Re: [Full-disclosure] [MDVSA-2013:11X ] ENTIRE OS
On 4/15/2013 6:24 AM, Alexander Georgiev wrote:
> +1 !
>
> On Thu, 11 Apr 2013 00:00:18 -0700, Stefan Jon Silverman <s...@sjsinc.com> wrote:
>> -BEGIN POPEYE (SPINACH) SIGNED MESSAGE-
>> Hash: SHAK's-SHORTS
>>
>> ___
>> Mandriva Linux Security Advisory MDVSA-2013:ALL
>> ___
>>
>> Package : Entire F'n OS
>> Date: April 11, 2013
>> Affected: Entire F'n OS
>>
>> ___
>> Problem Description:
>>
>> Updated OS packages fail to fix multiple security vulnerabilities:
>>
>> It was discovered that we have absolutely no clue on how to get it right so we issue several hundred security advisories each and every calendar day just to keep the rest of the planet up to date on how totally incompetent we are in managing a fork. We appreciate your tolerance of clogging your inbox w/ alert after alert which reaffirms our stated distribution goal of being the least secure Linux on the planet and hope that you will continue to support us in our endeavors.
>>
>> -END POPEYE (SPINACH) SIGNATURE-
>>
>> --
>> Regards, Stefan
>>
>> Stefan Jon Silverman - Founder / President
>> SJS Associates, N.A., Inc. - A Technology Strategy Consultancy
>> Cell 917 929 1668 | s...@sjsinc.com | www.sjsinc.com
>> Aim/Skype/GoogleIM: LazloInSF  Twitter/Yahoo: sjs_sf
>> ** Weebles wobble but they don't fall down **
>>
>> ___
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/

http://i.imgur.com/hKk8UcK.gif
Re: [Full-disclosure] list patch
On 3/4/2013 9:28 PM, andrew.wallace wrote:
> After all this time you don't grasp the serious nature of calling me or my organisation a troll and the trouble you will get yourself in legally.
>
> After all this time you still persist.
>
> Oh and the recent mails have been forwarded to my lawyer.
>
> Andrew

http://i.imgur.com/phpcZyW.jpg
Re: [Full-disclosure] how do I know the fbi is followin
On 3/2/2013 10:15 PM, Stefan Jon Silverman wrote:
> === gets out popcorn maker, this is going to be a fun movie.
>
> Regards, Stefan
> ** Weebles wobble but they don't fall down **
>
> On 3/2/2013 7:04 PM, Chris L wrote:
>> If you think they are following, go down a dark rural road that you know has a few loops. You need to have a goat in the back of the van. Deliberately drive down one of these loops; if they're still behind you, they're following you. That doesn't mean they're FBI though, they could just be stalkers or serial killers.
>>
>> STOP randomly in the road. Jump out of the car as fast as you can. Start visibly consuming as many drugs as you can while stripping off your clothes and dancing. Then, pull out the goat and begin to ritually sacrifice it. If they're FBI you'll be arrested; if not, you'll have likely scared off the crazies following you by being more crazy than them. Then you'll know.
>>
>> On Sat, Mar 2, 2013 at 6:42 PM, Jeff Kell <jeff-k...@utc.edu> wrote:
>>> On 3/2/2013 9:29 PM, Reed Loden wrote:
>>>> Check your nearby WiFi SSIDs for "FBI Surveillance Van". That's always a dead giveaway that you're being monitored.
>>>
>>> Yeah, what is it with those guys? (or the ones that perpetuate the myth...)
>>>
>>> Jeff

http://i.imgur.com/y11K1Wa.gif
Re: [Full-disclosure] list patch
On 3/3/2013 2:20 AM, Georgi Guninski wrote:
> On Sat, Mar 02, 2013 at 12:29:10PM -0500, valdis.kletni...@vt.edu wrote:
>> On Sat, 02 Mar 2013 18:17:46 +0200, Georgi Guninski said:
>>> indeed the list headers changed. "lightly moderated" sounds like "likely pregnant" to me.
>>>
>>> i suggest we move somewhere else. seriously.
>>
>> You do realize that what you're *actually* seeing here is the list headers being changed to match the way things have actually been for over 3 years now? And apparently you've been OK with it for 3 years until somebody pointed it out?
>>
>> (Though I suppose we *could* all move to someplace else where a certain troll is still allowed to post. Let me know how that turns out. :)
>
> if certain troll is n3td3v, IIRC i publicly wrote n3td3v should not be banned from the list (probably available in the archives).
>
> you appear to give up freedom for a bit of sikurity and a bit of comfort -- let's see how this sorts out.
>
> the spam secunia puts in the auto signatures reminds me how aleph1 sold bugtraq.

