Re: [Full-disclosure] Drupal 7.x Search Module - Full Path Disclosure

2012-03-14 Thread Roger
Maybe call http://us3.php.net/manual/en/function.is-string.php to check that the parameter is a string and not an array or anything else before blindly passing around? I don't know but if a framework does not do these kinds of validations then they are powerful.not. ___

Re: [Full-disclosure] [VIDEO] Keylogger, RecordMic and Shell

2011-01-25 Thread Roger
Too late. I already sent that information to the FBI for prime factorisation. -r ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Getting Off the Patch

2011-01-16 Thread Roger Casteele
f-absorbed; clumped corrupted brain tissue. On that note Valdis, what's your story, what is your education? Roger C Cron Enterprises Jacksonville, FL --- On Fri, 1/14/11, valdis.kletni...@vt.edu wrote: From: valdis.kletni...@vt.edu Subject: Re: [Full-disclosure] Getting Off the Patch

Re: [Full-disclosure] Is Security Disclosure

2011-01-01 Thread Roger Casteele
Don't drink and drive. You might spill your drink. As opposed to get in a wreck, you may get your shirt wet. Also, if you're reading this on your cell phone, don't text and drive. No Full Disclosure mailing list while driving. lol/ Happy new year guys. Good to join you.

[Full-disclosure] HbHc - Hacked by Hackers #1

2010-11-27 Thread Denny Roger
Brazilian Hacking Zine released @ H2HC 2010 Security Conference (Portuguese Language) http://www.zshare.net/download/83210403aba0740e/ http://rapidshare.com/files/433490263/hbhc1.txt

Re: [Full-disclosure] wikileaks still under attack, pressure revved up

2010-10-21 Thread Roger
I believe that most of the times it is not what you defend but how you defend it. I believe in Government transparency but the way WL is going about it it's not right, in my honest opinion. So this is good news in my opinion... -r

Re: [Full-disclosure] WTF eEye Really?

2010-05-05 Thread J Roger
> > And if the author is sincere and it was really his original intent, he > should refrain from blogging from now on... > I have a feeling his employer will see to that for the foreseeable future. At least in a professional context representing them as a company. If he really meant it as everyon

Re: [Full-disclosure] go public to avoid jail

2010-05-05 Thread J Roger
> > The security industry could really benefit from more of Stephen's > contributions > Allow me to clarify. Perhaps the INDUSTRY wouldn't benefit, but the general public which the security industry is supposed to be looking out for would. On Wed, May 5, 2010 at 9:47 AM,

Re: [Full-disclosure] go public to avoid jail

2010-05-05 Thread J Roger
[1] Releasing tools to the public COULD help you stay out of jail but isn't enough on its own (I never claimed it was BTW) [2] Gonzales is a rat that would turn on what was at least reported to be his best friend I've never met Stephen either online or IRL but from what I've read he sounds like h

Re: [Full-disclosure] go public to avoid jail

2010-05-03 Thread J Roger
n, May 3, 2010 at 1:36 PM, wrote: > On Mon, 03 May 2010 13:09:43 PDT, J Roger said: > > > A) Why did Gonzales keep logs of incriminating evidence against himself > and > > his friends in the first place? > > Probably because of... > > > C) Another Wired article

Re: [Full-disclosure] go public to avoid jail

2010-05-03 Thread J Roger
wrote: > There were excerpts in the Wired article, and there are more in the > court record - I'll see if I can find the link in my browser history. > Quite interesting reading, actually... > > On 5/3/10, J Roger wrote: > >> > >> I can see that you have no

Re: [Full-disclosure] go public to avoid jail

2010-05-03 Thread J Roger
> > I can see that you have no experience with the legal system other than > what you've seen on TV (which is, to say, none at all). > I know this is the Internet but you don't need to be quite so rude. Perhaps I just haven't been arrested (caught) as many times as you have. If you read > the IRC

Re: [Full-disclosure] go public to avoid jail

2010-05-03 Thread J Roger
In the United States the burden of proof is on the prosecution, not the defense. Stephen was innocent until proven guilty. I'm suggesting Stephen could have released his tool to the public so anyone authorized to audit cardholder data environments could have used it. What he did was the same thin

Re: [Full-disclosure] go public to avoid jail

2010-05-03 Thread J Roger
he jury recused the "not knowing" defense strategy on that base. > > [[ J Roger ]] possibly emitted, @Time [[ 28/04/2010 00:48 ]] The > Following #String > > jail. > > > > According to the following (dated) Wired article, > > http://www.wired.com/threat

