Warning, possibly off topic content.
(But doesn't security start with the first lines of code?
or even before?)
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Bill Royds
> Sent: Thursday, 30 October 2003 1:07 p.m.
>
> Actually provably correct is not that difficult if you
On Wed, 29 Oct 2003 18:55:16 EST, George Capehart <[EMAIL PROTECTED]> said:
> This is why the CA's Certification Practice Statement (CPS) is so
> important . . . and why, if one is going to accept a certificate, they
> *really* should read the CPS and understand exactly what process the CA
> we
On Thu, 30 Oct 2003 10:55:01 +1300, Nick FitzGerald <[EMAIL PROTECTED]> said:
> amount of "trust" a truly good CA can add to the equation, or that MS
> did not understand (or, more likely, was unprepared for marketing
> reasons to admit) that Authenticode is really just a sham adding
> nothing
Hardware that separates code from data has been around since the 60's. The
x86 (486 and above) line can do it with segment registers, but most
compilers find it too difficult and the overhead of switching state too much
for many tasks.
The SPARC has systems monitors built into hardware and so does
If you're looking for a small specific purpose tool there's one command line
tool from ISS
www.iss.net
- Original Message -
From: "Florian Weimer" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, October 29, 2003 10:00 PM
Subject: [Full-Disclosure] Remote MS03-043 detectio
In an
article (http://msdn.microsoft.com/msdnmag/issues/03/11/SecurityCodeReview/default.aspx)
in the November issue of MSDN magazine, Michael Howard (who
wrote building secure code), gives pointers to finding security defects in
code.
"Allocating Time and Effort
I have a ranking system I
I downloaded and looked at Cyclone today and it looks like it would be a
good system to get developers to move to. Its only problem is that it also
adds to the C language (garbage collection, templates like C++ etc.) that
means that one has to edit standard C to compile, even for C that is not
usin
Schmehl, Paul L wrote:
-Original Message-
From: Brett Hutley [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 29, 2003 12:13 AM
To: Bill Royds
Cc: madsaxon; [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Off topic programming thread
I think what you're really saying is that C allows
On Wed, 29 Oct 2003 22:36:21 +0200, Caraciola said:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> That will open a big can of worms to start the exeloader has to supply an
> image of TEXT and CODE segments (x86), feed that to a function which
> fingerprints this ( PoC with gnupg ?), a
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
All,
I just wanted to thank you for the response to my questions concerning
IDS evasion so far. I never expected to get so much information so
quickly about the subject. The more the better ;)
- --
Regards,
-simon-
"When a shepherd goes t
On Wednesday 29 October 2003 08:04 am, Nick FitzGerald wrote:
>
> Authenticode is useless as a means of ensuring code is trustworthy
> _independent_ of such an effort from the CAs. _All_ Authenticode
> tells you is that someone was prepared to part with some cash and
> they found a CA they conv
Actually provably correct is not that difficult if you use a programming
language that is designed to help you write correct code, such as Euclid or
Cyclone.
There is a company in Ottawa Canada called ORA Canada that specializes in
such things for military and high security software see http://www
Alexandre Dulaunoy wrote:
On Wed, 29 Oct 2003, Bill Royds wrote:
I agree that one can write secure code in C, but I am saying that C doesn't
help in writing it.
