Re: [Full-disclosure] Filezilla's silent caching of user's credentials

2010-10-14 Thread Christian Sciberras
Not all attackers are created equally. I still see this as a simple matter of violating KISS to introduce a layer of encryption. The question is, to which end? Sure, an attacker might see the encrypted file and think it's too difficult for him to get to the passwords. Another might use a certain

Re: [Full-disclosure] Filezilla's silent caching of user's credentials

2010-10-14 Thread silky
On Thu, Oct 14, 2010 at 5:39 PM, Christian Sciberras uuf6...@gmail.com wrote: Not all attackers are created equally. I still see this as a simple matter of violating KISS to introduce a layer of encryption. The question is, to which end? Sure, an attacker might see the encrypted file and

Re: [Full-disclosure] Filezilla's silent caching of user's credentials

2010-10-14 Thread Ryan Sears
Yeah I definitely have to go with silky on this one. Maybe if you elaborate on your point? I'm not sure I entirely grasp what you're trying to say, because if I am, then you share relatively the same view as the dev that's causing this problem. You can argue that any security measure doesn't

Re: [Full-disclosure] Filezilla's silent caching of user's credentials

2010-10-14 Thread Christian Sciberras
My point is, if you are granting access to this password file to everyone, the security hassles you're going through are all useless. I mean, ok, you might prevent script kiddies (or lazy hackers) from getting to the passwords, but discrimination is not the point of security is it? With regards

Re: [Full-disclosure] Filezilla's silent caching of user's credentials

2010-10-14 Thread Chris Evans
On Wed, Oct 13, 2010 at 11:46 PM, silky michaelsli...@gmail.com wrote: On Thu, Oct 14, 2010 at 5:39 PM, Christian Sciberras uuf6...@gmail.com wrote: Not all attackers are created equally. I still see this as a simple matter of violating KISS to introduce a layer of encryption. The

Re: [Full-disclosure] Filezilla's silent caching of user's credentials

2010-10-14 Thread Ryan Sears
Ah, now your point becomes clear to me. Of course you shouldn't be granting access to that kind of stuff. That shouldn't even really need to be stated, but I whole-heartedly agree. Rule #1 of security: You're only as secure as your weakest, and most easily manipulated layer (or link if

Re: [Full-disclosure] Filezilla's silent caching of user's credentials

2010-10-14 Thread silky
On Thu, Oct 14, 2010 at 6:51 PM, Chris Evans scarybea...@gmail.com wrote: [...] Sorry, but your comments are totally useless here and can't even really be addressed properly, given their quite ridiculous nature. Well done on behaving in a gentlemanly manner and winning people over with your

Re: [Full-disclosure] Filezilla's silent caching of user's credentials

2010-10-14 Thread Christian Sciberras
I'm not quite sure I grasp your 'red district' example, perhaps it's a difference in national slang? It's no use the criminal is handcuffed if he's not locked up in jail (or on the way to one) - it's a matter of time for him/her sawing/picking them off. I also think that a flame war might be

Re: [Full-disclosure] Filezilla's silent caching of user's credentials

2010-10-14 Thread Ryan Sears
Ok. Granted I'm not talking about a 0-day in OpenSSH here, but this IS a real issue affecting REAL people. I'm not really sure *who* you're trying to take a jab with point 7 and beyond, but I know at least part of it is towards me. Filezilla's behavior is *wrong* and what I was doing was

Re: [Full-disclosure] Filezilla's silent caching of user's credentials

2010-10-14 Thread silky
On Thu, Oct 14, 2010 at 7:20 PM, Christian Sciberras uuf6...@gmail.com wrote: exactly how wrong their thought processes are. My post was meant to encourage the reader to actually try and re-evaluate his position on his own and try a little bit of self-education on the matter. That's some nice

Re: [Full-disclosure] Filezilla's silent caching of user's credentials

2010-10-14 Thread Chris Evans
On Thu, Oct 14, 2010 at 1:23 AM, Ryan Sears rdse...@mtu.edu wrote: Ok. Granted I'm not talking about a 0-day in OpenSSH here, but this IS a real issue affecting REAL people. I'm not really sure *who* you're trying to take a jab with point 7 and beyond, but I know at least part of it is

[Full-disclosure] Netgear CG3000/CG3100 bugs

2010-10-14 Thread Alejandro Alvarez
Product: Netgear CG3100D Residential Gateway Vendor: http://www.netgear.com Discovered: August 30, 2010 Disclosed: October 14, 2010 I. DESCRIPTION The Netgear CG3100D Residential Gateway with firmware version 5.5.2 (and probably other CG3000/CG3100 models with the same firmware) has