[Full-disclosure] go public to avoid jail

2010-04-27 Thread J Roger
An important lesson from childhood, sharing, could help keep you out of jail. According to the following (dated) Wired article, http://www.wired.com/threatlevel/2009/12/stephen-watt/ Stephen Watt got screwed because he supplied his friend with a software tool he wrote and his friend used it to com

[Full-disclosure] redefining research: vulnerability journalism

2010-04-27 Thread J Roger
Discovered a security flaw in a production system you had no authority or permission to audit? Afraid to disclose the information for fear of prosecution? Don't stress too much, you have some protection if you redefine yourself as a "vulnerability journalist" According to a recent Wired article on

Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

2010-04-27 Thread J Roger
> > If a business wants to accept credit cards as a means of payment (based on > volume) then part of their agreement is that they must undergo compliance to > a standard implemented by the industry > PCI (Payment Card Industry) compliance is what people HAVE to do, as in > FORCED to do whether t

[Full-disclosure] Compliance Is Wasted Money, Study Finds

2010-04-27 Thread J Roger
> If a business wants to accept credit cards as a means of payment (based on > volume) then part of their agreement is that they must undergo compliance to > a standard implemented by the industry > PCI (Payment Card Industry) compliance is what people HAVE to do, as in > FORCED to do whether the

Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

2010-04-07 Thread J Roger
That's not entirely the case. Auditors aren't robots. It's their job to make determinations about your organization's capabilities and how they map against somewhat loosely defined compliance standards that have lots of wiggle room and lots of gray areas. All the gray areas are extremely useful to a

Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

2010-04-07 Thread J Roger
The entire compliance industry has design flaws which cause results to be skewed such that the intended value is lost. CompanyA hires a PCI auditor for their annual PCI audit. It is in the auditor's best interest to make sure CompanyA has a pleasant enough experience with them through the audit up

Re: [Full-disclosure] Setting the record straight on "The Return of Koobface"

2010-03-21 Thread J Roger
ng to happen soon. All I can > do > is sit back and watch while the Big Boys get their headlines. > > BTW, I don't consider myself "bitter". I'm what you might call "tangy". > > Thanks for your support, > > Hinky > > - Original

Re: [Full-disclosure] Setting the record straight on "The Return of Koobface"

2010-03-20 Thread J Roger
This reads as "waaa i noticed this first and didn't think much of it but now that someone else is making a big deal, i want my credit". Maybe you reported on it first on your blog, with a single sentence that wasn't even the primary focus of the post. Regardless if an uprise in koobface is signifi

Re: [Full-disclosure] SecurityFocus to partially shut down

2010-03-17 Thread J Roger
andrew, what happened to not wanting to be part of FD anymore? what happened to moving on with your life? with your girlfriend you wanted to move in with? you said you only returned to defend your amazing reputation that was being spoiled by imposters who have nothing better to do with their time t

Re: [Full-disclosure] the heart of the problem [was: RE: mac trojan in-the-wild]

2007-11-02 Thread Roger A. Grimes
keep on the old, criminally-owned Internet, or have your traffic and content subjected to higher levels of scrutiny. But we will do nothing of substance until a tipping point event happens and more blood is on the ground than need

Re: [Full-disclosure] mac trojan in-the-wild

2007-11-02 Thread Roger A. Grimes
client-side threats into my security defense consideration. For example, if users begin installing unauthorized P2P programs, it's part of my risk management strategy to reduce the risk from this sort of threat, regardless of whether it is a true security vulnerability...because

Re: [Full-disclosure] mac trojan in-the-wild

2007-11-01 Thread Roger A. Grimes
ers, regardless of the OS, are ready as ever to click on interesting content, malicious or not. We've got to design our defenses to pay more attention to client-side attacks, but it is the weak point now, not in the future. Roger ***

Re: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape, Miranda, Skype

2007-10-07 Thread Roger A. Grimes
I appreciate everyone's replies. Thanks for the replies and the explanations. I'm not a Microsoft developer, I'm just a security consultant. I didn't understand the nature of the central issue, at first, but now I do.

Re: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape, Miranda, Skype

2007-10-06 Thread Roger A. Grimes
no problem with the character(s) in question? What is the solution? The easy answer is to block the % character in this particular instance...but that's just a whack-a-mole fix. I'm asking, with genuine interest and a listening ear, what is the best long term sol

Re: [Full-disclosure] Next generation malware: Windows Vista's gadget API

2007-09-16 Thread Roger A. Grimes
nt using Active Directory group policies to a granular level. Roger *** *Roger A. Grimes, Senior Security Consultant *Microsoft Application Consulting and Engineering (ACE) Services *http://blogs.msdn.com/ace_team/default.aspx *CPA, C

Re: [Full-disclosure] Microsoft Windows Vista/2003/XP/2000 file management security issues

