-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Sorry, what was that? I heard something about an exploit or two ... and
you not getting credit? Sorry, I couldn't hear between all of the
useless ranting and that goddamn screaming of yours.
bipin gautam wrote:
|
| [Note: *I HAVEN'T TESTED
Geoincidents said:
Come on Microsoft. How about putting together a single file that
contains all the critical security updates since the last service
pack for a given OS?
I'm with you, this is nuts:
to secure 2000 without using the network and windowsupdate:
install 2000
sp4
-Original Message-
From: Nick FitzGerald [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 17 March 2004 02:16
To: [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] Re: Microsoft Security, baby steps ?
[EMAIL PROTECTED] wrote:
big snip
Come on Microsoft. How about putting together a
opinion
I think this demonstrates that the web design people haven't a clue about
security. They're opening up their webserver to all sorts of potential
exploits. If he can get some simple javascript to run then maybe other
people can also do more sophisticated stuff.
Also, if they're that
This is mainly the case because web design people don't really think about
security, because that's not their job. Web designers are essentially graphic
designers who work in a specialised field. Their primary concerns are
appearance, usability, and site promotion.
-Original Message-
On Wed, 17 Mar 2004, Daniele Muscetta wrote:
I know, you roughly have some 26 Megabytes of patches to be installed
POST-SP4 and POST IE60SP1 on W2K.
Is any other OS any better lately ?
OpenBSD. FreeBSD. NetBSD. BSD/OS. See the pattern?
I had a BSD/OS box exposed to the Net without a
Andrew Aris [EMAIL PROTECTED] wrote:
This is mainly the case because web design people don't really think about
security, because that's not their job. Web designers are essentially graphic
designers who work in a specialised field. Their primary concerns are
appearance, usability, and site
Is any other OS any better lately ?
When you want to be the leader, you don't ask questions like that. You
recognize problems and you solve them and one of the problems today for
Windows is that MS is making it very difficult to keep patched if the user
doesn't want to put the machine on the
Dave Horsfall said:
On Wed, 17 Mar 2004, Daniele Muscetta wrote:
I know, you roughly have some 26 Megabytes of patches to be
installed POST-SP4 and POST IE60SP1 on W2K.
Is any other OS any better lately ?
OpenBSD. FreeBSD. NetBSD. BSD/OS. See the pattern?
Yes I do.
Even if patching
-BEGIN PGP SIGNED MESSAGE-
__
SUSE Security Announcement
Package: openssl
Announcement-ID: SuSE-SA:2004:007
Date:
On Tue, 2004-03-16 at 22:58, Paul Schmehl wrote:
As an aside, this is a problem with just about all software. By the time
they freeze the contents, warehouse it, ship it to distributors who ship
it to the retailers, who sell it to the consumer, the first thing they have
to do after installing
hiho full-disclosure!
Microsoft Hotmail still runs on U**x
By Andrew Orlowski
Posted: 12/12/2001 at 13:51 GMT
Microsoft admits it still hasn't upgraded its Hotmail system to
Windows, almost four years after embarking on the task, and fifteen
months after the first load balancing
Geoincidents wrote:
to secure 2000 without using the network and windowsupdate:
install 2000
sp4
Windows2000-KB823559-x86-ENU.exe
unbelievably big snip
Q832894.exe
NT4 is even worse and before they are allowed to completely
drop support for
NT4 they should at least have the decency to
Luke Scharf said:
I've been a lot better about this lately, but I still think it's kind
of absurd that I can't plug a freshly rebuilt Windows XP machine into
the network. You'd think that Microsoft would at least make an
official release of Windows XP.1 or something like that to address this
Using the built-in firewall stops incoming hacks pretty effectively in my
experience.
Perhaps Microsoft can win back some friends and good coverage by releasing
XP SP2 as a new integrated product and as an add-on disk the same as they
did for Windows '98.
Hey, if I can have an idiot-proof
hiho Andrew!
