Title: RE: [inbox] Re: [Full-Disclosure] CyberInsecurity: The cost of Monopoly
Do you really think you could convince the average user that they need to know this much about security? I mean, most users see their computers (and the network, servers, phones, faxes, etc...) as a tool to do busin
--On Monday, September 29, 2003 19:30:24 -0600 Bruce Ediger
<[EMAIL PROTECTED]> wrote:
I realize you're from Texas and everything, but are you nuts?
An 8-year old with a handgun should cause vast feelings of insecurity
in you, with or without proper training on her part.
Hmmm...I am from Texas, an
--On Monday, September 29, 2003 21:49:26 -0300 Rodrigo Barbosa
<[EMAIL PROTECTED]> wrote:
As some may recall, my original statement was an answer to someone that
was pointing out that Unix is more secure than Windows (I agree up to this
point), and gave an example telling that there are still several c
Rodrigo Barbosa wrote:
> > As I said, I also think that Micro$oft is as insecure as my 8
> > y/o daughter playing with a handgun.
And then, On Mon, 29 Sep 2003, Schmehl, Paul L replied:
> Your daughter wouldn't be insecure playing with a handgun if she had had
> proper handgun safety training. W
On Mon, Sep 29, 2003 at 07:27:51PM -0500, Frank Knobbe wrote:
> Don't shift blame to the admins. There are good admins on Windows, and
"Shift blame" ? I'm not doing such a thing. Also, I'm not here
shift blaming from admin. I'm just saying the OS A_L_O_N_E should not
be blamed. There are bugs on
On Mon, 2003-09-29 at 17:24, Rodrigo Barbosa wrote:
> My whole point is: I do think Windows is insecure, but one cannot blame
> Windows alone. There are many, many server still vulnerable to CodeRed,
> and that, these days, is mostly a fault of the server admin.
Don't shift blame to the admins. T
On Mon, Sep 29, 2003 at 12:39:14PM -0500, Schmehl, Paul L wrote:
> > As I said, I also think that Micro$oft is as insecure as my 8
> > y/o daughter playing with a handgun.
> >
> Your daughter wouldn't be insecure playing with a handgun if she had had
> proper handgun safety training. Wouldn't th
-BEGIN PGP SIGNED MESSAGE-
__
SGI Security Advisory
Title: sendmail prescan() vulnerability
Number: 20030903-01-P
Date: September 29, 2003
Reference: CERT CA-2003-25
kses 0.2.1
==
kses is an HTML/XHTML filter written in PHP. It removes all unwanted HTML
elements and attributes, no matter how malformed the HTML input you give it is.
It also does several checks on attribute values. kses can be used to avoid
Cross-Site Scripting (XSS), Buffer Overflows and Deni
Hate to say it but Roberta Bragg actually wrote something worth reading
on this subject.
Came out here:
September 29, 2003
Security Watch
http://mcpmag.com/security/
http://ENTmag.com
Handled it pretty well for someone who only does MS security.
I myself could care less about the platform debat
I have been contacted twice already by experts in the field,
and thought I should have been more clear in my description
of this "Greeting Card" Social Engineering email I received.
I have NOT investigated this site and do NOT claim it is using
any such Malware. My boss has other work for me a
InfoSec News wrote:
Forwarded from: Paul Robichaux <[EMAIL PROTECTED]>
1. Geer claimed to be speaking for @stake. He wasn't.
I do hope that all of you actually read the report before forming any
opinions about it, the people who wrote it, or the manner in which those
people portrayed themselves a
> -Original Message-
> From: Rodrigo Barbosa [mailto:[EMAIL PROTECTED]
> Sent: Monday, September 29, 2003 10:49 AM
> To: Curt Purdy
> Cc: [EMAIL PROTECTED]
> Subject: Re: [inbox] Re: [Full-Disclosure] CyberInsecurity:
> The cost of Monopoly
>
>
> As I said, I also think that Micro$oft i
Geeklog Multiple Versions Vulnerabilities
--
PRODUCT: Geeklog
VENDOR: Geeklog
VULNERABLE VERSIONS:
- 2.x ( TESTED ) (T.I.N.P)
- 1.x ( TESTED ) (T.I.N.P)
- And older versions possible affected too.
NO VULNERABLE VERSIONS
- ?
-
N.TED = Not Tested in a
I got "interesting" email this weekend. Someone is
suggesting that I go to their site to send an email
greeting card to someone and use that to SPY on them:
"Spy on Anyone by sending them an Email-Greeting Card!
Spy Software records their emails, Hotmail, Yahoo,
Outlook,
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
- --
Debian Security Advisory DSA 392-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Matt Zimmerman
September 29th, 2003
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hi ,
I'm testing some things in Apache about the URL parsing of the server,
I don't know if the Apache server parses completely provided URLs when
those urls are in this format:
[PROTOCOL HTTP / HTTPS ][SITE]/[DIR TO OVERRIDE RULES]/../[DIR TO
OVERRIDE
>
> Would that that would really help. I guess maybe in the
> long run it might, but I'm not holding my breath. There's still the
> small matter of connecting cause with effect and then implementing a
> program that will function appropriately at all levels of the
Just did a presentation
On Mon, Sep 29, 2003 at 09:55:18AM -0500, Schmehl, Paul L wrote:
> Furthermore, Unix and Windows don't even agree on what a group is. Or
> how the rights for that group should be configured. (Homogeneous
> environments are fairly easy in comparison but still not without their
> problems.) If, fo
Hi,
For those folks interested in the ongoing battle against the Verisign SiteFinder
service, the complaint in the class action lawsuit
against Verisign is now online:
http://www.techfirm.com/v-complaint.pdf
Richard M. Smith
http://www.ComputerBytesMan.com
As I said, I also think that Micro$oft is as insecure as my 8 y/o daughter
playing with a handgun.
