haven't seen this (or much discussion around this) here yet, so I
>>> figured I'd share.
>>>
>>  From the description, it looks like someone pushed some code from a
>> Lisp[1] variant (like Common Lisp, which is preprocesed into ANSI C by
>> GCL, for example, before compilation) into a C++ DLL. Normal in the
>> deper end of Linux dev or Hurd communities, but definitely not standard
>> practice in any established industry that makes use of Windows.
>>
>> I could be wrong, I didn't take the time to walk myself through the
>> decompile with any thoroughness and compare it to code I generate.
>> Anyway, I have no idea the differences between how VC++ and g++ do
>> things -- so my analysis would probably be trash. But from the way the
>> Mr. Soumenkov describes things it seems this, or something similar,
>> could be the case and why the code doesn't conform to what's expected in
>> a C++ binary.
>>
>>
> LISP would refer to specific constructor/destructor vtable entries as
> "cons" and there would be no destructor at all.  The structs use vtables
> which refer to "ctor" and "dtor", which indicates that the vtables were
> most likely generated using a C++ compiler (since that is standard
> nomenclature for C++ compiler symbols).  It pretty much has to be
> Microsoft COM.  The struct layouts pretty much *reek* of Microsoft COM
> when used with a detached vtable (such as if the implementation is
> loaded from a COM object file).  The fact that specific vtable entries
> aren't mangled is also strong evidence of it being Microsoft COM (since
> there is no need to mangle vtable entries of a COM object due to type
> information already being known in the COM object).
>
> If it looks like COM, smells like COM, and acts like COM, then it's
> probably COM.  It certainly isn't "some new programming language" like
> Kaspersky says.  That's just the dumbest thing I've heard this year.
>
> William
>
I think William just told everyone...again.


Re: [Full-disclosure] The Mystery of the Duqu Framework

2012-03-10 Thread Laurelai
On 3/10/2012 9:00 AM, 夜神 岩男 wrote:
> On 03/10/2012 03:51 AM, f...@deserted.net wrote:
>> http://www.securelist.com/en/blog/667/The_Mystery_of_the_Duqu_Framework
>>
>> Haven't seen this (or much discussion around this) here yet, so I
>> figured I'd share.
>  From the description, it looks like someone pushed some code from a 
> Lisp[1] variant (like Common Lisp, which is preprocesed into ANSI C by 
> GCL, for example, before compilation) into a C++ DLL. Normal in the 
> deper end of Linux dev or Hurd communities, but definitely not standard 
> practice in any established industry that makes use of Windows.
>
> I could be wrong, I didn't take the time to walk myself through the 
> decompile with any thoroughness and compare it to code I generate. 
> Anyway, I have no idea the differences between how VC++ and g++ do 
> things -- so my analysis would probably be trash. But from the way the 
> Mr. Soumenkov describes things it seems this, or something similar, 
> could be the case and why the code doesn't conform to what's expected in 
> a C++ binary.
>
> -IY
>
> 1. [Caveat] I say "Lisp" but some other languages come to mind as well; 
> maybe Haskell would come out that way. I'm not sure because I'm most 
> familiar with Lisp and know it can be cobbled with C/C++ without 
> complications because of the way most of its C-based implementations 
> work. Anyway, if I were looking for a lock on how this code was 
> produced, I would ignore C-based languages and focus instead on 
> languages that behave this way natively first, because I think that's 
> the least exotic explanation for the features this segment of code exhibits.
>
Lisp? Are you serious?


Re: [Full-disclosure] The Mystery of the Duqu Framework

2012-03-10 Thread Laurelai
On 3/10/2012 4:36 AM, Sanguinarious Rose wrote:
> Trying to cover up you being "told", that's Cute <3
>
> On Sat, Mar 10, 2012 at 3:34 AM, Laurelai  wrote:
>> On 3/10/2012 4:31 AM, Sanguinarious Rose wrote:
>>
>> Not really, it looks like speculation same as I just admitted my idea
>> was. There is no proof as of yet besides for just a single tweet
>> suggesting an idea much in the same mine just was. Unless someone does
>> the proper research into it, it is just that, 140 chars speculation.
>>
>> Told [x]
>> Not Told [ ]
>>
>> umad?
>>
>> On Sat, Mar 10, 2012 at 3:23 AM, Laurelai  wrote:
>>
>> On 3/10/2012 4:13 AM, Sanguinarious Rose wrote:
>>
>> Yea, I have been thinking on ideas for that as well, I see no one has
>> thought outside the box yet.
>>
>> I would look into OO'ed C (www.planetpdf.com/codecuts/pdfs/ooc.pdf) as
>> being a possibility. Long before in the time when the mighty C++ was
>> young, it was translated to C code for compilation. I have not had the
>> time to dig into it yet to see how you could code it in OO C style
>> code yet. You can implement much of the functionality of OO parts of
>> C++ including virtual functions and other things.
>>
>> Well, these are my thoughts on it. More speculation at the moment but
>> might be of use to someone.
>>
>> On Fri, Mar 9, 2012 at 11:51 AM,   wrote:
>>
>> http://www.securelist.com/en/blog/667/The_Mystery_of_the_Duqu_Framework
>>
>> Haven't seen this (or much discussion around this) here yet, so I figured
>> I'd share.
>>
>> --
>> -Joe.
>>
>>
>> https://twitter.com/#!/nenolod/status/178352865667067904
>>
>> not told [ ]
>> told [x ]
>>
>>
>> Put the crack pipe down.
>>
>>
>> My post was Williams response to Kaspersky, wasn't directed to you. Do try
>> and keep up.
>>
Did you even read the tweet?



Re: [Full-disclosure] The Mystery of the Duqu Framework

2012-03-10 Thread Laurelai
On 3/10/2012 4:31 AM, Sanguinarious Rose wrote:
> Not really, it looks like speculation same as I just admitted my idea
> was. There is no proof as of yet besides for just a single tweet
> suggesting an idea much in the same mine just was. Unless someone does
> the proper research into it, it is just that, 140 chars speculation.
>
> Told [x]
> Not Told [ ]
>
> umad?
>
> On Sat, Mar 10, 2012 at 3:23 AM, Laurelai  wrote:
>> On 3/10/2012 4:13 AM, Sanguinarious Rose wrote:
>>> Yea, I have been thinking on ideas for that as well, I see no one has
>>> thought outside the box yet.
>>>
>>> I would look into OO'ed C (www.planetpdf.com/codecuts/pdfs/ooc.pdf) as
>>> being a possibility. Long before in the time when the mighty C++ was
>>> young, it was translated to C code for compilation. I have not had the
>>> time to dig into it yet to see how you could code it in OO C style
>>> code yet. You can implement much of the functionality of OO parts of
>>> C++ including virtual functions and other things.
>>>
>>> Well, these are my thoughts on it. More speculation at the moment but
>>> might be of use to someone.
>>>
>>> On Fri, Mar 9, 2012 at 11:51 AM,   wrote:
>>>> http://www.securelist.com/en/blog/667/The_Mystery_of_the_Duqu_Framework
>>>>
>>>> Haven't seen this (or much discussion around this) here yet, so I figured
>>>> I'd share.
>>>>
>>>> --
>>>> -Joe.
>>>>
>> https://twitter.com/#!/nenolod/status/178352865667067904
>>
>> not told [ ]
>> told [x ]
>>
>>
>> Put the crack pipe down.
>>
My post was William's response to Kaspersky, wasn't directed to you. Do
try and keep up.

Re: [Full-disclosure] The Mystery of the Duqu Framework

2012-03-10 Thread Laurelai
On 3/10/2012 4:13 AM, Sanguinarious Rose wrote:
> Yea, I have been thinking on ideas for that as well, I see no one has
> thought outside the box yet.
>
> I would look into OO'ed C (www.planetpdf.com/codecuts/pdfs/ooc.pdf) as
> being a possibility. Long before in the time when the mighty C++ was
> young, it was translated to C code for compilation. I have not had the
> time to dig into it yet to see how you could code it in OO C style
> code yet. You can implement much of the functionality of OO parts of
> C++ including virtual functions and other things.
>
> Well, these are my thoughts on it. More speculation at the moment but
> might be of use to someone.
>
> On Fri, Mar 9, 2012 at 11:51 AM,   wrote:
>> http://www.securelist.com/en/blog/667/The_Mystery_of_the_Duqu_Framework
>>
>> Haven't seen this (or much discussion around this) here yet, so I figured
>> I'd share.
>>
>> --
>> -Joe.
>>
https://twitter.com/#!/nenolod/status/178352865667067904


not told [ ]
told [x ]


Put the crack pipe down.

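An added example, not code from the thread, from Duqu, or from any of the posters, showing the layout argued about in William Pitcock's reply earlier on the page (vtable pointer at offset 0, unmangled ctor/dtor slots in a detached table, as in COM) and in the OO'ed C suggestion quoted above. It is plain C with no C++ in it; every struct and function name (Counter, counter_vtbl, COUNTER_VTBL) is hypothetical:

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct Counter;

/* Detached vtable, as in a COM interface: a plain table of function
 * pointers. The ctor/dtor entries are just two more slots; nothing here
 * carries a mangled C++ name, so a decompiler sees only code addresses. */
struct counter_vtbl {
    struct Counter *(*ctor)(struct Counter *self, int start);
    void            (*dtor)(struct Counter *self);
    int             (*add)(struct Counter *self, int n);
    int             (*get)(const struct Counter *self);
};

/* Object layout: vtable pointer first, fields after it. A C++ compiler
 * emits the same shape for a polymorphic class, and a COM object looks
 * the same in memory. */
struct Counter {
    const struct counter_vtbl *vtbl;
    int value;
};

static struct Counter *counter_ctor(struct Counter *self, int start) {
    self->value = start;
    return self;
}
static void counter_dtor(struct Counter *self) { self->value = 0; }
static int counter_add(struct Counter *self, int n) { return self->value += n; }
static int counter_get(const struct Counter *self) { return self->value; }

/* One table shared by every instance (hypothetical name). */
static const struct counter_vtbl COUNTER_VTBL = {
    counter_ctor, counter_dtor, counter_add, counter_get,
};

/* "new": allocate, install the table, then run the constructor through it. */
struct Counter *counter_new(int start) {
    struct Counter *c = calloc(1, sizeof *c);
    if (c == NULL) return NULL;
    c->vtbl = &COUNTER_VTBL;
    return c->vtbl->ctor(c, start);
}

/* "delete": run the destructor through the table, then free. */
void counter_delete(struct Counter *c) {
    if (c == NULL) return;
    c->vtbl->dtor(c);
    free(c);
}

/* What an analyst does with a raw object pointer: read the pointer-sized
 * word at offset 0 and check whether it points at a known table. */
int uses_counter_vtable(const void *obj) {
    const struct counter_vtbl *vt;
    memcpy(&vt, obj, sizeof vt);
    return vt == &COUNTER_VTBL;
}

/* Create, dispatch through the vtable, destroy; returns 42. */
int demo_counter(void) {
    struct Counter *c = counter_new(40);
    int v;
    if (c == NULL) return -1;
    v = c->vtbl->add(c, 2);
    counter_delete(c);
    return v;
}

int main(void) {
    printf("vtable pointer at offset %zu, add is slot %zu, demo = %d\n",
           offsetof(struct Counter, vtbl),
           offsetof(struct counter_vtbl, add) / sizeof(void *),
           demo_counter());
    return 0;
}
```

counter_new installs the table and runs ctor through it, counter_delete runs dtor, and uses_counter_vtable does what an analyst does with an object pointer: read the word at offset 0 and see whether it points at a known table. Since this shape is what a C++ compiler emits for a polymorphic class, what a COM object looks like in memory, and what hand-written OO C produces, the layout on its own cannot settle which explanation is right; the surrounding compiler artifacts are what separate them.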


Re: [Full-disclosure] Stakeout: how the FBI tracked and busted a Chicago Anon

2012-03-08 Thread Laurelai
On 3/8/2012 12:23 PM, Elly_Tran_Ha wrote:
> A few lessons I learned:
>
> 1. Don't use a Mac
> 2. Don't use wireless
> 3. Trust no one.
>
> On Wed, Mar 7, 2012 at 6:09 PM, Ivan .Heca wrote:
>
> "Yesterday, we learned that one of the top members of LulzSec
> (Sabu) had been an FBI informant for almost 6 months,
> and that this confidant of the LulzSec leader 'anarchaos' had
> given the feds what they needed to take him down. More details
> have come out now,
> completing a picture of how the sting took place from start to
> finish. It turns out that even the server space given from Sabu to
> anarchaos storing the details of 30,000 credit cards (from the
> Stratfor hack) had been funded by the FBI."
>
> http://arstechnica.com/tech-policy/news/2012/03/stakeout-how-the-fbi-tracked-and-busted-a-chicago-anon.ars
>
4. Don't declare open cyberwar on the US government.

Re: [Full-disclosure] Full disclosure is arrest of Sabu

2012-03-06 Thread Laurelai
On 3/6/2012 2:24 PM, Ferenc Kovacs wrote:
>
> 2011/7/25 Laurelai Storm <laure...@oneechan.org>
>
> Oh and im not a part of lulzsec, FYI sabu tweeted 2 minutes ago
> wtf are you on about sir?
>
>
> maybe we could resurrect this thread. :)
Sure, let's.

http://gizmodo.com/5890825/lulzsec-leader-betrays-all-of-anonymous

I'm going to paste my favorite part of this article.

6:12:32 PM virus: I don't have proof of him being a snitch, and he
doesn't have proof of me being a snitch. it's my word against his.
6:15:39 PM virus: he disappeared for a week, I don't recall what day
6:15:52 PM virus: but when he returned he said his grand mother died and
that's why he was MIA
6:16:01 PM virus: after that he started offering me money to own people
6:16:14 PM Sam Biddle: anyone important?
6:16:55 PM virus: backtrace security and laurelai
6:17:22 PM virus: he gave me IPs, asked me to access their accounts with
their IP and asked me to access their emails
6:17:25 PM virus: told me he would pay me
6:17:42 PM Sam Biddle: did you?
6:17:53 PM virus: no, I found that to be suspicious and declined

Sabu tried to pay someone to hack me and it didn't work. Sabu also got
caught because he connected to IRC one time with his real IP, so this
proves what I said already: Sabu hated me and I didn't know anything
that the feds didn't already. For a supposed ring leader of a group of
"master cyber terrorists", as the feds like to paint them, they couldn't
take down one loud mouthed trans woman on the internet. Hell, even their
DDoS against my imageboard failed and I didn't even have Cloudflare.


And speaking of backtrace security here is Jen giving away government
secrets to win internet points on reddit

http://imgur.com/a/0g9VG

Looks like Jen can't be trusted by anon or the feds.

Re: [Full-disclosure] Anon war?- arrests

2012-02-29 Thread Laurelai
On 2/29/2012 8:45 AM, Christian Sciberras wrote:
> "And we'd like to add that we are not crooks." - Anonymous.
>
>
>
popcorn.gif

Re: [Full-disclosure] Eleventh Circuit Finds Fifth Amendment Right Against Self Incrimination Protects Against Being Forced to Decrypt Hard Drive Contents

2012-02-27 Thread Laurelai
On 2/27/2012 12:11 PM, valdis.kletni...@vt.edu wrote:
> On Mon, 27 Feb 2012 01:38:56 MST, Sanguinarious Rose said:
>> This isn't anything new
> Yeah, the decision was released all the way back on Feb 23, four whole days
> ago, that's practically last century in Internet time...
>
> So tell me - what's your definition of "new" (obviously significantly less 
> than 4 days),
> and how does it affect threads on F-D that last longer than 4 days?
>
>
>
>
not told [ ]
Told [x]


oh snap

[Full-disclosure] Eleventh Circuit Finds Fifth Amendment Right Against Self Incrimination Protects Against Being Forced to Decrypt Hard Drive Contents

2012-02-26 Thread Laurelai
http://www.ca11.uscourts.gov/opinions/ops/201112268.pdf



Re: [Full-disclosure] PHP Gift Registry 1.5.5 SQL Injection

2012-02-24 Thread Laurelai
On 2/24/2012 3:21 PM, ctrun...@christophertruncer.com wrote:
> You only gave them two days to respond?
>
>
> Chris
>
>
>
> On 24.02.2012 08:08, Thomas Richards wrote:
>> # Exploit Title: PHP Gift Registry 1.5.5 SQL Injection
>> # Date: 02/22/12
>> # Author: G13
>> # Software Link: https://sourceforge.net/projects/phpgiftreg/
>> # Version: 1.5.5
>> # Category: webapps (php)
>> #
>>
>> # Vulnerability #
>>
>> The userid parameter in the users.php file is vulnerable to SQL 
>> Injection.
>>
>> A user must be signed in to exploit this.
>>
>> # Vendor Notification #
>>
>> 02/22/12 - Vendor Notified
>> 02/24/12 - No response, disclosure
>>
>> # Exploit #
>>
>> http://localhost/phpgiftreg/users.php?action=edit&userid=[SQLi]
>>
Pretty sure this project is dead; the last update to it was made
2009-03-12 (see http://sourceforge.net/projects/phpgiftreg/files/ ), so
anyone using it at this point needs to switch to another
product.

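The two advisories quoted above (phpMyBible's reflected XSS in the version and chapter parameters, and PHP Gift Registry's SQL injection in userid) share one root cause: a request parameter reaches page output or a query with no validation or encoding. What follows is an added example, not code from either project, of the two checks that close such bugs, written in C so the page's examples stay in one language (in PHP the same steps are ctype_digit() or an (int) cast for numeric parameters, htmlspecialchars() for output, and prepared statements for any non-numeric value used in a query). Function names and buffer sizes are hypothetical, and the inputs in main are constructed:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Accept only a positive decimal integer, the shape a ?chapter= or
 * ?userid= value must have. "3 OR 1=1" and "<script>" both fail here,
 * so they never reach a query or a page. (A non-numeric parameter needs
 * a parameterized query instead; validation alone is not enough there.) */
int parse_index_param(const char *s, long *out) {
    long v = 0;
    if (s == NULL || *s == '\0' || strlen(s) > 9) return 0;  /* bound the magnitude */
    for (; *s; s++) {
        if (*s < '0' || *s > '9') return 0;
        v = v * 10 + (*s - '0');
    }
    if (v < 1) return 0;
    *out = v;
    return 1;
}

/* Escape the five HTML-significant characters so a reflected string such
 * as ?version= is rendered as text, never parsed as markup. Returns the
 * output length, or -1 if out is too small (the caller then refuses to
 * render rather than emitting a truncated, possibly unbalanced string). */
int html_escape(const char *in, char *out, size_t outsz) {
    size_t used = 0;
    if (in == NULL || out == NULL || outsz == 0) return -1;
    for (; *in; in++) {
        char one[2] = { *in, '\0' };
        const char *rep;
        size_t n;
        switch (*in) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        n = strlen(rep);
        if (used + n + 1 > outsz) return -1;
        memcpy(out + used, rep, n);
        used += n;
    }
    out[used] = '\0';
    return (int)used;
}

/* Hardened form of the index.php?version=..&chapter=.. view: chapter is
 * validated, version is escaped, and on bad input the handler returns 0
 * and renders nothing instead of echoing the parameter back. */
int render_chapter_heading(const char *version, const char *chapter,
                           char *out, size_t outsz) {
    long ch;
    char safe_version[256];
    int n;
    if (!parse_index_param(chapter, &ch)) return 0;
    if (html_escape(version, safe_version, sizeof safe_version) < 0) return 0;
    n = snprintf(out, outsz, "<h1>%s, chapter %ld</h1>", safe_version, ch);
    if (n < 0 || (size_t)n >= outsz) return 0;
    return 1;
}

int main(void) {
    char page[512];
    /* Constructed inputs: the advisory's [XSS] placeholder made concrete. */
    if (render_chapter_heading("KJV<script>alert(1)</script>", "3", page, sizeof page))
        puts(page);
    if (!render_chapter_heading("KJV", "3 OR 1=1", page, sizeof page))
        puts("rejected: chapter is not a positive integer");
    return 0;
}
```

render_chapter_heading refuses to render on bad input rather than echoing a cleaned-up guess. The escape covers the five characters that can end an HTML text node or a quoted attribute value, which is sufficient for those two contexts; a parameter placed inside a script block or a URL needs that context's own encoder.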

Re: [Full-disclosure] Arbitrary DDoS PoC

2012-02-14 Thread Laurelai
On 2/14/2012 2:58 PM, Sanguinarious Rose wrote:
> I do not understand why you are wasting time on an obvious troll to
> downright, and I don't normally call people names but he well deserves
> it, a retard. I think I ironically illustrated the fundamental flaw in
> that you can't possibly generate more bandwidth by using proxies for
> the python code provided due to it violates the laws of physics
> (literally). In fact, if we want to be technical, we could say it is
> less effective due to the handshake required to initiate the proxy
> connection in fact decreasing efficiency of input compared to input.
> If there was something besides making lots of proxy request there
> might be something there but it, in fact, has nothing.
>
> Taking into account THN retweeted his FD post and his obvious
> inability to understand why everyone is not taking him seriously I
> have concluded he is just trying to seek fame and fortune passing off
> as some kind of sec expert. Maybe get some brownie points with the
> skiddie crowd who wouldn't know better. Throwing fancy terms and
> pretending to know what they are talking about doesn't work up against
> real researchers who understand what they are doing. Poorly written
> scripts also do not impress anyone here considering that I could just
> put into google "HTTP Proxy Flooder" and a find superior equivalent
> (Even with Point and Click!).
>
> To this effect, I propose we look into Unicorns as a possible
> unconventional medium of DDoS due to their mythical properties in a
> network environment over-ruled by Pink Lepricons.
>
> Conclusion: Christian Magick.
>
> On Tue, Feb 14, 2012 at 10:19 AM, Gage Bystrom  
> wrote:
>> If the design is broken than the implementation is broken. Have you READ
>> your own source code? Do you understand what its actually doing? Rhetorical
>> questions of course but still.
>>
>> Your poc calls curl multiple times via a list of proxies. No more, no less.
>> If you are going to claim that such a thing is an effective general
>> technique YOU have to back up that claim, not me or anyone else on this
>> list. I never bothered running it because anyone who read that simple python
>> code(which was a good thing its simple), can understand what it is doing,
>> and do a mental comparison to what they previously knew about the subject of
>> dos. Your poc does not demonstrate anything new, it demonstrates existing
>> knowledge that is generally known to not be an effective method for dosing
>> for all the reasons I explained in my previous mails.
>>
>> I think its quite pedantic of you to only criticize me for calling out the
>> ineffectiveness of your poc. You did not address anything I or anyone else
>> said about your claim. If you think I am wrong or mistaken in my personal
>> assessment of your claim than you are the one who must show how and why to
>> defend your claim. Belittling someone who criticizes you is not
>> professional, not productive, does not give strength to your claim, and does
>> not make you right.
>>
>> The end of the line is I don't care what you claim your code does, I care
>> about what the code does, and your code is not an effective general
>> technique for denial of service attacks.
>>
>> On Feb 13, 2012 8:48 PM, "Lucas Fernando Amorim" 
>> wrote:
>>> I could argue that an attack targeted at a service, especially HTTP, is
>>> not measured by the band, but the requests, especially the heavier, could
>>> argue that a technique is the most inherent characteristic of multiple
>>> sources of traffic and still relying on trust. I could still say that is an
>>> implementation that relates only to say - Look, it exists!, I could still
>>> prolong explaining about overheads, and using about the same time many sites
>>> that make the requests, thus reducing the wake of a failure, even if you say
>>> easily diagnosable.
>>>
>>> But I'd rather say that it is actually very pedantic of you label
>>> something as inefficient, especially when not done a single test, only the
>>> pedantic observation of someone whose interests it is reprehensible. I will
>>> not say you're one of those, but this is really an attitude typical of this
>>> kind, which is certainly not a hacker. Thanks to people like that, do not
>>> know if you like, there are many flaws yet to be explored.
>>>
>>> If anyone wants more information, obviously I will ask to send an email or
>>> call me to give a presentation, I will not think about anything. My goal in
>>> was invited researchers to study DDoS on this model, because anytime someone
>>> can direct thousands to generate a network congestion.
>>>
>>>
>>> On 13-02-2012 11:17, Gage Bystrom wrote:
>>>
>>> Uhh...looks pretty standard, boss. You aren't going to DoS a halfway decent
>>> server with that using a single box. Sending your request through multiple
>>> proxies does not magically increase the resource usage of the target; it's
>>> still your output power vs their input pipe. Sure it gives a slight boost in
>>>

Re: [Full-disclosure] when did piracy/theft become expression of freedom

2012-01-28 Thread Laurelai
On 1/28/2012 6:55 PM, Christian Sciberras wrote:
>> Actually, *most* bands that make money do so off the concert tours - tickets
>> and T-shirts are where the actual money is at, not the album sales.
> So why bother with album sales in the first place?
>
> This is the same with free/commercial software. At the end of the day
> the creator decides
> the sales strategy.
>
>
> The only thing I can see in this is that the recording industry really
> needs to grow up
> to the times, but piracy is not a solution nor the means to one, just
> like DDoSing facebook
> is not the means to the removal of a certain bill/law (arguably, to
> the contrary).
>
> The recording companies have every right to retaliate just as the FBI
> has every right to
> arrest suspects involved in these childish acts.
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
"The reasonable man adapts himself to the world: the unreasonable one
persists to adapt the world to himself. Therefore all progress depends
on the unreasonable man."
-- George Bernard Shaw, Man and Superman

Re: [Full-disclosure] when did piracy/theft become expression of freedom

2012-01-28 Thread Laurelai
On 1/28/2012 3:36 PM, Christian Sciberras wrote:
> Sadly you can't download routers and internet connections...especially
> without an internet connection.
>
> But I suppose you could be the regular joe and steal from your
> neighbours' bandwidth (it's a human right, remember? your
> neighbour doesn't have a right to keep the internets to himself!!!).
>
> /rant
>
>
>
>
> On Sat, Jan 28, 2012 at 10:33 PM, Laurelai <laure...@oneechan.org> wrote:
>
> On 1/28/2012 3:13 PM, Julius Kivimäki wrote:
>> Of course I wouldn't, downloading a car would be like stealing a car.
>> Piracy is horrible and all the boats used by the pirate scum
>> should be taken away.
>>
>>
>> 2012/1/28 Laurelai <laure...@oneechan.org>
>>
>> On this topic I saw this
>> https://thepiratebay.org/torrent/6960965/1970_Chevelle_Hot-Rod_3d_model
>> The real question is: would you download a car if you could?
>>
>>
>>
> If you took away their boats they would just download more...duh.
>
>
>
There are always public hotspots; hell, even McDonald's has them now.

Re: [Full-disclosure] when did piracy/theft become expression of freedom

2012-01-28 Thread Laurelai
On 1/28/2012 3:13 PM, Julius Kivimäki wrote:
> Of course I wouldn't, downloading a car would be like stealing a car.
> Piracy is horrible and all the boats used by the pirate scum should be
> taken away.
>
> 2012/1/28 Laurelai <laure...@oneechan.org>
>
> On this topic I saw this
> https://thepiratebay.org/torrent/6960965/1970_Chevelle_Hot-Rod_3d_model
> The real question is: would you download a car if you could?
>
>
>
If you took away their boats they would just download more...duh.

Re: [Full-disclosure] when did piracy/theft become expression of freedom

2012-01-28 Thread Laurelai
On this topic I saw this
https://thepiratebay.org/torrent/6960965/1970_Chevelle_Hot-Rod_3d_model
The real question is: would you download a car if you could?



Re: [Full-disclosure] when did piracy/theft become expression of freedom

2012-01-27 Thread Laurelai
On 1/27/2012 12:06 PM, Michael Schmidt wrote:
>
> You want to be very careful with that line of thought. You are taking
> from the creator, the rightful owner, the profits which they are entitled to if
> it is a product they created to be sold. You are confusing what you
> want -- with what the law states. Theft is typically very widely
> defined in the law, not just what the dictionary states.
>
>  
>
> When you make a copy, you are performing a step that the manufacturer
> takes with physical products. Just because copying software is easy
> does not mean the laws are so cut and dried around what is theft and
> what is not. If you take something by making yourself a copy, when the
> producer is the only authorized authority to make copies then you have
> committed theft.
>
>  
>
> You also cannot steal electricity, check out "Abstracting
> Electricity", but bypassing the meter is wrong in most jurisdictions.
>
>  
>
> In the US you can be arrested and charged for riding in a stolen car,
> even if you really didn't know it was stolen, known as "taking without
> consent" or TWOC.
>
>  
>
> In some jurisdictions you can be arrested and charged for "going
> equipped for burglary", meaning you have implements of the trade on you --
> crowbars, lock picks etc. So I suppose in the US we are fortunate that
> having a copy of some previously defined hacking tools on a computer
> in our possession will not get us arrested -- yet.
>
>  
>
> The more you know...
>
>  
>
>  
>
> *From:*full-disclosure-boun...@lists.grok.org.uk
> [mailto:full-disclosure-boun...@lists.grok.org.uk] *On Behalf Of *Laurelai
> *Sent:* Friday, January 27, 2012 12:51 AM
> *To:* full-disclosure@lists.grok.org.uk
> *Subject:* Re: [Full-disclosure] when did piracy/theft become
> expression of freedom
>
>  
>
> On 1/27/2012 2:24 AM, Jerry dePriest wrote:
>
> I'm going to the 'Benz dealer in the morning to express my 1st
> amendment right...
>
>  
>
> The Somalians are learning the hard way that it just isn't so...
>
>  
>
> bma
>
>
>
>
>
> Piracy: an act of robbery or criminal violence at sea
>
> Theft:  the illegal taking of another person's property without that
> person's permission or consent with the intent to deprive the rightful
> owner of it
>
> Software copying: Occurs neither on the high seas and does not deprive
> the rightful owner of it.
>
>
> The more you know.
>
Yeah and the US is becoming a police state, so using US law as examples
of morality is pretty shaky ground.

Re: [Full-disclosure] Fw: when did piracy/theft become expression of freedom

2012-01-27 Thread Laurelai

On 1/27/12 4:12 AM, Jerry dePriest wrote:
Software "piracy" has been around forever. I remember copying punch
cards. It took forever and if you made one mistake hours of work were
down the tubes. I had an Apple II that we used "Disk Pirate" 1-11 to
copy games, Peachtree accounting software, etc. In the time it took
to load the 5 1/4" floppy you could make a copy. From that you could
make as many copies as you deemed fit. I must have made $100 from Dig
Dug alone.
Then came CAD or ? with a software "lock"; it was a piece of hardware
that connected to a serial port on your computer. Without the lock the
software was dead. You were free to use the software on any computer
but you had to have the lock. More computers, simply buy more locks. It
has been so long I forget the details but it was effective. If you
tried to reverse engineer the "lock" you rendered it dead. No one
wanted to buy the locks so it went with the dodo...
In this day and age piracy is simply a game that is quite profitable.
We used to copy and share over BBSs or even mail each other copies.
Shareware was the cat's ass. Now I have to buy a new OS every frickin'
year. New version of Office, Photoshop, etc. Frick that! I love Win
98SE, it still serves my purpose. I love Win 2k Pro, it serves my
purpose. Vista, Win 7, Mac OSes... Crap, pure crap. Photoshop 5 does
all I need. Office 97 works great and has a nifty flight sim in it.
Win 7 is still frickin' DOS... I still have my copies of DOS versions
3-6.2 and they serve their purpose.
Do I use DVD Decrypter? Yes. DVD Shrink? Hell yes. Do I sell the
copies or profit from it? Whenever I can. Boldly doing it over the
internet is just stupid and anyone who does it deserves the full penalty.

bma
- Original Message -
*From:* Jerry dePriest 
*To:* full-disclosure@lists.grok.org.uk 


*Sent:* Friday, January 27, 2012 2:24 AM
*Subject:* [Full-disclosure] when did piracy/theft become expression 
of freedom


I'm going to the 'Benz dealer in the morning to express my 1st
amendment right...

The Somalians are learning the hard way that it just isn't so...
bma






Except that you just posted about it in public on the internet...

Re: [Full-disclosure] when did piracy/theft become expression of freedom

2012-01-27 Thread Laurelai
On 1/27/2012 3:29 AM, Vipul Agarwal wrote:
> Let's keep FD and Reddit apart!
>
> Regards,
> Vipul
>
> Sent from my HTC
>
> - Reply message -
> From: "Kai" 
> To: 
> Subject: [Full-disclosure] when did piracy/theft become expression of
> freedom
> Date: Fri, Jan 27, 2012 09:15
>
>
> Hello,
>
> http://img256.imageshack.us/img256/2527/1282302008370.jpg
>
> know the difference.
>
> -- 
> Cheers,
>
> Kai
>
>
>
Posting to /r/netsec now...

Re: [Full-disclosure] when did piracy/theft become expression of freedom

2012-01-27 Thread Laurelai
On 1/27/2012 3:01 AM, Robert Kim App and Facebook Marketing wrote:
> HAHAHAA...
>
> Well... it's hard to convince people that data piracy is the same as
> physical piracy! They think that if they CAN do something... they have
> the RIGHT to DO IT!
>
> As a content producer... I can't stand this sense of entitlement...
> but oh well... I've just gotta transform with the times I guess!
>
> On Fri, Jan 27, 2012 at 5:51 PM, Laurelai <laure...@oneechan.org> wrote:
>
> On 1/27/2012 2:24 AM, Jerry dePriest wrote:
>> I'm going to the 'Benz dealer in the morning to express my 1st
>> amendment right...
>>
>> The Somalians are learning the hard way that it just isn't so...
>>  
>> bma
>>
>>
>
> Theft:  the illegal taking of another person's property without
> that person's permission or consent with the intent to deprive the
> rightful owner of it
>
> Software copying: Occurs neither on the high seas and does not
> deprive the rightful owner of it.
>
>
> The more you know.
>
>
> -- 
> Robert Q Kim
> Technical Chinese Korean English Translator
> http://www.youtube.com/watch?v=QozAHbUS-VU 
> 2611 S Coast Highway
> San Diego, CA 92007
> 310 598 1606
Let's not kid ourselves here, you all would download a car if you could
and you know it ;)


That being said, I would prefer people *widely use* my software and
donate money to me if they think it's worth something; the Humble Indie
Bundle's profits are telling in this case. Perhaps if content producers
would change their business model to adapt to modern times instead of
trying to force the world to live in the past, software copying wouldn't
be so popular.

Re: [Full-disclosure] when did piracy/theft become expression of freedom

2012-01-27 Thread Laurelai
On 1/27/2012 2:24 AM, Jerry dePriest wrote:
> I'm going to the 'Benz dealer in the morning to express my 1st
> amendment right...
>
> The Somalians are learning the hard way that it just isn't so...
>  
> bma
>
>
Piracy: an act of robbery or criminal violence at sea

Theft:  the illegal taking of another person's property without that
person's permission or consent with the intent to deprive the rightful
owner of it

Software copying: Occurs neither on the high seas and does not deprive
the rightful owner of it.


The more you know.

Re: [Full-disclosure] UFC.com

2012-01-23 Thread Laurelai

On 1/23/12 9:43 AM, Julius Kivimäki wrote:
Oh god, my linux server buried underground with five feet of concrete 
just got rooted. This box has no internet connection, coincidence? I 
think not.

(Also I'm a derpcat and can't into mailinglists with gmail)
2012/1/23 Laurelai <laure...@oneechan.org>

On 1/23/12 9:34 AM, Julius Kivimäki wrote:

He is a god-tier hecker, like better than Chippy1337. ICMP remote
root 0day imo.

2012/1/23 Laurelai <laure...@oneechan.org>

On 1/23/12 7:14 AM, Ian Hayes wrote:
> On Mon, Jan 23, 2012 at 4:37 AM, Julius Kivimäki
> <julius.kivim...@gmail.com> wrote:
>> Wat
>>
>>
>> 2012/1/23 RandallM <randa...@fidmail.com>
>>> Piracy retaliation taken on UFC.com
>>>
>>> Pinging ufc.com [50.116.87.24] with 32 bytes of data:
>>>
>>> Reply from 50.116.87.24: bytes=32 time=48ms TTL=52
>>> Reply from 50.116.87.24: bytes=32 time=49ms TTL=52
>>> Reply from 50.116.87.24: bytes=32 time=48ms TTL=52
>>> Reply from 50.116.87.24: bytes=32 time=48ms TTL=52
>>>
>>> http://network-tools.com/default.asp?prog=dnsrec&host=ufc.com
> It's a one man crime wave!
>
Look out, he's got ping! Hide your servers!




Truly a god among blackhats has graced the mailing list.



no u r a derpcat

Re: [Full-disclosure] UFC.com

2012-01-23 Thread Laurelai

On 1/23/12 9:34 AM, Julius Kivimäki wrote:
He is a god-tier hecker, like better than Chippy1337. ICMP remote root 
0day imo.


2012/1/23 Laurelai <laure...@oneechan.org>

On 1/23/12 7:14 AM, Ian Hayes wrote:
> On Mon, Jan 23, 2012 at 4:37 AM, Julius Kivimäki
> <julius.kivim...@gmail.com> wrote:
>> Wat
>>
>>
>> 2012/1/23 RandallM <randa...@fidmail.com>
>>> Piracy retaliation taken on UFC.com
>>>
>>> Pinging ufc.com [50.116.87.24] with 32 bytes of data:
>>>
>>> Reply from 50.116.87.24: bytes=32 time=48ms TTL=52
>>> Reply from 50.116.87.24: bytes=32 time=49ms TTL=52
>>> Reply from 50.116.87.24: bytes=32 time=48ms TTL=52
>>> Reply from 50.116.87.24: bytes=32 time=48ms TTL=52
>>>
>>> http://network-tools.com/default.asp?prog=dnsrec&host=ufc.com
> It's a one man crime wave!
>
Look out, he's got ping! Hide your servers!




Truly a god among blackhats has graced the mailing list.

Re: [Full-disclosure] UFC.com

2012-01-23 Thread Laurelai
On 1/23/12 7:14 AM, Ian Hayes wrote:
> On Mon, Jan 23, 2012 at 4:37 AM, Julius Kivimäki
>   wrote:
>> Wat
>>
>>
>> 2012/1/23 RandallM
>>> Piracy retaliation taken on UFC.com
>>>
>>> Pinging ufc.com [50.116.87.24] with 32 bytes of data:
>>>
>>> Reply from 50.116.87.24: bytes=32 time=48ms TTL=52
>>> Reply from 50.116.87.24: bytes=32 time=49ms TTL=52
>>> Reply from 50.116.87.24: bytes=32 time=48ms TTL=52
>>> Reply from 50.116.87.24: bytes=32 time=48ms TTL=52
>>>
>>> http://network-tools.com/default.asp?prog=dnsrec&host=ufc.com
> It's a one man crime wave!
>
Look out, he's got ping! Hide your servers!



Re: [Full-disclosure] Rate Stratfor's Incident Response

2012-01-13 Thread Laurelai
On 1/13/12 1:24 PM, Paul Schmehl wrote:
> --On January 13, 2012 12:03:22 PM -0500 Benjamin Kreuter
>   wrote:
>
>> On Fri, 13 Jan 2012 10:37:31 -0600
>> Paul Schmehl  wrote:
>>
>>> --On January 12, 2012 3:16:19 PM -0500 Benjamin Kreuter
>>>   wrote:
>>>
 The law is not going to stop the really bad people
 from attacking your system, nor is it going to stop them from
 profiting from whatever access they gain; sending law enforcement
 after someone who reports problems to you accomplishes little and
 only discourages people who might try to help you.

>>> Assuming everyone's motives are as pure as the driven snow is a bit
>>> naive, don't you think?
>> Are there lingering doubts about the motives of someone who is
>> reporting a vulnerability to you?  They could have just profited from
>> their discovery and never bothered to tell you.  In any case, what have
>> you accomplished by sending the cops after *someone who is helping you*?
>>
> Unless you're a complete fool, yes.  You say you're helping me, but you
> broke in to my server.  How do I know you didn't help yourself to a
> permanent back door?
>
> Again, it's naive to think that most people are motivated purely by a
> desire to help others, especially when they are actively intruding into
> other people's assets.
>
> YOU might say thank you, but I'll be taking the server offline, grabbing
> forensic images and rebuilding it long before I get around to saying thank
> you.
>
Well, just remember they could have *not* told you and helped themselves
to a backdoor. If they wanted to backdoor you they probably wouldn't have
told you.



Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-12 Thread Laurelai

On 1/12/12 2:00 PM, Elazar Broad wrote:
"Sounds like this industry could benefit from these kids even more 
since they are driving home the points you all are supposed to be 
warning them about."


That's because these kids don't have mouths to feed and a paycheck to 
worry about. Ethics and ethos are all very nice when you have nothing 
to lose, all to gain and no one depending on you...


On Thursday, January 12, 2012 at 4:43 AM, Laurelai 
 wrote:


On 1/12/12 3:34 AM, doc mombasa wrote:

I don't know if you ever worked for a big corporate entity?
Like Kovacs wrote, it's not about whether you can do it or not
as an employee; it's more about if your manager allows you the
time to do it.
Pentesting doesn't change anything on the profits Excel sheet.
We can agree it looks bad when shit happens, but they usually
don't think that far ahead.
I tried once reporting a very simple SQL injection flaw to my
manager and including a proposed fix which would take all of 5
minutes to implement.
18 months went by before that flaw was fixed because there was
no profit in allocating resources to fix it,
and that webapp was the #1 money generator for that company.

On 12 Jan 2012 10:29, Laurelai wrote:

On 1/12/12 3:27 AM, doc mombasa wrote:

Just one question:
why should they hire the "skiddies" if most of them
only know how to fire up sqlmap or whatever current
app is hot right now?
Doesn't really seem like enough reason to hire anyone.
Besides, I'm not buying the whole "they do it because
they are angry at society" plop.
I've been there.. they do it for the lulz.

On 11 Jan 2012 06:18, Laurelai wrote:

On 1/10/12 10:18 PM, Byron Sonne wrote:
>> Don't piss off a talented adolescent with computer skills.
> Amen! I love me some stylin' pwnage :)
>
> Whether they were skiddies or actual hackers, it's still amusing (and
> frightening to some) that companies who really should know better, in
> fact, don't.
>
And again, if companies hired these people, most of whom come from
disadvantaged backgrounds and are self-taught, they wouldn't have as much
of a reason to be angry anymore. Most of them feel like they don't have any
real opportunities for a career and they are often right. Microsoft
hired some kid who hacked their network; it is a safe bet he isn't going
to be causing any trouble anymore. Talking about the trust issue, who
would you trust more: the person who has all the certs and experience
that told you your network was safe, or the 14 year old who proved him
wrong? We all know if that kid had approached Microsoft with his exploit
in a responsible manner they would have outright ignored him; that's why
this mailing list exists, because companies will ignore security issues
until it bites them in the ass to save a buck.

People are way too obsessed with having certifications that don't
actually teach practical intrusion techniques. If a system is so fragile
that teenagers can take it down with minimal effort then there is a
serious problem with the IT security industry. Think about it: how long
has SQL injection been around? There is absolutely no excuse for being
vulnerable to it. None whatsoever. These kids are showing people the
truth about the state of security online and that is what's making people
afraid of them. They aren't writing 0-days every week, they are using
vulnerabilities that are publicly available. Using tools that are
publicly available, tools that were meant to be used by the people
protecting the systems. Clearly the people i

Re: [Full-disclosure] Rate Stratfor's Incident Response

2012-01-12 Thread Laurelai
On 1/12/12 11:21 AM, Ian Hayes wrote:
> On Wed, Jan 11, 2012 at 9:57 AM, Benjamin Kreuter  
> wrote:
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA512
>>
>> On Tue, 10 Jan 2012 21:39:07 -0800
>> Ian Hayes  wrote:
>>
>>> On Tue, Jan 10, 2012 at 9:18 PM, Laurelai
>>> wrote:
>>>> On 1/10/12 10:18 PM, Byron Sonne wrote:
>>>>>> Don't piss off a talented adolescent with computer skills.
>>>>> Amen! I love me some stylin' pwnage :)
>>>>>
>>>>> Whether they were skiddies or actual hackers, it's still amusing
>>>>> (and frightening to some) that companies who really should know
>>>>> better, in fact, don't.
>>>>>
>>>> And again, if companies hired these people, most of whom come from
>>>> disadvantaged backgrounds and are self taught they wouldn't have as
>>>> much a reason to be angry anymore. Most of them feel like they
>>>> don't have any real opportunities for a career and they are often
>>>> right.
>>> [citation needed]
>>>
>>>> Microsoft hired some kid who hacked their network, it is a safe bet
>>>> he isn't going to be causing any trouble anymore.
>>> Are you proposing that we reward all such behavior with jobs? I've
>>> always wanted to be a firefighter. Forget resumes, job applications
>>> and interviews, I'm going to set people's houses on fire.
>> No, it is more like you see a house on fire, call 911, then clear the
>> road so that firefighters can get to the house.  You know, someone who
>> is helping the professionals do their job?
> Yes. But by Larueli's logic, since I know how to use a Bic lighter,
> I'm infinitely more qualified than a trained firefighter. By setting
> fire to other people's houses, I'm announcing my intention to join
> their ranks, and deserve a job at the nearest station. Never mind that
> 20 people died and hundreds of thousands of dollars of property
> damage - if the firemen were true professionals, they would have made
> the houses completely fireproof a long time ago, or at the very least
> responded and put out the fire before any real damage was done.
>
> Plus, I have a Zippo, which makes me uber-leet.

*Laurelai* I know it's a strange spelling but it is spelled correctly in
my email address, and it's that, not that. Committing arson is not
comparable to a digital intrusion: no lives are lost, and any enterprise
system worth speaking of has backup systems so very little real damage
is done; the most damage that occurs is to their reputation, it injures
people's pride and causes humiliation. The people being humiliated have
created reputations as experts in infosec, reputations that, as is being
shown, they don't deserve. Let's be honest here: if it wasn't anon/antisec
doing it someone else would have eventually (perhaps they already were)
and they probably wouldn't have made the incident public; they would
have just quietly stolen user data and credit card information and sold
them off to the highest bidder for as long as they possibly could. Or
used stolen credentials to gain access to even more data. You seem to be
missing the point that anon/antisec is, for the most part, using methods
that are simple attacks that any company has absolutely no excuse to be
vulnerable to. This is more like owning a large store and leaving the
doors unlocked at night and finding that some kids walked in and put all
of your stock outside of the store and pinned your internal finance
documents that show you have been embezzling to the windows, plus they
drew penises on the pictures in your office just to pour salt on the
wound. In this case you have nobody to blame but yourself. My suggestion
that they should hire these kids was meant to imply that as bad as they
are they probably are more ethical than the people they are attacking,
since they aren't storing all sorts of sensitive user data in plain text
and telling people it's all safe.
>>> By your
>>> logic, an arsonist is not only the best person to combat other
>>> arsonists, but due to his obviously unique insight into the nature of
>>> fire, simply must know how best to fight a fire as opposed to someone
>>> who went to school for years to learn the trade.
>> Unless you are going to give me a proof that no attack on my network
>> could be successful, you need people who can find their way through the
>> cracks to evaluate the efficacy of your security system.  If the people
>> you already hired to maintain your security are not able to identify
>> threats and design systems that are resilient to those thr

Re: [Full-disclosure] Rate Stratfor's Incident Response

2012-01-12 Thread Laurelai

On 1/12/12 11:12 AM, valdis.kletni...@vt.edu wrote:

On Wed, 11 Jan 2012 12:57:48 EST, Benjamin Kreuter said:


The problem is that we have criminalized too much here.  If some 14
year old comes to you and hands you supposedly secret documents, he is
behaving very ethically -- he is telling you that you have a
vulnerability, rather than simply trying to sell your secrets to a
competitor.  That sounds like a person who can be trusted to work for
you -- someone who could have easily betrayed you, but did not, and who
knew when and how to do the right thing.

No, the person I *want* to hire doesn't come to me with a secret document,
he comes to me and says "There's a hole in this web page that will leak
secret documents, but I didn't actually download one to fully verify it".


And if they do that they will get told "Well, how do you know it will
actually leak secret documents since you didn't verify that it actually
leaks them? Stop wasting our time." We have all seen companies ignore
vulnerabilities because the company claimed it was not exploitable when
it was. Right now the FBI is claiming that they knew about the Stratfor
hack and had informed people that their personal data was compromised,
but we know this isn't true because live credit cards from the data leak
were actually used after it became public, so again, who are you going to
trust: the people who have been proven over and over to lie to the public
about the state of their security, or the people showing the world they
are liars?

The people who are going to attack your system and then sell your
secrets on the black market are people who are not going to think in
the structured way that your engineers think.  They are going to do
things that your IT staff did not expect anyone to do.  They are going
to do things your IT staff did not even think about.  If the people in
your organization were not creative enough to do what the teenage
hacker did, then the teenage hacker has skills that are missing from
your team -- which can be restated as the teenager is someone you
should hire.

No, it can be restated as "you want to hire someone with a skillset similar
to that teenager".

Would you hire that teenager to take several tens of thousands of cash to the
bank unescorted?  No?  Then why are you hiring them into a position where
they'll have basically unescorted access to similar amounts of valuables?


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-12 Thread Laurelai

On 1/12/12 3:54 AM, doc mombasa wrote:
And you are obviously blindly stuck on a point and have no idea how it
actually works out there in "the real world".

In small companies you have the freedom and ability to execute;
in big companies, not so much...

On 12 Jan 2012 at 10:52, Laurelai <laure...@oneechan.org> wrote:


On 1/12/12 3:47 AM, doc mombasa wrote:

OK, obviously you never worked for a big corporate entity :)
Sure, standing up to them is fine.
After shouting about the bug for 4 months I thought, bah, why bother,
it's their asses not mine.
Just going in and fixing a bug without the mandate is usually not a good
idea (if you want to keep your job so you can pay your bills, that is...).

On 12 Jan 2012 at 10:41, Laurelai <laure...@oneechan.org> wrote:

On 1/12/12 3:34 AM, doc mombasa wrote:

I don't know if you ever worked for a big corporate entity?
Like Kovacs wrote, it's not about whether you can do it or not as an
employee, it's more about if your manager allows you the time to do it.
Pentesting doesn't change anything on the profits Excel sheet.
We can agree it looks bad when shit happens but they usually don't think
that far ahead.
I tried once reporting a very simple SQL injection flaw to my manager
and including a proposed fix which would take all of 5 minutes to
implement.
18 months went by before that flaw was fixed because there was no profit
in allocating resources to fix it, and that webapp was the #1 money
generator for that company.

On 12 Jan 2012 at 10:29, Laurelai <laure...@oneechan.org> wrote:

On 1/12/12 3:27 AM, doc mombasa wrote:

Just one question:
why should they hire the "skiddies" if most of them only know how to
fire up sqlmap or whatever current app is hot right now?
Doesn't really seem like enough reason to hire anyone.
Besides, I'm not buying the whole "they do it because they are angry at
society" plop.
I've been there... they do it for the lulz.

On 11 Jan 2012 at 06:18, Laurelai <laure...@oneechan.org> wrote:

On 1/10/12 10:18 PM, Byron Sonne wrote:
>> Don't piss off a talented adolescent with computer skills.
> Amen! I love me some stylin' pwnage :)
>
> Whether they were skiddies or actual hackers, it's still amusing (and
> frightening to some) that companies who really should know better, in
> fact, don't.
>
And again, if companies hired these people, most of whom come from
disadvantaged backgrounds and are self-taught, they wouldn't have as much
of a reason to be angry anymore. Most of them feel like they don't have
any real opportunities for a career and they are often right. Microsoft
hired some kid who hacked their network; it is a safe bet he isn't going
to be causing any trouble anymore. Talking about the trust issue, who
would you trust more: the person who has all the certs and experience
that told you your network was safe, or the 14 year old who proved him
wrong? We all know if that kid had approached Microsoft with his exploit
in a responsible manner they would have outright ignored him; that's why
this mailing list exists, because companies will ignore security issues
until it bites them in the ass to save a buck.

People are way too obsessed with having certifications that don't
actually teach practical intrusion techniques. If a system is so fragile
that teenagers can take it down with minimal effort then there is a
serious problem with the IT security industry. Think about it: how long
has SQL injection been around? There is absolutely no excuse for being
vulnerable to it. None whatsoever. These kids are showing people the
truth about the state of security online and that is what's making
people afraid of them. They aren't writing 0-days every week, they are
using vulnerabilities that are publicly available. Using tools that ar

Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-12 Thread Laurelai

On 1/12/12 3:49 AM, Ferenc Kovacs wrote:

Well that's what you get when you let profit margins dictate
security policy. You guys act pretty tough when you argue with
each other online but you can't stand up to some corporate idiots?
Sounds like this industry could benefit from these kids even more
since they are driving home the points you all are supposed to be
warning them about.


Maybe you should try at your company to hire a kiddie, and tell us
how it turned out.

Usually the ones shit-talking here are those without a decent job, imo...

--
Ferenc Kovács
@Tyr43l - http://tyrael.hu

I have a great job.

Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-12 Thread Laurelai

On 1/12/12 3:47 AM, doc mombasa wrote:

OK, obviously you never worked for a big corporate entity :)
Sure, standing up to them is fine.
After shouting about the bug for 4 months I thought, bah, why bother,
it's their asses not mine.
Just going in and fixing a bug without the mandate is usually not a good
idea (if you want to keep your job so you can pay your bills, that is...).


On 12 Jan 2012 at 10:41, Laurelai <laure...@oneechan.org> wrote:


On 1/12/12 3:34 AM, doc mombasa wrote:

I don't know if you ever worked for a big corporate entity?
Like Kovacs wrote, it's not about whether you can do it or not as an
employee, it's more about if your manager allows you the time to do it.
Pentesting doesn't change anything on the profits Excel sheet.
We can agree it looks bad when shit happens but they usually don't think
that far ahead.
I tried once reporting a very simple SQL injection flaw to my manager
and including a proposed fix which would take all of 5 minutes to
implement.
18 months went by before that flaw was fixed because there was no profit
in allocating resources to fix it, and that webapp was the #1 money
generator for that company.

On 12 Jan 2012 at 10:29, Laurelai <laure...@oneechan.org> wrote:

On 1/12/12 3:27 AM, doc mombasa wrote:

Just one question:
why should they hire the "skiddies" if most of them only know how to
fire up sqlmap or whatever current app is hot right now?
Doesn't really seem like enough reason to hire anyone.
Besides, I'm not buying the whole "they do it because they are angry at
society" plop.
I've been there... they do it for the lulz.

On 11 Jan 2012 at 06:18, Laurelai <laure...@oneechan.org> wrote:

On 1/10/12 10:18 PM, Byron Sonne wrote:
>> Don't piss off a talented adolescent with computer skills.
> Amen! I love me some stylin' pwnage :)
>
> Whether they were skiddies or actual hackers, it's still amusing (and
> frightening to some) that companies who really should know better, in
> fact, don't.
>
And again, if companies hired these people, most of whom come from
disadvantaged backgrounds and are self-taught, they wouldn't have as much
of a reason to be angry anymore. Most of them feel like they don't have
any real opportunities for a career and they are often right. Microsoft
hired some kid who hacked their network; it is a safe bet he isn't going
to be causing any trouble anymore. Talking about the trust issue, who
would you trust more: the person who has all the certs and experience
that told you your network was safe, or the 14 year old who proved him
wrong? We all know if that kid had approached Microsoft with his exploit
in a responsible manner they would have outright ignored him; that's why
this mailing list exists, because companies will ignore security issues
until it bites them in the ass to save a buck.

People are way too obsessed with having certifications that don't
actually teach practical intrusion techniques. If a system is so fragile
that teenagers can take it down with minimal effort then there is a
serious problem with the IT security industry. Think about it: how long
has SQL injection been around? There is absolutely no excuse for being
vulnerable to it. None whatsoever. These kids are showing people the
truth about the state of security online and that is what's making
people afraid of them. They aren't writing 0-days every week, they are
using vulnerabilities that are publicly available. Using tools that are
publicly available, tools that were meant to be used by the people
protecting the systems. Clearly the people in charge of protecting these
systems aren't using these tools to scan their systems or else they
would have found the weaknesses first.

The fact that government organizations and large name companies and
government contractors fall prey to these types of attacks just goes to
show the level of hypocrisy inherent to the situation. Especially when
their solution to the problem is to just pass more and
  

Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-12 Thread Laurelai

On 1/12/12 3:34 AM, doc mombasa wrote:

I don't know if you ever worked for a big corporate entity?
Like Kovacs wrote, it's not about whether you can do it or not as an
employee, it's more about if your manager allows you the time to do it.

Pentesting doesn't change anything on the profits Excel sheet.
We can agree it looks bad when shit happens but they usually don't think
that far ahead.
I tried once reporting a very simple SQL injection flaw to my manager
and including a proposed fix which would take all of 5 minutes to
implement.
18 months went by before that flaw was fixed because there was no profit
in allocating resources to fix it,

and that webapp was the #1 money generator for that company.

On 12 Jan 2012 at 10:29, Laurelai <laure...@oneechan.org> wrote:


On 1/12/12 3:27 AM, doc mombasa wrote:

Just one question:
why should they hire the "skiddies" if most of them only know how to
fire up sqlmap or whatever current app is hot right now?
Doesn't really seem like enough reason to hire anyone.
Besides, I'm not buying the whole "they do it because they are angry at
society" plop.
I've been there... they do it for the lulz.

On 11 Jan 2012 at 06:18, Laurelai <laure...@oneechan.org> wrote:

On 1/10/12 10:18 PM, Byron Sonne wrote:
>> Don't piss off a talented adolescent with computer skills.
> Amen! I love me some stylin' pwnage :)
>
> Whether they were skiddies or actual hackers, it's still amusing (and
> frightening to some) that companies who really should know better, in
> fact, don't.
>
And again, if companies hired these people, most of whom come from
disadvantaged backgrounds and are self-taught, they wouldn't have as much
of a reason to be angry anymore. Most of them feel like they don't have
any real opportunities for a career and they are often right. Microsoft
hired some kid who hacked their network; it is a safe bet he isn't going
to be causing any trouble anymore. Talking about the trust issue, who
would you trust more: the person who has all the certs and experience
that told you your network was safe, or the 14 year old who proved him
wrong? We all know if that kid had approached Microsoft with his exploit
in a responsible manner they would have outright ignored him; that's why
this mailing list exists, because companies will ignore security issues
until it bites them in the ass to save a buck.

People are way too obsessed with having certifications that don't
actually teach practical intrusion techniques. If a system is so fragile
that teenagers can take it down with minimal effort then there is a
serious problem with the IT security industry. Think about it: how long
has SQL injection been around? There is absolutely no excuse for being
vulnerable to it. None whatsoever. These kids are showing people the
truth about the state of security online and that is what's making
people afraid of them. They aren't writing 0-days every week, they are
using vulnerabilities that are publicly available. Using tools that are
publicly available, tools that were meant to be used by the people
protecting the systems. Clearly the people in charge of protecting these
systems aren't using these tools to scan their systems or else they
would have found the weaknesses first.

The fact that government organizations and large name companies and
government contractors fall prey to these types of attacks just goes to
show the level of hypocrisy inherent to the situation. Especially when
their solution to the problem is to just pass more and more restrictive
laws (as if that's going to stop them). These kids are showing people
that the emperor has no clothes and that's what's making people angry,
they are putting someone's paycheck in danger. Why don't we solve the
problem by actually addressing the real problem and fixing systems that
need to be fixed? Why not hire these kids with the time and energy on
their hands to probe for these weaknesses on a large scale? The ones
currently in the job slots to do this clearly aren't doing it. I bet if
they started replacing these people with these kids it would shake the
lethargy out of the rest of them and you would see a general increase in
competence and

Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-12 Thread Laurelai

On 1/12/12 3:27 AM, doc mombasa wrote:

Just one question:
why should they hire the "skiddies" if most of them only know how to
fire up sqlmap or whatever current app is hot right now?

Doesn't really seem like enough reason to hire anyone.
Besides, I'm not buying the whole "they do it because they are angry at
society" plop.

I've been there... they do it for the lulz.

On 11 Jan 2012 at 06:18, Laurelai <laure...@oneechan.org> wrote:


On 1/10/12 10:18 PM, Byron Sonne wrote:
>> Don't piss off a talented adolescent with computer skills.
> Amen! I love me some stylin' pwnage :)
>
> Whether they were skiddies or actual hackers, it's still amusing (and
> frightening to some) that companies who really should know better, in
> fact, don't.
>
And again, if companies hired these people, most of whom come from
disadvantaged backgrounds and are self-taught, they wouldn't have as much
of a reason to be angry anymore. Most of them feel like they don't have
any real opportunities for a career and they are often right. Microsoft
hired some kid who hacked their network; it is a safe bet he isn't going
to be causing any trouble anymore. Talking about the trust issue, who
would you trust more: the person who has all the certs and experience
that told you your network was safe, or the 14 year old who proved him
wrong? We all know if that kid had approached Microsoft with his exploit
in a responsible manner they would have outright ignored him; that's why
this mailing list exists, because companies will ignore security issues
until it bites them in the ass to save a buck.

People are way too obsessed with having certifications that don't
actually teach practical intrusion techniques. If a system is so fragile
that teenagers can take it down with minimal effort then there is a
serious problem with the IT security industry. Think about it: how long
has SQL injection been around? There is absolutely no excuse for being
vulnerable to it. None whatsoever. These kids are showing people the
truth about the state of security online and that is what's making
people afraid of them. They aren't writing 0-days every week, they are
using vulnerabilities that are publicly available. Using tools that are
publicly available, tools that were meant to be used by the people
protecting the systems. Clearly the people in charge of protecting these
systems aren't using these tools to scan their systems or else they
would have found the weaknesses first.

The fact that government organizations and large name companies and
government contractors fall prey to these types of attacks just goes to
show the level of hypocrisy inherent to the situation. Especially when
their solution to the problem is to just pass more and more restrictive
laws (as if that's going to stop them). These kids are showing people
that the emperor has no clothes and that's what's making people angry,
they are putting someone's paycheck in danger. Why don't we solve the
problem by actually addressing the real problem and fixing systems that
need to be fixed? Why not hire these kids with the time and energy on
their hands to probe for these weaknesses on a large scale? The ones
currently in the job slots to do this clearly aren't doing it. I bet if
they started replacing these people with these kids it would shake the
lethargy out of the rest of them and you would see a general increase in
competence and security. Knowing that if you get your network owned by a
teenager will not only get you fired, but replaced with said teenager is
one hell of an incentive to make sure you get it right.

Yes they would have to be taught additional skills to round out what
they know, but every job requires some level of training and there are
quite a few workplaces that will help their employees continue their
education because it benefits the company to do so. This would be no
different except that the employees would be younger, and younger people
do tend to learn faster so it would likely take less time to teach these
kids the needed skills to round out what they already know than it would
to teach someone older the same thing. It is the same principle behind
teaching young children multiple languages, they learn them better than
adults.


Because the ones in charge right now can't

Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-11 Thread Laurelai

On 1/11/12 8:39 AM, Ferenc Kovacs wrote:

Because the ones with the so called ethics either lack the technical
chops or lack the enthusiasm to find simple vulnerabilities. Not very
ethical to take a huge paycheck and not do your job if you ask me.


If the only thing missing to secure those systems was somebody being
able to use sqlmap and xss-me, then that could be fixed without
hiring people who already proved that they aren't trustworthy.
From my experience, the lack of security comes from the management;
you can save money on that (and QA) in the short run.
So companies tend to hire QSA companies to buy the paper which says
that they are good, when in fact they aren't.
Most of them don't wanna hear that they are vulnerable and take the
risks too lightly.
If they took IT security seriously they simply couldn't be owned
through trivial, well-known attack vectors.


--
Ferenc Kovács
@Tyr43l - http://tyrael.hu

:D at least one person here gets it.

Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-11 Thread Laurelai
On 1/10/12 11:39 PM, Ian Hayes wrote:
> On Tue, Jan 10, 2012 at 9:18 PM, Laurelai  wrote:
>> On 1/10/12 10:18 PM, Byron Sonne wrote:
>>>> Don't piss off a talented adolescent with computer skills.
>>> Amen! I love me some stylin' pwnage :)
>>>
>>> Whether they were skiddies or actual hackers, it's still amusing (and
>>> frightening to some) that companies who really should know better, in
>>> fact, don't.
>>>
>> And again, if companies hired these people, most of whom come from
>> disadvantaged backgrounds and are self taught they wouldn't have as much
>> a reason to be angry anymore. Most of them feel like they don't have any
>> real opportunities for a career and they are often right.
> [citation needed]
>
>> Microsoft hired some kid who hacked their network, it is a safe bet he isn't
>> going to be causing any trouble anymore.
> Are you proposing that we reward all such behavior with jobs? I've
> always wanted to be a firefighter. Forget resumes, job applications
> and interviews, I'm going to set people's houses on fire. By your
> logic, an arsonist is not only the best person to combat other
> arsonists, but due to his obviously unique insight into the nature of
> fire, simply must know how best to fight a fire as opposed to someone
> who went to school for years to learn the trade.
>
>> Talking about the trust issue, who
>> would you trust more the person who has all the certs and experience
>> that told you your network was safe or the 14 year old who proved him
>> wrong?
> This is asinine. WHY would I want to hire someone for a position of
> trust that just committed a crime, or at the very least acted in an
> unethical manner? More than anything, that person has proven that
> while he *might* have the technical chops, he certainly lacks the
> ethics and decision making skills to operate in the grown-up world.
>
Because the ones with the so called ethics either lack the technical 
chops or lack the enthusiasm to find simple vulnerabilities. Not very 
ethical to take a huge paycheck and not do your job if you ask me.


Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-10 Thread Laurelai
On 1/11/12 1:21 AM, valdis.kletni...@vt.edu wrote:
> On Tue, 10 Jan 2012 23:18:40 CST, Laurelai said:
>
>> real opportunities for a career and they are often right. Microsoft
>> hired some kid who hacked their network, it is a safe bet he isn't going
>> to be causing any trouble anymore.
> How safe a bet, exactly?  Safe enough to bet your business on it? Microsoft
> has $40B in cash handy to survive on if something goes wrong.  What's *your*
> Plan B if the kid you hired blabs about his gig and one of his buddies rapes
> your net using the credentials you gave the kid to do the pen test?
>
>> Talking about the trust issue, who
>> would you trust more the person who has all the certs and experience
>> that told you your network was safe or the 14 year old who proved him
>> wrong?
> A really clever guy by the name of Edsger Dijkstra once said "Testing can
> prove the presence of bugs, but not their absence".  If you're getting a pen
> test done by somebody who says your network is safe, you're being ripped off.
> First, all networks have holes - if the pen tester comes up empty, it doesn't
> mean your net is secure, it means finding the holes needs somebody with better
> skills. Second, any pen tester who says "the net is safe" is a rip-off artist.
> At best, they can say "we did not find any of the following vulnerabilities we
> tested for. There may be vulnerabilities present that we were unable to find
> under the rules of engagement, which limit the scope and total time and money
> spent".
>
> Also, it's not just about who do you trust more to find the holes, it's who
> you trust to be professional while they do it.
>
> Or the "put your money where your mouth is (literally)" version - which one
> would you rather have working for your bank when they find a security hole
> that allows them access to your checking account?
>
If you guys can't scan for basic SQL injection and these kids can then
there's a real problem, that's my point here. The attacks are so simple
children can do it and the so-called experts aren't finding them or just
aren't looking, so I'm not sure if it's incompetence or apathy behind these
high profile hacks. You can teach these kids the same skillsets the so-called
experts have, but you can't teach incompetent people to be competent as
it's a willful mindset to not learn new things, and there's no solution
for apathy other than hiring someone who cares.  These kids have the
motivation to learn new things and the energy to apply them. Something
the people they are owning lack sorely. As the ancient proverb says,
"Set a thief to catch a thief."



Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-10 Thread Laurelai

On 1/11/12 1:15 AM, Kyle Creyts wrote:

How many of those engaged in these attacks _could_ actually fix the
vulns they exploit? What is a good "rough estimate" in your opinion?


On Jan 11, 2012 12:47 AM, "Laurelai" <laure...@oneechan.org> wrote:


On 1/10/12 11:32 PM, James Smith wrote:
> Well I do agree with what you are stating. As I have seen incidents
> like this happen too many times.
> This mailing list is a big part of the IT Security community.
>
>
>
> -Original Message- From: Laurelai
> Sent: Wednesday, January 11, 2012 1:18 AM
> To: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response
>
> On 1/10/12 10:18 PM, Byron Sonne wrote:
>>> Don't piss off a talented adolescent with computer skills.
>> Amen! I love me some stylin' pwnage :)
>>
>> Whether they were skiddies or actual hackers, it's still amusing (and
>> frightening to some) that companies who really should know better, in
>> fact, don't.
>>
> And again, if companies hired these people, most of whom come from
> disadvantaged backgrounds and are self-taught, they wouldn't have as much
> of a reason to be angry anymore. Most of them feel like they don't have
> any real opportunities for a career and they are often right. Microsoft
> hired some kid who hacked their network; it is a safe bet he isn't going
> to be causing any trouble anymore. Talking about the trust issue, who
> would you trust more: the person who has all the certs and experience
> that told you your network was safe, or the 14 year old who proved him
> wrong? We all know if that kid had approached Microsoft with his exploit
> in a responsible manner they would have outright ignored him; that's why
> this mailing list exists, because companies will ignore security issues
> until it bites them in the ass to save a buck.
>
> People are way too obsessed with having certifications that don't
> actually teach practical intrusion techniques. If a system is so fragile
> that teenagers can take it down with minimal effort then there is a
> serious problem with the IT security industry. Think about it: how long
> has SQL injection been around? There is absolutely no excuse for being
> vulnerable to it. None whatsoever. These kids are showing people the
> truth about the state of security online and that is what's making
> people afraid of them. They aren't writing 0-days every week, they are
> using vulnerabilities that are publicly available. Using tools that are
> publicly available, tools that were meant to be used by the people
> protecting the systems. Clearly the people in charge of protecting these
> systems aren't using these tools to scan their systems or else they
> would have found the weaknesses first.
>
> The fact that government organizations and large name companies and
> government contractors fall prey to these types of attacks just goes to
> show the level of hypocrisy inherent to the situation. Especially when
> their solution to the problem is to just pass more and more restrictive
> laws (as if that's going to stop them). These kids are showing people
> that the emperor has no clothes and that's what's making people angry,
> they are putting someone's paycheck in danger. Why don't we solve the
> problem by actually addressing the real problem and fixing systems that
> need to be fixed? Why not hire these kids with the time and energy on
> their hands to probe for these weaknesses on a large scale? The ones
> currently in the job slots to do this clearly aren't doing it. I bet if
> they started replacing these people with these kids it would shake the
> lethargy out of the rest of them and you would see a general increase in
> competence and security. Knowing that if you get your network owned by a
> teenager will not only get you fired, but replaced with said teenager is
> one hell of an incentive to make sure you get it right.
>
>
> Yes they would have to be taught additional skills to round out what
> they know, but every job requires some level of training and there are
> quite a few workplaces that will help their employees continue their
> education because it benefits the company to do so. This would be no
>

Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-10 Thread Laurelai
On 1/10/12 11:32 PM, James Smith wrote:
> Well I do agree with what you are stating. As I have seen incidents
> like this happen too many times.
> This mailing list is a big part of the IT Security community.
>
>
>
> -Original Message- From: Laurelai
> Sent: Wednesday, January 11, 2012 1:18 AM
> To: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response
>
> On 1/10/12 10:18 PM, Byron Sonne wrote:
>>> Don't piss off a talented adolescent with computer skills.
>> Amen! I love me some stylin' pwnage :)
>>
>> Whether they were skiddies or actual hackers, it's still amusing (and
>> frightening to some) that companies who really should know better, in
>> fact, don't.
>>
> And again, if companies hired these people, most of whom come from
> disadvantaged backgrounds and are self taught they wouldn't have as much
> a reason to be angry anymore. Most of them feel like they don't have any
> real opportunities for a career and they are often right. Microsoft
> hired some kid who hacked their network, it is a safe bet he isn't going
> to be causing any trouble anymore. Talking about the trust issue, who
> would you trust more the person who has all the certs and experience
> that told you your network was safe or the 14 year old who proved him
> wrong? We all know if that kid had approached Microsoft with his exploit
> in a responsible manner they would have outright ignored him, that's why
> this mailing list exists, because companies will ignore security issues
> until it bites them in the ass to save a buck.
>
> People are way too obsessed with having certifications that don't
> actually teach practical intrusion techniques. If a system is so fragile
> that teenagers can take it down with minimal effort then there is a
> serious problem with the IT security industry. Think about it how long
> has sql injection been around? There is absolutely no excuse for being
> vulnerable to it. None whatsoever. These kids are showing people the
> truth about the state of security online and that is what's making people
> afraid of them. They aren't writing 0 days every week, they are using
> vulnerabilities that are publicly available. Using tools that are
> publicly available, tools that were meant to be used by the people
> protecting the systems. Clearly the people in charge of protecting these
> system aren't using these tools to scan their systems or else they would
> have found the weaknesses first.
>
> The fact that government organizations and large name companies and
> government contractors fall prey to these types of attacks just goes to
> show the level of hypocrisy inherent to the situation. Especially when
> their solution to the problem is to just pass more and more restrictive
> laws (as if that's going to stop them). These kids are showing people
> that the emperor has no clothes and that's what's making people angry,
> they are putting someone's paycheck in danger. Why don't we solve the
> problem by actually addressing the real problem and fixing systems that
> need to be fixed? Why not hire these kids with the time and energy on
> their hands to probe for these weaknesses on a large scale? The ones
> currently in the job slots to do this clearly aren't doing it.  I bet if
> they started replacing these people with these kids it would shake the
> lethargy out of the rest of them and you would see a general increase in
> competence and security. Knowing that if you get your network owned by a
> teenager will not only get you fired, but replaced with said teenager is
> one hell of an incentive to make sure you get it right.
>
>
> Yes they would have to be taught additional skills to round out what
> they know, but every job requires some level of training and there are
> quite a few workplaces that will help their employees continue their
> education because it benefits the company to do so. This would be no
> different except that the employees would be younger, and younger people
> do tend to learn faster so it would likely take less time to teach these
> kids the needed skills to round out what they already know than it would
> to teach someone older the same thing. It is the same principle behind
> teaching young children multiple languages, they learn them better than
> adults.
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
Yes I am aware they are, the ones who cry out that they are just script 
kiddies and such are the ones who are most likely to be 

Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-10 Thread Laurelai
On 1/10/12 10:18 PM, Byron Sonne wrote:
>> Don't piss off a talented adolescent with computer skills.
> Amen! I love me some stylin' pwnage :)
>
> Whether they were skiddies or actual hackers, it's still amusing (and
> frightening to some) that companies who really should know better, in
> fact, don't.
>
And again, if companies hired these people, most of whom come from 
disadvantaged backgrounds and are self-taught, they wouldn't have as much 
of a reason to be angry anymore. Most of them feel like they don't have any 
real opportunities for a career, and they are often right. Microsoft 
hired some kid who hacked their network; it is a safe bet he isn't going 
to be causing any trouble anymore. Talking about the trust issue, who 
would you trust more: the person who has all the certs and experience 
that told you your network was safe, or the 14 year old who proved him 
wrong? We all know if that kid had approached Microsoft with his exploit 
in a responsible manner they would have outright ignored him; that's why 
this mailing list exists, because companies will ignore security issues 
until it bites them in the ass to save a buck.

People are way too obsessed with having certifications that don't 
actually teach practical intrusion techniques. If a system is so fragile 
that teenagers can take it down with minimal effort then there is a 
serious problem with the IT security industry. Think about it: how long 
has SQL injection been around? There is absolutely no excuse for being 
vulnerable to it. None whatsoever. These kids are showing people the 
truth about the state of security online and that is what's making people 
afraid of them. They aren't writing 0 days every week, they are using 
vulnerabilities that are publicly available. Using tools that are 
publicly available, tools that were meant to be used by the people 
protecting the systems. Clearly the people in charge of protecting these 
systems aren't using these tools to scan their systems or else they would 
have found the weaknesses first.

The fact that government organizations and large name companies and 
government contractors fall prey to these types of attacks just goes to 
show the level of hypocrisy inherent to the situation. Especially when 
their solution to the problem is to just pass more and more restrictive 
laws (as if that's going to stop them). These kids are showing people 
that the emperor has no clothes and that's what's making people angry, 
they are putting someone's paycheck in danger. Why don't we solve the 
problem by actually addressing the real problem and fixing systems that 
need to be fixed? Why not hire these kids with the time and energy on 
their hands to probe for these weaknesses on a large scale? The ones 
currently in the job slots to do this clearly aren't doing it.  I bet if 
they started replacing these people with these kids it would shake the 
lethargy out of the rest of them and you would see a general increase in 
competence and security. Knowing that if you get your network owned by a 
teenager will not only get you fired, but replaced with said teenager is 
one hell of an incentive to make sure you get it right.


Yes they would have to be taught additional skills to round out what 
they know, but every job requires some level of training and there are 
quite a few workplaces that will help their employees continue their 
education because it benefits the company to do so. This would be no 
different except that the employees would be younger, and younger people 
do tend to learn faster so it would likely take less time to teach these 
kids the needed skills to round out what they already know than it would 
to teach someone older the same thing. It is the same principle behind 
teaching young children multiple languages, they learn them better than 
adults.



Re: [Full-disclosure] Fwd: Fw: Who is behind Stratfor hack?

2012-01-08 Thread Laurelai
On 1/8/12 2:06 PM, valdis.kletni...@vt.edu wrote:
> On Sun, 08 Jan 2012 11:16:59 CST, Laurelai said:
>
> He sent a copy to you too?  My condolences.  He comes up with the most
> "interesting" conclusions sometimes.
>
>> If this turns out to be the person who hacked your web site, I would
>> like a cash reward.
>>
>> Andrew
>>
>> ---
>>
>> http://pastebin.com/f7jYf5Wd
>>
>> "46.>  lol xD"
>> Should we read into this too much?
> You just did, Andrew.  There's 2 possibilities. Either it's a frikkin *SMILEY*,
> or I'm actually a Microsoft hacker that goes by the name 'XP Vista'.  Hint - in a few
> places, we find the string 'xD xD'.  Do you sign your name Andrew Andrew? No?
> Then which is more likely, it's 2 smileys in a row, or the person's tag twice
> in a row?
>
>> Last email I have from him is 23rd December... same kind of grammar as
>> the Stratfor pastebin.
> This is *so* amusing, coming from the person who's *still* threatening legal
> action against me for suggesting "n3td3v" to Neal Krawetz, which resulted in
> a nice presentation at Black Hat on linguistic analysis.  At least Neal actually
> measured percentages of words and syllable lengths and tenses and stuff
> like that. ;)
>
>> It seems he disappeared just as the Stratfor news broke just before
>> Christmas.
> Andrew? Hate to break it to you, but a lot of people go on actual multi-week
> vacations around Christmastime. Heck, something like 57% of the entire population
> of the town I live in left around Dec 16, and won't be back till next week.  The streets
> are deserted.  Maybe one of those 20,000 people is the *real* hacker and left
> just before the news broke, not on Christmas vacation?
>
> lol XP XP
His "logic" reminds me of Jen Emerick



[Full-disclosure] Fwd: Fw: Who is behind Stratfor hack?

2012-01-08 Thread Laurelai
I don't know why you emailed this to me, perhaps you were looking for 
attention or something, so I've forwarded it to the FD list so you can 
get all the attention you want.


Cheers.

 Original Message 
Subject:Fw: Who is behind Stratfor hack?
Date:   Sun, 8 Jan 2012 00:06:23 -0800 (PST)
From:   andrew.wallace 
Reply-To:   andrew.wallace 
To: "Laurelai" 



- Forwarded Message -
*From:* andrew.wallace 
*To:* "feedb...@stratfor.com" 
*Sent:* Saturday, December 31, 2011 1:50 AM
*Subject:* Who is behind Stratfor hack?

If this turns out to be the person who hacked your web site, I would 
like a cash reward.


Andrew

---

http://pastebin.com/f7jYf5Wd

"46. > lol xD"

---

Should we read into this too much?

Andrew

---


"48. We almost have sympathy for those poor DHS employees and australian 
billionaires who had their bank accounts looted by the lulz (orly? i 
just fapped)."


---

The guy we know is australian...

Andrew

---

"51. We call upon all allied battleships, all armies from darkness, to 
use and abuse these password lists and credit card information to wreak 
unholy havok upon the systems and personal email accounts of these rich 
and powerful oppressors. Kill, kitties, kill and burn them down... 
peacefully. XD XD"


---

Signed as XD again.

Andrew

---

Last email I have from him is 23rd December... same kind of grammar as 
the Stratfor pastebin.


It seems he disappeared just as the Stratfor news broke just before 
Christmas.


Andrew

- Forwarded Message -
*From:* xD 0x41 
*To:* Larry W. Cashdollar 
*Cc:* full-disclosure@lists.grok.org.uk
*Sent:* Friday, December 23, 2011 1:26 PM
*Subject:* Re: [Full-disclosure] Mobile Prank Hacktool

hi Larry!
Hope you're doing well mate ;) , anyhow, here.. i did manage to get
it via windows..maybe megaupload.com has blocks for lynx or other
linux ? notsure and, not caring to test,..lol...anyhow, same
file..enjoy, cheers.
(Oh, id always run this with at least a basic Sandbox, like Sandboxie
,which would make sure that we never lose our data in case there is
malws,which,usually tools like this always do..but, anyhow, it is not
from me, altho, many would probably wish it was :s sad...

> Looks like the link is unavailable.
>
> -- Larry C$

Oh, i was able to download what looks like, a very interesting
application and files..very cool...well, to look atm, atm :P
I did browse the src, just then directly upped it to hotfile.com..i
think lynx is a bit better with hotfile...anyhow, here is a working
link:

http://hotfile.com/dl/138283571/f9ef676/Mobile_Prank_Hacktool.rar.html

anyhow, cheers Larry, let me know if it worked, if not, I'll put it on a
ftp or sumthin :s but, then id be checking my own connection :P~
lol...tc buddy!
XD // hax...@haxshells.us @ crazycoders.com crazycoders.us






Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-07 Thread Laurelai
On 1/7/12 6:20 PM, valdis.kletni...@vt.edu wrote:
> On Sat, 07 Jan 2012 17:37:44 CST, Laurelai said:
>> Because they pay the kids to own them in a safe manner to show that
> It's not as simple as all that.  A good pen-tester needs more skills than just
> how to pwn a server.  You need some business smarts, and you need to be *very*
> careful about writing the rules of engagement (some pen tests that involve
> physical attacks can literally get you shot at if you screw this part up), and
> then *sticking with them* (you find a major social engineering problem while
> doing a black-box test of some front-end servers, you better re-negotiate those
> rules of engagement before you do anything else).  Also, once a pen test
> starts, you can't take your time and poke it with the 3 or 4 types of attacks
> that you're good at - you have 3 weeks starting at 8AM Monday to hit it with
> 37 different classes of attacks they're likely to see and another 61 types
> of attacks they're not likely to see and aren't expecting.  And be prepared to
> work any one of those 94 from "looks like might be an issue" to something you
> can put in a report and say "You Have A Problem".
>
> Almost no company is stupid enough to hire a pen testing team without that team
> posting a good-sized performance bond in case of a screw-up taking out a
> server, or a rogue pentester stealing the data. (ESPECIALLY in this case, you
> *already* caught them stealing the data once :)
>
> And the kids are going to land a $1M performance bond, how?
>
> (Hint - think this through.  Really good pentesters make *really* good bucks.
> If those kiddies had what it took to be good pentesters, they'd already be
> making bucks as pentesters, not as kiddies)
>
>> their so called experts are full of shit, then they fire said experts
>> and hire competent people saving time money and resources, try and
> Doesn't scale, because there's not enough competent people out there. There's
> 140 million .coms, there aren't 140 million security experts out there.
>
> It's not a new idea - I've heard it every year or two since probably before
> most of the people on this list were born.  The fact that almost no companies
> actually *do* it, and that those hackers who have successfully crossed over to
> consulting are rare enough that you can name most of them, should tell you
> something about how well it ends up working in practice.
>
Well, enjoy your doomed industry then. I'll continue to take great 
pleasure as the so-called experts get owned by teenagers.



Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-07 Thread Laurelai

On 1/7/12 5:31 PM, Ferenc Kovacs wrote:



On Sun, Jan 8, 2012 at 12:03 AM, Laurelai wrote:


On 1/7/12 3:50 PM, valdis.kletni...@vt.edu wrote:

On Sat, 07 Jan 2012 16:25:35 EST, Shyaam Sundhar said:


Although, once they have gained popularity and to a stage where a garage
office becomes a shop floor and a @home biz becomes a rent-a-million$-building
office, it is time to shift priorities.

If finding people who are competent enough to secure a payroll system for a
company of 10 people is difficult, what makes you think that it's easy to find
people who can secure the systems for a company of 1,000?

As Stratfor has demonstrated, the talent pool of *really* competent security
people is shallow enough that there's not even enough to secure the security
companies. And it's not just Stratfor - when was the last time this list went a
week without mocking a security company for its lack of clue?  It's an industry-wide
problem - there's a *severe* shortage of experts.

And even though schools like DeVry and ITT are churning out lots of people with
entry level certifications, I'm not at all sure that helps the situation - we
end up with a lot of people who are entry level, and don't realize how much
they don't know. That makes them almost more dangerous than not having anybody
at all. Sort of like if you walk alone through a scary part of town, you
actually stand a good chance because you *know* you're alone and will act
accordingly - but if you have a bodyguard with you, you're likely to act
differently, and end up totally screwed when you find out said bodyguard has a
belt in martial arts, but zero experience in street fighting...




Perhaps these companies should try to hire the kids owning them
instead of crying to the feds.


why do you think that kiddies using tools like sqlmap would be able to 
defend them from other kids?



--
Ferenc Kovács
@Tyr43l - http://tyrael.hu
Because they pay the kids to own them in a safe manner to show that 
their so-called experts are full of shit, then they fire said experts 
and hire competent people, saving time, money and resources. Try and 
remember the guys with the certs are the ones getting owned by the 
skiddies with sqlmap, so that should show you how broken the infosec 
industry is. Want to fix it? Start by hiring the skids because they are 
still more competent than the guys they are owning. If that one gets 
owned you hire the guy who owned him, etc... until you actually have to 
know what the hell you're doing to be in infosec. Use a Darwinian approach 
to the industry.

Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-07 Thread Laurelai

On 1/7/12 3:50 PM, valdis.kletni...@vt.edu wrote:

On Sat, 07 Jan 2012 16:25:35 EST, Shyaam Sundhar said:


Although, once they have gained popularity and to a stage where a garage
office becomes a shop floor and a @home biz becomes a rent-a-million$-building
office, it is time to shift priorities.

If finding people who are competent enough to secure a payroll system for a
company of 10 people is difficult, what makes you think that it's easy to find
people who can secure the systems for a company of 1,000?

As Stratfor has demonstrated, the talent pool of *really* competent security
people is shallow enough that there's not even enough to secure the security
companies. And it's not just Stratfor - when was the last time this list went a
week without mocking a security company for its lack of clue?  It's an industry-wide
problem - there's a *severe* shortage of experts.

And even though schools like DeVry and ITT are churning out lots of people with
entry level certifications, I'm not at all sure that helps the situation - we
end up with a lot of people who are entry level, and don't realize how much
they don't know. That makes them almost more dangerous than not having anybody
at all. Sort of like if you walk alone through a scary part of town, you
actually stand a good chance because you *know* you're alone and will act
accordingly - but if you have a bodyguard with you, you're likely to act
differently, and end up totally screwed when you find out said bodyguard has a
belt in martial arts, but zero experience in street fighting...



Perhaps these companies should try to hire the kids owning them instead 
of crying to the feds.

Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-07 Thread Laurelai

On 1/7/12 2:48 PM, Ferenc Kovacs wrote:



On Sat, Jan 7, 2012 at 8:10 PM, Jeffrey Walton wrote:


http://bolt.thexfil.es/84e9h!t 
was an interesting link - it
demonstrated the pwnage.

It looks like these folks gained access via PHP. Stratfor was using a
Linux based system, but PHP was version 1.8
from 2009 (perhaps with some back patches). Current version of PHP is
5.3.8 (http://www.php.net/).


O really? PHP 1.8? how would you compile that on a modern linux distro?
how would you run drupal on top of it?

// $Id: default.settings.php,v 1.8.2.4 2009/09/14 12:59:18 goba Exp $
that is a line from the default drupal config file.

I agree that the php app was the most likely source of the intrusion, 
I would guess that they didn't keep the drupal core and the contrib 
modules up-to-date, and they were owned through some old vulnerability.


--
Ferenc Kovács
@Tyr43l - http://tyrael.hu


And again it makes me wonder how many other so called security companies 
are just as vulnerable.

Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-07 Thread Laurelai
On 1/7/12 8:51 AM, Ed Carp wrote:
> ROFL!!!
>
> -- Forwarded message --
> From:
> Date: Sat, Jan 7, 2012 at 2:33 AM
> Subject: Rate Stratfor's Incident Response
> To: e...@pobox.com
>
>
> For the video announcement, please see
> http://www.youtube.com/watch?v=oHg5SJYRHA0
> Read full press release: http://bolt.thexfil.es/84e9h!t
> Rate Stratfor's incident response:
> http://img855.imageshack.us/img855/9055/butthurtreportform.jpg
>
> Hello loyal Stratfor clients,
>
> We are still working to get our website secure and back up and running
> again as soon as possible.
>
> To show our appreciation for your continued support, we will be making
> available all of our premium content *as a free service* from now on.
>
> We would like to hear from our loyal client base as to our handling of
> the recent intrusion by those deranged, sexually deviant criminal
> hacker terrorist masterminds. Please fill out the following form and
> return it to me
>
> My mobile: 512-658-3152
> My home phone: 512-894-0125
>
I still find this kind of thing hilarious.


