Re: [Full-disclosure] PDP Architect and your great book

2009-02-26 Thread Petko D. Petkov
Hi Bob,

Thank you for your concerns. The truth is that I've been incredibly
busy lately both in my personal and professional life and therefore I
am not so active at the moment. I am also taking the time to think
about new ideas and wrap up some old projects.

In fact, the Agile Hacking project is one of them. I still believe in
the idea and I am very excited about it.

This project gathered quite a lot of interest but we do not have any
deadlines to meet. Just because I am not talking about it, it does not
mean that I am not silently working on it. The quality of the final
product is very important to me. The way I see it right now, the book
should take no more than a year and a half to be fully completed.

I just want to remind you that this is entirely a community project
and it depends on the contributions of everyone and I do not
financially benefit from it.

All the best,
pdp

On Thu, Feb 26, 2009 at 5:41 AM, bob jones  wrote:
> I was wondering when your book about how to become a real hacker
> and write programs through alt codes will be coming out. I read on your blog
> long ago about this book you envisioned but I have not seen announcements or
> preordering on Amazon. I also have not seen you posting much on the mailing
> lists. Did some event in your life make you less talkative? I hope this
> is not true and look forward to your great book. Maybe it will rival the
> great hacker Kevin Mitnick's books about hacking stories he could never
> accomplish in real life since they did not revolve around social
> engineering.
>
> Thanks,
> BB Gun Holder
>



-- 

Petko D. (pdp) Petkov | GNUCITIZEN | Hakiri | Spin Hunters

gnucitizen.org | hakiri.org | spinhunters.org

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] OpenID. The future of authentication on the web?

2008-03-24 Thread Petko D. Petkov
what about usernames? you still need to keep track of your usernames
since sometimes your preferred username is either taken or not
possible or you need to login via email or any other peculiarity the
site supports.

On Mon, Mar 24, 2008 at 2:43 PM, John C. A. Bambenek, GCIH, CISSP
<[EMAIL PROTECTED]> wrote:
> I would disagree.  One could simply create a template password and then salt
> it with some acronym for the site in question.
>
> For instance, S0m3p4ss!### where ### is a 3-letter acronym for the site they
> are accessing.  Still need only one password to remember and you don't
> necessarily have a single point of 0wnership anymore.
>
>
>
> On Sun, Mar 23, 2008 at 7:04 PM, Larry Seltzer <[EMAIL PROTECTED]>
> wrote:
> >
> > >>I understand the attractiveness of not having to remember lots of IDs
> > and passwords, but when you give up control of your data, you give up
> > control of your future.
> >
> > Normal people aren't going to remember enough passwords, let alone
> > strong passwords, to make that control meaningful. I do get your point,
> > but I bet that the best alternative is to give them one set of
> > credentials and make it as strong as possible.
> >
> >
> > Larry Seltzer
> > eWEEK.com Security Center Editor
> > http://security.eweek.com/
> > http://blogs.pcmag.com/securitywatch/
> > Contributing Editor, PC Magazine
> > [EMAIL PROTECTED]
> >
> >
>
>
>



-- 

Petko D. (pdp) Petkov | GNUCITIZEN | Hakiri | Spin Hunters

gnucitizen.org | hakiri.org | spinhunters.org



Re: [Full-disclosure] OpenID. The future of authentication on the web?

2008-03-24 Thread Petko D. Petkov
comments inlined

On Mon, Mar 24, 2008 at 3:10 PM, Paul Schmehl <[EMAIL PROTECTED]> wrote:
> --On Monday, March 24, 2008 09:13:38 +0000 "Petko D. Petkov"
>
> <[EMAIL PROTECTED]> wrote:
>  >>
>
> >>  Yes, and convenience is often the enemy of security.
>  >>
>  >
>  > Not always. I think complexity is the enemy of security. The simpler
>  > the system is the less chance to screw up, the more secure it is. It
>  > is much easier to secure a single port than a class B network, don't
>  > you think?
>  >
>
>  Of course.  Both complexity *and* convenience are often the enemies of security.
>  :-)
>
> >
>  > First of all, we've proved time and time again that people do reuse
>  > passwords. Password reuse is a huge problem and it is due to our
>  > inefficiency of memorizing partial information which is not associated
>  > with anything substantial. In psychology this is known as the process
>  > of anchoring and if you master how to anchor then you can master
>  > memorizing large sets of useless data without getting corrupted
>  > sectors in your brain. A good start is reading Derren Brown's book
>  > "Tricks of the Mind".
>  >
>
>  I don't disagree.
>
>
>  > On another note, capturing my OpenID credentials wouldn't be as easy
>  > as you say. First of all if the OpenID provider has a valid,
>  > authorized SSL certificate you won't be even able to see when creds
>  > are flying around. Second, I've mentioned one-time passwords in terms
>  > of keyfobs, rsa tokens, whatever. Even if you capture these
>  > credentials you won't be able to use them and believe me, carrying one
>  > keyfob just for your OpenID provider is a lot easier than having what
>  > they call keyfob necklace in order to ensure a good security for every
>  > single site you visit. I think that verisign provides OpenID service
>  > which is based on all that.
>  >
>
>  Verisign *requires* only alpha-numeric characters for my password for my *CA
>  ADMIN* account for our PKI system.  That should tell you something about their
>  dedication to security.
>
>
>  > Last but not least, let's say that you have access to the machine or
>  > network and you can sniff the cookies and as such get access to the
>  > openid account. Well, some OpenID providers have features where you
>  > can configure the account to automatically destroy the session cookie
>  > once an OpenID authentication is authorized. Your best chance is to
>  > sniff or attack the sites where the user is logging into but any
>  > problems associated with them are not problems within OpenID and they
>  > will work independently of the authorization/identification mechanism.
>  >
>
>  Getting access inside networks these days is trivial.  There are hundreds and
>  hundreds of compromised machines inside of corporate networks due to phishing
>  scams and the ignorance of the average user.  Furthermore, you can get access
>  to at least 10% of the machines on any network simply by logging in as
>  administrator or root (pick your OS) using either blank, password or
>  root/administrator as the password.
>
>  Add to that hundreds of trivial sql injection attacks and other easy attacks,
>  and most networks are like swiss cheese.
>
>  Once you're on one box inside, you can roam around freely and find a way to
>  capture id information in the clear.
>

SSL + KeyFob (2 factor authentication) + Session destruction after
authorization - I don't think that you can do anything useful with
that. If the OpenID does not have any SQL Injection or other problems
such as auth-bypass, it is mission impossible. And even if the site is
vulnerable to some bugs that has nothing to do with OpenID.

>
> >
>  > Well, PayPal is a lot more secure when it comes to money
>  > transfers/transactions. Do you feel comfortable giving away your
>  > credit card details to every single merchant from which you want to
>  > purchase some goods. I don't!
>  >
>
>  You frame the question wrong.  The real question is, do I feel comfortable
>  exposing $50 to risk by using a credit card or exposing every dollar I've
>  deposited with Paypal to risk.  And the $50 is waived if the vendor is culpable
>  for the loss.
>
>  I scanned a card through a gas pump while on a vacation trip last year.  Within
>  two hours someone had charged $1005 on that card.  It cost me nothing.  The
>  charges were reversed, because it was clearly fraud.  (I was in South Carolina
>  - timestamped just two hours before - the charge

Re: [Full-disclosure] OpenID. The future of authentication on the web?

2008-03-24 Thread Petko D. Petkov
as I said, some websites ask you for a username regardless of whether
that will be an email address. and unfortunately a username is not
unique throughout the Web. which means that if your username is
john-bambenek on one system it could be completely different on
another system due to the fact that some vendors don't like the "-" or
they don't like the length or they ask you to have a number in the
username or even they provide you with such. So keeping track of
usernames is as hard as keeping track of passwords. Put them all
together and then you will experience the pain.

On the other hand OpenID provides you with a unique ID. Only you can
use it on every system without the need to worry.

On Mon, Mar 24, 2008 at 3:22 PM, John C. A. Bambenek, GCIH, CISSP
<[EMAIL PROTECTED]> wrote:
> Well in my case it's easy... how many people do you know named John Bambenek
> (my father doesn't count)? :)
>
> I was just speaking about passwords in that case, presumably people can
> remember their email addresses.
>
>
>
> On Mon, Mar 24, 2008 at 10:17 AM, Petko D. Petkov
> <[EMAIL PROTECTED]> wrote:
> > what about usernames? you still need to keep track of your usernames
> > since sometimes your preferred username is either taken or not
> > possible or you need to login via email or any other peculiarity the
> > site supports.
> >
> >
> >
> >
> > On Mon, Mar 24, 2008 at 2:43 PM, John C. A. Bambenek, GCIH, CISSP
> > <[EMAIL PROTECTED]> wrote:
> > > I would disagree.  One could simply create a template password and then salt
> > > it with some acronym for the site in question.
> > >
> > > For instance, S0m3p4ss!### where ### is a 3-letter acronym for the site they
> > > are accessing.  Still need only one password to remember and you don't
> > > necessarily have a single point of 0wnership anymore.
> > >
> > >
> > >
> > > On Sun, Mar 23, 2008 at 7:04 PM, Larry Seltzer <[EMAIL PROTECTED]>
> > > wrote:
> > > >
> > > > >>I understand the attractiveness of not having to remember lots of IDs
> > > > and passwords, but when you give up control of your data, you give up
> > > > control of your future.
> > > >
> > > > Normal people aren't going to remember enough passwords, let alone
> > > > strong passwords, to make that control meaningful. I do get your point,
> > > > but I bet that the best alternative is to give them one set of
> > > > credentials and make it as strong as possible.
> > > >
> > > >
> > > > Larry Seltzer
> > > > eWEEK.com Security Center Editor
> > > > http://security.eweek.com/
> > > > http://blogs.pcmag.com/securitywatch/
> > > > Contributing Editor, PC Magazine
> > > > [EMAIL PROTECTED]
> > > >
> > > >
> > >
> > >
> > >
> >
> >
> >
> >
> >
> >
> > --
> >
> > Petko D. (pdp) Petkov | GNUCITIZEN | Hakiri | Spin Hunters
> >
> > gnucitizen.org | hakiri.org | spinhunters.org
> >
>
>



-- 

Petko D. (pdp) Petkov | GNUCITIZEN | Hakiri | Spin Hunters

gnucitizen.org | hakiri.org | spinhunters.org



Re: [Full-disclosure] OpenID. The future of authentication on the web?

2008-03-24 Thread Petko D. Petkov
on your last comment,

OpenID is exactly designed for that! To give the power back to the user!

On Mon, Mar 24, 2008 at 3:10 PM, Paul Schmehl <[EMAIL PROTECTED]> wrote:
> --On Monday, March 24, 2008 09:13:38 +0000 "Petko D. Petkov"
>
> <[EMAIL PROTECTED]> wrote:
>  >>
>
> >>  Yes, and convenience is often the enemy of security.
>  >>
>  >
>  > Not always. I think complexity is the enemy of security. The simpler
>  > the system is the less chance to screw up, the more secure it is. It
>  > is much easier to secure a single port than a class B network, don't
>  > you think?
>  >
>
>  Of course.  Both complexity *and* convenience are often the enemies of security.
>  :-)
>
> >
>  > First of all, we've proved time and time again that people do reuse
>  > passwords. Password reuse is a huge problem and it is due to our
>  > inefficiency of memorizing partial information which is not associated
>  > with anything substantial. In psychology this is known as the process
>  > of anchoring and if you master how to anchor then you can master
>  > memorizing large sets of useless data without getting corrupted
>  > sectors in your brain. A good start is reading Derren Brown's book
>  > "Tricks of the Mind".
>  >
>
>  I don't disagree.
>
>
>  > On another note, capturing my OpenID credentials wouldn't be as easy
>  > as you say. First of all if the OpenID provider has a valid,
>  > authorized SSL certificate you won't be even able to see when creds
>  > are flying around. Second, I've mentioned one-time passwords in terms
>  > of keyfobs, rsa tokens, whatever. Even if you capture these
>  > credentials you won't be able to use them and believe me, carrying one
>  > keyfob just for your OpenID provider is a lot easier than having what
>  > they call keyfob necklace in order to ensure a good security for every
>  > single site you visit. I think that verisign provides OpenID service
>  > which is based on all that.
>  >
>
>  Verisign *requires* only alpha-numeric characters for my password for my *CA
>  ADMIN* account for our PKI system.  That should tell you something about their
>  dedication to security.
>
>
>  > Last but not least, let's say that you have access to the machine or
>  > network and you can sniff the cookies and as such get access to the
>  > openid account. Well, some OpenID providers have features where you
>  > can configure the account to automatically destroy the session cookie
>  > once an OpenID authentication is authorized. Your best chance is to
>  > sniff or attack the sites where the user is logging into but any
>  > problems associated with them are not problems within OpenID and they
>  > will work independently of the authorization/identification mechanism.
>  >
>
>  Getting access inside networks these days is trivial.  There are hundreds and
>  hundreds of compromised machines inside of corporate networks due to phishing
>  scams and the ignorance of the average user.  Furthermore, you can get access
>  to at least 10% of the machines on any network simply by logging in as
>  administrator or root (pick your OS) using either blank, password or
>  root/administrator as the password.
>
>  Add to that hundreds of trivial sql injection attacks and other easy attacks,
>  and most networks are like swiss cheese.
>
>  Once you're on one box inside, you can roam around freely and find a way to
>  capture id information in the clear.
>
> >
>  > Well, PayPal is a lot more secure when it comes to money
>  > transfers/transactions. Do you feel comfortable giving away your
>  > credit card details to every single merchant from which you want to
>  > purchase some goods. I don't!
>  >
>
>  You frame the question wrong.  The real question is, do I feel comfortable
>  exposing $50 to risk by using a credit card or exposing every dollar I've
>  deposited with Paypal to risk.  And the $50 is waived if the vendor is culpable
>  for the loss.
>
>  I scanned a card through a gas pump while on a vacation trip last year.  Within
>  two hours someone had charged $1005 on that card.  It cost me nothing.  The
>  charges were reversed, because it was clearly fraud.  (I was in South Carolina
>  - timestamped just two hours before - the charge was in El Paso.)
>
>  The credit card industry is quite robust and equipped to handle fraud.  What
>  happens when an OpenID account is compromised and *every* account is drained
>  and thousands of dollars are charged and *according to OpenID* it was me?
>

Re: [Full-disclosure] OpenID. The future of authentication on the web?

2008-03-24 Thread Petko D. Petkov
comments inlined

On Mon, Mar 24, 2008 at 2:43 PM, Steven Rakick <[EMAIL PROTECTED]> wrote:
> Let's be realistic here. It's not about the technical
>  feasibility, it's about an open standard people trust
>  and have bought into. This is what Information Cards
>  are in my mind, much the same as OpenID.
>
>  Sure you could go out and create an extension to serve
>  the same purpose in your own way, but who would trust
>  it? I mean PDP is known for javascript port scanning
>  via XSS (i know you've done more but...), not
>  authentication.
>

what do you mean by saying "not authentication", and how is that related
to the topic? and why wouldn't you trust it? :) do you code everything
yourself so that you trust it? I am just curious to understand what
you mean, that's all.

>
>  My point is simple. With OpenID + Information Cards
>  much of the security concerns/weaknesses (phishing,
>  passwords theft/loss) around OpenID as a protocol are
>  addressed. Sure you still have to trust the provider
>  (or write your own), but the implementation can be
>  secure, open and publicly accessible using currently
>  available and supported web technologies. Beemba and
>  MyOpenID currently do this.
>
>  BTW, Firefox 3 will have support for Information Cards
>  by default and an extension is available for Firefox 2
>  at Codeplex.
>
>  -sr
>
>  On Mon, Mar 24, 2008 at 5:25 AM, Petko D. Petkov
>
> <[EMAIL PROTECTED]> wrote:
>
>
>  > Let's put it this way,
>  >
>  > It is easy to prevent phishing attacks against OpenID on the
>  > client-side with browser extensions. In fact, I think that Firefox
>  > will make this feature a default in their upcoming versions. It could
>  > work exactly the same as the current trusted certificate authorities
>  > every single web browser comes with. You will have a list of trusted
>  > OpenID providers domains which are also cross-matched with their SSL
>  > certificates and URLs. Done!
>  >
>  > If firefox is not planning to implement this feature, heck I will code
>  > it myself. This is a hello world XUL extension.
>  >
>  > pdp
>  >
>  >
>  > On Sun, Mar 23, 2008 at 11:16 PM, Steven Rakick <[EMAIL PROTECTED]> wrote:
>  > > Many of you have brought up that OpenID is vulnerable
>  > >  to phishing and have highlighted weaknesses specific to
>  > >  traditional username/password authentication.
>  > >
>  > >  This was the main reason I brought up Information Cards
>  > >  in my original post. I've noticed that Beemba
>  > >  (http://www.beemba.com) and MyOpenID
>  > >  (http://www.myopenid.com) have both implemented
>  > >  Information Cards as an authentication option.
>  > >
>  > >  Good idea?
>  > >
>  > >  It seems to me that if you were to rely on Information
>  > >  Cards as opposed to username/password the phishing
>  > >  angle is mitigated. Is this not the case?
>  > >
>  > >  -sr
>  > >
>  > >
>  > >
>  > >
>  > >
>  >
>  >
>  >
>  > --
>
> >
>  > Petko D. (pdp) Petkov | GNUCITIZEN | Hakiri | Spin Hunters
>  >
>  > gnucitizen.org | hakiri.org | spinhunters.org
>  >
>
>  >
>
>
>
>



-- 

Petko D. (pdp) Petkov | GNUCITIZEN | Hakiri | Spin Hunters

gnucitizen.org | hakiri.org | spinhunters.org



Re: [Full-disclosure] OpenID. The future of authentication on the web?

2008-03-24 Thread Petko D. Petkov
Let's put it this way,

It is easy to prevent phishing attacks against OpenID on the
client-side with browser extensions. In fact, I think that Firefox
will make this feature a default in their upcoming versions. It could
work exactly the same as the current trusted certificate authorities
every single web browser comes with. You will have a list of trusted
OpenID providers domains which are also cross-matched with their SSL
certificates and URLs. Done!

If Firefox is not planning to implement this feature, heck I will code
it myself. This is a hello world XUL extension.

pdp

On Sun, Mar 23, 2008 at 11:16 PM, Steven Rakick <[EMAIL PROTECTED]> wrote:
> Many of you have brought up that OpenID is vulnerable
>  to phishing and have highlighted weaknesses specific to
>  traditional username/password authentication.
>
>  This was the main reason I brought up Information Cards
>  in my original post. I've noticed that Beemba
>  (http://www.beemba.com) and MyOpenID
>  (http://www.myopenid.com) have both implemented
>  Information Cards as an authentication option.
>
>  Good idea?
>
>  It seems to me that if you were to rely on Information
>  Cards as opposed to username/password the phishing
>  angle is mitigated. Is this not the case?
>
>  -sr
>
>
>
>



-- 

Petko D. (pdp) Petkov | GNUCITIZEN | Hakiri | Spin Hunters

gnucitizen.org | hakiri.org | spinhunters.org
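
The client-side check proposed in the message above (a list of trusted OpenID provider domains cross-matched with their SSL certificates and URLs), sketched as an added example; it is not code from the original post or from any browser. The provider host, path prefix and fingerprint are constructed placeholders, `checkProviderPage` is a hypothetical name, and how an extension obtains the presented certificate's SHA-256 fingerprint from the browser is assumed and not shown.

```javascript
// Constructed sample data: not a real provider and not a real certificate.
const EXAMPLE_FP = "3f".repeat(32); // 64 hex chars standing in for a SHA-256 fingerprint

// Hypothetical allowlist shipped with the extension, analogous to a CA store.
const TRUSTED_PROVIDERS = [
  { host: "openid.example", loginPathPrefix: "/server/", certSha256: EXAMPLE_FP },
];

// Accept "AA:BB:..." or "aabb..." and return lowercase hex, or null if malformed.
function normalizeFingerprint(fp) {
  if (typeof fp !== "string") return null;
  const hex = fp.replace(/[:\s]/g, "").toLowerCase();
  return /^[0-9a-f]{64}$/.test(hex) ? hex : null;
}

// Decide whether the page asking for OpenID credentials is a trusted provider.
// pageUrl: URL shown in the address bar; presentedCertSha256: fingerprint of
// the certificate the server actually presented for this connection.
function checkProviderPage(pageUrl, presentedCertSha256, providers = TRUSTED_PROVIDERS) {
  let url;
  try {
    url = new URL(pageUrl);
  } catch (e) {
    return { trusted: false, reason: "unparseable-url" };
  }

  // Credentials must never be typed into a page loaded without TLS.
  if (url.protocol !== "https:") {
    return { trusted: false, reason: "not-https" };
  }

  // "https://openid.example@evil.test/" displays the trusted name but the
  // real host is evil.test; reject any URL carrying userinfo.
  if (url.username || url.password) {
    return { trusted: false, reason: "userinfo-in-url" };
  }

  // The URL parser lowercases the host and converts IDNs to punycode, so an
  // exact string match also rejects look-alike and sub-domain tricks such as
  // "openid.example.evil.test". A trailing root dot is dropped before matching.
  const host = url.hostname.replace(/\.$/, "");
  const entry = providers.find((p) => p.host === host);
  if (!entry) {
    return { trusted: false, reason: "unknown-provider" };
  }

  // The pathname is already normalized ("/server/../x" becomes "/x"), so a
  // prefix test cannot be bypassed with dot segments.
  if (!url.pathname.startsWith(entry.loginPathPrefix)) {
    return { trusted: false, reason: "unexpected-path" };
  }

  // Cross-match the certificate: the right name with the wrong key is a
  // misissued or intercepted connection, not the provider.
  const presented = normalizeFingerprint(presentedCertSha256);
  const pinned = normalizeFingerprint(entry.certSha256);
  if (!presented || !pinned || presented !== pinned) {
    return { trusted: false, reason: "certificate-mismatch" };
  }

  return { trusted: true, reason: "ok", provider: entry.host };
}
```

Pinning a leaf-certificate fingerprint means the list has to be updated whenever a provider rotates its certificate, which is the operational cost of this design.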



Re: [Full-disclosure] OpenID. The future of authentication on the web?

2008-03-24 Thread Petko D. Petkov
agree :)

On Mon, Mar 24, 2008 at 10:50 AM, Gorn <[EMAIL PROTECTED]> wrote:
> Petko D. Petkov wrote:
>  > Indeed but this can be a subsystem, a feature of the OpenID provider.
>  > For example, some OpenID providers have the feature to choose
>  > different persons depending on the usage. So it will be easier to
>  > safeguard a persona within one openid provider. So for example, in my
>  > current OpenID setup I have two personas. One for daily use which is
>  > completely useless and one for mission critical stuff. Although the
>  > mission critical persona is not safeguarded :) (lack of
>  > functionalities here) if such a feature is implemented, wouldn't be
>  > that much better? :)
>  >
>  That could be, I was more hinting to the open structure of OpenID. If
>  you don't trust a provider choose another one. Other frameworks for
>  online authentication/authorization don't offer this flexibility, one
>  provider only, like passport.
>  OpenID offers the possibility to offer competing authentication services
>  provided by different providers. So you don't have to put all your eggs
>  in one basket. (it is Easter after all)
>
>
>
>



-- 

Petko D. (pdp) Petkov | GNUCITIZEN | Hakiri | Spin Hunters

gnucitizen.org | hakiri.org | spinhunters.org



Re: [Full-disclosure] OpenID. The future of authentication on the web?

2008-03-24 Thread Petko D. Petkov
Indeed but this can be a subsystem, a feature of the OpenID provider.
For example, some OpenID providers have the feature to choose
different persons depending on the usage. So it will be easier to
safeguard a persona within one openid provider. So for example, in my
current OpenID setup I have two personas. One for daily use which is
completely useless and one for mission critical stuff. Although the
mission critical persona is not safeguarded :) (lack of
functionalities here) if such a feature is implemented, wouldn't be
that much better? :)

On Mon, Mar 24, 2008 at 9:51 AM, Gorn <[EMAIL PROTECTED]> wrote:
> Petko D. Petkov wrote:
>  >>
>  >
>  > As I said, if you don't trust public OpenID providers, roll your own.
>  > It is very, very, very easy.
>  >
>  You seem to miss one point, in the current online environment you are
>  not talking about 5 or 6 id/credentials but more like 20 to 30.
>  (remember each blog you post to, each mailing list each web store
>  requires its own id/credentials.) OpenID provides for the possibility to
>  group these id's by function and select the correct provider with the
>  safeguards you want for each group. An OpenID for money related
>  transactions would need more safeguards than an OpenID for let's say full
>  disclosure ;-)
>  >
>  >
>  >
>
>  FG
>
>
>
>



-- 

Petko D. (pdp) Petkov | GNUCITIZEN | Hakiri | Spin Hunters

gnucitizen.org | hakiri.org | spinhunters.org



Re: [Full-disclosure] OpenID. The future of authentication on the web?

2008-03-24 Thread Petko D. Petkov
Hey Paul,

some valid points indeed but let me inline some of my thoughts. read on.

On Sun, Mar 23, 2008 at 10:37 PM, Paul Schmehl <[EMAIL PROTECTED]> wrote:
> --On March 23, 2008 2:52:53 PM +0000 "Petko D. Petkov"
>
> <[EMAIL PROTECTED]> wrote:
>  >
>
> > First of all, OpenID is a very simple but rather useful technology.
>  > With OpenID you have only one account, your ID, which you can use
>  > everywhere where the OpenID technology is supported. It is not clear
>  > whether this setup is more secure from what we have at the moment
>  > (every site forces you to register unique username/password pair) but
>  > it is definitely more convenient.
>
>  Yes, and convenience is often the enemy of security.
>

Not always. I think complexity is the enemy of security. The simpler
the system is the less chance to screw up, the more secure it is. It
is much easier to secure a single port than a class B network, don't
you think?

>
>
>  > The first argument "for" OpenID is
>  > that the more you share your secrets, credit card information,
>  > usernames, password, the higher the chances this information to be
>  > leaked or stolen. On the other hand, OpenID is prone to phishing
>  > attacks so user education is required.
>  >
>
>  However, with OpenID, all I have to do is figure out how to capture your
>  credentials (which does not require that I compromise OpenID), and I can
>  own everything that you own.  At least with the disparate systems we have
>  now you only get those things where I've been foolish enough to use the
>  same credentials.  Even then you have to figure out what those systems
>  are.  With OpenID I simply try every site that uses OpenID, trivial to do
>  programmatically.
>

Paul, you are right but here are my arguments:

First of all, we've proved time and time again that people do reuse
passwords. Password reuse is a huge problem and it is due to our
inefficiency of memorizing partial information which is not associated
with anything substantial. In psychology this is known as the process
of anchoring and if you master how to anchor then you can master
memorizing large sets of useless data without getting corrupted
sectors in your brain. A good start is reading Derren Brown's book
"Tricks of the Mind".

On another note, capturing my OpenID credentials wouldn't be as easy
as you say. First of all if the OpenID provider has a valid,
authorized SSL certificate you won't be even able to see when creds
are flying around. Second, I've mentioned one-time passwords in terms
of keyfobs, rsa tokens, whatever. Even if you capture these
credentials you won't be able to use them and believe me, carrying one
keyfob just for your OpenID provider is a lot easier than having what
they call keyfob necklace in order to ensure a good security for every
single site you visit. I think that verisign provides OpenID service
which is based on all that.

Last but not least, let's say that you have access to the machine or
network and you can sniff the cookies and as such get access to the
openid account. Well, some OpenID providers have features where you
can configure the account to automatically destroy the session cookie
once an OpenID authentication is authorized. Your best chance is to
sniff or attack the sites where the user is logging into but any
problems associated with them are not problems within OpenID and they
will work independently of the authorization/identification mechanism.

>
>  > Think about OpenID as the equivalent of PayPal for authentication. In
>  > theory, it is more secure to pay through paypal as you are not sharing
>  > your credit card information with everyone else but a single provider.
>  >
>
>  There's a reason I don't use Paypal..
>

Well, PayPal is a lot more secure when it comes to money
transfers/transactions. Do you feel comfortable giving away your
credit card details to every single merchant from which you want to
purchase some goods. I don't!

>
>
>  > I am all "for" OpenID as you can spend good time on securing a single
>  > system. If the OpenID provider is not vulnerable to common Web attacks
>  > and it provides good privacy mechanisms such as SSL on top of
>  > which are built good authentication features such as one-time tokens,
>  > etc then OpenID is the preferable choice.
>
>  The problem is, I have to trust the OpenID provider to both secure his/her
>  systems and hire trustworthy help.  I have to do the same locally, but I
>  have a great deal more control and ability to monitor.
>

Well, roll your own OpenID service. It takes 5 minutes and a couple of
lines with PHP and you can make it as secure as you want. Isn't that
much bette

Re: [Full-disclosure] OpenID. The future of authentication on the web?

2008-03-24 Thread Petko D. Petkov
deer reepex,

every single time. :) yet another proof that you are a troll. why don't
you come up with something constructive for a change? the email thread
reads "OpenID. The future of authentication on the web?" not "how to
troll full-disclosure, reepex style". FYI, do your research and
show examples next time before pointing fingers. as you can see yours
and your friends' useless comments did not get moderated out. And yes
the blogosphere is gigantic and it has many useful, troll free blogs
that provide good information resources and discussion grounds for
everybody, even you.

Kind Regards,
pdp

On Sun, Mar 23, 2008 at 10:33 PM, reepex <[EMAIL PROTECTED]> wrote:
> that's right pdp  - go run to your protected lists and blogs where you don't
> have to hear anything negative and where you can flame people without
> contest who talk against you.
>
> you are another Bill O Reilly and everyone thinks of you as such. enjoy your
> sheep.
>
>
>
>
> On Sun, Mar 23, 2008 at 9:52 AM, Petko D. Petkov
> <[EMAIL PROTECTED]> wrote:
> > Hi Steven,
> >
> > I guess most 1337 hax0rs will flame you on this list. There are good
> > security blogs you can follow and learn from instead. Full-disclosure
> > is for rants and bashing only!
> >
> > I can point you to some articles that I wrote regarding OpenID,
> > however, let me share my thoughts quickly as that will save you some
> > time and of course if you are still curious you can go research
> > further.
> >
> > First of all, OpenID is a very simple but rather useful technology.
> > With OpenID you have only one account, your ID, which you can use
> > everywhere where the OpenID technology is supported. It is not clear
> > whether this setup is more secure from what we have at the moment
> > (every site forces you to register unique username/password pair) but
> > it is definitely more convenient. The first argument "for" OpenID is
> > that the more you share your secrets, credit card information,
> > usernames, passwords, the higher the chances of this information being
> > leaked or stolen. On the other hand, OpenID is prone to phishing
> > attacks so user education is required.
> >
> > Think about OpenID as the equivalent of PayPal for authentication. In
> > theory, it is more secure to pay through paypal as you are not sharing
> > your credit card information with everyone else but a single provider.
> >
> > I am all "for" OpenID as you can spend good time on securing a single
> > system. If the OpenID provider is not vulnerable to common Web attacks
> > and it provides good privacy mechanisms such as SSL and on top of
> > which are built good authentication features such as one-time tokens,
> > etc then OpenID is the preferable choice. Keep in mind though,
> > that if your OpenID account is hacked, the attacker will be able to
> > login as you anywhere they want. This is the main concern and
> > disadvantage.
> >
> > pdp
> >
> > P.S. dear list, the only reason I am not priv-messaging Steven is
> > because I believe that there are other people who are interested in
> > this topic. So, instead of wasting valuable resources and energy
> > answering everyone individually, I've decided to do it once hoping
> > that this message will be seen by others. Thanks!
> >
> >
> >
> >
> > On Sun, Mar 23, 2008 at 12:18 PM, Steven Rakick <[EMAIL PROTECTED]>
> wrote:
> > > Hello list,
> > >
> > >  I'm curious what the group thinks about the recent
> > >  surge in support for OpenID across the web and the
> > >  impact it will have.
> > >
> > >  1) Beemba - http://www.beemba.com
> > >  2) ClaimID - http://www.claimid.com
> > >  3) MyOpenID - http://www.myopenid.com
> > >  4) Many others...
> > >
> > >  These sites are gaining in popularity quickly and with
> > >  the announcements of support from big players Yahoo,
> > >  AOL, Microsoft and Google, combined with smaller
> > >  web2.0 celeb-run sites like Digg, OpenID appears to
> > >  be what will eventually be the norm.
> > >
> > >  Thoughts?
> > >
> > >  I've also noticed that many of these sites are
> > >  bundling Information Card support (CardSpace on
> > >  Windows). Sounds like a good idea as it complements
> > >  OpenID and helps address some weaknesses.
> > >
> > >  Again, any thoughts?
> > >
> > >  I'm really just interested in a dialog.
> > >
> > >  -sr
> 

Re: [Full-disclosure] OpenID. The future of authentication on the web?

2008-03-23 Thread Petko D. Petkov
Hi Steven,

I guess most 1337 hax0rs will flame you on this list. There are good
security blogs you can follow and learn from instead. Full-disclosure
is for rants and bashing only!

I can point you to some articles that I wrote regarding OpenID,
however, let me share my thoughts quickly as that will save you some
time and of course if you are still curious you can go research
further.

First of all, OpenID is a very simple but rather useful technology.
With OpenID you have only one account, your ID, which you can use
everywhere where the OpenID technology is supported. It is not clear
whether this setup is more secure from what we have at the moment
(every site forces you to register unique username/password pair) but
it is definitely more convenient. The first argument "for" OpenID is
that the more you share your secrets, credit card information,
usernames, passwords, the higher the chances of this information being
leaked or stolen. On the other hand, OpenID is prone to phishing
attacks so user education is required.

Think about OpenID as the equivalent of PayPal for authentication. In
theory, it is more secure to pay through paypal as you are not sharing
your credit card information with everyone else but a single provider.

I am all "for" OpenID as you can spend good time on securing a single
system. If the OpenID provider is not vulnerable to common Web attacks
and it provides good privacy mechanisms such as SSL and on top of
which are built good authentication features such as one-time tokens,
etc then OpenID is the preferable choice. Keep in mind though,
that if your OpenID account is hacked, the attacker will be able to
login as you anywhere they want. This is the main concern and
disadvantage.

pdp

P.S. dear list, the only reason I am not priv-messaging Steven is
because I believe that there are other people who are interested in
this topic. So, instead of wasting valuable resources and energy
answering everyone individually, I've decided to do it once hoping
that this message will be seen by others. Thanks!

On Sun, Mar 23, 2008 at 12:18 PM, Steven Rakick <[EMAIL PROTECTED]> wrote:
> Hello list,
>
>  I'm curious what the group thinks about the recent
>  surge in support for OpenID across the web and the
>  impact it will have.
>
>  1) Beemba - http://www.beemba.com
>  2) ClaimID - http://www.claimid.com
>  3) MyOpenID - http://www.myopenid.com
>  4) Many others...
>
>  These sites are gaining in popularity quickly and with
>  the announcements of support from big players Yahoo,
>  AOL, Microsoft and Google, combined with smaller
>  web2.0 celeb-run sites like Digg, OpenID appears to
>  be what will eventually be the norm.
>
>  Thoughts?
>
>  I've also noticed that many of these sites are
>  bundling Information Card support (CardSpace on
>  Windows). Sounds like a good idea as it complements
>  OpenID and helps address some weaknesses.
>
>  Again, any thoughts?
>
>  I'm really just interested in a dialog.
>
>  -sr

Re: [Full-disclosure] [full disclosure] agile hacking?

2008-03-19 Thread Petko D. Petkov
try me. I am quite confident that we can make this project into a
salable book but that's not the point. the point is to accumulate
valuable knowledge into one place and if, if this starts making some
money you will decide what to do with them. I am for investing them
back into something positive.

moreover, the project is not a Phrack knock-off as you said. It is
very different. As I said, it won't contain explanations but like hands
on tips/tricks and techniques even the most knowledgeable can learn
from or use as a base reference.

On Wed, Mar 19, 2008 at 5:12 PM, don bailey <[EMAIL PROTECTED]> wrote:
>
>
>  > I have no clue how it will go. However, just because no one has done
>  > it and there are too many IFs, it does not mean that we should not
>  > approach this problem.
>  >
>
>  Actually attempting to submit the book to a publisher would probably
>  not work because they're publishing to make money. How can you make
>  money off a bunch of people no one knows or gives a shit about? The
>  publisher isn't going to be technically capable of researching everything
>  the book claims unless it's old news. So, because you've got a
>  ton of random people contributing that don't necessarily have any
>  valid credentials the publisher isn't going to be confident releasing
>  material they can't substantially verify. Hell, if I were a contributor
>  they'd probably burn the manuscript.
>
>  If you publish the book "open source" online, you're just another
>  Phrack knock-off.
>
>  Either way, it's been done.
>
>  D

Re: [Full-disclosure] [full disclosure] agile hacking?

2008-03-19 Thread Petko D. Petkov
Michael,

I have no clue how it will go. However, just because no one has done
it and there are too many IFs, it does not mean that we should not
approach this problem. If we manage to find a way to crowdsource all
the information in a timely manner, keep up-to-date with the latest
and be at the time as agile as possible, heck, I don't think that
we've wasted our time. We could even come up with a better system for
managing information different from Wikis, forums, blogs, etc. But
that's part of the challenge and the fun. How can you justify being
called a hacker when we cannot resolve a problem like this one? As I
said, for all of us the gain is more than the loss.

100 people 2 short posts = 200 posts. I can post two things in a
single day. Can you? I think it is a good start. But this is a
community project and without a community it won't work.

On Wed, Mar 19, 2008 at 3:24 PM, Michael Krymson <[EMAIL PROTECTED]> wrote:
> I'm not sure a "community book" is going to make a lot of sense, have any
> coherency, or be all that useful. If you want a view of the future, go to
> packetstorm, grab up 100 random text "how to's" and see how well they read
> when placed back to back as a book. It won't be pretty. It'll read worse (or
> better content-wise) than Ankit Fadia's The Unofficial Guide to Ethical
> Hacking, which was a joke even back in the day.
>
> Will the "book" have any point to it, technical oversight, or applicability
> to different environments? It might be great that someone in Pakistan can
> hack wireless router B, but can he only do it from his special build of
> FreeBSD? What about details on attacking gateway C version 1.34.2 that is
> already 2 years old? Is that fair game, even though it is so specific that
> it really just becomes one more bit in a reference manual? Will the material
> be outdated by the time it even gets posted? Are you teaching principles or
> specifics? I wonder if your "book" will be heavily weighted towards web
> attacks and hardware gateway attacks. That would be a shame, but might be
> defensible as the hot new topic in recent years...but you'd lose out on the
> chance to include networking voodoo and OS/code ninjitsu. I'm sure everyone
> can learn something beyond their slice of the pie, which would be a benefit
> if you can get a more even field of submissions.
>
> Agile hacking might be taken to mean you should teach people how to hack in
> general, not how to hack specifics. Teach a man to fish... Just a quibble on
> your choice of subject line. Can someone reading a hack how-to be able to
> apply it agilely to other situations?
>
> You might be better served encouraging participation in a wiki-styled site
> as opposed to some book. Allow for search, peer review, and anonymous/open
> submissions. You can then control the categories and maybe exert some
> editorial review to keep the spirit of the work centered without deviating
> into a load of crap with some gems hidden here and there. Is it browsable?
> Is it readable cover-to-cover? Or is it a categorial or search reference?
>
> Heck, you can even use forums, but make sure not everyone can create new
> threads. Only create threads for appropriate materials but allow open
> commenting on such posts.
>
> Of course, any attempt to exert editorial control will result in loud and
> unhappy kiddies who think you're a nazi and have no skill and suck just
> because what they wrote belongs in some hacker kiddie group e-zine that
> rambles for 87 pages. Such is the nature of our field, it ranges from high
> school kiddies to geek squad tech support jockeys to pen testing consultants
> to fortune 100 managers with some technical chops. Who do you want to
> include?
>
> Then again, maybe you just need to do it, naysayers be-damned, and see how
> it goes. But I'd be concerned that you're wasting your time. Though, it'll
> get you attention and as most marketers may say, any attention is good
> attention. Successful or not, it keeps you busy in the eyes of the
> journalists who give you the press. (Or maybe you can do a Month of PDP Book
> Submissions?) :)

Re: [Full-disclosure] agile hacking?

2008-03-19 Thread Petko D. Petkov
reepex,

you are the only one backing up thoth, read on all comments... I don't
bash people. I encourage them and this is present in all my work and
the work behind the GNUCITIZEN umbrella. Not I, but the crowd hanged
him, as well they will hang you for your arrogant, egocentric, foolish
and rather juvenile behavior. I personally don't care about you, nor I
care if you like the work on GNUCITIZEN or even my work. In my eyes
and the eyes of others you follow very basic parasitic social pattern:
making a name for yourself not based on your knowledge but based on
your arrogant, bottomless comments.

You don't lead by example! You are a parasite, a vampire, sucking
blood and energy from those around you. I hardly doubt that anyone can
consider you as a friend or even appreciate your skills and knowledge
when you are nothing more but a vulture.

Comparing the Agile Hacking project with books such as "How to Own a
Continent" (by FX, Paul Craig, Joe Grand, and Tim Mullen...), "How to
Own the Box" (by Ryan Russell, Ido Dubrawsky, FX, and Joe Grand...),
"How to Own a Shadow" (by Johnny Long, Tim Mullen, and Ryan
Russell...), "The Art of Intrusion" (by Kevin D. Mitnick, and William
L. Simon..) and the "Hacking Exposed" series (by some of the most
recognized information security experts such as, but not only, Johnny
Cache, Chris Davis, Stuart McClure, Joel Scambray, Andrew Vladimirov,
Brian Hatch, David Endler...), is nothing but a flattering comment. I
hope that this project achieves and even supersedes their success.
These are some of my favorite books and I have a great respect for
their authors.

You and all others who support your dying cause and who have
repeatedly attacked what we have built from scratch with far too many
sacrifices, can laugh now but the simple fact is that you will never
even come close to what we have already achieved and gave to this
community. You and all other Full-disclosure trolls proved to be
untrustworthy, unworthy even creatures. I hope that your real
identities stay well hidden behind your nicknames as I highly doubt
that you will succeed in life. If I were in your place I would have
reconsidered my values. Your and the other trolls' comments are not
satire but idiocracy as a fellow GNUCITIZEN reader has pointed out.

Kind Regards,
pdp

founder of GNUCITIZEN, information security research, penetration
tester, life hacker, co-author of two best-selling books, author of
numerous printed publications and online media outlets, active speaker
and opinion former, hacker culture evangelist, founder of Hakiri,
entrepreneur, lecturer, etc...

I am far behind the people I look after for inspiration and guidance
but I am well ahead of you.

On Wed, Mar 19, 2008 at 8:35 AM, reepex <[EMAIL PROTECTED]> wrote:
> so no one respects me, i bash people's projects, etc... whatever.
>
> You still do not explain why you have the attitude that any who does not
> like your work or ideas is a talentless troll that you can brush off.
>
>
>
> On Wed, Mar 19, 2008 at 2:40 AM, Petko D. Petkov
> <[EMAIL PROTECTED]> wrote:
> > Dear Reepex,
> >
> > Unfortunately, you've already lost all the respect for a larger
> > portion of people on this mailing list as well outside of it. You have
> > never led by example but by bashing people on what they try to
> > accomplish. Everyone who has been in this industry/life style for long
> > enough knows that they don't know everything. In fact, as the saying
> > goes: "A wise man never knows all, only fools know everything".
> >
> > My advice to you is to stop pretending being someone and be who you
> > are. If you think that this project is crap then help to make it
> > better. Everyone that has ever written a book, knows how hard it is to
> > put everything together and how frustrating it is to want to put the
> > things that you want not having the chance to do so. It is easier to
> > say what is crap but 100x harder to do it right. Also, it is very
> > easy to take apart people from what they have accomplished, I've done
> > it myself:
> >
> >
> http://www.gnucitizen.org/blog/hamster-plus-hotspot-equals-web-20-meltdown-not/
> >
> > but 100 of times harder to put yourself in their shoes:
> >
> > http://www.gnucitizen.org/blog/reconsidering-the-side-jacking-attack/
> >
> > Again, lead by example not by baseless comments.
> >
> > Regards,
> > pdp
> >
> >
> >
> >
> > On Wed, Mar 19, 2008 at 3:59 AM, Nate McFeters <[EMAIL PROTECTED]>
> wrote:
> > > Ok, I'll buy that, that's reasonable.  I wasn't in the exchange with
> thoth.
> > > I guess when I read about a community project to write the ultimate
&

Re: [Full-disclosure] agile hacking?

2008-03-19 Thread Petko D. Petkov
Dear Reepex,

Unfortunately, you've already lost all the respect for a larger
portion of people on this mailing list as well outside of it. You have
never led by example but by bashing people on what they try to
accomplish. Everyone who has been in this industry/life style for long
enough knows that they don't know everything. In fact, as the saying
goes: "A wise man never knows all, only fools know everything".

My advice to you is to stop pretending being someone and be who you
are. If you think that this project is crap then help to make it
better. Everyone that has ever written a book, knows how hard it is to
put everything together and how frustrating it is to want to put the
things that you want not having the chance to do so. It is easier to
say what is crap but 100x harder to do it right. Also, it is very
easy to take apart people from what they have accomplished, I've done
it myself:

http://www.gnucitizen.org/blog/hamster-plus-hotspot-equals-web-20-meltdown-not/

but 100 of times harder to put yourself in their shoes:

http://www.gnucitizen.org/blog/reconsidering-the-side-jacking-attack/

Again, lead by example not by baseless comments.

Regards,
pdp

On Wed, Mar 19, 2008 at 3:59 AM, Nate McFeters <[EMAIL PROTECTED]> wrote:
> Ok, I'll buy that, that's reasonable.  I wasn't in the exchange with thoth.
> I guess when I read about a community project to write the ultimate hacking
> book, I assumed people from all backgrounds of security would be interested
> in contributing... maybe that's a bit of a Utopian view, but I could imagine
> a one stop Frankenstein of a book (probably one so large you couldn't even
> carry a hard-copy) that has some really great great stuff if the right
> people contribute.
>
> Right now, I've got disjointed information everywhere that I reference for
> various things all over my damn computer and bookshelves... Uninformed
> papers, presentations from various sources, manuals, books, blah blah blah.
> If it was done right, I think the book could be pretty damn cool.  Of
> course, that depends on the community support and the content that comes out
> of that.  I'm not sure what PDP has envisioned for the book, I've been just
> too busy today to give the article a good read, but I've always been very
> interested in these community projects.
>
> I think that's why I love ToorCon and really was bummed that I didn't get to
> make it out to 24c3 this year... lots of collaboration going on there.
>
> Nate
>
>
> On 3/18/08, reepex <[EMAIL PROTECTED]> wrote:
>
> > On Tue, Mar 18, 2008 at 10:36 PM, Nate McFeters <[EMAIL PROTECTED]>
> wrote:
> >
> >
> > >
> > > I don't consider myself a 'kiddie' and I've considered contributing to
> it.  I feel like the old adage of blowing out someone else's flame to make
> yours burn brighter applies here.  Reepex, I didn't get a chance to see your
> presentation at kiwicon, bit too expensive for an American on a tight budget
> to get out there, but if you have a link, I'd love to have a look.  We've
> talked before, so I assume the presentation is good since I know you know
> your stuff; however, I've also seen some cool stuff come out of PDP and
> Gnucitizen... why the need to bash?
> >
> >
> > I did not give the talk, thoth did. The reason I brought it up is because
> of
> > http://www.gnucitizen.org/blog/agile-hacking/#comment-116766
> > where pdp blindly assumes thoth does not have a clue, while not knowing
> his background which must be some strange complex where people think anyone
> who disagrees with them is inferior.
> >
> > >
> > >
> > >  Web app hacking may not be the coolest topic in the world to yourself
> and many others, but it is something that a lot of companies are concerned
> with these days,
> >
> >
> > Yes and we agreed web hacking has its place... the point I made was that
> you cannot write 'the best hacking manual ever made' as pdp is touting it
> while only covering web hacking and running combinations of different tools
> such as kismet/tcpdump that pdp mentioned as an example.
> >
> >
>
>

Re: [Full-disclosure] agile hacking?

2008-03-18 Thread Petko D. Petkov
well, let's see how it goes

On Tue, Mar 18, 2008 at 7:19 PM, reepex <[EMAIL PROTECTED]> wrote:
> Just because you call me troll doesn't mean you should ignore my questions.
>
>
>  Who is your book aimed towards? You said this will be the ' best hacking
> reference/manual/book ever made' . Doesn't that mean it should contain lots
> of low level/kernel level exploitation of which you are incapable? Covering
> web based stuff doesn't exactly qualify a book as the best hacking reference
> ever made.
>
> It seems you are going to write a grand manual for script kiddies and other
> non-talented people who like to run scripts and perform XSS.
>
> Also I find it funny you told rzn that you think of more original ideas
> everyday than he does when your two 'ideas' for the book were:
>
> 1) running kismet and tcpdump at the same time
> 2) 'How can you write a small .COM virus without a compiler or any other dev
> tools?'
>
> Seeing how both of these have been 1000s of times (
> http://www.awarenetwork.org/home/iqlord/articles/extreme.coding.txt ) how
> are your ideas original or interesting?
>
> Your book is going to be lame and grouped in with the mitnick books, how to
> own series, and 'hacking exposed' collection.  I guess this isn't new to you
> since only CISSPs liked your previous work anyway.

[Full-disclosure] Agile Hacking

2008-03-18 Thread Petko D. Petkov
http://www.gnucitizen.org/blog/agile-hacking/

Help us create the best hacking reference/manual/book ever made. We
provide the scene, the resources and the money, and you keep the
credits and the control over the eventual profits. Read on.

During the next couple of months we are open for your submissions. The
idea is to harvest the knowledge of the crowds in order to create the
best hacker manual ever made. The process is very simple. We, as well
as you, will commit new hacks, tips, tricks and techniques in the
fields of information security to our system. Each hack will be
published under its author's Name and URL (blog, site, etc) on the
blog under the title and category of "Agile Hacking". Once we have a
good enough number of hacks, we will tip some money in, in order to
make our mutual work into a book, which will preserve all the credits
of its authors. The book will be available for a free download but
also as a hard/soft cover printed version. If the book makes some
money, you will decide how to spend them.

"Agile Hacking" like in quick and well-coordinated in movement or
marked by an ability to think quickly, mentally acute or aware.
Overall, a breathtaking experience. Keep it small, keep it simple,
keep it agile!

It just cannot get better than that. Now is the time to become part of
the history. We will soon open a more agile interface for your entries
but we are still hesitant on the actual implementation as we would
like to keep the process as simple and transparent as possible. So,
for now, and maybe for the future, keep posting your entries to our
group email at [EMAIL PROTECTED] Let the experiment begin.

pdp


Re: [Full-disclosure] agile hacking?

2008-03-18 Thread Petko D. Petkov
reepex, I know how much I know and I know that you fall into the group
of lamers, trolls and all other unfriendly inhabitants (you know who
you are) of full-disclosure who are incapable of showing what they
know and incapable of producing anything of a value so that they keep
doing what they do best - bragging on the skills they/you pretend to
have. even if you have any skills, which I highly doubt, since you
repeatedly proved the lack of, you mostly gained them by
mirroring/cultivating what others have achieved and made public for
you to learn.

therefore, your email is a manifestation of your own insecurities.
this is to be expected from your kind.

Kind Regards,
pdp

On Tue, Mar 18, 2008 at 7:29 AM, reepex <[EMAIL PROTECTED]> wrote:
> Since you admit you do not know anything interesting related to low level
> hacking I guess your amazing hacker book will be a mix of the hacking
> exposed series ( profiling of tools the books' authors are incapable of
> writing ), and a bunch of lame high level bugs that only idiots who run the
> read mitnick series ( art of deception, intrusion ) and the how to own a
> {network,continent} will enjoy?
>
> also why didn't you mail full disclosure about your new project?
>




[Full-disclosure] securls.com

2008-03-12 Thread Petko D. Petkov
I would like to inform you that securls.com is back online: Harder,
Better, Faster, Stronger!

http://www.securls.com

and it has videos...and you can also have your own premium page for a
small fee (that's for companies/organizations that are interested). We
will keep improving the service so that you will never ever miss
what's going on in this crazy, crazy industry.

cheers
pdp

-- 

http://www.gnucitizen.org
http://www.gnucitizen.com

GNUCITIZEN


[Full-disclosure] like goolag but online

2008-03-04 Thread Petko D. Petkov
cDc's goolag tool is pretty cool but here is an online alternative for
those of you who are interested: http://www.gnucitizen.org/ghdb/

pdp


[Full-disclosure] The Router Hacking Challenge is Over!

2008-03-02 Thread Petko D. Petkov
http://www.gnucitizen.org/projects/router-hacking-challenge/

The Router Hacking Challenge is Over! We've got some very interesting
results which prove that routers', and in general embedded devices',
security is poor. There is definitely more room for further
development and we urge security researchers and hobbyists to keep the
challenge alive with new submissions. I hope that the challenge was as
educational and entertaining as practical and useful to all of us.

Here is a quick summary, in no particular order, of the types of
vulnerabilities we are exhibiting:

* authentication bypass
* a-to-c attacks
* csrf (cross-site request forgeries)
* xss (cross-site scripting)
* call-jacking - like making your phone dial numbers or even survey
room's sound where the phone resides
* obfuscation/encryption deficiencies
* UPnP, DHCP and mDNS problems - although not officially reported,
most devices are affected
* SNMP injection attacks due to poor SNMP creds.
* memory overwrites - well it is possible to overwrite the admin
password while being in memory and therefore be able to login as admin
* stealing config files
* cross-file upload attacks - this is within the group of csrf attacks
* remote war-driving - way cool
* factory restore attacks
* information disclosure
* etc, etc, etc

Please check the project page for more information and be sure that we
will continue posting interesting info on that subject in the future.
Also, if you have some findings on your own, pls let us know as we are
very interested to learn about.

pdp

-- 

http://www.gnucitizen.org
http://www.gnucitizen.com

http://www.hakiri.org

GNUCITIZEN
