Berend-Jan Wever wrote:
If you can't stand the heat, get out of the kitchen!
And btw: if you're not cooking, get the fuck out too!
Yeah - how hard is it to hit delete anyway?
(I don't think I've ever joined a mailing list expecting every post to
be interesting to me... nor even the
Paul Schmehl wrote:
Here's a suggestion for you. Google for Oil for Food. Once you're
done reading, come back here and tell us how Germany, France and
Russia were *not* in bed with Saddam, buying oil at great discounts in
exchange for weapons sales and other favors - in material violation of
Dean Brooks wrote:
The Oil for Food program, however, was truly a scandal. There would
never have been ANY situation where Germany or France would have voted
to approve the war. No matter how badly Iraq would have been
violating sanctions (which they were doing for years), there would
have been
Paul Schmehl wrote:
Now, PLEASE keep the damn politics off this list, because I assure
you, I will not sit idly by and allow this kind of unadulterated crap
to be spewed on this list without responding.
All replies to /dev/null.
That's kind of contradictory, wouldn't you say? First you'll
Duncan Hill wrote:
On Friday 29 October 2004 11:47, Berend-Jan Wever might have typed:
Hi all,
Want to view www.georgewbush.com from outside the US? You can't: Access
denied. This security measure (!?) can easily be avoided using a proxy in
the US or any anonymous surfing website though.
So,
Joe Hood wrote:
We can only pray that al-Qaeda isn't as successful as they were in Spain.
Yeah, have you ever wondered why they haven't attacked?
Hmmm... maybe it's because they want Bush to win? Or, if an attack
occurred, would that bolster Bush in the election?
These issues aren't quite
Paul Schmehl wrote:
Yes, what we need in an American president is a sycophantic,
indecisive appeaser so France, Germany and the UN can continue their
graft, bribery and corruption with the Arab world without interference
from those meddling idiots in America.
And you're advocating that a
Exibar wrote:
Curt,
And what was it that Bush lied to you personally about? or lied to the
American People about? WMD's in Iraq? Just because we haven't found many of
them (YES we have found some, BTW), doesn't mean they didn't exist
Like life on Mars, just because we haven't seen little
Jason Coombs PivX Solutions wrote:
If we're going to allow these electronic voting devices in our elections, then we
the people must be empowered to become the all volunteer quality assurance army that
validates the data output.
Hey there Jason,
I share similar concerns. If we trace the
Paul Schmehl wrote:
--On Friday, October 22, 2004 10:32:34 AM -0400 Barry Fitzgerald
[EMAIL PROTECTED] wrote:
I share similar concerns. If we trace the why of this issue back
to its root (and discard conspiracy theories - which, given the
attitude
of a certain voting machine company
Harry de Grote wrote:
i have to admit... it's pretty old and useless, but i think this may be a nice
place for spammers to try out some new addresses...
This is *NOT* the major issue that everyone is blowing it out to be.
Lists like this are available on many organization/company websites.
Derek Soeder wrote:
Windows VDM #UD Local Privilege Escalation
Release Date:
October 12, 2004
Date Reported:
March 18, 2004
Severity:
Medium (Local Privilege Escalation to Kernel)
[NOTE: This vulnerability was silently fixed by Microsoft in June,
approximately 90 days after it was reported, with
KF_lists wrote:
ISS would like to have you believe otherwise... when I contacted them
about the Local SYSTEM escalation in BlackICE we went in circles over
the fact that I feel that taking local SYSTEM on a win32 box IS a
problem and they don't. They tried to say some crap like in all our
Daniel H. Renner wrote:
Daniel,
Could you please point out where you read this data? I would like to
see this one...
I seem to remember that this was one of the caveats with regard to
MSBlast and RPC/DCOM vulnerabilities last year.