Surely you wouldn't be comparing trolls on an internet mailing list with the complexities of a nation state and the sum of human rights :)
Re: [Full-disclosure] Full-Disclosure Digest, Vol 89, Issue 11: ] How much time is appropriate for fixing
On 7/11/2012 8:12 AM, Григорий Братислава wrote:
> On Tue, Jul 10, 2012 at 6:40 PM, <paul.sz...@sydney.edu.au> wrote:
>> Are you familiar with Georgi's work? Please look at his website before proffering opinions.
>
> Is must be an old man thing. No one is use VAX/VMS is only people like parmaster (oh hai Jason Snitker) is use VAX to make is themselves look three is one three three seven for IRC monkeys. Oh hai, is look I know VAX because is US government is use mind control on me (http://www.raven1.net/mcf/v/snitker.htm)
>
> Guninski is washed up. Like is Japanese debris hit California right now. And is you too is washed up. No one is use punch card no more. Georgi is no one special lest is only to himself in mirror.
>
> Now is you talking Dan Kaminski, Dan is God! Only when he is not drunk and sappy over is red pill blue pill man. (Rutkowska). You is say Dan, I say all the way!

http://www.youtube.com/watch?v=m_mDTLphIVY
Re: [Full-disclosure] Full-Disclosure Digest, Vol 89, Issue 11: ] How much time is appropriate for fixing
On 7/11/2012 10:56 AM, Григорий Братислава wrote:
> Obligatory question is to must remain politically correct: When I is respond to you, am I to address is Wesley or Laurelai? Not only is you confused, you is has everyone confused. MusntLive is reserve the right to dish out equal opportunity flames and is not want to address you as Ms. if you are still a he.
>
> On Wed, Jul 11, 2012 at 11:48 AM, Laurelai <laure...@oneechan.org> wrote:
>> http://www.youtube.com/watch?v=m_mDTLphIVY