Perhaps we need to "deprecate" some C standard library functions and syntax
Various attempts to move to a specific dialect of C ex
> -Original Message-
> From: Florian Weimer [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, October 29, 2003 9:00 AM
> To: [EMAIL PROTECTED]
> Subject: [Full-Disclosure] Remote MS03-043 detection for Windows NT
>
> Is there a tool that can tell unpatched Windows NT machines
> from those whic
Here's a good start:
fragroute -- http://www.monkey.org/~dugsong/fragroute/
snot -- http://www.stolenshoes.net/sniph/index.html
stick -- http://www.eurocompton.net/stick/projects8.html
whisker and a few IDS evasion papers -- http://www.wiretrip.net/rfp/
--Ben
simon wrote:
-BEGIN PGP SIGNED MES
> -Original Message-
> From: Brett Hutley [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, October 29, 2003 12:13 AM
> To: Bill Royds
> Cc: madsaxon; [EMAIL PROTECTED]
> Subject: Re: [Full-Disclosure] Off topic programming thread
>
> I think what you're really saying is that C allows
> progr
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
All,
I am interested in learning about IDS evasion tricks and tools for both
host based IDS systems and network based IDS systems. Is there a place
where I can find a list that either gives technological details or tools
that I could study to learn
Who cares about credit card numbers, I'm looking for privileged access to
sites. Consider the following:
People use this service as an attempt to obfuscate the usernames and
passwords to protected websites and ftp servers that they email out. I'm
finding a lot of urls that read like:
http://user
On Wed, 29 Oct 2003 14:44:12 -0700, "Joel R. Helgeson" <[EMAIL PROTECTED]> wrote:
> Who cares about credit card numbers, I'm looking for privileged access to
> sites. Consider the following:
>
> People use this service as an attempt to obfuscate the usernames and
> passwords to protected website
"Lan Guy" <[EMAIL PROTECTED]> wrote:
> Some time, like 2 or 3 years ago some group registered their Own Certs in
> the name of Microsoft Corporation.
> http://slashdot.org/articles/01/03/22/1947233.shtml
Yeah, I know.
That's why I take anything with a Verisign cert with two grains of salt
-- at
On Wed, 29 Oct 2003 08:30:17 -0600, "David Klotz" <[EMAIL PROTECTED]> wrote:
> I don't agree. First, you shouldn't be using a service like this to send
> sensitive information in the first place, and if you are, you get what you
> deserve. If I leave my bank account number in my mailbox so I'll
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
That will open a big can of worms to start the exeloader has to supply an
image of TEXT and CODE segments (x86), feed that to a function which
fingerprints this ( PoC with gnupg ?), a daemon has to check every
process/thread each ? second or so,
Hello, I've created a non-profit, open, website to
track and collect reviews and ratings for
security-related training. I recently achieved the
CISSP, but I had a very hard time selecting a review
course. Some people said the ISC2 course was best,
others said the Shon Harris course was best. I ende
hehehe
It appears that people use this service as an attempt to obfuscate the
usernames and passwords to protected websites and ftp servers that they
email out. I'm finding a lot of urls that read like:
http://username:[EMAIL PROTECTED]/members
ftp://user:[EMAIL PROTECTED]/private/sourcecode
Look
I would say if you're passing sensitive information you shouldn't use this
service anyway. Even if they randomized it, there's nothing stopping
someone from just randomly entering URLs. I'd stumble upon your
sensitive information eventually. It's fine for passing news stories and
Ebay links, but I w
The mind boggles...
On Wed, Oct 29, 2003 at 09:11:37AM -0600, Bassett, Mark wrote:
> Anyone want an Asus Motherboard from newegg? :)
>
> http://www.tinyurl/boob
Continuing to apply random, four-character strings, I offer this:
For those of you based in the US and who dislike the current,
Republ
On Wed, 29 Oct 2003 10:23:58 EST, "Discini, Sonny" <[EMAIL PROTECTED]> said:
> hurt to mention that most of the triggers here are identifying this as
> W32.Welchia while others are identifying it as Nachia.
Two names for the same beast.
It makes me wonder, what legacy software needs local admin to function. In
my experience it is more common that the admins don't know or don't care how
to make ' strange ' software work under W2k, and generally it is software
considered not-supported and non-standardized. The last part usually give
Can we now agree that this is not an ideal medium for passing sensitive
information?
Surely anyone with an iota of common sense would realise that this would not
be a 'good thing(tm)'?
Hence, we veer wildly into the 'mostly irrelevant' category ;-)
Cheer all,
--
Ricky Blaikie - Server City Ltd
T
Nick FitzGerald <[EMAIL PROTECTED]> wrote:
> Does their AUP/ToS/etc require that their certs not be used for such
> things??
I believe - and I haven't seen the agreement myself - that it says the
signer's code may not be 'malicious'.
This is of course difficult to define. If the software install
That reminds me of a joke:
What do you call a prostitute with a runny nose?
...
Full!
> Another from Tinyurl...
>
> From News.COM.AU:
> "War stress wears out prostitutes"
> http://tinyurl.com/49b
>
> And we thought we had it hard...
