Re: [Full-disclosure] Most common keystroke loggers?

2005-12-01 Thread Blue Boar
Shannon Johnston wrote: Hi All, I'm looking for input on what you all believe the most common keystroke loggers are. I've been challenged to write an authentication method (for a web site) that can be secure while using a compromised system. I don't think that's possible for all compromise situ

Re: [Full-disclosure] Most common keystroke loggers?

2005-12-01 Thread Blue Boar
Kyle Lutze wrote: say somebody's password is foobar, on screen there would be a page that shows the new alignment of characters, such as saying a=c, d=3, b=z, etc. so instead of typing foobar the password they would type in for that session would be hnnzck. The next time the screen came up, it

Re: [Full-disclosure] Most common keystroke loggers?

2005-12-02 Thread Blue Boar
Frank Knobbe wrote: You can make the authentication step as secure as you like (and granted, that's what the thread is about, and what the OTP asked for) but don't forget that the 0wner of your machine still has the option to take over your transaction(s) post-authentication.

Re: [Full-disclosure] Most common keystroke loggers?

2005-12-02 Thread Blue Boar
Frank Knobbe wrote: That's why I emphasized that the use of tokens should not only be made for initial authentication, but also for *each transaction*. Any transaction can be hashed with a one-time code generated by a token and sent as a control with the transaction parameters. Any MITM intercept

Re: [Full-disclosure] Default password database

2005-12-27 Thread Blue Boar
Hochin Chen wrote: List, I am looking for a database of default accounts for various software like MS SQL, Oracle Server, IIS, etc. Any links / pointers? http://www.phenoelit.de/dpl/dpl.html http://defaultpassword.com/ BB

Re: [Full-disclosure] complaints about the governemnt spying!

2005-12-29 Thread Blue Boar
Paul Schmehl wrote: So, while everybody eagerly portrays Mr. Gilmore as an innocent citizen just trying to go about his daily life, he was far from it, knew when he entered the airport he was going to cause trouble, deliberately chose to do so anyway and now whines about his rights being violated.

Re: [Full-disclosure] [Dailydave] Linux's unofficial security-through-coverup policy

2008-07-17 Thread Blue Boar
Brad Spengler wrote: > I hope you don't expect me to take you or your reply seriously. Perhaps you could provide a list of those worthy to speak to you? Might save some time. I get the impression that the list is pretty small. BB P.S. Apologies for addres

Re: [Full-disclosure] [funsec] a song about me? :P [was: Vulnerability Release: CKFD001-CHATX]

2008-04-23 Thread Blue Boar
I know... your haters are better than mine ever were. BB Gadi Evron wrote: > At first I thought having a fan blog of someone who hates me was cool. > > Then I thought the comic strip was cool, but man... > > I like the guitar, even if the guy does like Hitler. >

Re: [Full-disclosure] [funsec] a song about me? :P [was: Vulnerability Release: CKFD001-CHATX]

2008-04-23 Thread Blue Boar
See what I mean? Mine are lame. BB jf wrote: > wouldn't he have to get owned and then fired to be on the same scale? > > On Wed, 23 Apr 2008, Blue Boar wrote: > >> Date: Wed, 23 Apr 2008 15:08:28 -0700 >> From: Blue Boar <[EMAIL PR

Re: [Full-disclosure] [funsec] death of "Dude" brings out the "Rude"

2008-02-12 Thread Blue Boar
Randy Mueller wrote: > Wow. It is amazing to read the outright disrespect for another’s life > and rights. > > I’m stunned. Almost speechless. And yet, I like to think that JP would have enjoyed giving them one last reason to demonstrate that they have no class.

Re: [Full-disclosure] Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)

2006-03-23 Thread Blue Boar
Theo de Raadt wrote: But what did you pay for Sendmail? Was it a dollar, or was it more? Let me guess. It was much less than a dollar. I bet you paid nothing. Hey Theo, what did you pay for all the software you started with and/or still use in your project? How much did YOU pay for Sendma

Re: [Full-disclosure] Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)

2006-03-23 Thread Blue Boar
Theo de Raadt wrote: (who are you again?) Your customer. That does not make it right for our user community to attack developers for their freely given efforts. People who get attacked might stop trying to improve the code. Attacking commercial software developers makes them write better c

Re: [Full-disclosure] Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)

2006-03-24 Thread Blue Boar
[EMAIL PROTECTED] wrote: Posting a private email to a mailing list is pretty slimeball, Ryan. And what private email was that? Or did you just assume that because you didn't see Theo's reply before mine that it went just to me? I believe you'll find that it has been posted to the list now.

Re: [Full-disclosure] Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)

2006-03-25 Thread Blue Boar
Stan Bubrouski wrote: On 3/24/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote: Posting a private email to a mailing list is pretty slimeball, Ryan. Funny you would do such a thing when you lost your bullshit job at Security Focus over getting owned. Sadly more and more people are posting off-l

Re: [Full-disclosure] How secure is software X?

2006-05-11 Thread Blue Boar
So pin it down a bit more for me. Do you want just public results of standardized blackbox testing? Something similar to the ICSA firewall certification? (Though, I assume you want actual public results.) Would you include source review? The Sardonix project tried to do that. Who does the

Re: [Full-disclosure] How secure is software X?

