[Full-disclosure] Apple SSL fail

2014-02-22 Thread imipak
As no-one else seems to have mentioned it, I'll just leave this here: http://www.zdnet.com/major-apple-security-flaw-patch-issued-users-open-to-mitm-attacks-726624/ -- wake up the past and tell it to stay away ___ Full-Disclosure - We be

Re: [Full-disclosure] Where are you guys standing re: the (full) disclosure

2013-12-13 Thread imipak
On 13/12/13 15:06, Mikhail A. Utin wrote: > Answers: [...] > 2. If you keep it for yourself - no problems. If you disclose on Internet before informing M$, there is certain risk, but first of all it is not ethical. Sure it is. It's just a different set of ethics than the ones you (or I) would adhe

Re: [Full-disclosure] XKeyscore sees 'nearly EVERYTHING you do online

2013-08-02 Thread imipak
On 02/08/13 15:24, valdis.kletni...@vt.edu wrote: > > Well, for a long time, the NSA was legally prohibited from spying on US citizens, > and the British GCHQ was similarly not allowed to spy on Her Majesty's subjects. > > So we'd spy on Brits and they'd spy on our people and we'd have a data swap

Re: [Full-disclosure] [Full Disclosure] Unauthorized Digital Certificates Could Allow Spoofing

2012-06-04 Thread imipak
> what does this mean? > > m$ inadvertently gave signing rights to lusers, they got rooted or something else? > http://blogs.technet.com/b/srd/archive/2012/06/03/microsoft-certification-authority-signing-certificates-added-to-the-untrusted-certificate-store.aspx says: "[..] certificates issued

[Full-disclosure] FW: (no subject)

2012-04-25 Thread imipak
> Well, you believe that if you want to, but ask yourself... who benefits? -i ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Materials regarding Cyber-war

2011-03-23 Thread imipak
On 14 March 2011 17:24, bk wrote: > > On Mar 14, 2011, at 10:04 AM, imipak wrote: > > On 14/03/11 16:51, bk wrote: > > >> The point you missed is that almost all the examples we've seen so far > have > >> been closer to espionage than to actual warfa

Re: [Full-disclosure] Materials regarding Cyber-war

2011-03-14 Thread imipak
On 14/03/11 16:51, bk wrote: >> The point you missed is that almost all the examples we've seen so far have >> been closer to espionage than to actual warfare. [...] > Despite that, I agree. Espionage != War. People hyping "cyberwar" are either trying > to increase their sales, budget, or juri

[Full-disclosure] "Hacker attacks won't hurt your company brand"

2011-01-21 Thread imipak
"...the idea that a breach is unlikely to kill your organization is spreading, because it’s backed by data." " If you’ve been spreading FUD [..] you’re going to face some harsh questions. By regularly making claims which turn out to be false, people undermine their credibility. If you’re one of th

Re: [Full-disclosure] Cellphone with USB host

2009-10-12 Thread imipak
valdis.kletni...@vt.edu wrote: > So guys - what would be the ideal corporate-espionage device, > and what's the best approximation currently on the market? > AFAIK, it's a field of one: http://www.immunitysec.com/products-silica.shtml =i

Re: [Full-disclosure] iDefense Security Advisory 02.24.09: Adobe Flash Player Invalid Object Reference Vulnerability

2009-02-25 Thread imipak
Ray P wrote: >> "iDefense has confirmed the existence of this vulnerability in latest >> version of Flash Player, version 9.0.124.0." > > What am I missing here? Flash 9.0.124 has been out since April 2008 and > the version of Flash 9 on my computer is 9.0.154. From the Adobe advisory at http:

[Full-disclosure] BBC "cyber war" piece

2009-02-03 Thread imipak
"Nato officials have told the BBC their computers are under constant attack from organisations and individuals bent on trying to hack into their secrets." http://news.bbc.co.uk/go/rss/-/1/hi/world/europe/7851292.stm (NB - the author of that piece, IMNSHO, has a tendency to sound like an uncritica

Re: [Full-disclosure] [inbox] Re: Fwd: Comment on: USB devices spreading viruses

2008-11-23 Thread imipak
Exibar wrote: > wow, disabling files to run from the root of all drives would never, ever > fly in a corporate environment. Although I do like the idea on stopping > autorun malware, it would work... but oh the calls to the helpdesk! ;-) > Each of those support calls is an opportunity to find o

Re: [Full-disclosure] pause for reflection

2008-10-07 Thread imipak
> Keep your talentless tripe to yourself > I liked it. Some of the metaphysical imagery was particularly effective... =i -- make way for history flickering like a long-lost memory

Re: [Full-disclosure] DNS spoofing issue. Thoughts on

2008-07-26 Thread imipak
Hi Paul, >> The attack isn't "impossible", it's more like "1% chance *per hour* that >> your IDS doesn't notice and stop the attempts". Big difference... >> > >The information that I have says it's statistically impossible *if* >you are patched. > It's not statistically impossible; it just tak

Re: [Full-disclosure] Nominate Dan Kaminsky for Most Overhyped BugPwnie Award

2008-07-23 Thread imipak
mcwidget wrote: > Given how easy it appears to be to redirect a client to a malicious web > server, > The web != the Internet. Think of POP and IMAP. Hmmm. SMTP. All those Cisco devices that still use telnet rather than SSH... I'm /sure/ there are no SP networks whose routers don't use BGP + MD

[Full-disclosure] DNS and Checkpoint

2008-07-09 Thread imipak
Hello everyone, I've had a report from someone with clue (and tcpdump) that a properly functioning DNS resolver that correctly uses randomised source ports magically becomes vulnerable once the traffic's passed through a Checkpoint firewall, where Dan Kaminsky's tool shows: x.y.z.155:56978 TX
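Two checks that go with this report and with the "1% chance per hour" argument in the DNS spoofing reply above: first, whether the source ports you actually see on the wire still look randomised after the traffic has crossed the firewall, and second, what a blind spoofer's odds are with and without that port to guess. This is an added example, not code from either post, from Dan Kaminsky's tool, or from Checkpoint; the port lists are constructed by hand rather than taken from the tcpdump in the report, and the 0.2 "small delta" threshold and the independent-guess model are assumptions made for the example.

```python
"""Added example: screening observed DNS source ports for NAT-style
sequential allocation, and the blind-spoof odds that follow from it.

Not from the list posts or any vendor tool. Port samples are constructed.
"""
import math

# Constructed: successive query source ports from a resolver that randomises.
RANDOM_PORTS = [56978, 3127, 61004, 18833, 44210, 9902, 52117, 27455, 63001, 13390]

# Constructed: the same queries after a NAT/firewall has rewritten the source
# port sequentially, which is the failure mode the report describes.
SEQUENTIAL_PORTS = [10001, 10002, 10003, 10004, 10005, 10006, 10007, 10008, 10009, 10010]


def port_profile(ports):
    """Summarise a sequence of observed UDP source ports.

    Returns the overall span, the number of distinct ports, and the fraction
    of consecutive deltas that are small (|delta| <= 16). Sequential port
    allocation by a NAT shows up as a high small-delta fraction; a randomising
    resolver should rarely pick neighbouring ports back to back.
    """
    if len(ports) < 2:
        raise ValueError("need at least two observed ports")
    deltas = [b - a for a, b in zip(ports, ports[1:])]
    small = sum(1 for d in deltas if abs(d) <= 16)
    return {
        "span": max(ports) - min(ports),
        "distinct": len(set(ports)),
        "small_delta_fraction": small / len(deltas),
    }


def looks_randomised(ports, max_small_fraction=0.2):
    """True if the sequence does not look sequentially allocated.

    The 0.2 threshold is an assumption for this example; with a handful of
    samples this is a screening test, not proof of randomness.
    """
    return port_profile(ports)["small_delta_fraction"] <= max_small_fraction


def spoof_success_probability(attempts, txid_bits=16, port_bits=0):
    """Chance that `attempts` blind forged replies match one outstanding query.

    The attacker must guess the 16-bit transaction ID and, when the resolver
    and everything in the path preserve port randomisation, the source port
    too. Assumption: each forged packet is an independent uniform guess over
    2**(txid_bits + port_bits); several concurrent outstanding queries would
    improve the attacker's odds beyond this figure.
    """
    space = 2 ** (txid_bits + port_bits)
    return 1.0 - (1.0 - 1.0 / space) ** attempts


def attempts_for_probability(target, txid_bits=16, port_bits=0):
    """Forged replies needed to reach `target` success probability (0 < target < 1)."""
    if not 0.0 < target < 1.0:
        raise ValueError("target must be strictly between 0 and 1")
    space = 2 ** (txid_bits + port_bits)
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - 1.0 / space))


if __name__ == "__main__":
    for label, ports in (("randomised", RANDOM_PORTS), ("behind NAT", SEQUENTIAL_PORTS)):
        verdict = "ok" if looks_randomised(ports) else "SEQUENTIAL"
        print(label, port_profile(ports), verdict)
    # Same packet budget, with and without a randomised port to guess.
    budget = 100_000
    print("txid only      :", spoof_success_probability(budget))
    print("txid + port    :", spoof_success_probability(budget, port_bits=16))
    print("packets for 1% :", attempts_for_probability(0.01, port_bits=16))
```

Feed `port_profile` the ports from a capture taken on the far side of the firewall, not on the resolver host: the report's point is precisely that the resolver is doing the right thing and the box in the path undoes it, so only the outside view tells you what an attacker sees.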

Re: [Full-disclosure] Fwd: n3td3v has a fan

2008-04-14 Thread imipak
>> Hate to burst your bubble, but insider threats have been understood as an >> issue since well before you were born. > > > So has the concept of security theater, but that doesn't stop Bruce > Schneier talking about it in essays > > http://www.schneier.com/essay-155.html and at security > http

Re: [Full-disclosure] Standing Up Against German Laws - Project HayNeedle

2007-11-14 Thread imipak
Florian Echtler wrote: > So it wouldn't make much sense to create connection noise on a TCP or > HTTP basis, as this stuff isn't logged. I think one should rather > concentrate on generating email noise in this regard. > So the FD trolls are protecting us from the surveillance state(s)? Eat your

Re: [Full-disclosure] End of the world?

2007-11-13 Thread imipak
[EMAIL PROTECTED] wrote: > Check this out... > > http://www.rollingstone.com/politics/story/16956300/the_prophet_of_climate_change_james_lovelock > Yeah,.. hey, this one seems to work, too: http://www.rollingstone.com/politics/story/16956300/turnips-galore-at-the-CNN-feast-of-burbling-

Re: [Full-disclosure] The Death of Defence in Depth ? - Aninvitation to Hack.lu

2007-10-10 Thread imipak
Hi Thierry, wandering off-topic, but this is FD, where There Is No Topic...: > What currently is being done in the industry is to ADD more layers of > defence to protect against one failing, this is being done by adding > one parsing engine after the other. Again nobody said Defence in Depth > i

[Full-disclosure] secure listserv config

2007-03-30 Thread imipak
What? A security company sets up a mailing list, but allows any tom, dick or J.Random Hacker Jr. III to post to it? Then fails to notice the storm of people saying "unsubscribe!", "me, too!", "shut up!", "stop sending me all this crap!" and "No, you stop!"?? Inconceivable!

Re: [Full-disclosure] [WEB SECURITY] Re: comparing information security to other industries

2006-12-27 Thread imipak
Krainium wrote: > How long would a pharmaceutical company > exist if it's drugs were known to be poisonous? Would the patient buy and > take the antidote so they could continue using the drug, much like we now buy > and use all kinds of antivirus, anti-trojan, anti-spyware, etc? Adverse drug re

Re: [Full-disclosure] Austin Decking 512-385-5334 Austin decking wholesale

2006-11-14 Thread imipak
Alan J. Wylie wrote: > On Tue, 14 Nov 2006 00:46:24 -0800 (PST), William Stanley <[EMAIL PROTECTED]> > said: > ^^^ > > > Joe Job? What makes yo

Re: [Full-disclosure] Microsoft Firefox?

2006-11-06 Thread imipak
Simon Smith wrote: > > http://www.msfirefox.com/microsoft-firefox/index.html > Probably some joker playing mind games; still -- Technical Contact: Whois Privacy Protection Service, Inc. Whois Agent ([EMAIL PROTECTED]) +1.4252740657 Fax: +1.4256960234 PMB 368, 14150 NE 20th St

Re: [Full-disclosure] Security as an Enabler - Virtual Trust: An Open Challenge to All InfoSec Professionals

2006-09-29 Thread imipak
Kenneth F. Belva wrote: > How creative are you in arguing for and against the VT theory as well as > envisioning the impact? > How creative would you like us to be? /i -- And what exactly is a dream? And what exactly is a joke? - Syd Barrett

[Full-disclosure] Re: Bypassing of web filters by using ASCII

2006-06-22 Thread imipak
Hi, 2. affected software Only the InternetExplorer displays ASCII encoded web pages as 7 bit. We checked several hardware router and antivirus solutions, all of which failed to detect malicious JavaScript in manipulated web pages. Ethereal (I can't bring myself to call it 'wireshark' yet) se

Re: [Full-disclosure] Re: Gary McKinnon

2006-04-14 Thread imipak
n3td3v wrote: > Gary McKinnon To Speak At Infosecurity Europe Hacking Panel > So, will anyone else from FD be there to see him? I'll be in the pub across the road /i -- And what exactly is a dream? And what exactly is a joke? - Syd Barrett

Re: [Full-disclosure] Microsoft DNS resolver: deliberately sabotaged hosts-file lookup

2006-04-14 Thread imipak
Nick FitzGerald wrote: > So, the exception is not that the IP is hard-coded, but that the DNS resolver > skips looking in hosts for that _domain_ and necessarily does a network DNS > lookup... > Presumably, it uses whichever DNS server the local OS thinks it should use, no differently than any

RE: [Full-disclosure] Disney Down?

2005-08-17 Thread imipak
Larry Seltzer wrote: > none of the current attacks will directly infect Windows XP systems, > including consumer systems, and therefore will not linger there. To > illustrate the point, it's a long time now since the RPC/DCOM bug > was patched and still there are lots of infected systems out there

Re: [Full-disclosure] Re: Hack Your Credit Card Company (OT)

2005-05-26 Thread imipak
Kristian Hermansen wrote: >> I think I look pretty hot in that picture actually, but you sickly >> emaciated Russian bastards must know it all. >> > > I kinda agree with the comment from my fellow comrade. > Young spotty gay beatch playing kewl hax0rzz games, ha? > What's the matter? gay people

Re: [Full-disclosure] Not even the NSA can get it right

2005-05-25 Thread imipak
James Tucker wrote: > You forgot again, that we know nothing, and this means we > can also make no inferences. Speak for yourself. Seems to me that a lot is known about these things... purpose & function of NSA is well known (sigint.) Nature of XSS attack scenarios is well understood, too. >Fro

[Full-disclosure] MS launch subscription-based security service

2005-05-13 Thread imipak
http://news.com.com/Security+gripes+Microsoft+feels+your+pain/2100-7355_3-5705430.html?tag=nefd.top Security gripes? Microsoft feels your pain Published: May 12, 2005, 9:00 PM PDT By John Borland Staff Writer, CNET News.com It's not news to Microsoft that many, if not most, average Windows users

Re: [Full-disclosure] PWCK Overflow POC Code Redhat/Suse older versions or something (maybe later too)

2005-05-09 Thread imipak
Day Jay wrote: > Please teach me to be like you, I'm striving to be as > good as you Steve. You obviously are my master. > > I bow to you. > > Please teach me! Your code is sooo l33t! > Have you read this? http://www.unixwiz.net/about/#security So what exactly have _you_ contributed to the