In certain configurations, it was theoretically possible
Giselbert Hinkelmann wrote:
Am 12.10.2004 um 01:33 schrieb Jesse Valentin:
My point is that just because something isn't recognized as incorrect
by a
legal entity this doesn't necessarily indicate that the conclusion
is sound
Which means that future generations may see not giving free/cheap
Jesse Valentin wrote:
My point is that just because something isn't recognized as incorrect
by a legal entity this doesn't necessarily indicate that the
conclusion is sound
I agree with your point here, but you missed one of the nuances of my
argument. The definition of theft isn't just a legal
milw0rm Inc. wrote:
JPEG GDI problem,
Isn't this problem only capable of running if the jpeg was opened via
the users actions?
Is it possible that webpages could be affected with jpegs with
internet explorer viewing them? I wouldn't think so since what I have
read from multiple peoples articles
[EMAIL PROTECTED] wrote:
Berry,
I appreciate the information. I would think newsgroup postings would be a
little evil as well.
Yep - in fact I was reading this morning on http://isc.sans.org/ that
one was just found on an adult newsgroup.
-Barry
Geo. wrote:
far-fetched. Would it be possible to create a jpeg that would copy
itself to other drives on a shared network in an auto-executable
position? I suppose so... however, it would be noisy and probably
wouldn't be amazingly successful.
Picture a company full of users and a worm
joe wrote:
Nod. Some knucklehead used GetTickCount or clock() for their app and had no
clue about datatypes and overflows and range of possible values and some
people go off on Windows.
I was helping someone in the public newsgroups with a similar issue.
Experienced 10 year c coder who didn't
Frank Knobbe wrote:
On Fri, 2004-09-24 at 09:15, Barry Fitzgerald wrote:
The article doesn't make the situation entirely clear. Did the app
intentionally restart the system and foul it? Did the restart occur
because the app crashed?
No, no, the problem was human error because a tech
ASB wrote:
~
Where issues like this relate to the OS is in the fact that the OS
itself shouldn't be brought down by a poorly designed app.
~
And where in that article did you read that the OS was brought down by
a poorly designed app?
Larry Seltzer wrote:
If you don't really believe that the movie Catch me if you can was
based on a true story, check out this site:
http://www.abagnale.com/index2.asp
I don't want to put words in anyone's mouth, but I hope we're not
comparing a genius like Abagnale to a vandal like Jaschan,
ktabic wrote:
- Have you ever exceeded 20 mph above the speed limit? If so,
does that make you incapable of driving a big rig truck? If so, I think
we should probably be very wary of our use of the roads. It's much more
difficult to get a commercial license if you've been caught
ktabic wrote:
No, no need to spell it out any clearer. You made my point.
Mr. Abagnale is an expert in and on the financial institutions and fraud,
who (in return for a reduced sentence) provided that immense knowledge
to the industry and has even worked towards getting the industry to
adopt
Larry Seltzer wrote:
He wrote a worm. Big freaking deal.
Yeah, very big freaking deal. He loosed an attack he had good reason to
believe would do damage to innumerable people all over the world. He
belongs in jail and for a long time, if only to send a message that such
behavior is
pingywon MCSE wrote:
Barry, are you related to Nick by any chance?
Not to my knowledge.
-Barry
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
ktabic wrote:
Well, I vaguely recall laws that state that a convicted criminal isn't
allowed to profit from his crime, even after he has served his sentence.
This does, however, sound like he is profiting from his crime.
Think: would he have been given this job if he hadn't had his name
plastered
Ron DuFresne wrote:
scroll down there and do the custom patching, that will get you the GDI+
scanner, and any other patches you are missing, once that installs it will
scan for M$ apps needing the jpeg patch. Then you are directed to the
windows applications update page. Of course to get the
Rob Rosenberger wrote:
Vmyths.com Virus Hysteria Alert
Truth About Computer Security Hysteria
{15 September 2004, 01:55 CT}
CATEGORIES: (1) Misconceptions about a real computer security threat
(2) A historical perspective on recent hysteria
Microsoft has issued a critical alert
is security industry gng??
From: [EMAIL PROTECTED]
To: Barry Fitzgerald
Action taken: Logged
Reason: Encrypted/Corrupted
Rule Group:
Copyright 1993-2003, Networks Associates Technology, Inc.