I repeat: http://www.youtube.com/watch?v=m_mDTLphIVY
Re: [Full-disclosure] How much time is appropriate for fixing a bug?
On 7/6/12 1:48 PM, Thor (Hammer of God) wrote:
> I already covered that -- if they don't fix it, then publish it. Also, if a vendor has a vulnerability to the community, then they would obviously fix it. There's no responsibility to disclose anything. FD doesn't exist to satisfy some requirement for researchers to publish vulnerability -- it exists so that people can market themselves. The "we must disclose this so that people will know and they can protect themselves" is simply a justification for the aforementioned. These people don't give a fat fuck about the industry or protecting other people. If they did, they would just post "hey, there's a vuln in this product, email me and I'll tell you about it." When no-one emails them (because this limited audience doesn't care) they don't get their deserved cred and post it. Nobody cares, and nobody remembers... his FD will simply be another tit in the peep show.
>
> People like 0DayInit and Litchfield did it the SMART way. They have a client base who have purchased a product to protect them from these vulnerabilities. People who purchase the product are protected in the meantime, as the vuln is actually addressed in the product. It actually works in their favor for the vendor to take longer, as it makes the product more valuable.
>
> Vendors want responsible disclosure so they can assign priority to plan release cadence. Disclosers want recognition, or payment, or both. Each will do what is in their own best interest. But let's not pretend it is anything other than what it is.
>
> t
>
> From: Peter Dawson <slash...@gmail.com>
> Date: Friday, July 6, 2012 10:24 AM
> To: Timothy Mullen <t...@hammerofgod.com>
> Cc: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] How much time is appropriate for fixing a bug?
>
>> Thor (Hammer of God): If and when they fix it is up to them.
>>
>> so if vendor don't fix it / ack the bug.. then what ?? Responsibility works both ways.. Advise the vendor.. if they say fuck it.. I say fuck u.. and will advise the community ! There is a responsibility to disclose a vulnerability to the community so that they can take down/block/deactivate a service.
>>
>> "All that is necessary for the triumph of evil is that good men do nothing." -whoever
>>
>> ..fuck it !
>>
>> /pd
>>
>> On Fri, Jul 6, 2012 at 12:46 PM, Thor (Hammer of God) <t...@hammerofgod.com> wrote:
>>> Well, I have to say, at least he's being honest. If the guy is chomping at the bit to release the info so he can get some attention, then let him. That, of course, is what it is all about. He's not releasing the info so that the community can be safe by forcing the vendor to fix it. He's doing it so people can see how smart he is and that he found some bug. So Joro's reply of "fuck em" is actually refreshingly honest.
>>>
>>> Regarding "how long does it take," it is completely impossible to tell. If someone fixed it in 10 minutes, good for them. It could take someone else 10 months. Any time I see things like Wikipedia advising things like "5 months" I have to lol. They have no freaking idea whatsoever as to the company's dev processes and the extent that the fix could impact legacy code or any number of other factors. I would actually have expected code bug-finders to have a better clue about these things, but apparently they don't. MSFT's process is nuts -- they have SO many dependencies, so many different products with shared code, so many legacy products, so many vendors with drivers and all manner of other stuff that the process is actually quite difficult and time consuming. Oracle is worse -- they have the same but multiplied by x platforms. Apple I think has it the easiest of the big ones, but even OSX is massively complex (and completely awesome).
>>>
>>> It is all about intent: if you want to be recognized publicly for some fame or whatever, just FD it because chances are you will anyway. If you really care about the security of the industry, then submit it and be done with it. If and when they fix it is up to them.
>>>
>>> t
>>>
>>> From: Gary Baribault <g...@baribault.net>
>>> Date: Friday, July 6, 2012 7:59 AM
>>> To: full-disclosure@lists.grok.org.uk
>>> Subject: Re: [Full-disclosure] How much time is appropriate for fixing a bug?
>>>
>>>> Hey Georgi,
>>>>
>>>> Didn't take your happy pill this morning? I would say that the answer depends on how the owner/company answers you, if you feel that they're stringing you along and
Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
On 6/10/12 6:23 AM, doc mombasa wrote:
> sure you did and i ride a popsicle motorcycle from my palace to the beach every day :)
>
> 2012/6/10 Laurelai <laure...@oneechan.org>
>> On 6/10/12 6:14 AM, doc mombasa wrote:
>>> do you by any chance listen to a lot a lot of nirvana and linkin park?
>>>
>>> 2012/6/8 Laurelai <laure...@oneechan.org>
>>>> On 6/8/12 2:14 PM, Григорий Братислава wrote:
>>>>> On Fri, Jun 8, 2012 at 2:08 PM, Laurelai <laure...@oneechan.org> wrote:
>>>>>> rights? You might want to invest in spell checking software by the way.
>>>>>
>>>>> Is really show your education is you cannot determine reality of is lexicon. Maybe is identification masquerade is hide yes? Perhaps is maybe possible is I maybe tick is you off? Neverisless, you sir are is troll. Is serious: http://tinyurl.com/laurelaitroll (is literalee troll)
>>>>
>>>> There you have it folks, the best argument the so called experts could come up with as to why we shouldn't do anything about this is name calling and half baked attempts at derailing the conversation and more spelling errors than a 5th grader's book report. I must have hit a nerve or something; makes me wonder if I'm speaking to the very people selling the zero day exploits. You wouldn't be having a guilty conscience or anything, would you all? Worried we might put a stop to your gravy train perhaps?
>>>>
>>>> Now back on topic, those of us who actually have a soul should work together to find a good solution. Anyone interested feel free to email me.
>>
>> I don't listen to either. And sorry to burst your bubble, but I did serve 10 years in the army. Next I imagine you will insult my gender identity or something equally silly.
>>
>> For the record you should capitalize the first word of each sentence and put a punctuation mark at the end; not doing this just makes you look uneducated and ensures people do not take you seriously.
Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
On 6/9/12 5:10 PM, Mark Shuler wrote:
> Nudging everyone back to the alleged Obama tactics. I'm sure everyone has an idea for the big push for cyber warriors in the United States. By the arguments I'm hearing and milling through some of the other infosec posts, who do you believe have more capability of cyber terror? NSA? Private industry? Hell, maybe there are already cyber PMCs running without a leash.