2007-03-10 Thread Roger A. Grimes
subfolders permission. c. Change the Creator Owner SID's default permissions for that folder. d. Make them separate folders. Roger * *Roger A. Grimes, InfoWorld, Security Columnist *CPA, CISSP, MCSE: Security (2000

Re: [Full-disclosure] Microsoft Windows Vista/2003/XP/2000 file management security issues

2007-03-09 Thread Roger A. Grimes
buy software or be a security genius. I just have to not place a "secure" folder in an insecure folder. Roger ***** *Roger A. Grimes, InfoWorld, Security Columnist *CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, yada...yad

Re: [Full-disclosure] Microsoft Windows Vista/2003/XP/2000 file management security issues

2007-03-09 Thread Roger A. Grimes
ke it more secure, but I can't do the same in Windows...and that makes it a Windows problem?? --See my other replies below. Roger ******* *Roger A. Grimes, Senior Security Consultant *Microsoft Application Consulting and Engineerin

Re: [Full-disclosure] Microsoft Windows Vista/2003/XP/2000 file management security issues

2007-03-09 Thread Roger A. Grimes
issue? Sounds like a developer issue to me. Roger -Original Message- From: Tim [mailto:[EMAIL PROTECTED] Sent: Friday, March 09, 2007 11:20 AM To: Roger A. Grimes Cc: bugtraq@securityfocus.com; full-disclosure@lists.grok.org.uk Subject: Re: [Full-disclosure] Microsoft Windows Vista/2003/XP

Re: [Full-disclosure] Microsoft Windows Vista/2003/XP/2000 file management security issues

2007-03-09 Thread Roger A. Grimes
e it isn't news. With that said, you have something valid to say, but so far it just isn't a "security vulnerability" that people need to be aware of. You're a smart person, concentrate on issues that will really give us bang for the buck discussions and issues. Roger

Re: [Full-disclosure] Microsoft Windows Vista/2003/XP/2000 file management security issues

2007-03-09 Thread Roger A. Grimes
realistic scenarios with more real-world use? There's plenty of them for us to focus on and to try and solve. Roger ***** *Roger A. Grimes, InfoWorld, Security Columnist *CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, yada...yad

Re: [Full-disclosure] Solaris telnet vulnberability - how many on your network?

2007-02-22 Thread Roger A. Grimes
back out of telnet, and get back in, to begin again. Roger *** *Roger A. Grimes, Senior Security Consultant *Microsoft Application Consulting and Engineering (ACE) Services *http://blogs.msdn.com/ace_team/default.aspx *CPA, CISSP,

Re: [Full-disclosure] [SPAM-1] Full-Disclosure Digest, Vol 22, Issue 17

2006-12-13 Thread Roger Howorth
-Original Message- From: [EMAIL PROTECTED] To: full-disclosure@lists.grok.org.uk Sent: 12/12/06 12:00 Subject: [SPAM-1] Full-Disclosure Digest, Vol 22, Issue 17 Send Full-Disclosure mailing list submissions to full-disclosure@lists.grok.org.uk To subscribe or unsubscribe via the

Re: [Full-disclosure] Internet Explorer 7 - Still Spyware Writers' Heaven

2006-11-06 Thread Roger A. Grimes
ng at straws. At least tell us something new, and not something that's been documented for years. Roger -Original Message- From: Eliah Kagan [mailto:[EMAIL PROTECTED] Sent: Friday, November 03, 2006 9:26 PM To: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com Subject: Re:

Re: [Full-disclosure] Internet Explorer 7 - Still Spyware Writers' Heaven

2006-11-02 Thread Roger A. Grimes
exploit (or social engineering attack) to copy up and place the malicious dll. And if the exploit requires another exploit and admin access to be successful, why stop there? Anything can be accomplished. Roger ***** *Roger A. Grimes, InfoW

[Full-disclosure] RE: Windows Software Restriction Policy Protection Bypass

2006-06-09 Thread Roger A. Grimes
This has been publically known and disclosed for many years, since XP Pro was first released. -Original Message- From: 3APA3A [mailto:[EMAIL PROTECTED] Sent: Friday, June 09, 2006 4:05 AM To: bugtraq@securityfocus.com; full-disclosure@lists.grok.org.uk Subject: Windows Software Restricti

[Full-disclosure] RE: RLA ("Remote LanD Attack")

2005-12-15 Thread Roger A. Grimes
the hping2 example, you'll need the -k parameter to make sure the source port stays at port 80, else it will increment up (80, 81, 82, etc.) Roger *** *Roger A. Grimes, Banneret Computer Security, Consultant *CPA, CISSP, MCSE: Secu