All Rights Reserved.
http://www.mcafeesecurity.com
VX Dude wrote:
I have a sad feeling that I am alone about this. If I
am, then I really pity you guys.
Stinny FranCisco, CISSP
Internet Sniper
eDefense Inc.
I tend to agree with you. However, there are a couple of things to
consider:
1) Disclosure tends to refer to information. Now,
Jan Muenther wrote:
Network security - application security - software security -
What do u guys think??
job security?
or insecurity?
POC:
#!/bin/sh
if [ ! $jobsecurity ]; then
export insecurity='high';
else
unset insecurity;
fi;
Raj Mathur wrote:
Remove low-bandwidth from the list of requirements, since ssh can
compress traffic on the fly and reduce bandwidth consumption
significantly.
I would not remove low-bandwidth from the list. Compressing the
connection requires further CPU consumption, and if the requirement
Well, when I first started reading it I thought perhaps I was reading a
transcript of one of George W. Bush's speeches... :)
..and then I realized that unlike Bush, these are actually coherent
chunks of text that look like they may have been taken from disparate
web pages.
Does it only
Richard Johnson wrote:
I have personally already discovered most software vulnerabilities,
and just because I have not published information on them, it does
mean that I have not already discovered and successfully exploited
the bugs in question.
snip
Finally, I suggest that you apply you
Dave Ewart wrote:
Quite so, as I suggested.
Are there even any legitimate uses for running a telnet daemon any more?
(That is a genuine question - as far as I can see, SSH is always a
perfect replacement).
Sure - a situation where a system needs a low-bandwidth/low CPU-use
shell-based
Bugtraq Security Systems wrote:
Nick,
You're a moron, and a fake moron at that. If you had the clue god gave the
average scriptkiddie, you'd kill yourself in shame at your own postings.
Cheers,
BUGTRAQ Security Systems
If Nick FitzGerald had a brain cell for every bug we tracked, he'd be
smart and
Stormwalker wrote:
Hi,
It wasn't the general, massive military build up, but the specific
program known as Star Wars under Ronald Raygun. The Soviets believed
that the nonsense was true and tried to fund the research to catch up
until they hit the wall. Unlike real military weapons, a fake weapon
Michel Messerschmidt wrote:
On Fri, Sep 03, 2004 at 10:43:50AM +0530, Aditya Deshmukh wrote:
hey if the binary is infected and does not contain any hardcoded
sensitive info what do u care about the owners of the website ?
Unless for (a purely theoretical) example the website would use
yaakov yehudi wrote:
A firewall is more akin to a specialized filter medium, but filter mediums aren't used as the entrance or exit to a military base.
It is probably possible to find analogies between the information security world and
physical - but only on a piecemeal basis, and that is
Do you still have a copy of the file? Have you sent it to the antivirus
companies for analysis?
Can you repeat the experiment with a patched box and replicate the results?
If so, that could be bad. It could just be a reworked exploit, though
-- or perhaps there's a bug in the buffer overflow
Choe Sung Cont. PACAF CSS/SCHP wrote:
The Great Cold War of the last century was not won through military
means. It was not won by US political leaders. It was won by Levi
jeans and bottles of Coke.
Ahhh, I love it when people try to make this argument. I highly doubt that
the denim soft
Peter Swire wrote:
Greetings:
I have been lurking on Full Disclosure for some time, and now would like to
share an academic paper that directly addresses the topic of full
disclosure and computer security:
Hello Peter,
There are some glaring flaws in the basis of this paper. Though I
James Tucker wrote:
This is not dissimilar from the discussion that, for example:
Walk into the headquarters of a major business firm, you take the
elevator up to the top floor as you don't have a keycard to get you in
a lower level. It's lunchtime and the secretary at reception has left
her desk.
James Tucker wrote:
Sure, but you can only move up a stack which exists.