Considering what has been revealed to the public, I think it is a safe assumption the private sector and the NSA have cyber terror capability and likely use it on a regular basis.
Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
On 6/10/12 8:22 AM, doc mombasa wrote:
> maybe its because i dont take you seriously and who cares what gender you are go suck a lemon
>
> 2012/6/10 Laurelai <laure...@oneechan.org>
>> On 6/10/12 6:23 AM, doc mombasa wrote:
>>> sure you did and i ride a popsicle motorcycle from my palace to the beach every day :)
>>>
>>> 2012/6/10 Laurelai <laure...@oneechan.org>
>>>> On 6/10/12 6:14 AM, doc mombasa wrote:
>>>>> do you by any chance listen to a lot a lot of nirvana and linkin park?
>>>>>
>>>>> [...]
>>>>
>>>> I don't listen to either. And sorry to burst your bubble, but I did serve 10 years in the army. Next I imagine you will insult my gender identity or something equally silly.
>>>>
>>>> For the record you should capitalize the first word of each sentence and put a punctuation mark at the end; not doing this just makes you look uneducated and ensures people do not take you seriously.

I don't want your damn lemons, what am I supposed to do with these? http://www.youtube.com/watch?v=Dt6iTwVIiMM
Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
On 6/10/12 12:52 PM, Thor (Hammer of God) wrote:
> And not capitalizing "Army" when you claim to have spent 10 years of your life in service does precisely the same thing.
>
> On Jun 10, 2012, at 3:31 AM, Laurelai <laure...@oneechan.org> wrote:
>> I don't listen to either. And sorry to burst your bubble, but I did serve 10 years in the army. Next I imagine you will insult my gender identity or something equally silly.
>>
>> For the record you should capitalize the first word of each sentence and put a punctuation mark at the end; not doing this just makes you look uneducated and ensures people do not take you seriously.

Except I don't like the government.
Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
On 6/10/12 11:29 AM, valdis.kletni...@vt.edu wrote:
> On Sun, 10 Jun 2012 08:58:31 +0300, Georgi Guninski said:
>> What about legal windows backdoors (NSA key)?
>
> It was never confirmed whether the infamous NSAKEY was an actual backdoor, or just a hilariously poorly named variable.
>
> In any case, even if it was a backdoor, it's certainly not the same legal status as CALEA, where Federal law said "ISPs Will Provide A Law Enforcement Tap". A lot of universities which had just finished positioning themselves as ISPs in order to qualify for the 17 USC 512 copyright safe harbor provisions ended up doing a 180 degree turn and said "Not An ISP - Private Network" so they wouldn't have to meet the CALEA requirements. (An amazing number of .edu's ended up a 'private net' for CALEA purposes, but kept things in place for the safe harbor stuff as well. Fortunately, nobody's ever pushed the issue).
>
> If NSAKEY was a backdoor, it was at best a quasi-legal one, and I'm positive that everybody at both Microsoft and the NSA would prefer that their roles in the story never came to light.

I am a bit surprised by the direction of this conversation, and I have been waiting for someone to say the obvious in regards to protecting yourself from .gov malware; it really is quite simple if you think about it. Stuxnet, Duqu, Flame, etc. all only run on Windows platforms. If the people you are protecting are concerned about that kind of malware (and they should be), it would be a great time to tell them about GNU/Linux, BSD, etc.
Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
On 6/10/12 5:09 PM, Thor (Hammer of God) wrote:
> OK, I'll bite this one time. I assert you are blatantly lying about military service. How about tell me your service dates? Surely you can't consider that any sort of privacy breach. This is an easy way for us to be done with the whole thing. Part of your diatribe is based on your "right" to bitch because of your military service. I, again, assert that is complete fabrication. As someone who actually HAS done work for the government I know (as you should) that your military service records are actually public record. I don't need your service dates, but it will help. All I need do is fax over form SF-180, and they'll verify your service. If you really did serve, I'll apologize publicly. If you didn't (or don't provide the information) then we'll all know you are just a lying nutjob and we can ignore you from now on. Is that fair enough?
>
> Timothy "Thor" Mullen
> www.hammerofgod.com
> Thor's Microsoft Security Bible
>
> From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Laurelai
> Sent: Sunday, June 10, 2012 2:00 PM
> To: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
>
>> On 6/10/12 12:52 PM, Thor (Hammer of God) wrote:
>>> And not capitalizing "Army" when you claim to have spent 10 years of your life in service does precisely the same thing.
>>>
>>> On Jun 10, 2012, at 3:31 AM, "Laurelai" <laure...@oneechan.org> wrote:
>>>> I don't listen to either. And sorry to burst your bubble, but I did serve 10 years in the army. Next I imagine you will insult my gender identity or something equally silly. [...]
>>
>> Except I don't like the government.