Wednesday, March 17, 2004, 10:20:26 AM, you wrote:
AA This is mainly the case because web design people don't really think about
AA security, because that's not their job. Web designers are essentially graphic
AA designers who work in a specialised field. Their primary concerns are
AA
Hi!
On Wed, Mar 17, 2004 at 10:20:26AM -, Andrew Aris wrote:
This is mainly the case because web design people don't really
think about security, because that's not their job.
But it is their job to program web applications? I'd rather think
a web /designer/'s responsibility should be
at
http://www.cisco.com/warp/public/707/cisco-sa-20040317-openssl.shtml.
Affected Products
The following products have their SSL implementation based on the OpenSSL
code and are affected by this vulnerability.
* Cisco IOS 12.1(11)E and later in the 12.1E release train. Only crypto
Actually most new machines I've seen ship recently have come with XP SP1
pre-installed so at least the big OEMS are doing this much. I have no idea
whether the new retail copies of XP are coming with SP1 or not though.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL
Hi,
When you want to be the leader, you don't ask questions like that. You
recognize problems and you solve them and one of the problems today for
Windows is that MS is making it very difficult to keep patched if the user
doesn't want to put the machine on the net BEFORE it's fully patched.
On Wed, 17 Mar 2004, Thomas Binder wrote:
Hi!
On Wed, Mar 17, 2004 at 10:20:26AM -, Andrew Aris wrote:
This is mainly the case because web design people don't really
think about security, because that's not their job.
But it is their job to program web applications? I'd rather think
a
[SNIP]
This is not meant as an attempt to diminish BSD strength.
I also have an OpenBSD box on the internet, and it is awesome.
The choice of shipping LESS software by default is a very wise one (and
many linux distros in this regard are copying windows too much, enabling
Ron DuFresne said:
[SNIP]
This is not meant as an attempt to diminish BSD strength.
I also have an OpenBSD box on the internet, and it is awesome.
The choice of shipping LESS software by default is a very wise one
(and many linux distros in this regard are copying windows too much,
Hrm, how about inventing an option (at install time) that places a very
restrictive firewall on the network connection by default, say, only
outgoing port 80 to windowsupdate.com (or even better, only let it
establish a secure tunnel there), so you can patch and then loosen the
firewall settings
It doesn't address the issue. The requirement is that some MS customers need
to patch without putting the machine on the internet. For whatever reasons.
Is that such an unreasonable request?
Geo.
Sorry to sound incredibly dense, but if the machine in question is never being
connected to a
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
___
Mandrakelinux Security Update Advisory
___
Package name: openssl
Advisory ID:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On Wednesday 17 March 2004 08:19, Jos Osborne wrote:
It doesn't address the issue. The requirement is that some MS customers
need to patch without putting the machine on the internet. For whatever
reasons.
Is that such an unreasonable request?
-Original Message-
From: Geo. [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 17 March 2004 16:12
To: Simon Richter; Geoincidents
Cc: Daniele Muscetta; [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] Re: Microsoft Security, baby steps ?
Hrm, how about inventing an option (at install
Who are these people who install 'desktop trinkets' and X window managers?
You sound as though you're speaking from direct experience.
Give us some examples of desktop trinkets installed on webservers.
You sound a bit too smug to me.
--
On Wed, 17 Mar 2004 16:19:36 GMT, Jos Osborne [EMAIL PROTECTED] said:
It doesn't address the issue. The requirement is that some MS customers need
to patch without putting the machine on the internet. For whatever reasons.
Is that such an unreasonable request?
Geo.
Sorry to sound
From experience, you can't just lock down to that one server. You need to
allow port 80 and 443 access to different servers. Each day the list of
servers changes because of the Akamai caching that is used. I spend some
time configuring locked down systems to be able to talk to them. So yes, it
is
Sorry to sound incredibly dense, but if the machine in question is never
being connected to a network does it really need securing/patching?