Given that there should be no applications on the other end of the
RS232 apart from the CAD/CAM control program (one would hope, this
would be considered 'normal'), the only hackable device should be that
program. It's not
VX Dude wrote:
snip
You're not illegally subscribed, but you may have
subscribed to an illegal mailing list. Due to the
laws in our nation (USA), much of what is discussed
here is (or will be) violating some form of DMCA type
laws. (please check your state laws for further
details)
It is a shame
Ron DuFresne wrote:
If your users are not trustable, then they should not have access to
local systems of yours. Once a person has a shell, then they are 95% to
root.
I'm not sure I entirely agree with what you're saying.
Scratch that - I'm sure I don't agree with what you're actually saying
joe wrote:
The client is required. I have sent a complaint to MS though concerning the
idea that the service set to manual but started doesn't allow the updates to
occur. That, I agree, is a bad design choice.
If the service is set to automatic but not started, it will get started as
soon as you
Michael Schaefer wrote:
It looks like windows update requires Automated Updates to be set to
automatic startup, but does not require the process to actually be
running...
So the statement that they are required is obviously false.
As a work around, I can manually change the startup status, do
Todd Towles wrote:
Sounds like it about as easy to shutdown as Microsoft's SP2 firewall...
Overwrite a file, it fails integrity checks and the firewall will fail
closed. There is something to add to a dropper program.
This by itself would make an effective short-term DoS of a consumer PC.
Clairmont, Jan M wrote:
Glenn:
Not to take issue with the performance of encryption, but
what good is performance when it's all spent processing spam, malware, trojans, spyware and all the other cr*p that downloads.
Even things like spybot, zone alarm etc. do not prevent any
of the junk that
joe wrote:
Since you cut out every piece that had anything to do remotely with this
list, I will respond very briefly and then fail to respond to any more list
posts on this from you unless you come back to the subject of security and
away from OSS vs proprietary code.
Hey - you've had at
joe wrote:
If only a #define statement were copied they wouldn't
be obligated to disclose its source.
I did not say that the only use was a #define, what I said was that would be
enough to get MS to document it if they didn't otherwise outright own the
rights. If you pick up a #define
KF_lists wrote:
OK - put your money where your mouth is. Pretend I'm a consumer. I
have 2000 USD to spend and want a good PC with a good warranty with
GNU/Linux on it. Find me a link to a major OEM that will ship me a
PC within those specs with decent hardware and a generally recognized
joe wrote:
I didn't say that they didn't use BSD pieces, I said that he wasn't as
accurate as he likes to think for the statement where he was naming specific
tools and pieces. Use of BSD pieces doesn't mean that it was used in its
entirety or even a lot, just that it was used in some manner, it
Harlan Carvey wrote:
Forget the whole naming thing...it's been bandied
about before, ad nauseam, and things haven't changed.
What *I* would like to see is some real analysis of
what they find. Too many times, weeks after
something's come out, some A/V company still has
modifies/updates some
Harlan Carvey wrote:
Barry,
One other thing I'd like to throw into the mix. This
whole discussion is being viewed, it seems to me from
the wrong perspective. The attitude that the entire
A/V industry should have a common naming convention
seems to be coming from the open source camp...while
James Patterson Wicks wrote:
James,
Don't take this the wrong way, you've got a point in your e-mail
here, but I'm going to call you on some FUD in your message.
The business world cannot afford to start from zero and retrain tens
of millions of workers who use Windows desktops every day.
Todd Towles wrote:
How is naming a virus with @mm or a W32 in the front slow the process
down? Naming has nothing to do with AV venders making money IMO. If it
does, McAfee should change its name to Norton before tries to buy it
out. =)
It doesn't have a direct impact -- however, you're not
Todd Towles wrote:
As my original post started, I wouldn't let it up to the AV companies at
all. Have a separate entity (group of people like us), gain the backing
of big companies and other entities and come up with some standards.
You don't even need big companies to approve or back you --
Aditya, ALD [Aditya Lalit Deshmukh] wrote:
The whitehouse website was also compromised. Look www.whitehouse.com
=)
Wasn't fedora.org home to a page of useful fedora information? I am not at
home and don't have all my links.
guys can we please discuss defaced websites on some other list ?