Can someone forward the original email about this to me? I'm away from my
system till tomorrow.
BTW,
http://tinyurl.com/beer
I need a hug
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
OK: wait a minute, wait a minute..
On Wed, Oct 29, 2003 at 09:11:37AM -0600, Bassett, Mark wrote:
> Anyone want an Asus Motherboard from newegg? :)
>
> http://www.tinyurl/boob
Following hot (hmm.. interesting choice of words..) on the heels of my
previous research (http://www.tinyurl.com/c*nt) i
hah!
On Wed, Oct 29, 2003 at 09:11:37AM -0600, Bassett, Mark wrote:
> Anyone want an Asus Motherboard from newegg? :)
>
> http://www.tinyurl/boob
What thought process caused you to choose that specific string?
- John
--
"Most people don't type their own logfiles; but, what do I care?"
-
Joh
Haha,
Interesting behavior here. How is that http://www.tinyrul.com/dick
takes you to the home page of Dick Cheney?
-Jimmy
On Wed, Oct 29, 2003 at 09:11:37AM -0600, Bassett, Mark wrote:
> Anyone want an Asus Motherboard from newegg? :)
>
> http://www.tinyurl/boob
>
>
> Mark Bassett
> Netw
It's actually very easy to prevent any policies from coming down to your
system if you have local admin rights. What you do is first, delete the
policies from the registry, then deny everyone (except for a locally created
user) access to the policy key. You'll see the failures in the event log
wh
I tried that and, as I expected, that doesn't work; it just prompts for
download if you redirect to that file.
I think you're confused with the object-tag-in-localzone type of
vulnerabilities we had a while back, you could execute programs without
parameters with that. But that's nothing like this, o
Nick FitzGerald <[EMAIL PROTECTED]> wrote:
> Does their AUP/ToS/etc require that their certs not be used for such
> things??
I believe - and I haven't seen the agreement myself - that it says the
signer's code may not be 'malicious'.
This is of course difficult to define. If the software install
All -
In working up a scheme to authenticate one program to another, it occurred to
me that it might
be useful to be able to be assured a piece of code has not been altered during
its running, on
the basis of occasional probes. If something bashed a program in mem
sorry,
how to monitor/discover ... sukit was send/receive commands? Any tips ?
[] sgab
Alvaro Gomes Sobral Barcellos wrote:
Hi,
Someone can explain how the 'Suckit' rootkit , send logs or
receive commands ?
[]s agsb
On Wed, 29 Oct 2003 12:08:20 GMT, Ben Laurie said:
> Duh. That's a complete misunderstanding of the halting problem - which
> is, in essence, that you can't write a program which can predict, in
> general, whether another program will halt. Its perfectly possible to
> write programs that are guara
On Wed, 29 Oct 2003 06:27:45 PST, somebody said:
> 3. microsoft knowledge base states clearly that there is a maximum URL
> length which you could just respect.
So if Microsoft published the maximum length of everything, we'd have no
more buffer overflows? :)
(Sorry, couldn't resist.. ;)
Hi Bipin,
what we are asking is that you post clearer messages without
shouting.
The 3 last posts I saw from you were not really exact. We are not
interested in stuff like
- maybe it is a bug
- could be a security issue
- this is strange isnt it
- can anyone try clicking 1000 times on this an
On Wed, 29 Oct 2003 13:58:11 +0100, Sebastian Herbst <[EMAIL PROTECTED]> said:
> The statement was: "There is no programming language that prevents you
> from writing insecure code". And that is true, as long as "insecure
> code" means vulnerability to DoS. IMHO that would be "incorrect" not
> "i
On Wed, 2003-10-29 at 14:29, Bipin Gautam wrote:
> try this ...
>
> its dam strange to see WINXP LOGOFF WITHOUT ASKING MY PERMISSION
>
> file://c:\windows\system32\logoff.exe
please, please stfu already about you playing with your technical self
and running stuff in winxp/system32. No one wants
Another from Tinyurl...
From News.COM.AU:
"War stress wears out prostitutes"
http://tinyurl.com/49b
And we thought we had it hard...
-Original Message-
From: Bassett, Mark [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 29, 2003 9:12 AM
To: Joel R. Helgeson; [EMAIL PROTECTED]
Subjec
I just said "it is possible", I never said "it is a good idea" or "it
is well worth the expenses".