I went to basic in September of '99 and ETS'ed in May of '08. 6 years were national guard, 4 years active duty. I went to basic at Ft. Jackson, South Carolina; the base has a lot of fire ants and the weather was a bit unpredictable. My drill sergeants' names were Drill Sergeant Hunter and Drill Sergeant Wachowski. The unit I ETS'ed from was HHB 4/5 ADA out of Camp Carroll, South Korea, and right before I left Korea our CSM was relieved of duty (CSM Larkin) for sexually harassing junior enlisted soldiers under his command. I worked in the S-6 shop in a 25B slot for a long time even though I had been trained as a 14E (Patriot systems operator and maintainer). I went to echo school at Ft. Bliss, and let me tell you, when I got there I thought the place was just terrible, but there is nothing like the view of watching the sun set against those desert mountains, absolutely beautiful. While I was in South Korea I met up with hubris from Backtrace Security, believe it or not, since he was in the area at the time (this was before there ever was a Backtrace Security); he showed me all the fun places to hang out away from the tourist traps and he has seen me in uniform. So stick that in
Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
On 6/10/12 5:22 PM, Ian Hayes wrote:
> Then why did you work for them? (or so you claim)
>
> On Jun 10, 2012 2:01 PM, Laurelai <laure...@oneechan.org> wrote:
>> On 6/10/12 12:52 PM, Thor (Hammer of God) wrote:
>>> And not capitalizing Army when you claim to h...
>>
>> Except I don't like the government.

I did, I don't any longer.
Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
On 6/10/12 5:09 PM, Thor (Hammer of God) wrote:
> OK, I'll bite this one time. I assert you are blatantly lying about military service. How about tell me your service dates? [...] If you really did serve, I'll apologize publicly. If you didn't (or don't provide the information) then we'll all know you are just a lying nutjob and we can ignore you from now on. Is that fair enough?
>
> Timothy "Thor" Mullen
> www.hammerofgod.com
> Thor's Microsoft Security Bible
>
> [...]

