Re: [Full-disclosure] (no subject)

2009-07-22 Thread wishi
Hmmh,

I personally see a lack of defense and a need for more white hats, who
aren't constantly trying to gain media attention by breaking stuff. -
Because most stuff is already broken - as we see. Even trolls nowadays
can cause some damage.
If you need a good example to prove that we need new security concepts,
look at what even idiots can do. And sell this as a good argument, for
sure!! ;) My 5 year old niece could have hacked this 4chan site.

I'm still waiting for this so-called ssh thingy. Hack something real:
release an OpenSSH patch.


Have fun,
wishi


Ed Carp wrote:
> Do not fuck with anti-suck.  LOL!
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/



Re: [Full-disclosure] security industry software license

2008-10-21 Thread wishi
n3td3v wrote:
> there should be a central license that people apply for to use
> software like metasploit.
> 

Well. There's. It's called competence. Clueless people don't use
Metasploit. Normally it doesn't lower the bar very much. Think of Core
or Canvas. You can get this too, nevertheless it's expensive. Who's
going to prevent Warez?

- Right, no one. So if you're talking about a theoretical concept, you
should face the reality: there's no software you can't get for free. And
if there's, nothing prevents you from writing your own exploits. Just
grab some source, and search through it. You'd be surprised how much
crap you'll find.


> only letting the good guys use the software for good
> purposes.

First build a devel, let it run, and sell the holy water. That's how it
works. Without any evil approaches, we wouldn't work.

Today's process of hardening needs something, which speeds it up by
fear. And that's exactly what Metasploit does. It pwns incompetent
management, driven by the idea to develop feature rich bloatware in no
time - without caring for design, structure and security of the customers.

I guess nobody who's having the good old skills needs an exploit
framework. So - what's the software you're going to certify by n3rd3v
license? Shellcode with 0s? :) Or some wrapper scripts? By the way:
security is a market. Nothing prevents you from selling exploits at
wabisabi or so. Nevertheless I wouldn't choose eBay. :)
-- 
--__-
wishinet.blogspot.com
just wishi - does Netninpo
__--___-_
- http://www.gnu.org/philosophy/no-word-attachments.html
- PGP ID: 0xCCCA5E74



Re: [Full-disclosure] security industry software license

2008-10-18 Thread wishi
[EMAIL PROTECTED] wrote:
> On Fri, 17 Oct 2008 09:37:59 EDT, n3td3v said:
>> I've realized that I don't really understand what Metasploit is or does and
>> generally have a weak grasp on the security industry as a whole.  So, please
>> disregard any of my previous, ignorant comments.
> 
> I have to conclude that n3td3v has fallen under the control of The Pod People.
> 

That's the proof: Trolling causes brain damage!



Re: [Full-disclosure] To disclose or not to disclose

2008-10-11 Thread wishi
AaRoNg11 wrote:
> Well, if you've already warned your client that their software is vulnerable
> and they haven't changed to an alternative, then it's fine to release an
> advisory with all of the details.

Just don't waste my time yelling aloud that there's a problem, when you can
post on a bugtracker, reaching the persons that need to be reached.


> I really don't understand why they'd pay for a penetration test to not take
> action if their software was vulnerable. 

Because it's tested. Knowing a vulnerability is worth a lot.


>> yet to address the vulnerability in their own network too.
>>
>> Is it the ethical duty of the security company to release an
>> advisory?
>> Does that advisory put the customer at risk? It is clearly unethical to
>> do nothing and to leave everyone else at risk. How to proceed?

Fact is fact. If you've got valid facts, point them out. If you want a
great show, just mail to Slashdot, point out you're a researcher, say
the Internet will break and have fun.
Many do so. Media are stupid enough to believe, because there are very
few really security minded people. And they usually don't work in press.

Security as a market depends on disclosure, for reconstruction _and_
construction in general. Its future depends on how open security-people
are, on trust, on legitimate processes. Unorganized chaos, conference
disclosure, and advertisement security circus stuff is shit. Do so, and
it fails.

If there's just a small knowing circle, vendor based, blackhats can
cause huge damage, because any reconstruction gets much harder. A
secretive security response in very few cases is constructive. The
blackhats are steps ahead, whether you disclose your small finding or not.
Whoever really thinks that botnet owners are dependent on socks-stress or DNS
spoofing never saw the backend of a huge botnet!

What you need is to address the right motivated people. That's easily
done with leaving out explanations and just posting pure code ;) *g*.
Really: use the bugtracker, not the media.

Thanks,
wishi



[Full-disclosure] Nameless but interesting podcast

2008-10-07 Thread wishi
Hi fellows!


