you have too much time on your hands, but this is hilarious stuff =)
It's true though, most people don't even know what a zombie process is :(
On Tue, Jun 12, 2012 at 11:34 AM, Григорий Братислава
wrote:
> Hello is Full Disclosure!! !! !!
>
> Is like to warn you about is Zombie apocalypse. Is on
On Wed, Jun 6, 2012 at 12:13 PM, Laurelai wrote:
> On 6/6/12 11:50 AM, Charles Morris wrote:
>>> I know for a fact HBGary was working with the NSA in regards to stuxnet.
>> I've never been all that good at spelling... but am I wrong that
>> HBGary is an ana
>I know for a fact HBGary was working with the NSA in regards to stuxnet.
I've never been all that good at spelling... but am I wrong that
HBGary is an anagram for "posturing charlatan" ?
Alternatively: if this is true then we are even worse off than I thought.
Let's just ditch browsers already. =)
On Wed, May 30, 2012 at 4:35 PM, Michal Zalewski wrote:
> Another moderately interesting tidbit, I guess...
>
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
H
> I request your permission to test any and all of your facilities in any way I
> deem appropriate including (but not limited to) your personal machines, the
> machines of your coworkers and family, and any other device I deem within
> scope of my testing. Further, I request you to grant full,
You should have gone to a CERT with this, shouldn't vendor
coordination be of urgency here?
On Thu, May 17, 2012 at 12:35 PM, Григорий Братислава
wrote:
> Hello Full-Disclosure!! !! !!
>
> Is like to warn you about is vulnerability in Dopewars. I'm is
> discover vulnerability perhaps 10 years ago
On Tue, Apr 24, 2012 at 11:13 AM, Michal Zalewski wrote:
>> IMHO, anyone who willingly, knowingly places customer data at risk by
>> inviting attacks on their production systems is playing a very dangerous
>> game. There is no guarantee that a vuln discovered by a truly honest
>> researcher cou
Welcome to 2002
On Tue, Apr 3, 2012 at 10:01 AM, Adam Behnke wrote:
> We all know that hackers are constantly trying to steal private information
> by getting into the victim's system, either by exploiting the software
> installed in the system or by some other means. By performing routine
> upda
Dear Valdis and whoever else;
The really ridiculous points are the following:
A) Every time you execute/install/download a program you are
committing evil data theft by not only copying
"secret" or "illegal" information into
RAM/Disk/Registers/Buffers/Busses/photons coming off the screen/human
mem
I'm curious what everyone's opinion is on the following question...
esp. to any FF dev people on list:
Do you think that the Firefox "warning: unresponsive script" is meant
as a security feature or a usability feature?
Just quickly I digress; this is a massive problem in the mindset of many.
They won't ever learn about something if they aren't ever made aware of it.
Say, by fixing the problem...
>
> I have seen the "most users don't understand X anyway" as an argument
> against fixing X in the browser several
Okay.. I'd be happy to help you, but could you rephrase the question?
>So, whos going to offer REAL DAMN ONLINE SEC HELP HERE , SIMPLE
On Fri, Dec 9, 2011 at 5:27 AM, xD 0x41 wrote:
> Oh wow another fucking genius!
>
> Upir actually know him, why aren't you a nice guy who thinks they're top
thing Google's program is
> directed to those that already are willing to gain no money for their work
> in disclosing vulns. Again, this is just my point of view.
>
>
>
> 2011/12/8 Charles Morris
>>
>> Granted, but I know that vulnerability research can take a hu
"pretty much nearly almost implying" and "implying" are very different things.
On Thu, Dec 8, 2011 at 10:05 AM, Benji wrote:
>>>IMHO, 500$ is an incredibly minute amount to give even for an error
>>>message information disclosure/an open redirect,
>>>researchers with bills can't make a living like
Granted, but I know that vulnerability research can take a huge chunk
of time out of a person's life,
and without getting in to "monetary philosophy", I feel that in our
current system, a person should
be compensated for their time if they've done something useful for society.
That's sort of the po
Don't be strange, was I not specific enough?
I think people should be encouraged to do the work,
if they are good enough to find something that nobody else has noticed yet-
and all of these "cash for bugs" programs have me a bit annoyed.
Not offering the money for issues that they claim to offer
Michal/Google,
IMHO, 500$ is an incredibly minute amount to give even for an error
message information disclosure/an open redirect,
researchers with bills can't make a living like that.. although it
might? be okay for students.
How many Google vulnerabilities per month are there expected to be?
Gr
+1. Except instead of MD5 you want to use something that isn't garbage.