And I hope those antisec kids own the lot of you frauds. Really, I ask a simple question on how to avoid state sponsored malware that runs exclusively on Windows platforms and not a single one of you said anything about using an alternate OS; some of you insisted in fact we should just lie down and take it. You aren't security experts, you are scam artists. Makes me wonder if you are paid to act this way or if you all really just didn't consider it. Either answer is pretty chilling.
Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
On 6/10/12 5:54 PM, Benji wrote:
> Which antisec kids? Unfortunately, due to some people being utterly deluded, such as yourself, throwing that word around, it's rather ambiguous now.
>
> On Sun, Jun 10, 2012 at 10:49 PM, Laurelai <laure...@oneechan.org> wrote:
>> On 6/10/12 5:09 PM, Thor (Hammer of God) wrote:
>>> OK, I'll bite this one time. I assert you are blatantly lying about military service. How about tell me your service dates? [...] Is that fair enough?
>>>
>>> Timothy "Thor" Mullen
>>> www.hammerofgod.com
>>> Thor's Microsoft Security Bible
>>>
>>> [...]
Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
On 6/10/12 6:00 PM, Thor (Hammer of God) wrote: Awesome. Ill send er off. Andrew Wallace, correct? Timothy Thor Mullen www.hammerofgod.com Thors Microsoft Security Bible From: Laurelai [mailto:laure...@oneechan.org] Sent: Sunday, June 10, 2012 2:26 PM To: Thor (Hammer of God) Cc: full-disclosure@lists.grok.org.uk Subject: Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran On 6/10/12 5:09 PM, Thor (Hammer of God) wrote: OK, Ill bite this one time. I assert you are blatantly lying about military service. How about tell me your service dates? Surely you cant consider that any sort of privacy breach. This is an easy way for us to be done with the whole thing. Part of your diatribe is based on your right to bitch because of your military service. I, again, assert that is complete fabrication. As someone who actually HAS done work for the government I know (as you should) that your military service records are actually public record. I dont need your service dates, but it will help. All I need do is fax over form SF-180, and theyll verify your service. If you really did serve, Ill apologize publically. If you didnt (or dont provide the information) then well all know you are just a lying nutjob and we can ignore you from now on. Is that fair enough? Timothy Thor Mullen www.hammerofgod.com Thors Microsoft Security Bible From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Laurelai Sent: Sunday, June 10, 2012 2:00 PM To: full-disclosure@lists.grok.org.uk Subject: Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran On 6/10/12 12:52 PM, Thor (Hammer of God) wrote: And not capitalizing "Army" when you claim to have spent 10 years of your life in service does precisely the same thing. On Jun 10, 2012, at 3:31 AM, "Laurelai" laure...@oneechan.org wrote: I dont listen to either. And sorry to burst your bubble but I did serve 10 years in the army. 
Next I imagine you will insult my gender identity or something equally silly. For the record, you should capitalize the first word of each sentence and put a punctuation mark at the end; not doing this just makes you look uneducated and ensures people do not take you seriously. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ Except I don't like the government. I went to basic in September of '99 and ETS'ed in May of '08. 6 years were National Guard, 4 years active duty. I went to basic at Ft. Jackson, South Carolina; the base has a lot of fire ants and the weather was a bit unpredictable. My drill sergeants' names were Drill Sergeant Hunter and Drill Sergeant Wachowski. The unit I ETS'ed from was HHB 4/5 ADA out of Camp Carroll, South Korea, and right before I left Korea our CSM was relieved of duty (CSM Larkin) for
Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
On 6/10/12 11:10 PM, Thor (Hammer of God) wrote: Well no freaking wonder then. For whatever reason, I keep thinking you are Andrew posting under a different name, which always confused me. I know Andrew didn't serve in the Army, which just made me think he was losing his mind. (I've actually never had a problem with Andrew, though I guess many here have.) So yes, my apologies, as I obviously don't know you from Adam. Now everything makes more sense. T Sent from my iPad On Jun 10, 2012, at 4:21 PM, Laurelai laure...@oneechan.org wrote: On 6/10/12 6:00 PM, Thor (Hammer of God) wrote: Awesome. I'll send 'er off. "Andrew Wallace," correct? Timothy "Thor" Mullen www.hammerofgod.com Thor's Microsoft Security Bible http://www.amazon.com/Thors-Microsoft-Security-Bible-Collection/dp/1597495727 From: Laurelai [mailto:laure...@oneechan.org] Sent: Sunday, June 10, 2012 2:26 PM To: Thor (Hammer of God) Cc: full-disclosure@lists.grok.org.uk Subject: Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran On 6/10/12 5:09 PM, Thor (Hammer of God) wrote: OK, I'll bite this one time. I assert you are blatantly lying about military service. How about tell me your service dates? Surely you can't consider that any sort of privacy breach. This is an easy way for us to be done with the whole thing. Part of your diatribe is based on your "right" to bitch because of your military service. I, again, assert that is complete fabrication. As someone who actually HAS done work for the government I know (as you should) that your military service records are actually public record. I don't need your service dates, but it will help. All I need do is fax over form SF-180, and they'll verify your service. If you really did serve, I'll apologize publicly. If you didn't (or don't provide the information) then we'll all know you are just a lying nutjob and we can ignore you from now on. Is that fair enough?