But you do have to agree with me when I say that a great part of the
security problems we find in the wild, especially regarding bugs for which
fixes have been issued for several months, come from bad
There are vendors out there with secure-by-default solutions (EnGarde,
Openna, OpenBSD).
One of the largest problems I see is that the vendors distribute to
business needs, not security needs. In order to maintain market share,
you need to be able to sell something to the administrator who doesn't
> On Mon, 22 Sep 2003 [EMAIL PROTECTED] wrote:
>
> > Charles Darwin and Alfred Wallace independently came up with
> > the concept of natural selection.
>
> The cycle of a vulnerability from discovery to publication (or leak) is
> probably around two weeks to one month on average, which is a fairl
> -Original Message-
> From: George Capehart [mailto:[EMAIL PROTECTED]
> Sent: Monday, September 29, 2003 6:52 AM
> To: Curt Purdy; Schmehl, Paul L; 'Full Disclosure'
> Subject: Re: [Full-Disclosure] Soft-Chewy insides (was:
> CyberInsecurity: The cost of Monopoly)
>
> Paul Schmehl's lam
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
-
GENTOO LINUX SECURITY ANNOUNCEMENT 200309-15
-
PACKAGE : media-video/mplayer
SUMMARY
On Monday 29 September 2003 08:23 am, Michael Scheidell wrote:
>
> These fines and jail time will directly target the C/Board level, and
> only indirectly affect the security teams (they may lose their jobs
> when the company they work for goes bankrupt)
>
> It's only a matter of time before the l
Internet Explorer has a useless feature that allows evaluation of
Javascript expressions in style sheets through the "expression" keyword.
It allows execution of arbitrary javascript as soon as an HTML message is
read in older versions of Outlook and in most webmail systems filtering
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
-
GENTOO LINUX SECURITY ANNOUNCEMENT 200309-16
-
PACKAGE : net-ftp/proftpd
SUMMARY : A
>
>
> The problem is that there is no accountability at the top for allowing
> systems to be run in an insecure manner. It seems that neither Boards
> of Directors nor C-level corporate officers understand that, these
> days, a significant chunk of the risk that they need to manage arises
>
On Sat, 27 Sep 2003, Karl DeBisschop <[EMAIL PROTECTED]> wrote:
> On Fri, 2003-09-26 at 22:57, Paul Schmehl wrote:
>
> > We're working on a "jail vlan" concept now, where "evil" computers go.
>
> Maybe this concept is already widely in use at academia. If it is not,
> it may soon be.
We've been
Hrm. Now that that mentally challenged sack of dribble AKA the great condor is back in
the straight world I was wondering. What ever happened to Jonathan? Seeing as he was
the only publicly involved person with any actual skill, and it's 8 years after the
fact..I think it'd be nice for him to st
On Sunday 28 September 2003 03:39 pm, Curt Purdy wrote:
> When we get this far off-topic, how about putting up a new subject
> line with a was:
I've followed this thread and, especially the recent exchange among
Michael Zalewski, Frank Knobbe and Florian Weimer. My initial response
was to res
= Shattering SEH III
=
= [EMAIL PROTECTED]
= http://www.security-assessment.com
=
= Originally posted: September 29, 2003
== Background ==
Afte
On Mon, 29 Sep 2003, Jay Sulzberger wrote:
> > Yes, that is what I was trying to say, however lamely. The preponderance
> > of discussions and papers on security today focus on the network and how to
> > control the flow of data/packets. But in the final analysis, the problems
> > always come do
On Mon, 29 Sep 2003, Jay Sulzberger wrote:
> Tiny attribution alert: I wrote none of the words above.
Whoops! Sorry, I think that was Paul. Pine picked up the From: line,
I suppose, and ran with it.
___
Full-Disclosure - We believe in it.
Charter: ht
On Sat, 2003-09-27 at 13:23, Jedi/Sector One wrote:
> Forget the previous mail, I've messed up different versions.
> 1.2.6 is ok, sorry.
As far as we're aware the faulty code was introduced in 1.2.7rc1 so to
the best of our knowledge code earlier than that is not vulnerable (if
anyone has othe
It's late and I am going to bed. However before I do I have to address
this fallacious logic:
On or about 2003.09.29 00:36:42 +, Kristian Hermansen ([EMAIL PROTECTED]) said:
> The reason that MOST people look to exploit software/OS's is so that they
> can gain priviledges [sic] on the system.
On Sun, 28 Sep 2003, [EMAIL PROTECTED] wrote:
> The products like Okena, Entercept, BlackICE... all add another layer of
> protection that is essentially unnecessary when compared to function. I
> am not saying these products have no place but rather they are not the
> solution to this problem.
T