[Full-disclosure] Gmail JSON Hijacking Attack Technique

2010-10-14 Thread IEhrepus
Gmail JSON Hijacking Attack Technique Author: pz [http://hi.baidu.com/p__z] hi_heige [http://hi.baidu.com/hi_heige] Team: http//www.80vul.com Release Date: 2010/10/14 Overview: Google defends against JSON Hijacking with javascript-loops, like: throw 1; , but it can be bypassed by IE8 Css

Re: [Full-disclosure] Filezilla's silent caching of user's credentials

2010-10-14 Thread Valdis . Kletnieks
On Thu, 14 Oct 2010 10:20:30 +0200, Christian Sciberras said: And that is my point exactly. While I'm shouting out loud, let me ask a question: How many FD readers are dumb enough to share their harddisks with the world? None? So what is the problem in using FileZilla personally? I mean,

Re: [Full-disclosure] Filezilla's silent caching of user's credentials

2010-10-14 Thread Christian Sciberras
Valdis, the thing is, if people want their password-keeping software secure, they ought to be limiting access to this said software. Instead, what we are proposing here is limiting software capability. Why? I can't back up the password file reliably anymore, thanks to this feature. I can't

Re: [Full-disclosure] Filezilla's silent caching of user's credentials

2010-10-14 Thread Adnan Vatandas
Stop logging into your FTP server from a public terminal with Filezilla. It's about a program insecurely and permanently storing user credentials without informing the user about this - in many cases certainly uncalled - behaviour. This issue is not about public terminals or users uploading

[Full-disclosure] [SecurityArchitect-008]: Xterm Local Buffer Overflow Vulnerability (fwd)

2010-10-14 Thread Thomas Dickey
The report is inaccurate (not a buffer overflow, but freeing unallocated memory). For reference, this is Debian #600129 in xterm's changelog. -- Thomas E. Dickey http://invisible-island.net ftp://invisible-island.net -- Forwarded message -- Date: Wed, 13 Oct 2010 19:50:36

Re: [Full-disclosure] XSS in Oracle default fcgi-bin/echo

2010-10-14 Thread sumit kumar soni
As I remember, Oracle simply removes the vulnerable samples/demos from the system after applying the patch, but it would be interesting to check if they still ship the vulnerable demo/sample with their products' latest release (i.e. releases after the patch release). Regards Sumit

Re: [Full-disclosure] Filezilla's silent caching of user's credentials

2010-10-14 Thread Pete Smith
Has anyone asked the developer to include a don't cache credentials or kiosk mode (as someone else suggested) option even if this is not the default at the very least it makes people aware that the passwords are stored and may be (trivially) recoverable. Pete On 14 October 2010 18:51, Chris

Re: [Full-disclosure] Filezilla's silent caching of user's credentials

2010-10-14 Thread Adnan Vatandas
On 14.10.2010 08:39, Christian Sciberras wrote: I still see this as a simple matter of violating KISS to introduce a layer of encryption. The question is, to which end? Sure, an attacker might see the encrypted file and think it's too difficult for him to get to the passwords. Another might

[Full-disclosure] USBsploit 0.3b

2010-10-14 Thread xpo xpo
Hi, USBsploit is a PoC to generate Reverse TCP backdoors (x86, x64, all ports) and malicious LNK files. It can also help to run Autorun or LNK USB remote infections, also dumping all USB files remotely on multiple targets (and multiple USB drives) at the same time, a set of specific extensions to

[Full-disclosure] Trojan/Zbot.B / LICAT / Murofet - Domains

2010-10-14 Thread exploit dev
Hi to all, If you are interested check: http://extraexploit.blogspot.com/2010/10/some-domains-for-licatmurofettrojanzbot.html -- http://extraexploit.blogspot.com ___ Full-Disclosure - We believe in it. Charter:

Re: [Full-disclosure] Filezilla's silent caching of user's credentials

2010-10-14 Thread Valdis . Kletnieks
On Thu, 14 Oct 2010 17:13:04 +0200, Christian Sciberras said: Valdis, the thing is, if people want their password-keeping software secure, they ought to be limiting access to this said software. Defense in Depth. It's a Good Idea. Yes, that guy who lost his house and got to watch it burn

Re: [Full-disclosure] Bonsai Information Security - Oracle Virtual Server Agent Command Injection