But if you see open source software analogous to math, it would perhaps
make sense to do this with some smaller OS-independent libraries.
--
/~\ The ASCII Sebastian Herbst
-Original Message-
From: James Exim [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 29, 2003 11:51 AM
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] W2k users, local admin rights and GPOs
>It has been pointed out several times recently on the SF mailing lists
that
>a W2k user with lo
I also wouldn't exactly say it's falling... incidents has almost 700,000
today, and it's only 10:00 AM. We're on track to have a heavier day
today than yesterday...
Maybe I'll set up a sacrificial machine later today. Our supernet is
being scanned like crazy...
On Wed, 2003-10-29 at 00:28, SPAM
On the hosts that are infected, are you seeing TCP port 707 open? This
is one of the consistent things that we are seeing. I guess it wouldn't
hurt to mention that most of the triggers here are identifying this as
W32.Welchia while others are identifying it as Nachia.
Sonny Discini
Network Securi
So, I got an idea.
Everybody, who can drop pings, or SMB commutations, from his local
machine to DC can prevent GPO updates!
User can use IPSec policy (sic!) to do it :-)
So, Laura right :-)
And I'm wrong :-(
Is there a tool that can tell unpatched Windows NT machines from those
which have the MS03-043 fix applied?
Title: Message
Hi there,
anybody any details on the xng patch against the "memory steal"... ms03-046
anybody got problems using the patch? will need to run the patch on an old xng 5.5 (nt 4.0)
thx
rgds
Thorsten
Kitcon GmbH
Sysadmin
mailto:[EMAIL PROTECTED]
Anyone want an Asus Motherboard from newegg? :)
http://www.tinyurl/boob
Mark Bassett
Network Administrator
World media company
Omaha.com
402-898-2079
-Original Message-
From: Joel R. Helgeson [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 29, 2003 5:19 AM
To: [EMAIL PROTECTED]
Sub
Children, Children more and more OT...
--
Ricky Blaikie - Server City Ltd
TEL: 0871 2601000 : FAX: 0871 2601001 : http://www.servercity.co.uk
Visit our website for latest offers and pricing or e-mail me.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Bi
try this ...
its dam strange to see WINXP LOGOFF WITHOUT ASKING MY PERMISSION
file://c:\windows\system32\logoff.exe
_
Secure mail ---> http://www.blackcode.com
Thoughts?
Great. A little perl-script does the dirty work.
Get EBay-Passwords, website-Logins, trojans, MP3s, warez,
strange pictures and tons of more or less funny stuff.
Strange, that no one noticed this lovely behaviour before.
--
Thomas Springer
TUEV ICS - IT-Security
_
try this ...
its dam strange to see WINXP LOGOFF WITHOUT ASKING MY PERMISSION
file://c:\windows\system32\logoff.exe
_
Secure mail ---> http://www.blackcode.com
I don't agree. First, you shouldn't be using a service like this to send
sensitive information in the first place, and if you are, you get what you
deserve. If I leave my bank account number in my mailbox so I'll know where
to get it, I shouldn't blame the post office if someone comes along and
s
ya... i have admitted it!!! LOOK AT my OLD EMAIL BEFORE SHOUTING nasty... AT ANYONE
DUDE...
---
--- flatline <[EMAIL PROTECTED]> wrote:
WHY DONT YOU SHUT THE FUCK UP ABOUT STUFF YOU HAVEN'T A CLUE ABOUT?
1. how is this a security issue?
2. is this an exploit?
3.
The IDS sensors I have outside the firewall only detected SYN packets
since the ports were blocked by the firewall.
On Wed, 2003-10-29 at 00:28, SPAM wrote:
> Same here.. but now it's dropping as fast as it raises.. did anyone manage
> to capture what's inside?
>
>
> - Original Message -
On Wed, 29 Oct 2003, Bill Royds wrote:
> I agree that one can write secure code in C, but I am saying that C doesn't
> help in writing it.
> Perhaps we need to "deprecate" some C standard library functions and syntax
Various attempts to move to a specific dialect of C exists, I don't
really kn
Helmut Springer wrote:
> Has anyone seen any evidence besides this and the two postings on
> public lists? No real trace after more than 24h it seems...
