Re: [Full-Disclosure] Cryptography Mailing List

2004-07-18 Thread George Capehart
On Sunday 18 July 2004 10:28, igotroot allegedly wrote:
> Can anyone recommend a good cryptography mailing list? I have
> searched and searched and I'm only able to find archives of several of
> them, but no sign up pages. Thanks in advance.

sci.crypt

see

ftp://rtfm.mit.edu/pub/usenet-by-group/news.answers/cryptography-faq/part01
through part10 for more information.

Cheers,

/g

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


[Full-Disclosure] Re: OpenServer 5.0.6 OpenServer 5.0.7 : Multiple Vulnerabilities in Sendmail

2004-07-29 Thread George Capehart
On Wednesday 28 July 2004 16:10, [EMAIL PROTECTED] 
allegedly wrote:
> _
>
>   SCO Security Advisory
>
> Subject:  OpenServer 5.0.6 OpenServer 5.0.7 : Multiple Vulnerabilities in Sendmail
> Advisory number:  SCOSA-2004.11
> Issue date:   2004 July 28
> Cross reference:  sr876461 fz527630 erg712277 CAN-2003-0161 CA-2003-12
>   sr884730 fz528323 erg712435 CAN-2003-0694 CA-2003-25
> _
>
>
>
> 1. Problem Description
>
>   CERT Advisory CA-2003-12
>
>   There is a vulnerability in sendmail that can be exploited
>   to cause a denial-of-service condition and could allow a
>   remote attacker to execute arbitrary code with the privileges
>   of the sendmail daemon, typically root.

This advisory was issued on March 29, 2003.  That was /*sixteen*/ MONTHS 
ago . . . C'mon, guys!

-- 
George W. Capehart

Key fingerprint:  3145 104D 9579 26DA DBC7  CDD0 9AE1 8C9C DD70 34EA

"With sufficient thrust, pigs fly just fine."  -- RFC 1925




Re: [Full-Disclosure] Re: OpenServer 5.0.6 OpenServer 5.0.7 : Multiple Vulnerabilities in Sendmail

2004-07-30 Thread George Capehart
On Thursday 29 July 2004 22:57, Frank Knobbe allegedly wrote:



>
> Heya George,
>
> perhaps the engineers are too busy fixing broken legal strategies and
> are putting silly software issues on the back-burner.
>
> (After all, why fix it if they file Chapter 11 by end of the year
> anyway?)

Hola Frank,

N.  They won't need to do that . . . Microsoft needs them to carry 
on the good fight against Open Source.  They'll keep them afloat.  
http://opensource.org/halloween/halloween10.html :)

Cheers,

/g



Re: [Full-Disclosure] Re: MS04-025 - Ignorance is truly bliss....

2004-08-06 Thread George Capehart
On Thursday 05 August 2004 18:49, hellNbak allegedly wrote:
> On Thu, 5 Aug 2004 someone pretending to have a nmrc email addy  
wrote:



>
> The only mistake you make above is that you paint the entire industry
> with the same brush.  Yes, I and a lot of people make money in this
> industry. We took a hobby and made it a job -- why not?  Why not get
> paid for something you enjoy.  Working in this industry does not
> automatically make you a false prophet as you explain above.
>
> Over the long term -- no one will benefit -- and I don't care how big
> the paycheck is -- telling a client what they want to hear is not the
> way many of us choose to make a living.  Sure, there are a lot of
> people in EVERY industry that are willing to push ethics aside and do
> what it takes for that paycheck but I know I can look myself in the
> mirror and say that I am not one of those people.
>
> Eventually the false prophets are exposed, sure they already got
> their paycheck and have moved on to the next sucker but eventually
> they run out of suckers and money.
>
> > What do you hope to achieve, or how do you believe your opinion is
> > being relevant or novel, if you come to this audience, and state
> > that CERT is no longer credible, and is a bunch of crooks who live
> > off selling advance vulnerability warnings? Or that Microsoft is
> > not exactly particularly devoted to improving security of their
> > products and protecting their customers?
>
> I hoped to stir some shit up, perhaps give the guys over at
> [EMAIL PROTECTED] a bit of a kick in the nuts as there was a time
> that they were making at least a little progress.  I was hoping to
> draw enough attention to this issue that perhaps someone from one of
> the major banks will one day sit down and correlate the connection
> between vulnerabilities such as this and losses due to fraud.  The
> only way that any vendor is going to be forced to actually care about
> security and actually care about users is when those users mean lots
> of $$$ to them.

There just might be some hope . . . check out this white paper from PWC 
on "Integrity-Driven Performance."
http://www.cfodirect.com/cfopublic.nsf/f19696b6432afb8b8525690a000c9f67/86a39deb761f514d85256e3f00641442/$FILE/PWC_GRC_WP.pdf

(URL might wrap).  You can get it from Google if you search on 
pwc_grc_wp.pdf . . .

Cheers,

/g



Re: [Full-Disclosure] Soft-Chewy insides (was: CyberInsecurity: The cost of Monopoly)

2003-09-29 Thread George Capehart
On Sunday 28 September 2003 03:39 pm, Curt Purdy wrote:
> When we get this far off-topic, how about putting up a new subject
> line with a was:



I've followed this thread and, especially the recent exchange among 
Michael Zalewski, Frank Knobbe and Florian Weimer.  My initial response 
was to respond to specifics, like, for instance, the first paragraph 
below.  Was going to raise my hand and say:  But what about the DFS?  
As the thread grew, I realized that it is really about my pet peeve:  
The absence of a *real* information security *program* that addresses 
defense-in-depth, security architectures, etc. 
_at_the_enterprise_level_.  I have been in only *one* organization that 
actually had an enterprise security architecture and which built 
systems around it.  But that was only one of many with which I am 
familiar.

Paul Schmehl's lament was that "we as a 'security community' have [not] 
even begun to tackle this problem."  I would submit that, as a 
community, we *have*. All one has to do is to look at the ISO/IEC 
standards, the ANSI standards, the NIST Special Publications, the 
Common Criteria, DITSCAP, COBIT, etc., etc., etc., the WS* standards 
coming out of the W3C and OASIS, the IATFF, etc. to see that we 
understand the problem and have documented almost ad nauseam how to 
deal with it.  The military and intelligence community have been 
practicing "good security" for years.  Even the government is beginning 
to catch on.  IMHO, the problem is *not* with the security community, 
but with the "governance community."


The problem is that there is no accountability at the top for allowing 
systems to be run in an insecure manner.  It seems that neither Boards 
of Directors nor C-level corporate officers understand that, these 
days, a significant chunk of the risk that they need to manage arises 
out of their use of IT systems.  Either that, or there is no impetus to 
*really* manage risk at any level.  This is not rocket science.  It is 
risk management.  Risk is not being managed top-down in any structured 
manner.  It is being managed bottom up by a few individuals who care.  
Boards of directors do not ask the tough questions.  For many, 
Information Security is not on the list of things to care about at all.  
C-level officers don't care about it.  If they did, organizations would 
have robust Information Security programs, there would be clear lines 
of accountability and responsibility for the management of risk 
incurred by the operation of IT systems and the "'soft and chewy' 
problem" would be addressed.  


My $0.02.

George Capehart



>
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Paul Schmehl
> Sent: Sunday, September 28, 2003 12:20 PM
> To: Full Disclosure
> Subject: [inbox] Re: [Full-Disclosure] CyberInsecurity: The cost of Monopoly
>
>
> --On Sunday, September 28, 2003 8:14 AM -0400 Karl DeBisschop
>
> <[EMAIL PROTECTED]> wrote:
> > Crunchy shell, soft-chewy insides?
>
> I don't think "we" as a "security community" have even begun to
> tackle this problem.  We talk about it, but who is *really* doing it?
>  For example, if you want to network machines you *have* to use
> SMB/NetBIOS for Windows, NFS for Unix, CIFS, or something similar. 
> Who is really looking at how to be secure while still allowing
> internal machines to talk to each other? Certainly none of the above
> protocols qualify as secure.
>
> When a machine is problematic, for whatever reason, the usual
> reaction is "block it at the firewall".  But that doesn't protect
> that machine from *other* internal machines.  It only protects it
> from the outside.  Oh, you might have a firewall that cordons off
> accounting from the rest of the enterprise, but *inside* accounting,
> you still have the "soft, chewy" problem.
>
> I haven't really seen anything that addresses this problem, and I'm
> not aware of anyone who is working on solving it.  For the most part
> security thinking is still in the middle ages - build a castle with
> moats and outer defensive rings, and staggered entrances to make it
> hard for the enemy to get in.  Once he gets in, what does current
> security thinking offer?  Not much.
>
> What we need is a paradigm shift in thinking.
>
> Paul Schmehl ([EMAIL PROTECTED])
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu
>

Re: [Full-Disclosure] Soft-Chewy insides (was: CyberInsecurity: The cost of Monopoly)

2003-09-29 Thread George Capehart
On Monday 29 September 2003 08:23 am, Michael Scheidell wrote:



>
> These fines and jail time will directly target the C/Board level, and
> only indirectly affect the security teams (they may lose their jobs
> when the company they work for goes bankrupt)
>
> Its only a matter of time before the lawyers finish up with big
> tobacco and move on to SARBOX/HIPAA and GLBA work.
>
> > My $0.02.
>
> I'll see you that .02/c and raise you 5 million dollars (the Maximum
> fine under SARBOX)

Would that that would really help.  I guess maybe in the 
long run it might, but I'm not holding my breath.  There's still the 
small matter of connecting cause with effect and then implementing a 
program that will function appropriately at all levels of the 
organization.  I'll bet a dozen Krispy Kremes that the response of many 
Boards and C-level officers will be a knee-jerk "Off with their heads" 
followed by a return to business as usual.  It's a lot easier to offer 
up a sacrificial lamb than it is to change corporate culture . . . But 
it will certainly be interesting to follow . . .  ;-)

Regards,
-- 
George Capehart

capegeo at opengroup dot org

PGP Key ID: 0x63F0F642  http://pgp.mit.edu
Key fingerprint:  BE7A 9A4A 6A8F 363A BAC5  4866 631B B2F6 63F0 F642

"It is always possible to agglutenate multiple separate problems into a
 single complex interdependent solution.  In most cases this is a bad
 idea."  -- RFC 1925



Re: [Full-Disclosure] Soft-Chewy insides (was: CyberInsecurity: The cost of Monopoly)

2003-10-01 Thread George Capehart
Michael Scheidell wrote:

> > Would that that would really help.  I guess maybe in the
> > long run it might, but I'm not holding my breath.  There's still the
> > small matter of connecting cause with effect and then implementing a
> > program that will function appropriately at all levels of the
>
> Just did a presentation to a bunch of AeA CFO's (AeA is American
> Electronics Association) where the first slide I gave them a piece of
> paper that has to go with their 10K reports and said:
> Ok, as the CFO of a public company, would you sign this:
> (a bunch of legal gook I got from our SEC lawyer).
> Went through a high (board level) presentation with lots of pretty color
> pictures, talked about jail time and fines and informed them that the
> CFO is the one who will sign it..
> then when done, said 'ok, NOW who will sign this.  You KNOW for a FACT
> that your IT department has taken care of this, right? you don't need an
> outside/third party audit to make sure the IT or internal security guys
> did their job, right?'
>
> NO ONE wanted to sign it then.

Heh.  That's great.  Wish I could have been there to see that.  Sounds 
like you really got their attention.  But this brings me back to the 
original concern:  It's one thing to realize that you have a problem. 
It's something else to fix it.  And my experience has been that the 
people who have the problem don't have a clue how to fix it.  Clueful 
organizations have a strong Information Security/Assurance *program* in 
place.  CFOs of those organizations *will* sign the document because 
there *is* a formal risk management process in place which includes some 
kind of certification and accreditation process.  They are *very* likely 
to be the approving authority on some of the systems.  They are also 
part of the governance process.  If there is no Information Security / 
Assurance *program*, there is a huge problem.  This is the one I 
continue to encounter:  When an external audit/assessment shows many 
deficiencies, the response of the clueless organization is to: a) (try 
to) patch the holes, and b) maybe offer up a sacrificial lamb.  However, 
the _root_cause_ of the existence of the problems in the first place is 
the absence of a real program.  In the absence of a program, even if the 
holes are patched, within a year they will return or be replaced by 
others.  So the *real* solution to the problem is to patch the holes 
*and* the organization . . . by implementing an effective program.  One 
would hope that, having had their attention focused on the existence of 
symptoms, the CFOs will conclude that their organization is sick.  Some 
will.  Some won't.  Of those that will, how many will know what "the 
cure" is, or how to go about getting it?  *This* has been my 
frustration:  having enough time with the right people to educate them 
on what the options are and what the solution is . . .

Cheers,

George Capehart
--
George W. Capehart
"We did a risk management review.  We concluded that there was no risk
 of any management."  -- Dilbert




Re: [Full-Disclosure] Soft-Chewy insides

2003-10-03 Thread George Capehart
Schmehl, Paul L wrote:

> I'm not going to disagree with this at all, however I would point out
> that standards are one thing, implementation entirely another.  It's
> nice to have standards that provide guidance in security structuring,
> but without the tools to implement those guidelines, they're guidelines
> and not much more.  Only in the past couple of years have we seen any
> really useful tools in this area, and the prices are out of reach of
> many organizations.  (Like other things in technology, it would be nice
> if those prices would come down over time.)
>
> That's what I'm referring to when I say "we, as a security community"
> have only begun to try addressing these issues.  Right now,
> organizations pretty much have to "roll their own" - not a very
> efficient way of solving a universal problem.

Hr.  Seems I misunderstood the issues.  I wasn't thinking along
those lines.  Sorry 'bout that.  :0  But then, I'm afraid there is 
always going to be the mix-and-match problem.  Different products and 
processes were designed at different times for different purposes to 
deal with different threat/risk profiles.  Plus, everyone's environment 
is different.  There *are* tools that help make the job a little easier, 
but the best tools for the job are the carbon-based ones . . .

My $0.02.

Cheers,

George Capehart





Re: [Full-Disclosure] Any news on www.kievonline.org site?

2003-10-14 Thread George Capehart
Nick FitzGerald wrote:

> Alexandre Dulaunoy <[EMAIL PROTECTED]> wrote:
>
> > It seems to be another spammer who wants to verify the email...
> >
> > I also got the same mail (posted from a GTE network).
>
> Not from 67.161.85.41 as mine was then??

I got one of these this morning on another address and this one 
originated from some IP address in Korea.  After Googling around and 
seeing the same message show up in some newsgroups, I decided that this 
was a troll of some sort.  I debated sending an email to abuse@, but 
given the general level of response from Korean ISPs, I dropped the idea 
and sent the message to the bit bucket.

Cheers,

George Capehart
--
George W. Capehart
"We did a risk management review.  We concluded that there was no risk
 of any management."  -- Dilbert




Re: Linux (in)security (Was: Re: [Full-Disclosure] Re: No Subject)

2003-10-23 Thread George Capehart
On Wednesday 22 October 2003 11:18 pm, Paul Schmehl wrote:

> Malware follows
> negligent users, *not* OSes.
>

Bingo!

Cheers,

/g
-- 
George Capehart

capegeo at opengroup dot org

PGP Key ID: 0x63F0F642 available on most public key servers

"It is always possible to agglutenate multiple separate problems into a
 single complex interdependent solution.  In most cases this is a bad
 idea."  -- RFC 1925



Re: [Full-Disclosure] [Bogus] Microsoft AuthenticodeT webcam viewer plugin

2003-10-29 Thread George Capehart
On Wednesday 29 October 2003 08:04 am, Nick FitzGerald wrote:



>
> Authenticode is useless as a means of ensuring code is trustworthy
> _independent_ of such an effort from the CAs.  _All_ Authenticode
> tells you is that someone was prepared to part with some cash and
> they found a CA they convinced that they were who they said they
> were.

This is why the CA's Certification Practice Statement (CPS) is so 
important . . . and why, if one is going to accept a certificate, they 
*really* should read the CPS and understand exactly what process the CA 
went through to determine the authenticity of the DN.  *Then* you 
should read the audit reports to see if the CA is really following the 
CPS.  If that information is not publicly available, he/she who accepts 
those certs deserves what he/she gets.


> In theory (at least if you trust the CA -- which I doubt few
> possibly could in Verisign's case once it issued code-signing certs
> under Microsoft's name to non-MS folk despite supposedly having extra
> special checking mechanisms for such a large and obviously
> "important" client),

See above.

> an Authenticode "all clear" means that if you
> were stupid enough to "trust" (in the big sense) a piece of signed
> code the CA can help you locate the rat-bag who signed it should you
> want to fry their balls...

See above again.  That is true IFF the RA did its job.

>
> Anyone who ever thought Authenticode ever bought them more than that
> was seriously delusional and obviously did not understand the basics
> of code-signing as a "trust mechanism" (because it isn't one despite
> what MS wants you to believe).  This is all part of why Authenticode
> and ActiveX were always such fundamentally bad things and why the
> decision to take this route showed MS lacked even the most basic
> grasp of the fundamentals of security and trust.  That Authenticode
> has been "sold" (and worse, accepted by some) as anything else but a
> poor-man's excuse for "nothing much" is somewhere between really sad
> and criminal...
>

I think "nothing much" is being pretty generous . . . :->

Cheers,

/g
-- 
George Capehart

capegeo at opengroup dot org

PGP Key ID: 0x63F0F642 available on most public key servers

"It is always possible to agglutenate multiple separate problems into a
 single complex interdependent solution.  In most cases this is a bad
 idea."  -- RFC 1925



Re: [Full-Disclosure] Microsoft plans tighter security measures in Windows XP SP2

2003-11-01 Thread George Capehart
On Saturday 01 November 2003 01:29 pm, [EMAIL PROTECTED] wrote:
> On Sat, 01 Nov 2003 19:07:22 +0100, jelmer said:
> > pivx probably already was
> >
> > http://slashdot.org/article.pl?sid=03/10/12/2221205&mode=thread&tid=109&tid=126&tid=128&tid=172&tid=187
>
>
> And unfortunately, when they fired Geer, @stake lost a lot of their
> credibility, at least in my book.  For some reason, is anybody else
> hearing:
>
> "Help me Obi Wan Guninski, you're our only hope..."

Whew!  Glad to know that I wasn't having auditory hallucinations!  :)

-- 
George Capehart

"It is always possible to agglutenate multiple separate problems into a
 single complex interdependent solution.  In most cases this is a bad
 idea."  -- RFC 1925



Re: [Full-Disclosure] Gates: 'You don't need perfect code' for good security

2003-11-03 Thread George Capehart
On Sunday 02 November 2003 07:01 pm, Geoincidents wrote:



>
> I don't see it that way. I think that as a function to run network
> backups windows has one of the more secure ways to make connections
> between machines. I think MS needs to stop claiming this isn't a
> feature for the internet and realize that there is no difference
> between the internet and the internal network, both require security
> unless you somehow don't think the payroll system requires security..

Apparently the folks at Microsoft aren't there yet . . . would *you* be 
willing to expose a stored procedure in a SQL Server database as a Web 
service?  See http://www.theregister.co.uk/content/61/33718.html.  The 
inmates are running the loony bin . . .

/g
--
George Capehart

"With sufficient thrust, pigs fly just fine."  -- RFC 1925



Re: [Full-Disclosure] Gates: 'You don't need perfect code' for good security

2003-11-03 Thread George Capehart
On Monday 03 November 2003 06:22 pm, Geoincidents wrote:
> > Apparently the folks at Microsoft aren't there yet . . . would
> > *you* be willing to expose a stored procedure in a SQL Server
> > database as a Web service?  See
> > http://www.theregister.co.uk/content/61/33718.html.  The inmates
> > are running the loony bin . . .
>
> Of course not, but then isn't that the point, to run this stuff on
> the internet without leaving it "exposed"?

But IMHO, that *is* the point.  If it's on the Internet, it's exposed . 
. . And if a stored procedure is exposed, then the whole system is 
exposed . . . The following URL (may wrap) points to what *Microsoft* 
has to say about Web services security.  Now, imagine what a "secure" 
stored procedure must look like . . .

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwssecur/html/securitywhitepaper.asp

/g



Re: [Full-Disclosure] Gates: 'You don't need perfect code' for good security

2003-11-04 Thread George Capehart
On Tuesday 04 November 2003 06:03 am, Geoincidents wrote:
> > But IMHO, that *is* the point.  If it's on the Internet, it's
> > exposed . . . And if a stored procedure is exposed, then the whole
> > system is exposed . . .
>
> Nonsense, you read too many MS papers . Lots of ISP's run SQL
> servers on the internet for radius authentication, where the database
> and stored procedures are not exposed. Just because MS describes
> something you don't consider safe, you are assuming there isn't a
> safe way to do it?

Heh.  We're in violent agreement on this issue.  My thrust wasn't that 
it is not *possible* to run a database where the database and stored 
procedures are not exposed . . . it was that the corporate vice 
president, SQL Server Team is saying that Yukon is designed to support 
stored procedures being exposed as Web services.  Put another way, 
they're purposely designing a system that can be easily used 
in a *very* insecure way, and touting it as a design coup.  I have a 
hard time reconciling that with the notion that Microsoft has the 
slightest clue about system security and secure system design.  This is 
a shining example of "innovation and enhanced feature/function" 
trumping secure system design.
 
>
> If what you say is true, then all the MS databases where they store
> registration information, windows update information, activation
> information, they must all be exposed so how about posting exploits
> for them so we can get MS to secure our data? Or are those on the net
> yet not exposed?

Don't know.  I have never been in a situation where anybody had *any* 
database exposed to the Internet.  There have always been several 
layers of software and firewalls between the Internet and a production 
database . . . and there has always been a distinction between "DMZ" 
databases and production databases.  DMZ databases may keep some state 
information, cache, and, maybe even some "local" authentication 
information in them.  But databases that held production data and which 
would have stored procedures that provide business function (or 
service), are on the internal network 'way far away from the Internet.

/g



Re: [Full-Disclosure] Increase probe on UDP port 1026

2003-12-02 Thread George Capehart
On Tuesday 02 December 2003 04:21 pm, Paul Dokas wrote:
> On Tue, 02 Dec 2003 10:16:23 +0100 Nicob <[EMAIL PROTECTED]> wrote:
> > I captured some packets and it appears to be (only) a Windows
> > Messenger "spam" for a "penis enlargement" product.
>
> I caught one last night scanning 1026/UDP and 1030/UDP and doing
> popups directing people to www.PopAdStop.com.  The 1026/UDP and
> related traffic is *definitely* popup spam related.  At this point, I
> suspect that the malware is getting onto computers via .HTA mime or
> ADODB.Stream vulnerabilites in IE.  However, I have no proof of this
> yet.
>
> BTW, I did `wget http://www.PopAdStop.com` a little bit ago.  Looks
> like they could win an obfuscated JavaScript contest.

Heh.  Out of curiosity, I tried to get there just now (1845 EST - GMT 
-5).  Interesting results.  Firstly, wget complained about not being 
able to resolve www.popadstop.com.  Dig(1)ing for *.popadstop.com got 
nothing.  Whois for popadstop.com shows that it is registered at TUCOWS 
by NewestStuff.com LLC and the nameservers for popadstop.com are ns1 
and ns2.neweststuff.net.  Whois for neweststuff.net just also happens 
to be NewestStuff.com LLC.

If one digs for the IP address for www.popadstop.com @ns1.newstuff.com, 
it bombs.  However, if one digs for the IP address of www.popadstop.com 
@IPAddressofns1.newstuff.net (from whois), one gets a reply 
(66.225.219.162).  It seems that they have been removed from the world.  
To make a long story very short, it looks like www.popadstop.com is no 
longer on the air and newstuff.net's nameservers are no longer listed 
in DNS.  They are on the air, but DNS can't resolve their addresses 
from their names.

Interesting.
>
>
> Paul

-- 
George Capehart

capegeo at opengroup dot org

PGP Key ID: 0x63F0F642 available on most public key servers

"It is always possible to agglutenate multiple separate problems into a
 single complex interdependent solution.  In most cases this is a bad
 idea."  -- RFC 1925


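An added example, not part of George's post or anything he ran: the two lookups he describes (whois for the registrar-listed nameservers, then asking one of those servers directly by IP, which is what `dig @<ip> <name> A` does) written with the Python standard library only. When actually run it assumes nothing beyond TCP/43 and UDP/53 reachability; the sample reply bytes at the bottom are constructed here so the parser can be exercised offline, and 66.225.219.162 is simply the address quoted in the post.

```python
# Added example (not from the original post): "whois <domain>" to find the
# registrar-listed nameservers, then "dig @<nameserver-ip> <name> A" done by
# hand, stdlib only.  No recursive resolver is involved, so the query works
# even when the nameservers' own names no longer resolve.
import random
import socket
import struct


def whois(domain, server="whois.iana.org", timeout=5.0):
    """Plain RFC 3912 lookup: send the query line, read until the server closes."""
    with socket.create_connection((server, 43), timeout=timeout) as s:
        s.sendall(domain.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


def build_query(name, txid):
    """Wire-format DNS query for an A record, recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(msg, offset):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if jumped else offset


def parse_response(msg, txid):
    """Return rcode, the AA flag and the A records from the answer section."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (spoofed or stale reply?)")
    offset = 12
    for _ in range(qd):                                  # skip the echoed question
        _, offset = _read_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = _read_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append((name, ttl, socket.inet_ntoa(rdata)))
    return {"rcode": flags & 0x000F, "authoritative": bool(flags & 0x0400),
            "answers": answers}


def query_nameserver(name, server_ip, timeout=3.0):
    """Equivalent of `dig @server_ip name A`: one UDP query, one reply."""
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server_ip, 53))
        data, _ = s.recvfrom(512)
    return parse_response(data, txid)


# Constructed sample reply (not captured traffic): an authoritative answer
# for www.popadstop.com carrying the address quoted in the post.
SAMPLE_TXID = 0x1234
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", SAMPLE_TXID, 0x8580, 1, 1, 0, 0)   # QR, AA, RD, RA set
    + b"\x03www\x09popadstop\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4)       # name pointer to offset 12
    + socket.inet_aton("66.225.219.162")
)

if __name__ == "__main__":
    import sys
    # e.g.  python dns_direct.py www.popadstop.com 66.225.219.162
    print(query_nameserver(sys.argv[1], sys.argv[2]))
```

Asking the server by IP skips recursion entirely, which is exactly why it still answered after the nameservers' own names had dropped out of DNS. The transaction-id check is the bare minimum a resolver must do before believing a UDP reply; a real one also matches the question section and randomises the source port.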

Re: [Full-Disclosure] atrticle in: Security Wire Perspectives, Vol. 5, NO. 93, December 19, 2003

2003-12-19 Thread George Capehart
On Friday 19 December 2003 12:20 pm, Ron DuFresne wrote:



> missed this.  The reason I ask is, there has been a large shift in
> the security "lists/field/top dogs" in trying to avoid casting
> blame/responsibility at M$ for the products it has pushed into the
> market place, perhaps due to the deep pockets and breadth of market
> saturation, thus dependence of many upon the M$ pocketbook to feed
> the rest of the industry in one fashion or another.  The critical
> articles of a year+ past seem to now, especially after the @stake
> recent actions, to be focused these days upon avoiding mentioning the
> shortcomings from redmond.  Are others reading the same these days?

Yep.
-- 
George Capehart

capegeo at opengroup dot org

PGP Key ID: 0x63F0F642 available on most public key servers

"It is always possible to agglutenate multiple separate problems into a
 single complex interdependent solution.  In most cases this is a bad
 idea."  -- RFC 1925



Re: [Full-Disclosure] OT: http://rss.com.com/2100-1002-5076903.html?tag=nl

2004-01-11 Thread George Capehart
On Sunday 11 January 2004 05:28 am, Georgi Guninski wrote:
> (sorry for the OT but i can't resist)
>
> http://rss.com.com/2100-1002-5076903.html?tag=nl
>
> Ballmer: 'Thieves, con artists' attacking Microsoft
> Last modified: September 15, 2003, 4:44 PM PDT
> By Ina Fried
> Staff Writer, CNET News.com
>
>
> SANTA CLARA, Calif.--Microsoft Chief Executive Steve Ballmer warned
> Monday that recent security vulnerabilities represent a "new and
> growing challenge to innovation" and conceded that his company is
> under attack from "thieves, con artists, terrorists and hackers."

Well, while we're OT . . . That should qualify for some award . . .


Poor Microsoft!  Being attacked by Thieves, Con Artists, terrorists and, 
God forbid(!) HACKERS.  Well, here's a flash for Mr. Ballmer.  If your 
software wasn't Swiss cheese, it wouldn't be vulnerable and you 
wouldn't be attacked!!!


Seriously, though, this is yet another bit of evidence to me that they 
just don't get it . . . 

Sorry.  That just insulted even my limited intelligence . . .

/g
-- 
George Capehart

capegeo at opengroup dot org

PGP Key ID: 0x63F0F642 available on most public key servers

"It is always possible to agglutenate multiple separate problems into a
 single complex interdependent solution.  In most cases this is a bad
 idea."  -- RFC 1925



Re: [Full-Disclosure] OT: http://rss.com.com/2100-1002-5076903.html?tag=nl

2004-01-12 Thread George Capehart
On Sunday 11 January 2004 01:15 pm, Ka wrote:



>
> OK, my serious answer -- I hope the straight way of expressing myself
> is not taken personally.

Not at all.  I appreciate straight talk.

>
>
> I think "they" got "it" quite well.
>
>
> It's just a question, what this "it" is for you.
> MS plays for market share and public opinion and influence to
> politicians. And MS does that quite well. While the IT professionals
> have not managed to create a professional association in 35 years.
>
> If "we" (IT professionals) had a world wide organisation with as many
> members (percent-wise) as MS has world wide market share,
> there would be no need to nag about Ballmer's statements.

You are absolutely right.

>
> > Sorry.  That just insulted even my limited intelligence . . .
>
> Everybody has his limits. It just depends for what you use your
> resources.
>
> It's time we as a professional group start talking and walking like
> adults (at least more than in the past), I think. Just playing with
> computers is fine, but not enough.

Agreed.  And believe me, I have spent many an hour trying to figure out 
how to approach the problem.  Unfortunately, every solution I can come 
up with involves educating the masses . . . many of whom don't want to 
be confused with facts . . .  ;>

/g



Re: [Full-Disclosure] Microsoft's fix for URL containing username:password@ obfuscation

2004-01-27 Thread George Capehart
On Tuesday 27 January 2004 09:47 pm, Zach Forsyth wrote:



>
> Anyone know a workaround to tell IE not to pass anonymous credentials
> automatically?

Don't use IE.  Use Camino, Opera, Netscape, Mozilla, Firebird, or, God 
forbid, ftp . . .

-- 
George Capehart

capegeo at opengroup dot org

PGP Key ID: 0x63F0F642 available on most public key servers

"It is always possible to agglutenate multiple separate problems into a
 single complex interdependent solution.  In most cases this is a bad
 idea."  -- RFC 1925


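An added example (mine, not Zach's or George's) of what the username:password@ trick exploits and how to screen URLs for it, with only the Python standard library. The host a client connects to is whatever follows the last "@" in the authority (RFC 3986), so a trusted-looking name in front of the "@" is just a user name that the real host never sees. The sample URLs are constructed for illustration; 198.51.100.0/24 is a documentation range.

```python
# Added example (not from the thread): where a URL with userinfo really
# points, and the signals that mark the obfuscation pattern.
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Something that reads like a public hostname: two or more dotted labels.
_HOSTNAME_LIKE = re.compile(
    r"^(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$", re.I)


def inspect_url(url):
    """Report the host actually used and why the userinfo looks abusive."""
    parts = urlsplit(url)
    host = parts.hostname or ""          # stdlib already takes text after the last "@"
    findings = []
    userinfo = None
    if "@" in parts.netloc:
        # Split the raw netloc first: a percent-encoded "@" inside the
        # userinfo must not be mistaken for the real separator.
        userinfo = unquote(parts.netloc.rpartition("@")[0])
        user = userinfo.partition(":")[0]
        if _HOSTNAME_LIKE.match(user):
            findings.append("userinfo looks like a hostname")
        if any(ord(c) < 0x20 or ord(c) == 0x7F for c in userinfo):
            # e.g. %01 before the "@": once decoded it can truncate what a
            # naive address-bar display shows
            findings.append("control characters in userinfo")
        try:
            ipaddress.ip_address(host)
            findings.append("userinfo in front of a bare IP address")
        except ValueError:
            pass
    return {"host": host, "userinfo": userinfo, "findings": findings,
            "suspicious": bool(findings)}


SAMPLE_URLS = [  # constructed examples, not real links
    "http://www.microsoft.com@198.51.100.7/windowsupdate/",
    "http://www.microsoft.com%01@198.51.100.7/",
    "ftp://anonymous:user%40example.com@ftp.example.org/pub/",
    "https://www.microsoft.com/",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        r = inspect_url(u)
        tag = "SUSPICIOUS" if r["suspicious"] else "ok        "
        print(tag, u, "->", r["host"], r["findings"])
```

The third sample shows why "has userinfo" alone is not the signal: anonymous FTP with an e-mail address as the password is a legitimate use of the same syntax, and it passes clean. What matters is a user name that mimics a hostname, control characters that hide the rest of the authority, or both in front of a bare IP.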

Re: [Full-Disclosure] UnixWare 7.1.3 Open UNIX 8.0.0 UnixWare 7.1.1 : apache multiple vulnerabilities, upgraded to apache-1.3.29

2004-05-06 Thread George Capehart
On Wednesday 05 May 2004 04:46 pm, Dave Aitel wrote:
> They're switching to Linux, btw. It's the first thing they say when
> you meet them.

Well, *that* tells me a lot about their level of sophistication . . . ;>

-- 
George Capehart

capegeo at opengroup dot org

PGP Key ID: 0x63F0F642 available on most public key servers

"It is always possible to agglutenate multiple separate problems into a
 single complex interdependent solution.  In most cases this is a bad
 idea."  -- RFC 1925




Re: [Full-Disclosure] Vendor casual towards vulnerability found in product

2004-05-26 Thread George Capehart
On Wednesday 26 May 2004 10:52 am, morning_wood wrote:



>
> some disclosure policies can be found at..
>
> http://oisafety.org/
> http://oisafety.org/process.html
>
> http://exploitlabs.com/disclosure-policy.html
> http://www.cert.org/kb/vul_disclosure.html
> http://www.atstake.com/research/policy/
> http://www.hut.fi/~tianyuan/slides/template/template.html

see also the granddaddy of disclosure policies:

http://www.wiretrip.net/rfp/policy.html

/g
-- 
George Capehart

capegeo at opengroup dot org

PGP Key ID: 0x63F0F642 available on most public key servers

"It is always possible to agglutenate multiple separate problems into a
 single complex interdependent solution.  In most cases this is a bad
 idea."  -- RFC 1925

