Re: FW: [Full-Disclosure] Shadowcrew Grand Jury Indictment
On Wed, 17 Nov 2004, n3td3v wrote:

> ...
> If I was in gov, I would shut a site down that looks remotely hax0rish, even if they've done nothing wrong. All these crews and hacker groups, fk them all. The net needs zero tolerance with online crime. Govs should have the authority to close anything done because they feel like it, without needing to prove shit. I would even close IRC channels. Hackphreak on undernet looks harmless, but fk that. Close it anyway, it's time to get a tighter grip on things.
> ...
> Same for zone-h.org, close the crap down.. f**k anything that looks remotely hax0rish.

Unfortunately, the US Government operates under the auspices of a small document called "The Constitution", and a little concept called "Common Law". Now, I know that you trendy kids call things like that "quaint" (I believe that's what our new Attorney General calls things like the Geneva Convention. See http://www.telegraph.co.uk/news/main.jhtml?xml=/news/2004/06/13/wguan13.xml&sSheet=/news/2004/06/13/ixworld.html) but fortunately for the rest of us, presumption of innocence remains the standard of the land.

If you small-minded totalitarians don't like that sacred principle, get the hell out of the US. We don't need your kind. Move to some Banana Republic where they change the rules all the time in the face of 1000 years of tradition and philosophy and the Blood of Patriots who died to protect these rights.

"Zero tolerance". What will these doofuses think of next? I bet they start up a cult of personality around the nation's leader, including a new salute borrowed from the Romans.

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: [Full-Disclosure] Immunitysec's paper on Windows TC0
On Fri, 13 Aug 2004, neL esoR wrote:

> I am surprised this hasn't engendered a lively discussion, everything else seems to. In neL's book, this paper ranks as one of the best.

What, and risk Dan Geer's fate? In this economy? I have a wife, a cat and two kids that depend on me.

Not to put too fine a point on it, the fog of PR-firm-generated balloon-juice that surrounded "CyberInsecurity: The cost of Monopoly" has me thinking twice about anything MSFT-related. Talk about a sacred cow. The shills and astroturfers have already come out in force with respect to XP SP2 - "Give it a chance," they plead. Riiight.

    "NT is the best designed operating system ever." - 1992
    "NT has marginally better security than Unix." - 1996
    "Wait 'til Cairo comes out." - 1997
    "XP will fix all of that, and more." - 2002
    "Longhorn will fix all of that, and more." - 2004

We (the computer using populace) have given Windows many, many chances. After a few months, the Wag-Ed shills go away, and reality sets in, with flocks of worms and mass mailers that even cause righteous Pine users like myself to lose emails because SirCam mails them so many multi-megabyte Word docs.

Still, despite the obvious conclusion, because of Dan Geer's public firing, low-level grunts like myself can't do anything other than cough and fidget during conference calls when Pointy Haired Upper Managers Who Golf With The Right People mandate the use of MSFT products.
RE: [Full-Disclosure] IE Web Browser: Sitting Duck
On Wed, 7 Jul 2004, joe wrote:

> because the *nixs are picking up a lot of the people who were previously clueless in Windows and they aren't learning much going to *nix. They just think it is better and more secure because they know even less about it than they did about Windows.

At least in practice the unix-a-likes demonstrate more security than the flavors of Windows, don't they? I mean, where's the linux chain mailer to equal SirCam? Where are the multiple linux worms to equal Code Red, Nimda, Deloder, Witty, SQL Spida, Slammer, Blaster, MyDoom, etc etc etc?

Even if the installed bases are taken into account, Linux should suffer from one or two persistent worms like Code Red (I got hits from Code Red for more than two years after it was released), close to 100 file viruses, and a few chain mailers. Linux doesn't.

> Sure, Staog and Bliss made appearances, Scalper and Slapper made the rounds and a whole raft of mass-mailers...

Well, Staog, Bliss, Scalper and Slapper happened. The evidence seems to suggest that Linux is more secure than Windows, particularly in whatever ways cause susceptibility to mass-mailers.

Can you propose a test of the "install-based" theory? If not, I wish you wouldn't use it, it's little more than special pleading for the use of Microsoft products.
Re: [Full-Disclosure] M$ - so what should they do?
On Mon, 21 Jun 2004, Michael Schaefer wrote:

Well, let's see, moving away from the Registry (single point of failure) would be a good step. Separating the operating system from programs would be great, I don't like the fact that everything and its brother thinks it can or should dump files into the system directory.

How about changing the ".exe" convention? Making a file executable by its extension probably causes a lot of opportunities for problems, doesn't it?

Also, the magic file names, like CON and AUX should go away.
RE: [Full-Disclosure] M$ - so what should they do?
On Mon, 21 Jun 2004, joe wrote:

> I am not sure I agree with the first thing. Actually I think it helps in that it is easier for people to know something is executable versus having to look at additional attributes to see if something is executable.

I think that making the name of a file determine whether it counts as executable or not conflates two distinct properties: (i) name, (ii) executableness.

Don't most of the worms like Bagel and Netsky depend on this sort of thing? Naming a file xyz.pif or abc.scr makes it executable. Clearly the name making a file executable contributes rather dramatically to the ease of constructing email worms.

Since so many extensions make a file executable, your point is basically wrong. You can't look at a file extension and know whether naming a file with that extension will cause Windows to consider it executable or not executable.

> What security benefit do you see for the second thing?

Here, the "second thing" is getting rid of magic, in-every-directory device files like CON or AUX or an undocumented host of others.

I don't happen to believe in the badness of magic files as such, merely that having some magic file names really confuses things. This property has caused problems over and over through the years:

http://www.securityfocus.com/archive/1/322941/2003-05-25/2003-05-31/2
http://www.microsoft.com/technet/security/bulletin/ms00-017.mspx
http://support.microsoft.com/default.aspx?scid=kb;en-us;256015

And probably others.

The point is that a DIR (or whatever) doesn't show these magic files, but doing an open() works fine. It's an exception to a usual rule about how file names work. Clearly, as evidenced above, it causes problems over and over. Exceptional cases are bad.

Note that Unix/Linux/Plan 9/others get this sort of thing correct. Magic files like /dev/null or /dev/tty show up when you run ls or do opendir()/readdir(). Yeah, they're magic in some sense or another, but they follow all the rules that other files follow with their names. And you have to open them by path "/dev/null". Just opening "null" won't hurt, unless the current directory happens to be /dev.
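An added illustration of the two hazards discussed in this exchange, written for this archive and not taken from the thread: a small Python filename check of the kind a file-upload or sync service aimed at Windows clients would run. It answers the "second thing" (a name such as con.txt silently resolving to the CON device under traditional Win32 name parsing) and the "first thing" (an extension alone deciding executability). The reserved device names are the set Microsoft documents (CON, PRN, AUX, NUL, COM1-COM9, LPT1-LPT9); the "undocumented host of others" is deliberately not guessed at. The executable-extension list is an illustrative handful that includes the .pif and .scr examples from the post, not a complete inventory.

```python
import re

# Reserved Win32 device names documented by Microsoft. Windows resolves these in
# every directory, case-insensitively, and ignores anything after the first dot.
RESERVED_DEVICE_NAMES = frozenset(
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{n}" for n in range(1, 10)}
    | {f"LPT{n}" for n in range(1, 10)}
)

# Illustrative (incomplete) set of extensions Windows runs as programs; the thread's
# point is that the real set is larger than a user can be expected to remember.
EXECUTABLE_EXTENSIONS = frozenset({"exe", "com", "bat", "cmd", "pif", "scr"})


def basename(path):
    """Last path component, accepting either / or \\ as the separator."""
    return re.split(r"[\\/]", path)[-1]


def windows_device_name(filename):
    """Return the reserved device a name would resolve to on Windows, or None.

    Only the part of the final component before the first dot is compared, so
    "con.txt" and "COM1.bak" are devices while "console.txt" and "COM10" are not.
    """
    stem = basename(filename).split(".", 1)[0].rstrip(" ")
    upper = stem.upper()
    return upper if upper in RESERVED_DEVICE_NAMES else None


def executable_extension(filename):
    """Return the lowercase extension if it is in EXECUTABLE_EXTENSIONS, else None."""
    name = basename(filename)
    if "." not in name:
        return None
    ext = name.rsplit(".", 1)[1].lower()
    return ext if ext in EXECUTABLE_EXTENSIONS else None


def check_filename(filename):
    """List the reasons a user-supplied name should be rejected before it is
    stored or served to Windows clients; an empty list means it passed."""
    problems = []
    device = windows_device_name(filename)
    if device:
        problems.append(f"resolves to device {device}")
    ext = executable_extension(filename)
    if ext:
        problems.append(f"executable extension .{ext}")
    return problems


if __name__ == "__main__":
    for name in ("report.pdf", "con.txt", "C:\\logs\\aux.log", "cute.jpg.scr", "nul.pif"):
        print(f"{name!r}: {check_filename(name) or 'ok'}")
```

Rejecting on the stem rather than the whole name is the conservative choice: a name that is harmless on one Windows release but a device on another is never worth storing.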
Re: [Full-Disclosure] Worm of the worm?
On Fri, 14 May 2004 [EMAIL PROTECTED] wrote:

> It's really sad that Sasser has nailed *so many* machines that Dabber is able to propagate.

Well, what about the Witty worm? It only infected machines running a brand of firewall with a particular plug-in, as I read this document (I'm no Windows expert):

http://www.caida.org/analysis/security/witty/

    Witty spread through a population almost an order of magnitude smaller than that of previous worms, demonstrating the viability of worms as an automated mechanism to rapidly compromise machines on the Internet, even in niches without a software monopoly.

That document claims the vulnerable population of the Witty worm was only about 12,000 computers, and goes on to imply pretty strongly that effectively 100% of the vulnerable population got infected due to the speed of infection.

I take this document to mean that a worm (a self-replicating process or set of processes that uses network communications methods to spread) can infect just about any size population. Any vulnerability, even in a small set of hosts, like the Windows hosts running ISS firewalls, can describe a population that can support a viable worm population.

> Out in the real world, a virus that could only spread between people who were actively infected with the contagious phase of measles, or polio, or smallpox wouldn't be able to spread very well at all.

Probably true, but doesn't this point out a flaw in the biological analogy? Network worms, unlike chainmailing viruses, and unlike plagues affecting true biological populations, propagate in something very nearly like a fully-connected network. For a vulnerable population of computers (those running software flawed in an exploitable way) no herd immunity exists.

We cannot protect against network worms in the same fashion that we might protect against the spread of Klez or the spread of herpes. For Klez we impart herd immunity by immunizing the host with the most contacts. For herpes, we gain herd immunity by having the highly social entities only socialize during periods of latency, or prevent the exchange of infectious fluids by latex membranes.
Re: [Full-Disclosure] Re: [FD] Super Worm
On Tue, 20 Apr 2004, Dave Horsfall quotes:

> On Mon, 19 Apr 2004, Gregory A. Gilliss wrote:
>
>> ...as I recall, there were PDPs, IBMs, Cybers (IBM clones), CDC, VAXen, and not much else available in '88
>
> What!?! You must be kidding - there were *tons* more hardware vendors back then, at least in terms of variety, because everyone had their own CPU architecture, or at least a wildly variant operating system.

From the 1988 period, you're missing out: ATT (3b2), Prime, Data General, Masscomp, Apollo, Ridge, Sun, Pyramid, Convex, Silicon Graphics, Mt Xinu, some company that made i860 multi-processors, Sequent, Bolt, Beranek and Newman had a 20-bit CPU (Butterfly?), Stellar, Ardent, Elxsi, and probably a pile of others. I seem to recall Z-80 based multi-user systems among others.
Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause
On Fri, 16 Jan 2004, David F. Skoll wrote:

> Not running A/V software on a Linux box is no risk at all. Even the McAffee A/V software wouldn't detect a worm in time to do any good. You can take the following simple precautions (which I do): Mount /tmp noexec, and if you're really paranoid, mount /home noexec also. That pretty much kills any propagation vector for viruses.

The commercial anti-virus people have never really addressed the lack of in-the-wild viruses for the unixes in general, and linux in particular. Or, back in the day, why didn't VMS suffer from a plague like DOS did and Windows does?

Not to beat a dead horse too hard, but maybe the small amount of discretionary access controls (user, group, other, rwx) that typical unix/linux installations have is enough to prevent viral epidemics? Perhaps the greater ecodiversity of email clients, filesystem layouts, mail transfer agents, HTTP servers and version variation of the above provides enough resistance to avoid epidemics and pandemics. Perhaps acknowledging that the big DOS and Windows virus problems were boot sector, Word macro and Outlook viruses would help clarify the situation.

Instead, we've got the "Linux isn't 100% immune so Linux users should run anti-virus software, too" scaremongering that flies in the face of observed reality.
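The noexec precaution Skoll quotes is easy to state and easy to let drift, so here is an added example (mine, not from the thread) of auditing it: a Python script that parses /proc/mounts-style lines, reports which of the user-writable mount points lack noexec, and emits the corrected /etc/fstab line. The sample mount table is constructed for the example; the set of mount points audited (/tmp, /var/tmp, /dev/shm, /home) is my extension of the /tmp and /home named in the post. One caveat a practitioner should keep in mind: noexec stops the kernel from executing a file that lives on that filesystem, but an interpreter can still read and run a script stored there, so this raises the bar for a dropped binary rather than closing every path.

```python
# Constructed sample in /proc/mounts format:
#   device mountpoint fstype options dump pass
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sda3 /home ext4 rw,relatime,noexec 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
/dev/sda4 /var/tmp ext4 rw,relatime 0 0
"""

# Mount points the audit expects to be noexec (assumed list; the post names /tmp and /home).
WANT_NOEXEC = ("/tmp", "/var/tmp", "/dev/shm", "/home")


def parse_mounts(text):
    """Parse /proc/mounts-style lines into {mountpoint: {device, fstype, options}}."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or malformed line
        device, mountpoint, fstype, options = fields[:4]
        mountpoint = mountpoint.replace("\\040", " ")  # /proc/mounts escapes spaces
        mounts[mountpoint] = {
            "device": device,
            "fstype": fstype,
            "options": set(options.split(",")),
        }
    return mounts


def mounts_missing_noexec(mounts, wanted=WANT_NOEXEC):
    """Mount points from `wanted` that are present but not mounted noexec."""
    return [m for m in wanted if m in mounts and "noexec" not in mounts[m]["options"]]


def hardened_fstab_line(mounts, mountpoint):
    """An /etc/fstab line for `mountpoint` with noexec,nosuid,nodev added.
    Existing options other than the rw/relatime defaults are preserved."""
    entry = mounts[mountpoint]
    kept = entry["options"] - {"rw", "relatime"}
    options = ",".join(["defaults"] + sorted(kept | {"noexec", "nosuid", "nodev"}))
    return f"{entry['device']} {mountpoint} {entry['fstype']} {options} 0 0"


def audit(text=SAMPLE_MOUNTS):
    """Map each offending mount point to the fstab line that would fix it."""
    mounts = parse_mounts(text)
    return {m: hardened_fstab_line(mounts, m) for m in mounts_missing_noexec(mounts)}


if __name__ == "__main__":
    # On a live system: audit(open("/proc/mounts").read())
    for mountpoint, line in audit().items():
        print(f"{mountpoint}: missing noexec; suggested fstab entry:\n    {line}")
```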
Re: [Full-Disclosure] article in: Security Wire Perspectives, Vol. 5, NO. 93, December 19, 2003
On Fri, 19 Dec 2003, Ron DuFresne wrote:

> after the @stake recent actions, to be focused these days upon avoiding mentioning the shortcomings from redmond. Are others reading the same these days?

Absolutely. After the initial stir that Geer/Schneier et al's anti-monoculture broadside raised, all the trade rags have run "balanced" articles designed to soothe CIOs who have all-MSFT shops.

I'm all in favor of balanced journalism, but sometimes you can't balance or compromise. I recall reading this little parable:

    Two children argue about how to split a cookie:

    Child A says that he/she/it should get all of the cookie.
    Child B says that they should cut the cookie in half, and A and B should each get half.

    Adult C steps in and compromises, by splitting the difference: Child A gets 3/4 of the cookie and Child B gets 1/4.

Sometimes balance or fairness just doesn't work.
Re: [Full-Disclosure] Comments on 5 IE vulnerabilities
On Mon, 1 Dec 2003, Frank Knobbe wrote:

> Maybe one solution for MS could be to unhook IE from the OS, slowly distance itself from it and instead add a different browser, one that is more secure, with less bells'n'whistles perhaps. They have abandoned and replaced products in the past, perhaps it's time to do that with IE. (I know I have -- exchanged IE for a different browser... for the most part at least).

What did Steve Ballmer say about integration, Windows and a Ham Sandwich?

Microsoft *cannot* do what you propose: they swore in US Federal Court that IE constituted an integral part of the Windows operating system.

There's more than The Law going on with that, too. MSFT upper management apparently firmly believes that IE is Windows is IE: try explaining to your wife why her computer really is connected to the Internet when IE wants to dial AOL every 3rd or 4th page it downloads.

Unhooking IE will never, ever happen. In fact, IE will get further integrated into Windows.
Re: [inbox] Re: [Full-Disclosure] RE: Linux (in)security
On Mon, 27 Oct 2003, Bill Royds wrote:

> Actually most of VMS was written in a programming language called BLISS-32 which was designed to write an OS.
> ...
> The result of BLISS was VAX assembler code rather than raw machine code, which is why the port to Alpha went the way it did. Bliss fell out of favour at DEC because it required programmers to learn a new style of coding from C so the Alpha code used more C than Bliss.

Actually, no. The Digital Technical Journal ran an article at the time titled "Porting OpenVMS from VAX to Alpha AXP":

    Most of the OpenVMS kernel is in VAX assembly language (VAX MACRO-32). Instead of rewriting the VAX MACRO-32 code in another language, we developed a compiler. In addition, we required inspection and manual modification of the VAX MACRO-32 code to deal with certain VAX architectural dependencies. Parts of the kernel that depended heavily on the VAX architecture were rewritten, but this was a small percentage of the total volume of VAX MACRO-32 source code.

http://research.compaq.com/wrl/DECarchives/DTJ/DTJ800/

It's pretty clear from the details given in that article that very, very little of VMS (the OS) was in BLISS at the time of the Alpha port. This counterexample refutes your argument. I'm truly sorry: it's such a seductive theory, like the "market share" argument for Windows viruses and worms.
Re: [inbox] Re: [Full-Disclosure] RE: Linux (in)security
On Sun, 26 Oct 2003, Bill Royds wrote:

> You are saying that a language that requires every programmer to check for security problems on every statement of every program is just as secure as one that enforces proper security as an inherent part of its syntax? And I suppose that you also believe in the tooth fairy.

Well, no, but I don't believe your theory either.

VMS usually gets held up as an example of an OS without significant security problems. Sorry to tell you, but DEC wrote VMS mainly in VAX-11 assembler. The Alpha-CPU port of VMS involved writing a VAX-11 assembler "compiler", and compiling the VAX assembly code to Alpha object code.

VAX-11 assembler, although nifty in a macro sort of way, and orthogonal to the point of distraction, had exactly none of the features you claim help secure an OS.
Re: Linux (in)security (Was: Re: [Full-Disclosure] Re: No Subject)
On Wed, 22 Oct 2003, Peter Busser wrote:

> Because Linux people in general seem to be more concerned about speed and features than about security. For example, the only reason Linux Security Modules (LSM) have been included in the kernel, is that they don't have a performance impact on users who do not load any security modules. People have ...
>
> In general people seem to believe that Linux is either secure or can be made secure by removing packages and unused services. This belief that Linux is already secure makes people uninterested in security. Why improve something ...
>
> People apparently do not realise that a wooden house is not sufficient to protect against the big bad wolf. And there is currently no brick house to flee to when the wolf comes...

OK. No quibble from me about the absolute security of any particular operating system. But arguments like "linux viruses are possible" or "NetBSD has security flaws, too" don't address real questions, and they approach being vacuous truisms.

The real questions go something like:

Source code for Unix viruses has been available for years, from sources almost too numerous to mention. Why haven't Unix viruses become epidemic the way that Windows viruses have?

Security problems of the same magnitude as .ida buffer overflows, or MSRPC buffer overflows exist in unix programs like Sendmail and others. Why hasn't a worm materialized for this problem?

The scalper worm didn't affect nearly as many hosts as msblast did. Why not? Why did the scalper worm seem to die out, yet wormwatch.org still records many hits from much older worms like SQLSpida and Nimda?

And I guess you can generalize and ask why the Windows culture generates so many problems of such a magnitude, that last so long? My home office web server got a Code Red hit on Sept 19th 2003, for example. Other computing cultures (Unix, Mac, etc) don't seem to exhibit this. Why not?

Shouldn't we focus our efforts on figuring out what aspects of Linux or Mac cultures keep epidemics from occurring? It's certainly a waste of breath to point out that OS X has horrendous security flaws when none of them turn into grotesque epidemics like Sobig.f.

To extend your wooden house analogy a bit: In a city made entirely of wooden houses, a single house fire is way more likely to level the city than in a city with a mix of wooden, brick and vinyl-sided houses. Having the occasional brick house mixed in with the wooden houses provides a lot of resistance to a whole-city conflagration. It doesn't provide absolute immunity from fires for every house in the city.
RE: [Full-Disclosure] ATT early warning system
On Sat, 18 Oct 2003, S G Masood wrote:

> IMHO, testing on a private network is always preferable for highly accurate predictions.

My guess is that the msblast worm's author did do testing on a private network.

I wrote a simulation of msblast that placed susceptible hosts in bands in a 16-bit address space (http://www.users.qwest.net/~eballen1/nws/, section "msblast - effect of banded address space"). msblast-style sequential probing does pretty well in a smaller address space that has victim hosts in blocks. That style of probing does poorly against victim hosts placed at random addresses, even in small address spaces.
RE: [inbox] Re: [Full-Disclosure] CyberInsecurity: The cost of Monopoly
Rodrigo Barbosa wrote:

> As I said, I also think that Micro$oft is as insecure as my 8 y/o daughter playing with a handgun.

And then, On Mon, 29 Sep 2003, Schmehl, Paul L replied:

> Your daughter wouldn't be insecure playing with a handgun if she had had proper handgun safety training. Wouldn't the same be true of computer users?

I realize you're from Texas and everything, but are you nuts? An 8-year old with a handgun should cause vast feelings of insecurity in you, with or without proper training on her part.

Besides that, what do you mean by "proper safety training" for a computer user? If you mean the failed "don't click on any attachments, don't open email from someone you don't know" recipe-style of training, then no to that too. That recipe-style training is what got us into the monocultural pickle we're in today. We don't need training, we need more people to know and understand more than "I just want to get my job done, and MSFT products are the best" point-n-click power-user training.
RE: [Full-Disclosure] CyberInsecurity: The cost of Monopoly
On Fri, 26 Sep 2003, Rick Kingslan wrote:

> I'll not argue that the Windows operating systems are the target of the majority of virus', but that's typically what happens when a system is used by a known large group of people that might not be qualified to run a computer, much less secure it.

Doesn't this just constitute special pleading to use Microsoft's products? For example, this theory is totally unfalsifiable - only Microsoft products are in such a position. Oh, wait. Apache has about 2 times the market share of IIS, and I'm still getting Code Red and Nimda hits TWO YEARS after they were released. By contrast, I only got about 2 days worth of hits from Slapper.

> The 'bad guys' and 'bored kids' are going to target the largest base - and there will always be holes to compromise and exploit. Viruses have never been a threat to Open Source because the target is not yet juicy enough.

Yeah, I guess you're right: Apache's 60% market share is just not juicy enough. Despite it being so much easier to write Linux shell code than Win32 shell code.
[Full-Disclosure] Network worm simulator
I've written a framework for simulating network worms like Code Red and msblast. You can read my description of this framework at:

http://www.users.qwest.net/~eballen1/nws/

Let me know what you think.
Re: [Full-Disclosure] Rootkit
On Fri, 26 Sep 2003, David Hane wrote:

> I recently had a machine get hacked before I could finish installing all the damn remote-root exploit patches that have been released in the last week. I've done the forensics and I know how they got in and what they did but I would like to know what rootkit they used.

In a later message, you said it was a Solaris rootkit. Not all Solaris root kits have a name:

http://groups.google.com/groups?q=Ediger+rootkit+solaris&hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=tPLT6.31%244Y4.88875%40news.uswest.net&rnum=1

The rootkit I found was a combo of tragedy/dor's rootkit and the "Universal Root Kit". Based on a couple of other accounts:

http://www.cert.org/advisories/CA-2001-05.html
http://ouah.kernsh.org/comp_sys.htm

and some personal communications, the rootkit I found was used in the wild for quite a while, and it was under continuous development. I even wrote an email to tragedy/dor, hinting that I'd like to have looked at the code. I offered suggestions for improving the rootkit as kind of a quid pro quo. He/she/it/they wrote back saying that the source got lost in a server crash.

Anyway, the point is that at least one root kit for Solaris is floating around, has been for a few years, yet it doesn't have a snappy name. For example, it's not really too clear if even the latest chkrootkit would find the tragedy/dor Solaris rootkit - chkrootkit did not find it back in April of 2001.
RE: [Full-Disclosure] SQL Slammer - lessons learned (fwd)
On Mon, 10 Feb 2003, Steve Wray wrote:

> One word. Ok two; Driving Test. Do you have a driving license? Did you buy it from a shop or did you have to demonstrate an acceptable level of competence? Who administers it?

Holy Crap. You've got to be kidding. What an insane analogy.

First, the typical driver's license proves next to nothing about the person who obtains it. The test has very little to do with day-to-day safe driving. Go to any high school parking lot in the USA and watch legally licensed drivers perform hair raising maneuvers at 3:30pm any school day to verify this. So, NO, you don't have to demonstrate an acceptable level of confidence.

Second, the testing is administered by people without wisdom. I refuse to let my competence at anything be judged by some mean-spirited weenie like a driver's license bureau person ever again.

Third, I got my driver's license 2 states, 7 cars and 24 years ago. Do you imagine that any skills demonstrated by the person I used to be have any bearing on how I drive today?

In the USA, driver's licenses don't serve their nominal purpose very well. They're used more as an internal passport and a method of control, rather than a way to regulate who gets to drive and who doesn't. All that some state- or nationally-certified "internet license" would do is put in place extremely arbitrary control over who gets to run a server. Security would not increase one jot or tittle.
Re: [Full-Disclosure] interesting?
On Sat, 1 Feb 2003, Gregory Steuck wrote:

> batz == batz [EMAIL PROTECTED] writes:
>
> batz> They use: da/dt = Ka(1-a)
> ...
> batz> Where K is the rate of information spread (based on number of subscriptions to public lists vs. consortiums) 'a' being the proportion of subscribers informed, 't' is hours, and 'd' seems to be iteration?
>
> da/dt is a clear sign of differential equation (which they mention in the paper). So, d is NOT iteration nor is it a factor in da, it's a marker of differential.

Sure, and that particular differential equation has a closed form solution, which I'm sure they also give in the paper.

*But* a lot of differential equations that one finds in practice don't have closed form solutions, or the finder might be too lazy or too stupid to recognize that the particular DE has a closed form solution. In that case, a cheap and dirty method of solution is to make "da" into Delta-a, the change in a, and "dt" into Delta-t, a time increment.

In this example you'd get:

    Delta-a/Delta-t = Ka(1-a)

The change in a (Delta-a) for a time interval (Delta-t) becomes:

    Delta-a = Ka(1-a)(Delta-t)

And after each interval a becomes:

    a = last-a + Delta-a = last-a + Ka(1-a)(Delta-t)

That's really easy to express in a cheap-and-dirty Perl program:

---
#!/usr/bin/perl
use strict;
use diagnostics;

# 10,000 infectable hosts in a 65,535-element (2^16 - 1) address space
my $hosts   = 10000.;
my $K       = $hosts / 65535.;   # infection rate per time step
my $delta_t = 1.;
my $a       = 1./65535.;         # proportion infected at time 0

for (my $i = 0; $i < 135; ++$i) {
    my $U = $hosts * (1. - $a);  # count of hosts not infected
    my $I = $hosts * $a;         # count of hosts infected
    print "$i\t$U\t$I\n";
    # Euler step: a = last-a + K a (1 - a) Delta-t
    $a += $K * $a * (1. - $a) * $delta_t;
}
---

That's 65,535 element address space, (2^16 - 1), with 10,000 actual hosts in the address space. $U contains the count of hosts not infected, $I contains the count of hosts infected. By time step 120, 9,990 out of the 10,000 infectable hosts have been infected.

I believe this is a numerical method for solving differential equations called "Euler's Method".
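An added example, mine rather than the thread's, that carries the two points of this post a step further in Python: it runs the same forward-Euler scheme next to the closed-form solution of da/dt = Ka(1-a), which the post mentions but does not write out, and measures how far Euler's estimate drifts from it at two step sizes. It also makes concrete the point from the Witty discussion above (fully-connected population, no herd immunity): in this model the fraction infected after a given number of steps depends only on K and the starting fraction, not on how many hosts there are, so a small vulnerable population is infected just as completely as a large one. The choice K = hosts/address_space (the chance a uniformly random probe lands on a susceptible host) and a0 = one address out of the space are my assumptions, chosen to reproduce the post's 10,000-host run.

```python
import math


def euler_logistic(K, a0, dt, steps):
    """Forward-Euler integration of da/dt = K*a*(1-a), the scheme used in the
    Perl program above. Returns [a_0, a_1, ..., a_steps]."""
    a = a0
    trace = [a]
    for _ in range(steps):
        a += K * a * (1.0 - a) * dt   # Delta-a = K a (1-a) Delta-t
        trace.append(a)
    return trace


def logistic_exact(K, a0, t):
    """Closed-form solution of the same equation with a(0) = a0."""
    return 1.0 / (1.0 + ((1.0 - a0) / a0) * math.exp(-K * t))


def max_euler_error(K, a0, dt, t_end):
    """Largest |Euler - exact| over [0, t_end] for step size dt.
    Euler is first order, so halving dt should roughly halve this."""
    steps = int(round(t_end / dt))
    trace = euler_logistic(K, a0, dt, steps)
    return max(abs(trace[n] - logistic_exact(K, a0, n * dt)) for n in range(steps + 1))


def simulate(hosts=10000, address_space=65535, steps=135):
    """Reproduce the Perl program's table as (step, uninfected, infected) rows.
    Assumption: K = hosts/address_space (fraction of random probes that hit a
    susceptible host per step) and a0 = 1/address_space (one infected address)."""
    K = hosts / address_space
    a0 = 1.0 / address_space
    trace = euler_logistic(K, a0, 1.0, steps)
    return [(n, hosts * (1.0 - a), hosts * a) for n, a in enumerate(trace)]


def first_step_reaching(fraction, hosts=10000, address_space=65535, steps=135):
    """First step at which at least `fraction` of the hosts are infected,
    or None if that never happens within `steps`."""
    for n, _, infected in simulate(hosts, address_space, steps):
        if infected >= fraction * hosts:
            return n
    return None


if __name__ == "__main__":
    for n, uninfected, infected in simulate():
        print(f"{n}\t{uninfected:.1f}\t{infected:.1f}")
    print("99.9% of hosts infected at step", first_step_reaching(0.999))
    K, a0 = 10000 / 65535, 1 / 65535
    for dt in (1.0, 0.5, 0.25):
        print(f"dt={dt}: max Euler error vs closed form = {max_euler_error(K, a0, dt, 135):.4f}")
```

Running it shows that Euler with a whole-hour step lags the exact curve noticeably in the steep middle of the epidemic and catches up near saturation; that lag is the price of the "cheap and dirty" method and is why shrinking Delta-t matters when the timing of the peak is what you are trying to estimate.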
Re: [Full-Disclosure] format strings on HP-UX
On Mon, 20 Jan 2003 [EMAIL PROTECTED] wrote:

> Are they exploitable? I was looking for a format strings exploit on HP-UX, but couldn't find any. Maybe because they are not exploitable??? If they are, I would appreciate very much if anyone could provide some information about that.

I think that's a pretty good question, and I don't have an answer. Since HP-UX runs on HP's PA architecture, the answer may very well be "no". The PA architecture has a few oddities:

1. What unix people think of as "stack" and "heap" are reversed relative to how they appear in SPARC, Mips, 68k and x86. The stack is at a lower address than the heap.

2. Stack grows up, heap grows down. This, too, is reversed relative to SPARC, Mips, x86, 68k. I think this implies that stack underflows are more exploitable than stack overflows, but I don't really know for certain.

3. The PA architecture is segmented. HP does their best to hush this up and obfuscate it, but there's a SR segment register. I forget exactly how this thing works, but it's *not* like x86. You can only get to a given memory location with 1 combination of SR and 32-bit address. It's possible that stack and heap and .text segment live in different segments.

4. The heap and the stack are typically marked non-executable. I realize this doesn't protect 100% against stack overflows, but it sure makes them harder.

All-in-all the PA architecture is a bit hard to get your head around, if you're used to Mips/SPARC/68k big-endian memory arrangements.
Re: [Full-Disclosure] Trustworthy Computing Mini-Poll
On Sun, 22 Dec 2002, Simon Richter wrote:

> I believe they have thought about this. Trusted software can only be debugged on a special developer machine. My personal favourite would be the carefully crafted DVD, which uses a buffer overflow in a player routine (where people optimize for speed over security anyway). :-)

So, let me get this straight:

(1) TCPA will only protect us against what's traditionally been the least virulent form of computer viruses, file infectors.
(2) TCPA won't help the spam situation.
(3) Only specially licensed machines can run a debugger.
(4) TCPA machines won't allow us to copy arbitrary files - the hardware or something prevents us from copying some "magic" files.

The upshot of #3 seems like you can compile programs only if you've got a special license, but I don't know if the whole thing goes that far.

Why on earth would I pay money for such a deliberately, cynically crippled piece of hardware? Sure, Mr Gates and Mr Grove! I'll pay a thousand dollars for your new Tee Vee... I mean Pee Cee!

You've got to be kidding about all this. Surely a free market won't allow this kind of crippling to take place - it will have to be performed by some kind of government fiat.
Re: [Full-Disclosure] Trustworthy Computing Mini-Poll
On Fri, 20 Dec 2002, Simon Richter wrote:

> On Fri, Dec 20, 2002 at 02:47:59AM +0100, yossarian wrote:
>
>> What features will my new computer have, that will convince me to lose certain options I have right now - playing music, copying what I like, etc?.
>
> I'd say protection from binary viruses and stack overflows, plus if someone breaks into your computer and you have stored your key in a safe place you can tell what she modified. So this would be a definitive must if you're building a server, and I'm asking now whether you would like those features on your home box as well, even if you had to give up DVD copying or get special illegal hardware for it.

I'm sorry, maybe I was sleeping in class... can somebody explain to me how a TCPA machine (as currently hypothesized) would keep stack overflows from happening? Is this a facet of having a "nub" check each and every memory access, and having a stack marked read/write/no execute? Or is my vision not far enough? I'm serious here - I'm not trying to be argumentative, I just want to figure this out so I can evaluate it.

I see that you qualified "protection from *binary* viruses" - the nub sure wouldn't allow a file that a file virus (Staog or something like that) had tinkered with to execute. But file viruses were never a serious threat as far as I can tell (see http://news.com.com/2009-1001-254061.html). The really widespread viruses were boot sector (basically BIOS infectors) and macro (code for Word macro) viruses - right? Not to say that other viruses don't exist, just that those were by far the greatest number in the wild. Now, Outlook viruses (Klez, SirCam, etc) seem like the real problem. Windows 98/ME seem to have enough reliability that people don't reboot with a floppy in place often enough to spread boot sector viruses.

Can someone explain how TCPA might prevent Word macro viruses? It's my understanding that (unlike some Outlook viruses) macro viruses do exactly what a user might do - they don't take advantage of bugs to do their work. The automatic execution of macros in a Word document is the feature that enables macro viruses to spread. How does a TCPA computer prevent that? Users modify Word doc files all the time - TCPA can't stop users from tampering with .doc files and still retain any use for the computer in question.

Outlook viruses seem to either spread via bugs in Outlook or the HTML engine used to render HTML email (part of IE?). How is a TCPA computer supposed to prevent that? A signed application has a bug that allows the signed application's scripting language to do things automatically that the application should only do at a user's behest.

Very honestly, I don't see how a TCPA-crippled computer will help the macro virus or email virus situation. Maybe someone can explain, and I'd really appreciate that. Cause right now I get immunity from Word macro viruses and Outlook viruses by running AbiWord and Pine respectively. I don't need to trade in my Turing-capable machine for something that's crippled in ways that will cause problems we haven't yet foreseen.
RE: [Full-Disclosure] 60 Poot ze-a cheekee in de-a oofee!
On Fri, 11 Oct 2002, David Vincent wrote:

> Even an unmoderated list requires some filtering of abusers. Otherwise, what good is a list charter?

my point exactly.

At first, I thought the "Poot" messages were just spam. But the GOBBLES identity possesses a certain amount of credibility. Now, I believe that GOBBLES is revealing the "multi-platform root exploit" in steganographic fashion, spread out over many list articles. I just can't find anything obvious - the Swedish Chef text part of each "Poot" compares identically with every other one. Perhaps the invalid digital signatures contain the hidden bit(s).