On Tue, Dec 6, 2011 at 1:18 PM, Paul Schmehl wrote:
> A "poor man's" root kit detector is to take md5sums of critical system
> binaries (you'd have to redo these after patching), and keep the list on an
> inaccessible media (
Sorry paul, Gage is right here!
Instead of "silly" maybe more like "correct" :(
On Tue, Dec 6, 2011 at 2:42 PM, Paul Schmehl wrote:
> Don't be silly. You can run static binaries off a thumb drive without
> taking the system down. And that includes md5sum. You can put everything,
> including t
fact that the entire idea behind
> hashes is for them to be uniqueyeah.
>
>
> On Dec 2, 2011 11:17 AM, "Charles Morris" wrote:
>>
>> This is extremely depressing.
>>
>> On Fri, Dec 2, 2011 at 2:14 PM, Jeffrey Walton wrote:
>> > On Thu,
Valdis,
> (For real fun, consider that published and unpublished works are treated
> differently. And
> a password list almost always becomes a published work without the permission
> of
> the author(s) ;)
Talking of currently implemented systems...
One could argue that the author of lists re
This is extremely depressing.
On Fri, Dec 2, 2011 at 2:14 PM, Jeffrey Walton wrote:
> On Thu, Dec 1, 2011 at 10:59 PM, Sanguinarious Rose
> wrote:
>> I am at a lack of words for this, why pay $4.99 when you can just do
>> some simple googling? You can even search pastebin and get a mass
>> colle
nice try though
On Fri, Nov 18, 2011 at 9:10 AM, Dan Kaminsky wrote:
>
>
> On Fri, Nov 18, 2011 at 5:01 AM, wrote:
>>
>> On Thu, 17 Nov 2011 15:53:41 CST, C de-Avillez said:
>>
>> > There is no guest account on an Ubuntu server, so at least there
>> > this is not a real/perceived risk.
>>
>> And
Nathan, It IS an issue, don't let their foolishness harsh your mellow.
Although it's a completely ridiculous, backwards, and
standards-relaxing "security" mechanism,
the fact is they implemented it, and you subverted it.
In my book that's Pentester 1 :: Fail Vendor 0
I've had large vendors (read
1) Fix CVSS from disastrously broken to "slightly broken" or better
2) eliteness = #CVE* avg CVSS /sec + coolpoints
3) eliteness *= (taking credit for other people's vulns and known
issues) ? 0 : 1
On Fri, Jun 3, 2011 at 6:28 AM, Georgi Guninski wrote:
> On Thu, Jun 02, 2011 at 03:29:01PM -0700,
>
> Ok great, but by comparing MitM with sniffing, we're already assuming
> the attacker has access to the traffic. Think about it. There aren't
> any networks in common use today which in their physical
> implementation make alteration of packets harder than observation of
> packets. This is wh
On Fri, Mar 4, 2011 at 11:14 AM, bk wrote:
> On Mar 4, 2011, at 7:53 AM, Michael Krymson wrote:
>
>> The problem with this discussion is simply one of definition of security.
>> For some, security is entirely black and white.
>
> I can't speak for others, but I don't see anything as black & white
>
> It's hard to do if you're starting from zero and have to write your own
> tools. It's not hard to do when you can just download something off the
> Internet, which is the reality we're dealing with. Jay Beale released a tool
> to do this years ago at Toorcon. There are many others. Game
> the same. Another way to look at it is O(MitM) = O(sniff). There may
> be some implementation details that make MitM harder, but it's within
> a constant factor.
>
> To illustrate this point, we merely need to search the web for MitM
> tools. At the network layer, we could achieve this in one
> - ENCRYPTION IS POINTLESS WITHOUT AUTHENTICATION
> BTW there really isn't a security difference between
> encrypted-but-unauthenticated traffic and just plain unencrypted traffic.
> The only "attacker" you're defeating is a casual observer,
Fail. I hear the blackhats cackle as you switch to t
>> Disclosing how their epic story simply involved SQLi, well, what about the
>> guys discovering 0days in native code?
>
> Totally. I have long postulated that perl -e '{print "A"x1000}' is
> considerably more l33t than alert(1) or ' OR '1' ==
> '1.
>
> I don't understand the point you are gettin
I always felt "purposefully antagonizing others and inciting general
distress, fear, uncertainty, doubt, and frustration among as many
people as possible, without letting others know it was your intention"
was a better description..
All in all it means you aren't a nice person and you have
psychol
> Sorry, when I say eligible, I mean "which server would they be allowed to
> take down by law?".
> I'm not too hot on the laws of encryption, but I'm sure there is something
> which states that hosting encrypted files are not illegal, it's distributing
> the key which allows you to gain access to
>> It is my personal belief that all vulnerabilities should be patched
>> regardless of existence of a known attack vector or exploit.