[EMAIL PROTECTED] wrote:
On Fri, 06 Aug 2004 15:39:45 CDT, John Creegan [EMAIL PROTECTED] said:
I thought this list was originally meant to focus primarily on computer
hardware/software types of security issues. Malware, discovered exploitables,
etc
OK, you need a tie-in to computers?
Security List wrote:
Appointed? If you do not believe in the U.S.
constitution and the supreme court then I could see
how one might suggest that Mr. Bush was appointed. If
you do believe in it then you must know that his
appointment was the only legal solution to the
issue. Many major papers
[EMAIL PROTECTED] wrote:
On Thursday, 5 August 2004, hellNbak wrote:
The Internet is no longer a world of hippie hacker idealists, but quite simply
a global market. Because of lack of centralized authority overseeing it
(wasn't that what you fought for?), it is a wild style economy, often
Paul Schmehl wrote:
No, it's not excellent. There are tons of places on the web to spread
this crap. This is not one of them.
And why does this have anything to do with security? Well a few things
come to mind.
It has *nothing* to do with security. Take to alt.i.hate.bush.
Normally, I'd
to try to
clarify the issue. Nice move, showing your true colors like this.
Barry Fitzgerald wrote:
Justin Polazzo wrote:
5 Years to fix a vuln? I am not sure if even Microsoft has been that
slow to confront a security flaw. Has anyone heard an explanation as
to why this was kept confidential
Frank Knobbe wrote:
(After all, why fix it if they file Chapter 11 by end of the year
anyway?)
We can only hope... maybe if we get lucky they'll be forced to file in
September. Or, perhaps, just fall off the end of the earth... Yeah,
that'd be a good thing.
-Barry
Stephen Taylor wrote:
Is this a moderated list or is this a venue for anti-semitic diatribes?
Please let me know because I want to drop out if the totally biased,
off-topic comments can't be controlled.
SteveTaylor
Being opposed to Israeli political policies is about as anti-semitic as
being
J.A. Terranson wrote:
We are just going to have to agree to disagree, since neither of our camps
seems willing to move, and really, this is getting pointless: to make
further [rehash] arguments likely won't help.
We have divergent world views, and likely different foundational
indoctrination which
J.A. Terranson wrote:
Oh, I get it. So if root executes sshd -p 45522 --this is not
*technically* ssh, right?
If sshd is running on 45522 it's a back door Marty :-) And no, in this
case, pedantic or not, it's not ssh as is commonly accepted.
(Responding to essentially the only on-topic
J.A. Terranson wrote:
Agreed. It is the SSH protocol, but it is not the SSH *service*. It
violates the standard (as you note).
If I write a trojan that uses HTTP to process requests, then park it on
31337, I do not have an HTTP serv(er|ice). I have a trojan which happens
to use the HTTP
Seth Alan Woolley wrote:
Is it just me or is that behavior idiotic? I've seen this bug in
_multiple_ scripts I've audited. For that reason, I feel much less safe
signing up for cookies on websites that I haven't audited myself for
this problem. Since it is a script tag, that could open many a
Nick FitzGerald wrote:
Nope -- _VERY_ bad idea.
I'm not sure I'd call it a *very* bad idea... it's better than silently
finishing incomplete tags.
Idiot users want to blow both their feet off.
Asking them do you want a chance to blow your feet off? only slows
the inevitable slightly, never
Nick Eoannidis wrote:
Larry Seltzer
eWEEK.com Security Center Editor --
buddy, the shell:windows URI handler was disabled in IE ages ago!
The fact it can be crafted into an exploit for Mozilla! is the issue
here.
Of course it won't work on your IE you're probably patched to the max!
Mozilla just
Larry Seltzer wrote:
meaningful problem either, then we can agree to disagree on the scope. I'll agree that
getting this issue to run code of the choosing of the attacker is more difficult than
some other unpatched IE holes, but it is not impossible.
I disagree completely. The Mozilla problem,
Interesting... I was trying to determine if the shell: exploit could be
used to execute remote code on a known web server but hadn't approached
it from the SMB angle.