We see increased scanning activity, but it doesn't look like a
widespread worm:
date| sources | targets | flows
+-
Title: NAV 2003 vuln
Hi there ! Source: http://www.digitalpranksters.com/advisories/symantec/InternetSec2003.html
RISK: LOW
PRODUCT: Norton Internet Security 2003 v6.0.4.34 (Maybe others we only tested this version)
PRODUCT URL: http://www.symantec.com/sabu/nis/nis_pe/index.html
DP PUBLIC
Hi,
Someone can explain how the 'Suckit' rootkit , send logs or
receive commands ?
[]s agsb
Steve is not asking that a language be less than Turing-complete, only that
insecure operations are difficult and that one would need to work hard to
write insecure code. One could still implement anything if needed but it
would need to be explicit.
This can be achieved in many ways by language
I agree that one can write secure code in C, but I am saying that C doesn't
help in writing it.
Perhaps we need to "deprecate" some C standard library functions and syntax
and have the compiler warn us at least when using them, as well as adding
syntax that tells the compiler better the intent of c
Andrew Clover <[EMAIL PROTECTED]> to me:
> > FWIW, I think the biggest "problem" here is that a CA (Thawte in this
> > case) allows code-signing certificates with such ambiguous "names" as
> > "Browser Plugin"
>
> They also have a very limited interpretation of "malicious code". Thawte
> have r
> Duh. That's a complete misunderstanding of the halting problem - which
> is, in essence, that you can't write a program which can predict, in
> general, whether another program will halt. Its perfectly possible to
> write programs that are guaranteed to halt.
The statement was: "There is no pro
[EMAIL PROTECTED] wrote:
> On Tue, 28 Oct 2003 17:44:55 +1300, Steve Wray <[EMAIL PROTECTED]> said:
>
>
>>Is it beyond all possibility that there exist languages in which
>>the very reverse is true? ie Languages in which one would have to
>>reimplement data types and so forth in order to be abl
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
- -
Red Hat Security Advisory
Synopsis: Updated pam_smb packages fix remote buffer overflow.
Advisory ID: RHSA-2003:261-01
Issue date:2003-08
This is an information leak rather than a real vulnerability. I thought it
might be of interest to others...
www.tinyurl.com is a website that will convert a long url to a short one. If
you want to email a link to say, driving directions on mapquest, the url is
rather long and will get broken up.
It has been pointed out several times recently on the SF mailing lists that
a W2k user with local administrator rights can prevent group policy
application on his/her machine and there is apparently nothing the domain
administrator(s) can do about it (see
http://www.derkeiler.com/Mailing-Lists/secu
Nick FitzGerald <[EMAIL PROTECTED]> wrote:
> FWIW, I think the biggest "problem" here is that a CA (Thawte in this
> case) allows code-signing certificates with such ambiguous "names" as
> "Browser Plugin"
They also have a very limited interpretation of "malicious code". Thawte
have refused to
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
- -
Red Hat Security Advisory
Synopsis: Updated unzip packages fix trojan vulnerability
Advisory ID: RHSA-2003:199-02
Issue date:2003-07-01
U
On Tue, 28 Oct 2003 19:45:33 PST, Gregory Steuck said:
> > "Valdis" == Valdis Kletnieks <[EMAIL PROTECTED]> writes:
>
> Valdis> All programming languages that are Turing-complete
> Valdis> (basically, anything that has a conditional loop) are prone
> Valdis> to the Turing Halting P
Some time, like 2 or 3 years ago some group registered their Own Certs in
the name of Microsoft Corporation.
http://slashdot.org/articles/01/03/22/1947233.shtml
LG
- Original Message -
From: "Nick FitzGerald" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, October 29, 2003 8:
Hi,
On 29 Oct 2003 at 12:54 +0100, KF wrote:
> https://gtoc.iss.net/issEn/delivery/gtoc/index.jsp
>
> Threat Forecast
>
> Our analysts are aware of a worm actively exploiting flaws
> addressed under Microsoft Security Bulletin MS03-026 and MS03-039.
> This worm activity is consistent with a vari
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
- --
Debian Security Advisory DSA 396-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
October 29th, 2003
79 matches