I never said a machine is never being connected to a network. There are lots
of places that in the interests of security require a machine to be fully
On Wed, 2004-03-17 at 09:10, Random Letters wrote:
Using the built-in firewall stops incoming hacks pretty effectively in my
experience.
Yes, it's great, but there's two problems with it:
1. It's not available on Windows 2000, and we still have machines that
should continue to run Windows
On Wed, 17 Mar 2004 16:46:58 GMT, [EMAIL PROTECTED] said:
From experience, you can't just lock down to that one server. You need to
allow port 80 and 443 access to different servers. Each day the list of
servers changes because of the Akamai caching that is used. I spend some
time
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
=
FreeBSD-SA-04:05.openssl Security Advisory
The FreeBSD Project
Topic:
Luke Scharf [EMAIL PROTECTED] wrote:
big snip
I've been a lot better about this lately, but I still think it's kind of
absurd that I can't plug a freshly rebuilt Windows XP machine into the
network. You'd think that Microsoft would at least make an official
release of Windows XP.1 or
Geo. [EMAIL PROTECTED] wrote:
... Even the stupid check tools assume you have the thing on the
net before it's patched.
Yep, yet there are still MS apologists who refuse to open their eyes so
as to understand that Microsoft still shows little hint that it 'gets'
security.
Regards,
Nick
Geo. [EMAIL PROTECTED] wrote:
It doesn't address the issue. The requirement is that some MS customers need
to patch without putting the machine on the internet. For whatever reasons.
Absolutely.
Much _worse_ though, is that _FAR TOO FEW_ MS customers actually seem
to practice something like
This is a bit of ancient trivia that came up over lunch today. I
thought maybe y'all could offer some insight.
As the old BBS'ers and even older folks know, the string +++ath0 will
disconnect a modem. Once upon a time, I had this string in my e-mail
signature. Some folks using Windows and a
On Wed, Mar 17, 2004 at 08:42:55PM -0500, Luke Scharf wrote:
As the old BBS'ers and even older folks know, the string +++ath0 will
disconnect a modem. Once upon a time, I had this string in my e-mail
signature. Some folks using Windows and a dialup line couldn't respond
to my e-mail, even
Luke Scharf [EMAIL PROTECTED] wrote:
As the old BBS'ers and even older folks know, the string +++ath0 will
disconnect a modem. ...
Does anyone know what versions of windows had this particular bug in the
PPP implementation? Were any other systems affected?
I guess that the problem is not so
LOL, How do you really feel then? ;-)
*
* You're probably the sort that would appreciate this page then...
*
*http://tinyurl.com/2c9no
*
*
* Regards,
*
* Nick FitzGerald
--
Harry Hoffman
[EMAIL PROTECTED]
--
Luke Scharf [EMAIL PROTECTED] wrote:
This is a bit of ancient trivia that came up over lunch today. I
thought maybe y'all could offer some insight.
snip drivel
Have you not heard of Google?
Some judicious Googling should have fairly quickly found you one or
other of the various copies of
+++ATH0,,,DT911 was done plenty of times I am sure.
http://www.packetstormsecurity.org/9906-exploits/gin.c
-KF
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
++
| Guardian Digital Security Advisory March 17, 2004 |
| http://www.guardiandigital.com ESA-20040317-003
-BEGIN PGP SIGNED MESSAGE-
OpenSSL Security Advisory [17 March 2004]
Updated versions of OpenSSL are now available which correct two
security issues:
1. Null-pointer assignment during SSL handshake
===
Testing performed by the OpenSSL group
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
- --
Debian Security Advisory DSA 465-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Matt Zimmerman
March 17th, 2004
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
- -
Red Hat Security Advisory
Synopsis: Updated OpenSSL packages fix vulnerabilities
Advisory ID: RHSA-2004:121-01
Issue date: 2004-03-17
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200403-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org
- - - - -