The obvious mitigating factor for this exploit is that someone would
need to have prior knowledge of which SMB shares had been
Ron DuFresne wrote:
[snip]
This is not security through obscurity. This is security through
incompatibility. The point of the idea is to make it necessary for an
attacker to rewrite an exploit for my system specifically. This is
something that over 99% of the potential attackers would
Darren Reed wrote:
A simple solution would be to add the shell protocol to this list.
Personally I think a secure blacklist is hard to maintain as new
dangerous external protocols could be invented by third-parties leaving
Mozilla vulnerable again.
Completely agreed.
There should be a
joe wrote:
It is a core component of the current Windows UI, this is not the same as
being a core component of Windows. Explorer is simply a UI shell that sits
on the operating system known as Windows. The entire shell is replaceable
and has been for a long time, since at least Win3.1.
I
I just verified this in Mozilla 1.7 on Windows XP pro.
(I know -- no reason why it shouldn't work on 1.7 if it worked on firefox)
In any case, it does appear to be an issue with MS Windows and not
Mozilla, but the Mozilla project should still, IMO, filter out the
shell: scheme type and other
Maarten wrote:
On Friday 02 July 2004 23:33, Barry Fitzgerald wrote:
No, I'm not wrong.
The discussion is about who's responsible for support of said software.
There's no obligation through the GNU GPL that support is required if
money changes hands, however the point of the discussion is who's
joe wrote:
Couple of things.
1. The conversation you are referring to was a conversation about issues
with core base components that necessitated a complete redesign. You kept
bringing up items that were NOT core base components - they were UI
components. IE being one of them. The very fact that
Frank Knobbe wrote:
On Tue, 2004-07-06 at 09:27, Barry Fitzgerald wrote:
Is it impossible to remove easily and difficult to remove cleanly? Yes...
Heh... I just noticed (by chance) that there is an option in |Control
Panel - Add/Remove Programs - Windows Components| to remove Internet
Denis Dimick wrote:
Barry,
I have to agree with you one once a company changes the code then they own
it. However wrapping the same old software in an RPM to me does not change
it enough to have someone else own the code.
Per the Free Software model it does. The key point here is that Red
Alerta Redsegura wrote:
The story is available at:
http://www.computerweekly.com/articles/article.asp?liArticleID=131708liArticleTypeID=1liCategoryID=2liChannelID=22liFlavourID=1sSearch=nPage=1
Heh.
The article has the following quote:
On other platforms, such as Linux, Unix and the Mac,
Denis Dimick wrote:
Per the Free Software model it does. The key point here is that Red Hat
is redistributing the code and making a profit off of it. It's Red
Hat's choice regarding whether to redistribute said code. Since they're
making the money off of it, they have to support it.
Matthew Murphy wrote:
Actually, you're both wrong, in my opinion. :-)
Overall market share has some to do with the success of worm propagation,
but the real problem is market share diversity at all levels. IIS is
plagued by worms because one piece of code targeting whatever version of IIS
is
Denis Dimick wrote:
Did M$ write ftp.exe? If so then they own it, they own the sources and
all rights to the code. Redhat owns very little of the code you get on
their CD.
Denis
I think that the demarcation line for this is where money changed hands.
First of all, ftp.exe is a common example
Harlan Carvey wrote:
Problems with electronic voting; FYI
I'm familiar with some of the issues regarding
electronic voting...what I'm not seeing is the
connection between that and this draft issue you
raised.
From what I recall, the reason that the draft bill was put forth in
congress
Frank Knobbe wrote:
On Thu, 2004-07-01 at 10:48, Jordan Klein wrote:
Oh yes, and there should be a checksum of the unique number assigned to each
vote to ensure that someone couldn't just reverse engineer the barcode and
make up a bunch of bogus votes. I'm not sure exactly how that part would
Drew Copley wrote:
Conclusion: Mozilla may be better. I think there is some strong
chance of that. But only marginally. It has had bugs. It has a lot
of features, which means a lot of potential for security issues. They
have kept their browser more conservative than Microsoft has kept
Internet
92 matches