Re: [Full-disclosure] Filezilla's silent caching of user's credentials

2010-10-14 Thread silky
On Thu, Oct 14, 2010 at 5:39 PM, Christian Sciberras uuf6...@gmail.com wrote:
  Not all attackers are created
  equally.

 I still see this as a simple matter of violating KISS to introduce a layer
 of encryption.
 The question is, to which end? Sure, an attacker might see the encrypted
 file and think it's too difficult for him to get to the passwords. Another
 might use a certain utility to decrypt the said file. The thing is, to which
 end are we encrypting the data? Just for the sake of making it work like the
 N other programs?
 I mean, if this doesn't *work*, why even *bother*?

Sorry, but your comments are totally useless here and can't even
really be addressed properly, given their quite ridiculous nature. You
are missing the point of the encryption, and it is not my job to
convince you, and any further comments with anyone other than the
developer are useless.


  There is no question here. There is no discussion. It should be done,
  and if it is not, password saving should be stopped in FileZilla or an
  alternative program should be sought. It's that simple.

 Great. If it's so simple that it can be done in under 10 mins, go complain
 to them.

This email thread *is* a direct complaint to them, after bugs have
been closed for years. I didn't start this thread. Do you even
understand what is going on here? Your emails suggest you do not.


 Cheers,
 Chris.


-- 
silky

http://dnoondt.wordpress.com/

Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Filezilla's silent caching of user's credentials

2010-10-14 Thread silky
On Thu, Oct 14, 2010 at 6:51 PM, Chris Evans scarybea...@gmail.com wrote:

[...]

 Sorry, but your comments are totally useless here and can't even
 really be addressed properly, given their quite ridiculous nature.

 Well done on behaving in a gentlemanly manner and winning people over with
 your in-depth technical arguments.

Just because someone has managed to sign up to full disclosure and
send an email doesn't entitle them to have an email from me explaining
exactly how wrong their thought processes are. My post was meant to
encourage the reader to actually try and re-evaluate his position on
his own and try a little bit of self-education on the matter.

Like I said to the other guy, I really don't care if you understand
the issue. The game now (or at least here, on this list) is to try and
steer people away from FileZilla if it doesn't change. Anyone's opinion
other than the developer on the issue of the nature of stored
passwords on a local machine is meaningless. If their position is
*influenced* by yours, then I will comment, otherwise, I don't see the
point.

-- 
silky

http://dnoondt.wordpress.com/

Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature.



Re: [Full-disclosure] Filezilla's silent caching of user's credentials

2010-10-14 Thread silky
On Thu, Oct 14, 2010 at 7:20 PM, Christian Sciberras uuf6...@gmail.com wrote:
 exactly how wrong their thought processes are. My post was meant to
 encourage the reader to actually try and re-evaluate his position on
 his own and try a little bit of self-education on the matter.

 That's some nice encouragement. Kind of reminds me of Windows XP's
 connection troubleshooter;

 Please visit the interwebz and we'll help you connect to the internet.

 Just because you signed up on FD and have a fancy blog doesn't mean you're
 any better.

I accept this point. I will not engage further as I'm adding to the
uselessness. I will leave you with one thought. Shouldn't the default
be encrypt?

-- 
silky

http://dnoondt.wordpress.com/

Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature.



Re: [Full-disclosure] Filezilla's silent caching of user's credentials

2010-10-13 Thread silky
On Wed, Oct 13, 2010 at 2:33 PM, Mutiny mut...@kevinbeardsucks.com wrote:
 The issue is that someone gained access to that file.  You sharing your
 drives over the internet with read privileges?  You have other
 vulnerable software being leveraged to read that file?  Would you prefer
 they MD5'd it?  It sounds like your issue is that your password is
 stored.  I mean, they moved your encrypted password from passwd to
 shadow for a reason, but that doesn't change the fact that it's stored
 and if someone doesn't need access to shadow or passwd, they shouldn't
 have it.

 Stop logging into your FTP server from a public terminal with Filezilla.

Rubbish.

The passwords should be encoded so as to avoid trivial searching. End
of story. It takes 10 minutes to do from a development point of view,
and there is no excuse.

-- 
silky

http://dnoondt.wordpress.com/

Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature.



Re: [Full-disclosure] Filezilla's silent caching of user's credentials

2010-10-13 Thread silky
On Thu, Oct 14, 2010 at 10:57 AM, Christian Sciberras uuf6...@gmail.com wrote:
 If the encryption key stays on the same PC, there is absolutely no security
 in that. Given that this is open source, security through obscurity can't
 even start working (- encrypting local files with a local key / using
 custom algo == security through obscurity).

No, you are completely wrong and I encourage you to specifically
consider a layered threat model or perhaps just read the information
*already presented* in this thread. Not all attackers are created
equally.

There is no question here. There is no discussion. It should be done,
and if it is not, password saving should be stopped in FileZilla or an
alternative program should be sought. It's that simple.

(Note that BeyondCompare and probably at least N other programs out
there *do* perform a trivial encoding of the passwords, and it is a
good and appropriate policy).


 Chris.

-- 
silky

http://dnoondt.wordpress.com/

Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature.



Re: [Full-disclosure] answer

2010-02-13 Thread silky
On Sun, Feb 14, 2010 at 3:12 PM, RandallM randa...@fidmail.com wrote:
 answer me this riddle:

 Why do you choose to

 Hack IT?

 Defend IT?

Shut IT


 --
 been great, thanks
 RandyM
 a.k.a System

-- 
silky

GUERILLA TOP? Corpulent woodpecker, disorderly.



Re: [Full-disclosure] [Code-Crunchers] a simple race condition and how you'd solve it

2009-07-02 Thread silky
On Fri, Jul 3, 2009 at 10:25 AM, Gadi Evron g...@linuxbox.org wrote:
 A friend recently demonstrated on his blog a simple race condition he
 encountered. He also challenged folks to solve the problem.

 http://www.algorithm.co.il/blogs/index.php/programming/a-simple-race-condition/

 There's an interesting discussion in the comments which is worth a quick
 read.

 Also, maybe someone here will come up with a cuter idea?

Posted my proposed solution in the comments, but will probably take a
while to be moderated.

Basically, you just need to check if you should still be computing,
and, at the end of computation, if your data is still wanted.


        Gadi.
 --
 Gadi Evron,
 g...@linuxbox.org.

 Blog: http://gevron.livejournal.com/

-- 
noon silky
http://lets.coozi.com.au/



Re: [Full-disclosure] Major Greek bank sites with SSL vulnerable to XSS and open redirects

2009-05-11 Thread silky
On Mon, May 11, 2009 at 10:33 AM, Paul Schmehl pschmehl_li...@tx.rr.com wrote:
 --On May 10, 2009 1:08:51 PM -0500 James Matthews nytrok...@gmail.com
 wrote:

 
  Why are these banks still using ASP? It's insecure by default!

 Everything is insecure by default.  There is no such thing as secure by
 default.  Those that assume there is are the first to be hacked.

cute (old) opinion, but fairly useless in practice.


 Paul Schmehl, If it isn't already
 obvious, my opinions are my own
 and not those of my employer.
 **
 WARNING: Check the headers before replying

--
silky



Re: [Full-disclosure] Major Greek bank sites with SSL vulnerable to XSS and open redirects

2009-05-11 Thread silky
On Mon, May 11, 2009 at 5:59 PM,  valdis.kletni...@vt.edu wrote:
 On Mon, 11 May 2009 16:19:49 +1000, silky said:
  On Mon, May 11, 2009 at 10:33 AM, Paul Schmehl pschmehl_li...@tx.rr.com wrote:

   Everything is insecure by default. There is no such thing as secure by
   default. Those that assume there is are the first to be hacked.
 
  cute (old) opinion, but fairly useless in practice.

 Not useless at all.  I'll bet you that if you go look at banks that have
 gotten hacked, at least 75 to 80 percent of them have we thought the firewall
 was secure by default or similar failure.

He was talking specifically about programming languages and so am I.

You can laugh and say 'all insecure' or you can actually look at what
does what and make educated decisions.

-- 
noon silky



Re: [Full-disclosure] Google Chrome Browser Vulnerability

2008-09-03 Thread silky
On Wed, Sep 3, 2008 at 5:37 PM, Paul Ferguson [EMAIL PROTECTED] wrote:
 Okay, well you cannot deny this is a lackluster starting point.

 I hope Google can use this inauspicious starting point to build
 the advertising empire they desire.

 I for one do not welcome the advertisement overlords.

you're not the only one; don't worry.


 - - ferg


 --
 Fergie, a.k.a. Paul Ferguson
  Engineering Architecture for the Internet
  fergdawg(at)netzero.net
  ferg's tech blog: http://fergdawg.blogspot.com/

-- 
noon silky
http://www.themonkeynet.com/armada/



Re: [Full-disclosure] Google Chrome Browser Vulnerability

2008-09-02 Thread silky
On Wed, Sep 3, 2008 at 10:13 AM, Larry Seltzer [EMAIL PROTECTED] wrote:
 Holy crap, a crash bug in a beta browser!

oh fuck off with referring to it as beta. beta is just a lame tag so
you can release something that you don't entirely trust.

imho if it's beta keep it fucking private. if it's public, grow a
set of balls and don't call it beta so you can hide behind that when
it fails.

grow the fuck up, google.


 Larry Seltzer
 eWEEK.com Security Center Editor
 http://security.eweek.com/
 http://blogs.pcmag.com/securitywatch/
 Contributing Editor, PC Magazine
 [EMAIL PROTECTED]

-- 
noon silky
http://www.themonkeynet.com/armada/



Re: [Full-disclosure] Linus summarizes state of the security industry with precision and accuracy.

2008-08-15 Thread silky
On Sat, Aug 16, 2008 at 12:42 PM, coderman [EMAIL PROTECTED] wrote:
 ... hypothesis that security researchers are all masturbating monkey
 whores is now proven definitively. [0]

I feel I can speak for the entire monkeynet project
(http://www.themonkeynet.com/) when saying we are offended by this
comparison.


 
 Too often, so-called security is split into two camps: one that
 believes in nondisclosure of problems by hiding knowledge until a bug
 is fixed, and one that revels in exposing vendor security holes
 because they see that as just another proof that the vendors are
 corrupt and crap, which admittedly mostly are, Torvalds states.

 Torvalds went on to say he views both camps as crazy.

 Both camps are whoring themselves out for their own reasons, and both
 camps point fingers at each other as a way to cement their own reason
 for existence, Torvalds asserts.
 

 0. Torvalds Interview with Network World , 08/14/2008
 http://www.networkworld.com/news/2008/081408-torvalds-security-circus.html

 [ ED: Dr. Diggle the Zoologist grunt / proctologist has lots of company, lol ]

-- 
noon silky
http://www.themonkeynet.com/armada/
http://www.themonkeynet.com/



Re: [Full-disclosure] (:

2008-06-12 Thread silky
On Fri, Jun 13, 2008 at 2:37 PM, I)ruid [EMAIL PROTECTED] wrote:
 MD5:89ec9df95c1315dcb1a668e35b051b07
 SHA1:   9f351ae9a3fbbbadaf10fea91384a32ed9836d36
 SHA256: 02acfbfe892a47de50273f367f98cc2b5023dec34e668ca3ffbaa42c7dcbd5eb

i'm yet to see anyone actually claim one of these posted hashes yet.

like in the see i told you so fashion. maybe i've missed it.


 --
 I)ruid, C²ISSP
 [EMAIL PROTECTED]
 http://druid.caughq.org

-- 
silky
http://www.boxofgoodfeelings.com/
http://www.themonkeynet.com/
http://lets.coozi.com.au/



Re: [Full-disclosure] n3td3v says don't let EUSecWest Cisco IOS presentation go ahead

2008-05-20 Thread silky
wait.

maybe valdis is n3td3v.


On Wed, May 21, 2008 at 11:16 AM,  [EMAIL PROTECTED] wrote:
 On Wed, 21 May 2008 01:48:21 BST, n3td3v said:

 This is a last minute plea to MI5, the UK Security Service to stop
 this presentation going ahead.

 I will hold you responsible in later threads if n3td3v and Gadi
 Evron's fears become reality.

 The Security Service (MI5) is responsible for protecting the United
 Kingdom against threats to national security. This website provides
 information about the Security Service, the threats it counters, links
 to sources of security advice and details of careers with the Service.
 http://www.mi5.gov.uk/

 Has it ever occurred to you that *maybe* MI5 is fully aware of the situation,
 and thinks that the best way to improve security is to let the talk happen?

 If he gives the talk, the trade rags will cover it, the C-levels that pay
 attention to the trade rags will get on the case of the Chief Info Officer,
 who will lean on their chief networking guys To Do Something About It, Dammit,
 and if the routers weren't secured to BCP before, they hopefully will be.

 If the talk doesn't happen, the C-levels don't see it in the trade rags, they
 don't lean on the CIO, who doesn't lean on the networking guys, who go off and
 deal with whatever *other* problem they have to deal with (like why their BGP
 feeds keep creating BGP Wedgies at two remote sites, or why they're having
 performance issues on one of their trans-ocean lines, or...) , and the company
 gets pwned by somebody with a rootkit.

--
silky
http://www.boxofgoodfeelings.com/
http://lets.coozi.com.au/



Re: [Full-disclosure] Ureleet

2008-05-01 Thread silky
On Fri, May 2, 2008 at 10:31 AM, Pat [EMAIL PROTECTED] wrote:
 Was there any reason for the both of you to include the mailing lists on
 your petty personal rants heretofore?

dude, they're the same person.


 2008/5/2 Ureleet [EMAIL PROTECTED]:

-- 
http://lets.coozi.com.au/



Re: [Full-disclosure] Gmail 0day

2007-11-08 Thread silky
On 11/9/07, pdp (architect) [EMAIL PROTECTED] wrote:
 well this XSS can lead to so much data being stolen that it is not even
 funny!

orly?



Re: [Full-disclosure] Gmail 0day

2007-11-08 Thread silky
worked for me minutes after it was posted. seems fixed now.

On 11/9/07, crazy frog crazy frog [EMAIL PROTECTED] wrote:
 i tested it on gmail latest version, it's not working for me?

 On Nov 8, 2007 7:04 AM, Scripter Hack [EMAIL PROTECTED] wrote:
  There is a html injection vulnerability in https://www.google.com.
  It is very critical, you can get the cookie to login into gmail or other
  service.
 
  POC:
  https://www.google.com/accounts/ServiceLogin?service=mailrm=falsecontinue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dlltmpl=defaultltmplcache=2passive=truel#;/scriptscriptalert('xss')/script1-=1
 
  More:http://xss2root.blogspot.com/
 



 --
 advertise on secgeeks?
 http://secgeeks.com/Advertising_on_Secgeeks.com
 http://newskicks.com




-- 
mike
http://lets.coozi.com.au/



Re: [Full-disclosure] Gmail 0day

2007-11-08 Thread silky
On 11/9/07, pdp (architect) [EMAIL PROTECTED] wrote:
 this means a lot today :) if you haven't noticed!

of course i've noticed it's just pretty fucking obvious to absolutely
everyone. i don't really see why you decided to point it out.

news at 11: xss leads to ability to steal data.


 On Nov 8, 2007 10:00 PM, silky [EMAIL PROTECTED] wrote:
 
  On 11/9/07, pdp (architect) [EMAIL PROTECTED] wrote:
   well this XSS can lead to so much data being stolen that it is not even
   funny!
 
  orly?
 



 --
 pdp (architect) | petko d. petkov
 http://www.gnucitizen.org


-- 
mike
http://lets.coozi.com.au/



[Full-disclosure] an open letter to kevin bacon: hello, how's it going?

2007-11-01 Thread silky
please, if you know kevin bacon, can you forward this mail to him, and
have him reply to me? or at least if you know someone who you think
might then know him, please send it on. i'm testing something.

thanks.

==

hi kevin!


 it's mike! how are you? doing any new movies? i hope so. keep up the
good work. all the best.

-- 
mike



Re: [Full-disclosure] !!! W4RN1NG N1GS und P1GZ !!!

2007-10-14 Thread silky
next week on animal planet: the mating habits of security noobs ...


On 10/15/07, Dude VanVinkle [EMAIL PROTECTED] wrote:
 MISS DUDE VAN WINKLE, VALDIS KINIETIKZ AND GAY EVRON OFF OF THIS LIST
 NOW. GTFO PLZ U R RUINING THE INTERNET.

-- 
mike
http://lets.coozi.com.au/



Re: [Full-disclosure] extension for Firefox to force HTTPS always?

2007-10-13 Thread silky
on the google sites; customisegoogle lets you force them into ssl. but
obviously that's not all sites.


On 10/13/07, Kristian Erik Hermansen [EMAIL PROTECTED] wrote:
 So one example is that you are in a wifi cafe and you want to browse
 sites which may be available on both http and https.  One example is
 when you browse google calendar.  By default you will get http even
 after logging in over https.  It doesn't really matter anyways and I
 should just code this up for myself.  I was just wondering if
 something already existed...that whole code reuse concept...you know
 :-/


 On 10/12/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
  On Fri, 12 Oct 2007 15:06:14 PDT, Kristian Erik Hermansen said:
   I just wanted to clarify that I am looking for an extension that will
   rewrite all encountered HTTP references in Firefox to HTTPS.  I would
   already have a firewall or some other layer7 filtering device blocking
   unencrypted traffic.  The addon Better Gmail does something similar
   to this, with the force HTTPS option, but not exactly...
 
  What should this hypothetical extension do if it automagically redirects
  http: to https:, but the target server is something that is only listening
  on port 80 because it doesn't have https: enabled?
 
  https://www.cnn.com just sorta sits there for me.
 
 


 --
 Kristian Erik Hermansen




-- 
mike
http://lets.coozi.com.au/
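
The question raised in the quoted reply above (what a force-HTTPS extension should do when the target only listens on port 80) comes down to a per-request policy decision. The following is an added example, not code from anyone in this thread or from an existing extension; the `decide` function, its `strict` option and the host list are hypothetical.

```javascript
// Added example: per-request decision for a "force HTTPS" browser add-on.
// The host list and option names are constructed for illustration.
const KNOWN_HTTPS_HOSTS = new Set(["google.com", "mail.google.com"]);

// True when `host` equals a listed name or is a subdomain of one.
function hostIsKnown(host, known) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    if (known.has(labels.slice(i).join("."))) return true;
  }
  return false;
}

// Returns { action, url, reason } where action is one of:
//   "allow"            already HTTPS, or not an http: URL at all
//   "upgrade"          rewritten to https:
//   "allow-cleartext"  left as http: (non-strict mode only)
//   "block"            refused rather than sent in the clear
function decide(rawUrl, { knownHttps = KNOWN_HTTPS_HOSTS, strict = false } = {}) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { action: "block", url: null, reason: "unparseable URL" };
  }
  if (url.protocol !== "http:") {
    return { action: "allow", url: url.href, reason: "nothing to rewrite" };
  }
  // An explicit non-default port (e.g. :8080) has no implied HTTPS twin,
  // so only default-port URLs are candidates. URL.port is "" for :80.
  if (url.port === "" && hostIsKnown(url.hostname, knownHttps)) {
    url.protocol = "https:";
    return { action: "upgrade", url: url.href, reason: "host known to serve HTTPS" };
  }
  // Unknown host: a blind rewrite would just hang on a server that only
  // listens on port 80, so either refuse or fall back to cleartext.
  return strict
    ? { action: "block", url: null, reason: "no HTTPS known; cleartext refused" }
    : { action: "allow-cleartext", url: url.href, reason: "no HTTPS known" };
}

// Constructed sample requests, evaluated in strict mode.
const samples = [
  "http://www.google.com/calendar",
  "http://www.cnn.com/",
  "http://google.com:8080/admin",
  "https://mail.google.com/mail/",
];
for (const u of samples) {
  const d = decide(u, { strict: true });
  console.log(`${u} -> ${d.action}${d.url ? " " + d.url : ""}`);
}
```

Strict mode corresponds to the setup described in the thread where a firewall already blocks unencrypted traffic; non-strict mode keeps HTTP-only sites reachable at the cost of sending those requests in the clear.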



Re: [Full-disclosure] List of security conferences

2007-10-10 Thread silky
maybe this is of some use; i don't know

https://www.google.com/calendar/embed?src=pe2ikdbe6b841od6e26ato0asc%40group.calendar.google.comgsessionid=BinzC1HQmHc


On 10/10/07, Bernd Marienfeldt [EMAIL PROTECTED] wrote:

 [EMAIL PROTECTED] wrote:
  Good day everyone,
 
  I might be going for a student exchange program next year, and I'm
  wondering where the major ITsec conferences will be held so that if
  possible,

 Hope that list is any help:

  * AusCERT2007 - http://conference.auscert.org.au/
  * BlackHat - http://www.blackhat.com/
  * CanSecWest - CanSecWest
  * DefCon - http://www.defcon.org/
  * EuSecWest - http://eusecwest.com/
  * FOSDEM,- http://www.fosdem.org/
  * HackCon - http://www.hackcon.org/
  * Hack.lu - http://hack.lu/
  * HITBSecConf - http://conference.hitb.org/
  * IT-Defense - http://www.it-defense.de/
  * MEITSEC - http://www.meitsec.ae/
  * 0sec 2006 - http://0x736563.org/
  * PacSec - http://pacsec.jp/
  * PH-Neutral - http://ph-neutral.org/
  * IT Underground - http://www.itunderground.org/
  * IT-Defense - http://www.it-defense.de/


 Regards,

 - --
 Bernd Marienfeldt
 The London Internet Exchange Ltd.
 Tel: +44 1733 207 724 |  Fax: +44 1733 207 729
 Mob: +44 7789 987 022 |  E-mail:[EMAIL PROTECTED]




-- 
mike
http://lets.coozi.com.au/



Re: [Full-disclosure] In ur server-status

2007-07-21 Thread silky
wow.

coolest thing ever.

can't blame people. apache don't even disable it.

http://www.apache.org/server-status

nice find!



On 7/22/07, Todd Troxell [EMAIL PROTECTED] wrote:
 Noticing lots of admins tend to forget about /server-status, I typed at random:

 http://www.cnn.com/server-status
 http://www.webshots.com/server-status
 http://www.download.com/server-status
 http://slashdot.org/server-status

 I am sure there are ten billion others.  In some cases this is worse than
 someone grabbing your access log.

 --
 Todd Troxell
 http://rapidpacket.com/~xtat




-- 
mike
http://lets.coozi.com.au/
