Re: AW: [Full-Disclosure] no more public exploits
Baum, Stefan wrote:
> IMHO, no sysadmin taking his work seriously, will wait patching the systems until an exploit is available throughout the internet.
>
> Stefan (I AM A SYSADMIN)

Cripes, this is the thread that never ends.

What if there were two patches fixing vulnerabilities of equal severity, one with a known, published exploit and one without? Would you give one priority (considering that rolling out a patch involves significant testing)? You do perform regression testing, right?

What if you were juggling a slew of very high priority tasks and a patch was made available? Would you drop everything (including those mission critical jobs your boss' boss asked you to handle by day's end) in order to push that patch out the door immediately?

Part of being a good sysadmin (really, being a good /anything/) involves being able to perform on-the-fly cost/benefit analyses. Realistically, the lack of a widespread published exploit means an attack on any given machine is less likely. An admin who chooses to ignore these probabilities isn't looking at their job with the right perspective.

Take care,
Cael

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Re: [Full-Disclosure] Wiretap or Magic Lantern?
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

| 2., The terrorists are not stupid, they use strong encryption and there
| is proof that PGP repels NSA.

Hi Tamas,

Although I agree with some of your post, I have to take exception to this point. What proof are you referring to?

All conspiracy theories aside, it's silly to assume that the good guys have approximately the same levels of technology, knowledge and resources as the bad guys. Myself, I'll wait until I'm given a tour of the NSA's secret underground bunkers before I make any claims as to what the NSA can and cannot do. :)

Cael
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (MingW32)

iD8DBQFAdAnNR2vQ2HfQHfsRAjvOAJ9hBAzHT4CYsJ+kYy1/CDx5rAQEWwCghjcw
R3frpGXlvwhlSORC/jLJaTw=
=hvt0
-----END PGP SIGNATURE-----

Re: [Full-Disclosure] Re: SEARCH web attack (IP address spoofed?)
Martin Maok wrote:
| Anyway, she is (at least) able to spoof any IP address for which she
| is able to see the replies - i.e. almost any other IP address on her
| local network or behind it (say, she controls the router).

This is a very important distinction, one that seems to be frequently overlooked. I wonder if it'll ever be brought up in a courtroom? How can one demonstrate a certain packet came from a certain computer, when any number of faceless upstream deviants could conceivably have been responsible for it?

Cael

Re: [Full-Disclosure] NetSupport School Pro: Password Encryption weaknesses
spiffomatic 64 wrote:
> The letters are expressed using a hexadecimal type of system. Every letter is shown by two characters: the first character can be any ASCII character, while the second is in a range from a-p. This works just like hex in that ap+1=ba. It's not case sensitive, so that also makes it easier for kids to get passes. The characters start at EM. So A=EM, B=EN and so on. Each letter is also added to by the number of letters in front of it. So the crypt of aa=EN9O while the crypt of aaa=EO9PA.

How cute!

Cael

Re: [Full-Disclosure] Administrivia (very OT, but should be addressed)
Spiro Trikaliotis wrote:
> Isn't that the reason why there is a Mail-Followup-To (MFT) header (http://cr.yp.to/proto/replyto.html)? With this, the sender of a mail can decide if he wants a copy of the mail or not. If I want to get a copy of the mail in addition to the list, the header is set to the list and my address; if I don't want this, I set it to the list only.
>
> Mutt, my MUA, supports the notion of lists and subscribed lists. On a non-subscribed list, I get a copy of any reply by setting MFT to myself, too, while I don't get a copy on subscribed lists.
>
> Why don't you all just let the user choose which way he wants to go?

[This is way off-topic, but I'm afraid that folks will get the wrong impression from Spiro's e-mail.]

Hi Spiro,

Unfortunately, last I checked there *isn't* a Mail-Followup-To header. Even though some mail clients support it, it's nonstandard and some folks consider it an ugly kludge. See Keith Moore's plea here:

http://pm-doc.sourceforge.net/pm-tips-body.html#replyto_header

He suggests that adding another mail header will only complicate matters more, and that Bernstein's MFT concept is inherently broken:

    Dan's proposal is intrinsically flawed. It incorrectly assumes that the sender can reasonably anticipate the recipient's needs in replying to the message, and that such needs can reasonably be lumped into either reply or followup. It doesn't solve the real problem, which is that responders need to think about where their replies go. Mail-Followup-To won't decrease the number of messages that go to the wrong place.

Please give it a read before you continue to advocate MFT.

Sincerely,
Cael

Re: [Full-Disclosure] Administrivia (very OT, but should be addressed)
> > Dan's proposal is intrinsically flawed. It incorrectly assumes that the sender can reasonably anticipate the recipient's needs in replying to the message, and that such needs can reasonably be lumped into either reply or followup. It doesn't solve the real problem, which is that responders need to think about where their replies go. Mail-Followup-To won't decrease the number of messages that go to the wrong place.
>
> But you can at least tell people if you want or need a separate copy in addition to what gets sent to the list. People who don't want separate copies should be setting mail-followup-to. Even if not all mail clients support it, some do.

Bruno, did you read the objections raised in that link I provided? I know how Mail-Followup-To works. I also understand there are unresolved problems with it. Here's that link again:

http://pm-doc.sourceforge.net/pm-tips-body.html#replyto_header

This will be my last post on the subject, but please consider that MFT is *not* a standard (and as far as I know hasn't shown up in an RFC since the late '90s), supported by only a handful of MUAs... And the (default), polite course of action has historically been not to CC folks in mailing list posts.

Enjoy your weekend,
Cael

Re: [Full-Disclosure] Ancient Trivia: +++ath0
Alexander Bochmann wrote:
> Quite funny how much time has been wasted rediscovering this feature over and over again in the last years.

Indeed -- I half expect to see some leet 0day exploits involving ANSI key remapping.

Cael

Re: [Full-Disclosure] DELL 1600 and 1650 potential fire risk
Chris Cozad wrote:
> Has anyone experienced any of the supposed problems with the Dell 1600 and 1650 servers? Apparently a percentage of these servers shipped early last year have a fault on the motherboard, whereby the video chip actually burns up in a huge cloud of smoke. We are getting conflicting reports out of Dell, depending who we talk to. The support technicians have all said they have seen 3 or 4 of these failures each over the past 6 months or so, but our account manager kind of glosses over the problem.

Hi Chris,

Personally, if my office and everyone in it was conceivably in peril of imminent destruction by raging inferno I don't think I'd let my account rep 'gloss over' the problem. Do you not like your co-workers? :)

Take care,
Cael

Re: [Full-Disclosure] Book of unreleased exploits?
c0hiba wrote:
> here is something i found on dave aitel using that google search engine thing..
>
> http://groups.google.com/groups?q=birth+of+a+gay+slut&hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=544eli%249704151525%40qz.little-neck.ny.us&rnum=1
>
> --c0hiba

Interesting, you posted this same link to FD four months ago. Are you trying to tell us something?

http://lists.netsys.com/pipermail/full-disclosure/2003-November/014070.html

Cael

Re: [Full-Disclosure] Meth and hacking?
[EMAIL PROTECTED] wrote:
> Hang on a minute. How can you steal public encryption keys? They are useless if they aren't freely available anyway! Now private encryption keys are another matter.

Hi John,

You're mistaken -- there are tools in the wild RIGHT NOW that make stealing public keys trivial... In fact it can be done via several web browsers!

http://pgpkeys.pca.dfn.de:11371/pks/lookup?search=0x77D01DFB

We're doomed!

Cael

Re: [Full-Disclosure] Comcast using IPS to protect the Internet from their home user clients?
TooManyMirrors wrote:
> My Terayon (cable modem) went out for nearly two days and then magically came back on after a tech appointment was made. No change in the setup or anything.

Solar flares.

C

Re: [Full-Disclosure] Caching a sniffer
Ian Latter wrote:
> While there's no way to be sure-sure ... you can get into your local LAN segment and send ICMP(/whatever) requests to the correct L3 address with the wrong L2 address and see if you get a response; this will show you if hosts/devices are listening promiscuously (which makes for a good starting point).

Not necessarily? I thought that depended on the IP stack implementation.

Cael

Re: [Full-Disclosure] Counter-Attacking hackers? (wtf)
phased wrote:
> I think personally they are on crack, it sounds very controversial
>
> > While other companies offer only passive defense barriers, Symbiot provides the equivalent of an active missile defense system.
>
> I am sure any responsible organisation would not want to run such a product, for a start such a product is surely illegal in most countries and an organisation has enough aspects to consider in its daily management without worrying about waging wars with malicious attackers

OF COURSE your average skript kiddie versus Symbiot experience will go like this:

1) Kiddie probes/attacks Symbiot-protected network.
2) Symbiot-protected network retaliates, temporarily bringing down kiddie's computer.
3) Kiddie learns her lesson and decides to put aside her Evil Ways, instead turning to making macrame jewellery and wall hangings.

Cael

Re: [Full-Disclosure] ASP script using OpenTextFile
Paul Tinsley wrote:
> Need some help from those out there versed in windows. I am auditing an ASP based (VBScript) application which uses OpenTextFile as follows:
>
> Set f = fso.OpenTextFile(sLeadingPath + paramPageToRender + ".xsl", ForReading)
>
> I have been able to ../../../../ all over the place, but it only allows me to pick up files ending with .xsl. I would like to print the contents of a non .xsl file to prove that not checking paths properly is a large issue. But I have had no luck making it ignore the .xsl
>
> I have tried ../../foo.txt%00 ../../foo.txt%0a ../../foo.txt%0d. But none of these seem to be working for me, does anyone know of a good way to end the file where I want and have it ignore the .xsl tacked on the end of the filename to be opened?
>
> Any help is greatly appreciated.

Hi Paul,

You're right to raise concerns about this sort of code. Consider this example:

---snip---
sLeadingPath = "C:\"
' Chr(0) embeds a null character; everything after it is ignored by the file API.
paramPageToRender = "passwords.txt" + Chr(0)
set fso = CreateObject("Scripting.FileSystemObject")
' The appended ".xsl" sits after the null and never reaches the open call.
set f = fso.OpenTextFile (sLeadingPath + paramPageToRender + ".xsl", 1)
WScript.echo (f.ReadAll)
---snip---

You had the right idea, you only needed to figure out how VBS represents \0. As you know, because strings are terminated with the null character, the final string concatenation performed within OpenTextFile() is disregarded.

Cheers,
Cael

(Heh, fear my leet VBS skills.)

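The defensive counterpart to the snippet above, as an added example that is not part of Cael's post nor of the application Paul is auditing: the same base-path + parameter + ".xsl" concatenation, written in Python rather than the thread's VBScript, beside a hardened resolver that rejects null bytes and traversal up front and then confirms the canonical path still lies inside the template directory. The directory and page names are constructed for the demo, and truncate_at_nul is only a model (an assumption, not a claim about any particular runtime) of what a C-string based file API would see when handed a name containing a null.

```python
import os
import re

TEMPLATE_EXT = ".xsl"
# Allow-list for the page parameter: letters, digits, underscore and hyphen only,
# so path separators, dots and NUL can never reach the filesystem call.
_SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")


def resolve_template_unsafe(base_dir: str, page: str) -> str:
    """Mirror of the audited ASP line: plain concatenation, no validation."""
    return base_dir + page + TEMPLATE_EXT


def truncate_at_nul(path: str) -> str:
    """Model (assumption) of how a C-string based file API sees the name:
    everything after the first NUL, including the appended extension, is lost."""
    return path.split("\x00", 1)[0]


def resolve_template(base_dir: str, page: str) -> str:
    """Hardened resolver: allow-list the parameter, then verify the canonical
    path is still under base_dir before it is handed to any file API."""
    if "\x00" in page:
        raise ValueError("NUL byte in page name")
    if not _SAFE_NAME.fullmatch(page):
        raise ValueError("page name outside allow-list")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, page + TEMPLATE_EXT))
    # Independent second check: even an allow-listed name must canonicalise
    # to a location inside the template directory.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("resolved path escapes template directory")
    return candidate


def is_safe_page(base_dir: str, page: str) -> bool:
    """True when the hardened resolver accepts the page parameter."""
    try:
        resolve_template(base_dir, page)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs: a benign request and Paul's %00-style traversal attempt.
    base = "/srv/app/templates/"
    for page in ("report", "../../foo.txt\x00"):
        raw = resolve_template_unsafe(base, page)
        print(f"{page!r:24} unsafe opens -> {truncate_at_nul(raw)!r}")
        print(f"{'':24} hardened accepts -> {is_safe_page(base, page)}")
```

The allow-list does most of the work; the commonpath check is kept as a second, independent control so that a future relaxation of the regex (say, to permit subdirectories) cannot silently reopen traversal.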
Re: [Full-Disclosure] ASP script using OpenTextFile
Whoops. Offhand I couldn't tell you how to get Chr(0) or vbNullChar into a string without modifying the .vbs -- my mistake. Looks like you don't have to fear my leet VBS skills after all. :)

Cael

Re: [Full-Disclosure] Re: E-Mail viruses
> Methinks you misunderstand. Only the proprietary extension, i.e. .inc or .xyz or .whatever, would be allowed through, and since virus writers would never use this extension, it would eliminate ALL viruses at the gateway. The nice thing about this approach is that it completely eliminates the need for any anti-virus on the mail server since all virus attachments are automatically dropped without the need for scanning. Quite a simple, yet elegant solution, if I do say so myself.

Curt,

Interesting idea, provided your org is not specifically targeted -- although admittedly none of the currently-touted solutions would do much against a direct attack.

Personally I'd dispute this solution's elegance; anything which requires substantial user behaviour change (and doesn't drastically improve the virus/worm situation across the board) is an ugly kludge.

Cael

Re: [Full-Disclosure] E-Mail viruses
Curt Purdy wrote:
> > Personally I'd dispute this solution's elegance; anything which requires substantial user behaviour change (and doesn't drastically improve the virus/worm situation across the board) is an ugly kludge.
>
> I would say that completely eliminating all virus infected attachments, past/present/future, without any further interaction by IT dramatically improves the virus/worm situation across the board.

The problem is, though, you're training your users and customers (likely at significant expense) to use some bizarre munging method to satisfy the whims of your particular mail gateway. Although it will stem the flow of incoming automated worms/viruses on your end, this will not help reduce virus/worm propagation anywhere else. This, to me, is not what I would call dramatically improving the virus/worm situation across the board.

Think about the implementation nightmare. What will you do when someone attempts to send an attachment to one of your users? Will you fire off an automated response, instructing them to use your .xyz solution? How will you prevent sending notifications to forged From: addresses? Will you instead simply silently kill all attachments, passing the body of the message -- that's ugly too, it requires the recipient to notify the sender their attachment was blocked, describe your solution to them, and hope the attachment gets resent. Do you trust your users to accurately describe file renaming to other users? Are your users comfortable with the variety of OSes still out there? Are your users smart enough to realize they shouldn't start renaming attachments they send to other folks?

Also, keep in mind your users will still get hammered by all those annoying e-mail virus/worm messages (sans executables), unless you also continue to implement an anti-virus scanner. Didn't you hope to be rid of that?

Finally, what if you decide to change procedure in the future? Everything you've taught your users is completely useless to them, all that time and effort ends up being a complete write-off, and you'll have to *untrain* them all.

Your idea is interesting and certainly deserves further thought and discussion, but it's no panacea. Instead of implementing this particular solution (with all its costs), I'd instead recommend Old Faithful:

1) Continue following industry Best Practices.
2) Educate your users as best you can.

In my mind this is much, much better (for everyone) in the long run.

Sincerely,
Cael

Re: [Full-Disclosure] Backdoor not recognized by Kaspersky
> > Another variant against the Netsky virus. It is packed with UPX. It spreads with the password protected zip file, which gets bypassed through almost all the AV scanners with latest signature updates because no AV can decrypt it without the password (though the password is in the message content); we humans tend to open it after reading the message.
>
> Kaspersky, NAI and possibly some other AV-vendors now parse the password from the body of the email to extract the zip and then scan it. Obviously this only helps if it can scan the complete email, i.e. on the mailserver. They might need to adapt to new variations of how the password is included in the body, which will take some analysis when new variants emerge.

Does anyone else find this new development a bad idea?

I'm of the mindset that anti-virus companies should stick with what they're good at -- namely, detecting and handling infected files. It seems a bad idea to start down the natural language processing road. Are they scanning just for Bagle/Beagle style e-mail, or are their methods more general? What about messages of the form: 'Password is a long yellow fruit enjoyed by monkeys.' What about messages in languages other than English?

I can easily see this becoming an arms-race, and one the anti-virus folks have no chance of winning. Leave passworded .zips alone -- take the sensible approach and catch an infected file once it's been extracted.

Cael

Re: [Full-Disclosure] Backdoor not recognized by Kaspersky
> McAfee now detects the password protected zip files. (There are other things you can look for besides trying to decrypt the contents of the zip file. Also, zip passwords are weak and easily broken anyway.)

Zip files may be /relatively/ easy to brute force, sure, but there's no way I'm turning my mail gateway into a dedicated .zip cracking box. That's insane.

As I mentioned, passworded .zip handling is an arms-race I hope anti-virus folks decide not to get embroiled in. It would be trivial to generate a file_id.diz (or readme.txt, or add zip comments, etc.) in order to skirt checksum / file size checks. It would be trivial to harvest plausible file names from a victim's computer to avoid filename matching checks. The only reasonable check would be what Bart suggests, but I'm not comfortable blocking all passworded .zip files containing an executable.

Who knows, I might have to change my mind.

Cael

Re: [Full-Disclosure] Backdoor not recognized by Kaspersky
> Cael...take a more sensible approach...no password parsing to scan needed...have the AV/mail gateways stop any zip with any executable inside. You don't need to use the password to see that there is an .exe/.scr/.com/.whatever inside a zip. You see it, you nuke the zip. If your policies allow zipped executables to meander through your mail system as long as they pass a virus scan, you must have damned busy 0 days. This ain't complicated...at all.

Hi Bart,

Interesting suggestion but I'm not prepared to arbitrarily kill any zipped executable (even just those which have been passworded). I'm just not comfortable with the false-positives. Historically, passworded .zip files have been the only remotely acceptable way to e-mail executables. I'm hesitant to give that up. I'd still rather allow all passworded .zips and rely on the client's AV to nab it.

take care,
Cael

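To make the positions in this thread concrete (Bart's "nuke any zip with an executable inside", the narrower "block only passworded zips with an executable" that Cael says he is not comfortable with, and Cael's own "leave it to the client's AV"), here is an added example that is not code from either poster nor from any AV vendor: a Python inspector that reads only the zip central directory, which traditional zip password protection leaves in the clear, and applies whichever policy the gateway operator chooses. The sample archive is constructed in memory; rather than implement ZipCrypto, the demo only sets the encryption flag bit in the headers (an assumption stated in the code), which is enough for zipfile to refuse the payload without a password while still listing names, sizes and flags. The executable-extension list extends the thread's .exe/.scr/.com with a few more entries and is likewise an assumption.

```python
import io
import struct
import zipfile

# General-purpose flag bit 0: entry uses traditional PKWARE (ZipCrypto) encryption.
ENCRYPTED_FLAG = 0x0001
# Extensions treated as executable content. The thread names .exe/.scr/.com;
# the remaining entries are an assumption for this demo.
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")


def _set_encrypted_flag(data: bytearray) -> None:
    """Assumption for the demo: set bit 0 in every local file header (flags at
    offset +6) and central directory header (flags at +8). The payload stays in
    the clear, so this mimics only the metadata of a passworded zip."""
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = data.find(sig)
        while pos != -1:
            (flags,) = struct.unpack_from("<H", data, pos + off)
            struct.pack_into("<H", data, pos + off, flags | ENCRYPTED_FLAG)
            pos = data.find(sig, pos + 4)


def build_sample_zip(entries, passworded: bool) -> bytes:
    """Constructed sample archive: stored (uncompressed) entries with ASCII payloads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, payload in entries:
            zf.writestr(name, payload)
    data = bytearray(buf.getvalue())
    if passworded:
        _set_encrypted_flag(data)
    return bytes(data)


def _looks_executable(name: str) -> bool:
    return name.lower().endswith(EXECUTABLE_EXTS)


def inspect_zip(data: bytes) -> list:
    """List every entry from the central directory. Names, sizes and the
    encryption flag are all readable without any password."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [
            {
                "name": zi.filename,
                "size": zi.file_size,
                "encrypted": bool(zi.flag_bits & ENCRYPTED_FLAG),
                "executable": _looks_executable(zi.filename),
            }
            for zi in zf.infolist()
        ]


def payload_readable(data: bytes, name: str) -> bool:
    """True if the entry's content can be read without supplying a password."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        try:
            zf.read(name)
            return True
        except RuntimeError:  # zipfile: "password required for extraction"
            return False


def gateway_decision(data: bytes, policy: str) -> str:
    """Apply one of the policies argued in the thread to an attachment.

    block-any-exe        - Bart: drop any zip that contains an executable.
    block-passworded-exe - drop only passworded zips that contain an executable.
    scan-only            - Cael: never drop on structure alone; leave it to AV.
    """
    entries = inspect_zip(data)
    has_exe = any(e["executable"] for e in entries)
    has_hidden_exe = any(e["executable"] and e["encrypted"] for e in entries)
    if policy == "block-any-exe":
        return "drop" if has_exe else "pass"
    if policy == "block-passworded-exe":
        return "drop" if has_hidden_exe else "pass"
    if policy == "scan-only":
        return "pass"
    raise ValueError(f"unknown policy {policy!r}")


if __name__ == "__main__":
    # Constructed attachment: a decoy readme plus an executable, marked passworded.
    sample = build_sample_zip(
        [("file_id.diz", "just a decoy"), ("invoice.exe", "MZ not a real binary")],
        passworded=True,
    )
    for entry in inspect_zip(sample):
        print(entry)
    print("payload readable without password:", payload_readable(sample, "invoice.exe"))
    for policy in ("block-any-exe", "block-passworded-exe", "scan-only"):
        print(f"{policy:22} -> {gateway_decision(sample, policy)}")
```

The decision rests on file names from the central directory only, which is exactly the weakness Cael points at in the previous post: a sender who controls the archive also controls those names, so this is a cheap structural filter, not a substitute for scanning the extracted content.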
Re: [Full-Disclosure] a question about e-mails
> ok, it can be. please could someone send a message with bcc to this list, so we could analyze it. use the subject: bcc line
>
> regards
> nico

Please drop this thread. It's embarrassing.

C

Re: [Full-Disclosure] Job Opening in Maryland for Security Researcher
[EMAIL PROTECTED] wrote:
> I have a job opening for a computer scientist with an interest in computer security...
>
> Thank you!
>
> David Stein
> Systems Vulnerability Analyst
> General Dynamics Advanced Information Systems
> [EMAIL PROTECTED]

Psst: If you're going to be posting job offers on public mailing lists, perhaps you should consider taking Comcast up on their '8 e-mail addresses' offer. If you're lucky, [EMAIL PROTECTED] is still available.

I can picture the receptionist's face now. "Hi, this is in response to a job posting made by a guy named Brass Balls. Hello. Hello?"

C

Re: [Full-Disclosure] CISSP Study material
jacobjango wrote:
> hi list,
>
> I am preparing for CISSP and looking for study material.
>
> Thanks in advance.
>
> jacobjango

Someone posting in HTML to a mailing list, using OE, preparing for the CISSP exam.

/me shudders

C

Re: [Full-Disclosure] GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution
morning_wood wrote:
| A security researcher, who only identified himself by the initials
| gta, posted information on the vulnerability to several security
| mailing lists.
|
| one down... how many more are out there?
|
| and 'yall thought that post was unconfirmed. muhahah

I'm the guy who called the vulnerability unconfirmed -- at the time, it was. What's the big deal? It's prudent to use words like 'supposedly' or 'possibly' when you're working from second-hand information, especially from an unsigned anonymous hushmail post like gta's. I didn't have the means nor desire to test it at the time, so I left it at that.

To be honest, I'm a bit concerned that we've only seen one publicly-released exploit so far.

C

Re: [Full-Disclosure] InfoSec sleuths beware, Microsoft's attorneys may be knocking at your door
| There are clear, admitted cases of reverse engineering by vulnerability
| researchers, which are prohibited by EULA, and which MS has so far
| declined to pursue. Why should this be different? MS afraid the EULA
| restrictions wouldn't hold up?

Unless the individual who downloaded the leaked source clicked an 'I agree not to do anything naughty with this source' button, EULAs have nothing to do with this particular issue. Similarly, it could be argued that trade secrets are no longer trade secrets once they reach the public -- so I guess that leaves Microsoft in the same boat as the MPAA and the RIAA, trying to prevent copyright infringement?

Incidentally, the MS press release says the leak "was not the result of any breach of Microsoft's corporate network or internal security, nor is it related to Microsoft's Shared Source Initiative or its Government Security Program"... So, if it wasn't a breach of security and the leak wasn't through their Shared Source Initiative partners, what else is left?

http://www.microsoft.com/presspass/press/2004/feb04/02-12WindowsSource.asp

C

Re: [Full-Disclosure] trust? - win2k source code tools
Sander wrote:
| Hi,
|
| am i right, that if this really works, it's not only a problem for windows
| users, but for everyone surfing the internet?
|
| kick me if i'm wrong.. but that wouldn't be cool! :-)
|
| cheers,
| sander.

Nope, it sounds like the parent poster found tools to apply digital signatures to binaries -- different from SSL certificates. If you're running WinXP, check the properties of files found in this dir for some examples:

C:\WINDOWS\RegisteredPackages\

C

Re: [Full-Disclosure] http://federalpolice.com:article872@1075686747
| It has come to my attention that you are being under the police
| investigation.
| Is that true? Have you really committed such crimes?
|
| Please read the following article located at:
|
| http://federalpolice.com:[EMAIL PROTECTED]

MS04-004 just can't propagate fast enough to satisfy me.

C

Re: [Full-Disclosure] GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution
| .. Rggghhhttt. Way to go, using a signed integer for an
| offset. Now all we have to do is create a BMP with bfOffBits > 2^31,
|
| I would caution everyone against assuming that this code has not
| been altered since it left the confines of Redmond. If I were
| to steal Microsoft code and release it to the Internet, I'd be
| tempted to make a few strategic modifications first, just to
| stir things up. Especially if I were, shall we say, not exactly
| a Microsoft fan...

Interesting point, but keep in mind the original author also included a POC which (reportedly, unconfirmed) affected IE5. That'd suggest it is indeed Redmond code.

C

Re: [Full-Disclosure] Windows 2000 Source Leak Verified. Get ready for the havoc.
| are they actually .asm, .c files and .h files in them ?
|
| or whatever lang was used to code windows?

As opposed to literally being 'blueprints' as reported by virtually every major news source?

That's a bit of a pet peeve of mine -- writers who don't quite understand what they're writing about and/or feel the need to make (bad) analogies in order to get an idea across. This bothers me because I can only consistently call them on it when they're discussing tech-related topics... I realize they're likely doing exactly the same thing when discussing things I'm not knowledgeable about.

Cael

Re: [Full-Disclosure] Windows 2000 Source code .torrent
| I would like to recall 99% of what peer to peer tools are sharing are
| illegal copies.
|
| We are sure this is not the case here, but I would not encourage people
| to install BitTorrent or similar P2P tools (eMule, mlDonkey, Kazaa, ...)
| on their systems.
|
| Even if they are honest, a misconfiguration could share their private
| data or some spyware could be installed.
|
| Could you please simply indicate us what is the file behind this hash?

Let me guess, you work for your country's music/movie industry, don't you? :)

I would definitely question your sources for that 99% figure. Although I would agree with you regarding other p2p clients, BitTorrent is not like the rest. There's no shared folder visible to all -- you make available to other BitTorrent users only that file you're currently downloading.

I don't know how much you trust random anonymous folks on FD, but I find BT relatively benign.

Cael

Re: [Full-Disclosure] Microsoft confirms source code leak
| This may be true where WIN OS based box is deployed in a
| commercial environment. However, I think their EULA is trumped
| by the new US Federal Regulations (HIPAA, DHS, CFR, etc)...

This definitely should be the case, but we'll see. Personally, I'm amazed that EULAs / click-through licences have any force of law whatsoever.

It's off-topic for the list, but here's a well-written article on EULAs by Jim Rapoza. His paper hits on most of the major points and serves as a fairly good primer for Aunt Betty.

http://www.eweek.com/print_article/0,3048,a=111018,00.asp

C

Re: [Full-Disclosure] Removing Fired admins
Michael T. Harding wrote:
| Anybody know of a checklist or guide to removing access across the entire
| organization for a retired admin?
| Mixed environment including Linux, Unix, Windows, Cisco, Nortel

Wow. Nightmare.

I would expect this is exactly what you didn't want to hear, but you're in an awfully scary situation. Imagine every sneaky thing a cracker could do -- subvert your IDS, implement Ken Thompson-esque login/compiler bugs, etc... And then consider that they might've happened any time in the past few years and have by now completely infiltrated your backup media. Good luck.

You're really at the mercy of your (ex) admin. All you can hope to do is take care of the obvious stuff -- disable his accounts, change the passwords of any shared accounts / devices, etc. The alternative (if you can call it that) is to treat your network as though it was compromised and go from there. One choice is relatively inexpensive, the other will result in a network you might be able to trust.

take care,
Cael
[Full-Disclosure] Security Watch Essay (was: (no subject))
roberta bragg wrote:
| Here's an opportunity to be heard by a number of security interested people,
| many of whom, don't subscribe to this list:

Just a heads-up to anyone considering responding to this call for submissions: The 'MCP' in 'MCP Magazine' stands for 'Microsoft Certified Professional'. The blurb next to the first News entry found at http://www.mcpmag.com/security/ says this:

    Microsoft Beefs up Online Security Offerings
    Perhaps no company in the industry is working harder than Microsoft at
    making sure the public knows what steps to take to secure its products.

Their slant isn't subtle.

Although I sincerely hope this isn't the case, I have a worrying suspicion that all we're going to see in Wednesday's commentary by Ms. Bragg will be the fringe element, the lunatics and kiddies hoping to see their names in the (virtual) paper. Sadly, I just can't see a newsletter like Security Watch seriously taking Microsoft to task for their security practices.

By all means respond, but please don't make the security community out to be idiots.

Cael
Re: [Full-Disclosure] Virus infect on single user
| Spybot Search and Destroy is much better.
|
| I find that you should run both spybot SD *AND* adaware together for the
| best possible adware/malware/spyware protection. they both catch stuff
| that the other does not. between the two though, you get rid of
| EVERYTHING.

CHS,

It's entirely plausible that neither adaware nor spybot might detect a particular piece of malware. 'Everything' (especially in all-caps) is an awfully strong word. Won't someone please think of the invisible pink unicorns?

C
Re: [Full-Disclosure] Apparently the practice was prevalent
I'm of the opinion that reinterpreting these particular ancient RFCs is really of no practical use and that this thread probably deserves to die a quiet death.

The fact of the matter is, regardless of what the RFCs have to say about the subject, Microsoft's abandoning of the username:password http/https feature should drastically hinder an entire class of inelegant phishing schemes. This is a good thing. The patch will also act as another (albeit tiny) nudge away from the tradition of passwords saved and used in-the-clear, which is also a good thing.

Does anything else really need to be said?

C
Re: [Full-Disclosure] Interesting side effect of the new IE patch
| They, fiat and others that used the M$ non-standard as a basis upon which
| to build, deserve exactly what they decided to buy into and not really
| research. That's what a company gets for buying into the tales their
| local-sales-lizard spews and thinking all those polished and glossy
| brochures are dead set facts. They need to re-evaluate their lack of a
| 'grains of salt' procurement processes.

It amazes me what sorts of supremely goofy ideas come to fruition -- http://[EMAIL PROTECTED] ? That was a horrible idea, and the tech person who signed off on it absolutely deserves the wrath of Fiat.

Just because you may be able to power up your computer by shorting a pair of contacts on your motherboard with a paperclip doesn't mean you should.

Cael
Re: [Full-Disclosure] Culprit Bio: Perfect Storm Averted or Just Ahead?
| ..Oh...please. Not too hard to track down?! :D I know at least 10 people
| that is capable of all the things you mention (well..except forth.. I only
| know two of those..)

Really? What are their names?

/me shoulders his pitchfork and brandishes a torch menacingly

Cael
Re: [Full-Disclosure] Culprit Bio: Perfect Storm Averted or Just Ahead?
Henrik Persson wrote:
| Do you really think that a person who knows forth and assembler and has
| great knowledge in the field of low-level worm production would be that
| stupid? I think not. As Frank Knobbe said, you just swallowed hook, line
| and CVS tag. :D

Hi Henrik,

8086 asm and Forth knowledge, although less common these days, isn't necessarily an indicator of shining intelligence or insight. And as for your 'great knowledge' comment -- the sad reality is this: It really doesn't take a whole lot of skill to implement a Windows worm.

It's a bit presumptuous to say with any certainty the cvs tag was a plant -- people make dumb/costly mistakes. Personally, I could care less about whether or not the mydoom author is caught -- there are thousands of kids ready to take his/her spot.

Cheers,
Cael
Re: [Full-Disclosure] Microsoft's fix for URL containing username:password@ obfuscation
Zach Forsyth wrote:
| And for people saying don't use IE, if you aren't the sole admin on the
| server you don't have the choice to install other apps. Believe me if I
| could install something else I would just put a real ftp app and firebird
| on there and not have to ask silly questions on FD.

Please tell me you don't do a lot of web browsing from your server.

IE being required on a Windows server (for SUS management, etc.) is one of my pet peeves -- but folks who browse the internet from their server actively freak me out. (This isn't directed specifically at you, Zach, but to people who play Russian roulette logged in as a domain admin.)

C
Re: [Full-Disclosure] Anti-MS drivel
| Why is it possible that a user is able to make this mistake?
|
| Oh COME now! Are you so INSULAR that you don't realise the real world? My
| wife works for a MENSA member, a recognised genius who would likely have
| more brain capacity than most people in the world. He doesn't have a CLUE
| how to secure his computer. WHY? He isn't in the least INTERESTED in
| computers outside of using them to do his work on. Oh and BTW, his work,
| nothing to do with computers other than using them as a tool, made him a
| multi-millionaire. Why the HELL should this guy, according to you, *HAVE*
| to know what he is doing with a computer. He, likely, has more money than
| you and I put together EVER will have unless one of us wins over 300
| million US dollars. In my book, this guy is devoting his time the best way
| possible. Learning what to do with computers to the extent where he can
| lock it down is actually financially irresponsible to him. He can PAY
| someone US$200 an hour to do that and per hour STILL come out in front by
| a LONG shot. What IS it with computer/I.T. professionals (or those who
| know as much even if not so employed) that they think just because THEY
| know how to do it, everyone SHOULD know? Not everyone is INTERESTED and
| not everyone thinks it

Greg,

I just wanted to break in here and suggest you reread Tobias' last few posts -- he's not arguing the position you seem to think he is. Actually, he's arguing almost completely polar to what you're attributing to him. Are you trolling?

If I understand him correctly, Tobias is simply suggesting that users ought not be held accountable for using faulty software. Using a debatable but reasonable definition of faulty software, as he does, it's really a fairly robust and straightforward argument.

take care,
Cael
Re: [Full-Disclosure] January 15 is Personal Firewall Day, help the cause
| i dont usually comment on this list because of my lack of knowledge but on
| this issue i feel qualified to comment since you are commenting on the gray
| haired non tech type which is what i am.i am 54 and a grandmother .
| ...
| br3n

My initial delight at learning a 54 year-old grandmother monitors FD quickly turned to horror after noticing the leet-speak.

Cael
Re: [Full-Disclosure] Removing ShKit Root Kit
| OK, so how does the attacker get the ADS to run? If you open
| something.txt in notepad, it doesn't launch the ADS 'trouble.exe' as
| an executable file. It's ignored.
|
| The easy answer is start a command prompt and type
|
|     start something.txt:trouble.exe
|
| it does not even have to be tagged .exe or .com or whatever. As an
| exercise, copy notepad.exe to calc.exe:notepad and then launch a command
| prompt and type start calc.exe:notepad You should be looking at
| notepad. I no longer have a handy M$ system to verify the steps on so if
| it does not work play with it for a few minutes.

Although Jason is exactly right about ADS' under NTFS as covert data storage (in theory, even if his examples don't quite work) it's all a bit off topic -- the server in question was a RH 8.0 box and besides, ADS' are trivial to find if you're looking for them and aren't likely to see much use in the wild.

All this discussion about particulars is beside the point -- the thrust of the matter is that attacker/defender roles have been reversed, leaving the good guy in an untenable position. Do you really think it's wise to bet you're smarter or more resourceful than a person who has (already) rooted the box once?

take care,
Cael
Re: [Full-Disclosure] 13 NASA Servers Hacked
| They also have mirrors of the hack. Apparently, the hacker(s)
| linked to a video of CNN showing american soldiers killing an
| iraqi and cheering.
|
| I analyzed that video frame by frame and it definitely doesn't
| show what the narrator describes.

Heh. If I pointed out to you a dog turd on the sidewalk and called it a cache of WMD, would you get down on your hands and knees with a pair of tweezers and a microscope, or just recognize it as bs?

Although I admire your thoroughness, I'm not sure this required such careful scrutiny. :)

Cheers,
Cael
Re: [Full-Disclosure] A funny (but real) story for XMAS
| Join www.osvdb.org to make a better non-corporated vulnerability
| database since CERT sucks !
|
| CERT sucks? Humm... In my UNIX Security college course, we're being
| told CERT is a great resource for security-related information. Can
| anybody else make a comment on this? Agree? Disagree?

Hi Chris,

Depends on which side of the fence you're on. CERT has been criticized in the past for being frugal with vulnerability information. They don't publish exploits, for one, which means k1ddi3z prefer FD. :)

I remember CERT taking some flack about their Vulnerability Catalog becoming available by subscription a few years ago. Here's an article:
http://linuxtoday.com/security/2001042600220SCLF

Oh, and here's a link to the fees:
http://www.isalliance.org/nam/index2.htm

It seems that this database is what the people at http://www.osvdb.org are up in arms over. Interesting idea, their database is a little barren at the moment though.

Additionally, one of CERT's security analysts was arrested for pedophilia-related crimes a few months ago. Folks who don't like CERT gloated for weeks.
http://www.pittsburghlive.com/x/tribune-review/news/s_160861.html

Realistically, CERT is a valuable resource, regardless.

C

PS: I have no interest in getting into a flamewar over CERT, disclosure, or pedophilia. Thanks in advance.
Re: [Full-Disclosure] cisco acl
| Unfortunately I do not know the new password! otherwise there wouldn't be
| a problem at all. and more unfortunately it is not my network and had
| nothing to do with the setup. or else i would have, as Mort pointed out, a
| tftp in place.

If you've got physical access to the device, reset the password according to the instructions vb alluded to offered by routergod.com:
http://www.routergod.com/psychic/

C
[Full-Disclosure] (Was: Re: Yahoo Instant Messenger YAUTO.DLL buffer overflow)
| Well, I also have the right to free speech; although murder is not a
| right...the website is not to be taken literally. Obviously if I wanted
| Bush literally killed, I would not have a website as such exposing my
| name/address. The person who posted my address to a public mailing list
| is, however, definitely in violation of my rights and this list's
| policies. Although, information should be free and I never support such
| restrictions to information in the public domain.

I'm torn. You see, I'm about as left as they come, and cringe at the very thought of youths wasting away in jail. My distaste for heavy-handed police action, however, is nothing compared to my desire for you to just shut the hell up. To speed up the process, maybe you should go outside, flag down a cop car and confess?

Jesus, you're like a weepy boil. Take it off list. Please.

Thanks for motivating me to test out firebird's mail filters, though.

Plonk!

Yours,
Cael
[Full-Disclosure] Cripes (Was Re: Yahoo Instant Messenger YAUTO.DLL buffer overflow)
| Well, I also have the right to free speech; although murder is not a
| right...the website is not to be taken literally. Obviously if I wanted
| Bush literally killed, I would not have a website as such exposing my
| name/address. The person who posted my address to a public mailing list
| is, however, definitely in violation of my rights and this list's
| policies. Although, information should be free and I never support such
| restrictions to information in the public domain.

I'm torn. You see, I'm about as left as they come, and cringe at the very thought of youths wasting away in jail. My distaste for heavy-handed police action, however, is nothing compared to my desire for you to just shut the hell up. To speed up the process, maybe you should go outside, flag down a cop car and confess?

Jesus, you're like a weepy boil. Take it off list. Please.

Thanks for motivating me to test out thunderbird's mail filters, though.

Yours,
Cael
Re: [Full-Disclosure] #hackphreak lecture series (2)
| The #hackphreak series of lectures are composed as variations upon one
| very simple theme -- the thesis that freedom of information is power.
| They develop a ground of knowledge within the field of hacking sh1t.
| This second lecture in the series is prepared by Mr. Nemster
| (mr_nemster[at]yahoo[dot]com) and deals with the advanced syntax of
| hardcore windows utilities such as ping, tracert, and msconfig. Be
| prepared for a look into the advanced tekneeqz of netstat.
|
| This lecture and previous #hackphreak lectures can be found at the
| following URL: http://www.geocities.com/haqphreak/lectures/

I for one look forward to the advanced lecture series detailing chmod and extended ascii characters in directory names.

C
Re: [Full-Disclosure] Comments on 5 IE vulnerabilities
Thor Larholm wrote:
| When I attended the NTBugtraq Retreat earlier this year, most of the
| attendees were surprised to hear that I am using Internet Explorer on
| a daily basis, particularly since I should know how vulnerable it can
| be at any given time. I surf with JavaScript and ActiveX enabled, see
| flash movies and play Java games, but despite this I am not vulnerable
| [0] to a single command execution vulnerability or system compromise
| through Internet Explorer.
|
| How, you might ask? Simple, I have locked down the My Computer
| security zone on my installations [1].

Hi Thor,

Don't you think perhaps that time used to take a bad browser and make it better is really time better spent elsewhere? It's like taking a pie out of the trash and picking off the coffee grounds and ashes instead of just baking another pie.

It's probably worthwhile to note for the peanut gallery that you've really only demonstrated a resistance to known exploits which depend on local security zones, and not any number of unknown exploits which (conceivably) do not. Not that you claimed otherwise, of course.

Don't get me wrong, I do think your efforts are valuable -- you effectively point out how IE can be hardened. Regardless, I'll personally continue to recommend an alternative browser.

Take care,
Cael
Re: [Full-Disclosure] automated vulnerability testing
| Wasn't there a slint tool or something like that?

Yup, Splint -- from 'Secure Programming Lint'. I provided a link to their site in a previous message.

C
Re: [Full-Disclosure] News from the future (OFF TOPIC)
| Between Microsoft, RIAA, software patents, and the DMCA... It looks like
| we might yet get to relive all the fun and excitement of McCarthyism and
| the Spanish Inquisition. I wonder if we'll get to burn people at the
| stake and have public stonings too?

Ask Maher Arar if he's real concerned about the infosec realm being the next arena of McCarthyism.

I'm just as critical of the DMCA and failures of the intellectual property concept as the next guy, but I don't think we'll be hearing about fourteen year-old VB scripters being called before the House Un-American Activities Committee any time soon. If you're worried about the erosion of freedom and democracy there's no need for hypothetical articles from 20X6.

C
Re: [Full-Disclosure] Red Hat Linux end-of-life update and transition planning
| Without giving too much away (eg breaking the NDA I've signed), almost
| all of the practical parts of the RHCE exam are command line based.

This isn't directed at RH (or John) but come on, NDAs? For tests? Please. I realize that quite a few orgs do exactly this, but that doesn't make it reasonable. I can't help but be annoyed by this steady creep of secrecy-through-paperwork, the contractual equivalent of rot13 + DMCA.

/incomprehensible ranting off

C
Re: [Full-Disclosure] Red Hat Linux end-of-life update and transition planning
| In my home town, this is equivalent to getting pulled over for following
| too closely, then arrested for sodomy.

Yeah Jon, you were following *way* too closely if a cop could mistake the two.

C
Re: [Full-Disclosure] Gates: 'You don't need perfect code' for good security
| like the locks for floppy drives, put in USB port lockers that keep folks
| from using such devices in the corp network if the policy forbids such.
|
| Got a URL so I can see one for sale? One that works on laptops, desktops
| and hubs?

Hey Gary,

You might want to take a look at this kit, it sounds like exactly what you need:
http://www.plumbingmart.com/repairkit.html

Cheers,
C
Re: [Full-Disclosure] Shortcut...... may cause 100% cpu use!!!
| THIS FORMAT C: /U VULNERABILTY JUST DOS'ED MY WHOLE HDD !! I HAD TO DO IT
| TWICE AND IT DOESNT WORK SOMETIMES ON ALL PC'S I AM REPORTING TO M$ AND
| THE FBI AND NASA

Folks, I think we have a new FD meme. Thanks, Lorenzo!

C
Re: [Full-Disclosure] when will IE exploits COME TO AN END...
| Internet explorer can't click and properly open long URL's! in the
| browser... http://www.geocities.com/visitbipin/index9.htm see... IT'S A
| URL but ... you can't click at the link!!!
|
| I don't see the point. How it is a security flaw? Or even a bug (is a
| browser supposed to support very long URLs anyway)? Yes, IE is probably
| the most outdated and the most buggy browser out there (ridiculous CSS
| bugs) but not every bug should be posted to full-disclosure.

New exploit just discovered: My toilet won't flush reliably when it rains! Both the vendor and major news outlets have been notified. Screen captures are available here!!!
http://www.geocities.com/visitbipin/

BIpin

PS: NASA might somehow be involved.
Re: [Full-Disclosure] when will IE exploits COME TO AN END...
| it's a off-topic! anyway... INDEED A BUG BUT i got lot of flamings ...
| while trying to explain one of my advisory to some 31337's. out here!
| http://www.blackcode.com/forums/viewtopic.php?t=10577
| ANYONE WILLING TO EXPLAIN THE STRANGE PHENOMENON! (o; why does the bug
| works on some PC and doesn't in other... I am just screwed up SEEING THIS
| STUPID BEHAVIOR!

Thanks for posting the link to that forum, Bipin -- there seems to be quite a lot of very useful information there! I'm especially interested in following this thread:
http://www.blackcode.com/forums/viewtopic.php?t=1704

    AMuller: need help with FTP passwd
    ok i am pretty sure i got the password file. whta i pulled out is this:

    root:*:0:0:::
    bin:*:1:1:::
    operator:*:11:0:::
    ftp:*:14:50:::
    nobody:*:99:99:::

    how do u decode this? and if u tell me a program name also please tell
    me HOW to use it.
    -Thanks
    P.S. I dont just want this decoded i wanna know how 2 do it

It's definitely a good idea to keep tabs on encryption-defeating technologies -- if someone is able to recover a root password from an /etc/passwd file like the above then we're *all* in serious trouble.

Cheers,
Cael
Re: Trojan author revealed (was: Re: [Full-Disclosure] ProFTPD-1.2.9rc2 remote root exploit)
Hi, Mitch -- welcome to the Internet! Here's a tool you might find helpful, it's called a 'Search Engine'! ;)

A quick google for a few bytes worth of shellcode returned a few pages of jinglebellz.c related discussion.
http://www.jikos.cz/jikos/dev/shcode.asm for example.

They're obviously in on it too. Between you and me Mitch, it's clearly a Communist plot to sap and impurify our bodily fluids.

C
Re: Trojan author revealed (was: Re: [Full-Disclosure] ProFTPD-1.2.9rc2 remote root exploit)
| Hrmm. Ok I'm no Sherlock Holmes but even I could see through this
| 'analysis'. This is obviously an elaborate attempt to soil the
| reputations of the fine people, dare I say heroes of information
| security, at GOBBLES security. Let's examine the case at hand:
|
| 1) Someone makes the effort of cutting up an existing public GOBBLES
| shellcode. An act that requires just as much effort as writing original
| opcode.
| 2) This cutup version is used in a 'trojan' even my grandmother would be
| able to spot. (Obscure in-exploit overflows are way more effective folks,
| ask HD I pioneered screensavers Moore).
| 3) Some random hero pops up on the list pointing out that 'hey, this is
| GOBBLES shellcode *WINK*'
|
| Now who, on God's green earth, would recognise shellcode from an obscure
| exploit that was published months ago. If they didn't have it fresh in
| memory? So I think it's rather obvious either zeroboy, or one of his
| friends is responsible for this trojan. And he has some sort of rancune
| towards GOBBLES. Either that or he has a serious hardon for memorising
| hex opcode buffers.

Hi, Mitch -- welcome to the Internet! Here's a tool you might find helpful, it's called a 'Search Engine'! ;)

A quick google for a few bytes worth of shellcode returned a few pages of jinglebellz.c related discussion.
http://www.jikos.cz/jikos/dev/shcode.asm for example.

C
Re: [Full-Disclosure] RE: Linux (in)security
| Linux in the hands of someone with no interest or regard for security is
| the same as Windows or any other OS in the hands of the same clueless
| individual. The main difference between the Linux and Unix variants (i.e.
| BSD, Solaris, HP-UX) is that they have already learned their lesson
| regarding buffer overflows and kernel hardening and allowed the user more
| control in securing their systems.
|
| This is repeated over and over again, but it is simply not entirely true.
| It may protect against script kiddies, but not against more sophisticated
| crackers. The following URL proves that:
| http://groups.google.com/groups?selm=20030525190037%2470c6%40gated-at.bofh.it
|
| Both persons in this conversation have a Linux box which:
| 1) Has the latest security patches installed and
| 2) Is only running the necessary services.
|
| In other words, boxes that have ``been made secure by their users''.

Hi Peter,

You're investing a significant amount of time into convincing us that linux boxes sitting on the internet (even when completely up to date and reasonably locked down) aren't 100% secure. Rest easy, each and every one of us knows this.

The point raised by others in this thread (which you seem to object to, although you haven't really responded to) is that linux (operated by a knowledgeable user) is 'stronger' than a similar Microsoft box. This, you should have realized immediately, is one of those my-dad-can-beat-up-your-dad type arguments which really don't deserve a response.

Cheers,
Cael
Re: [Full-Disclosure] JAP Wins Court Victory
| Privacy is an important adjunct to security, IMHO. Perhaps the JAP folks
| did not handle their police issues as well as they should have. However
| let us not abandon them or the project yet, unless we can find more
| compelling and better solutions to the problem of the powers that be
| improperly intruding onto the use of the online community.
|
| Terrorists would not make bombs if they were satisfied with their
| condition. I suspect that JAP and other privacy services would not have
| been widely deployed if there were not the threat of snooping and privacy
| invasion. I vote that we stay focused on the problem, and not bash the
| solution (well not *too* much at least).

You're right, of course -- but I can't help but feel that a weak or untrustworthy anonymizer/encryption algo is worse than none at all. I didn't mean to rag on the JAP guys, they were put in a very awkward position and I don't know how well I'd have done in their place. All personal issues aside though, a tool in this industry which can't be trusted is worthless.

C
Re: [Full-Disclosure] JAP Wins Court Victory
| The JAP folks have won a major court victory. See their site.
| http://anon.inf.tu-dresden.de/index_en.html
|
| Since you ran all the negative side of their backdoor activity, how about
| running the new positive outlook - anonymity has a bright future and JAP
| is cool. And the German courts are not all bad. Ever considered that the
| spooks would not have needed a court order if they knew how to crack JAP?
| It's solid code. Do your due diligence and follow up on the negative
| headlines with the good news now.

Tarapia,

This doesn't change how the JAP folks behaved -- the correct course of action would have been for them to have notified their users of the request to backdoor JAP immediately. I fear the JAP people have lost a fair amount of credibility and it'll take more than a "JAP is okay again! Trust us!" before they regain the world's trust. Please let's not rehash the backdoor issue.

As for the idea that the existence of a court order somehow proves the robustness of a certain piece of code, well, that's just silly. Cops aren't software developers, they're cops. Court orders are their tools of choice, not disassemblers.

Cael
Re: [Full-Disclosure] IRC DCC Exploit
Ferdinand:

> 5) And in which language people were made ? It is written in C i know it.

/me shakes his head

Only an FD geek would have the guts to suggest that C is the language of love. What about Italian? French? Cripes, I'd suggest lisp is more romantic than C/C++.

C
Re: [Full-Disclosure] Re: Gaim festival plugin exploit
> DUH... would help if I attached my attachment. I am right proud of myself for this, and it also needs mention to address the security issue that our friend Error (is that a reference to Zelda 2?) raised. Attached, find the latest reissue of the Gaim festival plugin. The guy that wrote it, wrote it for pre-0.68 Perl API, but it was secure against the sort of attack that Error described. I have since taken it and recoded it to work with post-0.68 versions of Gaim. It is attached. By all means, if you see an exploitable bug in there, let me know! I'm just a perl-tot..

Hi Brian,

This updated version is still vulnerable. You should be *very* wary of any call to system() or fork(). Consider this input:

    This is only a test rm -rf /

Notice that ';' isn't the only way to inject into a commandline.

Cheers,
Cael
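To make the system()/fork() point concrete from the defender's side, here is an added Python example that is not part of the Gaim plugin or of either post. Python's subprocess stands in for Perl's system() because the failure mode is identical: a command built as a string and handed to a shell is rewritten by any metacharacter in the input, while an argument list is not. The input string and the harmless `; echo INJECTED` fragment are constructed for the demonstration, and `echo` stands in for the speech command the plugin would actually run.

```python
import shlex
import subprocess

# Constructed sample input: text a user might type into a speech plugin,
# followed by a shell metacharacter sequence. 'echo INJECTED' stands in
# for whatever command an attacker would append.
SAMPLE_INPUT = "This is only a test; echo INJECTED"

# Characters a POSIX shell treats specially; ';' is only one of them.
SHELL_METACHARS = set(";|&`$()<>\n")


def speak_unsafe(text):
    """Vulnerable pattern: the text is interpolated into a shell command
    string (the equivalent of Perl's system("cmd $text")). Any shell
    metacharacter in `text` changes what gets run. Returns the lines the
    shell actually produced."""
    result = subprocess.run(
        "echo %s" % text,
        shell=True,
        capture_output=True,
        text=True,
    )
    return result.stdout.splitlines()


def speak_safe(text):
    """Hardened pattern: argument-list form, no shell involved (the
    equivalent of Perl's system("cmd", $text)). The whole text reaches the
    program as one argv element, metacharacters and all. Returns the lines
    the program produced."""
    result = subprocess.run(
        ["echo", text],
        capture_output=True,
        text=True,
    )
    return result.stdout.splitlines()


def contains_shell_metachars(text):
    """Detection helper: true if the text carries any character a POSIX
    shell treats specially. Useful for logging or rejecting input, but not
    a substitute for the list-form call above."""
    return any(ch in SHELL_METACHARS for ch in text)


def shell_quoted(text):
    """Last-resort mitigation when a shell string is unavoidable: quote the
    argument so the shell sees it as a single word."""
    return "echo %s" % shlex.quote(text)


if __name__ == "__main__":
    print("unsafe: ", speak_unsafe(SAMPLE_INPUT))
    print("safe:   ", speak_safe(SAMPLE_INPUT))
    print("flagged:", contains_shell_metachars(SAMPLE_INPUT))
    print("quoted: ", shell_quoted(SAMPLE_INPUT))
```

The unsafe call produces two output lines (the second from the injected command); the list-form call produces one line containing the whole input verbatim. The same split applies in Perl: pass system() a list, not a string.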
Re: [Full-Disclosure] New Microsoft security bulletins today
> > This tool is not bad for some *basic* monitoring: http://www.pdxconsulting.com/sus/ /paranoia mode off Grab your SUS log files and parse them through that web site... /paranoia mode returned to normal

> That's what I've been using. It works well to see that all seems to be working as expected. I was going to set up another tool that sends the log data in to a SQL server so you can have all the data in one place and work with it. (I have 2 SUS boxes so 2 sets of logs.) Try this: http://www.susserver.com/Software/SUSreporting/

I'm dissatisfied with both. With the first one, you're sending your logs out for remote processing -- that's just silly. The second requires all sorts of fiddling around with sql / iis which doesn't seem like it's worth the effort. I've been meaning to throw together something more streamlined (and with fewer prereqs) for a while now -- I guess it's time.

C
Re: [Full-Disclosure] New Microsoft security bulletins today
> Yes, I got the same. Some things I found though: It's complaining about basesrv, a dynamically linked library. I rebooted into Linux and ran some finds and found 3 files:
>
>     WINNT/$NtUninstallKB824141$/basesrv.dll
>     WINNT/ServicePackFiles/i386/basesrv.dll
>     WINNT/system32/dllcache/BASESRV.DLL
>
> the one in system32/dllcache is dated Aug 5, the other two are dated June 19th. As soon as I finish backing up a couple critical files I'm going to use the recovery console to copy the $NTUninstall version back to system32/dllcache and see if that helps.

Hi Robert,

Can you narrow down which of the 15 (!) newly-released updates might be responsible? Which OS?

take care,
Cael
Re: [Full-Disclosure] SPAM, credit card numbers, what would you do?
> And as you can probably guess, orders.txt contains -- ORDERS. Names, addresses, phone numbers, and CREDIT CARD NUMBERS. Dozens of them. So I got to thinking... what should I do here?

My suggestion? Speak with a lawyer.

A number of 'hackers' recently in the news did their 'hacking' via web browsers -- just like you. It could likely be successfully argued by a prosecutor that you intentionally stole this credit card data. Yes, I know it was via a clickable link and the site was ridiculously unsecured, but that probably wouldn't make a difference to a court.

Anyhow, take care and good luck.

Cael
Re: [Full-Disclosure] SPAM, credit card numbers, what would you do?
> > A number of 'hackers' recently in the news did their 'hacking' via web browsers -- just like you. It could likely be successfully argued by a prosecutor that you intentionally stole this credit card data. Yes, I know it was via a clickable link and the site was ridiculously unsecured, but that probably wouldn't make a difference to a court.

> How is 'hacking' defined where you are? In Australia (at least in NSW), and some other places, an access control mechanism of some description has to be circumvented for it to be an offence.

In Canada, anyone who fraudulently and without colour of right obtains, directly or indirectly, any computer service is guilty of Unauthorized Use of a Computer -- note 'computer service' includes computer service 'data processing and the storage or retrieval of data'. It definitely wouldn't be a stretch to say that accessing a server-held record of previous orders was without colour of right. Additionally, any number of fraud / mischief offences may be applied to computer-related charges. I believe the US laws are similar.

Cheers,
Cael

---
See PART IX: OFFENCES AGAINST RIGHTS OF PROPERTY -- 342.1: Unauthorized Use of Computer
Re: [Full-Disclosure] something evil in your email
Michael 'Moose' Dinn wrote:

> Folks might want to be on alert for this:

Same old, same old. At this point I would expect any halfway-intelligent user to be suspicious of this sort of e-mail -- wake me up when the con does something novel.

Cael
Re: [Full-Disclosure] Re: Do you really think CDs will be protected in future?
Alan said:

> The whole question really comes down to this: warranty of merchantability definition - a warranty of merchantability simply guarantees that goods sold are fit for the ordinary purpose for which the goods were sold... This is a general rule of fairness that what looks like a carton of milk in the supermarket dairy case really is drinkable milk and not sour or unusable.

Damn it. There goes my business plan of selling Golden Poison Frogs in a container indistinguishable from a bag of Oreos.

I think the real problem lies with the concept of hand-me-down Acceptable Use Policies / Licence Agreements -- that a party completely removed from a retail environment might be able to dictate conditions of a sale (and in some cases, resale!) Although I'll readily admit that some restrictions may be reasonable, they shouldn't be entirely up to the supplier/manufacturer.

C
Re: [Full-Disclosure] SunnComm to sue 'Shift key' student for $10m
> Okay... So according to the law it's illegal to remove the program if later you decide to not agree to the EULA? (Which I'm sure it says that the terms can be changed at any time within it) That sure doesn't seem kosher to me... I feel that you should be able to remove/disable whatever on your computer. According to this logic... Using Ad-Aware is illegal because it removes spyware from your system without their non-existent uninstall interface! Oh, and you're also not allowed to know what the file/driver name of the program that they've installed is either? Nice!

Hi Poof,

Odds are the copy-protection-related drivers can be removed via Windows' Add/Remove Programs control panel applet -- rendering your 'protected' media a de facto coaster until you accept the EULA a second time.

C
Re: [Full-Disclosure] Signed e-mail vs. turning off HTML mail under XP
> Alas, the Continue button was just text, just as the tick box to not show me this help screen again was not there. This means I'll have to re-enable HTML mail, and wait for the next signed mail to arrive to turn it off. I wonder what will happen to messages that have been tampered with when I have turned off HTML mail? I will probably get a warning, but will not be able to go beyond that, since it is in ASCII and that does not (AFAIK) support nice buttons. So in order to enable signed mail, I will have to enable HTML in my mail

Good evening Yossarian,

I'm sorry, do I understand correctly when you say that the mechanism for verifying / managing signed e-mail seemed to be included within the e-mail itself -- in html, no less? Although I'm unfamiliar with certificate-based digitally-signed e-mail (I'm a pgp/gpg kind of guy) I can't help but be very suspicious.

Also, you mentioned that the machine will be used for business purposes and (directly?) connected to the internet. Might I recommend against using OE for e-mail? Mozilla Thunderbird is what I recommend for Microsoft folks.

take care,
Cael
Re: [Full-Disclosure] Local DoS in windows.
Steve Wray wrote:

> How long do you have to hold the mouse button down for? I see no effect after about 30 seconds then I got bored... Tried in outlook and wordpad. In fact the 'ambient' CPU usage actually appeared to flatten out. Seems to me that users of FD and bugtraq have just been social engineered into wasting a couple man-hours 'testing' for this XP bug.

Not quite Scaggs-worthy, granted, but it did manage to tie up Steve for half a minute. :)

Cael
Re: [Full-Disclosure] Is the record industry turning to Trojan horse programs to copy-protect CDs?
> If permanent installation of this driver was included in the EULA, then this is not a trojan horse. Since I don't have a copy of the license agreement handy, I couldn't say whether it's in there or not...but IMHO, too many people ignore the fact that they are allowing themselves to be legally bound to such agreements without even reading them, and many newer EULAs even include an auditing clause giving the manufacturer the right to visit your facility and audit your systems. One of these days the RIAA might try and install monitoring software under such an agreement, and people who blindly agree to EULAs will be the ones nabbed by the RIAA.

I'm anxiously awaiting the attempted enforcement of a blatantly ridiculous EULA -- something so preposterous that it can't help but make the news.

C
Re: [Full-Disclosure] Do you really think CDs will be protected in future?
> What the RIAA are afraid of is *digital* copies where each copy is as good if not better than the original.

Hi Dave,

A digital copy *better* than the original? Oh, wait, I get it!

    # aplay britney_spears.wav | swedishchefify | arecord -mw new.wav

Cael
Re: [Full-Disclosure] Re: Do you really think CDs will be protected in future?
> Agreed, for the most part. As I work for a retailer, however, I know that what consumers think is irrelevant to the record folks. The retailer I work for has an agreement with its suppliers such that once a customer opens a CD (or DVD, VHS tape, software package, etc) they cannot return it, unless the media is defective, in which case they get another copy of the same product only. So if your newly purchased CD is copy protected and won't play in your CD player, you're stuck with it anyway, unless you want to get another copy of the same useless disc.

Hi Phillip,

Very good points. As I am occasionally a consumer, however, I understand that consumers quite often have little respect for retailer/supplier agreements -- specifically, if an item doesn't work, it should be replaced with another /which does/. If my newly purchased album and its subsequent replacement both failed to play in my cd player I would be fairly adamant about receiving a refund, regardless of any existing agreements between retailer and supplier. I would expect any reasonable business bureau would agree, no?

Take care,
Cael
Re: [Full-Disclosure] Shift key breaks CD copy locks
Edward W. Ray wrote:

> http://news.com.com/2100-1025-5087875.html I'm so relieved. Now I can start buying CDs again

You're *relieved*? My keyboard is a bloody Copy Protection Circumvention Device -- now what the hell am I supposed to do?

http://www.eff.org/IP/DMCA/

C
Re: [Full-Disclosure] Electronic Crimes Act 2003 of Pakistan
Cutthroat Truth wrote:

> Look at your neighbor country, what lammer. It sounds like the author does not know anything about Computer Crimes IT IS SO FUNNY at such low profile countries with substandard authorities with a dictator and laughable democracy hahahahaha http://www.tremu.gov.pk/tremu1/workingroups/pdf/Proposed%20E-Crimes%20Act.pdf

Brr. I need a sweater, it's getting kind of stupid around here.

C
Re: [Full-Disclosure] Bush Bashing (use to be Has Verisign time arrived ?)
> I could go on and on, but this has already turned out to be longer than I expected. But we should all be grateful for the actions this administration is taking to make sure we are safer in our homes, despite the bashings of liberals like you. God Bless the USA, and yes, the President too

I like you Dark Avenger, you're funny.

C

PS: Please don't liberate me.
Re: [Full-Disclosure] Google FILTERS searches for possible DMCA infringable content!!!
> > The fact that they have at least two former NSA personnel in the ranks of senior technical management should be all the tip-off that anyone would need.

> Are you kidding? Former NSA tech folks are a dime a dozen. I work with half a dozen of them at FedEx.

Psst: It would've been funnier if you had said McDonald's but still, nice riff! ;)

.c
Re: [Full-Disclosure] EartStation 5 P2P application contains malicious code
> Conclusion -- The people behind ES5 have intentionally added malicious code to ES5. If you have followed the ES5 discussions on message boards and read what the ES5 people have said and done (eg. DoS attacking BitTorrent sites), this comes as no surprise. The question then is why did they do it? I'm sure they won't tell us, but here's a theory: They could be working for the RIAA, MPAA, or a similar organization. Once they have enough users on their ES5 network, they would start deleting all copyrighted files they own which their users are sharing. The users wouldn't know what hit them.

Hi nut,

Excellent job finding and documenting this feature. As for the developers' motivations, though, I don't think it's necessary to point at collusion with the RIAA/MPAA. In all honesty, I'm surprised we haven't seen *more* backdoors of this type in various popular closed-source, network-aware apps. I don't condone it, but I understand the mentality: Our network, our rules. Really, all it takes is one rogue developer, coupled with insufficient code review.

What does surprise me is that you report only delete functionality and not read/write. If I was going to the trouble to implement naughty features into an app like ES5, that'd be my priority.

All this does is reinforce the value of independent code auditing (insert various pro-open-source comments here).

take care,
C
Re: [Full-Disclosure] CyberInsecurity: The cost of Monopoly
> Yeah you know, that has always been my theory as to why, in Star Trek (and others), the control panels on starship bridges sometimes explode with sparks and smoke for no better reason than that some component on the outer hull got shot up by the Klingons (or whoever); it's an important feedback mechanism ensuring that the operator knows that something is very seriously wrong. Now if only desktop PCs had such a system...

Hi Steve,

You know, now that you mention it that makes perfect sense. Although, keep in mind we're talking about MS machines here -- these machines will need to be capable of emitting a shower of sparks and smoke virtually non-stop. Hmm. Actually, I think it might be fun to construct a spring-loaded BANG! type flag, triggered every time Dr. Watson or the current equivalent is executed.

take care,
C
Re: [Full-Disclosure] CyberInsecurity: The cost of Monopoly
> Oh come on. We don't expect our mechanics to brake and steer for us, fer cryin' out loud. We're not talking about *maintaining* the computer. We're talking about *operating* it. Things like passwords, awareness of attachment dangers, the need for routine patching (think oil changes) and up to date antivirus software (think gas). The car mechanic takes care of repairs and maintenance, yes, but the driver is the one who has to bring the car in. That means they have to be *aware* that maintenance is required. They have to realize that if they don't change the oil every 3000 miles they will have long term problems.

I believe I can safely say that easily 75% of my users would recognize that their computer needed attention if it started billowing huge noxious clouds of black smoke. Okay, 50% at a minimum.

As an aside, I loved this quote:

> We counted the number of application and operating systems failures and found that Windows XP Professional ran over 30 times as long without encountering problems as those systems running Windows 98 SE.

http://microsoft.com/windowsxp/pro/evaluation/whyupgrade/reliability.asp

Err, congratulations?

C
Re: [Full-Disclosure] RE: Probable new MS DCOM RPC worm for Windows
> would it have been possible to actually replace these files manually and the PC therefore be patched so to speak?

I assume so, provided you're resourceful enough to circumvent any file-is-currently-in-use type errors. It'll probably not be noticed by a Windows Update type tool though, and be patched again in the future.

Cael
Re: [Full-Disclosure] Wow! How Times are a Changing.
> Certification The Certified Ethical Hacker certification exam 312-50 applies to this class. Students need to pass the online Prometric exam to receive CEH certification.

Beautiful! Okay, seriously, who in *any* IT-related field wouldn't crack up seeing something like that on a CV? Incidentally, I wonder if 'Ethical Hacker' has been trademarked a la MCSE? That'd be rich.

C
Re: [Full-Disclosure] RE: Probable new MS DCOM RPC worm for Windows
Schmehl, Paul L wrote:

> Oh, things like, you don't have sufficient access rights to check file properties. I know in the ideal world that every machine logs in to the domain and every machine has Domain Admins in the Local Administrator group and every machine has the SMS agent (or some similar agent) and reports all its properties back to a management console and every machine can be controlled remotely, etc., etc., etc., yada, yada, yada. I just don't know where that ideal world is.

Hi Paul,

Personally, I'm of the opinion that if a person doesn't have admin privs on a machine, they shouldn't be expected to *cough* /administrate/ it. I realize that in a school environment it's not that simple (you can't really stand by while the worm du jour has its way with your campus network) but really, the student subnets are virtually guaranteed to be a wasteland of Mad Max-like proportions no matter what you do, no? Isn't your only real weapon a set of very enthusiastic edge filters?

Cael
Re: [Full-Disclosure] SAM Switch - Win2k/XP password-less login
> > I found that SAM file could be replaced just like PWL files in Win9x. I posted the following to Bugtraq, but in spite of posting twice it never appeared in the list... (possibly moderated) Folks, go ahead and change the boot options in your BIOS ASAP.

> I guess this fallacy will never go away. Changing the boot options in your BIOS will actually do exactly nothing. Anyone with a modicum of computer knowledge and physical access to your box can change them back at will. Trusting the BIOS to protect you against attack is foolhardy. Its password protection is worthless. Many BIOSes have backdoor passwords in case of emergency, and all BIOSes can be easily reset to default passwordless configuration.

We've always known that once an attacker has physical access to a machine it's vulnerable to a host of low-tech attacks... That doesn't mean that we collectively throw our hands up in the air and leave the root password on a note next to the keyboard. In reality, all our efforts to prevent local attacks are little more than an inconvenience, placed into effect in order to repel casual snoops and the least persistent attackers.

Don't want users to have admin-level privs? Develop an appropriate security policy and implement it. Don't want them to circumvent your policy? Implement safeguards. Don't want them to side-step your safeguards? Well, how many levels deep are you prepared to go? In all but the most security-conscious orgs I think the consensus is that if the attacker is prepared to crack open a case, they're going to get root. I know that my network's security just isn't worth epoxying cases shut. :)

Cheers,
Cael
Re: [Full-Disclosure] BugTraq Speed
> As probably many of you, I am subscribed to both BugTraq and this list. The past few (3?) weeks I think I notice a slow-down on BugTraq. Posts very often appear on BugTraq *hours* after they appear on this list.

Incidentally, FD isn't especially raising the bar when it comes to speedily bouncing posts -- how am I supposed to brag about my 0day xpliots when they spend upwards of 45 minutes in transit? Grr.

C
Re: [Full-Disclosure] p63: Call for Articles!
> > Phrack Magazine, the ONE AND ONLY REAL AND ACTIVE HACKER MAGAZINE is sending out a call for articles for p63!!!

> Guess you never heard of http://www.2600.org ? Last I checked Eric / Emmanuel was still in business. I'm all for a good hacker mag, but keep things honest at least in your claims. When you are as accurate as you can be, then people will believe what you say. Don't hurt your cause with phrases like the above.

Hey John,

They are being completely honest and accurate -- provided you accept their definitions of 'hacker', 'fake', and 'hoax'. That said, p62 was pretty entertaining.

Cael
Please don't feed the troll (was: Re: [Full-Disclosure] Is Marty Lying?)
> The code audit that you guys did to make sure nothing was backdoored was quite thorough too, considering since then remote bugs in Snort have been published. If you can't even spot the vulnerable code you introduce into your source tree by accident, how can you definitively argue that no one else snuck in subtle bugs that you also didn't catch? I'm sure it would have been extraordinarily difficult to run 'diff' on the codebase before the intrusion and the one after, to see if any of the changes weren't accounted for.

For you, yes.

We all know how snot feels about IDS', and all agree he's absolutely, undeniably, wrong -- let's not waste any more bandwidth on it, shall we?

take care,
Cael
Re: [Full-Disclosure] Web counter in the new Swen/Gibe.F worm
> I was tracking the number of infected computers, but around 4:30am Pacific the counter was replaced with a GIF image reading: WARNING: Your computer may be infected by W32/[EMAIL PROTECTED] worm. It's no joke. See mcaffee.com for info. The last good number I have for the hit count was 1,576,803 at 4:30am. It's a shame the counter was replaced, this gave us a good idea of how many hosts were infected and could reveal real numbers of the rate of infection - I'm still receiving these emails, over 100 overnight. Maybe the admins of vutbr.cz would open their web logs to give us more accurate information about the point of origin and rate of spread. If anyone wants the numbers I collected (I have data from the 18th at 13:56 through 4:30am today) I'd be happy to provide them.

Correction -- it *would've* been valuable, if the url hadn't been publicized. As it is, the only useful information would have to come from the vutbr.cz web logs. Without stripping out all the polluting GETs from web browsers the data is meaningless... Thankfully we've got user agents to filter by.

Incidentally, it might be valuable to carefully scrutinize those web logs -- there's an excellent chance that the first non-worm-originated hit of that web counter came from the worm's creator.

Cael
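The log-filtering idea above, worked through as an added Python example that is not part of the thread and not anyone's actual analysis of the vutbr.cz logs. The Apache combined-format log lines, the hosts and the worm's User-Agent string (WORM_AGENT) are all constructed, since the thread gives none of them, and `/counter.gif` is an assumed path for the counter image. The code separates worm-originated hits from browser pollution by User-Agent, estimates distinct infected hosts, and picks out the earliest non-worm hit, which is the entry Cael suggests scrutinizing.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample of Apache "combined" log lines standing in for the
# counter's web logs. Hosts, times, referers and the worm's User-Agent
# are all made up for this example.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Sep/2003:13:56:02 +0000] "GET /counter.gif HTTP/1.1" 200 43 "-" "SwenCounterBot/1.0 (constructed)"
192.0.2.11 - - [18/Sep/2003:13:56:09 +0000] "GET /counter.gif HTTP/1.1" 200 43 "-" "SwenCounterBot/1.0 (constructed)"
198.51.100.7 - - [18/Sep/2003:14:02:41 +0000] "GET /counter.gif HTTP/1.1" 200 43 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.12 - - [18/Sep/2003:14:03:15 +0000] "GET /counter.gif HTTP/1.1" 200 43 "-" "SwenCounterBot/1.0 (constructed)"
203.0.113.5 - - [19/Sep/2003:04:20:00 +0000] "GET /counter.gif HTTP/1.1" 200 43 "http://lists.netsys.com/" "Mozilla/5.0 (X11; Linux i686; rv:1.4)"
203.0.113.6 - - [19/Sep/2003:04:21:30 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0 (X11; Linux i686; rv:1.4)"
"""

# The worm's real User-Agent is not given in the thread; this constructed
# placeholder is the one the sample lines above carry.
WORM_AGENT = "SwenCounterBot/1.0 (constructed)"
# Assumed path of the counter image.
COUNTER_PATH = "/counter.gif"

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["time"] = datetime.strptime(e["time"], "%d/%b/%Y:%H:%M:%S %z")
        entries.append(e)
    return entries


def counter_hits(entries):
    """Only requests for the counter image count; favicons and the like are noise."""
    return [e for e in entries if e["path"] == COUNTER_PATH]


def split_by_agent(entries, worm_agent=WORM_AGENT):
    """Separate worm-originated hits from everything else by User-Agent."""
    worm = [e for e in entries if e["agent"] == worm_agent]
    other = [e for e in entries if e["agent"] != worm_agent]
    return worm, other


def first_non_worm_hit(entries, worm_agent=WORM_AGENT):
    """Earliest counter hit not carrying the worm's User-Agent, or None.
    Ordering by the logged timestamp rather than file position keeps the
    answer right across rotated or concatenated logs."""
    _, other = split_by_agent(counter_hits(entries), worm_agent)
    return min(other, key=lambda e: e["time"], default=None)


def infection_estimate(entries, worm_agent=WORM_AGENT):
    """Worm hit count, distinct worm hosts, and how much browser pollution was removed."""
    hits = counter_hits(entries)
    worm, other = split_by_agent(hits, worm_agent)
    return {
        "worm_hits": len(worm),
        "distinct_worm_hosts": len({e["host"] for e in worm}),
        "browser_hits_discarded": len(other),
        "agents_seen": Counter(e["agent"] for e in hits),
    }


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print(infection_estimate(parsed))
    print(first_non_worm_hit(parsed))
```

Matching on an exact User-Agent is deliberately strict: a worm that spoofs a common browser string would need a second discriminator (referer, request timing, the absence of follow-up requests for page assets), which is exactly why a raw hit counter overstates infections once the URL is public.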
Re: [Full-Disclosure] Re: new openssh exploit in the wild! *isFAKE AS SH@!*
> Why bother? If you were stupid enough to run that obvious piece of crap, changing your password is the least of your worries. (In fact, if you run *anything* that's posted here without first checking it out thoroughly or if you don't understand code at all, you might as well run up the white flag right now.)

What? I've been dutifully following every link and executing every binary that's hit Full-Disclosure! How else are we supposed to ensure our machines are secure?

Wait, hold on, I have to go click on a monkey.

Cael
Re: [Full-Disclosure] Lun_mountd.c vs mounty.c
> It astounds me that so many people on this list (well, two) use the full disclosure ethic as an excuse to oblige programmers to give up our privacy rights and divulge all their code to a group of strangers. Can you *seriously* not see the problem with someone taking credit for someone else's work? That is just exquisite bullshit, regardless of the nature of the code itself, or with whom it was initially shared. Tobias was right on the money to take issue with this, and some of you need to back off and let talented hackers claim a little due credit and take pride in their work once in a while.

Hi Person/Devon/[t],

Personal pride and quality of work is important, I'll give you that. Also, I am intimately aware of how unpleasant it can be to have someone else take credit for one's work. Now, do I feel a whole lot of pity when I see a script kiddie take credit for someone else's exploit? Nope.

Consider this analogy: A graffiti artist spends long hours labouring over a wall mural, only to come back the next day and see some seven year-old surrounded by his friends, proudly taking credit for it. Know what? The world at large doesn't give a shit. I don't give a shit. The end result is still the same either way, one more eyesore in a jungle of eyesores. Realistically, it was only a matter of time before that wall was tagged. The only folks who care about graffiti art is graffiti artists -- like any community.

Mr. Brown was exactly right, if a tad terse: If an exploit writer wants privacy, they should not release the code (or release it anonymously). If an exploit writer wants fame and fortune, they should release it publicly under their real name with much fanfare -- Either of these choices quite efficiently prevent some kiddie from taking credit for their work. There's really no in-between to speak of, not one with much value to society. The other alternative -- a limited release amongst friends or colleagues -- is really nothing more than self aggrandizement. Understandable, maybe, but not very valuable... All it does is add one more tool to the script kiddie cookbook -- and set up the original author for plagiarism.

Cordially,
Cael
Re: [Full-Disclosure] IE Object Type Validation Vulnerability Exploit
> http://morningwood.ethicsdesign.com/fucked4test.html id that... who cares if it's a trojan, you surely didn't think it was benign??? i didn't click it knowing it was a object tag exploit.. or try a HEAD on the link first.. or even nc -vv someurl.isp/link.html

*sigh*

If I didn't know better I might think you presented that link maliciously.

As for your criticism, I believe you misunderstood. I wasn't warning folks the script was malicious. For anyone interested, I simply *identified* the executable which was MakeVBSed into the .vbs file Andreas posted to the list. Symantec calls it 'Download.Trojan'. Here's that link again: http://www.symantec.com/avcenter/venc/data/download.trojan.html

If you're unfamiliar with MakeVBS, you can learn more here: http://rattlesnake.at.box.sk/newsread.php?newsid=7

Cheers,
Cael

---
- Original Message -
From: Cael Abal [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, September 16, 2003 7:03 PM
Subject: Re: [Full-Disclosure] IE Object Type Validation Vulnerability Exploit

> Decrypted (undo VBS.Encode) it is the following: Andreas

Hi Andreas,

The 'x.exe' created by this script is reported by Symantec as 'Download.Trojan': http://www.symantec.com/avcenter/venc/data/download.trojan.html

Cael
Re: [Full-Disclosure] VBScript/JScript.Encode Decoder
> i ( we ) ( illmob.org ) released the first windows compiled rpc-dcom exploit into the wild weeks before msblaster used the basic version of this, and we live in the US. since when did releasing non propagating code constitute a crime??? morning_wood

I'm not a lawyer but as far as I know tools which can be used for Circumvention of Copyright Protection Systems are expressly forbidden by the US Digital Millennium Copyright Act. It could be argued that Andreas' VBS decrypt tool released Tuesday is one of these.

I wasn't commenting on the legality of exploits, just Andreas' VBScript / JScript.Encode Decoder tool. My comment was really only me poking a bit of fun at US laws -- that of all the ethically-dubious information which come through Full-Disclosure, something so innocent as Andreas' pascal code might actually be illegal. Remember Sklyarov?

take care,
Cael

- Original Message -
From: Cael Abal [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, September 16, 2003 8:25 PM
Subject: Re: [Full-Disclosure] VBScript/JScript.Encode Decoder

> VBS_DEC.PAS - program vbs_dec; { Decrypts encrypted VBScript and JScript programs } { Copyright (c) 09/2003 Andreas Marx / http://www.av-test.org }

Greetings Andreas,

I hope you aren't intending to visit the US any time soon -- you've just released into the wild a tool which can be used for Circumvention of Copyright Protection Systems. Yay, DMCA! (Thanks, by the way.)

Cael
Re: [Full-Disclosure] new ssh exploit?
> SSH over VPN ? would this be more secure or Telnet ( no i dont use this ) over VPN

Good morning Aditya,

Although I can't find any sources other than this at the moment, it's commonly understood that a significant amount of malicious behaviour originates within an organization's internal network -- that is, your users are the bad guys. The article referenced below says 35%, but I have no idea where they got that number.

http://lists.insecure.org/lists/isn/2000/Jan/0011.html

That being the case, consider that VPNs only protect you across the public (untrusted) network. Once you hit your internal (untrusted) network, telnet sessions would be in the clear.

take care,
Cael
Re: [Full-Disclosure] Lun_mountd.c vs mounty.c
> A few minutes ago I was browsing Packetstorm and I can't believe my eyes: someone has changed half the header of my code and disclosed it to Packetstorm. I can't understand why people do that; are they not able to get their own skills? I have invested many hours to write this code and it should never have been released, but some sucker leaked it and some other guy changed half the header and disclosed it. Attached is the ORIGINAL EXPLOIT code I wrote months ago.

/me blinks

That's so unethical of them!!!

Unfortunately, we have only your word as proof that you were the first to exploit the xlog off-by-one. Next time, be the first one to publicly release your exploit to Full-Disclosure; that way you'll be sure to get credit!

Good luck!
Cael
Re: [Full-Disclosure] Who else is Omniture doing snooping for?
Here's how Omniture describes themselves:

http://www.omniture.com/company.html

"Imagine a device that could be placed by the front door of a department store to tell the store manager all kinds of detailed information about customers - what store they came from, who they were referred by, if they have been to the store previously, what advertisement they were responding to and much more," says CEO Josh James. "Imagine how useful this kind of information is to a store manager or marketing agent. That is the kind of information SiteCatalyst can provide, instantaneously, in real-time."

Okay, that's just creepy.

Anyone who is upset by this sort of thing should enthusiastically consider disabling JavaScript. Alternatively, many browsers can also be configured to not download third-party images ('Load images for the originating web site only').

I took a quick look at the code. I love the source address for the offending web bug:

https://102.112.2o7.net/

Sneaky, huh?

Cael
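The third-party check the post suggests ('Load images for the originating web site only') can be run statically over a page's HTML; the following is an added example, not code from the thread or from Omniture. It lists every <img> or <script> whose registrable site differs from the visited page's own and flags 1x1 images as likely tracking pixels. The sample page, the example.com page URL and the beacon paths are constructed; the 2o7.net host is the one quoted above.

```python
"""Static check for third-party images and scripts (web bugs) in an HTML page."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ResourceCollector(HTMLParser):
    """Collects the src attribute of every <img> and <script> tag."""

    def __init__(self):
        super().__init__()
        self.resources = []  # list of (tag, src, attrs)

    def handle_starttag(self, tag, attrs):
        if tag in ("img", "script"):
            a = dict(attrs)
            if a.get("src"):
                self.resources.append((tag, a["src"], a))


def registrable_site(host):
    """Crude eTLD+1: last two labels (no public-suffix list, so co.uk-style suffixes are not handled)."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def find_third_party(page_url, html):
    """Return <img>/<script> resources served from a site other than the page's own, in document order."""
    page_site = registrable_site(urlparse(page_url).hostname or "")
    collector = _ResourceCollector()
    collector.feed(html)
    findings = []
    for tag, src, attrs in collector.resources:
        host = urlparse(src).hostname
        if host is None or registrable_site(host) == page_site:
            continue  # relative URL or same site: first-party
        # A 1x1 third-party image is the classic tracking-pixel pattern.
        pixel = tag == "img" and attrs.get("width") == "1" and attrs.get("height") == "1"
        findings.append({"tag": tag, "host": host, "tracking_pixel": pixel})
    return findings


# Constructed sample page: example.com is the visited site; the 2o7.net host
# is the beacon address quoted in the post; the paths are made up.
SAMPLE_HTML = """<html><body>
<img src="/images/logo.png">
<script src="https://www.example.com/site.js"></script>
<script src="https://102.112.2o7.net/placeholder/tracker.js"></script>
<img src="https://102.112.2o7.net/placeholder/beacon.gif?id=1" width="1" height="1">
</body></html>"""

if __name__ == "__main__":
    for finding in find_third_party("https://www.example.com/index.html", SAMPLE_HTML):
        print(finding)
```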
Re: [Full-Disclosure] Security firm Symantec has rubbed subscribers to the Full-Disclosure mailing list the wrong way
> Yes, in this time of the Buschwackers, it is all too easy for the gov'ment to rob us of our freedom. And unfortunately there are far too many corporate types ready to take advantage of that in the name of the almighty buck. Wired is cool though. They went on to say "He did not say, though, how legislators would determine the difference between malicious information and that used for legitimate security research, or whether such a law might compromise freedom of speech."

Good morning Curt,

Incidentally, if you're worried about corporate types and their quest for the almighty buck, I'm not so sure you should consider Wired the last bastion of truth and freedom. The mag is owned by Conde Nast Publications *, a gigantic conglomerate which also happens to own:

The New Yorker
GQ
Vogue / Teen Vogue
Vanity Fair
Glamour

Nearly 20 magazines in total, I believe.

Oh, and the fun doesn't stop there. Conde Nast is owned by Advance Publications, which also owns Parade Publications, Fairchild Publications, American City Business Journals, the Golf Digest Companies, and newspapers in more than twenty American cities; Advance Publications also has extensive interests in cable television, as well as in Internet sites which are related to its print publications. *

Take from this what you will.

Sincerely,
Cael

---
http://condenet.com
http://www.advance.net/index.ssf?/advance_publications/about_advance_publications.html
Re: [Full-Disclosure] IE Object Type Validation Vulnerability Exploit
> Decrypted (undo VBS.Encode) it is the following:
> Andreas

Hi Andreas,

The 'x.exe' created by this script is reported by Symantec as 'Download.Trojan':

http://www.symantec.com/avcenter/venc/data/download.trojan.html

Cael