2010-10-14 Thread Nahuel Grisolia
On 10/13/2010 11:11 AM, Bonsai Information Security Advisories wrote: Oracle Virtual Server Agent Command Injection I'd like to thank Juan Pablo Perez Etchegoyen from Onapsis, for helping me with this research. kind regards, -- Nahuel Grisolia -

[Full-disclosure] Shmoocon 2011 Call for Papers

2010-10-14 Thread Bruce Potter
SHMOOCON VII, JANUARY 28-30, 2011 ANNOUNCEMENT AND CALL FOR PAPERS ShmooCon and The Shmoo Group are soliciting papers and presentations for the seventh annual ShmooCon. --== IMPORTANT DATES ==-- August 31, 2010 – CFP opens October 31, 2010 – Papers for preferential first round consideration

[Full-disclosure] CORE-2010-0517 - Microsoft Office HtmlDlgHelper class memory corruption

2010-10-14 Thread CORE Security Technologies Advisories
Core Security Technologies - CoreLabs Advisory http://corelabs.coresecurity.com Microsoft Office HtmlDlgHelper class memory corruption 1. *Advisory Information* Title: Microsoft Office HtmlDlgHelper class memory corruption Advisory Id: CORE-2010-0517 Advisory URL:

[Full-disclosure] Team SHATTER Security Advisory: SQL Injection in Oracle Database CREATE_CHANGE_SET procedure

2010-10-14 Thread Shatter
Team SHATTER Security Advisory SQL Injection in Oracle Database CREATE_CHANGE_SET procedure Oct. 13 2010 Affected versions: Oracle Database Server version 10gR1, 10gR2, 11gR1 and 11gR2 Remote exploitable: Yes (Authentication to Database Server is

[Full-disclosure] [ MDVSA-2010:204 ] avahi

2010-10-14 Thread security
Mandriva Linux Security Advisory MDVSA-2010:204 http://www.mandriva.com/security/

Re: [Full-disclosure] Filezilla's silent caching of user's credentials

2010-10-14 Thread Jeffrey Walton
If the encryption key stays on the same PC, there is absolutely no security in that. Given that this is open source, security through obscurity can't even start working (- encrypting local files with a local key / using custom algo == security through obscurity). Linux [apparently] has not

[Full-disclosure] OT: Hacking Pink Floyd

2010-10-14 Thread Thor (Hammer of God)
I've had several communications with some of you guys about music and such, so I thought this would be a fun way to kick off yet another blog about security and other such crap. For anyone interested, here is Hacking Pink Floyd: The Wall - http://www.hammerofgod.com/thorblog.aspx

Re: [Full-disclosure] OT: Hacking Pink Floyd

2010-10-14 Thread Benji
Do you have to take a breath every couple of seconds? It's painful to listen to On Thu, Oct 14, 2010 at 11:26 PM, Thor (Hammer of God) t...@hammerofgod.com wrote: I’ve had several communications with some of you guys about music and such, so I thought this would be a fun way to kick off yet

Re: [Full-disclosure] OT: Hacking Pink Floyd

2010-10-14 Thread Thor (Hammer of God)
Sorry :) It was tough to get the levels right for the audio input as well as the mic simultaneously... t From: Benji [mailto:m...@b3nji.com] Sent: Thursday, October 14, 2010 3:32 PM To: Thor (Hammer of God) Cc: full-disclosure@lists.grok.org.uk Subject: Re: [Full-disclosure] OT: Hacking Pink

[Full-disclosure] H2HC 2009 Videos Available!

2010-10-14 Thread Rodrigo Rubira Branco (BSDaemon)
Dear All, It is a pleasure to announce that the H2HC 2009 videos are finally available online! We had a very exciting conference with some 0day vulnerabilities affecting Microsoft Platforms released by Cesar Cerrudo. Those vulnerabilities have been later explained in Blackhat this year, which

Re: [Full-disclosure] Filezilla's silent caching of user's credentials

2010-10-14 Thread Jonathan Kamens
On 10/14/2010 05:09 AM, Chris Evans wrote: In this instance, the most productive way forward might be to submit a patch. I'm sure the developers would be more receptive to an approach based on here's a nice new feature rather than an approach based on pitchforks recruited from full-disclosure.

Re: [Full-disclosure] OT: Hacking Pink Floyd

2010-10-14 Thread Larry Seltzer
It says “My name is Roger Waters and I’m a completely selfish asshole and I’m taking my ball and going home now.” *From:* full-disclosure-boun...@lists.grok.org.uk [mailto: full-disclosure-boun...@lists.grok.org.uk] *On Behalf Of *Thor (Hammer of God) *Sent:* Thursday, October 14, 2010 6:33 PM