>
> Let me fix that for you:
>
> All vulnerabilities should be evaluated as to whether patching them
> makes sense. If it's a one-liner fix for a stupid logic erro
Michele,
Granted I don't know or really care about drupal, and I'm not just
trying to defend MustLive,
who just seems to be a guy trying to get ahead in the world, even if
he's a little misguided; but what really gets to me is when people
dismiss issues like that. Not to mention you are assuming t
food for thought:
https://bugzilla.mozilla.org/show_bug.cgi?id=602181
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
On Thu, Oct 7, 2010 at 11:10 PM, Ryan Sears wrote:
> Hi all,
>
> As some of you may or may not be aware, the popular (and IMHO one of the
> best) FTP/SCP program Filezilla caches your credentials for every host you
> connect to, without either warning or ability to change this without editing
>
On Tue, Aug 31, 2010 at 7:03 PM, Dan Kaminsky wrote:
>
>
>
>
> On Aug 31, 2010, at 2:20 PM, Charles Morris wrote:
>
>> On Tue, Aug 31, 2010 at 5:15 PM, Dan Kaminsky wrote:
>>
>>>
>>> Again, the clicker can't differentiate word (the docume
On Tue, Aug 31, 2010 at 5:15 PM, Dan Kaminsky wrote:
>
> Again, the clicker can't differentiate word (the document) from word (the
> executable). The clicker also can't differentiate word (the document) from
> word (the code equivalent script).
>
> The security model people keep presuming exists
>
>> ... Don't run applications from untrusted locations ...
>
> You got it wrong. Only trusted applications are run. - The attacker
> prepares a WORD.DOC (and a RICHED20.DLL) file in some place. The
> victim clicks on the WORD.DOC file, using his own installed MSWord.
>
Aaah, well if that is the
On Fri, Aug 27, 2010 at 11:27 AM, matt wrote:
> Dan,
> While I agree with most of what you're saying, I do find this to be a pretty
> serious issue, and here's why.
> 1) The file doesn't have to be fake. It could be a legitimately real ppt,
> vcf, eml, html, whatever. The program(s) load the rog
is there anyone?? vulnerabilities found, off-list replies sought.
fall students approach; standard contact methods give: just disappointment.
On Wed, Aug 4, 2010 at 2:44 PM, Marsh Ray wrote:
> On 08/04/2010 09:44 AM, Paul Schmehl wrote:
>> --On Monday, August 02, 2010 12:36:37 -0400 Elazar Broad
>>>
>>> Spot on. I know of one large accounting/ERP system(which shall
>>> remain nameless, though I am sure there are those out there who
>>>
n. That could detect
a Cat spoofing and/or brute-force attack with a bust or cardboard
cut-outs. With any biometric authentication it's going to be expensive
and have all kinds of bugs and quirks... just teach him a password..
sheesh.
--
Charles Morris
cmor...@cs.odu.edu,
cmor..
TLMv2 only
>
In reality, every machine I've ever built here at ODU (production
included) has had NTLM turned off.
No complaints yet.
--
Charles Morris
[EMAIL PROTECTED],
[EMAIL PROTECTED]
Network Security Administrator,
Software Developer
Office of Computing and Communi
http://www.sowela.edu/elearning.html
... comments?
--
Charles Morris
[EMAIL PROTECTED],
[EMAIL PROTECTED]
Network Security Administrator,
Software Developer
Office of Computing and Communications Services,
CS Systems Group Old Dominion University
http://www.cs.odu.edu/~cmorris
Dear full-disclosure, please forever archive and cherish these
beautiful RIPEMD160 & SHA1 sums.
a26a3bc9210ea737111477df501d9f9235d94d46
3c5b90c8b6fcc65122da864931f76e0e39f0c384
Sincerely,
--
Charles Morris
[EMAIL PROTECTED],
[EMAIL PROTECTED]
Network Security Administrator,
Soft
--
Charles Morris
[EMAIL PROTECTED]
Network Security Administrator,
Software Developer
Office of Computing and C
t's a well known issue and is documented at
http://msdn.microsoft.com/library/default.asp?url=""
Andres tarasco
2006/5/21, Charles Morris <[EMAIL PROTECTED]>:
Microsoft Explorer (iexplore.exe) calls CreateProcess() with lpApplicationName = NULL. Instead, the lpCommandLine var
:\Program.exe" exists, it does not check any other paths,
therefore it is not nearly a sufficient workaround.
--
Charles Morris
[EMAIL PROTECTED]
Network Administrator
CS Systems Group Old Dominion University
http://15037760514/~cmorris
50 matches