Found an interesting podcast, which is quite new:

%%
Adam Shostack, a well-respected voice on privacy and security issues,
joins Dennis Fisher in this episode of the Nameless Security Podcast to
discuss the data breach epidemic, the untimely demise of Zero Knowledge
Systems and his new book, “The New School of Information Security.”
%%

http://securitywireweekly.blogs.techtarget.com/2008/10/03/adam-shostack-on-privacy-data-breaches-and-“the-new-school-of-information-security”/

Found this accidentally ;)

Have fun,
wishi


Re: [Full-disclosure] notd3v

2008-04-27 Thread wishi
d3vnu11 wrote:
> N3td3v u should stop threatening people. In my opinion you are a small little 
> fuck. You should stop spamming fd. I recommend halting whatever you are trying 
> to do to fd. If you are getting sponsored for the shitty payload you bring on 
> fd just to lower and degrade its quality and mislead+misdirect a lot of great 
> security experts and hackers or you are just doing it simply because of your 
> little used mind then I advise you to come to Romania and see what things 
> people like you and that Richard you are talking about are getting when 
> trying to destroy something so valuable and loved (like fd) and threatening 
> around like you would be such a vip. There is always someone higher than 
> you who can put you to silence in a matter of seconds.
> I advise anyone and I mean anyone and everyone to add its email address to 
> the spam or shitlist and stop replying to its postings. It is the easiest and 
> at most handy way we can stop such an attack.
> n3td3v you are disposable.
> 


Let's pipe him to /dev/null :-)

-- 
--__-
wishinet.blogspot.com
just wishi - does Netninpo



Re: [Full-disclosure] Could n3td3v win a Pwnie award?

2008-04-27 Thread wishi
G. D. Fuego wrote:

> On Sat, Apr 26, 2008 at 10:32 PM, Joey Mengele <[EMAIL PROTECTED]>
> wrote:
> 
>> wishi,
>>
>> On Sat, 26 Apr 2008 12:19:46 -0400 wishi <[EMAIL PROTECTED]>
>> wrote:
>>
>>> I thought exactly the same. Security is a process. If someone
>>> doesn't
>>> understand, that it's better to know the vulnerabilities to
>>> defend, he
>>> didn't understand it.
>>>
>> I think you have this mixed up. Security a destination, not a
>> process.
>>
>>
> If that was true then the system you secure today would be safe untouched a
> year from now or the year after that.
> 


No... that's a general aspect: of course security is a destination. But 
it's never fully reached. We develop it further every day: by finding 
exploits, patching the systems, fixing the issues, we create it.
That's the process of reaching the destination as far as possible.


---__-
wishinet.blogspot.com
just wishi - does Netninpo



[Full-disclosure] Fwd: Re: Could n3td3v win a Pwni e award?

2008-04-26 Thread wishi
Yes man, sorry for this.
 
That was no Spam attack, but a crazy smtpd - that rejected but sent. It's
fixed now.
I think every software contains its own WTF experiences. That's one of
those ;)


 Original Message 
Subject: Re: [Full-disclosure] Could n3td3v win a Pwnie award?
Date: Sat, 26 Apr 2008 19:38:32 +0200
From: Ferdinand Klinzer <[EMAIL PROTECTED]>
To: full-disclosure@lists.grok.org.uk

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

LoL

I think your mail client is fucked up!

cheers

Ferdinand

On 26.04.2008 at 18:01, wishi wrote:

> n3td3v wrote:
>
>> David, your research was responsible for the SQL Slammer Worm... but
>> that makes you elite doesn't it, not a black hat.
>>
>> No wonder the UK security service is interested in you, but I  
>> wouldn't
>> call it an achievement, that calls you irresponsible in my view.
>
> Never read such stupid comments here before :). You want this award,
> don't you? You seem to be qualified.
>
>
>> "He is a regular speaker at a number of computer security conferences
>> and has delivered lectures to the National Security Agency, the UK's
>> Security Service, GCHQ and the Bundesamt für Sicherheit in der
>> Informationstechnik in Germany. David is a CHECK team leader and  
>> holds
>> SC clearance."
>>
>> http://www.davidlitchfield.com/
>>
>>
>
> Yes... I'd create a PWNIE for the "best nomination to PWN".
>
>
> Greetings,
> wishi
>
> ---__-
> wishinet.blogspot.com
> just wishi - does Netninpo
>

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.3 (Darwin)

iD8DBQFIE2iZivpgT1glX4cRAlSkAJ9axiQkwcoJItpCstsY6J7vmIjlaACdHD6Z
x2paV/uoCfiVfKD+7OSYo7c=
=BllU
-END PGP SIGNATURE-


Re: [Full-disclosure] Could n3td3v win a Pwnie award?

2008-04-26 Thread wishi
n3td3v wrote:

> David, your research was responsible for the SQL Slammer Worm... but
> that makes you elite doesn't it, not a black hat.
> 
> No wonder the UK security service is interested in you, but I wouldn't
> call it an achievement, that calls you irresponsible in my view.

Never read such stupid comments here before :). You want this award, 
don't you? You seem to be qualified.


> "He is a regular speaker at a number of computer security conferences
> and has delivered lectures to the National Security Agency, the UK's
> Security Service, GCHQ and the Bundesamt für Sicherheit in der
> Informationstechnik in Germany. David is a CHECK team leader and holds
> SC clearance."
> 
> http://www.davidlitchfield.com/
> 
>

Yes... I'd create a PWNIE for the "best nomination to PWN".


Greetings,
wishi

---__-
wishinet.blogspot.com
just wishi - does Netninpo





Re: [Full-disclosure] Could n3td3v win a Pwnie award?

2008-04-26 Thread wishi
G. D. Fuego wrote:

> 
> In fact, if Security Researchers are to blame for any bad uses of the
> vulnerabilities they discovered then what are you doing here?  

AND:

> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/


I thought exactly the same. Security is a process. If someone doesn't
understand, that it's better to know the vulnerabilities to defend, he
didn't understand it.

"It's hard to protect yourself if you don't know what you're up
against." (Ed Felten)

I'd say: nominate the nominator!

Greetings,
wishi

---__-
wishinet.blogspot.com
just wishi - does Netninpo



