Ahah, I don't want to lose my time with public bug bounties, it's not even cost-effective.

You're such a noob.

Nicholas Lemonias. wrote:
> You can't even find a cross site scripting on google.
>
> Find a vuln on Google seems like a dream to some script kiddies.
>
> On Fri, Mar 14, 2014 at 6:00 PM, Nicholas Lemonias. <lem.niko...@googlemail.com> wrote:
>
> The full-disclosure mailing list has really changed. It's full of lamers nowadays aiming high.
>
> On Fri, Mar 14, 2014 at 5:58 PM, Nicholas Lemonias. <lem.niko...@googlemail.com> wrote:
>
> Says the script kiddie... Beg for some publicity. My customers are FTSE 100.
>
> ---------- Forwarded message ----------
> From: Nicholas Lemonias. <lem.niko...@googlemail.com>
> Date: Fri, Mar 14, 2014 at 5:58 PM
> Subject: Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC
> To: antisnatchor <antisnatc...@gmail.com>
>
> Says the script kiddie... Beg for some publicity. My customers are FTSE 100.
>
> On Fri, Mar 14, 2014 at 5:55 PM, antisnatchor <antisnatc...@gmail.com> wrote:
>
> LOL you're hopeless.
> Good luck with your business. Brave customers!
>
> Cheers
> antisnatchor
>
> Nicholas Lemonias. wrote:
>> People can read the report if they like. Can't you even do basic things like reading a vulnerability report?
>>
>> Can't you see that the advisory is about writing arbitrary files. If I was your boss I would fire you.
>>
>> ---------- Forwarded message ----------
>> From: Nicholas Lemonias. <lem.niko...@googlemail.com>
>> Date: Fri, Mar 14, 2014 at 5:43 PM
>> Subject: Re: [Full-disclosure] Google vulnerabilities with PoC
>> To: Mario Vilas <mvi...@gmail.com>
>>
>> People can read the report if they like. Can't you even do basic things like reading a vulnerability report?
>>
>> Can't you see that the advisory is about writing arbitrary files. If I was your boss I would fire you, with a good kick outta the door.
>>
>> On Fri, Mar 14, 2014 at 3:55 PM, Mario Vilas <mvi...@gmail.com> wrote:
>>
>> On Fri, Mar 14, 2014 at 12:38 PM, Nicholas Lemonias. <lem.niko...@googlemail.com> wrote:
>>
>> Jerome of McAfee has made a very valid point on revisiting separation of duties in this security instance.
>>
>> Happy to see more professionals with some skills. Some others have also mentioned the feasibility for Denial of Service attacks. Remote code execution by Social Engineering is also a prominent scenario.
>>
>> Actually, people have been pointing out exactly the opposite. But if you insist on believing you can DoS an EC2 by uploading files, good luck to you then...
>>
>> If you can't tell that that is a vulnerability (probably coming from a bunch of CEH's), I feel sorry for those consultants.
>>
>> You're the only one throwing around certifications here. I can no longer tell if you're being serious or this is a massive prank.
>>
>> Nicholas.
>>
>> On Fri, Mar 14, 2014 at 10:45 AM, Nicholas Lemonias. <lem.niko...@googlemail.com> wrote:
>>
>> We are on a different level perhaps. We do certainly disagree on those points.
>> I wouldn't hire you as a consultant, if you can't tell if that is a valid vulnerability..
>>
>> Best Regards,
>> Nicholas Lemonias.
>>
>> On Fri, Mar 14, 2014 at 10:10 AM, Mario Vilas <mvi...@gmail.com> wrote:
>>
>> But do you have all the required EH certifications? Try this one from the Institute for Certified Application Security Specialists: http://www.asscert.com/
>>
>> On Fri, Mar 14, 2014 at 7:41 AM, Nicholas Lemonias. <lem.niko...@googlemail.com> wrote:
>>
>> Thanks Michal,
>>
>> We are just trying to improve Google's security and contribute to the research community after all. If you are still on EFNet give me a shout some time.
>>
>> We have done so and consulted to hundreds of clients including Microsoft, Nokia, Adobe and some of the world's biggest corporations. We are also strict supporters of the ACM code of conduct.
>>
>> Regards,
>> Nicholas Lemonias.
>> AISec
>>
>> On Fri, Mar 14, 2014 at 6:29 AM, Nicholas Lemonias. <lem.niko...@googlemail.com> wrote:
>>
>> Hi Jerome,
>>
>> Thank you for agreeing on access control, and separation of duties.
>>
>> However successful exploitation permits arbitrary write() of any file of choice.
>>
>> I could release an exploit code in C Sharp or Python that permits multiple file uploads of any file/types, if the Google security team feels that this would be necessary. This is unpaid work, so we are not so keen on that job.
>>
>> On Fri, Mar 14, 2014 at 6:04 AM, Jerome Athias <athiasjer...@gmail.com> wrote:
>>
>> Hi
>>
>> I concur that we are mainly discussing a terminology problem.
>>
>> In the context of a Penetration Test or WAPT, this is a Finding.
>> Reporting this finding makes sense in this context.
>>
>> As a professional, you would have to explain if/how this finding is a Weakness*, a Violation (/Regulations, Compliance, Policies or Requirements[1])
>> * I would say Weakness + Exposure = Vulnerability.
>> Vulnerability + Exploitability (PoC) = Confirmed Vulnerability that needs Business Impact and Risk Analysis
>>
>> So I would probably have reported this Finding as a Weakness (and not Vulnerability. See: OWASP, WASC-TC, CWE), explaining that it is not Best Practice (your OWASP link and Cheat Sheets), and even if mitigative/compensative security controls (Ref Orange Book), security controls like white listing (or at least black listing, see also ESAPI) should be 1) part of the [1]security requirements of a proper SDLC (Build security in) as per Defense-in-Depth security principles and 2) used and implemented correctly.
>> NB: A simple Threat Model (i.e. list of CAPEC) would be a solid support to your report.
>> This would help to evaluate/measure the risk (e.g. CVSS), helping the decision/actions around this risk.
>>
>> PS: interestingly, in this case, I'm not sure that the Separation of Duties security principle was applied correctly by Google in terms of Risk Acceptance (which could be another Finding)
>>
>> So in a few words, be careful with the terminology. (don't always say vulnerability like the media say hacker, see RFC1392) Use a CWE ID (e.g. CWE-434, CWE-183, CWE-184 vs. CWE-616)
>>
>> My 2 bitcents
>> Sorry if it is not edible :)
>> Happy Hacking!
>>
>> /JA
>>
>> https://github.com/athiasjerome/XORCISM
>>
>> 2014-03-14 7:19 GMT+03:00 Michal Zalewski <lcam...@coredump.cx>:
>> > Nicholas,
>> >
>> > I remember my early years in the infosec community - and sadly, so do some of the more seasoned readers of this list :-) Back then, I thought that the only thing that mattered is the ability to find bugs. But after some 18 years in the industry, I now know that there's an even more important and elusive skill.
>> >
>> > That skill boils down to having a robust mental model of what constitutes a security flaw - and being able to explain your thinking to others in a precise and internally consistent manner that convinces others to act. We need this because the security of a system can't be usefully described using abstract terms: even the academic definitions ultimately boil down to saying "the system is secure if it doesn't do the things we *really* don't want it to do".
>> >
>> > In this spirit, the term "vulnerability" is generally reserved for behaviors that meet all of the following criteria:
>> >
>> > 1) The behavior must have negative consequences for at least one of the legitimate stakeholders (users, service owners, etc),
>> >
>> > 2) The consequences must be widely seen as unexpected and unacceptable,
>> >
>> > 3) There must be a realistic chance of such a negative outcome,
>> >
>> > 4) The behavior must introduce substantial new risks that go beyond the previously accepted trade-offs.
>> >
>> > If we don't have that, we usually don't have a case, no matter how clever the bug is.
>> >
>> > Cheers (and happy hunting!),
>> > /mz
>> >
>> > _______________________________________________
>> > Full-Disclosure - We believe in it.
>> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> > Hosted and sponsored by Secunia - http://secunia.com/
>>
>> --
>> "There's a reason we separate military and the police: one fights the enemy of the state, the other serves and protects the people. When the military becomes both, then the enemies of the state tend to become the people."
>
> --
> Cheers
> Michele

--
Cheers
Michele
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
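Jerome's point about allow-listing versus deny-listing uploaded file types (CWE-434), and his remark that such a control must be both required and implemented correctly, as a worked example added here; this is not code from the thread or from any of its participants, and the accepted-type table, the deny-list and the sample uploads are constructed assumptions:

```python
import os

# Constructed policy (assumption): the only types this application needs,
# each tied to the leading bytes ("magic") its content must start with.
ALLOWED_TYPES = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff", ".pdf": b"%PDF-"}
# Deny-list policy (assumption): enumerates unwanted extensions instead.
DENIED_EXTENSIONS = {".php", ".exe", ".sh"}

def denylist_check(filename: str) -> bool:
    """Weak control: accepts anything whose extension is not on the deny-list.
    It never inspects content, and an unlisted or differently cased extension passes."""
    return os.path.splitext(filename)[1] not in DENIED_EXTENSIONS

def allowlist_check(filename: str, content: bytes) -> bool:
    """Stronger control: plain base name with one extension, extension on the
    allow-list, and content carrying the magic bytes of the claimed type."""
    base = os.path.basename(filename)
    if base != filename or base.startswith(".") or base.count(".") != 1:
        return False  # path components, dotfiles, double extensions
    magic = ALLOWED_TYPES.get(os.path.splitext(base)[1].lower())
    if magic is None:
        return False  # a type the application does not need
    return content.startswith(magic)

# Constructed sample uploads: (filename, leading content bytes)
SAMPLES = [
    ("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),  # legitimate image
    ("report.PDF", b"%PDF-1.4 "),                       # legitimate, different case
    ("notes.txt", b"hello"),                            # harmless but not a needed type
    ("page.PHP", b"<?php echo 1; ?>"),                  # extension case not on the deny-list
    ("image.png.html", b"<html>"),                      # double extension
    ("../etc/cron.d/job.png", b"\x89PNG\r\n\x1a\n"),    # path component in the name
    ("fake.png", b"<html>"),                            # extension disagrees with content
]

def evaluate(samples=SAMPLES):
    """Return {filename: (deny-list verdict, allow-list verdict)} for each sample."""
    return {name: (denylist_check(name), allowlist_check(name, data)) for name, data in samples}

if __name__ == "__main__":
    for name, (deny, allow) in evaluate().items():
        print(f"{name:25} deny-list={deny!s:5} allow-list={allow}")
```

The deny-list accepts every sample, including the ones a reviewer would flag; the allow-list accepts only the two uploads whose name and content agree with a type the application actually needs.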