Re: [Full-disclosure] scanning
Nightfall Nightfall wrote:

Is it illegal if I perform a vulnerability scan on a site without permission from the owner? How about a simple port scan? thanks..

___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

For research probably no. A lot of this stuff hangs on intent. When we ground away on computer crime legislation we tried to keep innocent acts from being criminalized. So in general things done out of curiosity are pretty safe. However be squeaky clean. If your house/apartment and disk drive are littered with "destroy the established powers" literature then you are close to the ham sandwich that can get indicted. If it is full of "gee whiz this tech stuff is neat and let's go and explore" then you look like a ham sandwich and more like a chicken salad sandwich or better yet a tofu surprise sandwich which are much harder to indict.

This is all said in kind of analogical fun jest but as they say many a true word is said in jest.

Have Fun, Sends Steve
Re: [Full-Disclosure] Fwd: Re: FullDisclosure: Security aspects of time synchronization infrastructure
I have no idea what this is all about but I suspect some have become like angry hornets trying to sting in all directions at anything that bothers them. There is so much quotation out of context, confusing who wrote what to whom. This is the sad state email has decayed to alas. It used to be information was sent back and forth via email, now it seems ranting and screaming and preaching to those who want to hear is the best. Mindless insults are the worst and I fear becoming par for the course of things. This is really sad. Most of us old timers will just lurk and shake our heads. It is sad.

Have Fun, Sends Steve

3APA3A wrote:

On Wed, Dec 07, 2005 at 11:54:08PM +, n3td3v wrote:

Go study internet security for 7 years, do CS at college, learn computer programming in C++ and PHP, find hacks for Google/ Yahoo, setup your own security group, be friends with hundreds of people in multiple scenes, have IM and E-mail contact with some of Yahoo's top security advisors and security engineers, then you can come back to this list and challenge me. FOOL!

Yes, I'm sure we'd all like to "be friends with hundreds of people" so that we could "challenge" you. Please, could you people just put it away and zip up? The entire world, I promise, is tired of this bullshit.
Re: [Full-disclosure] I'm ready to tell the police
Interesting thought; This certainly would make something happen if they got interested but of course you should have something juicy for them. They will be snarly if it seems to them to be a grumped out ex-employee or worse yet a current internecine fight between groups of employees. This is what it seems like right now. Although TV has been known to cover all sorts of rather questionable things. So I'd like a 1000ml-2000ml of soda and popcorn w lotsa butter and salt.

Have Fun, Sends Steve

Exibar wrote:

nevermind with the police you want to talk to Dateline, or 20/20. Dateline is really big on the whole "evil internet" thing right now so they are ripe for this story, if it's true... the media is the way to go if you really want to turn the "bad guys" in. You might even earn some credibility too

Exibar

- Original Message - From: "n3td3v" <[EMAIL PROTECTED]> To: Sent: Sunday, May 21, 2006 8:45 PM Subject: Re: [Full-disclosure] I'm ready to tell the police

On 5/22/06, Michael Silk <[EMAIL PROTECTED]> wrote:

yep, fd definitely needs its own tv show. i'd watch it ...

You think this is a joke? n3td3v was never a joke, but everyone on fd treated it like one. We're the biggest group around of rogue employees at major internet companies aka dot-coms... i'm ready to walk up to my local police station right now just get hand them in, i'm not having a major breakdown... ive known them for 7 years and now im ready to hand myself in and give evidence against these guys at yahoo
Re: [Full-disclosure] For the attention of Mi5, Mi6 or Symantec
womber wrote:

Every time I read his posts I picture Napoleon Dynamite. Cause I bet he's got nun chuck skillz to go with his hacking skillz. Oh, I'm sorry. He's not a hacker, but a security "researcher".

Don't Be too Hasty

Security Researchers first proposed the discovery of "Project Paperclip" after World War II and that was supposedly "that damn conspiracy monger stuff" for many years to skeptics but it is now pretty much proven and part of the official canon that went "boom!" ;)

Have Fun, Sends Steve
Re: [Full-disclosure] I'm ready to tell the police (Note I was going to retire from this one but I thought it deserves at least a sensible reply with real information
n3td3v wrote:

On 5/22/06, Michael Silk <[EMAIL PROTECTED]> wrote:

yep, fd definitely needs its own tv show. i'd watch it ...

You think this is a joke? n3td3v was never a joke, but everyone on fd treated it like one. We're the biggest group around of rogue employees at major internet companies aka dot-coms... i'm ready to walk up to my local police station right now just get hand them in, i'm not having a major breakdown... ive known them for 7 years and now im ready to hand myself in and give evidence against these guys at yahoo

The problem is that things that go whoosh by on the Internet these days are often pretty out there so often everyone gets covered by the same broad brush whenever one believes/behaves strongly about something. I haven't followed all of this but if you think you can prove your point or convince some ADA (Assistant DA) to do something go try it. Santa Clara County's DAs are known to be gung ho, although in police work it is street work and gangs and all that stuff that is exciting to them. The arcane goings on in Internet Companies are often seen by them as something that is the proverbial hard nut to crack and so unless it gets attached to some hot button issue like (sigh**3) terrorism then it doesn't go anywhere. Usually such investigations require that computer experts have to be brought in from outside and they have to be dealt with, unless the FBI can be gotten to be interested.

Also if the charge is generally that company A's employees or "your" (as in you plural) are in some small cabal stealing company secrets it is often viewed by many law enforcement types as the rough and tumble of business and is seen as halfway "normal" or "disgusting but it's not like gang warfare man" or not such a bread and butter of law enforcement sadly like drug enforcement has become.
White Collar types never seem really evil unless there is a real Patrick Bateman out there;) to many people. Patrick Bateman is a figment of Bret Easton Ellis' imagination and that is something one's accusations have to rise above in order to get action out of the authorities, in the case here you are talking about ADAs which is assistant district attorneys who are the people you should try to bend the ear of. However mira! vide infra! (Look Out Below!;)

So that's what you are up against. That and being labeled as the disgruntled employee who for personal and emotional reasons just wants to bring people down. Many a law enforcement type has got into some investigation based on someone's say so and they put lots of effort into it and it came to nothing. The Law Enforcement types want to know real clear details of wrongdoing, although they will listen a lot sometimes. It has to be something real that has real details that doesn't sound like a movie plot of spooky geek psychos from hells in secret cabals to do spooky stuff a la Swordfish (the movie) which is kind of what your accusations sound like right now to me.

Note a plea from us civil liberties types. If you are serious please try to get your facts straight and don't spike it with a hot button issue to get their attention like terrorism or child pornography and sex crimes with children or other legal attention getters unless there is factual truth to it. Note even here the powers that be got burned dealing with tech land. Remember the Java Co-Inventor who the powers that be tried to pretty much harass because he went to visit some young thing via his private jet and how there was a big furor and it all fell apart on the authorities side. Note Well from all information we have this was the correct thing because it was just a geek being geeky and running off to see someone he wanted to chat with and didn't care if she was 11 or 111 but just had some neat ideas.
So please don't spike your ideas with something hot just to get their attention. Right now I will be honest, it does sound like a conspiracy story with tales of "black hats" and a secret cabal that sets out to get people hired based on their relationship to the secret cabal who are set up to do things based in something like "black hat social culture" and the accusation is like trading in yahoo secrets to Google, well without proof the mind boggles. It is not like the internal knowledge of yahoo is state secrets of any of the large powerful countries in the world. Please don't muddy the water by spreading clouds of unproved or unprovable accusations, we are already dealing with a world in which hot button issue worries, like terrorism here, and terrorism and especially paedophilia in the UK have really got prosecutors and The Crown in the UK having too much power already and causing lots of subtle but very real and often ve
Re: So tell the police already (Re: [Full-disclosure] I'm ready to tell the police
Rowland wrote:

Here I am taking notice of a thread in the middle, but I just can't resist jumping in. I'm perverse that way.

You think this is a joke? n3td3v was never a joke, but everyone on fd treated it like one. We're the biggest group around of rogue employees at major internet companies aka dot-coms... i'm ready to walk up to my local police station right now just get hand them in, i'm not having a major breakdown... ive known them for 7 years and now im ready to hand myself in and give evidence against these guys at yahoo

If I were in this position I'd cut the bluster short and go straight to the action. In fact I'd have turned the wrongdoers in already by now. Seven freaking years already? What have you been doing all that time? Don't tell it to us. Tell it to the police. Then tell us what happens. I'd really like to know.

--- My skills and contact info: http://www.blcss.com/contactme.php Public Freenet gateway: http://blcss.com/cgi-bin/fr.pl

I tend to agree ok something woke me up so I may as well dig my response out of mothballs, which is where I thought it belonged and send it. So I will so see you next message.

Have Fun, Sends Steve
Re: FALSE FLAG Re[2]: [Full-disclosure] **LooseChange::Debunk it??**
I traslly think we do. I mean what I was getting at, and this was so off topic as to be out there, was the whole feeling one gets these days of being in a Sally Cruishank, whose name I could never spell correctly, video where at the end something really spooky does happen to someone. I wasn't going to even get near the arguments about 9/11 because they are pretty emotional and the conservative (nothing weird happened) side are the exact people who seemed to end up having worked in the government who keeps telling us, "oh nothings weird..it's all the way we say it is" and at least in many cases it comes out years later "oh whoops we did that...but we had to do it..." This is in reference to Project Paperclip which used to be hot stuff and something only "conspiracy radio buffs" believed in but is now pretty documented.

However I have known enough lonely half crazed graduate students unsure of the powers they were going to serve and the enterprises they were going to get into after they "get out" and I know enough people in other countries where dislike of the US Government and its symbols runs deep that I can see a bunch of crazy grad students got together and some how pulled off some truly hideous stunt and in the process gave a lackluster loser one term daddy's oil money money boy got me da be da president a chance to play commander in chief with the worlds most powerful armed forces and really make a mess of someplace worse than it ever was before the US intervened, bash the US constitutional Bill of Rights Real Hard and go on being stupid failure after failure.

Speaking of fun films it is like: http://www.letsbombiran.com/ This is what the whole enterprise in Iran seems like and the mentalities involved. The problem with the 911 inside job folks is they sound very much like the "If I can't be right let me be wrong at the top of my lungs" types.
While I have my doubts of official stories and looking only within the prescribed box to find solutions if the people who believe otherwise had strong evidence it would be better if they just stated it and let it stand on their own merits rather than resorting to personal attacks. But, oh well it used to be a quiet neighborhood until the humans got out of control.

Have Fun, Sends Steve

P.S. Enuff of this silly stuff for awhile. Grey Hat ...Ok hows about Zone VI or VII in the Ansel Adams Zone System eh?;)

Rob "Nexis" Nelson wrote:

Oh my god, this is classic. A bunch of gray-hats arguing about physics. Man, FD needs its own talk show or something. Oh, and you spelled fuck wrong :)

donnydark wrote:

Hello Steve, This whole discussion does not belong on this mailing list. HOWEVER, you are so fvcking stupid it hurts:

Furthermore, you have a logical fallacy in your argument, because you are insisting that a controlled demolition collapse would be faster than an accidental collapse. Which part of the equation tells you that? Objects fall at 32 feet per second per second. The *cause* of the fall is irrelevant.

WRONG, asshat. The cause affects the fall in this case. If the building was collapsing, the top falls down and HITS the floors below, those floors are MASS at REST, and thus absorb downward inertia. It is not free fall, because the building is hitting down upon itself. In demolition, the building "below" is blown up, thus allowing the top part to FREE FALL without losing inertial energy and slowing down. THAT IS THE DIFFERENCE YOU STUPID FVCK. The American government pulled a FALSE FLAG op and killed its own citizens. FVCK BUSH If you are reading this and your head is in your ass, I suggest you PULL IT OUT and read this: http://en.wikipedia.org/wiki/False_flag LOOK AT _HISTORY_ AND LEARN, YOU IDIOTIC SHEEP. http://en.wikipedia.org/wiki/Operation_Northwoods Operation Northwoods, or Northwoods, was a 1962 plan to generate U.S.
public support for military action against the Cuban government of Fidel Castro as part of the U.S. government's Operation Mongoose anti-Castro initiative. The plan, which was not implemented, called for various false flag actions, including simulated OR REAL STATE * SPONSORED TERRORISM (SUCH AS HIJACKED PLANES) on U.S. and Cuban soil. * The plan was proposed by senior U.S. Department of Defense leaders, including the highest ranking member of the U.S. military, the Chairman of the Joint Chiefs of Staff Lyman Louis Lemnitzer. That is just one example you idiots. WAKE THE FVCK UP. The next time you have a zeroday remote, don't you dare publish it instead use it against this murderous asssucking piece of sh1t government, which MURDERED thousands of US citizens with bullsh1t smoke and mirrors, just to get at some fucking OIL!! *SKULLFVCK* *BUSH* *TO* *DEATH* ! ___ Full-Disclosure - We believe in it.
Re: [Full-disclosure] **LosseChange::Debunk it??**
Paul Schmehl wrote:

Pete Simpson wrote:

You have confirmed that the data are correct, you have no way to attack the principles, so where is the logical error? Be very precise.

Pete, are you even reading what I wrote? A building the size of the twin towers would fall to the ground in under 10 seconds, per the standard calculations that, as you say, any high school student would know. How much more precise do I need to be? Your calculations are incorrect by an order of ten. Instead of 90+ seconds, the answer is 9.0+ - IOW, precisely the same amount of time it took for the buildings to actually fall.

Furthermore, you have a logical fallacy in your argument, because you are insisting that a controlled demolition collapse would be faster than an accidental collapse. Which part of the equation tells you that? Objects fall at 32 feet per second per second. The *cause* of the fall is irrelevant.

Now, you're obviously wedded to this belief of yours that the government conspired to collapse the buildings. Why is irrelevant. But until you can deal with the facts staring you in the face, there isn't much point in continuing this discussion.

BTW, there's no need to cc me on your posts. I can read the list just fine.

This is really material for a poli group. The interesting thing is that we indeed seem to have elected a government that many of us don't trust and think is up to no good. I am sorry but this is unusually high. I have heard too many curious things from too many people who one I would have never heard such things from in the past. Of course there is an election coming and we can throw some of 'em out of office. Of course some of this sounds like a Sally Churkshank(sp?) Short like her "Charbucks" presentation, which lives here: http://www.funonmars.com/charflash.html But every time I hear these things thing comes to mind and it is like one is living in a Sally C production. Still really I dunno whether this would be better talked out on a poligroup. But the amount of emotion devoted to all of this is interesting. One would not expect one's friend's child's 4th grade teachers to be into these sorts of things.

Have Fun, Sends Steve
Re: [Full-disclosure] blue security folds
Teenagers have always been the best things that have happened to my machines. I swear I have learned how to fix, find and debug more things via the things they have accidentally installed on my machines than any of the standard text book ways. Also teaching them how to do things has really helped me keep my up and improve my skills. So I guess La Dimpulz Speed of Light Fingers is a blessing in disguise almost all of the time. Actually, a "here's what's going on, here is why it is bad and here is what you can do to help" works wonders most of the time.

Mostly I blame the "you don't need to know nothing about the technology culture" we are slipping into. We get old "get this network magic" power toy and it will arrange it so so you can do things with a few clicks of the mouse and not knowing anything about how anything really works. What would be nice is a tool like that with a manual that explains how things actually work when you do those few clicks of the mouse.

Have Fun, Sends Steve

evilrabbi wrote:

Actually at the ISP I work for we do monitor for botnet activity. It's really not that hard to notice them either. You really have to not know anything or just not care to miss the traffic. I've cut off more than one user because of issues like. After cutting them off I'll give them a call and tell them why, offer proof, explain the proof (ie make them type ipconfig /all so they can see their mac address because it adds validity in their eyes), then I refer them to a computer store we also own. Generally they are happy that we noticed so they can get their machines cleaned up.

On 5/17/06, Gaddis, Jeremy L. <[EMAIL PROTECTED]> wrote:

nocfed wrote:
> And if the ISP's could get their act together then most of the botnets
> would be no more. This _IS_ something that can be controlled, to an
> extent. Many of the network administrators need a course in
> Networking 101 which will greatly assist in tracking down the source
> of attacks. If botnets are required to use their own IP's then how
> hard would it really be to track them down and disable them?
> Disruption of the end users connection and a flag on their account
> should clean them up, although not 100%. So if you want someone to
> blame, blame the ISP, blame the hosting service, and blame the end
> user.

While I agree (mostly), getting the ISPs to do what you suggest will never happen. If I, Joe Clueless User, have a bot running on my PC spamming half the world, and my ISP notices this and shuts me off, what will I do? Assuming I'm like the majority of users and either a) don't know, or b) don't care what they're talking about, I'll cancel my account and switch to another ISP (that won't shut me off). To do what you suggest would be for the greater good of the whole "Internet community", but would negatively affect $ISP's bottom line. Since we all know they only care about themselves, well, draw your own conclusions...

-j

-- Jeremy L. Gaddis GCWN, MCP, Linux+, Network+ http://www.jeremygaddis.com/

-- -- h0 h0 h0 -- www.nopsled.net
Re: [Full-disclosure] Re: Shell accounts
Can people refrain from stupid one line statements that prove nothing and only waste time. These categorical issues can be argued back and forth forever. Of course my little counter argument is there are lots of people who would like people to believe they have no privacy, because it suits their interests. In fact there is probably lots of privacy still around but none of it is absolute.

Have Fun, Sends Steve

Micheal Turner wrote:

You have no privacy anymore, get over it.
Re: [Full-disclosure] Full Disclosure "Code of conduct" AND ALL THAT JAZZ
Being an old timer from the ARPANET and dare I say PDP-10 days something is kind of baffling to me. That is it seems that many people just won't use private person to person email for much of anything. This baffles me to no end. I mean many a time I might just like to say something to a few people and not blast it to a whole list. Whether it is something like "Ok, the kids I teach meteorology to are taking more of my time than they did last month so I am going to spend less time on say computer security and operating systems issues or Canadian Politics, but I'll get back to it as soon as I can." I don't think I am that impressive a contributor that I should broadcast it to the whole list. But it seems if I send private messages around it's like people ignore it. And being aware of spam assassin and vizazzodado's razor and all that stuff I use prose that won't run afoul of those things still people seem to act sometimes as if all private mail is spam or evil lurking pedophiles or whatever and never check their private email. A couple of people on a Canadian Poli group told me they just ignore their inbox.. Is this becoming a common practice? I know it isn't so here, because people at least give me the kindness of a reply. The same with medical groups. But I do say Political Interest and Intelligence do sometimes seem inversely related, Cute though.

Anyone with lots of spare time even think of writing "TROLL-BOT" that would float around acting like a troll and seeing how many people would respond to it and what the responses would be like. I was wondering if someone in some place was going to write up a "lonely girl bot" that tried to get naive lonely guys to wire money by Western Union to Nigeria. Oh well humans are a strange lot.

Have Fun, Sends Steve 0.0. 0.

GroundZero Security wrote:

The trolls aren't the problem, it's the retarded morons who keep responding to and arguing with them.

So that means you too are a retarded moron ?
- Original Message - From: "Anders B Jansson" <[EMAIL PROTECTED]> To: "Full Disclosure" Sent: Sunday, May 07, 2006 3:09 PM Subject: Re: [Full-disclosure] Full Disclosure "Code of conduct"

Aaron Gray wrote:

I am suggesting that we all cooperate and produce a "Code of Conduct" for participating on the Full Disclosure mailing list. Suggested start :-

1) No Swearing
2) No slagging others off
3) No selling of exploits and vulnerabilities

I have a much better list.

1. Use what ever fucking language you want.
2. Shut the fuck up unless you have something to contribute with.
3. DON'T FEED THE TROLLS.

If someone posts something that you think sucks, then _mail that person_, you don't have to mail the list to state this. If you're right, we already know, if you're wrong, you're just adding to the noise. The trolls aren't the problem, it's the retarded morons who keep responding to and arguing with them.

-- // hdw
Re: [Full-Disclosure] The 'good worm' from HP
Wowzers folks! I seem to be getting messages that are a cross from the "full disclosure" group and the "Rhizome Multidisciplinary Art Group." If this was intentional I am quite happy to cheer it on. If it's a bug that's causing it I will have to track it down and see wassup in all of this stuff.

Have Fun, Sends Steve

The Central Scroutinizer wrote:

-- Pall Thayer [EMAIL PROTECTED] http://www.this.is/pallit

+ -> post: [EMAIL PROTECTED] -> questions: [EMAIL PROTECTED] -> subscribe/unsubscribe: http://rhizome.org/preferences/subscribe.rhiz -> give: http://rhizome.org/support + Subscribers to Rhizome are subject to the terms set out in the Membership Agreement available online at http://rhizome.org/info/29.php

From: Ryan Griffis <[EMAIL PROTECTED]> Subject: RHIZOME_RAW: Re: RHIZOME_RARE: new name for Net Art News? Date: Tue, 6 Dec 2005 22:23:40 -0600 To: rhizome <[EMAIL PROTECTED]>

in that case... the office should be called "the rhizoom-zoom room" ryan

On Dec 6, 2005, at 9:24 PM, Pall Thayer wrote:

I don't know what you mean. Who _wouldn't_ want to be seen as glittery golden vinyl upholstery and fake leopard skin pillows? I also feel that Rhizome should move their headquarters into a bowling alley and organize monthly fund-raising bowl-a-thons called "Bowling for Bytes" and once a year use the proceeds to invite all the members to a weekend bash in Tijuana.

Art Tomorrow
Re: [Full-disclosure] What is wrong with schools these days?
What Planet does all this hypothetical activity take place on? I for sure have never visited the place. Most school departments are pretty independent. We are far from the days when the Provost had some military powers. Have Fun, Sends Steve
Gaddis, Jeremy L. wrote: Mike Iglesias wrote: Many universities do not have a central IT organization running every computer on campus as you would in a commercial enterprise. They have a decentralized model where each school, department, or research group runs their computers. In addition, you have many students, faculty, and staff with personally owned laptops that they take care of (or not) themselves. So you have many little fiefdoms running computers, some with more of a clue than others. The clueless ones have untrained students running the computers, and most of them don't know much about security. They're told to set up a computer and put this data on it so the professor can do his research. While this often holds true, there should always be a central infosec department that has the ability to kill a switch port. Kill the network connection to a critical server exposing private information and people take notice pretty quick. Central entities in universities, like the registrar, should know what they are doing if they are setting up ways to remotely access information. Yes, they should, but they often don't. Remember, these end users are just that -- users, not security professionals. Not responding to emails and/or phone calls to the security/abuse/etc group is irresponsible, if you ask me. Agreed, though lack of a response doesn't mean nothing is happening. Often times, the first thing infosec must do is contact legal for advice. Legal's first advice is often to simply not respond. -j -- Jeremy L. Gaddis GCWN, MCP, Linux+, Network+ http://www.jeremygaddis.com/
Re: [Full-disclosure] Should I Be Worried?
His question is valid. I mean with Grand Juries going around and letting prosecutors indict ham sandwiches maybe other food groups should be a little worried and cautious. I haven't weighed in on this other than I know people who did manage to get in to their High School's computer and changed the note on the report cards from "If any of these Grades are incorrect please contact ***such and such a school district***" to "If any of these grades seem incorrect please contact your friendly local hacker." This happened decades ago and in the school district it was done in they just rolled their eyes and I guess the kids who did it did get something out of the covert technique stuff they learned from a variety of sources. Have Fun, Sends Steve
[EMAIL PROTECTED] wrote: If you didn't break the law who cares.
On Wed, 26 Apr 2006 11:30:02 -0700 CrYpTiC MauleR <[EMAIL PROTECTED]> wrote: After reading http://www.securityfocus.com/news/11389 it made me think twice about actually going public with my school's security hole by having school notify students, parents and/or faculty at risk due to it. I mean I didn't access any records, just knew that it was possible for someone to access my account or anyone else's. I did not even exploit the hole to steal, modify etc any records. Does this still put me in the same boat as the USC guy? If so I am really not wanting to butt heads with the school in case they try to turn around and bite the hand that tried to help them. Even if my intentions were good, they might even make something up saying I accessed entire database or something. I have nothing to prove me otherwise since they have access to the logs. Already it seems like the school is trying to sweep the incident under the rug, so very wary as to what they might do if they were pushed into a corner and forced to go public. Anyone has any idea what I can do or should I just let this slide? I am already putting my credit report and such on fraud alert just in case, and definitely do not plan on attending this school after my degree or school year is over. A transfer is better than having me risk my data. Regards, CM
Re: [Full-disclosure] kiddie porn warning [was: Fwd: Re: montspace -- child porn (site still up)]
Gadi Evron wrote: Gary E. Miller wrote: And how long did it take that mole to pop back up? Tompa.com is already back on the air. Montspace.com is not back up yet, but that was just Guys, please refrain from going to that site or downloading it. In some western countries just having CP on your PC means your life can be completely ruined without much further evidence or investigation before-hand. Motive is irrelevant. Leave this to the proper authorities. Plus, it will give you nightmares. Gadi.
Luckily in the US the 3rd Circuit sez otherwise. Though I suspect if that was what was all that was on your machine you'd have problems. But I know plenty of investigative reporters who have all sorts of curious things on their computer. Still these issues are interesting enough one often wants to find what got people all worked up. Of course often the sad thing about civil rights it can boil down to having a good attorney. But overall it is better for us all to go through the world with eyes open, rather than referring everything to the proper authorities. Have Fun, Sends Steve
Re: [Full-disclosure] Re: kiddie porn warning [was: Fwd: Re: montspace -- child porn (site still up)]
This is an example of politicos gone wild. What functionally happens is that when some hot button issue comes down the pike every politico wants to be seen as having done something about whatever the big scary thing is. In the 1950s and the early 1960s it was Communism and Communist Infiltration, now it is Terrorism and Child Pornography. So all sorts of laws get passed requiring one to do something just in case. My suspicion is that lots of technical people get burnt out with all of these requirements and put them on the bottom of the list of things to do. I live in a town known for some of its out there residents. I remember that after September 11th 2001 for several years the local FBI office was fielding many phone calls from people who had claimed to have overheard all sorts of diabolical plans while standing in the line at the local post office. They were getting really burned out by it all. I was once a sysadmin for a system that lots of folks had access to, lots of complaints about the "naked kids standing in the bathtub" pix. Which by the way "Simple Nudity is Not Obscene" and all that stuff that came down when artists used their children as nude models. I dunno I haven't ever been able to track down this montspace stuff to see if any of it was really that reprehensible. There is a difference between reprehensible and something that just sets off someone. Usually I wouldn't dignify this with print but since this is something that is often part and parcel of a systemadmin's world, and heaven knows if my health should ever improve enough for me to do that sort of stuff again I suspect it will become part of the world I will have to deal with again and it will be back to "is this something real that real resources should be devoted to, or is it kind of like a "Satanic Panic" and McMartin Preschool Scandal, and all that sort of stuff that really is pretty questionable. Have Fun, Sends Steve
Michael Holstein wrote: (a) When a provider of electronic communications services or remote computing services to the public ("provider") obtains knowledge of facts or circumstances concerning an apparent violation of Federal child pornography statutes designated by 42 U.S.C. 13032(b)(1), it shall, as soon as reasonably possible, report all such facts or circumstances to the "Cyber Tipline" at the National Center for Missing and Exploited Children Web site (http://www.CyberTipline.com), which contains a reporting form for use by providers. Interestingly enough, this form does a "500 Server Error" when you try to use Firefox on Linux. Missing and exploited children can only be reported using IE on Windows, I guess :( I realize that "no good deed goes unpunished" .. but it's hard to maintain a "head in the sand" approach when it comes to such reprehensible things. Not only do we have to fear retribution from perpetrator of a crime, we also have to worry about being victimized by the authorities for doing the "right thing". Sigh /mike.
Re: [Full-disclosure] [Fwd: Re: montspace -- child porn (site still up)]
n3td3v wrote: On 4/17/06, Gary E. Miller <[EMAIL PROTECTED]> wrote: Congratulations, you whacked a mole. This is the funniest shit I've ever heard. The government or whoever set up the website will be pleased. Although the government or whoever should let providers know when there's a mole website on their network, so they are aware not to shut the website down.
I hate to get into International Law stuff here but oh well it is necessary. Usually I prefer to just watch the goings on from a distance. Interpol and legal entities in the UK set up sites to attract kiddie porn aficionados. This works in the UK and Europe but fails in the US ever since the FBI lost the "Innocent Images" case in the 3rd Circuit. Mind you it was the 3rd Circuit and not the much maligned 9th Circuit. The FBI and other enforcement authorities would have liked to have held that it took "just one click to convict". However it can be successfully argued that lots of people, specifically investigative reporters and others covering the "Internet Beat" look at all sorts of sites to get a "lay of the land/net". These sorts of things are old hat to those of us who look over the civil liberties balancing act that goes on in International Law. There is a lot of difference in the US due to the US Bill of Rights, battered as it is by worries about terrorism and the like. Some rights which are automatic in the US are pretty alien in other places. Of course Canada is an even more curious situation where there are things one can do but one can not film or broadcast. Anyway this gets interesting and convoluted but I dunno whether we should go through all of it in full disclosure. Although disclosing the full state of our cyber rights would be an interesting thing to explore if it could be done without as much going into speculation and fantasy as usually happens. Have Fun, Sends Steve
Re: [Full-disclosure] Re: strange domain name in phishing email
Now you do make me feel a tad old. giggle... but no I never did name my cat AOBJN and somedays I still do miss the LIGHTS JSYS.;) But alas ITS was fun and many of us started on it flying fast and loose. Giggle never could go through channels. More I won't say. Have Fun, Sends Steve P.S. Maybe someone should hold a JEDGAR day party;) Which is of course celebrated on the anniversary of his death.
[EMAIL PROTECTED] wrote: On Thu, 16 Mar 2006 18:55:43 GMT, Dave Korn said: It sure is. Please replace the word "octal" with the word "octet" wherever you may have seen it in this thread. An awful lot of people round here don't know the difference. Bonus points if you've been around long enough to have used one of the machines that originally caused the use of "octet" rather than "byte". ;) (How many different ways could a KL-10 processor do a no-op, anyhow? :)
Re: [Full-disclosure] “if you are not doing anything wrong, why should you worry about it?”
[EMAIL PROTECTED] wrote: On Mon, 20 Feb 2006 15:42:35 PST, coderman said: On 2/20/06, Gadi Evron <[EMAIL PROTECTED]> wrote: ... What's to stop them from putting cameras in our showers, next? ugly fat people nekkid? Guaranteed that there's a market for that, and websites already in existence.
And this is a discussion sure to get us techies marked as crude and mean, luckily we are too bright to be called stupid;) If it is young and attractive and female (most techies are alas still male) it should have on as little clothes as possible and be seen as much as possible. If it is not it should go hide away and we shouldn't see it. Oh well we will get so marked. Have Fun, Sends Steve
Re: [Full-disclosure] Orwell's country wants Big Brother backdoor in Vista cipher!
Babak Pasdar wrote: Here is a link to a blog entry I did on CALEA. I think you might find it interesting. http://dsb.igxglobal.com/plugins/content/content.php?content.29 Babak
On Fri, 2006-02-17 at 08:02 -0600, Leif Ericksen wrote: Yikes but go figure... That is step one at this point too many old farts around that would fight more intense step that is yet on the horizon. I see it coming some day and it is inevitable... Does anybody else know what step 2 is going to be when the old farts are gone? OR at least they can cram it down the throat of society starting with the younger ones... AKA the Children? Ok it goes something like this. TCPA is fully enacted on the hardware and almost a software level. But then again you might not need it on the software level, because of WorldGrid. Now your system will have no local hard drive, will have a flash ROM for the OS (Mac is now going to Intel so it will be easier for this to happen) ALL software vendors are attached to world grid so you will always have access to the latest and greatest software available. In comes Micro Transaction Billing. You will be charged a certain small amount to run the software you desire. Your files will be safe and secure on the grid as well so no matter where in the world you go you can always have access to your data. The story continues but I am sure you all can see the stage. Now of course your data is 'safe' because you can encrypt it on the Grid with your own password that you create. IF you have proper TCPA registration you are allowed on the grid and as thus on the Internet, if you do not sorry access denied! Back to the old days of using a modem on a BBS, or use of packet radio and the like. When the Governments of the world start and companies start trying to do this we know it will be the end of computers as we know them today. But as far as back doors in encryption goes, you see these stories pop up every now and again. The only way to prevent a back door is to create your own security system and not put in a back door for your own use. That is the way things go in our great big and wonderful world. -- Leif Ericksen
On Fri, 2006-02-17 at 12:56 +0100, Feher Tamas wrote: Hello all, http://news.bbc.co.uk/1/hi/uk_politics/4713018.stm According to the above article from BBC News, the British parliament is urging Blair government to negotiate with Microsoft to implement a backdoor into the strong hard disk encryption module of upcoming Windows Vista from day one. The interior affairs committee of MPs heard testimony by Cambridge security design expert Ross Anderson. The academician said new TPM-based "BitLocker Drive Encryption" schemes in Microsoft Vista would be too difficult to break in the short timeframe terror suspects can be held without charge and thus cases could collapse for lack of evidence as detainees avoid self-incrimination by inventing tales of lost keys and passwords. The expert's answer is to put a backdoor into the BitLocker program code to bypass password and key checks. Critics argue this move would be hypocrisy, since the TPM based encryption method was invented to protect the interests of music and movie industry in the first place, who wanted to base their DRM schemes on encrypted files, which cannot be modified, ripped or shared meaningfully. Thus encryption is strong when used against the users, but would become weak or non-existent when people could use it for personal legal defence. Regards: Tamas Feher from Hungary.
Living in the so called real world I can understand this. It is very hard to just stop determined US Federal Prosecutors who quietly in meetings politely threaten to bring all the powers of the state down on you if you don't comply. In the US much of the public thinks very highly of the Law Enforcement. The Law Enforcement types are very good at exploiting this. They will have someone call and tell folks "hey you are being uncooperative and you are letting child molesters get away and we will tell the media about it " and that will work in most places in the US. However not as much on the Left Coast. In most of the US most businesses are very rattled about really offending the powers that be. There are a variety of reasons for this. Some is that marketeers tell them not to offend people because you will drive away the 3
Re: [Full-disclosure] Your neighbor's security is critical to your security
Trying to be gentle here, what are your proposed fixes other than a homey proverb and a few examples. I certainly don't want a centrally controlled internet with someone looking over it. You could try to convince people they should be careful on what they click. There are lots of things on the net that say "if you are irritated about say for example, the Patriot Act, click here and we will send a post card to your representative or senator." Now the effect this had was that most senators began to ignore their email. So this has happened in the lowly world of a paper mail being sent. This by the way is my grumble about "grassroots movements" fail because they often to convince their representatives that the ideas they hold have sense rather than being a large amount of worked up people. Of course my counter argument has the other side does the same thing of working people up and trying to get them to accept a bunch of policies that are not based on reality. That is why I pretty much expect people to present a reasonable and concrete plan against what they are worried about, and that they establish what they are worried about is a reasonable thing to be worried about. I doubt you can convince 2% of the Internet to click something to bother someone if they realize it could be done to them too. The question is what you hope are the proper steps to defend against a credible set of threats. I really think there are threats out there but that much of the whole "White Hat", "Black Hat" and if you will "Yellow Hat" or "Red Hat" Community is about as real as Dungeons and Dragons games that spawned the terms. This whole idea of the millions and millions of compromised machines may be a bit exaggerated. I am sure some set of bored bright teens could have a bit of fun trying to take down sbcglobal for fun by pinging it or something else to prove their misspelling of "hacker" prowess.
to yours truly but as far as I am concerned vague fears are vague fears until someone actually nails it down. Elsewise it gets to be like all these "Sleeper Cells" we are supposed to be worried about so we will sell all our rights down the river. I am sure encouraging people to be a little more cautious and all that is a good thing. Please however try to provide some real facts to back up your points. Have Fun, Sends Steve
Babak Pasdar wrote: Here is a recent blog entry on why your neighbor's security is important to your organization's security. When I was a child, my mother would share with me a proverb about a woman who lived in a large village. This woman was, using today's terms, a clean freak. She would clean her house day and night, inside and out, but it still would not be clean. So she went to the village elder and asked what she could do so that her house would finally be clean. The elder responded, if you want your house to be clean, you should talk to your neighbors and make sure their homes are clean. This was surprising to the woman who asked why her neighbor's cleanliness would affect her? The elder shared that if the area around her house is clean then there will be less dirt that can find its way into her house. The same holds true with technology security. So many organizations are extremely engaged in making their security the best it can be. Despite any efforts, what would happen if only 2% of the Internet decided to Ping your site or systems at the same time. Regardless of the capacity you boast and the big boxes in your environment, you would go down for that moment. Read the rest here... http://dsb.igxglobal.com/plugins/content/content.php?content.39 Babak Pasdar Founder / Chief Technology & Information Security Officer Support the Daily Security Briefing Web Site and Register Here: http://dsb.igxglobal.com For this week's DSB/Week-in-Review Audio/Video Security Report: http://dsb.igxglobal.com/news.php?item.50.4 To register for a Daily Security Intelligence e-mail: http://www.igxglobal.com/dsb/register.html Get your security news via Podcast: http://dsb.igxglobal.com/page.php?11
Re: [Full-disclosure] I stole code
Well ok let's see. I am disabled now, so keeping a regular schedule is out; Doing 14 hour days except when I want them is out; So I teach meteorology by presentation to kiddies, I always justify it by saying I provide a drain for their youthful energies and they don't do worse things. Anyway I used to work in the Silicon Valley and in the well off school academia that surrounds it. The very thing you describe was done a lot. There was a lot of discussion about people lifting code out of the academic world and inserting it into corporate software that was protected by this, that and the other thing. There is grump among computer graphics people about Lucasfilm grabbing lots of the good computer graphics people at Stanford and various places there around and hiding them behind all sorts of non-disclosure agreements. So to be very new age about it, I wouldn't beat yourself up over it. IF any of that stuff really works and is of interest then just publish it. I wouldn't hide things that much. I would keep too many easy to use toy like tools out of the hands of script kiddies but that is no reason to hide the good stuff. I kind of giggle and laugh at the macho posturing of some hackers. Heaven knows I started in the land of PDP10s and DECSYSTEM 20s and ITS, TENEX, TOPS-20 and the like and hacker was a term that was mostly a compliment. It didn't involve putting the letter x in words and getting haxxors or whatever, but that would have been thought of as cute. Overall open source is better. I have my big catch all windows file in WORD and word crashes all the time when opening this file. So I have to figure out why it crashes and what is messing up and all of that. It isn't easy and in fact it's a pain in the you know where. I am perfectly playing fast and loose sometimes but overall I do want to do that all the time. So overall I would say be honestly open source is a good idea. Have Fun, Sends Steve
Simon wrote: Hello, my name is Simon, founder of segfault.ch and wireless-bern.ch In this mail I want to admit that I copied other people's code. I took code, edited the headers and printfs, removed the real author's name and added my own. Almost all codes and papers on my Site (http://www.segfault.ch) were written by someone else. The only thing that came from me were the segfault.ch ASCII and the printfs with my name. llfe.c by Danny from: http://packetstorm.linuxsecurity.com/UNIX/penetration/log-wipers/lastlog.txt shellcodes (connectback-x86-fbsd.c, dumb-portbind-x86-fbsd.c, portbind-x86-fbsd.c, shellspawn-x86-fbsd.c) by fli from: http://shapeshifter.se/code/shellcodes/shellcodes/ iwconfig-local-r00t-sploit.c by qnix from: http://milw0rm.com/id.php?id=1215 shoutcast_expl.c by crash-x from: http://0x41414141.net/~crash-x/code/shoutcast_expl.c Remote.doc from: http://www.heise.de/security/artikel/61945/1 b0f_11.txt from: http://ww.packetstormsecurity.nl/shellcode/bish.c http://community.core-sdi.com/~gera/InsecureProgramming/ http://www.l0t3k.net/biblio/b0f/en/bufferexploit.txt Even the design of http://simon.segfault.ch was stolen and on my site I said: "Welcome to the official Website of Simon Moser. My major focus is to search for common security vulnerabilities and Reverse engineering. On my Website, you will find Software and Papers, which were released by me. They should provide you with knowledge and the ability to check for security problems. Nevermind, I am a fucking god at computers, so do not test me bitch!" Yes, most things were released by me, but they were not mine. And of course I'm not a god in computers, but rather a god in stealing code. I want to apologise to everyone, who I stole from. And I want to thank the people who got me back to earth and reality from the heaven. My recommendations to all are: Don't publish your exploits! There are too many people like me! Beat all code thieves up! Regards, Simon Moser
Re: [Full-disclosure] complaints about the governemnt spying!
Totally Offtopic a quote from Catholic School was "The Growth of Christianity was watered with the blood of Martyrs" yep that is what the old Irish Nun told us. So it is not just an Ayatollah who said it. But anyway it would be nice if we could drift back to more technical discussions. I was hoping the spying thing would eventually get down to measures and countermeasures and how one protects oneself as not all espionage is not always by a government who at least thinks it is out of the general good. Yeah I worked for various powers that be never in anything real exciting, but anyway generally that is what we thought. I am less worried about the NSA than private detectives and others like that. A friend once ended up being a part of a mistaken identity problem with some bounty hunters and they made her life quite miserable for awhile and it took her a long time to get remuneration from them for the damage they did to her property during their "friendly little error". Also if one works in a medium sized firm there is industrial espionage and admittedly most of that like the bounty hunters and the like do things via "social engineering" like dating the executive secretary or chatting up someone, there still was, and probably still is a moderate amount of electronic stuff going on. In the case of my friend they exploited the fact that most portable phones leak and that was the problem, the people listening could not tell which portable phone they were listening to or so they claimed. So I am hoping a more serious discussion would eventually start. I kind of burn out on the "well my instructor back in 198x or 1999 said this was old hat" and even more outright rumours that sound like people who get their information from Hollywood movies that no real encryption systems exist because they are all compromised etc. etc. etc. Have Fun, Sends Steve
Bob Radvanovsky wrote: See comments below. -rad - Original Message - From: "Dave Horsfall" <[EMAIL PROTECTED]> To: "Full Disclosure List" Sent: Friday, December 30, 2005 3:12 AM Subject: Re: [Full-disclosure] complaints about the governemnt spying! On Thu, 29 Dec 2005, Stan Bubrouski wrote: "They that can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety." (Jefferson, 1759). That's actually a Benjamin Franklin quote, which is worded about 1000 different ways depending on the source. The above is close; the main points are "essential liberty" and "a little temporary safety". In your example case of aphorisms, you are correct. One is from over 200 years ago, the other less than 40. In the meantime, perhaps some, umm, US patriot could tell me who authored these particular aphorisms: "The tree of liberty must be refreshed from time to time with the blood of patriots and tyrants." This was quoted from General Hummel (actor Ed Harris) from the movie, "The Rock", and was a paraphrased quote from Thomas Jefferson (http://www.monticello.org/reports/quotes/liberty.html) "The Tree of Islam has to be watered with the blood of martyrs." This was quoted from the Ayatollah Khomeini in the late 70's/early 80's, probably just before the uprising within Iran. I'm having trouble seeing the difference. -- Dave, who is not pro-US, so therefore has to be anti-US, according to Shrub
Re: [Full-disclosure] Spy Agency Mined Vast Data Trove and other tales
I kind of think it is a "UFO story" to say that PGP and the likes don't work and have been quietly changed to make them easy to break. The inventors being compromised is pretty much an MIB story. It is open code so you can read it and see if it is possible to break and how easily given current open knowledge. Now if the mathematicians in the NSA know things about factoring we don't well oh well. What is depended on is that most people don't encrypt and most things are sent in the open. This includes most transactions that can be used to build a sort of profile. If I were to start spending other than cash quietly and using banks in any way at least my bankers would know some improvement had taken place and they at least have agreed to release a lot of information to competent authorities. Also this stuff is sent pretty much encrypted. So there is a lot of information out there to gather and much of the idea about datamining is to get things out of easily available unencrypted sources. The same with phone calls. Very few people have STU phones or equivalent. It is amazing how stuff just gets known because people can't or most often won't be careful. The big problem with datamining is getting pattern out of data and telling what that pattern means. This is a problem in a lot of fields, there is a storm sitting out in the Pacific over a relatively sensor rich area and I have all sorts of information about its behavior, about SST (sea surface temperature) etc. but it is hard trying to figure out how that will impact where I live. Those of us who have worked on big projects inside of large entities and the like know that the people there are often like you and me, despite what the X-Files and true believers say. But that scary stuff does make it more romantic.
You are right, however, that putting pressure on politicos will get them to change, and people in security agencies are human too and not inhuman monsters and many care a lot about the nature of their work and as one might notice when someone goes too far little leaks sprout. Have Fun, Sends Steve
Re: [Full-disclosure] Spy Agency Mined Vast Data Trove
Uh let's see I don't know if this is the place to discuss this. There has been enough evidence of governmental misbehavior in the past with various programs that I wouldn't trust the powers that be to always be benevolent to go away if nothing bad is happening. There is Steve Kurtz the artist who got into trouble for growing a microorganism commonly grown in high school classes. If one reads the actual transcripts of Federal Prosecutions one finds that often they do go through someone's life and if they don't find the real big thing they wanted, they will try to find some very small thing, something akin to ignoring something on a click license or a shrink license. They threaten the defendants a lot and often they will get some silly conviction which to them is minor to the person who is convicted and has a messed up life is a lot. A lot of the motivating factors here, one is that such prosecutions are expensive and there is the desire not to go away empty handed. Now as of late they have gotten into so much trouble with this they have been losing outright in US Federal Court which usually doesn't happen. In most cases it has involved the increased discretion given to various authorities by the current atmosphere of security is so important that if the Bill of Rights is bent or ignored a bit then it's OK. I am not saying any of this (data mining and sorting thru lots of stuff trying to find scary keywords) should never ever happen but just it is sort of naive to assume that if one has nothing to hide and has done nothing wrong that one has nothing to fear. It is easy to go through someone's life and find things that while not illegal are embarrassing and use this to threaten them for a variety of purposes. The story of J Edgar Hoover trying to find something to embarrass or threaten Martin Luther King is well known. Others are known also and there is somewhat of a history of abuse of power so I hold the "nothing to hide/nothing to fear" concept to be naive.
Another point is that if one has ever had friends who say grew certain vegetables or did other such questionable things one obviously knows they don't refer to any of the things they are doing by "cleartext names" but use innocent sounding words and phrases. Now one curious thing I heard from a friend who is an Arabic translator is that some people hope that occasionally in Arabic or some other native language people will mention something out in the open. I did have a technical thought or question. Datamining can be used for less nefarious purposes and I wonder if anyone knows any good source texts if one were teaching a course in the area. Those I read are woefully inadequate and I was wondering if this is because those that have useful techniques aren't into much disclosure much less full disclosure. So if anyone knows of any tests or sources for connections databases it would be nice to hear of them. I was thinking of applications in art, science and medicine, like looking through OTC purchases to see if there has been a serious uptick in consumption of products that indicate a possible disease outbreak. I know there was a plan to track anti-diarrhea medications because many serious diseases manifest themselves with that symptom and the condition in itself can be dangerous. Have Fun, Sends Steve P.S. It was funny that the head of the TIA project at DARPA at one point was someone from the Nixon Admin not necessarily concerned with people's privacy or their rights. I suspect it is the overstepping of boundaries by that administration that provides the most compelling evidence that maybe we want to be careful giving people too much power to look at our various dealings.

Leif Ericksen wrote: Actually after reading some of the comments I have to say you all missed the point... *IF* you are not doing *nothing illegal* and have nothing to hide no big deal. "I do not want the Government to see my banking info" HUM, did you ever hear of the SSN?
Are you putting massive amounts of cash that can not be accounted for into your bank? BUT wait what is the limit it used to be $10,000US that if you moved that much money you had to fill out some papers as to why you were moving that money. So the government will know. Bottom line there will be so much 'noise' if they listen to everything they will lose track of legitimate deviant traffic. They only monitor so much of it and then turn off the listening until the system wakes up. Again, if all your actions are legit they will soon go away and leave you alone. The old joke on the net like 10 years ago was to add lines like Death Bomb Kill Destroy, White House, nuclear, waste, President, Give names of current or recent past presidents, Bush, Clinton, Reagan, Nixon Ford, etc. Those supposedly activated the echelon system. Also thinking back to a class I had in computer security (now I may date myself just a little) Back in 1988 T
Maybe I should give a non-flaming answer Re: [Full-disclosure] Looking for a job in OrangeCounty California, honestly
Well if you are in California there is General Assistance and couch surfing until you find a job. I mean if you are a good security person you shouldn't be looking for work at Burger King. Put "Consultant" on your resume and if you are impressive in an interview then you might get hired out of the first interview. I looked like an old hippy and used a plastic kid's rope as a belt. My boss at the time gave me an advance and took me shopping and bought me clothes. ;) I never could understand the clothes thing, but I didn't understand the security holes in much of the stuff at the time and how to fix them. If the market heats up it might get easy to get hired again. I dunno I have several friends from here who live and work in Bangalore and like living in India. I never looked into the dynamics of taking a job in India but I know people who have done it and they lived quite well and the climate is pretty nice though rather warm. If you have lived out here on the left coast you know that physical threats are generally considered bad form and don't tend to get you hired or kept. I trust you don't insult the people who want to hire you. Sometimes it is difficult to negotiate the social aspects of a job although technically competent. I personally disliked being hired for computer security and then asked to write device drivers for insano flako devices, but oh well goes with the territory. Have Fun, Sends Steve

Day Jay wrote: I tried burger king and they racially discriminated against me cuz I am white so sorry. Although working fast food has been a goal of mine since they keep denying my applications, its too smelly. I would engage a flame war with you on this pubic list but I'm not gay and don't like having gay sex nor do I dress up as a woman and read this list. I'm speaking for myself. As for the rest of the people, I'm not "begging" or bragging, I think there may be someone out on the internet with some heart if there are any left.
:'( I'm saddened by the attitude of people sometimes. This doesn't mean that I wouldn't seek them out at Defcon and beat them down-physically. d.

--- InfoSecBOFH <[EMAIL PROTECTED]> wrote: Now now Jason just because you got screwed by a company that sells registry hacks and offers no real value doesn't mean everyone is bad. OK, maybe it does. Day Jay. You are looking for employment and so far this has been your way of doing so; 1.) You sent a stupid email with a WORD attachment to this list begging for a job 2.) You sent another cryptic email to this list begging for work as a cockgobbler 3.) You participated in a flame war on this this and now 4.) You send this gem of an email that not only displays your lack of English as a second language but also your lack of common sense. Perhaps posting a resume, your skills, or something at least remotely intelligent will help your cause. Otherwise, I am sure you can google and find the spots where the male crackwhores hang out, go and try and sell your skills there. Or maybe this list just isn't the place to find a job. On a serious and truly helpful note -- Burger King in New Orleans is hiring and offering large signing bonuses if you already know how to use the fry machine. Perhaps you should look into this. http://www.nola.com/backtowork/ Maybe you and Mr. Coombs can hitchhike your fired and unemployed asses down there.

On 12/7/05, Jason Coombs <[EMAIL PROTECTED]> wrote: If you're looking for honest work then Orange County may not be the right place to live. Regards, Jason Coombs [EMAIL PROTECTED] Sent from my BlackBerry wireless handheld.

-Original Message- From: Day Jay <[EMAIL PROTECTED]> Date: Wed, 7 Dec 2005 10:20:19 To:full-disclosure@lists.grok.org.uk Subject: [Full-disclosure] Looking for a job in OrangeCounty California, honestly Being unemployed is a lot harder than I thought. I have too much time on my hands and that coupled with misc.
side jobs, I really would like to find someone to work for that needs some help. I'm looking to hopefully work on site and not remotely unless sometimes needed and hopefully have some sort of flexible hours if not a set amount. Currently I'm looking in Orange County any part or Los Angeles county would be even better. If anyone would like to use my services, I would be maturely offering and I promise to not hack or ruin your network. Please send me an email... Regards, d4yj4y
Re: AW: [Full-disclosure] Clever crooks can foil wiretaps, security flaw in tap technology
Roland Ruf wrote: Cool stuff.. *lol* I do not think, that the FBI is still using these old analogue recorders in Total recording mode connected to the analogue extensions... That may have worked 10 or 15 years ago depending on many things like the connection type, the way the recorder detects the signal, etc, but I assume only some single manufacturers could have that problem... If you record extension site on analogue extensions and you use the line sense as recording trigger (which is default on many recorders), that thing with the CTONE would not have worked... And we do not talk about the digital lines, where the recording trigger is normally absolutely independent from the audio of that call. Regards Roland

coderman wrote, heheheh http://seattlepi.nwsource.com/national/250215_wiretap30.html //snip The tone, also known as a C-tone, sounds like a low buzzing and is "slightly annoying," Obtaining a snooping order based on the fact that this C-tone was detected should be easy. Did you know that escaped prisoners in bright orange outfits are difficult to spot in public? &:-) -- Disclaimer: by reading this disclaimer, you agree not to read it again.

Oh I dunno, the other thing is that local law enforcement might be better and worse off. Sometimes they go and get stuff from Radio Shack other times they just accept stuff from the FBI or some other agency and assume it works. They often get hand me downs. The FBI is in real trouble with technology. I mean if you think of the hacker heroes, they were often caught by sloppiness which cooler and more experienced folks might get around.
This is why law enforcement uses a lot of bluster and tells folks they have done things when they haven't. They feel the guilty will confess. Truly irritating if you haven't been doing anything. Trying to say the FBI doesn't have a technology problem is kind of a tad questionable. They do. The main problem is they are still run by the old guy criminal division. You'd be surprised at what primitive equipment they use sometimes. So if one wanted to foil them then yes you'd try stuff and hope it would work. Or you'd use a buy and go cell phone with no real name. It's possible to get those and if you have money to burn it might be a good thing. Of course if you are an old style "I don't want a surveillance state no matter how safe the panopticon supposedly makes me" might try all these things out of spite even when doing nothing wrong. Have Fun, Sends Steve P.S. I dunno what equipment is used in Europe and South Africa but sometimes the enforcement agencies tend to have better. If you live in the US you get used to pretty dumb policemen and enforcement authorities who catch dumb criminals and blunder into the lives of innocent citizens and make a mess, and want to say "Oh Oops! Our job is hard you got to understand..." and get out of any repercussions.
Re: [Full-disclosure] Careless Law Enforcement Computer Forensics Lacking InfoSec Expertise Causes Suicides
I have been following this in the background because a number of my friends who got zapped in the high tech spindown out here in California have ended up in computer forensics and datamining because that's what gets money these days. Some are happy and some are a bit concerned. I am currently disabled and on good days I get the feeling I want to jump back in and on bad days I sleep to 3pm. It would be interesting to look at these questions from an international perspective. I am sure there is some maneuvering around by say the "Anti-Sex Tourism" Task Forces to see if they can get things done in the most sympathetic areas. Right now much of the prosecutions happen in the US because the US Federal Government has a lot of power. Federal Prosecution often proceeds by sort of getting a bunch of warrants, going seizing someone's property then looking into everything they could have possibly done wrong and threaten the person involved and then offering them a deal where they become a convicted felon for something. This is what happened in the case of US Artist Steve Kurtz who was going to be charged with bioterrorism and it is now down to questionable mail fraud. If things proceed like this it is good to know this is what might be contributing to with the fruits of one's labours. So it would be good to look into this stuff and find how it actually works, although yes it would have to be from an international perspective. Speaking of France I mean the US has always been trying to get Roman Polanski back on US soil. ;) Have Fun, Sends Steve

Paul Schmehl wrote: --On Monday, October 03, 2005 09:38:16 -0400 Lane Weast <[EMAIL PROTECTED]> wrote: In theory, what you say is incorrect. They may take you in but, in court they have to prove it was yours. It is not your responsibility to prove your innocence. It is their responsibility to prove your guilt.
Whenever I read stuff like this on an international list, I always wonder if the people posting understand that the rest of the world doesn't necessarily work the way your little corner of the world works. For example, French law, which is based upon Napoleonic law, places the burden of proof on the defendant. You are guilty unless you can prove you're innocent. So, your comments almost certainly do not apply to many people reading here. Which causes one to wonder - what value do they have to the audience reading? Paul Schmehl ([EMAIL PROTECTED]) Adjunct Information Security Officer University of Texas at Dallas AVIEN Founding Member http://www.utdallas.edu/ir/security/
Re: [Full-disclosure] Careless Law Enforcement Computer Forensics Lacking InfoSec Expertise Causes Suicides
Jason Coombs wrote: 34 people have killed themselves in the U.K. after being accused of purchasing child pornography using their credit card numbers on the Web between 1996 and 1999; and thousands have been imprisoned around the world for allegedly doing the same. Two of the first, and still ongoing, large-scale investigations of credit card purchases of child pornography through the Internet are known as Operation Ore (U.K.) and Operation Site Key (U.S.) -- tens of thousands of suspects' credit card numbers were found in the databases used by the alleged e-commerce child porn ring, and law enforcement's careless misunderstanding of the Internet and infosec (circa 1999) resulted in every single one of the suspects being investigated and thousands have so far been prosecuted and convicted. Was your credit card number in the Operation Ore / Operation Site Key database? How would you know unless and until you've been arrested? Over the last few years I have seen numerous cases in which the computer forensic evidence proves that a third party intruder was in control of the suspect's computer. More often there is simply no way to know for sure what might have happened between 1996 and 1999 with respect to the computer seized by law enforcement at the time of arrest years later. 
If security flaws, porn spyware, or mistakes by an unskilled end user resulted, over the years, in some child pornography being downloaded to a suspect's hard drive, even in 'thumbnail' graphic formats and recovered only using forensic data recovery tools that carve files out of unallocated clusters, then the suspect is routinely charged, since the presence of child pornography on a hard drive owned by a person who is accused of purchasing child pornography is the best evidence law enforcement has to prove guilt of these so-called 'electronic crimes against children' -- crimes that are proved by the mere existence of data, where it matters not that a suspect did not and could not have known that the data existed on a hard drive that was in their possession. I ask you this question: why doesn't law enforcement bother to conduct an analysis of the computer evidence looking for indications of third-party intrusion and malware? Some people have indicated to me that sometimes law enforcement actually does do post-intrusion forensics; though this decision is entirely up to the prosecutor or forensic lab director, and if they don't put in the time to do this they still get their conviction so there is presently no incentive to spend hundreds of hours analyzing large hard drives searching for evidence of intrusion just in case one might have occurred. A substantial factor in the answer to this question is that it is nearly impossible to know what might have happened to a computer over the years, and most computers are used by more than one end user to begin with. Not only is there no way to differentiate Every person convicted of an electronic crime against a child based only on evidence recovered from a hard drive that happened to be in their possession should be immediately released from whatever prison they are now being held.
Law enforcement must be required to obtain Internet wiretaps, use keyloggers and screen capture techniques, and conduct other investigations of crimes-in-progress, because the current approach to computer forensics being taught by vendors such as Guidance Software (www.encase.com) and others (who just happen to sell products designed to analyze and search hard drives) makes the outrageous assertion that a person can be proven guilty of a crime based only on data that is found on a hard drive in their possession. There is simply no way for law enforcement to know the difference between innocent and guilty persons based on hard drive data circumstantial evidence. Something must be done to correct this misuse of computer evidence, and whatever that something is, it is clear that only an information security organization is going to be able to explain it to law enforcement and legislators. Regards, Jason Coombs [EMAIL PROTECTED] -- http://news.independent.co.uk/uk/legal/article316391.ece 30 September 2005 21:24 No evidence against man in child porn inquiry who 'killed himself' By Ian Herbert Published: 01 October 2005 The credibility of a major investigation into child pornography came under renewed scrutiny yesterday after an inquest into the death of a naval officer who was suspended by the Royal Navy despite a lack of evidence against him. The Navy suspended Commodore David White, commander of British forces in Gibraltar, after police placed him under investigation over allegations that he bought pornographic images from a website in the US. Within 24 hours he was found dead at the bottom of the swimming pool at his home in Mount Barbary. The inquest into his death heard that computer equipment and a camera memory chip belonging to Co
Re: [Full-disclosure] [Fwd: MM - #$%@ Kill Google!]
First thought "top or bottom" hmmm sounds kinky ;) if I tell this to a 14 year old does someone somewhere have to report it. Anyway my brief take is below. It is Yahoogroups who seemed to have started the cult of top posting. They asked me to do it that way. I never used to do it. Note with all the Katrina Message relay stuff I have been doing I FELL ASLEEP ON MY BAD ARM and so have to rest to get functionality back. So u folks will be spared much more on this subject P.S. It was on bcrants I was first asked to do it. ...but it seems to be the norm in yahooland. Have Fun, Sends Steve

Gareth Davies wrote: Micheal Espinola Jr wrote: Ahem, but they still like the products, problems or not. Killing MS is not the answer. Contrary to uber-nerd belief, there is no rule about top posting - but yea, I shoulda still trimmed. Answer: Usually below the question. Question: Where do you see answers in relation to the question? Isn't that the case? Same goes for points you are addressing, you don't read from the bottom up, you read the top down, so top-posting is just disturbing the natural reading order. Cheers!
Re: [Full-disclosure] Re: Call for new mailing lists @ SecurityFocus (X-POST)
MadHat wrote: issues First, don't reply in pubic a private email. Extremely rude.

Giggle you can say that again. ;) Giggle funny misspellings are so cute. Excuse my flippancy I need comic relief. I have friends along the Gulf Coast and for awhile it looked pretty grim. They all survived and we were able to help other people but others didn't make it and that is pretty sad even though it's a part of life and all of that sort of stuff. Have Fun, Sends Steve
Re: [Full-disclosure] RE: Computer forensics to uncover illegal internet use
Chuck Fullerton wrote: All, I do find this line of discussion very interesting. However, there has been so much discussion that it's getting difficult to follow. Therefore, I'd like to make the following recommendation for future posts. 1. Minimize the text to which you are replying to the pertinent info. 2. Everyone use the same method of replying.. (i.e. inline, top or bottom) I don't care which but it's really getting tough to follow. 3. Keep the discussion going as I'm really getting a lot out of this. ;-) Sincerely, Chuck Fullerton

It is a pretty complex issue due to the questions raised. I'll try to clip things a bit. It was hard to look at it in a simple manner because it involves several interrelated areas I tried to break it into the main issues. Perhaps I should have tried to spell out my points a little more clearly. But it gets down to the whole meat of all sorts of legal things, like the questions of knowingly and willfully doing something proscribed. The attempts to separate this from just overlooking of something or the concerns of privacy. The interesting thing for me was when someone brought up the concept of "virtual children" as that was actually legally looked into. What I think would be really edifying is what things are like in other legal systems such as the EU systems and world courts. I say this because one of the big uses of electronic evidence in prosecutions has been with the federal courts attempts to prosecute sex tourists and the not quite underground in that area. By that I mean one can buy the "Have Sex Fun in Asia" books on the secondary open market. My suspicion is there is a covert attempt to push things into a more interventionist stance in the hopes that things might be discovered. The problem I see in states with extensive privacy like California is how much one can go through a user's files without their leave.
As far as I can tell there has been no real legal precedent and prosecution on the ideas of that say sysadmins are overlooking something. The really interesting issue is whether the beginning of thread question behavior was highly illegal because it involved destruction of potential evidence. That means it would have to be pretty egregiously say "child porn" and not just say soi disant 18 year olds who weren't. Curious that the 18 as age of adulthood allows two precious years for porn folks to say "Hot Teens" etc. and still be on the safe side. Now the other interesting thing and I am worrying I am making it more complicated than it should be is the hope by some prosecutors that the US would sign treaties the US might have to at least try to obey that would accomplish what they want without getting it passed or having legal precedent in the US. Note MI-6 tried this in reverse about another issue and it died a quiet death. There is a site on the net run by a certain architect and he has been a thorn in the side of MI-5 and MI-6 and "Gardie" (sorry can't remember real spelling) in Ireland (North and South). Due to the strong First Amendment in the US it has been impossible to block publishing in the US and on the Internet of this information which actually involved pictures of Northern Ireland's Internal Police Folks that work in terrorism suppression. They were hoping a treaty would allow them to get at the US publishers and that failed. Overall my suspicion is that overall this end-run technique will fail in general. It is interesting because the failure of the Michael Jackson prosecution pretty much left the Federal Prosecutors as the lone rangers who seldom fail at these various sex crimes prosecutions. It would be their ability to win consistently and get people declared accessories that would change things. I don't think that is going to happen. Note I won't extend this because it is already longer and more convoluted than I intended it.
I am going to kind of shut up now because this is sort of the state of knowledge and practice as I am aware of it. Again if someone knows about these things in other legal systems or has any insights into the attempts to stop people using encryption I would like to hear it. Have Fun, Sends Steve P.S. If anyone finds interesting cases or precedents I would like to hear of them. All that stuff of knowing the cases that set precedent like one knows good novels one has read or movies one has watched that made a statement has finally begun to sink in. It took a long time and a lot of reading but I now know why they quoted things involving Youngstown Tool and Die cases in Constitution Rights cases. ;) Have Fun, Sends Steve P.S. Note I have bcc'd many recipients in case they aren't on the list and trying to keep the email to have get moderator approval... From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steve Kud
Re: [Full-disclosure] RE: Computer forensics to uncover illegal internet use
dave kleiman wrote: Steve, Inline.. Hate to play alwyer here but doesn't all of this get shot down by 3rd Circuit Federal Court of Appeals decisions regarding the FBI's Innocent Images project? It basicly shot down the concept of "you clicked on a chold porn link therefore you're guilty." Well that applies to when it is determined that it was innocent. This could be via pop-up, trojan, or maleware of some kind. This is all enshired in Federal Cases. No one must admit that a good prosecutor can indioct a ham sandwich and all that. But overall that doesn't happen. Now Federal Prosecutors and Investigations staffs are very good at sort of getting warrants and raiding someone's house or business and going thru everything. But if the person doesn't scare and cop to something they never did, then federal prosecutors generally have to back off in cases where it is just things accumulating on disks etc. Well they do not usually prosecute ham sandwiches, BLT's maybe. I love how everyone is quick to say things just magically accumulated on their H/D. However, they tend not back of when a file structure is found with hundreds of images, often burned to CD's. Futhermore in states with a high privacy expectation like California there is a good reason to say "We don't go through our customers data looking for things out of the ordinary". One might argue it to be different it were one's employees. However if you are offering a primo privacy service then you can legitimately scrub disks as a part of the biz plan. Well that may be, of course you missed the beginning of these threads, where Mr. Combs suggested after discovering contraband on and employees H/D, to make a copy of it take the copy to the companies attorney. 
Wipe the original and "best course of action is to purposefully falsify the record of the company's response to the incident" The full threads can be read here: http://seclists.org/lists/security-basics/2005/Sep/subject.html http://seclists.org/lists/security-basics/2005/Aug/subject.html Much of Law Enforcement and their Public Providers of services depends on scaring people and businesses into good behavior when it is neither necessary nor ethical. My suspicion is that one can ignore this tactic if one wishes as one is reasonably careful.. I am sure that people will be offering "Computer Forensics Services" to find the scary things on your company's disks for $500 a pop but no good reason one has to engage in such silliness. Yes that crazy scaring people into good behavior... Oh wait that is right only reasonably prudent people follow the law, criminals tend to not care if there is law against something, they are not scared into not committing crimes, that is why they are criminals. Kind of like the lawlessness that is occurring in the situation you mentioned below. Some people would say that the devastation has turned these people into criminals. Although, the reality is the people committing the crimes are the same ones that were committing them before the devastation. Excuse my flipness. I just got through friends caught up in this call people stranded and alone by the hurricane in the Southland and all these other things do ring silly right now. Regards, Dave For a long time I sysop'd an open system, I dunno how much time I ended up deleting "girl with vacuum cleaner" pictures. This is getting weirder and weirder because with photoshop people can create things that do not exist in real reality. Of course you have really funny things like this one image that was from Japanese advertising. They had a 10 year girl with this incredibly large pretty phallic looking squirt gun which she was squirting with a look of bliss on her face. It was pretty funny. 
It was funny how when showed this image it became a "cynicism filter". People would divide into the group that thought this was completely engineered from the get-go and those who thought it was just some weird thing that came out and no one noticed it, or that it was the product of the fact that much of Japanese Culture doesn't quite go looking for all possible suggestive variants. It really became a filter. Now my suspicion about people in the US Southland is that it is a bit of opportunism in the face of despair and the feeling that "whitey has been shitting on us for centuries". Me being on the North American West Coast doesn't notice that because there were no slave quarters and slave markets in California, Washington, Oregon, British Columbia and we are apt to think a "quadroon" is a small gold coin that would be nice to find in one's progenitor's coin collection. I don't think it is because there is just a massive criminal element hidden from us. Now some of the behavior sounded like what I found in my tenure at a small residential hotel. From the last week of the month to the first week of the nex
Re: [Full-disclosure] RE: Computer forensics to uncover illegal internet use
dave kleiman wrote: Jason, You are definitely off here. """Companies and their lawyers who fail to keep up with child pornography law do so at their peril. The bipartisan resolve of state and federal legislators to combat child pornography has led to laws that put the fate of those who innocently possess child porn — such as counsel and their forensic experts — largely at the mercy of prosecutorial discretion. Dealing administratively with employees who use company computers to view or download child pornography no longer suffices. In fact, company lawyers or managers risk serious criminal penalties if they merely terminate an offending employee and delete only visibly illicit images from his desktop computer. The law generally treats child porn like heroin: mere knowing possession of it is a crime. Possession on behalf of a client to assist in an investigation or defense is no exception. As one court put it: “Child pornography is illegal contraband.""" """Criminal liability may also be triggered by knowing possession of a single child porn image. A limited statutory affirmative defense is available when a defendant possesses fewer than three such images, but only if the defendant: (1) does not retain any offending visual depiction; (2) does not allow any person other than a law enforcement agent to access the offending visual depiction; and (3) promptly takes reasonable steps to destroy each such visual depiction or reports the matter to a law enforcement agency and gives the agency access to each such visual depiction. """ """Notably, this statutory affirmative defense is not available if three or more images are found — and usually where there is one such image, there are dozens or hundreds more. 
Thus, if a company finds multiple child porn images on an employee’s computer, the affirmative defense evaporates, and handling or even destroying the images may expose the company to criminal liability.""" I think you need to read the following: http://www.strozllc.com/publications.html October: Beryl Howell and Paul Luehr co-authored the article, "Child Porn Poses Risks to Companies That Discover it in the Workplace." It appeared in the October 4, 2004 issue of the New York Law Journal http "ChildPornPosesRisks.pdf" January 5: Eric Friedberg's article, "To Cache a Thief: How Litigants and Lawyers Tamper with Electronic Evidence and Why They Get Caught;" published in The American Lawyer magazine "To Cache A Thief.pdf" http://www.ijclp.org/Cy_2004/ijclp_webdoc_6_Cy_2004.htm Characteristics of a Fictitious Child Victim: Turning a Sex Offender’s Dreams Into His Worst Nightmare BY JAMES F. MCLAUGHLIN Reference: IJCLP Web-Doc 6-Cy-2004 There are cited cases pertaining to this exact subject proving your comments and methodologies are wrong!! You do not have the right to wipe the drives!! Regards, Dave -Original Message- From: Jason Coombs [mailto:[EMAIL PROTECTED]] Sent: Friday, September 02, 2005 19:30 To: Craig, Tobin (OIG); [EMAIL PROTECTED]; security-basics@securityfocus.com; [EMAIL PROTECTED]; dave kleiman; Sadler, Connie Cc: Bugtraq; Full-Disclosure; Antisocial Subject: Re: Computer forensics to uncover illegal internet use Tobin Craig ([EMAIL PROTECTED]) wrote: I have spent considerable time researching and discussing with lawyers your fantastic notion that corporations are exempt from reporting electronic crimes against children. What is this thing you believe in, an 'electronic crime against a child' ? Are you even aware of the self-contradiction in your own position? I understand the psychological conditioning that law enforcement and prosecutors experience that results in your sort of enthusiastic or zealous enforcement and application of law. 
To a great extent I admire those who undergo this conditioning, and value those persons who are willing to live under its effects in service of my safety and to protect and defend my rights. However, it is my duty, as your employer, to make sure that you receive the mental health care that you need when you begin to believe in fantastic things such as these 'electronic crimes against children'. Your intentions may be fine, but your reasoning is actually quite insane. An 'electronic crime against a child' ? Absolutely outrageous and patently absurd. There is no such thing. Tobin Craig ([EMAIL PROTECTED]) wrote: Title 18, USC 3: Accessory after the fact. "Whoever, knowing that an offense against the United States has been committed, receives, relieves, comforts or assists the offender in order to hinder or prevent his apprehension, trial or punishment, is an accessory after the fact." You presume to deprive me of my right to wipe my hard drive because, in your expert opinion and in the legal opinion of some prosecutors, doing so causes me to violate Title 18, USC 3 - making me an accessory to your so-called 'electronic crime against a child' - and
Re: [Full-disclosure] Re: JA
Exibar wrote: I don't know about y'all, but if I was admin of a public ISP (or whatever), I wouldn't want to give anyone the idea that I'm smarter than everyone on the list that's just begging to be hacked/defaced/owned/etc exibar - Original Message - From: "Bardus Populus" <[EMAIL PROTECTED]> To: Sent: Monday, August 29, 2005 1:02 AM Subject: [Full-disclosure] Re: JA [EMAIL PROTECTED], please follow your own rules. "Missouri FreeNet staff and users are both held to the same general rules of conduct, as only a uniform policy of openness and respect can be reasonably expected to further MFN's goal of universal education." -bp But everyone starting out goes through this, sometimes we get over it pretty fast, with or without any help. I have known a lot of technical people over my life and many are pretty arrogant and think highly of themselves. I don't think it changes too much. So people get over it and calm down, but some people just have to feel their oats. It also depends what sort of world one comes out of, if one has ever met physical security types one knows that they are worse, I mean half the security guards act as if they are already police people. Of course the companies encourage this. And of course if this person is successful overall he or she gets accolades and doesn't notice those who don't think highly of them. Of course boasting on the net will encourage attacks in many cases. So I never screamed about the systems that I admin'd I just read the logs and tried to figure out if anyone was getting closer to a successful attack. Luckily no one did during my watch as they said. Have Fun, Sends Steve
Re: [Full-disclosure] J. A. Terranson
Atte Peltomaki wrote: I get it. This is a place where he gets to feel like a big man. A tough guy. Fine. Whatever floats his boat. While I'm not taking a stand in this issue, I would like to point out that there are quite a few people on this list who push their egos by putting down other people. Remember: Arguing on the Internet is like competing in special olympics. (Even if you win, you're still retarded) Security collects a lot of people like this. Whether male or female they are often pretty brazen. But remember that those of us who descended from 545 Tech Square were fond of calling people's ideas "bogus" way back when too, so there is historical precedent. So I don't worry about it and just figure it goes with the territory and all of that sort of stuff. Have Fun, Sends Steve
Re: [Full-disclosure] J. A. Terranson
[EMAIL PROTECTED] wrote: and phone numbers :-) Guys! Stop wasting our time and bandwidth! If you want to argue about bullshit, you have each other's email. Thanks, Honza I want to thank everyone for helping with my research project. It deals with moderation styles of various groups. From USENET where there was no real moderation for the most part and frequent flamefests, to yahoogroups when saying something offensive to the moderator often causes punishment or banning. The two worst being "Buffy the Vampire Slayer" and "INTIMACY FOR THE DISABLED" which has a "zero tolerance policy" for the whatever upsets the moderator. One must admit the Buffy Group had production folks involved so wanted to keep them involved, so their wishes had to be acceded to and overall it has worked well. Now to us net old timers what goes on here is just another flamewar and most of the time if one ignores the combatants whether they are right or wrong they calm down and go away, or at least calm down. I'd suggest Xanax .5mg to 1mg but even if had the power to prescribe such it would not be medically legitimate to do so without talking to the people involved. 
Anyway this is most curious and seems like a blast back to the Wild West of the Internet. circa USENET groups, many of which regularly get abandoned when a different group takes over. I suspect on a mailing list someone has it and could delete people. Of course this if one this isn't a grammar argument but usually that only happens when F users outnumber M users by greater than 3 to one, c.f. Linuxchix but also INTIMACY FOR THE DISABLED, which was sort of a fascist paradise. Anyway it would be nice to calm down and get back to basics. What I was about to ask about was whether a hard to break into and recover information Cryptocard existed that would allow one to put one's private key on it and have it be difficult to recover. The reason I ask this is I have been reading US Federal Court cases and I am getting more and more concerned that even people who feel they are doing little to nothing wrong should encrypt their communication. If one's machine and stuff is seized in a raid then having your private key on an easily obtainable media it does no good. Have Fun, Sends Steve
Re: [Full-disclosure] violent words
y0himba wrote: You know, I am brand new to this list, and expected to find good intelligent discussion as well as information that up until now I only had an idea existed. I am nowhere near as intelligent as most of the people on this list, but I am scraping the surface and learning. Seeing all the ego fueled idiocy going on here is very disappointing. We live in an age where we all know that violence and power corrupt. To see this kind of childish posturing coming from two supposedly intelligent individuals is a disgrace. I would recommend that they be removed from the list, and banned from it (correct term?), but I have not been here long enough and don't really have the right to request such things. Hopefully the truly enlightened and intelligent, curious individuals on this list will take this matter into their hands and do something about it. I would hope that the individuals who act this way, both the two currently, and any future persons who would act in this manner, see how egotistical and small they appear to others, and correct their actions. You are not winning anything or coming out on top, you are just lowering yourselves and causing people to nod their heads because they are ashamed of your behavior. Thanks to all that post to this list and contribute some of the most fascinating information I have read on the Internet. I really appreciate your efforts and discoveries. -y0himba -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peer Janssen Sent: Sunday, August 28, 2005 5:45 PM Cc: full-disclosure@lists.grok.org.uk Subject: [Full-disclosure] violent words [some violent words between two people on this list] I am new to this list. I suppose the goal of "full disclosure" is to make this world a better place. So I'm quite astonished about the tone I'm reading in the last mails. Is this the general tone here ? I never read such a thing before. Maybe in films, but this is real life, and you are real persons. 
Why are you doing this to yourself? Is any of you feeling happier talking like this to your fellow human beings? And in front of probably thousands of people? Is this the kind of world you want to create? I guess I somewhat understand both your point of view and what your friction is about, but I think if you try and put yourself in the shoes of your discussion partner, you could figure out some way to get along better. I'm sure you can do that. I appreciate frank words which are better than keeping silent about injustice, but I also suppose that gentle and humble -- everybody has some dark sides -- words will generally work better. Cheers Peer Usually if one lets arguments burn themselves out and skips their subject lines then they go away. I get distressed with yahoo groups when the owners and moderators are essentially dictators. Sometimes I think some are inexperienced or something. So I hope this will go away after awhile and I am for being patient and not responding to infuriated email and hoping things calm down. I guess I should take a peek at this stuff. I used to moderate/SYSOP several sorts of things and these things come up a lot. Have Fun, Sends Steve
Re: [Full-disclosure] Disney Down?
Micheal Espinola Jr wrote: Absolutely. Once a system has been exploited in such a manner, it is completely untrustable. It should most definitely be wiped. The IT ppl in SDC (and many other places) need to all be lined up and smacked Three Stooges style. On 8/19/05, Donald J. Ankney <[EMAIL PROTECTED]> wrote: Any IT department that simply removes a worm and shoves a box back into production has serious issues. After a machine has been compromised, it should be wiped and rebuilt. As a practical matter how many boxes are we talking about. I mean I have removed worms and viruses (note I don't use the plural virii because it is too close to the proper Latin Plural of "men";) and put boxes back into use. But not in places that are critical. Does one rebuild every time something goes wrong? Seems extreme to me. I dunno if this is the place to discuss issues like this. Now of course with worm designers getting more sophisticated it might be that more extreme measures should be taken earlier in the decision chain. Now if people implement a really adequate backup system, like everything over the last hour is safely backed up it might be possible to do that. Anyway it is an interesting case, easy to say now that I am disabled and watching from the sidelines. Have Fun, Sends Steve
Re: [Full-disclosure] thunderbird privacy...
[EMAIL PROTECTED] wrote: Hi, Adam Neale wrote: My understanding is, to remove these items for good you compact the folder, this is done by right clicking the folder and selecting "Compact This Folder", then it's gone for good. confirmed for thunderbird 1.0.2/WinXP. GTi Right, that is what the manual said. I would say the obvious obscenity.;) My suspicion is that so many people make "boo boos" throwing away stuff that many things have been designed to deal with this. Fewer people get investigated by people at the Federal Level or Very Good Private Investigators or bugged by Filoratzis (people who dig goodies out of famous persons computer files). When I did this stuff for a living, I think out of 100 people, it was 95 who wanted things they threw away back, and this includes people who went through a multi-step throw away process (move to trash, empty trash) and only 5 wanted something really gone as "find its location on disk and write over it for sure"...Ah the joys of physical I/O! Have Fun, Sends Steve
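What the compaction advice in the thread above amounts to at the file level, as an added example (not code from the thread or from Thunderbird): Thunderbird's local folders are mbox files, and deleting a message only sets the expunged bit (0x0008) in its X-Mozilla-Status header until the folder is compacted. The sample mbox is constructed, and the function names are this example's own.

```python
import re

# Mozilla message flag bit: message deleted, folder not yet compacted.
EXPUNGED = 0x0008

# mbox separator line ("From - <date>"); body lines starting with "From "
# are stored escaped as ">From ", so this only matches message starts.
SEPARATOR = re.compile(rb"^From .*$", re.MULTILINE)
STATUS = re.compile(rb"^X-Mozilla-Status:\s*([0-9A-Fa-f]{4})\s*$", re.MULTILINE)
SUBJECT = re.compile(rb"^Subject:\s*(.*)$", re.MULTILINE)

# Constructed sample of a Thunderbird-style local folder (not real mail).
SAMPLE_MBOX = b"""From - Mon Jun 06 10:00:00 2005
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
From: alice@example.org
Subject: quarterly report

Body of a message the user kept.

From - Mon Jun 06 10:05:00 2005
X-Mozilla-Status: 0009
X-Mozilla-Status2: 00000000
From: bob@example.org
Subject: private note

Deleted, Trash emptied, but the folder was never compacted.

From - Mon Jun 06 10:09:00 2005
X-Mozilla-Status: 0000
X-Mozilla-Status2: 00000000
From: carol@example.org
Subject: lunch

Unread message.

"""


def split_messages(data):
    """Return (byte_offset, raw_message) for every message in an mbox."""
    starts = [m.start() for m in SEPARATOR.finditer(data)]
    ends = starts[1:] + [len(data)]
    return [(s, data[s:e]) for s, e in zip(starts, ends)]


def headers_of(raw):
    """Header section only, so body text cannot spoof a status line."""
    return re.split(rb"\r?\n\r?\n", raw, maxsplit=1)[0]


def message_flags(raw):
    m = STATUS.search(headers_of(raw))
    return int(m.group(1), 16) if m else 0


def find_uncompacted(data):
    """List messages that are flagged deleted but still present in the file."""
    hits = []
    for offset, raw in split_messages(data):
        flags = message_flags(raw)
        if flags & EXPUNGED:
            subj = SUBJECT.search(headers_of(raw))
            hits.append({
                "offset": offset,
                "length": len(raw),
                "flags": flags,
                "subject": subj.group(1).strip().decode("utf-8", "replace") if subj else "",
            })
    return hits


def compact(data):
    """Model of compaction: rewrite the folder without expunged messages."""
    return b"".join(raw for _, raw in split_messages(data)
                    if not (message_flags(raw) & EXPUNGED))


if __name__ == "__main__":
    for hit in find_uncompacted(SAMPLE_MBOX):
        print("still on disk:", hit)
    print("after compact:", find_uncompacted(compact(SAMPLE_MBOX)))
```

Compaction rewrites the folder file; it does not overwrite the disk blocks the old copy occupied, which is the "write over it for sure" case mentioned in the reply above.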
Re: [Full-disclosure] Off topic rant to my friends
I dunno if this is any worse than the many, many replies one sees to some hot topic about Microsoft and stuff like that.. Overall every time I went to a security conference users got insulted. They were stupid, they fell for things, hook line and sinker etc. etc. etc. Of course sometimes the "professionals" never mentioned that the poor users are bombarded by a bunch of directives that are not explained and are hard to follow and seem like another stupid directive handed down from on-high that ask them to do something difficult without explaining how, for example how to pick passwords that are not in the dictionary. The take a phrase and take the first letter technique is something that does not intuitively spring to mind to everyone. It took a lecture to explain that "F*CK SUSAN and BOB" were not good passwords. N.B. I have been around for awhile and on the old TOPS-20 Systems passwords were not initially encrypted. So it was easy to find actual passwords and tell people not to use those. Now things are encrypted and all that but still a weak password doesn't work and other small things that people could do to be just reasonably careful they don't. Dunno how much verbiage to waste on random issues. Have Fun, Sends Steve I read the article and it was interesting. I don't quite know how much of it to believe. It is clear some people are up to something questionable. Whether it fits the model the authors have of well coordinated effort to deliver services to organized crime maybe a bit much on the conspiracy side for me to swallow. Security experts often miss that they use FUD without knowing it. But it is still to be careful because there are people who don't realise one's machine might be for something important and not just a plaything for others to mess with and ruin if they had a bad day or wanted to play weird "process war games". Have Fun, Sends Steve J.A. Terranson wrote: You don't have a blogspot account you could have posted this to? 
On Sun, 5 Jun 2005, Randall M wrote: Date: Sun, 5 Jun 2005 10:32:20 -0500 From: Randall M <[EMAIL PROTECTED]> To: full-disclosure@lists.grok.org.uk Subject: [Full-disclosure] Off topic rant to my friends Sorry to rant to this list. This list though has the only people on it who totally understand this ranting. Every morning before heading for work I read all my security alert emails and website collections about possible Trojans, worms and viruses found. Being a faithful worker I do this on the Weekends too. Once at work I check my web appliances, gateway, Exchange boxes and data servers for dat updates and check log files. I spend the first two-three hours of my work day doing this every day. Why do I do this? I do it to protect my company's investment. To ensure that the employees have a job that day. To make sure that customers will have on time delivery and so new customers can make orders, etc., etc. Today I read this article: http://www.eweek.com/article2/0,1759,1823633,00.asp?kc=EWRSS03129TX1K614 For some reason, maybe the coffee, I sat there thinking what the hell am I doing all this for? Am I being paid by my company to set up and protect only for some future use as a botnet for some organized crime boss!! I continually spend time, money and research on ways to protect. All of my mechanisms I use are actually as helpless as I am!! It's the blind leading the blind!! Then, like a message from God, a memory of a phone call from one of our users came to me: "Hey, I received this email about my account being suspended for security reasons, I immediately deleted it but just wanted to let you know". My small employee awareness program was slowly paying off. A year ago that same phone call would have been the "I think I did something bad" type. I now realize that my investments and my time have been spent MORE in the wrong place. I'm turning that around and heading back to the user. They are MY PROACTIVE, PREEMPTIVE protection!! 
I am no longer depending on the Anti-Virus dats or the front-end Appliances or the Gateways because a simple "Click" by the user makes them all useless. And it looks as though I can't depend on them to keep that "click" opportunity from the user. Praise be to God for the User! They are powerful! They are trainable! They are my BEST defense! There. I feel better now. thank you Randall M
Re: [Full-disclosure] Not even the NSA can get it right
Way back when I worked for government agencies for a living all the easy to get to sites had nothing sensitive on them. Everything that had sensitive stuff was not on the ARPANET or was behind multiple gateways. Right now even normal citizens like you and me can build pretty secure systems that will stop a lot of stuff. I assume the NSA does the same too but can do better. I come from the "Rainbow Books" era and those have been replaced by other things at this point. But there were a few bugs in Sun's C-2 Security and that's low level. Now it could be they hired some standard webdesign firm to do it and that the website is only its sort of public face. There are Intranets with much better security and there are secure Networks that run on nice BSD variants that are very good. BSD is good because a lot of it is people who every morning or evening;) they get up for the past 20+ years they have thought about security issues and watched what happened and all that stuff. I have been giggling at the teenagers who have been attacking my website as of late. I learned a lot by reading the logs. But we have secure passwords that are not in any dictionary and all that good stuff. It is also completely separate from public accounts like this one I use for day to chattering about on the Internet.. Have Fun, Sends Steve [EMAIL PROTECTED] wrote: On Wed, 25 May 2005 12:58:37 EDT, Dan Margolis said: Right, but why is XSS interesting? Why would they *want* a "suspected script kiddie" list? Honeypots are good for learning about what sorts of attacks are in the wild, *not* for learning who the attackers are. So watching the console logs on a tempting target like www.nsa.gov for a month isn't going to give a *really* good idea of what's out there? Consider - of those who went and tried the XSS that got posted, what percent probably tried some *other* tricks to see what *else* they could get it to do? 
Yes, the NSA crew almost certainly know the attacks themselves - but by keeping an eye on what tricks have made it out to the script kiddies, they can measure how fast the tricks propagate. Any attack they see on *that* server they can safely conclude that it's part of the script kiddie canon (as it's very unlikely that a black hat would blow a 0-day attacking that server when everybody *knows* there's probably nothing worthwhile on there...) Remember - we're talking about the organization that provided guidance on the design of DES's S-boxes, which made *no* sense at the time. Many years later, we find out that the NSA knew about differential cryptanalysis, the IBM crew independently discovered it, but kept quiet at the NSA's urging, and then when differential cryptanalysis came out in the open literature, the S-boxes made sense. This gave the NSA a *very* good measure of how far ahead they were at the time. Or the public website is just maintained by low-pay civil servants (after all, there's no need for a security clearance for any of those pages ;) Granted, we don't know everything the NSA does, but I see little to gain from a public XSS hole, however insignificant. Occam's razor, folks; why should I buy into such a twisted conspiracy theory? I never said you should. I merely implied that immediately concluding that it was a stupid mistake might in itself be stupid. Remember - we *know* that many black hats try to stay under the radar by leaving tracks that look like common script kiddies (so all the recon probes disappear in the noise). Why shouldn't the world leader in spreading and recognizing disinformation do the same once in a while? ;)
Re: [Full-disclosure] Re: Hack Your Credit Card Company (OT)
I didn't think this was a pickup or meet people group though I am sure it happens. You could try flonk which come to think of it I should go back and try again because I actually found interesting people there. Not quite of my technical bent, though more of literary types. Have Fun, Sends Steve imipak wrote: Kristian Hermansen wrote: I think I look pretty hot in that picture actually, but you sickly emaciated Russian bastards must know it all. I kinda agree with the comment from my fellow comrade. Young spotty gay beatch playing kewl hax0rzz games, ha? What's the matter? gay people make you feel nervous, hmmm? uneasy? An undefinable sense of fear perhaps? Did you realise there are actually GAY HACKERS? Now... tell me more about your mother? Returning to the topic - to the O.P. - Kristian, weren't you concerned that you've posted prima facie evidence of attempted fraud and whatever computer intrusion laws are applicable where you are? Didn't it occur to you that the bank might just possibly have systems to flag anomalous transactions, and that you might get the 5am alarm call courtesy of your local filth? i-.
Re: [Full-disclosure] Benign Worms
The idea of a benign worm is a nice idea but doesn't work in practice. Oh I have known admins who let loose all sorts of automatic update process that were little different from worms and they regretted it. These people were far from middle school. and "millions and billions" sounds something Carl Sagan used to say. I do worry that this is another of those flame war topics that have been beat to death. Have Fun, Sends Steve J.A. Terranson wrote: On Fri, 13 May 2005, k k wrote: There is debate surrounding whether releasing benign worms such as Nachi or Welcha, First off, let's get something straight: Neither of your two examples was in any way "benign". Both of these cost carriers and their customers *billions* of dollars. Many of us spent weeks with little to no sleep cleaning up the mess these "benign viruses" created. in general is ethical or not. I don't know where you've been looking, but the only place I've seen the ethics of this "seriously debated" is in middle schools and the like. There is no serious question that this is a hostile act, and cannot logically be considered "ethical" under *any* conceivable circumstances. But network administrators can still create benign worms for their need (not necessarily Nachi or Welcha) and release them in their domain to patch systems. You actually know admins that write viruses to do their patching? Sorry, but I think you're full of shit. If you're not, then these "admins" need to be immediately given a boot in the balls, followed by an unemployment benefit. Why would an *administrator*, someone with FULL rights to the machine, use such a device to place patches???
Re: [Full-disclosure] Sprint telco service?
KF (lists) wrote: I am interested in hearing from folks with stories similar to this: http://www.security-focus.com/news/10083 Ever hear weird shit on your phone line? Weird billing errors? Weird non dtmf tones randomly stray into your conversations? Had your lines redirected? Have extra lines that you did not ask for? Do DMS100's give you a hard on? shoot me a private email. hell if ya feel like it talk about it on list. -KF
I have had a number of weird things with all telcos. In fact one happened today. If you're not on the West Coast of North America sorry to bore you with local meteorology. I called a friend to talk about my travails in moving out of the place I was in and into a real two bedroom apartment with a friend. When I called this friend I heard a voice that said: "Well with the amount of moisture you can feel in the air..." I said "hello" and I got no answer ...I tried calling his number back and got no answer and then got a busy signal then I tried later and got the usual answering machine. The strange stray voices or "ghost voices" as I sometimes call them I have gotten a lot. Weirdly I have accidentally called a local number and got some phone company lineman's service in some state many miles away. If people were interested I could dig them up. I might ask if anyone remembers 8BBS, Bernie Klatt, Susan Thunder or other people there and "Bow Wow Net"... Have Fun, Sends Steve P.S. I dunno if this is the place for this sort of thing..I would like to know where one gets the numbers that one calls that repeat your number back to you etc.
Re: [Full-disclosure] FBI declares war on hackers
Seems to be there as far as I can tell. Perhaps it might have been related to the fact that April the 1st was a few days ago. So this sounds A WHOLE LOT LIKE AN APRIL FOOLS JOKE. Amazing that these old jokes still work. Have Fun, Sends Steve
Milan 't4c' Berger wrote: FBI shuts down well known hacker site _http://www.crime-research.org/news/04.01.2005/1106/_ YHBT...
Re: [Full-disclosure] Re: Internet Going Down For Maintenance
Please Please calm down. Techies and Geeks have a rough and ready sense of humour. There is >no way< to take the Internet down for maintenance. It was designed to have no central point of control so that no one could shut it down. Don't you think that RIAA would have been filing lawsuits left and right if they thought they could take the Internet down or even take large parts of it down? This is a big joke because those of us who have been on this thing since it was called the ARPANET know it was designed without a central point of control without anyone owning it or controlling it etc. It was designed to supposedly survive a nuclear war, which is something even the producers of "Internet Killed the Video Star" understand. I advise watching that and relaxing. Here is a link to it: http://atomfilms.shockwave.com/af/content/regurge01 Have Fun, Sends Steve
Carlos de Oliveira wrote: Is this serious? It is not funny. On Apr 1, 2005 8:36 PM, Corey Vaila <[EMAIL PROTECTED]> wrote: Is anyone else scheduling around this event? I may need to hire an internet specialist to make sure this won't affect my business. If you are an internet specialist and can help me, I will pay $75/hour for your services, however long it takes to insure that my systems will still work after they finish working on the internet. You must be in the Seattle area. If you can help, send me a resume immediately, because I'll need someone right away for this weekend. You must know how to help me if my IP is resorted or if we have a data surge, as posted above. Send your resume to: [EMAIL PROTECTED] Thanks Everybody Corey Vailas Digital Architects, Inc. On Apr 1, 2005 1:55 PM, Todd Towles <[EMAIL PROTECTED]> wrote: So we are all going to failover to Internet2, right?
lol Sweet, no spam..lol -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Kurczaba Sent: Friday, April 01, 2005 3:48 PM To: Jason Weisberger Cc: full-disclosure@lists.grok.org.uk Subject: Re: [Full-disclosure] Re: Internet Going Down For Maintenance Wait... It's not? :) Jason Weisberger wrote: LOL. I'd love for someone to buy this one. As if the Internet is in one central location. On Fri, 1 Apr 2005 08:51:26 -0800, [EMAIL PROTECTED] wrote: Actually, I believe that since the internet core is run off of the MS platform that this has something to do with the release Microsoft SP1 for their 2003 release yesterday. ;) On Fri, 01 Apr 2005 08:09:02 -0800 Steve Kudlak <[EMAIL PROTECTED]> wrote: I suspect that this has something to do with today being April First called "April Fool's Day". My sister in Pittsburgh is one year older today. Since she was born a couple months premature she was a pretty big April Fool's surprise. Have Fun, Sends Steve Larry Seltzer wrote: Internet To Close For Maintenance This Weekend April 1, 2005 Posted: 6:36 AM EDT (1136 GMT) BERN, Switzerland (Reuters) -- Long-scheduled maintenance will bring the Internet down this Saturday from 9PM to 3AM Greenwich Mean Time. The Internet Architecture Board, in coordination with the United Nations, has planned an "infrastructure maintenance window" for several years. According to IAB Senior Consultant Ursula Techenspüf "such a massive network requires occasional maintenance to upgrade aging equipment." Also planned is the first resorting of IP (Internet Protocol) numbers since before the dotcom boom. Techenspüf added "Years ago, when the Internet was largely academic, such maintenance was not as stressful or disruptive. Most maintenance can be performed on a 'hot' network now, but resetting of the Internet core still requires taking it down."
Users should not expect to lose much data, although experts do warn of a potential data surge when the network comes back up, and advise users to bring systems back on the network slowly and cautiously. Copyright 2005 Reuters. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed
Re: [Full-disclosure] Internet Going Down For Maintenance
I suspect that this has something to do with today being April First called "April Fool's Day". My sister in Pittsburgh is one year older today. Since she was born a couple months premature she was a pretty big April Fool's surprise. Have Fun, Sends Steve
Larry Seltzer wrote: Internet To Close For Maintenance This Weekend April 1, 2005 Posted: 6:36 AM EDT (1136 GMT) BERN, Switzerland (Reuters) -- Long-scheduled maintenance will bring the Internet down this Saturday from 9PM to 3AM Greenwich Mean Time. The Internet Architecture Board, in coordination with the United Nations, has planned an "infrastructure maintenance window" for several years. According to IAB Senior Consultant Ursula Techenspüf "such a massive network requires occasional maintenance to upgrade aging equipment." Also planned is the first resorting of IP (Internet Protocol) numbers since before the dotcom boom. Techenspüf added "Years ago, when the Internet was largely academic, such maintenance was not as stressful or disruptive. Most maintenance can be performed on a 'hot' network now, but resetting of the Internet core still requires taking it down." Users should not expect to lose much data, although experts do warn of a potential data surge when the network comes back up, and advise users to bring systems back on the network slowly and cautiously. Copyright 2005 Reuters. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed
Re: [Full-disclosure] Hacked: Who Else Is Using Your Computer?
If someone came and made themselves a polite guest I wouldn't mind. In fact a pretty open computer protects me from lots of things. "Well you see I have an open system and I have no idea how those objectionable, questionable, illegal things got here." I mean that has seemed to work well as a defense for lots of sysadmins I knew ;) That was the big problem I had with fully open systems which was keeping down the amount of questionable clutter that would accumulate. It was always a bit of an effort. I dunno that original message did sound like an advert by some anti-virus company. However castlecops are. I mean giggle sounds like someone who protects things for that creepy burger king guy. Gack they did revive the king thing!!! Have Fun, Sends Steve
Vladamir wrote: I leave my computer open with no passwords so everyone can use it :) Nah -- I do agree this article is in the wrong board, and I love finding new ways to let others use my computer without my permission :) dk wrote: Ill will wrote: I think this article should have been posted on some aol mailing list. I'm sorry but it looks like it was written for someone who's never used a computer, hehehe agreed. I had flagged Laudanski's stuff for filtration as it is rather light-weight; but some of the articles are worth a giggle or two. Esp the link to firefox with "Browse Safely" above it. Perhaps "Browse-a-bit-safer" would be more appropriate Paul. ;/ This article reminds me of pamphlets or self-help tapes for out-of-touch parents to "communicate with your teenager today! (tm)". You know; the ones that inevitably cover how kids talked and acted in the 80's but published in the 90's. (etc, etc) >;/