2006-05-12 Thread Blue Boar
Brian Eaton wrote: On 5/11/06, Blue Boar <[EMAIL PROTECTED]> wrote: Don't we fairly quickly arrive at all products passing all the standard tests, and "passing" no longer means anything? I believe that point is called "success." I was thinking more like al

Re: [Full-disclosure] Chinese Professor Cracks Fifth Data Security Algorithm (SHA-1)

2007-03-21 Thread Blue Boar
3APA3A wrote: > First, by reading 'crack' I thought the lady could recover the full message by > its signature. After careful reading, she can brute-force collisions 2000 > times faster. Cracking a hash would never mean recovering the full original message, except for possibly messages that were smaller

Re: [Full-disclosure] Chinese Professor Cracks Fifth Data Security Algorithm (SHA-1)

2007-03-21 Thread Blue Boar
3APA3A wrote: > I know the meaning of the 'hash function' term, I wrote a few articles on > challenge-response authentication and I did a few hash function > implementations for hashtables and authentication in FreeRADIUS and > 3proxy. Can I claim my right for sarcasm after call

Re: [Full-disclosure] Chinese Professor Cracks Fifth Data Security Algorithm (SHA-1)

2007-03-21 Thread Blue Boar
believe I was wrong about that. BB 3APA3A wrote: > Dear Blue Boar, > > It's not clear if this 'crack' can be applied to birthday attack. My > in-mind computations were: because birthday attack requires ~square root > of N

Re: [Full-disclosure] [funsec] MS Patch Coming Tuesday

2007-04-01 Thread Blue Boar
http://blogs.technet.com/msrc/archive/2007/04/01/latest-on-security-update-for-microsoft-security-advisory-935423.aspx Larry Seltzer wrote: > http://www.microsoft.com/technet/security/bulletin/advance.mspx > > Microsoft Security Bulletin Advance Notification > Updated: April 1, 2007 > > As part

Re: [Full-disclosure] [WEB SECURITY] Persistent CSRF and The Hotlink Hell

2007-04-16 Thread Blue Boar
He compromised the server(s) at the ad network we were using at the time, and simply served up his ad instead of the usual ones. BB Ryan Barnett wrote: > I believe that the SecurityFocus "defacement" by FluffiBunni a few > years back would be an example of

Re: [Full-disclosure] Re: Help put a stop to incompetent computer forensics

2005-08-10 Thread Blue Boar
Jason Coombs wrote: > Whether or not the malware does other things as well, everyone I know > considers a Trojan to be a type of malware that allows an intruder to > gain entry to a system through the front door once the malware has > gained entry through some other means such as tricking the user

Re: [Full-disclosure] Really ODD 12 byte UDP attempts

2005-08-28 Thread Blue Boar
James Lay wrote: > Aug 28 06:57:01 kernel: New,invalid SRC=64.94.45.26 DST=24.116.255.102 > LEN=32 PROTO=UDP SPT=11050 DPT=33440 LEN=12 Most likely someone is just tracerouting to your IP. Grab the actual packets, and check the TTLs to be sure. BB

Re: [Full-disclosure] n.runs-SA-2007.027 - Sophos Antivirus UPX parsing Arbitrary CodeExecution Advisory

2007-08-28 Thread Blue Boar
I remember people being all paranoid about the DMCA. They were worried security researchers would be sued for trying to release vulnerability information. But since that turned out to be unfounded, I guess we don't have to worry about the German thing. ;) BB

Re: [Full-disclosure] Honeypots

2006-09-16 Thread Blue Boar
[EMAIL PROTECTED] wrote: > Thanks for the responses. I'm more interested in capturing, > analyzing, and collecting as many types of malware as I can, so that > I may create a database for my friends and others to use. If there's > one that I should use specifically for that, please let me know. Che

Re: [Full-disclosure] 18th anniversary of Internet worm a.k.a. Morris worm

2006-11-03 Thread Blue Boar
[EMAIL PROTECTED] wrote: > I have to conclude that before that, buffer overflows weren't even well > known *inside* the security community, much less outside in the wider > programming community. They were known and exploited by 1972, in at least some communities. http://csrc.nist.gov/publications

Re: [Full-disclosure] Simcard 0day.

2007-01-01 Thread Blue Boar
dfklsddshd wrote: > 1. Open attachment. Does this actually work on people on a security mailing list? BB Complete scanning result of "Simcard.com", received in VirusTotal at 01.02.2007, 02:38:58 (CET). Antivirus Version Update Result AntiVir 7.3.0.

Re: [Full-disclosure] iDefense Q-1 2007 Challenge

2007-01-16 Thread Blue Boar
K F (lists) wrote: > We all know black hats are selling these sploits for <=$25k so why > should the legit folks settle for anything less? As an example the guys > at MOAB kicked around selling a Quicktime bug to iDefense but in the end > we decided it was not worth it due to low pay... > > Low

Re: [Full-disclosure] iDefense Q-1 2007 Challenge

2007-01-16 Thread Blue Boar
Simon Smith wrote: > Blue Boar, > Simply put, and with all due respect, you're wrong. About? I see basically two assertions in my note: 1) that I would sell to iDefense or TippingPoint. Surely you're not going to tell me what I would do? And 2) That iDefense isn't doin