Re: [Full-disclosure] [OT] the nigger said: "American people understand that not everybody's been following the rules"
You're an idiot... "no offence intended"

On 7 October 2011 17:29, Georgi Guninski wrote:
> On Thu, Oct 06, 2011 at 06:31:46PM -0500, Elly_Tran_Ha wrote:
> > Racist posts like the one that started this thread give me the safe feeling
> > that we are winning the good fight.
> >
>
> you have misunderstood - the post wasn't racist.
> i am by no way a racist.
> the OP specifically wrote "no offence intended".
> being a non-native speaker if someone is offended about skin colour it is a
> language mistake of mine.
>
> --
> joro

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] [MOHSEP] Month Of Humorous Stefan Esser Photoshops - 0x07
Since by now everyone would have probably figured that there is one per day, surely anyone who is interested can just look themselves...

Or maybe you can only send an email if both these criteria are actually met:
1) Are actually humorous.
2) Are actually quality photoshops and not more accurately described as mspaintshops...

Based on the quick look I've had it's doubtful you'll need to send further emails.

On 8 August 2011 08:36, Herr E Balls wrote:
> Hi guys,
>
> Day seven of MOHSEP has been released along with some potentially exciting
> news.
>
> Link is here:
> http://mohsepblog.blogspot.com/2011/08/sunday-august-7th-2011.html
>
> Until tomorrow!
>
> Herr E Balls
Re: [Full-disclosure] Sony: No firewall and no patches
On 10 May 2011 15:07, Dobbins, Roland wrote:
> On May 10, 2011, at 6:03 AM, Thor (Hammer of God) wrote:
>
> > Maybe they should call that "You don't have to patch" genius!
>
> Stateful firewalls have no place in front of servers, where every incoming
> request is unsolicited, and therefore there is no state to inspect in the
> first place. Stateful firewalls in front of servers merely serve as DDoS
> chokepoints due to the large amount of unnecessary state they instantiate.
>

This statement is only true for unauthenticated services which are not dealing with financial information. Would you suggest a bank not protect their internet banking service with a firewall because a DDoS might take the service off line? Or would you tell them to use a firewall in conjunction with a specific upstream device, which may even be installed at the ISP end of the link, to deal with DDoS?

As Tracy mentioned, having a stateful firewall is useful to block outgoing traffic; using an ACL just doesn't cut it. If an attacker initiates a connection with a dest port higher than 2048 (to some other server the attacker controls) and a source port of 80, that will pass through an ACL without issues; this would not be so on a stateful firewall.

mod_security might be good practice to use in a layered approach... but if you're running old versions of Apache (like Sony were) then it's not hard for an attacker to control the memory space used by mod_security and allow all packets. If the webserver is owned, then it's owned; no controls implemented on that server can be trusted or relied on.

Pete
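As an added illustration of the ACL-versus-stateful-firewall point in the post above (example code, not from the thread): a toy model in which a port-based egress ACL waves through a server-initiated connection that chooses source port 80, while connection tracking rejects it because no inbound state matches. The addresses, ports, the `Packet` type and the 1023 cutoff (the post uses 2048; the argument is identical) are all constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    new_conn: bool  # True for a bare SYN, i.e. a connection attempt

# Stateless ACL in the spirit of "permit tcp any eq 80 any gt 1023":
# anything leaving from the web server's port 80 towards a high port is
# assumed to be a reply, because the ACL can only look at header fields.
def acl_allows_outbound(pkt: Packet) -> bool:
    return pkt.src_port == 80 and pkt.dst_port > 1023

class StatefulFirewall:
    """Remembers connections clients opened inbound to port 80; outbound
    packets are allowed only when they belong to one of them."""

    def __init__(self) -> None:
        self.table: set[tuple[str, int, str, int]] = set()

    def inbound(self, pkt: Packet) -> bool:
        if pkt.new_conn and pkt.dst_port == 80:
            # Store the reversed tuple so replies match directly.
            self.table.add((pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port))
            return True
        return False

    def outbound(self, pkt: Packet) -> bool:
        # A server-initiated connection attempt never matches tracked
        # state, whatever port numbers it picks.
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return not pkt.new_conn and key in self.table

# Constructed sample traffic (documentation-range addresses).
CLIENT_SYN = Packet("203.0.113.5", 50000, "192.0.2.10", 80, new_conn=True)
SERVER_REPLY = Packet("192.0.2.10", 80, "203.0.113.5", 50000, new_conn=False)
ROGUE_SYN = Packet("192.0.2.10", 80, "198.51.100.7", 4444, new_conn=True)  # compromised server dialling out

def compare() -> dict:
    fw = StatefulFirewall()
    fw.inbound(CLIENT_SYN)
    return {
        "reply_acl": acl_allows_outbound(SERVER_REPLY),
        "reply_stateful": fw.outbound(SERVER_REPLY),
        "rogue_acl": acl_allows_outbound(ROGUE_SYN),   # True: the ACL lets it out
        "rogue_stateful": fw.outbound(ROGUE_SYN),      # False: no matching state
    }
```

The two "reply" entries show both controls pass legitimate return traffic; only the stateful table distinguishes the rogue connection from it.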
Re: [Full-disclosure] Announcement posts and the charter (was Re: INSECT Pro 2.5.1 released)
I agree, un-moderated doesn't mean that people can't be banned for breaking the rules or being a troll...

Pete

On 13 April 2011 06:35, Michal Zalewski wrote:
> > It's whatever, un-moderated means exactly that. No-one can tell anyone
> > else what to release/write. Period.
>
> Of course you can. That's what the charter is for. Unmoderated means
> simply that the charter is usually not proactively enforced (but even
> that is hardly an absolute guarantee).
>
> /mz
Re: [Full-disclosure] INSECT Pro 2.5.1 released
John,

The following line is within the list charter:

Alterations will be made after consultation with list members and a consensus has been reached.

I would like to suggest that advertising for products and tools (free or otherwise) be limited to just an initial announcement to tell people about the tool. Sending updates for every single minor update made is just useless spam for the majority of people seeing it; the people who are interested in a product beyond the initial announcement can and will keep up to date on changes themselves.

http://lists.grok.org.uk/full-disclosure-charter.html

Cheers,
Pete

On 12 April 2011 09:20, runlvl wrote:
> INSECT Pro 2.5 new version is now accessible on Insecurity Research servers
>
> Get it now to enjoy the positive changes that this update brings,
> based directly on user feedback
>
> INSECT Pro is the ultimate resource to demonstrate the security—or
> vulnerability—of your network. INSECT goes beyond simply detecting
> vulnerabilities to safely exploiting them. 100 native exploits added.
>
> Version 2.5.1 includes:
> User friendly GUI improved
> Minimize to systray to work in background
> Remote Video recording
> Remote Mic recording
> Capture screenshots
> Metasploit ( modules - exploits ) support
> Keylogging feature
> Command line based control
> Web Scanner
> SQL Injection and HTTP fuzzer
> And more than 150+ native exploits
>
> Thanks to the core developers and everyone else who contributed.
>
> Get a copy now from: http://www.insecurityresearch.com
>
> Juan Sacco
> --
> _
> Insecurity Research - Security auditing and testing software
> Web: http://www.insecurityresearch.com
> Insect Pro 2.5.1 was released, stay tuned
Re: [Full-disclosure] Insect Pro 2.1 : New version release
On 9 March 2011 11:13, Ryan Sears wrote:
> I agree, in order for it to qualify as 'free' it needs to be just that.
>
> Forcing someone to make a 'donation' before you give them said free
> software is SELLING that software. Saying it's free is not just misleading,
> it's blatantly *not* true.
>
> Juan did however give me a download to test it out when I contacted him
> off-list, which was nice of him, but I don't think that these announcements
> should say 'free with a donation from 20$ up'. It should state that you HAVE
> to pay 20$ in order to get a download. Anything else is misleading.
>
> Also due to the fact that this is *not* open-source I did not try it out.
> Just too many red flags for me.
>

I agree with Ryan here, too many red flags... Essentially this $20 "donation" is paying for a Windows-only GUI, as most of the functionality that is being advertised to encourage people to download and pay the donation is provided by actual open-source products...

Do you know what would be really good... not using FD to advertise and drum up donations for your product...
Re: [Full-disclosure] Other recommended lists?
Valdis, you're a troll... ;)

On 22 February 2011 09:25, wrote:
> On Mon, 21 Feb 2011 16:21:47 -0300, Pablo Ximenes said:
>
> > I ask: Might calling someone a troll in an unsubstantiated fashion be
> > considered trolling?
>
> counter-trolling. But it's been a while since we've seen a totally baseless
> accusation of trolling. ;)
Re: [Full-disclosure] Getting Off the Patch
On 20 January 2011 17:37, Tracy Reed wrote:
>
> I use HP Procurve switches and it's very easy to update firmware using scp. A
> quick google produces this blog entry describing the process:
>

I don't actually think it's how easy it is to upgrade; it's more so that most vendors have a monolithic software image, so frequently the upgrade fixes a multitude of things and you can't pick and choose which you want and which you do not. This is where I can see a lot of money and time being consumed in the "patching" process; some vendors even provide (potentially expensive) services to do this testing for you.

I know that JUNOS is based on FreeBSD and leverages the FreeBSD packaging system for upgrades, but not many other vendors have adopted a package management or modular software strategy.
Re: [Full-disclosure] Getting Off the Patch
All,

I agree with most of the stuff that Thor has been saying, and from what I have read this has mostly been centred around patching software on servers. However, most large companies take the don't-patch or patch-infrequently stance when it comes to network infrastructure. Cisco, Juniper, 3COM, HP and other large network infrastructure companies by no means have a clean record when it comes to vulnerabilities in their software, but yet businesses will often not patch even in environments that are highly redundant and can be rebooted with little or no impact.

Can anyone seriously say that they patch every time Cisco releases a new version of IOS?

...
Re: [Full-disclosure] Filezilla's silent caching of user's credentials
Has anyone asked the developer to include a "don't cache credentials" or "kiosk mode" (as someone else suggested) option? Even if this is not the default, at the very least it makes people aware that the passwords are stored and may be (trivially) recoverable.

Pete

On 14 October 2010 18:51, Chris Evans wrote:
> On Wed, Oct 13, 2010 at 11:46 PM, silky wrote:
>>
>> On Thu, Oct 14, 2010 at 5:39 PM, Christian Sciberras wrote:
>> > > Not all attackers are created
>> > > equally.
>> >
>> > I still see this a simple matter of violating KISS to introduce a layer
>> > of encryption.
>> > The question is, to which end? Sure, an attacker might see the encrypted
>> > file and think it's "too difficult" for him to get to the passwords. Another
>> > might use a certain utility to decrypt the said file. The thing is, to which end are
>> > we encrypting the data? Just for the sake of making it work like the N
>> > other programs?
>> > I mean, if this doesn't *work*, why even *bother*?
>>
>> Sorry, but your comments are totally useless here and can't even
>> really be addressed properly, given their quite ridiculous nature.
>
> Well done on behaving in a gentlemanly manner and winning people over with
> your in-depth technical arguments.
>
> I think you need to break down the problem into the various threats against
> these stored secrets.
>
> 1) You're worried about some random person who has transient physical access
> to your logged-in machine.
> 2) You're worried about some sophisticated actor who has transient physical
> access to your machine.
> 3) You're worried about your machine getting stolen, or improper disposal of
> your hard drive.
> 4) You're worried about the worst-possible impact of a file-theft bug,
> perhaps in a browser.
> 5) You're worried about having used FileZilla on a public terminal.
> 6) You're worried because multiple users without full trust between one
> another share the same account.
> Feel free to add 7), 8), etc.
>
> Once you start breaking it down, you realize that you're completely
> shit-out-of-luck in cases 2), 5) and 6); in case 1), the worst attacks
> comprise of writing to the drive and not reading from it; you're negligent
> if you're worried about 3) and don't have full-disk encryption; and 4) is
> actually the most nuanced and interesting threat yet it doesn't seem to be
> figuring in the reasoning of prior entrants to the thread.
>
> In fact, given the current state of the security industry, I think I have
> the worst threat yet:
>
> 7) You're worried about a large number of bike-shedding lower-tier security
> researchers posting en-masse to f-d. You're worried that subsequent to this,
> some less technical security journalists will pick up on it and write a
> bunch of sensationalist news articles covering what is essentially a minor
> issue.
>
> The opening e-mail used or quoted phrases such as "critical deficiency",
> "total lapse" and "quite disturbing". This shows a disappointing
> misunderstanding of what "critical" really is.
> This bug is not being used to break into nuclear reactors in Iran, or to
> distribute mass malware. It's important to be balanced and realistic whilst
> discussing security issues.
>
> Cheers
> Chris
>
>> You
>> are missing the point of the encryption, and it is not my job to
>> convince you, and any further comments with anyone other than the
>> developer are useless.
>>
>> > > There is no question here. There is no discussion. It should be done,
>> > > and if it is not, password saving should be stopped in FileZilla or an
>> > > alternative program should be sought. It's that simple.
>> >
>> > Great. If it's so simple that it can be done in under 10 mins, go complain
>> > to them.
>>
>> This email thread *is* a direct complaint to them, after bugs have
>> been closed for years. I didn't start this thread. Do you even
>> understand what is going on here? Your emails suggest you do not.
>>
>> > Cheers,
>> > Chris.
>>
>> --
>> silky
>>
>> http://dnoondt.wordpress.com/
>>
>> "Every morning when I wake up, I experience an exquisite joy — the joy
>> of being this signature."