Re: AW: [Full-Disclosure] no more public exploits

2004-04-27 Thread Cael Abal
Baum, Stefan wrote:
IMHO, no sysadmin taking his work seriously will wait to patch the systems
until an exploit is available throughout the internet.
Stefan
(I AM A SYSADMIN)
Cripes, this is the thread that never ends.

What if there were two patches fixing vulnerabilities of equal severity, 
one with a known, published exploit and one without?  Would you give one 
priority (considering that rolling out a patch involves significant 
testing)?  You do perform regression testing, right?

What if you were juggling a slew of very high priority tasks and a patch 
was made available?  Would you drop everything (including those mission 
critical jobs your boss' boss asked you to handle by days end) in order 
to push that patch out the door immediately?

Part of being a good sysadmin (really, being a good /anything/) involves 
being able to perform on-the-fly cost/benefit analyses.  Realistically, 
the lack of a widespread published exploit means an attack on any given 
machine is less likely.  An admin who chooses to ignore these 
probabilities isn't looking at their job with the right perspective.

Take care,

Cael

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Wiretap or Magic Lantern?

2004-04-07 Thread Cael Abal
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
| 2., The terrorists are not stupid, they use strong encryption and there
| is proof that PGP repels NSA.
Hi Tamas,

Although I agree with some of your post, I have to take exception to
this point.  What proof are you referring to?  All conspiracy theories
aside, it's silly to assume that the good guys have approximately the
same levels of technology, knowledge and resources as the bad guys.
Myself, I'll wait until I'm given a tour of the NSA's secret underground
bunkers before I make any claims as to what the NSA can and cannot do.  :)
Cael

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.4 (MingW32)
iD8DBQFAdAnNR2vQ2HfQHfsRAjvOAJ9hBAzHT4CYsJ+kYy1/CDx5rAQEWwCghjcw
R3frpGXlvwhlSORC/jLJaTw=
=hvt0
-END PGP SIGNATURE-


Re: [Full-Disclosure] Re: SEARCH web attack (IP address spoofed?)

2004-04-01 Thread Cael Abal
Martin Maok wrote:
| Anyway, she is (at least) able to spoof any IP address for which she
| is able to see the replies - i.e. almost any other IP address on her
| local network or behind it (say, she controls the router).
This is a very important distinction, one that seems to be frequently
overlooked.
I wonder if it'll ever be brought up in a courtroom?  How can one
demonstrate a certain packet came from a certain computer, when any
number of faceless upstream deviants could conceivably have been
responsible for it?
Cael


Re: [Full-Disclosure] NetSupport School Pro: Password Encryption weaknesses

2004-03-26 Thread Cael Abal
spiffomatic 64 wrote:

The letters are expressed using a hexadecimal type of system. Every 
letter is shown by two characters the first character can be any ascii 
character while the second is in a range from a-p. This works just 
like hex in that ap+1=ba. It's not case sensitive so that also makes it 
easier for kids to get passes. The characters start at EM. So A= EM 
B=EN and so on. Each letter is also added to by the number of letters 
in front of it. So the crypt of aa= EN9O while the crypt of aaa=EO9PA. 
How cute!

Cael



Re: [Full-Disclosure] Administrivia (very OT, but should be addressed)

2004-03-19 Thread Cael Abal

Spiro Trikaliotis wrote:
 Isn't that the reason why there is a Mail-Followup-To (MFT) header
 (http://cr.yp.to/proto/replyto.html)? With this, the sender of a mail
 can decide if he wants a copy of the mail or not.

 If I want to get a copy of the mail in addition to the list, the
 header is set to the list and my address, if I don't want this, I set
 it to the list only.

 Mutt, my MUA, supports the notion of lists and subscribed list. On a
 non-subscribed list, I get a copy of any reply by setting MFT to
 myself, too, while I don't get a copy on subscribed lists.

 Why don't you all just let the user choose which way he wants to go?

[This is way off-topic, but I'm afraid that folks will get the wrong
impression from Spiro's e-mail.]

Hi Spiro,

Unfortunately, last I checked there *isn't* a Mail-Followup-To header.
Even though some mail clients support it, it's nonstandard and some
folks consider it an ugly kludge.

See Keith Moore's plea here:

http://pm-doc.sourceforge.net/pm-tips-body.html#replyto_header

He suggests that adding another mail header will only complicate matters
more, and that Bernstein's MFT concept is inherently broken:

Dan's proposal is intrinsically flawed. It incorrectly assumes that the
sender can reasonably anticipate the recipient's needs in replying to
the message, and that such needs can reasonably be lumped into either
reply or followup. It doesn't solve the real problem, which is that
responders need to think about where their replies go. Mail-Followup-To
won't decrease the number of messages that go to the wrong place.

Please give it a read before you continue to advocate MFT.

Sincerely,

Cael


Re: [Full-Disclosure] Administrivia (very OT, but should be addressed)

2004-03-19 Thread Cael Abal
Dan's proposal is intrinsically flawed. It incorrectly assumes that the
sender can reasonably anticipate the recipient's needs in replying to
the message, and that such needs can reasonably be lumped into either
reply or followup. It doesn't solve the real problem, which is that
responders need to think about where their replies go. Mail-Followup-To
won't decrease the number of messages that go to the wrong place.
 
 But you can at least tell people if you want or need a separate copy
 in addition to what gets sent to the list. People who don't want separate
 copies should be setting mail-followup-to. Even if not all mail clients
 support it some do.

Bruno, did you read the objections raised in that link I provided?  I
know how Mail-Followup-To works.  I also understand there are unresolved
problems with it.

Here's that link again:

http://pm-doc.sourceforge.net/pm-tips-body.html#replyto_header

This will be my last post on the subject, but please consider that MFT
is *not* a standard (and as far as I know hasn't shown up in an RFC
since the late '90s), supported by only a handful of MUAs...  And the
(default), polite course of action has historically been not to CC folks
in mailinglist posts.

Enjoy your weekend,

Cael



Re: [Full-Disclosure] Ancient Trivia: +++ath0

2004-03-18 Thread Cael Abal

Alexander Bochmann wrote:
 Quite funny how much time has been wasted rediscovering
 this feature over and over again in the last years.

Indeed -- I half expect to see some leet 0day exploits involving ANSI
key remapping.

Cael


Re: [Full-Disclosure] DELL 1600 and 1650 potential fire risk

2004-03-15 Thread Cael Abal
Chris Cozad wrote:
 Has anyone experienced any of the supposed problems with the Dell 1600
 and 1650 servers? Apparently a percentage of these servers shipped early
 last year have a fault on the motherboard, whereby the video chip
 actually burns up in a huge cloud of smoke.
  
 We are getting conflicting reports out of Dell, depending who we talk
 to. The support technicians have all said they have seen 3 or 4 of these
 failures each over the past 6 months or so, but our account manager kind
 of glosses over the problem.

Hi Chris,

Personally, if my office and everyone in it was conceivably in peril of
imminent destruction by raging inferno I don't think I'd let my account
rep 'gloss over' the problem.

Do you not like your co-workers?  :)

Take care,

Cael



Re: [Full-Disclosure] Book of unreleased exploits?

2004-03-12 Thread Cael Abal
c0hiba wrote:
 here is something i found on dave aitel using that google search engine
 thing..
 
 http://groups.google.com/groups?q=birth+of+a+gay+slut&hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=544eli%249704151525%40qz.little-neck.ny.us&rnum=1
 
 --c0hiba

Interesting, you posted this same link to FD four months ago.  Are you
trying to tell us something?

http://lists.netsys.com/pipermail/full-disclosure/2003-November/014070.html

Cael



Re: [Full-Disclosure] Meth and hacking?

2004-03-11 Thread Cael Abal

[EMAIL PROTECTED] wrote:

 Hang on a minute. How can you steal public encryption keys? They are
 useless if they aren't freely available anyway!

 Now private encryption keys is another matter.

Hi John,

You're mistaken -- there are tools in the wild RIGHT NOW that make
stealing public keys trivial...  In fact it can be done via several web
browsers!

http://pgpkeys.pca.dfn.de:11371/pks/lookup?search=0x77D01DFB

We're doomed!

Cael


Re: [Full-Disclosure] Comcast using IPS to protect the Internet from their home user clients?

2004-03-10 Thread Cael Abal

TooManyMirrors wrote:
 My Terayon (cable modem) went out for nearly two days and then
 magically came back on after a tech appointment was made. No change in
 the setup or anything.

Solar flares.

C


Re: [Full-Disclosure] Caching a sniffer

2004-03-10 Thread Cael Abal

Ian Latter wrote:

 While there's no way to be sure-sure ... you can get into your
 local LAN segment and send ICMP(/whatever) requests to the
 correct L3 address with the wrong L2 address and see if you
 get a response; this will show you if hosts/devices are listening
 promiscuously (which makes for a good starting point).

Not necessarily?

I thought that depended on the ip stack implementation.

Cael


Re: [Full-Disclosure] Counter-Attacking hackers? (wtf)

2004-03-08 Thread Cael Abal

phased wrote:

 I think personally they are on crack, it sounds very controversial

 While other companies offer only passive defense barriers, Symbiot
 provides the equivalent of an active missile defense system. 

 I am sure any responsible organisation would not want to run such a
 product, for a start such a product is surely illegal in most
 countries and an organisation has enough aspects to consider in its
 daily management without worrying about waging wars with malicious
 attackers

OF COURSE your average skript kiddie versus Symbiot experience will go
like this:

1) Kiddie probes/attacks Symbiot-protected network.

2) Symbiot-protected network retaliates, temporarily bringing down
kiddie's computer.

3) Kiddie learns her lesson and decides to put aside her Evil Ways,
instead turning to making macrame jewelry and wall hangings.

Cael


Re: [Full-Disclosure] ASP script using OpenTextFile

2004-03-08 Thread Cael Abal

Paul Tinsley wrote:
 Need some help from those out there versed in windows.  I am auditing
 an ASP based (VBScript) application which uses OpenTextFile as
 follows:

 Set f = fso.OpenTextFile(sLeadingPath + paramPageToRender + ".xsl",
 ForReading)

 I have been able to ../../../../ all over the place, but it only
 allows me to pick up files ending with .xsl.  I would like to print
 the contents of a non .xsl file to prove that not checking paths
 properly is a large issue.  But I have had no luck making it ignore
 the .xsl I have tried ../../foo.txt%00 ../../foo.txt%0a
 ../../foo.txt%0d.  But none of these seem to be working for me, does
 anyone know of a good way to end the file where I want and have it
 ignore the .xsl tacked on the end of the filename to be opened?  Any
 help is greatly appreciated.

Hi Paul,

You're right to raise concerns about this sort of code.  Consider this
example:

---snip---

sLeadingPath = "C:\"
' Chr(0) is VBScript's NUL; everything after it is dropped once the
' string reaches the underlying Win32 file API as a C string.
paramPageToRender = "passwords.txt" + Chr(0)

Set fso = CreateObject("Scripting.FileSystemObject")
' The appended ".xsl" lands after the NUL, so C:\passwords.txt is opened.
Set f = fso.OpenTextFile (sLeadingPath + paramPageToRender + ".xsl", 1)

WScript.Echo (f.ReadAll)

---snip---

You had the right idea, you only needed to figure out how VBS represents
\0.  As you know, because strings are terminated with the null
character, the final string concatenation performed within
OpenTextFile() is disregarded.

Cheers,

Cael

(Heh, fear my leet VBS skills.)


Re: [Full-Disclosure] ASP script using OpenTextFile

2004-03-08 Thread Cael Abal

Whoops.  Offhand I couldn't tell you how to get Chr(0) or vbNullChar
into a string without modifying the .vbs -- my mistake.

Looks like you don't have to fear my leet vbs skills after all.  :)

Cael
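The OpenTextFile problem from the two messages above, rebuilt as an added example (this is not code from the thread or from the audited application): the same "leading path + parameter + forced extension" pattern, a view of what a C-string-based file API sees when the parameter carries a NUL, and a hardened version that allow-lists the page name and confirms the resolved path stays under the base directory. The directory names, parameter values and helper names are constructed for the demo; nothing here reads a real file.

```python
"""Added example (not from the original thread): the OpenTextFile pattern
discussed above, rebuilt in Python so the two failure modes can be run
side by side: traversal with a forced ".xsl" suffix, and the null-byte
truncation trick.  Paths and parameter values are constructed for the
demo; nothing here touches the real filesystem."""
import os
import re

EXT = ".xsl"
# Allow-list: a page name is a bare identifier, nothing else.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def vulnerable_path(leading_path: str, param: str) -> str:
    """sLeadingPath + paramPageToRender + ".xsl", exactly as in the thread.
    No validation: '../' walks out of the directory, and a NUL in `param`
    makes a C-string-based runtime drop the suffix entirely."""
    return leading_path + param + EXT


def c_string_view(path: str) -> str:
    """What a Win32 API receiving this string as a C string sees: everything
    after the first NUL is ignored.  Python itself refuses such paths (see
    open_guarded), which is why the trick needs an older runtime to land."""
    nul = path.find("\0")
    return path if nul == -1 else path[:nul]


def hardened_path(base_dir: str, param: str) -> str:
    """Reject anything that is not a plain page name, then confirm the
    resolved path is still inside base_dir.  Raises ValueError on failure."""
    if "\0" in param or not SAFE_NAME.match(param):
        raise ValueError("page name rejected")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, param + EXT))
    # commonpath compares whole components, so "base_dirX/..." cannot pass.
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes base directory")
    return target


def open_guarded(path: str) -> str:
    """Python 3 rejects embedded NULs in filenames with ValueError; report it
    rather than crashing so the caller can log the attempt."""
    try:
        with open(path, "r", encoding="utf-8") as f:
            return f.read()
    except ValueError:
        return "<rejected: embedded NUL>"


def demo() -> dict:
    """Runs the attacker inputs from the thread against both versions."""
    results = {}
    traversal = "../../foo.txt"
    nul_trick = "passwords.txt\0"
    results["vuln_traversal"] = vulnerable_path("C:\\app\\xsl\\", traversal)
    results["vuln_nul_as_c_string"] = c_string_view(
        vulnerable_path("C:\\", nul_trick))
    for name, value in (("traversal", traversal), ("nul", nul_trick)):
        try:
            hardened_path("/srv/app/xsl", value)
            results["hardened_" + name] = "allowed"
        except ValueError as e:
            results["hardened_" + name] = str(e)
    results["hardened_ok"] = os.path.basename(hardened_path("/srv/app/xsl", "index"))
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The allow-list does the real work here; the realpath/commonpath check is defence in depth for the case where a later change loosens the regex. Note that the Python runtime will not reproduce the NUL truncation itself (open() raises ValueError), so c_string_view only models what the thread describes for the VBScript/Win32 case.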


Re: [Full-Disclosure] Re: E-Mail viruses

2004-03-05 Thread Cael Abal

 Methinks you misunderstand.  Only the proprietary extension, i.e. .inc
 or .xyz or .whatever, would be allowed through, and since virus
 writers would never use this extension, it would eliminate ALL viruses
 at the gateway. The nice thing about this approach is that it
 completely eliminates the need for any anti-virus on the mail server
 since all virus attachments are automatically dropped without the need
 for scanning.  Quite a simple, yet elegant solution, if I do say so
 myself.

Curt,

Interesting idea, provided your org is not specifically targeted --
although admittedly none of the currently-touted solutions would do much
against a direct attack.

Personally I'd dispute this solution's elegance, anything which requires
substantial user behaviour change (and doesn't drastically improve the
virus/worm situation across the board) is an ugly kludge.

Cael



Re: [Full-Disclosure] E-Mail viruses

2004-03-05 Thread Cael Abal

Curt Purdy wrote:

 Personally I'd dispute this solution's elegance, anything
 which requires substantial user behaviour change (and doesn't
 drastically improve the virus/worm situation across the board)
 is an ugly kludge.

 I would say that completely eliminating all virus infected
 attachments, past/present/future without any further interaction by IT
 dramatically improve the virus/worm situation across the board.

The problem is, though, you're training your users and customers (likely
at significant expense) to use some bizarre munging method to satisfy
the whims of your particular mail gateway.

Although it will stem the flow of incoming automated worms/viruses on
your end, this will not help reduce virus/worm propagation anywhere else.

This, to me, is not what I would call dramatically improving the
virus/worm situation across the board.

Think about the implementation nightmare.  What will you do when someone
attempts to send an attachment to one of your users?  Will you fire off
an automated response, instructing them to use your .xyz solution?  How
will you prevent sending notifications to forged From: addresses?

Will you instead simply silently kill all attachments, passing the body
of the message -- that's ugly too, it requires the recipient to notify
the sender their attachment was blocked, describe your solution to them,
and hope the attachment gets resent.  Do you trust your users to
accurately describe file renaming to other users?  Are your users
comfortable with the variety of OSes still out there?  Are your users
smart enough to realize they shouldn't start renaming attachments they
send to other folks?

Also, keep in mind your users will still get hammered by all those
annoying e-mail virus/worm messages (sans executables), unless you also
continue to implement an anti-virus scanner.  Didn't you hope to be rid
of that?

Finally, what if you decide to change procedure in the future?
Everything you've taught your users is completely useless to them, all
that time and effort ends up being a complete writeoff, and you'll have
to *untrain* them all.

Your idea is interesting and certainly deserves further thought and
discussion, but it's no panacea.  Instead of implementing this
particular solution (with all its costs), I'd instead recommend Old
Faithful:

1) Continue following industry Best Practices.
2) Educate your users as best you can.

In my mind this is much, much better (for everyone) in the long run.

Sincerely,

Cael



Re: [Full-Disclosure] Backdoor not recognized by Kaspersky

2004-03-03 Thread Cael Abal
Another variant against the Netsky virus. It is packed with
UPX. It spreads with a password protected zip file, which
gets past almost all the AV scanners with the latest signature
updates because no AV can decrypt it without the password
(though the password is in the message content), and we humans
tend to open it after reading the message.
Kaspersky, NAI and possibly some other AV vendors now parse the password 
from the body of the email to extract the zip and then scan it. 
Obviously this only helps if it can scan the complete email, i.e. on the 
mail server. They might need to adapt to new variations of how the 
password is included in the body, which will take some analysis when new 
variants emerge.
Does anyone else find this new development a bad idea?

I'm of the mindset that anti-virus companies should stick with what 
they're good at -- namely, detecting and handling infected files.  It 
seems a bad idea to start down the natural language processing road. 
Are they scanning just for Bagle/Beagle style e-mail, or are their 
methods more general?  What about messages of the form:

'Password is a long yellow fruit enjoyed by monkeys.'

What about messages in languages other than English?  I can easily see 
this becoming an arms-race, and one the anti-virus folks have no chance 
of winning.

Leave passworded .zips alone -- take the sensible approach and catch an 
infected file once it's been extracted.

Cael



Re: [Full-Disclosure] Backdoor not recognized by Kaspersky

2004-03-03 Thread Cael Abal

 McAfee now detects the password protected zip files.  (There are other
 things you can look for besides trying to decrypt the contents of the
 zip file.  Also, zip passwords are weak and easily broken anyway.)

Zip files may be /relatively/ easy to brute force, sure, but there's no
way I'm turning my mail gateway into a dedicated .zip cracking box.
That's insane.

As I mentioned, passworded .zip handling is an arms-race I hope
anti-virus folks decide not to get embroiled in.

It would be trivial to generate a file_id.diz (or readme.txt, or add zip
comments, etc.) in order to skirt checksum / file size checks.  It would
be trivial to harvest plausible file names from a victim's computer to
avoid filename matching checks.

The only reasonable check would be what Bart suggests, but I'm not
comfortable blocking all passworded .zip files containing an executable.
   Who knows, I might have to change my mind.

Cael



Re: [Full-Disclosure] Backdoor not recognized by Kaspersky

2004-03-03 Thread Cael Abal

 Cael...take a more sensible approach...no password parsing to scan
 needed...have the AV/mail gateways stop any zip with any executable
 inside. You don't need to use the password to see that there is an
 .exe/.scr/.com/.whatever inside a zip.  You see it, you nuke the zip.
 If your policies allow zipped executables to meander through your mail
 system as long as they pass a virus scan, you must have damned busy 0
 days.  This ain't complicated...at all.

Hi Bart,

Interesting suggestion but I'm not prepared to arbitrarily kill any
zipped executable (even just those which have been passworded).  I'm
just not comfortable with the false-positives.

Historically, passworded .zip files have been the only remotely
acceptable way to e-mail executables.  I'm hesitant to give that up.

I'd still rather allow all passworded .zips and rely on the client's AV
to nab it.

take care,

Cael

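Bart's check from the three messages above, written out as an added example (not code from the thread or from any AV product): the ZIP central directory stores member names, sizes and the per-entry "encrypted" flag in the clear, so a gateway can see that a passworded archive contains an .exe without ever knowing the password. The two archives are constructed in memory by hand, because the standard zipfile module cannot write encrypted entries; the "encrypted" one carries random bytes in place of real ciphertext, which is enough for listing since nothing is decrypted. Suffix list, sample file names and helper names are mine.

```python
"""Added example (not from the thread): Bart's check implemented against
the ZIP central directory.  Member names and general-purpose bit 0 (the
'encrypted' flag) are stored unencrypted, so listing needs no password.
The archives below are constructed for the demo."""
import io
import os
import struct
import zipfile
import zlib

EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js")
ENCRYPTED_FLAG = 0x0001


def build_zip(members, encrypted=False) -> bytes:
    """Write a minimal stored (method 0) ZIP by hand so the encryption flag
    can be set.  For 'encrypted' entries the data is prefixed with the
    12-byte traditional PKWARE crypt header, here just random bytes."""
    flags = ENCRYPTED_FLAG if encrypted else 0
    local, central, offset = bytearray(), bytearray(), 0
    for name, data in members:
        body = (os.urandom(12) + data) if encrypted else data
        crc = zlib.crc32(data) & 0xFFFFFFFF
        nm = name.encode("ascii")
        # Local file header: sig, version, flags, method, time, date,
        # crc, compressed size, uncompressed size, name len, extra len.
        lh = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0,
                         crc, len(body), len(data), len(nm), 0) + nm
        # Central directory header: same fields plus comment len, disk,
        # internal/external attributes and the local header offset.
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0,
                               0, 0, crc, len(body), len(data), len(nm),
                               0, 0, 0, 0, 0, offset) + nm
        local += lh + body
        offset += len(lh) + len(body)
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(members), len(members),
                       len(central), len(local), 0)
    return bytes(local + central + eocd)


def risky_members(zip_bytes: bytes):
    """Return (name, encrypted) for every member whose name ends in an
    executable suffix.  Only the central directory is read; no password
    and no decryption are involved."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # Windows drops trailing blanks and dots when opening a name,
            # so normalise them away before checking the suffix.
            name = info.filename.rstrip(" .").lower()
            if name.endswith(EXECUTABLE_SUFFIXES):
                found.append((info.filename, bool(info.flag_bits & ENCRYPTED_FLAG)))
    return found


def gateway_decision(zip_bytes: bytes, block_all_executables: bool) -> str:
    """block_all_executables=True is Bart's rule: any executable inside the
    archive means 'block'.  False is the narrower rule discussed in the
    thread: block only executables that are also password protected, the
    one case a signature scanner can never look inside."""
    risky = risky_members(zip_bytes)
    if not risky:
        return "allow"
    if block_all_executables or any(enc for _, enc in risky):
        return "block"
    return "allow"


# Constructed samples: a Bagle/Netsky-style lure, a harmless archive, and a
# plain (unencrypted) zip carrying a screensaver with a padded name.
LURE_ZIP = build_zip([("photos.exe", b"MZ" + b"\0" * 62)], encrypted=True)
CLEAN_ZIP = build_zip([("notes.txt", b"meeting at ten\n")])
PADDED_ZIP = build_zip([("readme.txt" + " " * 40 + ".scr   ", b"MZ")])

if __name__ == "__main__":
    for label, z in (("lure", LURE_ZIP), ("clean", CLEAN_ZIP), ("padded", PADDED_ZIP)):
        print(label, risky_members(z), gateway_decision(z, True), gateway_decision(z, False))
```

One caveat a gateway author should keep in mind: the local file header carries its own copy of the name and flags, and extractors differ on which copy they trust, so a stricter filter should parse both and block on any disagreement rather than relying on the central directory alone as this example does.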


Re: [Full-Disclosure] a question about e-mails

2004-02-28 Thread Cael Abal
 ok, it can be.
 please could someone send an message with bcc to this list, so we
 could analyze it.
 use the subject: bcc line
 regards nico
Please drop this thread.  It's embarrassing.

C



Re: [Full-Disclosure] Job Opening in Maryland for Security Researcher

2004-02-25 Thread Cael Abal
[EMAIL PROTECTED] wrote:

I have a job opening for a computer scientist with an interest in computer security...

Thank you!

David Stein
Systems Vulnerability Analyst
General Dynamics Advanced Information Systems
[EMAIL PROTECTED]
Psst:  If you're going to be posting job offers on public mailinglists, 
perhaps you should consider taking Comcast up on their '8 e-mail 
addresses' offer.  If you're lucky, [EMAIL PROTECTED] is still 
available.

I can picture the receptionist's face now.  Hi, this is in response to 
a job posting made by a guy named Brass Balls.  Hello.  Hello?

C



Re: [Full-Disclosure] CISSP Study material

2004-02-19 Thread Cael Abal
jacobjango wrote:

 Blank
 hi list,

 I am preparing for CISSP and looking for study material.

 Thanks in advance.

 jacobjango
Someone posting in HTML to a mailinglist, using OE, preparing for the
CISSP exam.
/me shudders

C



Re: [Full-Disclosure] GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution

2004-02-18 Thread Cael Abal
morning_wood wrote:
| A security researcher, who only identified himself by the initials
| gta,posted information on the vulnerability to several security
| mailing lists.
|
| one down... how many more are out there?
|
| and 'yall thought that post was unconfirmed. muhahah
I'm the guy who called the vulnerability unconfirmed -- at the time, it
was.  What's the big deal?
It's prudent to use words like 'supposedly' or 'possibly' when you're
working from second-hand information, especially from an unsigned
anonymous hushmail post like gta's.  I didn't have the means nor desire
to test it at the time, so I left it at that.
To be honest, I'm a bit concerned that we've only seen one
publicly-released exploit so far.
C


Re: [Full-Disclosure] InfoSec sleuths beware, Microsoft's attorneys may be knocking at your door

2004-02-18 Thread Cael Abal
| There are clear, admitted cases of reverse engineering by vulnerabiity
| researchers, which are prohibited by EULA, and which MS has so far
| declined to pursue.  Why should this be different?  MS afraid the EULA
| restrictions wouldn't hold up?
Unless the individual who downloaded the leaked source clicked an 'I
agree not to do anything naughty with this source' button, EULAs have
nothing to do with this particular issue.  Similarly, it could be argued
that trade secrets are no longer trade secrets once they reach the
public -- so I guess that leaves Microsoft in the same boat as the MPAA
and the RIAA, trying to prevent copyright infringement?
Incidentally, the MS press release says the leak was not the result of
any breach of Microsoft's corporate network or internal security, nor is
it related to Microsoft's Shared Source Initiative or its Government
Security Program...
So, if it wasn't a breach of security and the leak wasn't through their
Shared Source Initiative partners, what else is left?
http://www.microsoft.com/presspass/press/2004/feb04/02-12WindowsSource.asp

C


Re: [Full-Disclosure] trust? - win2k source code tools

2004-02-16 Thread Cael Abal
Sander wrote:

| Hi,
|
| am i right, that if this really works, it's not only a problem for
windows
| users, but for everyone surfing the internet?
|
| kick me if i'm wrong.. but that wouldn't be cool! :-)
|
| cheers,
| sander.
Nope, it sounds like the parent poster found tools to apply digital
signatures to binaries -- different from SSL certificates.
If you're running WinXP, check the properties of files found in this dir
for some examples:
C:\WINDOWS\RegisteredPackages\

C



Re: [Full-Disclosure] http://federalpolice.com:article872@1075686747

2004-02-15 Thread Cael Abal
| It has come to my attention that you are being under the police
| investigation.
| Is that true? Have you really commited such crimes?
|
| Please read the following article located at:
|
| http://federalpolice.com:[EMAIL PROTECTED]
MS04-004 just can't propagate fast enough to satisfy me.

C

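What the lure URL in the subject line above actually points at, as an added example (not code from the original post). Before MS04-004, Internet Explorer honoured user:password@host in HTTP URLs, so http://federalpolice.com:article872@1075686747 showed "federalpolice.com" in the address bar while fetching from the host after the "@", written here as a decimal dword. The code below splits the decoy from the real destination and expands single-number IPv4 forms; the helper names and the "suspicious" heuristic are mine, and the second test URL is constructed.

```python
"""Added example (not from the original post): separate the decoy shown
before '@' from the host a browser will really connect to, and expand a
dword-encoded IPv4 address to dotted quad.  Helper names are mine."""
from urllib.parse import urlsplit


def dword_to_dotted(host: str) -> str:
    """Expand single-number IPv4 forms (decimal or 0x-hex) to dotted quad;
    return ordinary hostnames and dotted quads unchanged."""
    h = host.strip("[]")
    try:
        value = int(h, 16) if h.lower().startswith("0x") else int(h, 10)
    except ValueError:
        return host  # a normal hostname, or already dotted
    if not 0 <= value <= 0xFFFFFFFF:
        return host
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def real_destination(url: str) -> dict:
    """Return the decoy text before '@', the raw userinfo, the true host
    (dword expanded) and a spoof flag: userinfo is present and its 'user'
    part looks like a hostname rather than a login name."""
    parts = urlsplit(url)
    userinfo = parts.netloc.rpartition("@")[0]  # '' when there is no '@'
    host = dword_to_dotted(parts.hostname or "")
    decoy = userinfo.split(":", 1)[0]
    suspicious = bool(userinfo) and ("." in decoy or decoy.lower().startswith("www"))
    return {"decoy": decoy, "userinfo": userinfo, "host": host,
            "suspicious": suspicious}


if __name__ == "__main__":
    # The URL from the subject line, plus a constructed ordinary one.
    for u in ("http://federalpolice.com:article872@1075686747",
              "http://www.example.com/path"):
        print(u, "->", real_destination(u))
```

The same split is what a mail filter or proxy log parser wants: log and alert on the host after the "@", not on the string the user was meant to read. Dword and hex forms are only two of the encodings IE accepted at the time; dotted-octal and mixed forms would need the same treatment.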


Re: [Full-Disclosure] GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution

2004-02-15 Thread Cael Abal
| .. Rggghhhttt.  Way to go, using a signed integer for an
| offset.  Now all we have to do is create a BMP with bfOffBits > 2^31,
|
| I would caution everyone against assuming that this code has not
| been altered since it left the confines of Redmond. If I were
| to steal Microsoft code and release it to the Internet, I'd be
| tempted to make a few strategic modifications first, just to
| stir things up.  Especially if I were, shall we say, not exactly
| a Microsoft fan...
Interesting point, but keep in mind the original author also included a
POC which (reportedly, unconfirmed) affected IE5.  That'd suggest it is
indeed Redmond code.
C



Re: [Full-Disclosure] Windows 2000 Source Leak Verified. Get ready for the havoc.

2004-02-14 Thread Cael Abal
| are they actually .asm, .c files and .h files in them ?
|
| or whatever lang was used to code windows?
As opposed to literally being 'blueprints' as reported by virtually
every major news source?
That's a bit of a pet peeve of mine -- writers who don't quite
understand what they're writing about and/or feel the need to make (bad)
analogies in order to get an idea across.
This bothers me because I can only consistently call them on it when
they're discussing tech-related topics...  I realize they're likely
doing exactly the same thing when discussing things I'm not
knowledgeable about.
Cael


Re: [Full-Disclosure] Windows 2000 Source code .torrent

2004-02-13 Thread Cael Abal
| I would like to recall 99% of what peer to peer tools are sharing are
| illegal copies.
|
| We are sure this is not the case here, but I would not encourage people
| to install BitTorrent or similar P2P tools (eMule, mlDonkey, Kazaa, ...)
| on their systems.
|
| Even if they are honest, a misconfiguration could share their private
| data or some spyware could be installed.
|
| Could you please simply tell us what file is behind this hash?
Let me guess, you work for your country's music/movie industry, don't
you?  :)  I would definitely question your sources for that 99% figure.
Although I would agree with you regarding other p2p clients, BitTorrent
is not like the rest.  There's no shared folder visible to all -- you
make available to other BitTorrent users only that file you're currently
downloading.
I don't know how much you trust random anonymous folks on FD, but I find
BT relatively benign.
Cael
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.3 (MingW32)
iD8DBQFALUDsR2vQ2HfQHfsRApfMAJ47RQc2htbtt8JGjJAgMKzyBesY9wCfdm99
DIE69k1HbwrZvRxb6ykeFZo=
=MrwA
-END PGP SIGNATURE-


Re: [Full-Disclosure] Microsoft confirms source code leak

2004-02-13 Thread Cael Abal
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
| This may be true where WIN OS based box is deployed in a
| commercial environment. However, I think their EULA is trumped
| by the new US Federal Regulations (HIPAA, DHS, CFR, etc)...
This definitely should be the case, but we'll see.

Personally, I'm amazed that EULAs / click-through licences have any
force of law whatsoever.
It's off-topic for the list, but here's a well-written article on EULAs
by Jim Rapoza. His paper hits on most of the major points and serves as
a fairly good primer for Aunt Betty.
http://www.eweek.com/print_article/0,3048,a=111018,00.asp

C

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.3 (MingW32)
iD8DBQFALT+OR2vQ2HfQHfsRAo8jAJ9wafjYzhnjKprBhUm34onUT6E/0wCfYEmc
Waxg5ARDXjx+6mj6tJgdZzA=
=3J8s
-END PGP SIGNATURE-


Re: [Full-Disclosure] Removing Fired admins

2004-02-12 Thread Cael Abal
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Michael T. Harding wrote:

| Anybody know of a checklist or guide to removing access across the entire
| organization for a retired admin?
| Mixed environment including Linux, Unix, Windows, Cisco, Nortel
Wow.  Nightmare.

I would expect this is exactly what you didn't want to hear, but you're
in an awfully scary situation.  Imagine every sneaky thing a cracker
could do -- subvert your IDS, implement Ken Thompson-esque
login/compiler bugs, etc... And then consider that they might've
happened any time in the past few years and have by now completely
infiltrated your backup media.
Good luck.  You're really at the mercy of your (ex) admin.  All you can
hope to do is take care of the obvious stuff -- disable his accounts,
change the passwords of any shared accounts / devices, etc.
The alternative (if you can call it that) is to treat your network as
though it was compromised and go from there.
One choice is relatively inexpensive, the other will result in a network
you might be able to trust.
take care,

Cael

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.3 (MingW32)
iD8DBQFALE8kR2vQ2HfQHfsRAiolAJ41aFarNC7bLN6v053o/aiTrvqJ9ACg13u5
43iaIpkz0zjXMbpj0wJSrTE=
=YPoR
-END PGP SIGNATURE-


[Full-Disclosure] Security Watch Essay (was: (no subject))

2004-02-11 Thread Cael Abal
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
roberta bragg wrote:
| Here's an opportunity to be heard by a number of security interested
| people, many of whom don't subscribe to this list:
Just a heads-up to anyone considering responding to this call for
submissions:
The 'MCP' in 'MCP Magazine' stands for 'Microsoft Certified
Professional'.  The blurb next to the first News entry found at
http://www.mcpmag.com/security/ says this:
Microsoft Beefs up Online Security Offerings
Perhaps no company in the industry is working harder than Microsoft at
making sure the public knows what steps to take to secure its products.
Their slant isn't subtle.  Although I sincerely hope this isn't the
case, I have a worrying suspicion that all we're going to see in
Wednesday's commentary by Ms. Bragg will be the fringe element, the
lunatics and kiddies hoping to see their names in the (virtual) paper.
Sadly, I just can't see a newsletter like Security Watch seriously
taking Microsoft to task for their security practices.
By all means respond, but please don't make the security community out
to be idiots.
Cael
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.3 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFAKr0nR2vQ2HfQHfsRArgHAKCLyvDWTtVD7ZeXSC4Ic0U6yrlRZwCgpUPu
6TNDTy7BNYkGgu0fwtaetU4=
=GRWR
-END PGP SIGNATURE-


Re: [Full-Disclosure] Virus infect on single user

2004-02-09 Thread Cael Abal
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
| Spybot Search and Destroy is much better.
|
| I find that you should run both spybot SD *AND* adaware together
| for the best possible adware/malware/spyware protection. they both
| catch stuff that the other does not. between the two though, you
| get rid of EVERYTHING.
CHS,

It's entirely plausible that neither adaware nor spybot might detect
a particular piece of malware.  'Everything' (especially in
all-caps) is an awfully strong word.
Won't someone please think of the invisible pink unicorns?

C

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.3 (MingW32)
iD8DBQFAKCjKR2vQ2HfQHfsRAskaAKCJmDSHiE61E/ZzLU+Ee9KfY+Oh+QCgpQMN
vRIxDYCOq4FNsFOjyNuqCpM=
=X2ob
-END PGP SIGNATURE-


Re: [Full-Disclosure] Apparently the practice was prevalent

2004-02-09 Thread Cael Abal
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
I'm of the opinion that reinterpreting these particular ancient RFCs
is really of no practical use and that this thread probably deserves
to die a quiet death.
The fact of the matter is, regardless of what the RFCs have to say
about the subject, Microsoft's abandoning of the username:password
http/https feature should drastically hinder an entire class of
inelegant phishing schemes.  This is a good thing.
The patch will also act as another (albeit tiny) nudge away from the
tradition of passwords saved and used in-the-clear, which is also a
good thing.
Does anything else really need to be said?

C
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.3 (MingW32)
iD8DBQFAKE92R2vQ2HfQHfsRAkFtAKDFcJ066Y2tZyywnC7PArwedVezdwCeJPfO
cRPsvmzrtG/B0qbxoxROFec=
=Bd96
-END PGP SIGNATURE-


Re: [Full-Disclosure] Interesting side effect of the new IE patch

2004-02-05 Thread Cael Abal
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
| They, fiat and others that used the M$ non-standard as a basis upon
| which to build, deserve exactly what they decided to buy into and not
| really research.  That's what a company gets for buying into the tales
| their local-sales-lizard spews and thinking all those polished and
| glossy brochures are dead set facts.  They need to re-evaluate their
| lack of a 'grains of salt' procurement processes.
It amazes me what sorts of supremely goofy ideas come to fruition --
http://[EMAIL PROTECTED] ?  That was a horrible idea, and the tech person
who signed off on it absolutely deserves the wrath of Fiat.
Just because you may be able to power up your computer by shorting a
pair of contacts on your motherboard with a paperclip doesn't mean
you should.
Cael
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.3 (MingW32)
iD8DBQFAIw/5R2vQ2HfQHfsRApzzAJ9oAhcC806zQy9G0I8zLjTmBxjBoACfQiqW
Kx1f/yIAxHzCFVWAkHq8XgM=
=WJel
-END PGP SIGNATURE-


Re: [Full-Disclosure] Culprit Bio: Perfect Storm Averted or Just Ahead?

2004-01-29 Thread Cael Abal
..Oh...please. Not too hard to track down?! :D

I know at least 10 people who are capable of all the things you mention
(well..except forth.. I only know two of those..)
Really?  What are their names?

/me shoulders his pitchfork and brandishes a torch menacingly

Cael



Re: [Full-Disclosure] Culprit Bio: Perfect Storm Averted or Just Ahead?

2004-01-29 Thread Cael Abal
Henrik Persson wrote:
Do you really think that a person who knows forth and assembler and has
great knowledge in the field of low-level worm production would be that
stupid? I think not.
As Frank Knobbe said, you just swallowed hook, line and CVS tag. :D
Hi Henrik,

8086 asm and Forth knowledge, although less common these days, isn't 
necessarily an indicator of shining intelligence or insight.  And as 
for your 'great knowledge' comment -- the sad reality is this: It 
really doesn't take a whole lot of skill to implement a Windows worm.

It's a bit presumptuous to say with any certainty the cvs tag was a 
plant -- people make dumb/costly mistakes.  Personally, I could care 
less about whether or not the mydoom author is caught -- there are 
thousands of kids ready to take his/her spot.

Cheers,

Cael



Re: [Full-Disclosure] Microsoft's fix for URL containing username:password@ obfuscation

2004-01-28 Thread Cael Abal
Zach Forsyth wrote:
And for people saying don't use IE, if you aren't the sole admin on the
server you don't have the choice to install other apps.
Believe me if I could install something else I would just put a real ftp
app and firebird on there and not have to ask silly questions on FD.
Please tell me you don't do a lot of web browsing from your server.

IE being required on a Windows server (for SUS management, etc.) is 
one of my pet peeves -- but folks who browse the internet from their 
server actively freak me out.

(This isn't directed specifically at you, Zach, but to people who 
play Russian roulette logged in as a domain admin.)

C



Re: [Full-Disclosure] Anti-MS drivel

2004-01-22 Thread Cael Abal
Why is it possible that a user is able to make this mistake?
Oh COME now! Are you so INSULAR that you don't realise the real world? My
wife works for a MENSA member, a recognised genius who would likely have
more brain capacity than most people in the world. He doesn't have a CLUE how
to secure his computer. WHY? He isn't in the least INTERESTED in computers
outside of using them to do his work on. Oh and BTW, his work, nothing to do
with computers other than using them as a tool, made him a
multi-millionaire. Why the HELL should this guy, according to you, *HAVE* to
know what he is doing with a computer. He, likely, has more money than you
and I put together EVER will have unless one of us wins over 300 million US
dollars. In my book, this guy is devoting his time the best way possible.
Learning what to do with computers to the extent where he can lock it down
is actually financially irresponsible to him. He can PAY someone US$200 an
hour to do that and per hour STILL come out in front by a LONG shot.
What IS it with computer/I.T. professionals (or those who know as much even
if not so employed) that they think just because THEY know how to do it,
everyone SHOULD know? Not everyone is INTERESTED and not everyone thinks it
Greg,

I just wanted to break in here and suggest you reread Tobias' last few 
posts -- he's not arguing the position you seem to think he is. 
Actually, he's arguing almost completely polar to what you're 
attributing to him.  Are you trolling?

If I understand him correctly, Tobias is simply suggesting that users 
ought not be held accountable for using faulty software.  Using a 
debatable but reasonable definition of faulty software, as he does, it's 
really a fairly robust and straightforward argument.

take care,

Cael



Re: [Full-Disclosure] January 15 is Personal Firewall Day, help the cause

2004-01-19 Thread Cael Abal
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
| i don't usually comment on this list because of my lack of knowledge
| but on this issue i feel qualified to comment since you are commenting
| on the gray haired non tech type which is what i am. i am 54 and a
| grandmother.
| ...
| br3n
My initial delight at learning a 54 year-old grandmother monitors FD
quickly turned to horror after noticing the leet-speak.
Cael

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.3 (MingW32)
iD8DBQFAC+OvR2vQ2HfQHfsRAgNWAJ0YGm5CK4N6CRaEBnAEAwG2fXTpYQCglDnu
Ssv2VzqnUMRvRLGkcpgUCcs=
=aBXk
-END PGP SIGNATURE-


Re: [Full-Disclosure] Removing ShKit Root Kit

2003-12-23 Thread Cael Abal
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
| OK, so how does the attacker get the ADS to run? If you open
| something.txt in notepad, it doesn't launch the ADS 'trouble.exe' as
| an executable file. It's ignored.
|
| The easy answer is start a command prompt and type
|
| start something.txt:trouble.exe
|
| it does not even have to be tagged .exe or .com or whatever. As an
| exercise, copy notepad.exe to calc.exe:notepad and then launch a command
| prompt and type start calc.exe:notepad You should be looking at
| notepad. I no longer have a handy M$ system to verify the steps on so if
| it does not work play with it for a few minutes.
Although Jason is exactly right about ADSes under NTFS as covert data
storage (in theory, even if his examples don't quite work) it's all a
bit off topic -- the server in question was a RH 8.0 box and besides,
ADSes are trivial to find if you're looking for them and aren't likely to
see much use in the wild.
All this discussion about particulars is beside the point -- the thrust
of the matter is that attacker/defender roles have been reversed,
leaving the good guy in an untenable position.  Do you really think it's
wise to bet you're smarter or more resourceful than a person who has
(already) rooted the box once?
take care,

Cael



-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.3 (MingW32)
iD8DBQE/6Fo3R2vQ2HfQHfsRAq87AJ93cpOZgTVTMGqFvK9uzQm+3B900wCgmQ3J
Hnjkp79WpgfQj/Y4oePcZQk=
=jrAR
-END PGP SIGNATURE-
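The post above says alternate data streams are trivial to find if you look for them. As an added illustration (not part of the list thread or its quoted examples), this PowerShell snippet walks a directory tree and lists every named stream attached to a file, which is what a defender reviewing a box would do to spot data stashed the way the quoted message describes. It assumes PowerShell 3.0 or later on an NTFS volume; the starting path is a placeholder you supply.

```powershell
# Added example, not from the original post: enumerate alternate data
# streams (ADS) under a directory tree. Assumes PowerShell 3.0+ and NTFS.
param(
    [string]$Root = 'C:\path\to\review'   # placeholder starting directory
)

Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Every NTFS file carries the unnamed ':$DATA' stream; any other
        # stream name is an alternate data stream worth a second look.
        Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' }
    } |
    Select-Object FileName, Stream, Length |
    Sort-Object -Property Length -Descending |
    Format-Table -AutoSize
```

Expect to see plenty of benign `Zone.Identifier` streams (the mark-of-the-web that browsers attach to downloads); the interesting entries are large streams, or streams with unfamiliar names, on files that have no business carrying them. On a plain command prompt, `dir /R` on Vista and later lists the same streams without PowerShell.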


Re: [Full-Disclosure] 13 NASA Servers Hacked

2003-12-20 Thread Cael Abal
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
| They also have mirrors of the hack.  Apparently, the hacker(s)
| linked to a video of CNN showing american soldiers killing an
| iraqi and cheering.
|
| I analyzed that video frame by frame and it definitely doesn't
| show what the narrator describes.
Heh.  If I pointed out to you a dog turd on the sidewalk and called
it a cache of WMD, would you get down on your hands and knees with a
pair of tweezers and a microscope, or just recognize it as bs?
Although I admire your thoroughness, I'm not sure this required such
careful scrutiny.  :)
Cheers,

Cael
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.3 (GNU/Linux)
iD8DBQE/5M+5R2vQ2HfQHfsRAr0dAKCdo/0fQ8Ok46z3IDzO7H0BMJa4bACfcgQ9
f96AIRLyyXyo4N+OEAn2LA0=
=2w7a
-END PGP SIGNATURE-


Re: [Full-Disclosure] A funny (but real) story for XMAS

2003-12-16 Thread Cael Abal
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
| Join www.osvdb.org to make a better non-corporated vulnerability
| database since CERT sucks ! 
|
| CERT sucks? Humm... In my UNIX Security college course, we're being
| told CERT is a great resource for security-related information. Can
| anybody else make a comment on this? Agree? Disagree?
Hi Chris,

Depends on which side of the fence you're on.  CERT has been criticized
in the past for being frugal with vulnerability information.  They don't
publish exploits, for one, which means k1ddi3z prefer FD.  :)
I remember CERT taking some flack about their Vulnerability Catalog
becoming available by subscription a few years ago.  Here's an article:
http://linuxtoday.com/security/2001042600220SCLF

Oh, and here's a link to the fees:

http://www.isalliance.org/nam/index2.htm

It seems that this database is what the people at http://www.osvdb.org
are up in arms over.  Interesting idea, their database is a little
barren at the moment though.
Additionally, one of CERT's security analysts was arrested for
pedophilia-related crimes a few months ago.  Folks who don't like CERT
gloated for weeks.
http://www.pittsburghlive.com/x/tribune-review/news/s_160861.html

Realistically, CERT is a valuable resource, regardless.

C

PS:  I have no interest in getting into a flamewar over CERT,
disclosure, or pedophilia.  Thanks in advance.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.3 (MingW32)
iD8DBQE/3w97R2vQ2HfQHfsRAtuOAJ98J3iOL7EwwI4h2x1ECodzGwtshwCcCMX3
dIufrfrWfNbrdBix4/XYKDE=
=E/La
-END PGP SIGNATURE-


Re: [Full-Disclosure] cisco acl

2003-12-05 Thread Cael Abal
 Unfortunately I do not know the new password! otherwise there wouldn't
 be a problem at all.
 and more unfortunately it is not my network and had nothing to do with
 the setup.  or else i would have, as Mort pointed out, a tftp in
 place.
If you've got physical access to the device, reset the password
according to the instructions vb alluded to, offered by routergod.com:
http://www.routergod.com/psychic/

C



[Full-Disclosure] (Was: Re: Yahoo Instant Messenger YAUTO.DLL buffer overflow)

2003-12-04 Thread Cael Abal
Well, I also have the right to free speech; although murder is not a
right...the website is not to be taken literally.  Obviously if I wanted
Bush literally killed, I would not have a website as such exposing my
name/address.  The person who posted my address to a public mailing list is,
however, definitely in violation of my rights and this list's policies.
Although, information should be free and I never support such restrictions
to information in the public domain.
I'm torn.

You see, I'm about as left as they come, and cringe at the very
thought of youths wasting away in jail.  My distaste for
heavy-handed police action, however, is nothing compared to my
desire for you to just shut the hell up.  To speed up the process,
maybe you should go outside, flag down a cop car and confess?
Jesus, you're like a weepy boil.  Take it off list.  Please.

Thanks for motivating me to test out firebird's mail filters,
though.  Plonk!
Yours,

Cael



[Full-Disclosure] Cripes (Was Re: Yahoo Instant Messenger YAUTO.DLL buffer overflow)

2003-12-04 Thread Cael Abal
Well, I also have the right to free speech; although murder is not a
right...the website is not to be taken literally.  Obviously if I wanted
Bush literally killed, I would not have a website as such exposing my
name/address.  The person who posted my address to a public mailing list is,
however, definitely in violation of my rights and this list's policies.
Although, information should be free and I never support such restrictions
to information in the public domain.
I'm torn.

You see, I'm about as left as they come, and cringe at the very
thought of youths wasting away in jail.  My distaste for
heavy-handed police action, however, is nothing compared to my
desire for you to just shut the hell up.  To speed up the process,
maybe you should go outside, flag down a cop car and confess?
Jesus, you're like a weepy boil.  Take it off list.  Please.

Thanks for motivating me to test out thunderbird's mail filters,
though.
Yours,

Cael



Re: [Full-Disclosure] #hackphreak lecture series (2)

2003-12-01 Thread Cael Abal
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
| The #hackphreak series of lectures are composed as variations upon one
| very simple theme -- the thesis that freedom of information is power.
| They develop a ground of knowledge within the field of hacking sh1t.
| This second lecture in the series is prepared by Mr. Nemster
| (mr_nemster[at]yahoo[dot]com) and deals with the advanced syntax of
| hardcore windows utilities such as ping, tracert, and msconfig. Be
| prepared for a look into the advanced tekneeqz of netstat.
|
| This lecture and previous #hackphreak lectures can be found at the
| following URL: http://www.geocities.com/haqphreak/lectures/
I for one look forward to the advanced lecture series detailing chmod
and extended ascii characters in directory names.
C

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.3 (MingW32)
iD8DBQE/y1cLR2vQ2HfQHfsRApD5AKDVh0z8GvtHX6286T10sx92OPJPvwCguxj/
ZK3/PdVXSKzvkVZrUZ9wRh4=
=qMyv
-END PGP SIGNATURE-


Re: [Full-Disclosure] Comments on 5 IE vulnerabilities

2003-12-01 Thread Cael Abal
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Thor Larholm wrote:
| When I attended the NTBugtraq Retreat earlier this year, most of the
| attendees were surprised to hear that I am using Internet Explorer on
| a daily basis, particularly since I should know how vulnerable it can
| be at any given time. I surf with JavaScript and ActiveX enabled, see
| flash movies and play Java games, but despite this I am not vulnerable
| [0] to a single command execution vulnerability or system compromise
| through Internet Explorer.
|
| How, you might ask? Simple, I have locked down the My Computer
| security zone on my installations [1].
Hi Thor,

Don't you think perhaps that time used to take a bad browser and make it
better is really time better spent elsewhere? It's like taking a pie
out of the trash and picking off the coffee grounds and ashes instead of
just baking another pie.
It's probably worthwhile to note for the peanut gallery that you've
really only demonstrated a resistance to known exploits which depend on
local security zones, and not any number of unknown exploits which
(conceivably) do not. Not that you claimed otherwise, of course.
Don't get me wrong, I do think your efforts are valuable -- you
effectively point out how IE can be hardened. Regardless, I'll
personally continue to recommend an alternative browser.
Take care,

Cael
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.3 (GNU/Linux)
iD8DBQE/y/3nR2vQ2HfQHfsRAie1AKC+FNSZKWD63rdSALhw+MQObM2WMQCguwxf
Tv8pQ0tKf8B+M+Nq27ePsjE=
=a5Yq
-END PGP SIGNATURE-


Re: [Full-Disclosure] automated vulnerability testing

2003-11-21 Thread Cael Abal
Wasn't there a slint tool or something like that?
Yup, Splint -- from 'Secure Programming Lint'.  I provided a link to
their site in a previous message.
C



Re: [Full-Disclosure] News from the future (OFF TOPIC)

2003-11-08 Thread Cael Abal
Between Microsoft, RIAA, software patents, and the DMCA... It looks like
we might yet get to relive all the fun and excitement of McCarthyism and
the Spanish Inquisition. I wonder if we'll get to burn people at the
stake and have public stonings too?
Ask Maher Arar if he's really concerned about the infosec realm being the
next arena of McCarthyism.
I'm just as critical of the DMCA and failures of the intellectual
property concept as the next guy, but I don't think we'll be hearing
about fourteen year-old VB scripters being called before the House
Un-American Activities Committee any time soon.
If you're worried about the erosion of freedom and democracy there's no 
need for hypothetical articles from 20X6.

C



Re: [Full-Disclosure] Red Hat Linux end-of-life update and transition planning

2003-11-05 Thread Cael Abal
Without giving too much away (eg breaking the NDA I've signed), almost all
of the practical parts of the RHCE exam are command line based. 
This isn't directed at RH (or John) but come on, NDAs?  For tests?
Please.  I realize that quite a few orgs do exactly this, but that
doesn't make it reasonable.
I can't help but be annoyed by this steady creep of secrecy-through-
paperwork, the contractual equivalent of rot13 + DMCA.
/incomprehensible ranting off
C


Re: [Full-Disclosure] Red Hat Linux end-of-life update and transition planning

2003-11-04 Thread Cael Abal
In my home town, this is equivalent to getting pulled over for following
too closely, then arrested for sodomy.
Yeah Jon, you were following *way* too closely if a cop could mistake
the two.
C



Re: [Full-Disclosure] Gates: 'You don't need perfect code' for good security

2003-11-03 Thread Cael Abal
like the locks for floppy drives, put in USB port lockers that keep folks
from using such devices in the corp network if the policy forbids such.
Got a URL so I can see one for sale?  One that works on laptops, desktops
and hubs?
Hey Gary,

You might want to take a look at this kit, it sounds like exactly what
you need:
http://www.plumbingmart.com/repairkit.html

Cheers,

C



Re: [Full-Disclosure] Shortcut...... may cause 100% cpu use!!!

2003-10-30 Thread Cael Abal
THIS FORMAT C: /U VULNERABILITY JUST DOS'ED MY WHOLE HDD !! I HAD TO
DO IT TWICE AND IT DOESN'T WORK SOMETIMES ON ALL PC'S I AM REPORTING
TO M$ AND THE FBI AND NASA


Folks, I think we have a new FD meme.  Thanks, Lorenzo!

C





Re: [Full-Disclosure] when will IE exploits COME TO AN END...

2003-10-28 Thread Cael Abal
Internet explorer can't click and properly open long URL's! in the browser...
http://www.geocities.com/visitbipin/index9.htm
see... IT'S A URL but ... you can't click at the link!!!
I don't see the point.

How is it a security flaw? Or even a bug (is a browser supposed to support
very long URLs anyway)?

Yes, IE is probably the most outdated and the most buggy browser out there
(ridiculous CSS bugs) but not every bug should be posted to full-disclosure.
New exploit just discovered:

My toilet won't flush reliably when it rains!  Both the vendor and major
news outlets have been notified.  Screen captures are available here!!!

http://www.geocities.com/visitbipin/

BIpin

PS: NASA might somehow be involved.



Re: [Full-Disclosure] when will IE exploits COME TO AN END...

2003-10-28 Thread Cael Abal
it's a off-topic! anyway... INDEED A BUG BUT i got lot of flamings
... while trying to explain one of my advisory to some 31337's. out
here!
http://www.blackcode.com/forums/viewtopic.php?t=10577

ANYONE WILLING TO EXPLAIN THE STRANGE PHENOMENON! (o; why does the
bug works on some PC and doesn't in other... I am just screwed up
SEEING THIS STUPID BEHAVIOR!
Thanks for posting the link to that forum, Bipin -- there seems to be
quite a lot of very useful information there!  I'm especially interested
in following this thread:
http://www.blackcode.com/forums/viewtopic.php?t=1704

AMuller: need help with FTP passwd

ok i am pretty sure i got the password file. what i pulled out is
this:
root:*:0:0:::
bin:*:1:1:::
operator:*:11:0:::
ftp:*:14:50:::
nobody:*:99:99:::
how do u decode this? and if u tell me a program name also please
tell  me HOW to use it.
-Thanks

P.S. I dont just want this decoded i wanna know how 2 do it
It's definitely a good idea to keep tabs on encryption-defeating
technologies -- if someone is able to recover a root password from an
/etc/passwd file like the above then we're *all* in serious trouble.
Cheers,

Cael



Re: Trojan author revealed (was: Re: [Full-Disclosure] ProFTPD-1.2.9rc2 remote root exploit)

2003-10-25 Thread Cael Abal
Hi, Mitch -- welcome to the Internet!  Here's a tool you might find
helpful, it's called a 'Search Engine'!  ;)
A quick google for a few bytes worth of shellcode returned a few
pages of jinglebellz.c related discussion.
http://www.jikos.cz/jikos/dev/shcode.asm for example.
They're obviously in on it too.
Between you and me Mitch, it's clearly a Communist plot to sap and
impurify our bodily fluids.
C



Re: Trojan author revealed (was: Re: [Full-Disclosure] ProFTPD-1.2.9rc2 remote root exploit)

2003-10-24 Thread Cael Abal
Hrmm. Ok I'm no Sherlock Holmes but even I could see through this
'analysis'. This is obviously an elaborate attempt to soil the reputations
of the fine people, dare I say heroes of information security, at GOBBLES
security.

Let's examine the case at hand:

1) Someone makes the effort of cutting up an existing public GOBBLES
shellcode. An act that requires just as much effort as writing
original opcode.
2) This cutup version is used in a 'trojan' even my grandmother
would be able to spot. (Obscure in-exploit overflows are way more
effective folks, ask HD I pioneered screensavers Moore). 

3) Some random hero pops up on the list pointing out that
'hey, this is GOBBLES shellcode *WINK*'
Now who, on God's green earth, would recognise shellcode from
an obscure exploit that was published months ago. If they
didn't have it fresh in memory? 

So I think it's rather obvious either zeroboy, or one of his
friends is responsible for this trojan. And he has some sort of
grudge towards GOBBLES. Either that or he
has a serious hardon for memorising hex opcode buffers.
Hi, Mitch -- welcome to the Internet!  Here's a tool you might find
helpful, it's called a 'Search Engine'!  ;)
A quick google for a few bytes worth of shellcode returned a few pages
of jinglebellz.c related discussion.
http://www.jikos.cz/jikos/dev/shcode.asm for example.

C



Re: [Full-Disclosure] RE: Linux (in)security

2003-10-22 Thread Cael Abal
Linux in the hands of someone with no interest or regard for security is the
same as Windows or any other OS in the hands of the same clueless
individual.  The main difference between the Linux and Unix variants (i.e.
BSD, Solaris, HP-UX) is that they have already learned their lesson regarding
buffer overflows and kernel hardening and allowed the user more control in
securing their systems.
This is repeated over and over again, but it is simply not entirely true. It
may protect against script kiddies, but not against more sophisticated
crackers. The following URL proves that:
http://groups.google.com/groups?selm=20030525190037%2470c6%40gated-at.bofh.it
Both persons in this conversation have a Linux box which:

1) Has the latest security patches installed and
2) Is only running the necessary services.
In other words, boxes that have "been made secure by their users".
Hi Peter,

You're investing a significant amount of time into convincing us that
linux boxes sitting on the internet (even when completely up to date and
reasonably locked down) aren't 100% secure.
Rest easy, each and every one of us knows this.

The point raised by others in this thread (which you seem to object to,
although you haven't really responded to) is that linux (operated by a
knowledgeable user) is 'stronger' than a similar Microsoft box.
This, you should have realized immediately, is one of those
my-dad-can-beat-up-your-dad type arguments which really don't deserve a
response.
Cheers,

Cael



Re: [Full-Disclosure] JAP Wins Court Victory

2003-10-20 Thread Cael Abal
Privacy is an important adjunct to security, IMHO. Perhaps the JAP folks
did not handle their police issues as well as they should have. However
let us not abandon them or the project yet, unless we can find more
compelling and better solutions to the problem of the powers that be
improperly intruding onto the use of the online community.
Terrorists would not make bombs if they were satisfied with their condition.
I suspect that JAP and other privacy services would not have been widely
deployed if there were not the threat of snooping and privacy invasion.
I vote that we stay focused on the problem, and not bash the solution (well
not *too* much at least).
You're right, of course -- but I can't help but feel that a weak or
untrustworthy anonymizer/encryption algo is worse than none at all.  I
didn't mean to rag on the JAP guys, they were put in a very awkward
position and I don't know how well I'd have done in their place.
All personal issues aside though, a tool in this industry which can't be
trusted is worthless.
C



Re: [Full-Disclosure] JAP Wins Court Victory

2003-10-20 Thread Cael Abal
The JAP folks have won a major court victory.
See their site.
http://anon.inf.tu-dresden.de/index_en.html
Since you ran all the negative side of their
backdoor activity, how about running the new
positive outlook - anonymity has a bright
future and JAP is cool.  And the German courts
are not all bad.
Ever considered that the spooks would not have
needed a court order if they knew how to crack
JAP?  It's solid code.  Do your due diligence
and follow up on the negative headlines with
the good news now.
Tarapia,

This doesn't change how the JAP folks behaved -- the correct course of
action would have been for them to have notified their users of the
request to backdoor JAP immediately.  I fear the JAP people have lost a
fair amount of credibility and it'll take more than a, JAP is okay
again!  Trust us! before they regain the world's trust.
Please lets not rehash the backdoor issue.

As for the idea that the existence of a court order somehow proves the
robustness of a certain piece of code, well, that's just silly.  Cops
aren't software developers, they're cops.  Court orders are their tools
of choice, not disassemblers.
Cael



Re: [Full-Disclosure] IRC DCC Exploit

2003-10-17 Thread Cael Abal
Ferdinand:
5)  And in which language were people made?
It is written in C, I know it.
/me shakes his head

Only an FD geek would have the guts to suggest that C is the language of
love.  What about Italian?  French?  Cripes, I'd suggest lisp is more
romantic than C/C++.
C



Re: [Full-Disclosure] Re: Gaim festival plugin exploit

2003-10-17 Thread Cael Abal
DUH... would help if I attached my attachment.

I am right proud of myself for this, and it also needs mention to
address the security issue that our friend Error (is that a reference to
Zelda 2?) raised.
 
Attached, find the latest reissue of the Gaim festival plugin.  The guy
that wrote it, wrote it for pre-0.68 Perl API, but it was secure against
the sort of attack that Error described.  I have since taken it and
recoded it to work with post-0.68 versions of Gaim.  It is attached.  By
all means, if you see an exploitable bug in there, let me know!  I'm
just a perl-tot..
Hi Brian,

This updated version is still vulnerable.  You should be *very* wary of 
any call to system() or fork().  Consider this input:

This is only a test  rm -rf /

Notice that ';' isn't the only way to inject into a commandline.

Cheers,

Cael
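As an added illustration of the point above (not the plugin's own code, and assuming the plugin pastes the message text into a shell string that pipes it into festival), the following models which messages smuggle in extra commands and then hands the same text to the child process without any shell:

```python
"""Added example, not the Gaim festival plugin's own code.  It models the
assumed shape of the plugin (untrusted IM text pasted into a shell string,
as in Perl's system("echo $msg | festival --tts")) to show why filtering
';' is not enough, then hands the same text to a child process with no
shell at all."""
import shlex
import subprocess
import sys

# Operators a POSIX shell uses to chain commands; ';' is only one of them.
COMMAND_SEPARATORS = {";", "&&", "||", "|", "&"}


def vulnerable_command(message):
    """The bug's shape: the message becomes part of one shell string.
    The string is only built for inspection here, never executed."""
    return "echo " + message + " | festival --tts"


def shell_commands(cmdline):
    """Split a command line into the simple commands a shell would run,
    honouring quotes.  This is a simplified model of shell grammar: it
    does not model redirection, backticks or $(...), the last two of
    which inject even inside double quotes, so quoting the interpolated
    text would not have been a fix either."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    commands, current = [], []
    for tok in lexer:
        if tok in COMMAND_SEPARATORS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def strip_semicolons(message):
    """The kind of 'fix' the post warns about: only ';' is removed."""
    return message.replace(";", "")


def extra_commands(message):
    """Commands the message would add to the intended two-command
    pipeline (echo ... | festival --tts), each as an argv list.
    An empty list means the text stayed data."""
    return shell_commands(vulnerable_command(message))[1:-1]


def speak(message, argv=None):
    """Hardened form: argv is fixed, the message goes to stdin as bytes,
    and no shell ever parses it.  The plugin would pass
    ["festival", "--tts"]; by default a Python one-liner that echoes its
    stdin stands in so the example runs anywhere.  Returns what the child
    received, which is the message verbatim, operators and all."""
    if argv is None:
        argv = [sys.executable, "-c",
                "import sys; sys.stdout.write(sys.stdin.read())"]
    done = subprocess.run(argv, input=message.encode(),
                          capture_output=True, check=True)
    return done.stdout.decode()


if __name__ == "__main__":
    for msg in ("This is only a test",
                "This is only a test; id",
                "This is only a test && id",
                "This is only a test | id"):
        print(repr(msg), "->", extra_commands(strip_semicolons(msg)))
    print(repr(speak("This is only a test && id")))
```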



Re: [Full-Disclosure] New Microsoft security bulletins today

2003-10-16 Thread Cael Abal
This tool is not bad for some *basic* monitoring: 
http://www.pdxconsulting.com/sus/

/paranoia mode off
Grab your SUS log files and parse them through that web site... 
/paranoia mode returned to normal
That's what I've been using. It works well to see that all seems to 
be working as expected.  I was going to setup another tool that sends 
the log data in to a SQL server so you can have all the data in one 
place and work with it. (I have 2 SUS boxes so 2 sets of logs.)
Try this: http://www.susserver.com/Software/SUSreporting/
I'm dissatisfied with both.  With the first one, you're sending your 
logs out for remote processing -- that's just silly.  The second 
requires all sorts of fiddling around with sql / iis which doesn't seem 
like it's worth the effort.

I've been meaning to throw together something more streamlined (and with 
fewer prereqs) for a while now -- I guess it's time.

C



Re: [Full-Disclosure] New Microsoft security bulletins today

2003-10-16 Thread Cael Abal
Yes, I got the same.  Somethings I found though:

It's complaining about basesrv a dynamicly linked library.  I rebooted
into Linux and ran some finds and found 3 files:
WINNT/$NtUninstallKB824141$/basesrv.dll
WINNT/ServicePackFiles/i386/basesrv.dll
WINNT/system32/dllcache/BASESRV.DLL
the one in system32/dllcache is dated Aug5, the other two are dated June
19th.  As soon as I finish backing up a couple critical files I'm going
to use the recovery console to copy the $NTUninstall version back to
system32/dllcache and see if that helps.
Hi Robert,

Can you narrow down which of the 15 (!) newly-released updates might be 
responsible?

Which OS?

take care,

Cael



Re: [Full-Disclosure] SPAM, credit card numbers, what would you do?

2003-10-14 Thread Cael Abal
And as you can probably guess, orders.txt contains --
ORDERS. Names, addresses, phone numbers, and CREDIT
CARD NUMBERS. Dozens of them.
So I got to thinking... what should I do here?
My suggestion?  Speak with a lawyer.

A number of 'hackers' recently in the news did their 'hacking' via web
browsers -- just like you.  It could likely be successfully argued by a
prosecutor that you intentionally stole this credit card data.  Yes, I
know it was via a clickable link and the site was ridiculously
unsecured, but that probably wouldn't make a difference to a court.
Anyhow, take care and good luck.

Cael



Re: [Full-Disclosure] SPAM, credit card numbers, what would you do?

2003-10-14 Thread Cael Abal
A number of 'hackers' recently in the news did their 'hacking' via web
browsers -- just like you.  It could likely be successfully argued by a
prosecutor that you intentionally stole this credit card data.  Yes, I
know it was via a clickable link and the site was ridiculously
unsecured, but that probably wouldn't make a difference to a court.
How is 'hacking' defined where you are? In Australia (at least in NSW),
and some other places, an access control mechanism of some description
has to be circumvented for it to be an offence.
In Canada, anyone who fraudulently and without colour of right obtains,
directly or indirectly, any computer service is guilty of Unauthorized
Use of a Computer -- note 'computer service' includes computer service
'data processing and the storage or retrieval of data'.  It definitely
wouldn't be a stretch to say that accessing a server-held record of
previous orders was without colour of right.
Additionally, any number of fraud / mischief offences may be applied to
computer-related charges.
I believe the US laws are similar.

Cheers,

Cael

---

See PART IX: OFFENCES AGAINST RIGHTS OF PROPERTY -- 342.1: Unauthorized 
Use of Computer



Re: [Full-Disclosure] something evil in your email

2003-10-14 Thread Cael Abal
Michael 'Moose' Dinn wrote:
Folks might want to be on alert for this:
Same old, same old.  At this point I would expect any
halfway-intelligent user to be suspicious of this sort of e-mail -- wake
me up when the con does something novel.
Cael



Re: [Full-Disclosure] Re: Do you really think CDs will be protected in future?

2003-10-10 Thread Cael Abal
Alan said:
The whole question really comes down to this:

warranty of merchantability definition - a warranty of merchantability
simply guarantees that goods sold are fit for the ordinary purpose for
which the goods were sold... This is a general rule of fairness that
what looks like a carton of milk in the supermarket dairy case really
is drinkable milk and not sour or unusable. 
Damn it.  There goes my business plan of selling Golden Poison Frogs in 
a container indistinguishable from a bag of Oreos.

I think the real problem lies with the concept of hand-me-down 
Acceptable Use Policies / Licence Agreements -- that a party completely 
removed from a retail environment might be able to dictate conditions of 
a sale (and in some cases, resale!)  Although I'll readily admit that 
some restrictions may be reasonable, they shouldn't be entirely up to 
the supplier/manufacturer.

C



Re: [Full-Disclosure] SunnComm to sue 'Shift key' student for $10m

2003-10-10 Thread Cael Abal
Okay... So according to the law it's illegal to remove the program if later
you decide to not agree to the EULA? (Which I'm sure it says that the terms
can be changed at any time within it)
That sure doesn't seem kosher to me... I feel that you should be able to
remove/disable whatever on your computer. According to this logic... Using
Ad-Aware is illegal because it removes spyware from your system without
their non-existent uninstall interface!
Oh, and you're also not allowed to know what the file/driver name of the
program that they've installed is either?
Nice!
Hi Poof,

Odds are the copy-protection-related drivers can be removed via Windows' 
Add/Remove Programs control panel applet -- rendering your 'protected' 
media a de facto coaster until you accept the EULA a second time.

C



Re: [Full-Disclosure] Signed e-mail vs. turning off HTML mail under XP

2003-10-10 Thread Cael Abal
Alas, the Continue button was just text, just as the tick box to not show me
this help screen again was not there. This means I'll have to re-enable HTML
mail, and wait for the next signed mail to arrive... to turn it off. I
wonder what will happen to messages that have been tampered with when I have
turned off HTML mail? I will probably get a warning, but will not be able to
go beyond that, since it is in ASCII and that does not (AFAIK) support nice
buttons. So in order to enable signed mail, I will have to enable HTML in my
mail
Good evening Yossarian,

I'm sorry, do I understand correctly when you say that the mechanism for 
verifying / managing signed e-mail seemed to be included within the 
e-mail itself -- in html, no less?  Although I'm unfamiliar with 
certificate-based digitally-signed e-mail (I'm a pgp/gpg kind of guy) I 
can't help but be very suspicious.

Also, you mentioned that the machine will be used for business purposes 
and (directly?) connected to the internet.  Might I recommend against 
using OE for e-mail?  Mozilla Thunderbird is what I recommend for 
Microsoft folks.

take care,

Cael





Re: [Full-Disclosure] Local DoS in windows.

2003-10-10 Thread Cael Abal
Steve Wray wrote:
How long do you have to hold the mouse button down for?
I see no effect after about 30 seconds then I got bored...
Tried in outlook and wordpad. In fact the 'ambient' CPU usage
actually appeared to flatten out.
Seems to me that users of FD and bugtraq have just been social 
engineered into wasting a couple man-hours 'testing' for this XP bug.

Not quite Scaggs-worthy, granted, but it did manage to tie up Steve for 
half a minute.  :)

Cael



Re: [Full-Disclosure] Is the record industry turning to Trojan horse programs to copy-protect CDs?

2003-10-09 Thread Cael Abal
If permanent installation of this driver was included in the EULA, then
this is not a trojan horse.  Since I don't have a copy of the license
agreement handy, I couldn't say whether it's in there or not...but IMHO,
too many people ignore the fact that they are allowing themselves to be
legally bound to such agreements without even reading them, and many
newer EULAs even include an auditing clause giving the manufacturer the right to
visit your facility and audit your systems.  One of these days the RIAA
might try and install monitoring software under such an agreement, and
people who blindly agree to EULAs will be the ones nabbed by the RIAA.
I'm anxiously awaiting the attempted enforcement of a blatantly 
ridiculous EULA -- something so preposterous that it can't help but make 
the news.

C



Re: [Full-Disclosure] Do you really think CDs will be protected in future?

2003-10-09 Thread Cael Abal
What the RIAA are afraid of is *digital* copies where each copy is as good
if not better than the original.
Hi Dave,

A digital copy *better* than the original?  Oh, wait, I get it!

# aplay britney_spears.wav | swedishchefify | arecord -mw new.wav

Cael



Re: [Full-Disclosure] Re: Do you really think CDs will be protected in future?

2003-10-09 Thread Cael Abal
Agreed, for the most part. As I work for a retailer, however, I know that
what consumers think is irrelevant to the record folks. The retailer I work
for has an agreement with its suppliers such that once a customer opens a
CD (or DVD, VHS tape, software package, etc) they cannot return it, unless
the media is defective, in which case they get another copy of the same
product only. So if your newly purchased CD is copy protected and won't play
in your CD player, you're stuck with it anyway, unless you want to get
another copy of the same useless disc.
Hi Phillip,

Very good points.  As I am occasionally a consumer, however, I
understand that consumers quite often have little respect for
retailer/supplier agreements -- specifically, if an item doesn't work,
it should be replaced with another /which does/.
If my newly purchased album and its subsequent replacement both failed
to play in my cd player I would be fairly adamant about receiving a
refund, regardless of any existing agreements between retailer and
supplier.  I would expect any reasonable business bureau would agree,
no?
Take care,

Cael





Re: [Full-Disclosure] Shift key breaks CD copy locks

2003-10-08 Thread Cael Abal
Edward W. Ray wrote:
 http://news.com.com/2100-1025-5087875.html

I'm so relieved.  Now I can start buying CDs again
You're *relieved*?  My keyboard is a bloody Copy Protection
Circumvention Device -- now what the hell am I supposed to do?
http://www.eff.org/IP/DMCA/

C



Re: [Full-Disclosure] Electronic Crimes Act 2003 of Pakistan

2003-10-04 Thread Cael Abal
Cutthroat Truth wrote:
Look at your neighbor country, what lammer. It sounds
like the author does not know anything about Computer
Crimes IT IS SO FUNNY at such low profile countries
with substandard authorities with a dictator and
laughable democracy 
hahahahaha

http://www.tremu.gov.pk/tremu1/workingroups/pdf/Proposed%20E-Crimes%20Act.pdf
Brr.  I need a sweater, it's getting kind of stupid around here.

C



Re: [Full-Disclosure] Bush Bashing (use to be Has Verisign time arrived ?)

2003-10-04 Thread Cael Abal
I could go on and on, but this has already turned out to be
longer than I expected. But we should all be grateful for the
actions this administration is taking to make sure we are safer
in our homes, despite the bashings of liberals like you.
God Bless the USA, and yes, the President too 
I like you Dark Avenger, you're funny.

C

PS: Please don't liberate me.



Re: [Full-Disclosure] Google FILTERS searches for possible DMCA infringable content!!!

2003-10-03 Thread Cael Abal
The fact that they have at least two former NSA personnel in the ranks of 
senior technical management should be all the tip-off that anyone would need.  
Are you kidding?  Former NSA tech folks are a dime a dozen.  I work with
half a dozen of them at FedEx.
Psst:  It would've been funnier if you had said McDonald's but still, 
nice riff!  ;)

.c



Re: [Full-Disclosure] EartStation 5 P2P application contains malicious code

2003-10-03 Thread Cael Abal
Conclusion
--
The people behind ES5 have intentionally added malicious code to ES5. If
you have followed the ES5 discussions on message boards and read what the
ES5 people have said and done (eg. DoS attacking BitTorrent sites), this
comes as no surprise. The question then is why did they do it? I'm sure
they won't tell us, but here's a theory: They could be working for the
RIAA, MPAA, or a similar organization. Once they have enough users on their
ES5 network, they would start deleting all copyrighted files they own which
their users are sharing. The users wouldn't know what hit them.
Hi nut,

Excellent job finding and documenting this feature.  As for the 
developers' motivations, though, I don't think it's necessary to point 
at collusion with the RIAA/MPAA.

In all honesty, I'm surprised we haven't seen *more* backdoors of this 
type in various popular closed-source, network-aware apps.  I don't 
condone it, but I understand the mentality:  Our network, our rules. 
Really, all it takes is one rogue developer, coupled with insufficient 
code review.

What does surprise me is that you report only delete functionality and 
not read/write.  If I was going to the trouble to implement naughty 
features into an app like ES5, that'd be my priority.

All this does is reinforce the value of independent code auditing 
(insert various pro-open-source comments here).

take care,

C



Re: [Full-Disclosure] CyberInsecurity: The cost of Monopoly

2003-10-01 Thread Cael Abal
Yeah you know, that has always been my theory as to why,
in Star Trek (and others), the control panels on starship
bridges sometimes explode with sparks and smoke for no better reason
than that some component on the outer hull got shot up by the
Klingons (or whoever); its an important feedback
mechanism ensuring that the operator knows that something
is very seriously wrong.
Now if only desktop PCs had such a system...
Hi Steve,

You know, now that you mention it that makes perfect sense.

Although, keep in mind we're talking about MS machines here -- these 
machines will need to be capable of emitting a shower of sparks and 
smoke virtually non-stop.

Hmm.  Actually, I think it might be fun to construct a spring-loaded 
BANG! type flag, triggered every time Dr. Watson or the current 
equivalent is executed.

take care,

C



Re: [Full-Disclosure] CyberInsecurity: The cost of Monopoly

2003-09-30 Thread Cael Abal
Oh come on.  We don't expect our mechanics to brake and steer for us,
fer cryin' out loud.  We're not talking about *maintaining the computer.
We're talking about *operating* it.  Things like passwords, awareness of
attachment dangers, the need for routine patching (think oil changes)
and up to date antivirus software (think gas).  The car mechanic takes
care of repairs and maintenance, yes, but the driver is the one who has
to bring the car in.  That means they have to be *aware* that
maintenance is required.  They have to realize that if they don't change
the oil every 3000 miles they will have long term problems.
I believe I can safely say that easily 75% of my users would recognize 
that their computer needed attention if it started billowing huge 
noxious clouds of black smoke.

Okay, 50% at a minimum.

As an aside, I loved this quote:

We counted the number of application and operating systems failures and 
found that Windows XP Professional ran over 30 times as long without 
encountering problems as those systems running Windows 98 SE.

http://microsoft.com/windowsxp/pro/evaluation/whyupgrade/reliability.asp

Err, congratulations?

C



Re: [Full-Disclosure] RE: Probable new MS DCOM RPC worm for Windows

2003-09-26 Thread Cael Abal
would it have been possable to actually replace these files manually and the
PC therefore be patched so to speak?
I assume so, provided you're resourceful enough to circumvent any
file-is-currently-in-use type errors.  It'll probably not be noticed by
a Windows Update type tool though, and be patched again in the future.
Cael



Re: [Full-Disclosure] Wow! How Times are a Changing.

2003-09-26 Thread Cael Abal
Certification

The Certified Ethical Hacker certification exam 312-50 applies to this class. 
Students need to pass the online Prometric exam to receive CEH certification.
Beautiful!

Okay, seriously, who in *any* IT-related field wouldn't crack up seeing
something like that on a CV?
Incidentally, I wonder if 'Ethical Hacker' has been trademarked a la
MCSE?  That'd be rich.
C



Re: [Full-Disclosure] RE: Probable new MS DCOM RPC worm for Windows

2003-09-26 Thread Cael Abal
Schmehl, Paul L wrote:

Oh, things like, you don't have sufficient access rights to check file
properties.
I know in the ideal world that every machine logs in to the domain and
every machine has Domain Admins in the Local Administrator group and
every machine has the SMS agent (or some similar agent) and reports all
its properties back to a management console and every machine can be
controlled remotely, etc., etc., etc., yada, yada, yada.
I just don't know where that ideal world is.
Hi Paul,

Personally, I'm of the opinion that if a person doesn't have admin privs
on a machine, they shouldn't be expected to *cough* /administrate/ it.
I realize that in a school environment it's not that simple (you can't
really stand by while the worm du jour has its way with your campus
network) but really, the student subnets are virtually guaranteed to be
a wasteland of Mad Max-like proportions no matter what you do, no?
Isn't your only real weapon a set of very enthusiastic edge filters?
Cael



Re: [Full-Disclosure] SAM Switch - Win2k/XP password-less login

2003-09-25 Thread Cael Abal
I found that SAM file could be replaced just like PWL files 
in Win9x. I posted the following to Bugtraq, but in spite of 
posting twice it never appeared in the list... (possibly moderated)

Folks, go ahead and change the boot options in your BIOS ASAP.
I guess this fallacy will never go away.  Changing the boot options in
your BIOS will actually do exactly nothing.  Anyone with a modicum of
computer knowledge and physical access to your box can change them back
at will.  Trusting the BIOS to protect you against attack is
foolhardy.  Its password protection is worthless.  Many BIOSes have
backdoor passwords in case of emergency, and all BIOSes can be easily
reset to default passwordless configuration.
We've always known that once an attacker has physical access to a
machine it's vulnerable to a host of low-tech attacks...  That doesn't
mean that we collectively throw our hands up in the air and leave the
root password on a note next to the keyboard.
In reality, all our efforts to prevent local attacks are little more
than an inconvenience, placed into effect in order to repel casual
snoops and the least persistent attackers.
Don't want users to have admin-level privs?  Develop an appropriate
security policy and implement it.  Don't want them to circumvent your
policy?  Implement safeguards.  Don't want them to side-step your
safeguards?  Well, how many levels deep are you prepared to go?
In all but the most security-conscious orgs I think the consensus is
that if the attacker is prepared to crack open a case, they're going to
get root.  I know that my network's security just isn't worth epoxying
cases shut.  :)
Cheers,

Cael



Re: [Full-Disclosure] BugTraq Speed

2003-09-24 Thread Cael Abal
As probably many of you, I am subscribed to both BugTraq and this list.
The past few (3?) weeks I think I notice a slow-down on BugTraq. Posts
very often appear on BugTraq *hours* after they appear on this list.
Incidentally, FD isn't especially raising the bar when it comes to
speedily bouncing posts -- how am I supposed to brag about my 0day
xpliots when they spend upwards of 45 minutes in transit?
Grr.

C



Re: [Full-Disclosure] p63: Call for Articles!

2003-09-23 Thread Cael Abal
Phrack Magazine, the ONE AND ONLY REAL AND ACTIVE HACKER MAGAZINE is 
sending out a call for articles for p63!!!
Guess you never heard of http://www.2600.org  ? Last I checked Eric / 
Emmanuel was still in business.  I'm all for a good hacker mag, but keep 
things honest at least in your claims. When you are as accurate as you 
can be, then people will believe what you say. Don't hurt your cause 
with phrases like the above.
Hey John,

They are being completely honest and accurate -- provided you accept
their definitions of 'hacker', 'fake', and 'hoax'.
That said, p62 was pretty entertaining.

Cael



Please don't feed the troll (was: Re: [Full-Disclosure] Is Marty Lying?)

2003-09-23 Thread Cael Abal
The code audit that you guys did to make sure nothing was backdoored was
quite thorough too, considering since then remote bugs in Snort have been
published.  If you can't even spot the vulnerable code you introduce into
your source tree by accident, how can you definitively argue that no one
else snuck in subtle bugs that you also didn't catch?
I'm sure it would have been extraordinarily difficult to run 'diff' on
the codebase before the intrusion and the one after, to see if any of
the changes weren't accounted for.
For you, yes.
We all know how snot feels about IDS', and all agree he's absolutely, 
undeniably, wrong -- let's not waste any more bandwidth on it, shall we?

take care,

Cael





Re: [Full-Disclosure] Web counter in the new Swen/Gibe.F worm

2003-09-19 Thread Cael Abal
I was tracking the number of infected computers, but around 4:30am Pacific
the counter was replaced with a GIF image reading:
WARNING: Your computer may
be infected by W32/[EMAIL PROTECTED] worm.
It's no joke. See mcaffee.com for info.
The last good number I have for the hit count was 1,576,803 at 4:30am.

It's a shame the counter was replaced, this gave us a good idea of how
many hosts were infected and could reveal real numbers of the rate of
infection - I'm still receiving these emails, over 100 overnight.
Maybe the admins of vutbr.cz would open their web logs to give us more
accurate information about the point of origin and rate of spread.
If anyone wants the numbers I collected (I have data from the 18th at
13:56 through 4:30am today) I'd be happy to provide them.
Correction -- it *would've* been valuable, if the url hadn't been 
publicized.  As it is, the only useful information would have to come 
from the vutbr.cz web logs.  Without stripping out all the polluting 
GETs from web browsers the data is meaningless...  Thankfully we've got 
user agents to filter by.

Incidentally, it might be valuable to carefully scrutinize those web 
logs -- there's an excellent chance that the first non-worm-originated 
hit of that web counter came from the worm's creator.

Cael
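As an added example that is not part of the original post, here is the filtering described above run over constructed log lines in Apache combined format; the counter path and the worm's User-Agent string are placeholders, since the real values are not on the page:

```python
"""Added example, not part of the original post: separating worm hits on a
web counter from the browser hits that polluted it once the URL was
publicised, keyed on the User-Agent field of Apache combined-format logs.
The log lines, the counter path and the worm's User-Agent string are all
constructed stand-ins; nothing here comes from the vutbr.cz logs."""
import re
from collections import Counter
from datetime import datetime

# Apache "combined" log format, one request per line.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

COUNTER_PATH = "/counter.cgi"        # constructed; the real URL is not reproduced
WORM_UA = "Example-Worm-Agent/1.0"   # placeholder for the worm's fixed User-Agent

# Constructed sample log: worm hits, two curious humans, an unrelated page
# and one corrupt line.  Documentation IP ranges (RFC 5737) throughout.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Sep/2003:13:56:02 +0000] "GET /counter.cgi HTTP/1.1" 200 43 "-" "Example-Worm-Agent/1.0"
192.0.2.11 - - [18/Sep/2003:13:57:10 +0000] "GET /counter.cgi HTTP/1.1" 200 43 "-" "Example-Worm-Agent/1.0"
198.51.100.7 - - [18/Sep/2003:14:02:33 +0000] "GET /counter.cgi HTTP/1.1" 200 43 "-" "Mozilla/5.0 (X11; Linux i686) Gecko/20030912"
192.0.2.12 - - [18/Sep/2003:14:05:00 +0000] "GET /counter.cgi HTTP/1.1" 200 43 "-" "Example-Worm-Agent/1.0"
203.0.113.5 - - [18/Sep/2003:14:10:20 +0000] "GET /index.html HTTP/1.0" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
this line is not a log entry at all
203.0.113.9 - - [19/Sep/2003:04:30:11 +0000] "GET /counter.cgi HTTP/1.1" 200 43 "http://lists.netsys.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it is not
    a well-formed entry.  The timestamp becomes an aware datetime and the
    request path is split out of the request line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    hit = m.groupdict()
    hit["ts"] = datetime.strptime(hit["ts"], "%d/%b/%Y:%H:%M:%S %z")
    parts = hit["req"].split()
    hit["path"] = parts[1] if len(parts) >= 2 else ""
    return hit


def classify(user_agent):
    """The worm sends one fixed User-Agent; everything else is a browser
    (or a script) operated by a person who saw the URL."""
    return "worm" if user_agent == WORM_UA else "browser"


def counter_hits(lines):
    """Well-formed hits on the counter URL, in time order rather than
    file order, so rotated or merged logs still sort correctly."""
    hits = [h for h in map(parse_line, lines) if h and h["path"] == COUNTER_PATH]
    return sorted(hits, key=lambda h: h["ts"])


def hit_counts(lines):
    """How much of the counter's total was the worm and how much was
    people poking at the publicised URL."""
    return Counter(classify(h["ua"]) for h in counter_hits(lines))


def first_browser_hit(lines):
    """The earliest non-worm hit on the counter: the entry the post
    suggests is worth scrutinising.  None if every hit was the worm."""
    for hit in counter_hits(lines):
        if classify(hit["ua"]) == "browser":
            return hit
    return None


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(dict(hit_counts(lines)))
    first = first_browser_hit(lines)
    print(first["ts"].isoformat(), first["ip"], first["ua"])
```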



Re: [Full-Disclosure] Re: new openssh exploit in the wild! *isFAKE AS SH@!*

2003-09-19 Thread Cael Abal
Why bother?  If you were stupid enough to run that obvious piece of
crap, changing your password is the least of your worries.  (In fact, if
you run *anything* that's posted here without first checking it out
thoroughly or if you don't understand code at all, you might as well run
up the white flag right now.)
What?  I've been dutifully following every link and executing every
binary that's hit Full-Disclosure!  How else are we supposed to ensure
our machines are secure?
Wait, hold on, I have to go click on a monkey.

Cael





Re: [Full-Disclosure] Lun_mountd.c vs mounty.c

2003-09-18 Thread Cael Abal
It astounds me that so many people on this list (well, two) use the full
disclosure ethic as an excuse to oblige programmers to give up our privacy
rights and divulge all their code to a group of strangers.
Can you *seriously* not see the problem with someone taking credit for
someone else's work?  That is just exquisite bullshit, regardless of the
nature of the code itself, or with whom it was initially shared.
Tobias was right on the money to take issue with this, and some of you
need to back off and let talented hackers claim a little due credit and
take pride in their work once in a while.
Hi Person/Devon/[t],

Personal pride and quality of work is important, I'll give you that. 
Also, I am intimately aware of how unpleasant it can be to have someone 
else take credit for one's work.  Now, do I feel a whole lot of pity when 
I see a script kiddie take credit for someone else's exploit?

Nope.

Consider this analogy:  A graffiti artist spends long hours labouring 
over a wall mural, only to come back the next day and see some seven 
year-old surrounded by his friends, proudly taking credit for it.

Know what?  The world at large doesn't give a shit.  I don't give a 
shit.  The end result is still the same either way, one more eyesore in 
a jungle of eyesores.  Realistically, it was only a matter of time 
before that wall was tagged.  The only folks who care about graffiti art 
are graffiti artists -- like any community.

Mr. Brown was exactly right, if a tad terse:  If an exploit writer wants 
privacy, they should not release the code (or release it anonymously). 
If an exploit writer wants fame and fortune, they should release it 
publicly under their real name with much fanfare -- either of these 
choices quite efficiently prevent some kiddie from taking credit for 
their work.  There's really no in-between to speak of, not one with much 
value to society.

The other alternative -- a limited release amongst friends or colleagues 
-- is really nothing more than self-aggrandizement.  Understandable, 
maybe, but not very valuable...  All it does is add one more tool to the 
script kiddie cookbook -- and set up the original author for plagiarism.

Cordially,

Cael



Re: [Full-Disclosure] IE Object Type Validation Vulnerability Exploit

2003-09-18 Thread Cael Abal
http://morningwood.ethicsdesign.com/fucked4test.html
id that... who cares if it's a trojan, you surely didn't think it was
benign??? I didn't click it knowing it was an object tag exploit.. or try a
HEAD on the link first.. or even
nc -vv someurl.isp/link.html
*sigh*

If I didn't know better I might think you presented that link maliciously.

As for your criticism, I believe you misunderstood.  I wasn't warning
folks the script was malicious.  For anyone interested, I simply
*identified* the executable which was MakeVBSed into the .vbs file
Andreas posted to the list.  Symantec calls it 'Download.Trojan'.
Here's that link again:

http://www.symantec.com/avcenter/venc/data/download.trojan.html

If you're unfamiliar with MakeVBS, you can learn more here:

http://rattlesnake.at.box.sk/newsread.php?newsid=7

Cheers,

Cael

---

- Original Message -
From: Cael Abal [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, September 16, 2003 7:03 PM
Subject: Re: [Full-Disclosure] IE Object Type Validation Vulnerability
Exploit


Decrypted (undo VBS.Encode) it is the following:
Andreas

Hi Andreas,

The 'x.exe' created by this script is reported by Symantec as
'Download.Trojan':
http://www.symantec.com/avcenter/venc/data/download.trojan.html

Cael




Re: [Full-Disclosure] VBScript/JScript.Encode Decoder

2003-09-18 Thread Cael Abal
I (we) (illmob.org) released the first Windows-compiled rpc-dcom exploit
into the wild weeks before msblaster used the basic version of this, and we
live in the US.
Since when did releasing non-propagating code constitute a crime???
morning_wood

I'm not a lawyer but as far as I know tools which can be used for
Circumvention of Copyright Protection Systems are expressly forbidden by
the US Digital Millennium Copyright Act.  It could be argued that
Andreas' VBS decrypt tool released Tuesday is one of these.  I wasn't
commenting on the legality of exploits, just Andreas' VBScript /
JScript.Encode Decoder tool.
My comment was really only me poking a bit of fun at US laws -- that of
all the ethically dubious information which comes through
Full-Disclosure, something so innocent as Andreas' Pascal code might
actually be illegal.  Remember Sklyarov?
take care,

Cael

- Original Message -
From: Cael Abal [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, September 16, 2003 8:25 PM
Subject: Re: [Full-Disclosure] VBScript/JScript.Encode Decoder
VBS_DEC.PAS -

program vbs_dec;  { Decrypts encrypted VBScript and JScript programs }
 { Copyright (c) 09/2003 Andreas Marx /
http://www.av-test.org }
Greetings Andreas,

I hope you aren't intending to visit the US any time soon -- you've just
released into the wild a tool which can be used for Circumvention of
Copyright Protection Systems.
Yay, DMCA!

(Thanks, by the way.)

Cael




Re: [Full-Disclosure] new ssh exploit?

2003-09-17 Thread Cael Abal
SSH over VPN? Would this be more secure, or 
Telnet (no, I don't use this) over VPN? 

Good morning Aditya,

Although I can't find any sources other than this at the moment, it's 
commonly understood that a significant share of malicious behaviour 
originates within an organization's internal network -- that is, your 
users are the bad guys.  The article referenced below says 35%, but I 
have no idea where they got that number.

http://lists.insecure.org/lists/isn/2000/Jan/0011.html

That being the case, consider that VPNs only protect you across the 
public (untrusted) network.  Once you hit your internal (untrusted) 
network, telnet sessions would be in the clear.

take care,

Cael



Re: [Full-Disclosure] Lun_mountd.c vs mounty.c

2003-09-17 Thread Cael Abal
A few minutes ago I was browsing PacketStorm and I can't believe my eyes:
someone has changed half the header of my code and disclosed it to 
PacketStorm.

I can't understand why people do that.
Are they not able to get their own skills?
I have invested many hours to write this code and it should never have been 
released,
but some sucker leaked it and some other gay changed half the header and
disclosed it.

Attached is the ORIGINAL EXPLOIT code I wrote months ago.

/me blinks

That's so unethical of them!!!

Unfortunately, we have only your word as proof that you were the first
to exploit the xlog off-by-one.  Next time, be the first one to
publicly release your exploit to Full-Disclosure; that way you'll be
sure to get credit!
Good luck!

Cael



Re: [Full-Disclosure] Who else is Omniture doing snooping for?

2003-09-17 Thread Cael Abal
Here's how Omniture describes itself:

   http://www.omniture.com/company.html
 
   Imagine a device that could be placed by the front 
   door of a department store to tell the store manager 
   all kinds of detailed information about customers - 
   what store they came from, who they were referred by, 
   if they have been to the store previously, what 
   advertisement they were responding to and much more, 
   says CEO Josh James. Imagine how useful this kind of 
   information is to a store manager or marketing agent. 
   That is the kind of information SiteCatalyst can provide, 
   instantaneously, in real-time.


Okay, that's just creepy.

Anyone who is upset by this sort of thing should enthusiastically
consider disabling javascript.  Alternatively, many browsers can also be
configured to not download third-party images ('Load images for the
originating web site only').

I took a quick look at the code.  I love the source address for the
offending web bug:
https://102.112.2o7.net/

Sneaky, huh?

Cael
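As an added illustration of the 'originating web site only' policy discussed above (this is not code from the thread): a script that lists which resources on a page such a policy would refuse, and flags loads that look like web bugs, including the digit-for-letter hostname trick. The sample page and its paths are constructed; only the 2o7.net host comes from the post.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page (not a real capture): a first-party logo, the SiteCatalyst-
# style script and 1x1 image on the 2o7.net host named in the post, a first-party CDN.
SAMPLE_PAGE = """
<html><body>
<img src="/images/logo.gif">
<script src="https://102.112.2o7.net/b/ss/example/1/H.1/s1"></script>
<img src="https://102.112.2o7.net/b/ss/example/1/H.1/s1?AQB=1" width="1" height="1">
<img src="https://cdn.example.com/hero.jpg">
</body></html>
"""

class ResourceCollector(HTMLParser):
    """Collect every img/script src the page would make the browser fetch."""
    def __init__(self):
        super().__init__()
        self.resources = []  # (tag, src, attrs-dict)
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("img", "script") and attrs.get("src"):
            self.resources.append((tag, attrs["src"], attrs))

def registrable_domain(host):
    return ".".join(host.lower().split(".")[-2:])  # crude: no public-suffix list

def looks_numeric_but_isnt(label):
    """True for labels such as '2o7' that read as a number but contain letters."""
    lookalikes = set("oli")  # letters commonly passed off as 0 and 1
    return (any(c.isdigit() for c in label)
            and any(c in lookalikes for c in label)
            and all(c.isdigit() or c in lookalikes for c in label))

def third_party_loads(page_url, html):
    """(tag, url, reasons) for each load an 'originating site only' policy refuses."""
    site = registrable_domain(urlparse(page_url).hostname or "")
    parser = ResourceCollector()
    parser.feed(html)
    hits = []
    for tag, src, attrs in parser.resources:
        url = urljoin(page_url, src)
        host = urlparse(url).hostname or ""
        if registrable_domain(host) == site:
            continue  # first-party: the policy allows it
        reasons = ["third-party " + tag]
        if tag == "img" and attrs.get("width") == "1" and attrs.get("height") == "1":
            reasons.append("1x1 tracking pixel")
        if any(looks_numeric_but_isnt(l) for l in host.split(".")):
            reasons.append("host label mimics a number: " + host)
        hits.append((tag, url, reasons))
    return hits
```

Run it with `third_party_loads("http://www.example.com/index.html", SAMPLE_PAGE)`; the CDN image passes as first-party while both 2o7.net loads are reported.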



Re: [Full-Disclosure] Security firm Symantec has rubbed subscribers to the Full-Disclosure mailing list the wrong way

2003-09-16 Thread Cael Abal
Yes, in this time of the Buschwackers, it is all too easy for the gov'ment
to rob us of our freedom.  And unfortunately there are far too many
corporate types ready to take advantage of that in the name of the almighty
buck. Wired is cool though.  They went on to say "He did not say, though,
how legislators would determine the difference between malicious information
and that used for legitimate security research, or whether such a law might
compromise freedom of speech."

Good morning Curt,

Incidentally, if you're worried about corporate types and their quest 
for the almighty buck, I'm not so sure you should consider Wired the 
last bastion of truth and freedom.  The mag is owned by Conde Nast 
Publications *, a gigantic conglomerate which also happens to own:

The New Yorker
GQ
Vogue / Teen Vogue
Vanity Fair
Glamour
Nearly 20 magazines in total, I believe.  Oh, and the fun doesn't stop 
there.

Conde Nast is owned by Advance Publications, which also owns Parade 
Publications, Fairchild Publications, American City Business Journals, 
the Golf Digest Companies, and newspapers in more than twenty American 
cities; Advance Publications also has extensive interests in cable 
television, as well as in Internet sites which are related to its print 
publications. *

Take from this what you will.

Sincerely,

Cael

---

http://condenet.com
http://www.advance.net/index.ssf?/advance_publications/about_advance_publications.html


Re: [Full-Disclosure] IE Object Type Validation Vulnerability Exploit

2003-09-16 Thread Cael Abal
Decrypted (undo VBS.Encode) it is the following:
Andreas

Hi Andreas,

The 'x.exe' created by this script is reported by Symantec as 
'Download.Trojan':

http://www.symantec.com/avcenter/venc/data/download.trojan.html

Cael


