Re: [Full-Disclosure] Re: Web browsers - a mini-farce
Micheal Espinola Jr said: Just out of curiosity, can you refer to anything in a professional manner - or must you always use demeaning word-play against anything you don't like? Also out of curiosity, when do you hit puberty? Perhaps some of us can rejoin int pot() { int black=1; kettle(black); return 1; } ? Tom Cleary - Security Architect CSC Perth In IT, acceptable solutions depend upon humans - Computers don't negotiate. This is a PRIVATE message. If you are not the intended recipient, please delete without copying and kindly advise us by e-mail of the mistake in delivery. NOTE: Regardless of content, this e-mail shall not operate to bind CSC to any order or other contract unless pursuant to explicit written agreement or government initiative expressly permitting the use of e-mail for such purpose. ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: [Full-Disclosure] (no subject)
Isn't the complete lack of naming standardization in the AV industry simply amazing? Imagine that were the case in science, particularly medicine... No shit. They should at least get together and come up with some common naming convention. They need to make some common naming authority, it's not difficult, we do it all the time with other software and as mentioned, in all scientific disciplines. Otherwise, things become very convoluted for us in the know. This is irrelevant to the general population, but is necessary for the people who have to deal with these things. heavy_irony Of course, you're making the assumption that IT Security Professionals deserve/get the respect of having a formal body of knowledge recognised by Academia and Government rather than just being a bunch of ungrateful malcontents fulminating in the wilderness instead of knuckling down to life as the hired hands of the Corporate Finance section like we bloody well should, right? /heavy_irony Let the flames begin. ;-) tom. Tom Cleary - Security Architect CSC Perth Tel. +61 8 9254 5345 Mobile: 0411208423 [EMAIL PROTECTED] In IT, acceptable solutions depend upon humans - Computers don't negotiate.
Re: [Full-Disclosure] M$ - so what should they do?
Valdis Kletnieks said: It's not as simple as throw it out and start again - what's feasible for a student's semester project or a small company's small software package isn't as feasible when it's one of the largest sets of intertwined code ever written And that's the main point - the enemy of security isn't any given company/package/platform. It's complexity. Complexity guarantees that there will be flaws, that might be exploited, in any product. The only products with no reported vulnerabilities are small, low use products, and the main reason there aren't any reports is no-one's bothered to look. It's a principle that no matter how much effort is put into attempting to achieve perfection, not just six sigmas, it can't be achieved. Without perfection no-one, not just Business, can risk a monoculture ( just ask the U.S. Wheat farming industry ) 'Cos this isn't medicine, where acceptable losses can be estimated - who could guess the impact from a code flaw in the root servers? Or base code for HTTP handling? Or the privilege handling code in Windows? I believe Microsoft are making genuine efforts to improve their code. But even with billions in the bank to spend on it, they can't make it perfect. And in order to trust that their code can run EVERYTHING, that's what it'd have to be. The corollary, of course, is that I.T. will become more expensive because people will have to bite the bullet and get people with more than one skillset, or more people. Of course, they could outsource.. ;-) Regards, tom. Tom Cleary - Security Architect In IT, acceptable solutions depend upon humans - Computers don't negotiate.
Re: [Full-Disclosure] Akamai
Darren Reed said: What's interesting is that in contrast to old-school protection rackets, there appears to be no offering of protection from attack by others. IIRC the main purpose of DoS attacks ( apart from kiddie fights ) is to allow a trust exploit/MITM to succeed - e.g. session hijacking. Maybe someone wanted to plant something by pretending to be the WindowsUpdate site? If you're Akamai'd, poisoning DNS would be harder, but changing IP address wouldn't seem unusual, would it? Regards, tom. Tom Cleary - Security Architect In IT, acceptable solutions depend upon humans - Computers don't negotiate.
Re: [Full-Disclosure] Hotmail Passport (.NET Accounts) Vulnerability
Maybe you should email this one: [EMAIL PROTECTED] At least you'll get a reply, eh? ;-) ( apologies to Alexander MacLennan. ) Regards, tom. Tom Cleary - Security Architect In IT, acceptable solutions depend upon humans - Computers don't negotiate.
Re: [Full-Disclosure] Re: Cisco's stolen code
Marek Isalski said: IIRC, that law finally got patched a few years ago so that people who pinch cars for a joy ride could still be sentenced. Wrong. Taking and driving away ( TDA ) was always a separate offence, since it got invented. Imagine: You hire a car, but don't return it. Theft, right? Wrong. This is a Civil Debt ( failure to pay a rightful debt for service obtained, so long as you use your real driver's licence. ) If you use a false D/L it's obtaining services by deception. And in case you're interested I could bore the a**e off you with a long story about an ex Green Beret who did just that. Guess who the arresting Officer was? ;-) Regards, tom. Tom Cleary - Security Architect In IT, acceptable solutions depend upon humans - Computers don't negotiate.
Re: [Full-Disclosure] Re: Cisco's stolen code
Rodrigo Gutierrez said: United States and I would guess that a big part of them don't give a tiny rats ass about what the copyright laws in the U.S are. Has your Country got an FTA with the U.S.? Guess what you get as part of the package? Regards, tom. Tom Cleary - Security Architect In IT, acceptable solutions depend upon humans - Computers don't negotiate.
Re: [Full-Disclosure] Re: Cisco's stolen code
Ron DuFresne said: If you know the property was obtained illegally, that would make you an accessory after the fact, would it not? To become painfully boring with real world dodgy analogies, this is similar to handling stolen goods. And in the strictest sense of the word, you're right. However, as I know from personal experience, because of the way law is often cast, prosecutions for these kinds of crime are all too infrequent. This is usually because establishing Mens Rea requires inordinate stupidity. An offender must admit they intended the crime. Result: you get off, because establishing what someone was thinking isn't easy and is usually too expensive in manpower for the average Police Force to undertake frequently. Unless some easy way can be found to get round this issue ( and if there is one, I'm sure Mr. Bush will find it ;-) the practice will not be curtailed because your chances of getting prosecuted are slight. From my archaic memories, in this specific instance: Handling Stolen Goods: Knowingly or recklessly handles stolen goods, knowing such goods to have been stolen. Defence: I didn't know it was stolen. And if your brief can't raise reasonable doubt about your knowledge of ANYTHING being stolen, it must be brain damage. To show you should have known it was stolen takes weeks of undercover work and establishing a pattern of behaviour. Again, I could bore the a**e off you with stories. Regards, tom. Tom Cleary - Security Architect Tel. +61 8 9254 5345 Mobile: 0411208423 [EMAIL PROTECTED] In IT, acceptable solutions depend upon humans - Computers don't negotiate.
Re: [Full-Disclosure] Re: Cisco's stolen code
James Edwards said: With all due respect...Fair Use does not cover stolen works ! See, this is where we get to the bit where the Global Legal system has yet to catch up with I.T. When I was a Police Officer in the U.K. the definition of Theft was ( and had been for a LONG time ): Dishonestly obtains the property of another with the intent to permanently deprive them of it. Problem: Cisco still have the code - offence not complete, therefore prosecution not possible. That's why Govt is thrashing around inventing new offences, most of which ( what's new? ;-) are unenforceable. And it still doesn't address the global nature of the Internet. And it still doesn't address the fact that the only proof they can often get is transient records in an ISP syslog. And it still doesn't just grok how Computing works, Technically or Commercially. At present, the offence committed is like taking an unauthorised picture of a work of art and giving prints to your friends - they can still appreciate it, it works for them but that infringes copyright - a civil tort for which you can get sued. Depending on which country they live in, they may have committed unauthorised access, which is criminal in some places. Hence attempts to get software patents put through, and draconian powers to enforce it, globally. So, at the moment this kind of behaviour is mostly unethical and morally reprehensible, but not a criminal offence. IMHO, most of the laws that have been passed are not good law, to the extent that they do not permit easy investigation and prosecution and mostly because ( like the U.S. prohibition laws ) they do not take into account the will of the people who want to use their CD/DVD burners, which they were legally permitted to buy, for things THEY want, not things Disney would like them to buy, despite having to turn a blind eye to where their copy came from. But the problem for content owners is how to get people to want to buy things they can copy more cheaply?
To a certain view, this can be seen as a Caxton issue - the Genie's out of the bottle. Our issue as thought leaders is how we can get the issue resolved correctly. Because I for one don't want to be a test case for some poorly cast law purely for doing my job. Apologies for the length. Regards, tom. Tom Cleary - Security Architect In IT, acceptable solutions depend upon humans - Computers don't negotiate.
Re: AW: [Full-Disclosure] no more public exploits
Cael Abal said: Realistically, the lack of a widespread published exploit means an attack on any given machine is less likely. An admin who chooses to ignore these probabilities isn't looking at their job with the right perspective. You missed the IMHO. In the Military your generalisation is probably not a self evident truth. To quote another poster's sig: Knowing what you don't know is more important than knowing what you know. and I would add that that's because what you do know you can try to deal with. Enough of the philosophy class. Regards, tom. Tom Cleary - Security Architect In IT, acceptable solutions depend upon humans - Computers don't negotiate.
Re: [Full-Disclosure] viruses being sent to this list
John Sage said: What does this tell us? Virii are getting out via the list; whether they are being transmitted inadvertently or deliberately is still open to question... ...and on that very topic, I'm getting bounces where the headers seem valid, containing old posts of mine to FD from the mailer-daemons of very reputable sources, containing virus scanner responses ( and viruses ) that get caught by our scanners. It seems that either: a) A worm is sending mails as if from an FD poster and as if the headers were from the list, using valid addresses and valid/spoofed received headers from old emails found on cracked machines. or b) The worms are being forwarded via the list with apparently valid subscriber details, as should be happening for an unmoderated list. I vote the list is not responsible. I say this because my email address is not subscribed to FD. Ergo, the list can't have sent the messages I'm getting responses to, unless the moderator has been sending out my old posts, again. I think this is conclusive? Regards, tom. In IT, acceptable solutions depend upon humans - Computers don't negotiate.
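The post above turns on whether the bounced messages really transited the list or merely carry Received headers that look as if they did. The check below is an added example, not code from the post or from the list software: the only Received line you can trust is the one your own inbound MX wrote, because it records the reverse DNS and peer IP of whatever actually connected; every line below it, and the HELO name in the top line itself, is text the sender (or a worm on a cracked machine) could have typed in. The list relay hostname is taken from the charter URL on this page; the MX name, the two sample messages, and all IP addresses (documentation ranges) are constructed for the example.

```python
import email
import re

# Assumption: the list relay's hostname (from the charter URL on the page) and
# the name our own inbound MX writes into the Received line it adds.
LIST_RELAY = "lists.netsys.com"
OUR_MX = "mx.example.net"

# One Received hop in the common Sendmail/Postfix shape:
#   from <HELO name> (<reverse DNS> [<peer IP>]) by <receiving host> ...
# The HELO name is whatever the connecting client chose to say; only the
# parenthesised annotation and the "by" host come from the receiving MTA.
_HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]()]*)\s*\[(?P<ip>[^\]]+)\]\)"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def parse_hop(received: str):
    """Return helo/rdns/ip/by for one Received header, or None if unparseable."""
    m = _HOP_RE.search(" ".join(received.split()))  # unfold continuation lines
    return m.groupdict() if m else None


def hops(raw: bytes):
    """All parsed hops, most recent first (the order they appear in the header)."""
    msg = email.message_from_bytes(raw)
    return [parse_hop(h) for h in msg.get_all("Received", [])]


def came_via_list(raw: bytes, our_mx: str = OUR_MX, relay: str = LIST_RELAY) -> bool:
    """True only if the host that connected to OUR MX was the list relay.

    The topmost Received line is the one our MX wrote; its reverse-DNS
    annotation is the only evidence under our control. Lower lines are claims.
    """
    chain = hops(raw)
    if not chain or chain[0] is None:
        return False
    first = chain[0]
    if first["by"].lower() != our_mx.lower():
        return False  # top line was not written by our MX; nothing to trust
    return first["rdns"].lower() == relay.lower()


# Constructed sample 1: genuinely relayed by the list (our MX saw the relay connect).
GENUINE = b"""Received: from lists.netsys.com (lists.netsys.com [203.0.113.10])
\tby mx.example.net (Postfix) with ESMTP id 0001
\tfor <tom@example.net>; Mon, 3 May 2004 10:00:01 +0800
Received: from mail.example.org (mail.example.org [192.0.2.25])
\tby lists.netsys.com (8.12.10) with ESMTP id 0002
\tfor <full-disclosure@lists.netsys.com>; Mon, 3 May 2004 09:59:50 +0800
From: tom@example.net
To: full-disclosure@lists.netsys.com
Subject: Re: [Full-Disclosure] some old thread

old post body
"""

# Constructed sample 2: a worm on a dial-up host replays an old post. It HELOs
# as the list relay and pastes in a fake lower Received line, but our MX
# recorded the real peer, so the chain stops being credible at the top.
FORGED = b"""Received: from lists.netsys.com (dsl-77.example-isp.net [198.51.100.77])
\tby mx.example.net (Postfix) with ESMTP id 0003
\tfor <tom@example.net>; Tue, 4 May 2004 02:13:07 +0800
Received: from mail.example.org (mail.example.org [192.0.2.25])
\tby lists.netsys.com (8.12.10) with ESMTP id 0004
\tfor <full-disclosure@lists.netsys.com>; Mon, 3 May 2004 09:59:50 +0800
From: tom@example.net
To: full-disclosure@lists.netsys.com
Subject: Re: [Full-Disclosure] some old thread

old post body, plus the attachment the scanner caught
"""

if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("forged", FORGED)):
        print(label, "via list:", came_via_list(raw), hops(raw)[0])
```

When applying this to a real bounce, remember that the bounce wraps the original message: the Received lines that matter are those of the message as it reached the bouncing site's MX, so read the top hop of the enclosed original, not the top hop of the bounce itself. If the bouncing site's MX recorded a dial-up peer rather than the list relay, the list never touched that copy, whatever the lower lines say.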
Re: [Full-Disclosure] Pepsi Bottlecap Liner Labeling Information Leak Vulnerability
Vendor Status: The vendor has not been notified. humour I am horrified that you released this without working closely with the Manufacturer. You have caused a huge problem for the enormous number of hard-working retailers who are now exposed to tremendous risk as the uninitiated exploit this vector. Shame on you - even if you know that a fix would be scheduled for the early part of April ( probably the first, I expect.. ) As with all irresponsible disclosure, I fully expect the Vendor to not give you credit - as is right! Boo! Hiss! tom. /humour
Re: [Full-Disclosure] FW: Last Microsoft Patch
I guess there's still no patch for stupidity. SNIP Or callousness, arrogance, bad-naturedness... I think the phrase you're looking for is Let he who is without sin cast the first stone. Right? ;-) Regards, tom. --- The only reason acceptable compromises occur in IT based activities is because a Human did some lateral thinking: Computers don't negotiate. __ Security Consultant/Analyst CSC Ph: +61 8 9429 6478 Email: [EMAIL PROTECTED]
RE: [Full-Disclosure] Re: Cisco IOS Denial of Service that affects most Cisco IOS routers - requires power cycle to recover
Guys, So... has anyone been able to verify that the problem occurs when the TTL expires without the packet being addressed to the router? Or is it a requirement that the evil packet be addressed to the router? As far as we know, the TTL has to go to 1/0 on the target IP address. Haven't been able to get the effect on a transit packet. Regards, tom. __ Security Consultant/Analyst CSC Ph: +61 8 9429 6478 Email: [EMAIL PROTECTED] This email, including any attachments, is intended only for use by the addressee(s) and may contain confidential and/or personal information and may also be the subject of legal privilege. Any personal information contained in this email is not to be used or disclosed for any purpose other than the purpose for which you have received it. If you are not the intended recipient, you must not disclose or use the information contained in it. In this case, please let me know by return email, delete the message permanently from your system and destroy any copies.