Re: [Full-disclosure] Cyber War or just Cyber Protest?

2009-01-16 Thread M . B . Jr .
Dear "you-know-who",


On Wed, Jan 14, 2009 at 5:14 PM, andrew. wallace wrote:
>
> If "cyber war" is just web site defacement then I don't think we ever
> need to take "cyber war" too seriously.


Starting, all of a sudden, with wrong and fallacious premises obviously
cannot lead to solid conclusions.
Defacements constitute compromised information integrity, and that is serious.


>
> It seems to me that "cyber war" just means protesters protesting and
> no actual cyber war is there, as a cyber war would mean two sides
> fighting, although two sides aren't fighting in "cyber" its all
> one-way script kid web defacement, not real war in any sense.
>
> Two sides fighting, a government and some other entity and the
> internet stuck in the middle, now that would mean "cyber war", there
> has been no cyber war and is unlikely to be one.
>
> If people are marching in London today in the streets against the
> Israel-Gaza conflict is that called "war"? Of course not, so why are
> the media so quick to call protesting on-line, a war? [1]
>
> What it really is, is folks protesting... a cyber protest, not a war.
>
> Why are we using the wrong words to describe stuff? It's not even the
> media, it was Gary Warner on a web log. [2]
>
> [1] http://news.bbc.co.uk/1/hi/uk/7809656.stm
>
> [2] http://garwarner.blogspot.com/2008/12/muslim-hackers-declare-cyberwar-on.html
>
> We as a community should be cautious about using the wrong words to
> describe stuff, because the media take influence from us guys on
> mailing lists and blogs and at security conferences, so it's important
> we use "cyber protest" when script kids deface some web sites.
>
> To put the right angle on this, it's unlikely to be new people doing
> the defacements, it's likely to be script kids who were defacers
> anyway, and just change their political message to go with *whatever
> the current climate is*.
>
> Tomorrow the same folks will be defacing with a new message, they
> don't care *really* about the message, defacers will find any reason
> to deface.
>
> It's unlikely the Israel-Gaza conflict defacers were only sprung into
> action because of what is going on in the world, they would be
> defacing anyway and looking for any excuse to do so.
>
> Let's be careful from now on, I don't like to see the wrong buzzwords
> used and I'm sure Gadi doesn't either.
>
> If Hamas cyber attacked Israel and Israel had a cyber response, then
> that would be cyber war. This is not cyber war folks, this is a cyber
> protest those kids are doing, they are unlikely to be connected with
> anything that's going on and were web defacers anyway with a different
> defacement message the day before.
>
> Please I hope we as security experts know the difference.
>
> I wrote this Email just in case because I'm sick of certain buzzwords
> like cyber war when there isn't a cyber war.
>
> When the day comes that a government and another entity is two-way
> cyber fighting and say for instance critical national infrastructure
> is affected then you can talk about cyber war, until then please
> describe web site defacers as "cyber protest".
>
> A cyber war is two-way fighting, one-way fighting is not a war!
>
> And to clarify, a bunch of kids defacing a web site and you applying a
> patch afterwards is not classed as two-way fighting and cannot be
> considered "cyber war" either.
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/



--
Marcio Barbado, Jr.



Re: [Full-disclosure] Urgent Google Contact

2008-12-19 Thread M . B . Jr .
Can't you google it?


On 12/18/08, xyberpix  wrote:
> Hi all,
>
> Does anyone have contact details for anyone at Google's security
> department at all?
>
> TIA
> xyberpix
>
>


-- 
Marcio Barbado, Jr.



Re: [Full-disclosure] What Christianity means to me

2008-11-12 Thread M . B . Jr .
On Fri, Nov 7, 2008 at 6:23 AM, Andrew A <[EMAIL PROTECTED]> wrote:
> I was recently having an ethics debate where someone said that Christianity
> was "just what the greeks taught, but dumbed down". I heartily disagreed,
> and I wanted to put my reasons to text while I still remembered them.
>


No wonder. One has to disagree in the face of such an extravagant
manifestation of cynicism, indeed.
Check these passages out, first:

Romans 1, 16
Romans 2, 9
Romans 2, 10

then you'll get closer to the referred observation's hypocrisy.



-- 
Marcio Barbado, Jr.



Re: [Full-disclosure] What Christianity means to me

2008-11-12 Thread M . B . Jr .
On Tue, Nov 11, 2008 at 12:57 PM, n3td3v <[EMAIL PROTECTED]> wrote:
> Yup, pointless thread that was going no where.


Really, Mr n3td3v?



-- 
Marcio Barbado, Jr.



Re: [Full-disclosure] security industry software license

2008-10-14 Thread M . B . Jr .
Again,
you're trying to solve an issue by looking at the consequences, whereas
your "license scheme" suggestion should rest on the causes;
as I wrote before, focusing on consequences in this case brings along no
easy solutions.

And by the way, why insistently and specifically target Metasploit?
That is a much broader issue.


Best regards,



On Mon, Oct 13, 2008 at 10:00 PM, n3td3v <[EMAIL PROTECTED]> wrote:
> The intelligence about who downloads metasploit is already there, but
> currently it is not actionable intelligence.
>
> The license scheme would start to make that intelligence actionable,
> without the scheme, you've got intelligence sitting there that can't
> be used in an actionable way.
>
> It's all about making intelligence that is already held actionable.
>
> You've got known cyber criminals and terrorists downloading
> metasploit, but no legislation in place where the good guys can
> benefit and the bad guys be lockered out.
>
> We got to get this situation sorted, the intelligence is there, but
> nothing actionable can be done with it.
>
> We've got to get this license scheme implemented sooner rather than later.
>
> n3td3v
>
>



-- 
Marcio Barbado, Jr.



Re: [Full-disclosure] security industry software license

2008-10-13 Thread M . B . Jr .
Any OSI-based set, but without enforcing security-through-obscurity concepts.
Maybe adapting some Bell-LaPadula ideas.
There are lots of models to discuss. The real question however is:

can we start fresh?


On Mon, Oct 13, 2008 at 1:57 PM, Buhrmaster, Gary <[EMAIL PROTECTED]> wrote:
>
>> >   * writing a whole new set of protocols to be used over a whole new
>> > independent backbone infrastructure; and
>>
>> I suggest the OSI protocol stack, for the security-through-obscurity
>> benefits.  ASN.1, anybody? :)
>>
>
> GOSIP anyone?
>
> I think the DMS was claimed to be more secure
> since it was based on OSI.
>



-- 
Marcio Barbado, Jr.



Re: [Full-disclosure] security industry software license

2008-10-13 Thread M . B . Jr .
Dear n3td3v, the dreamer,
concerning your suggestion -- which is a noble one -- in a wider context,
you'd better start with two things:

  * writing a whole new set of protocols to be used over a whole new
independent backbone infrastructure; and

  * convincing the world to forget about TCP.



Best regards,



On Thu, Oct 9, 2008 at 10:31 PM, n3td3v <[EMAIL PROTECTED]> wrote:
> there should be a central license that people apply for to use
> software like metasploit.
>
> all the *respected* programmers would require the license before you
> get to download.
>
> anyone can apply for a licence, however only those who meet the
> criteria get given the licence.
>
> background checks are done on you to see you are who you say you are.
>
> that you're not a cyber criminal or terrorist, and that you're going
> to be using the software for the intentions of which the product was
> designed.
>
> verbal contracts never hold ground, saying, this software is for
> testing purposes isn't any guarantee that the bad guys won't use the
> software.
>
> we need a centralised security industry software license scheme so the
> good guys can take full advantage of the tools made by creators of
> security software, while shuttering the bad guys out.
>
> to rely on a "verbal contract" for security software as a safe guard
> is no longer enough for the security industry in light of metasploit
> and other borderline "evil" purpose software.
>
> it's time that members of the industry work together to form such a
> scheme, to ensure a streamlined programme that all the good guys can be
> part of, only letting the good guys use the software for good
> purposes.
>
>



-- 
Marcio Barbado, Jr.



Re: [Full-disclosure] What Lexical Analysis Became in The Web-Slave New World

2008-10-08 Thread M . B . Jr .
Well you should if:

  * you are concerned with the awfully insecure programming
"methodologies" imposed by the industry and its productiveness thirst,
sadly being held as acceptable; and/or

  * you are a Google Calendar, Orkut and/or Locamail user.

If on one side the industry induces Internet technologies consumers
(regular end users) to act solely via web browsers, on the other it
forces programmers to adopt harmful techniques even for input lexical
analysis security algorithms, which is a PARADOX. And once more,
regular end users get damaged by that.


Yours faithfully,



On 10/8/08, destiny <[EMAIL PROTECTED]> wrote:
> hello friends
>
> this email too long
> i did not read it
>
> On Tue, 07 Oct 2008 17:30:38 + "M.B.Jr."
> <[EMAIL PROTECTED]> wrote:
> >What Lexical Analysis Became in The Web-Slave New World
> >
> >
> >The point here is XSS, but rather than talking about the Internet
> >weaknesses it exposes, this text goes against the poor algorithms
> >being used to "detect" and/or avoid it.
> >Hazardous XSS. Hazardous low-quality-XSS-filtering. These are critical
> >times for Internet users, undoubtedly. We face negligence-oriented
> >services at each new click.
> >
> >It's a contradiction seeing so many efforts (RFCs) being made and
> >concomitantly, the only "user-friendly" (oh yeah, that expression)
> >place offered by the industry to regular end users, remaining the same
> >application layer, the top of the iceberg.
> >But regular end users don't know that. Paraphrasing Josh Homme, they
> >just "go with the flow", victimized by a doctrine that makes them
> >believe those practices and technologies are the only ones available,
> >this way forming the new industry-led slave mass. And it becomes a
> >severer issue by the moment one realizes this commercially called "Web
> >2.0" and its risks disclose, more than vulnerabilities, web apps
> >programming laziness, also known as XP or Agile methodology. Hail,
> >Kent Beck!
> >One way or another, a jungle presents itself to users, into the
> >highest layer and preoccupations rise faster as indolent techniques
> >are applied to XSS-filtering.
> >So, let's discuss it.
> >
> >You know Google? Well, check this out, there's this Google corporation
> >stating that their BETA releases represent a new web-based BETA
> >concept. As if their web apps weren't client-server software.
> >Two of their free BETA services, Google Calendar and Orkut, are going
> >to be discussed here along with an eager-to-follow-bad-examples
> >Brazilian company, Locaweb, and its paid web-based e-mail service,
> >Locamail.
> >The worst case to be analyzed implies using the combination "<>"
> >without quotation marks, to delimit some information. The referred
> >services' handling for those characters can cause users' data to be
> >lost.
> >Readers will be able to test it, easily, at least on Google's services.
> >
> >In opposition to the once vulnerable Google Documents, which was used
> >to accept html tags, Google Calendar, Orkut and Locamail simply
> >discard anything which might resemble a tag. Their input analysis is
> >like:
> >
> >"Oh, did you see that less-than character and that other greater-than,
> >ten lines below? Trim'em. Oh, wait! I just had a better idea. Delete
> >them and all the content they enclose as well. I'm one helluva
> >genius!"
> >
> >What is worst? A cross-site scripting attack or an "Extreme
> >Programming" team deploying such simple anti-XSS mechanisms?
> >
> >Why spending time writing cautious lexical analysis algorithms? Why
> >struggle seeking and/or trying to forecast specific hazardous strings?
> >Is it laziness? Perhaps Google doesn't have processing grid guts for such:
> >
> >http://blog.managednetworks.co.uk/it-support/googles-20-petabytes/
> >
> >Not yet.
> >At least for Google, it seems like some sort of indolence-guided
> >programming technique, indeed.
> >
> >Specifically on Google Calendar, now. It has two basic views. A broad
> >view of one's schedule and an event-specific view. The latter is where
> >one goes for inputting, say, a meeting's prior points to be discussed.
> >Let's start with its lighter problems. Incoherent functions/methods.
> >When one's in there, scheduling something means creating an "Event".
> >By the time one creates an "Event", he's given the option to name that
> >"Event", like a reminder which will appear in the broader view. If
> >that event's name finishes with a semicolon, this character's simply
> >trimmed. Hey! That's bad for a start, isn't that?
> >The incoherency comes with the algorithm which edits an already created "Event".
> >
> >PoC-1: creating an "Event" and editing the "What" field
> >When creating an "Event", if one writes something to the "What:" field
> >and finishes his writing with a semicolon, this last character will
> >disappear by the time the "Create Event" button is activated.
> >
> >Example:
> >
> >  know your enemy

[Full-disclosure] What Lexical Analysis Became in The Web-Slave New World

2008-10-07 Thread M . B . Jr .
What Lexical Analysis Became in The Web-Slave New World


The point here is XSS, but rather than talking about the Internet
weaknesses it exposes, this text goes against the poor algorithms
being used to "detect" and/or avoid it.
Hazardous XSS. Hazardous low-quality-XSS-filtering. These are critical
times for Internet users, undoubtedly. We face negligence-oriented
services at each new click.

It's a contradiction seeing so many efforts (RFCs) being made and
concomitantly, the only "user-friendly" (oh yeah, that expression)
place offered by the industry to regular end users, remaining the same
application layer, the top of the iceberg.
But regular end users don't know that. Paraphrasing Josh Homme, they
just "go with the flow", victimized by a doctrine that makes them
believe those practices and technologies are the only ones available,
this way forming the new industry-led slave mass. And it becomes a
severer issue by the moment one realizes this commercially called "Web
2.0" and its risks disclose, more than vulnerabilities, web apps
programming laziness, also known as XP or Agile methodology. Hail,
Kent Beck!
One way or another, a jungle presents itself to users, into the
highest layer and preoccupations rise faster as indolent techniques
are applied to XSS-filtering.
So, let's discuss it.

You know Google? Well, check this out, there's this Google corporation
stating that their BETA releases represent a new web-based BETA
concept. As if their web apps weren't client-server software.
Two of their free BETA services, Google Calendar and Orkut, are going
to be discussed here along with an eager-to-follow-bad-examples
Brazilian company, Locaweb, and its paid web-based e-mail service,
Locamail.
The worst case to be analyzed implies using the combination "<>"
without quotation marks, to delimit some information. The referred
services' handling for those characters can cause users' data to be
lost.
Readers will be able to test it, easily, at least on Google's services.

In opposition to the once vulnerable Google Documents, which was used
to accept html tags, Google Calendar, Orkut and Locamail simply
discard anything which might resemble a tag. Their input analysis is
like:

"Oh, did you see that less-than character and that other greater-than,
ten lines below? Trim'em. Oh, wait! I just had a better idea. Delete
them and all the content they enclose as well. I'm one helluva
genius!"

What is worst? A cross-site scripting attack or an "Extreme
Programming" team deploying such simple anti-XSS mechanisms?

Why spending time writing cautious lexical analysis algorithms? Why
struggle seeking and/or trying to forecast specific hazardous strings?
Is it laziness? Perhaps Google doesn't have processing grid guts for such:

http://blog.managednetworks.co.uk/it-support/googles-20-petabytes/

Not yet.
At least for Google, it seems like some sort of indolence-guided
programming technique, indeed.

Specifically on Google Calendar, now. It has two basic views. A broad
view of one's schedule and an event-specific view. The latter is where
one goes for inputting, say, a meeting's prior points to be discussed.
Let's start with its lighter problems. Incoherent functions/methods.
When one's in there, scheduling something means creating an "Event".
By the time one creates an "Event", he's given the option to name that
"Event", like a reminder which will appear in the broader view. If
that event's name finishes with a semicolon, this character's simply
trimmed. Hey! That's bad for a start, isn't that?
The incoherency comes with the algorithm which edits an already created "Event".

PoC-1: creating an "Event" and editing the "What" field
When creating an "Event", if one writes something to the "What:" field
and finishes his writing with a semicolon, this last character will
disappear by the time the "Create Event" button is activated.

Example:

  know your enemy;

becomes

  know your enemy

then, the event is already created, the semicolon is lost and if one
corrects (edits) it, adding the disappeared semicolon again in the
"What" field, and saves it:

  know your enemy;

there you go, incoherent XP; this time the semicolon remains intact.

Well, let's go for it. The worst case.

PoC-2: "less-than" and "greater-than" delimiting information
Though, let's continue playing in this very same situation.
Suppose one encloses his Event's name between less‑than and
greater‑than characters:

  

This time, clicking the "Save" button is going to send them all to
hell. All is lost.

In the "event-specific" view, there's this "Description" field for one
to put associated details. It's really nice to emphasize Google
Calendar's behavior when a user saves that sort of content in the
specific view. By the time he clicks the "Save" button, the web app
automatically switches for the "broad" view, stating that the user's
stuff was saved:

"Your event was updated."


Everything looks pretty fine.
Bad Google! That is so nasty because as matter of f
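Added example (not code from the post, nor from any of the services it names): a Python model of the input handling the post describes, with constructed sample field values. `lazy_filter` reproduces the complained-about behaviour (every tag-like span is deleted together with the content it encloses, and a trailing semicolon is trimmed on creation but not on edit), while `store_and_render` keeps the field verbatim and only HTML-escapes it at output time, which preserves the user's data and still neutralises markup.

```python
import html
import re

# Constructed sample field values, modelled on the PoCs in the post above.
SAMPLE_FIELDS = [
    "know your enemy;",                   # PoC-1: trailing semicolon
    "<meeting agenda>",                   # PoC-2: name delimited by < and >
    "call Bob <before noon> re: budget",  # legitimate use of angle brackets
    "<script>alert(1)</script>",          # the one case the filter was written for
]

# Anything that starts with '<' and runs to the next '>' is treated as a tag.
_TAG_LIKE = re.compile(r"<[^>]*>", re.DOTALL)


def lazy_filter(value: str, editing: bool = False) -> str:
    """Model of the input handling the post describes.

    Every tag-like span is deleted together with the content it encloses.
    On creation a trailing semicolon is trimmed as well; on edit it is kept,
    which is the incoherence PoC-1 points out. Legitimate user data
    disappears along with the markup."""
    without_tags = _TAG_LIKE.sub("", value)
    if editing:
        return without_tags
    return without_tags.rstrip(";")


def store_and_render(value: str) -> tuple[str, str]:
    """Store the field verbatim and neutralise markup only at output time.

    Returns (stored_value, rendered_html). Escaping happens at the rendering
    boundary, so '<meeting agenda>' survives in storage and is shown
    literally on the page instead of being interpreted as a tag."""
    stored = value
    rendered = html.escape(stored, quote=True)
    return stored, rendered


def data_loss_report(values: list[str]) -> list[tuple[str, str, bool]]:
    """Run the lazy filter over each value and flag the ones it mutated.

    This is the check to run against an input filter before shipping it:
    any legitimate value that comes back changed is user data lost."""
    report = []
    for original in values:
        filtered = lazy_filter(original)
        report.append((original, filtered, filtered != original))
    return report


if __name__ == "__main__":
    for original, filtered, lost in data_loss_report(SAMPLE_FIELDS):
        print(f"{original!r:38} -> {filtered!r:26} lost={lost}")
    print("escape-on-output:", store_and_render("<meeting agenda>")[1])
```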

[Full-disclosure] Brazil's weirdest infosec aspects: "your private key is officially theirs"

2008-10-01 Thread M . B . Jr .
Greetings,

Locaweb is the name of the most prominent web hosting organization in
Brazil. It was founded in 1998 and hosts more than 260 thousand
domains today, according to its main website:

http://www.locaweb.com.br/

Unfortunately, not big enough to respect its customers.
Locaweb seems to be confusing two concepts, the so called "cloud
computing" and "privacy".
This is about its e-mail outsourcing service, named Locamail, which
offers a web based access option, with lots of features. Some are
useful. One of them, though, acts really strangely. It's this
key-generation-capable, weird PGP module. The target of this text.

The whole thing is simple to depict:
by the time one generates a key pair, surprise! One only receives a public key.
And as if not automatically providing its customers with their private
keys wasn't enough, if some of them happen to formally request their
account's private keys, Locaweb denies them, that is to say, one can
always use "its" web based private key for decrypting received
messages or signing his mail, but that key belongs to Locaweb. One
cannot read the private key he uses.

Such a horrifying situation clearly poses a threat to Locaweb's
customers' privacy. Thinking sensibly, there's no scenario in which a
"Private-Key-as-a-Service" model would be welcome.


Yours faithfully,



-- 
Marcio Barbado, Jr.

"In fact, companies that innovate on top of open standards are
advantaged because resources are freed up for higher-value work and
because market opportunities expand as the standards proliferate."
Scott Handy
Vice President Worldwide Linux and Open Source, IBM

This message and any file contained in it are confidential. "Whoever,
in violation of law or regulation, exhibits an autograph or any
document or file, divulges or communicates, reports or captures,
transmits to another or uses the content, summary, meaning,
interpretation, indication or effect of any communication addressed to
a third party commits the crime of violation of telecommunications."
(Article 56 of Law n.º 4.117 of August 27, 1962, applicable to
telecommunications crimes under art. 215, I, of Law 9.472/97).



Re: [Full-disclosure] THC releases video and tool to create fake ePassports

2008-10-01 Thread M . B . Jr .
Moreover, using a CA would not constitute any good solution.
Check out Schneier's blog entry on this:

http://www.schneier.com/blog/archives/2008/09/how_to_clone_an.html



[]s



On 10/1/08, Ed Carp <[EMAIL PROTECTED]> wrote:
> On Tue, Sep 30, 2008 at 11:50 PM, Tonnerre Lombard
> <[EMAIL PROTECTED]> wrote:
>
> > Please remind me, which electronic attribute tags an ePassport as
> > diplomatic if no diplomatic ePassports exist?
>
> I'm sorry, but you don't have the appropriate security clearance for
> me to tell you, nor do you have a demonstrated need-to-know.  The
> diplomatic version exists, all right, but I can't tell you which bits
> to set in the header to flag it as such - again, that's classified.
>
>


-- 
Marcio Barbado, Jr.



Re: [Full-disclosure] To disclose or not to disclose

2008-09-28 Thread M . B . Jr .
Hello simon,


On 9/27/08, Simon Smith <[EMAIL PROTECTED]> wrote:
> What should the security company do?


There is no drive-thru, general answer for such.
It depends on the guidelines and "philosophies" each company
previously established for itself to follow. And more importantly, it
depends on each signed contract/NDA.

You see, previous stuff means something in the commercial world, huh...?




Best regards,




-- 
Marcio Barbado, Jr.



Re: [Full-disclosure] Dietmar Haßelkus is out of the office

2008-09-17 Thread M . B . Jr .
Cool, let's horse around with some social engineering techniques
applied to Dietmar's help desk staff.
LOL



On Wed, Sep 17, 2008 at 11:38 AM, Razi Shaban <[EMAIL PROTECTED]> wrote:
> On Wed, Sep 17, 2008 at 6:01 AM, Dietmar Haßelkus
> <[EMAIL PROTECTED]> wrote:
>>
>> I will be out of the office starting  16.09.2008 and will not return until
>> 20.10.2008.
>>
>
>
> Burn in hell.
>
>



-- 
Marcio Barbado, Jr.



Re: [Full-disclosure] Google Chrome Browser Vulnerability

2008-09-05 Thread M . B . Jr .
Well, "things" keep happening to Safari as a matter of fact.


On 9/3/08, James Matthews <[EMAIL PROTECTED]> wrote:
> The same thing happened to safari when it came out on windows.
>
>
> On Tue, Sep 2, 2008 at 5:13 PM, Larry Seltzer <[EMAIL PROTECTED]>
> wrote:
>
> > Holy crap, a crash bug in a beta browser!
> >
> > Larry Seltzer
> > eWEEK.com Security Center Editor
> > http://security.eweek.com/
> > http://blogs.pcmag.com/securitywatch/
> > Contributing Editor, PC Magazine
> > [EMAIL PROTECTED]
> >
> >
> >
> >
> >
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On
> Behalf Of Rishi
> > Narang
> > Sent: Tuesday, September 02, 2008 7:51 PM
> > To: full-disclosure@lists.grok.org.uk
> > Subject: [Full-disclosure] Google Chrome Browser Vulnerability
> >
> > Hi,
> >
> > ---
> > Software:
> > Google Chrome Browser 0.2.149.27
> >
> > Tested:
> > Windows XP Professional SP3
> >
> > Result:
> > Google Chrome Crashes with All Tabs
> >
> > Problem:
> > An issue exists in how chrome behaves with undefined-handlers in
> > chrome.dll version 0.2.149.27. A crash can result without user
> > interaction. When a user is made to visit a malicious link, which has an
> > undefined handler followed by a 'special' character, the chrome crashes
> > with a Google Chrome message window "Whoa! Google Chrome has crashed.
> > Restart now?". It fails in dealing with the POP EBP instruction when
> > pointed out by the EIP register at 0x01002FF4.
> >
> > Proof of Concept:
> > http://evilfingers.com/advisory/google_chrome_poc.php
> >
> > Credit:
> > Rishi Narang (psy.echo)
> > www.greyhat.in
> > www.evilfingers.com
> > ---
> >
> > --
> > Thanks & Regards,
> > Rishi Narang | Security Researcher
> > Founder, GREYHAT Insight
> > Key: 0x8D67A3A3 (www.greyhat.in/key.asc)
> > www.greyhat.in
> >
> > ... eschew obfuscation, espouse elucidation.
> >
> >
>
>
>
> --
> http://www.goldwatches.com/
>
>


-- 
Marcio Barbado, Jr.



Re: [Full-disclosure] ISO Standards

2008-08-28 Thread M . B . Jr .
On 8/26/08, Line Noise <[EMAIL PROTECTED]> wrote:
>  The B there stands for British, so there it is.

Some ISO's servers (from which downloads are done) are located in
Switzerland, Geneva specifically.


-- 
Marcio Barbado, Jr.



Re: [Full-disclosure] [NANOG] IOS rootkits

2008-05-21 Thread M . B . Jr .
Dear n3td3v, the person =)
I really appreciate your left wing point of view but you need to
understand one thing:

FD's a free list and all but it's not a blog.

Nothing personal,


On 5/17/08, n3td3v <[EMAIL PROTECTED]> wrote:
> On Sat, May 17, 2008 at 7:38 PM, n3td3v <[EMAIL PROTECTED]> wrote:
>  > -- Forwarded message --
>  > From: n3td3v <[EMAIL PROTECTED]>
>  > Date: Sat, May 17, 2008 at 12:08 PM
>  > Subject: Re: [NANOG] IOS rootkits
>  > To: [EMAIL PROTECTED]
>  >
>  >
>  > On Sat, May 17, 2008 at 11:12 AM, Suresh Ramasubramanian
>  > <[EMAIL PROTECTED]> wrote:
>  >> On Sat, May 17, 2008 at 12:47 PM, Matthew Moyle-Croft
>  >> <[EMAIL PROTECTED]> wrote:
>  >>> If the way of running this isn't out in the wild and it's actually
>  >>> dangerous then a pox on anyone who releases it, especially to gain
>  >>> publicity at the expensive of network operators sleep and well being.
>  >>> May you never find a reliable route ever again.
>  >>
>  >> This needs fixing. It doesn't need publicity at security conferences
>  >> till after cisco gets presented this stuff first and asked to release
>  >> an emergency patch.
>  >
>  > Agreed,
>  >
>  > You've got to remember though that a security conference is a
>  > commercial venture, it makes business sense for this to be publicly
>  > announced at this security conference.
>  >
>  > I think security conferences have become something that sucks as it's
>  > all become money making oriented and the people who run these things
>  > don't really have security in mind, just the £ signs reflecting on
>  > their eye balls.
>  >
>  >> --srs
>  >> --
>  >> Suresh Ramasubramanian ([EMAIL PROTECTED])
>  >>
>  >
>  > All the best,
>  >
>  > n3td3v
>  >
>
>
> Full-Disclosure,
>
>  I fully believe British Intelligence are the best in the world and
>  that they will pull the plug on this presentation without hesitation
>  before it gets to go ahead.
>
>  I don't see anyone disagreeing how wrong it is for this presentation
>  to go ahead as a business decision.
>
>  I know the national security boys at MI5 are listening, so I suggest
>  this gets priority and this presentation doesn't go ahead.
>
>  What I want is a high profile pulling the plug of this presentation to
>  act as a deterrent to any other security conferences across the world
>  who think they are going to capitalise through high risk
>  vulnerabilities as this one is.
>
>  I want UK government officials to walk on stage as this presentation
>  is about to start, in front of the media, in front of everybody,
>  including the money makers who thought they were going to use this
>  presentation as a way to sell tickets and make money and put UK
>  national security at risk.
>
>  I don't want a behind the scenes pulling the plug of this
>  presentation, I want it to be high profile, in front of the world's
>  media to show that in Britain we don't fuck about with crappy security
>  conferences trying to become rich by getting high risk talkers to come
>  to their security conference to guarantee a sell out and thousands of
>  pounds made, at a cost to UK national security.
>
>  I will be talking with my private contacts to try and get this to
>  happen, as many of you know I already had a grudge with EUSecWest
>  spamming the mailing lists, instead of buying advertisement banners on
>  websites, so the announcement of an IOS rootkit presentation is the
>  final insult to injury, and the UK national security boys are likely
>  to pull the plug on this without hesitation to make an example to
>  these security conference owners to say that national security comes
>  before profit and how dare you try to profit and not give a shit
>  about the consequences of this presentation.
>
>  Trust me and mark my words EUSecWest, you upset a lot of people
>  spamming the mailing lists, this is just the worst possible thing you
>  could have done to keep people on side, you've lost any respect I may
>  have had for your conference and I guarantee UK government officials
>  will pull the plug on your business venture of a security conference.
>
>  Blackhat conference with Michael Lynn was under the control of the
>  American authorities and they were light weight in response to what
>  was going on, trust me, the British authorities will be coming down a
>  lot tougher and won't be thinking twice about pulling this
>  presentation, but will do it on a grand scale in front of the media, to
>  send a clear signal that these security conferences and their money
>  making agenda isn't going to get in the way of our national security.
>
>  This is a subject I feel strongly and passionate about because if this
>  presentation went ahead it would fuck up a lot of ISPs and would put
>  national security at risk.
>
>  If the British authorities don't pull the plug on this presentation you
>  will have let your country down and let your British taxpayers down
>  who fund MI5 in the first place.
>
>  And its not just me saying th

Re: [Full-disclosure] HD Moore

2008-05-05 Thread M . B . Jr .
LOL just get back to work, will ya.

boy, who needs damn commercial comedy? I was supposed to be studying
your stuff but I can't help laughing like a maniac LOL

On 5/2/08, reepex <[EMAIL PROTECTED]> wrote:
> no one cares what a CISSP has to say
>
>
> On Fri, May 2, 2008 at 9:44 PM, John C. A. Bambenek, GCIH, CISSP <[EMAIL PROTECTED]> wrote:
>
>
>
> ___
>  Full-Disclosure - We believe in it.
>  Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>  Hosted and sponsored by Secunia - http://secunia.com/
>



-- 
Marcio Barbado, Jr.



Re: [Full-disclosure] Free Iraq

2008-03-28 Thread M . B . Jr .
Throwaway1,
now that your first argumentative pillar succumbed, you dastardly hide
yourself behind false interpretations on Resolutions 1441 and 687. Not
to mention your silly move, approaching Resolution 678 to the former
ones.

Convenient and biased interpretations! That's what your law
understanding seems to be all about.

That's it, study:
http://www.un.org/Docs/sc/unsc_functions.html

Let's try not to post off-topic (though relevant) stuff here anymore.


Kofi Annan sent you his best regards,




On Thu, Mar 27, 2008 at 9:48 PM, [EMAIL PROTECTED]
<[EMAIL PROTECTED]> wrote:
>
>
> > On Wed, Mar 27, 2008 at 3:56 PM, M.B. Jr. wrote:
> >
> >there is absolutely no sense in evoking 1990's UN-authorized action...
> >
> >
>
> You can stop right there M.B.
> You claim there was no sense in evoking [sic] the UN's authorization of
> 1990?
>
> That you appear to not understand what the words "Cease Fire" means is your
> problem, not mine. Saddam had obligations and failed to meet them. Period.
>
> Neither your understanding nor your approval is required.
>
> ==
>
> > On Wed, Mar 27, 2008 at 3:08 PM, "security concern"  wrote:
> >
> > Sorry to inject some real truth here, guys.
> >...the then UN Secretary General, Mr. Kofi Annan (referring to the 2003
> Iraq invasion) >termed the invasion 'illegal'.
> >
>
> Two points:
> a) It's been my experience that people who claim to be speaking "real
> truth" are generally as full of crap as a Christmas Goose. It's almost as
> cliched and ridiculous as "speaking truth to power".
> b) The notion that you would hold forth a man who was up to his neck in the
> United Nations "Oil for Food" scandal as an arbiter of legality is absurd
> to the point of surrealism. MC Escher himself would feel compelled to roll
> his eyes and say; "Niggah Please".
>
>
> 
>
>
>
>
>
>



-- 
Marcio Barbado, Jr.



Re: [Full-disclosure] Free Iraq

2008-03-27 Thread M . B . Jr .
Throwaway1,

there is absolutely no sense in evoking 1990's UN-authorized action
to justify 2003's UN's-Security-Council-unauthorized-and-illegal invasion.
Your childish reasoning is no more than a poor attempt at sophistic
argumentation.


Yours sincerely,



On 3/26/08, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> ===
>
>  On Wed, Mar 26, 2008 at 3:55 PM, net-dummy wrote:
>
>  >
>  >Iraq is an invaded country, and America has no right to be there at all.
>  >
>
>  Actually, dummy...
>  The Iraqi invasion of Kuwait in August of 1990 led to a United Nations
>  authorization to remove Saddam's forces from Kuwait. This military action
>  was carried mainly by the Americans for entirely practical reasons. The
>  United Nations halted hostilities and declared that a ceasefire would be in
>  effect as long as Saddam cooperated fully with United Nations Inspectors
>  who were looking for an extensive list of banned weapons, which included
>  but was by no means limited to; chemical, biological and
>  nuclear/radiological weapons.
>  After over a decade of continual failure to cooperate, the American
>  political leadership decided that they could no longer take the same
>  patient approach that they had taken for the previous 12 years; and resumed
>  hostilities. After invading Iraq and removing Saddam, American forces
>  searched for the aforementioned list of banned weapons, and while they
>  found most of them they did not find stockpiles of weaponized biologicals,
>  final stage chemicals or nuclear/radiologicals. Whether you believe this is
>  because Saddam didn't possess them at the time of the invasion or that he
>  simply did a better job of hiding them than the Americans did of looking
>  for them doesn't change the facts. Nor does your opinion of the current
>  American administration or your opinion of their actions.
>
>  However, the most disturbing part of your post was not that you
>  demonstrated your ignorance once again... That is basically; your job here.
>
>  No, the disturbing part of your asinine post was that you made Saddam's
>  murderous Ba'athist thugs the moral equivalent of the Free Tibetan People.
>
>  THAT needed to be answered, or I would have ignored this post as I
>  ordinarily do to ALL of your posts.
>
>  
>
>  
>
>
>



-- 
Marcio Barbado, Jr.



Re: [Full-disclosure] Diceware method adoption - brute force me if you dare

2008-03-12 Thread M . B . Jr .
jf,

if your analogy was somehow decent, it would consider the police
giving citizens some shotguns since the Diceware dictionary is freely
available for download.




On Wed, Mar 12, 2008 at 11:49 PM, jf <[EMAIL PROTECTED]> wrote:
> police officers (in the states) wear bullet proof vests because there is a
>  high probability of them getting shot/shot at, do you think that somehow 
> makes it legal?
>
>
>  On Wed, 12 Mar 2008, M.B.Jr. wrote:
>
>  > Date: Wed, 12 Mar 2008 16:15:56 -0300
>  > From: M.B.Jr. <[EMAIL PROTECTED]>
>  > To: Full-Disclosure mailing list 
>  > Subject: [Full-disclosure] Diceware method adoption - brute force me if you
>  > dare
>
>
> >
>  > Dear list,
>  > I was studying this passphrase creation method called Diceware:
>  >
>  > http://world.std.com/~reinhold/diceware.html
>  >
>  > In it, one rolls a common die five times, writes down the results in
>  > a sequential manner, and then checks the suggested word in the
>  > DICTIONARY they provide.
>  > You got that? The method is supposed to give the user the words to use.
>  >  Say your results were "5;6;1;5;3", then you check their table and the
>  > word listed under that number sequence is "sus"; well, that's the
>  > (pretty short) word to use in your passphrase.
>  > A 46,656 (6^6) word dictionary, publicly available. The method is
>  > clearly one bad choice for password creation but it's fairly
>  > acceptable for obtaining passphrases and concerning the latter, it
>  > assumes that eventual attackers know the referred dictionary, however
>  > offering a low guessing probability (high information entropy) for
>  > passphrases.
>  >
>  > Despite the "rite of passage" idea in which the target stops trying to
>  > hide and starts expecting attacks as a certainty, my point here is
>  > legal.
>  > Doesn't adopting the Diceware method in a, say, government corporative
>  > environment mean legalizing brute force attacks?
>  >
>  > Yours faithfully,
>  >
>  >
>  >
>  >
>



-- 
Marcio Barbado, Jr.

"In fact, companies that innovate on top of open standards are
advantaged because resources are freed up for higher-value work and
because market opportunities expand as the standards proliferate."
Scott Handy
Vice President Worldwide Linux and Open Source, IBM



[Full-disclosure] Diceware method adoption - brute force me if you dare

2008-03-12 Thread M . B . Jr .
Dear list,
I was studying this passphrase creation method called Diceware:

http://world.std.com/~reinhold/diceware.html

In it, one rolls a common die five times, writes down the results in
a sequential manner, and then checks the suggested word in the
DICTIONARY they provide.
You got that? The method is supposed to give the user the words to use.
 Say your results were "5;6;1;5;3", then you check their table and the
word listed under that number sequence is "sus"; well, that's the
(pretty short) word to use in your passphrase.
A 46,656 (6^6) word dictionary, publicly available. The method is
clearly one bad choice for password creation but it's fairly
acceptable for obtaining passphrases and concerning the latter, it
assumes that eventual attackers know the referred dictionary, however
offering a low guessing probability (high information entropy) for
passphrases.

Despite the "rite of passage" idea in which the target stops trying to
hide and starts expecting attacks as a certainty, my point here is
legal.
Doesn't adopting the Diceware method in a, say, government corporative
environment mean legalizing brute force attacks?

Yours faithfully,



-- 
Marcio Barbado, Jr.

"In fact, companies that innovate on top of open standards are
advantaged because resources are freed up for higher-value work and
because market opportunities expand as the standards proliferate."
Scott Handy
Vice President Worldwide Linux and Open Source, IBM

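The Diceware procedure described in the post above, as an added example that is not part of the post or of the Diceware page. It assumes a list of 6^5 = 7776 entries (the number of distinct five-roll outcomes) and builds a synthetic word list in code rather than downloading the real one; the words are placeholders, except that "56153" is mapped to "sus" to match the post's example. The functions `lookup`, `roll_word`, `generate_passphrase`, `entropy_bits` and `expected_guesses` are this example's own names. The point it makes is the one the post raises and then doubts: the strength of a Diceware passphrase does not depend on the list being secret, only on the selection being uniformly random and long enough.

```python
import math
import re
import secrets

# Diceware parameters: five rolls of a six-sided die index one word, so a
# complete list has 6**5 = 7776 entries.
DICE_SIDES = 6
ROLLS_PER_WORD = 5
LIST_SIZE = DICE_SIDES ** ROLLS_PER_WORD
KEY_RE = re.compile(r"^[1-6]{5}$")


def build_synthetic_wordlist():
    """Constructed stand-in for the public Diceware list (hypothetical words).

    Every key "11111".."66666" maps to a placeholder word so the block runs
    offline; "56153" maps to "sus" because that is the example in the post.
    """
    words = {}
    for i in range(LIST_SIZE):
        digits = []
        n = i
        for _ in range(ROLLS_PER_WORD):
            digits.append(str(n % DICE_SIDES + 1))
            n //= DICE_SIDES
        key = "".join(reversed(digits))
        words[key] = "w" + key
    words["56153"] = "sus"
    return words


def lookup(wordlist, rolls):
    """Map a roll record such as "5;6;1;5;3" to its word.

    Rejects anything that is not exactly five digits in 1..6, so a typo in the
    recorded rolls is caught instead of silently yielding a different word.
    """
    key = rolls.replace(";", "").replace(" ", "")
    if not KEY_RE.match(key):
        raise ValueError("roll record must be five digits in 1..6: %r" % rolls)
    return wordlist[key]


def roll_word(wordlist):
    """Pick one word with a CSPRNG, i.e. an unbiased electronic die."""
    key = "".join(str(secrets.randbelow(DICE_SIDES) + 1)
                  for _ in range(ROLLS_PER_WORD))
    return key, wordlist[key]


def generate_passphrase(wordlist, num_words):
    """Passphrase of num_words independently and uniformly chosen words."""
    return " ".join(roll_word(wordlist)[1] for _ in range(num_words))


def entropy_bits(num_words, list_size=LIST_SIZE):
    """Entropy of a uniformly chosen passphrase: num_words * log2(list_size).

    The list being public does not reduce this; the secret is which entries
    were selected, not the dictionary itself.
    """
    return num_words * math.log2(list_size)


def expected_guesses(num_words, list_size=LIST_SIZE):
    """Average guesses needed by someone who knows the list and the word
    count: half the keyspace, which is what the public list costs, i.e. nothing."""
    return list_size ** num_words // 2


if __name__ == "__main__":
    wl = build_synthetic_wordlist()
    print(lookup(wl, "5;6;1;5;3"))
    print(generate_passphrase(wl, 6))
    print("%.1f bits, ~%.2e guesses" % (entropy_bits(6), expected_guesses(6)))
```

Six words give about 77.5 bits; the figure is the same whether or not the attacker has the list, which is why a published dictionary does not "legalize" anything about guessing: it only removes the false comfort of an obscure word source.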


Re: [Full-disclosure] [FDSA] Notepad Highly Critical Cross-Site Scripting (XSS) Vulnerability

2008-01-17 Thread M . B . Jr .
Guess Fredrick's sarcastic and cynical suggestion is:

xss-like menaces seem as unstoppable as this web-slavery the industry imposes.

Well, if so, I agree.



On 1/17/08, BlackHawk <[EMAIL PROTECTED]> wrote:
> > ==
> > 4) Fix
> > ==
>
> > Notepad should be rewritten to filter potentially dangerous
> > characters. Characters can be converted to their html encoded
> > equivalents.
>
> translated: you CAN'T write pages in HTML with any program..
>
> >Fredrick Diggle Security Services is probably the best application
> >security researchers on the scene this month. They have identified
> >several hundred thousand vulnerabilities this week[..]
>
> i think you must read this: 
> http://www.amazon.com/PCs-Dummies-Quick-Reference-Gookin/dp/0764507222
>
>
> --
> Best regards,
>  BlackHawkmailto:[EMAIL PROTECTED]
>
>


-- 
Marcio Barbado, Jr.



Re: [Full-disclosure] [FDSA] Notepad Highly Critical Cross-Site Scripting (XSS) Vulnerability

2008-01-17 Thread M . B . Jr .
No,
that "fuel on the fire" was so inopportune.

A default browser setting matter, Nate.
Other programs also open it up, when set to default.


On 1/17/08, Nate McFeters <[EMAIL PROTECTED]> wrote:
> Not to throw fuel on the fire, but wouldn't that XSS actually be in IE,
> since IE is what opens the file?  Could've been a funny joke though, a real
> knee slapper.
>
> Nate
>
>
> On 1/17/08, Fredrick Diggle <[EMAIL PROTECTED]> wrote:
> >
> ###
> >
> > Fredrick Diggle Security
> Advisory
> >
> > Application: Notepad
> > Versions: 5.1.2600.2180 verified to be vulnerable
> > Platforms: Microsoft Windows (All Versions)
> > Bugs: Cross Site Scripting (XSS)
> > Severity: Critically High
> > Date: 17 Jan 2008
> > Credit: Estr Hinan
> >
> >
> ###
> >
> > 1) Introduction
> > 2) Bugs
> > 4) Fix
> >
> >
> ###
> >
> > ===
> > 1) Introduction
> > ===
> >
> > Fredrick Diggle Security Services is probably the best application
> > security researchers on the scene this month. They have identified
> > several hundred thousand vulnerabilities this week for which Priv8
> > 0dayz have been developed. Fredrick Diggle Security Team periodically
> > releases several of these vulnerabilities to the community at large
> > (Pre Vendor Release). Fred Diggle would like to ensure that you
> > understand this is 0DAY!!!. The vendors are completely unaware of these
> > vulnerabilities.
> >
> >
> ###
> >
> > ===
> > 2) Bug
> > ===
> >
> > Notepad is a utility which is built into all current versions of
> > Microsoft Windows. Notepad contains a highly exploitable stored
> > cross-site scripting vulnerability when files are saved with the
> > following extensions:
> >
> > htm
> > html
> >
> > Other extensions may also be vulnerable in your environment depending
> > on configuration. When arbitrary javascript code is entered into the
> > notepad text window and saved using one of the vulnerable extensions a
> > payload file is created. When an innocent user opens this payload file
> > cross-site scripting occurs.
> >
> >
> ###
> >
> > ===
> > 3) Proof of Concept
> > ===
> >
> > 1. Open Notepad
> > 2. Enter the following text
> > alert("xss");
> > 3. Save file as "exploit.html"
> > 4. double click the payload file
> >
> >
> ###
> >
> > ==
> > 4) Fix
> > ==
> >
> > Notepad should be rewritten to filter potentially dangerous
> > characters. Characters can be converted to their html encoded
> > equivalents.
> >
> >
> ###
> >
> >
>
>
>


-- 
Marcio Barbado, Jr.



Re: [Full-disclosure] Google / GMail bug, all accounts vulnerable

2007-12-07 Thread M . B . Jr .
Wouldn't it be more beneficial (and maybe ethical as well) if one could just
start putting PoCs or whatever inside the message's body?


On 12/7/07, Aaron Katz <[EMAIL PROTECTED]> wrote:
>
> Could you please explain the vulnerability?  When I test, and I submit
> a correct response to the CAPTCHA, I'm presented with knowledge based
> authentication.
>
> --
> Aaron
>
> On Dec 7, 2007 1:58 AM, Kristian Erik Hermansen
> <[EMAIL PROTECTED]> wrote:
> > Proof of concept here...
> > http://www.kristian-hermansen.com
> > --
> > Kristian Erik Hermansen
> > "I have no special talent. I am only passionately curious."
> >
> >
>
>



-- 
Marcio Barbado, Jr.

Re: [Full-disclosure] Someone is impersonating Gadi Evron and spamming this list

2007-10-20 Thread M . B . Jr .
whats up with this goddam Vitale-moron?!
"... I don't have time for that shit!..." (Trinity'd say)
muthafuckin-captain-obvious cryin baby!

On 10/20/07, phioust <[EMAIL PROTECTED]> wrote:
> which replies of mine have been uneducated or nasty? after i see a list of
> these and proof of their nastiness i will apologize
>
> On 10/20/07, Anthony V. Vitale <[EMAIL PROTECTED]> wrote:
> > On Sat, 20 Oct 2007 20:29:38 -0500, you wrote:
> >
> > Actually, I will stop when you grow up and say you are sorry for your
> > rather  nasty, uneducated replies
> >
> >
> > >Please stop harassing me in private emails. If you have something to say
> you
> > >can tell the whole list.
> > >
> > >On 10/20/07, Anthony V. Vitale <[EMAIL PROTECTED]> wrote:
> > >>
> > >> On Sat, 20 Oct 2007 20:11:50 -0500, you wrote:
> > >>
> > >> In addition to learning to spell correctly, you should also learn to
> > >> read
> > >>
> > >> My response was to you personally and not to the list.
> > >>
> > >> Grow up. Shut up.
> > >>
> > >> >you are still spamming the list with non-security related topics
> > >> >
> > >> >On 10/20/07, Anthony V. Vitale <[EMAIL PROTECTED] > wrote:
> > >> >>
> > >> >> On Sat, 20 Oct 2007 19:37:52 -0500, you wrote:
> > >> >>
> > >> >> First  - learn to spell correctly.
> > >> >> Then you may continue with your stupid comments.
> > >> >>
> > >> >> >Anthony V. Vitale == captian obvious
> > >> >> >
> > >> >> >quit with your spam
> > >> >> >
> > >> >> >On 10/20/07, Anthony V. Vitale < [EMAIL PROTECTED]>
> wrote:
> > >> >> >>
> > >> >> >> Hello,
> > >> >> >>
> > >> >> >> >From past postings on this list, I know that there are people
> that
> > >> do
> > >> >> >> not like Mr. Evron.
> > >> >> >>
> > >> >> >> Now, it seems that someone has resorted to impersonating him and
> is
> > >> >> >> spamming this list!
> > >> >> >>
> > >> >> >> --
> > >> >> >> Anthony
> > >> >> >>
> > >> >> >>
> > >> >> >
> > >> >> >
> > >> >> >
> > >> >>
> > >> >
> > >> >
> > >> >
> > >>
> > >
> > >
> > >
> >
>
>
>


-- 
Marcio Barbado, Jr.



Re: [Full-disclosure] 0day: Hacking secured CITRIX from outside

2007-10-10 Thread M . B . Jr .
On 10/10/07, pdp (architect) <[EMAIL PROTECTED]> wrote:
>
> http://www.gnucitizen.org/blog/0day-hacking-secured-citrix-from-outside
>
> All an attacker needs to do to exploit the weakness is to lure
> a victim


no way!!! really?!


-- 
Marcio Barbado, Jr.

Re: [Full-disclosure] Core Impact 7.5 Web App pen-testing framework, as good as the hype?

2007-10-05 Thread M . B . Jr .
by the way,
you perform pentesting with non-transparent-code...
...
legally talking,
how the hell those professionals assure 100% trustable results?

get outta here...


On 10/5/07, Kristian Erik Hermansen <[EMAIL PROTECTED]> wrote:
> Has anyone upgraded to Core Impact 7.5 and utilized the web
> application pen-testing framework?  And if so, do you have any
> thoughts on it?  Good?  Bad?  Evil?  Not worth the hype?  Etc?  Any
> other vendors do it better?  Have any issues with large sites?  What
> makes it so special?  Any input is appreciated.  If you have questions
> about CI 7.x itself, I can give you some info from my experience with
> the product over the past three years as well if you would like to
> take the discussion offline and not flood this list...
> --
> Kristian Erik Hermansen
>
>


-- 
Marcio Barbado, Jr.
==
==

"In fact, companies that innovate on top of open standards are
advantaged because resources are freed up for higher-value work and
because market opportunities expand as the standards proliferate."
Scott Handy
Vice President Worldwide Linux and Open Source, IBM



Re: [Full-disclosure] Month of Random Hashes: DAY THREE

2007-06-16 Thread M . B . Jr .

On 6/16/07, William Lefkovics <[EMAIL PROTECTED]> wrote:


I wish I knew more about it when I was younger living in
Vancouver.  Walking
downtown, shady looking characters would walk past and whisper under their
breath... "hash?"



well,
guess that sort of hash also produces confusing outputs aint that...?
=P

Now I understand...


Seriously, thanks for the FAQ'n explanation.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Friday, June 15, 2007 1:57 PM
To: M.B.Jr.
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Month of Random Hashes: DAY THREE

On Fri, 15 Jun 2007 16:59:01 -0300, "M.B.Jr." said:
> but only one string can produce that md5 hash signature, that sha1
> hash signature, fucking that sha256 hash signature, fucking that
>  hash signature, etc...

Nope.  There's an infinite number of strings that would produce the same
MD5/sha1/sha256/whatever hash.  The interesting point about such hashes is
that although given a particular string A, we can *easily* compute the hash H.
However, knowing H, we don't have a good way to recover A, nor do we have
any easy way to compute a *second* string B that hashes to H.

So, given a hash H, we know one of 3 things is true:

1) The person we got H from has A, and easily computed H.
2) The person doesn't have A, but does have either a way to use several
million CPU-years or a crypto breakthrough to compute some string B that
also hashes to H
3) The person just pulled a pseudo-random string of bits out of their ass,
called it H, and has as little clue about A and B as we do.

At the current time, (2) is believed to be impractical, and (3) fails the
instant the person actually has to produce A itself.  As a result, we can
usually presume that if they have a hash H, they've got the A it hashed from.

This becomes interesting if you want to prove that you have a prior claim on
something, without revealing the something (for instance, an advisory or PoC
for something while you're still working with a vendor about fixing it) -
you can (for instance) post the hash of it on May 1, release the
announcement on July 1, and when others dispute your claim you knew about it
on May 1, you can point to the hash from May 1, and show it's the same as
the hash of your July 1 announcement, and thus prove you knew about it back
on that date.







--
Marcio Barbado, Jr.
==
==
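The prior-claim scheme explained in the quoted reply (post H on May 1, reveal A on July 1), as an added example that is not part of the thread. It uses SHA-256 and departs from the bare-hash posting in one respect, labelled in the code: the commitment is over a random nonce plus the document, so that a short or guessable document cannot be confirmed from the posted hash alone. `Ledger` is a constructed stand-in for the public list archive, and `commit`, `verify` and `prove_prior_claim` are this example's own names. It also shows the quoted reply's case (3): a random string posted as "H" opens to nothing, so the claim fails the moment A has to be produced.

```python
import hashlib
import hmac
import secrets


def commit(document, nonce=None):
    """Commit to a document: returns (nonce, hex SHA-256 of nonce || document).

    The nonce is an addition to the bare-hash scheme from the thread: if the
    committed text is short or guessable (say a one-line advisory title), a
    bare hash lets anyone confirm a guess offline. 32 random bytes close that.
    """
    if nonce is None:
        nonce = secrets.token_bytes(32)
    digest = hashlib.sha256(nonce + document).hexdigest()
    return nonce, digest


def verify(document, nonce, commitment):
    """True if (document, nonce) opens the commitment; constant-time compare."""
    _, digest = commit(document, nonce)
    return hmac.compare_digest(digest, commitment)


class Ledger:
    """Public, append-only record of (date, commitment) pairs, standing in
    for the mailing-list archive in the thread. Constructed for this example."""

    def __init__(self):
        self.entries = []

    def post(self, day, commitment):
        # day is an ISO date string, so string comparison orders correctly
        self.entries.append((day, commitment))

    def earliest_date(self, commitment):
        dates = [d for d, c in self.entries if c == commitment]
        return min(dates) if dates else None


def prove_prior_claim(ledger, document, nonce, commitment):
    """Case (1) from the thread: the claimant reveals A (and the nonce); the
    ledger says when H was posted. Returns that date, or None if H does not
    open to this document or was never posted."""
    if not verify(document, nonce, commitment):
        return None
    return ledger.earliest_date(commitment)


if __name__ == "__main__":
    # Constructed sample: an advisory draft committed on May 1, revealed July 1.
    draft = b"Constructed advisory text: example-product 1.0 input validation flaw"
    nonce, h = commit(draft)
    ledger = Ledger()
    ledger.post("2007-05-01", h)
    print(prove_prior_claim(ledger, draft, nonce, h))   # 2007-05-01
    # Case (3): a random string posted as "H" opens to nothing.
    bogus = secrets.token_hex(32)
    ledger.post("2007-05-02", bogus)
    print(prove_prior_claim(ledger, draft, nonce, bogus))   # None
```

The nonce has to be kept with the draft and revealed alongside it; losing it makes the commitment unverifiable, which is the same failure as losing A.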

Re: [Full-disclosure] Month of Random Hashes: DAY THREE

2007-06-15 Thread M . B . Jr .

damn man,
you complicate it so much.

right now,
Deepan is more confused than before.
like,
"Hey Deepan, in order to kill that mosquito we have this missile and..."

Math is simple,
and so must be the explanations surrounding it.

the thing is,
many different strings can result in the same, say md5 hash signature.

but only one string can produce that md5 hash signature,
that sha1 hash signature, fucking that sha256 hash signature, fucking that
 hash signature, etc...

On 6/14/07, Brian Dessent <[EMAIL PROTECTED]> wrote:


Dëêþàñ Çhäkrãvârthÿ wrote:
>
> I am not sure what  exactly people do with random hashes.  Do you people
> try to decrypt using rainbow table or anything similar to that ?
> Guys I am in the dark, please help me.

The original intent was that someone discovering a vuln would post the
hash of the POC to the list so that later when it was widely released
they could prove the point in time at which they found it.

Hashing is not encryption, so flush the notion of "decrypt a hash" from
your brain.  For any given hash there are an infinite number of inputs
that would result in that same output, though most of them are
meaningless strings of garbage of astronomical length.  In the case of
passwords since it is known that they are typically short in length and
have a limited set of characters it's sometimes possible to come up with
an input that is sensible, but for something like a POC of a
vulnerability it would be quite naive to think that you could ever
recover it in any reasonable amount of time.  That was never the intent
anyway; it was about proving who was first to discover something.

But seeing as this is FD and there has been a rash of "Month of Foo"
nonsense, I think someone is just taking the piss and further degrading
the already minuscule SNR of this list.  Unless a posted hash is
correlated to the release of some POC or other item of interest, it's
noise.






--
Marcio Barbado, Jr.
==
==

Re: [Full-disclosure] You shady bastards.

2007-06-08 Thread M . B . Jr .

cool,
HD Moore started a thread,

yeah, let's reply as much as we can!!!


On 6/6/07, Kradorex Xeron <[EMAIL PROTECTED]> wrote:


On Wednesday 06 June 2007 09:47, H D Moore wrote:
> Hello,
>
> Some friends and I were putting together a contact list for the folks
> attending the Defcon conference this year in Las Vegas. My friend sent
> out an email, with a large CC list, asking people to respond if they
> planned on attending. The email was addressed to quite a few people, with
> one of them being David Maynor. Unfortunately, his old SecureWorks
> address was used, not his current address with ErrattaSec.
>
> Since one of the messages sent to the group contained a URL to our phone
> numbers and names, I got paranoid and decided to determine whether
> SecureWorks was still reading email addressed to David Maynor. I sent an
> email to David's old SecureWorks address, with a subject line promising
> 0-day, and a link to a non-public URL on the metasploit.com web server
> (via SSL). Twelve hours later, someone from a Comcast cable modem in
> Atlanta tried to access the link, and this someone was (confirmed) not
> David. SecureWorks is based in Atlanta. All times are CDT.
>
> I sent the following message last night at 7:02pm.
>
> ---
> From: H D Moore 
> To: David Maynor 
> Subject: Zero-day I promised
> Date: Tue, 5 Jun 2007 19:02:11 -0500
> User-Agent: KMail/1.9.3
> MIME-Version: 1.0
> Content-Type: text/plain;
>   charset="us-ascii"
> Content-Transfer-Encoding: 7bit
> Content-Disposition: inline
> Message-Id: <200706051902.11544.hdm[at]metasploit.com>
> Status: RO
> X-Status: RSC
>
> https://metasploit.com/maynor.tar.gz
> ---
>
> Approximately 12 hours later, the following request shows up in my Apache
> log file. It looks like someone at SecureWorks is reading email addressed
> to David and tried to access the link I sent:
>
> 71.59.27.152 - - [05/Jun/2007:19:16:42 -0500] "GET /maynor.tar.gz
> HTTP/1.1" 404 211 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en)
> AppleWebKit/419 (KHTML, like Gecko) Safari/419.3"
>
> This address resolves to:
> c-71-59-27-152.hsd1.ga.comcast.net
>
> The whois information is just the standard Comcast block boilerplate.
>
> ---
>
> Is this illegal? I could see reading email addressed to him being within
> the bounds of the law, but it seems like trying to download the "0day"
> link crosses the line.
>
> Illegal or not, this is still pretty damned shady.
>
> Bastards.
>
> -HD

I will seldom touch on the legal side but I have a possible scenario:

-- If David is no longer at that address, it could be said that his mail
account was taken down and the mail sent ended up in a possible "catch all"
box, perhaps someone at SecureWorks was looking through the said catchall
mailbox for any interesting mail sent to the secureworks.com domain (i.e. to
old employees) - It's quite common for companies and organizations to monitor
former employee mailboxes in the event anyone that doesn't have any new
contact information to be able to still get somewhere with the old address.
And them being a security organization, maybe they proceeded to investigate
the link sent.


>






--
Marcio Barbado, Jr.
==
==
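The detection side of the quoted message, as an added example that is not code from the thread: a non-public URL is disclosed in exactly one message, and the web server log is watched for any request to it. The block parses Apache combined-format lines and raises an alert for each hit on a registered canary path. The sample log contains the request line quoted in the message plus two constructed benign lines; the canary path-to-label mapping, `parse_line` and `scan_for_canaries` are this example's own. A hit is significant whatever the status code: in the thread the file never existed and the request returned 404, which is exactly what a canary looks like.

```python
import re
from datetime import datetime

# Apache "combined" log format: ip ident user [time] "request" status size "referer" "ua"
APACHE_COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = APACHE_COMBINED.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def scan_for_canaries(lines, canaries):
    """Return one alert per request for a registered canary path.

    canaries maps a URL path that was only ever disclosed in a single message
    to a label identifying that message. Any request for it, regardless of
    status code, means the message was read and the link followed.
    """
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # ignore any query string so "/canary?x=1" still matches "/canary"
        label = canaries.get(rec["path"].split("?", 1)[0])
        if label is None:
            continue
        alerts.append({
            "label": label,
            "ip": rec["ip"],
            "time": rec["time"],
            "status": rec["status"],
            "ua": rec["ua"],
        })
    return alerts


# Sample input: the request quoted in the message plus two constructed benign
# lines. The canary label is constructed for this example.
SAMPLE_LOG = [
    '10.0.0.5 - - [05/Jun/2007:18:59:10 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '71.59.27.152 - - [05/Jun/2007:19:16:42 -0500] "GET /maynor.tar.gz HTTP/1.1" 404 211 "-" '
    '"Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/419 (KHTML, like Gecko) Safari/419.3"',
    '10.0.0.7 - - [06/Jun/2007:07:02:00 -0500] "GET /robots.txt HTTP/1.1" 200 68 "-" "curl/7.16"',
]
CANARIES = {"/maynor.tar.gz": "link sent only in the 2007-06-05 message to the old address"}


if __name__ == "__main__":
    for a in scan_for_canaries(SAMPLE_LOG, CANARIES):
        print("%s %s %d -> %s" % (a["time"].isoformat(), a["ip"], a["status"], a["label"]))
```

In practice each recipient or mailbox gets its own random path, so a hit identifies which copy of the message was read rather than just that one was.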

Re: [Full-disclosure] Blu-Ray key - Oh Nine, Efe Nine

2007-05-17 Thread M . B . Jr .
> DRM != security

and you are absolutely correct
because

cryptography == fun

0.01cts... your change, monsieur.

On 5/17/07, Guasconi Vincent <[EMAIL PROTECTED]> wrote:
> On 5/17/07, M. B. Jr. <[EMAIL PROTECTED]> wrote:
> > well,
> > since no one has mentioned it yet...
> >
> > here is the hex sequence 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88
> > C0, the already famous key for breaking HD-DVDs' Advanced Access Content
> > System and Blu-Ray as well, thanks to the Doom9 team.
>
> DRM != security
> and
> 64 bytes from marcio.barbado: icmp_seq=0 ttl=255 time= 4 months
>
> My 0.02cts.
> :)
>
> --
> Guasconi Vincent
> Etudiant.
> http://altmylife.blogspot.com
>


-- 
Marcio Barbado, Jr.


[Full-disclosure] Blu-Ray key - Oh Nine, Efe Nine

2007-05-16 Thread M . B . Jr .
well,
since no one has mentioned it yet...

here is the hex sequence 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88
C0, the already famous key for breaking HD-DVDs' Advanced Access Content
System and Blu-Ray as well, thanks to the Doom9 team.

no more workarounds...

whats DMCA again...?


-- 
Marcio Barbado, Jr.


Re: [Full-disclosure] March 2nd Chicago 2600/DefCon 312 Meeting Information

2007-03-03 Thread M . B . Jr .

haha, modern-day underground survivors!
viva Mr. Corley-Goldstein!

On 3/1/07, James Matthews <[EMAIL PROTECTED]> wrote:


Great, I cannot wait!

On 2/28/07, Steven McGrath <[EMAIL PROTECTED]> wrote:
>
> The March Chicago 2600 Meeting is near! The meeting will be Friday,
> March 2nd at the Neighborhood Boys and Girls Club and will feature much
> of the same usual fun that all of you have grown to expect!
>
> [Presentation Information]
> - 9:00pm - Hacklab: Current Progress (Maniac, et al.)
> - 10:00pm - How to build a public server (Maniac)
> - After hours - Wii, Music, Socializing, etc.
>
> [General Information]
> - Meeting Time: 7:00pm - Approx. 3-5am
> - Meeting Date: Friday, March 2nd
> - Place : 2501 W Irving Park Road, Chicago
> - More Info : http://chicago2600.net
>
--
http://www.goldwatches.com/watches.asp?Brand=39
http://www.wazoozle.com
--
Marcio Barbado, Jr.

Re: [Full-disclosure] phishing sites examples "source code"

2007-02-22 Thread M . B . Jr .

On 2/19/07, Juergen Fiedler <[EMAIL PROTECTED]> wrote:

> you can't readily get to the source
> code for the form action because it is done in some sort of server
> side scripting (CGI, PHP, ASP, whatever...) that can't readily be
> viewed from the client side.

Can't readily be viewed, BUT that part is sort of not-the-problem.

Those obvious server-side scripts Juergen mentioned would most probably
consist of an MVC-like design with persistence code storing the
collected data the simple way: in clear text... since those fine illegal
gentlemen ain't gathering someone's Internet banking passwords in order to
encipher them and protect them from this bloodthirsty world...

Thus, concerning traditional phishing sites, the code itself is not really
an issue.
Code starts being problematic from the moment potentially damaging load-time
scripts -- say, AJAX techniques -- spread.

> That said, I have run into one or two phishers who compromise a site
> (or create a throwaway site themselves), upload their scripts in a
> tarball, install them - and then leave the tarball around for
> posterity to analyze. I kid you not.
> Unfortunately, the only good way to get to that source code is by
> asking the administrator of a compromised site whether they found
> anything that they would be willing to share; going in and poking
> around yourself may put you into a legal position that you'd rather
> not be in.
>
> HTH,
> --j


--
Marcio Barbado, Jr.

Re: [Full-disclosure] phishing sites examples "source code"

2007-02-16 Thread M . B . Jr .

social-engineering-beggars...

On 2/16/07, Andres Riancho <[EMAIL PROTECTED]> wrote:

> Hi,
>
> For some research I'm doing I need a somewhat "big" (around 100 would be
> nice...) amount of phishing sites' HTML code. I have googled for them but I
> only get a lot of screenshots of those sites, not the actual code. Does anyone
> have an idea of where I could get those sites' HTML?
>
> Cheers,
> --
> Andres Riancho


Re: [Full-disclosure] Wikipedia and Pedophilia

2007-01-24 Thread M . B . Jr .
Summarizing, V Vendetta wrote:

> "do you have the time to listen to me whine about nothing and everything all 
> at once?"

Billy Joe?! Is that you?


On 1/24/07, endrazine <[EMAIL PROTECTED]> wrote:
> Could you please please move to alt.politics.personal.statements.on.drugs ?
-- 
Marcio Barbado, Jr.


Re: [Full-disclosure] [WEB SECURITY] Universal XSS with PDF files: highly dangerous

2007-01-08 Thread M . B . Jr .
On 1/3/07, Jim Manico <[EMAIL PROTECTED]> wrote:
> I'm most worried about the CSRF vector.

how come?

this is client-side stuff.

-- 
Marcio Barbado, Jr.


[Full-disclosure] The Month of Kernel Bugs (MoKB)

2006-11-07 Thread M . B . Jr .
Hello gentlemen, I'm new to the list.
Hope I can contribute and learn.

Just want to share this thing I'm studying right now.
It promises to be an interesting initiative from veteran researcher HD Moore, founder of Metasploit.
http://projects.info-pull.com/mokb/

Sort of didactic also.

// best regards
-- 
Marcio Barbado, Jr.