Timothy "Thor" Mullen www.hammerofgod.com Thor's Microsoft Security Bible http://www.amazon.com/Thors-Microsoft-Security-Bible-Collection/dp/1597495727 From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Laurelai Sent: Sunday, June 10, 2012 2:00 PM To: full-disclosure@lists.grok.org.uk Subject: Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran On 6/10/12 12:52 PM, Thor (Hammer of God) wrote: And not capitalizing Army when you claim to have spent 10 years of your life in service does precisely the same thing. On Jun 10, 2012, at 3:31 AM, Laurelai laure...@oneechan.org wrote: I don't listen to either. And sorry to burst your bubble but I did serve 10 years in the army. Next I imagine you will insult my gender identity or something equally silly. For the record, you should capitalize the first word of each sentence and put a punctuation mark at the end; not doing this just makes you look uneducated and ensures people do not take you seriously. Except I don't like the government. I went to basic in September of '99 and ETS'ed in May of '08. 6 years were National Guard, 4 years active duty. I went to basic at Ft. Jackson, South Carolina; the base has a lot of fire ants and the weather was a bit unpredictable.
My drill sergeants' names were Drill Sergeant Hunter and Drill Sergeant Wachowski. The unit I ETS'ed from was HHB 4/5 ADA out of Camp Carroll, South Korea, and right before I left Korea our CSM was relieved of duty (CSM Larkin) for sexually harassing junior enlisted soldiers under his command. I worked in the S-6 shop in a 25B slot for a long time even though I had been trained as a 14E (Patriot systems operator and maintainer). I went to Echo school at Ft. Bliss and let me tell you, when I got there I thought the place was just terrible, but there is nothing like the view of watching the sun set against those desert mountains, absolutely beautiful. While I was in South Korea I met up with Hubris from Backtrace Security, believe it or not, since he was in the area at the time (this was before there ever was a Backtrace Security); he showed me all the fun
Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
On 6/8/12 1:03 PM, Thor (Hammer of God) wrote: finding solutions to countries using cyberwar and using innocent people's machines to carry it out, invading people's privacy and generally doing terrible stuff in the name of god and country. What solution? And who exactly is going to find it? The entire history of mankind is based on the terrible stuff we do in the name of god and country. We, of course, being humans. All we need is one of the two and we've got all the justification we need to go off and kill someone else for having a different god or different country. Note I said justification and not motivation. God and country are just excuses, means to an end. There's always another agenda. Man does things for two reasons: to get laid, or to get paid. Everything else is just a nice fuzzy wrap to make us feel better about ourselves. Finding some other solution is naive and a waste of time. We, and everyone else, will do whatever we want to do, and do whatever it takes to get away with it. It's as simple as that. It's easy and convenient for you to bitch about the injustices from behind a keyboard when men and women are out there DYING for their country and the integrity of what they believe in, irrespective of the basis of the decisions their commanding bodies have for sending them out there. It's called real life. Grow up and go get that bleeding heart sewn up at some free clinic, paid for by the government that has to do the hard work in order to preserve your right to whine about it.
Timothy "Thor" Mullen www.hammerofgod.com Thor's Microsoft Security Bible From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Laurelai Sent: Friday, June 08, 2012 9:04 AM To: full-disclosure@lists.grok.org.uk Subject: Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran On 6/8/12 11:38 AM, valdis.kletni...@vt.edu wrote: On Thu, 07 Jun 2012 13:48:33 -0400, Ian Hayes said: On Thu, Jun 7, 2012 at 1:40 PM, andrew.wallace andrew.wall...@rocketmail.com wrote: On Tue, Jun 5, 2012 at 8:43 PM, valdis.kletni...@vt.edu wrote: One could equally well read that as "We're fed up and about to pound North Korea even further back into the Stone Age". With Stuxnet, it was lucky nobody was seriously injured. You cannot condone such weapons Valdis, or your hat will start to turn grey, black. Stuxnet may not have killed anyone, but several Iranian nuclear scientists were assassinated in conjunction with Stuxnet's release. Please don't feed the troll - the only way he can post to full-disclosure is if somebody quotes him in. The worst part is that Andrew's reading comprehension is as good as always - I wasn't commenting on Stuxnet, but the move of naval forces to the Pacific. China isn't the only reason we might want a naval task force over there. And I never said I condoned it, merely pointed out alternate interpretations. The funny thing is that Andrew was going on for a *long* time that there is no such thing as cyber-warfare - when in fact it was going on while he was denying it. I think the real question we should all think on is what are we going to do about this kind of thing? Because the way I see it, the infosec industry is part of this problem until it finds a way to be a part of the solution, if you all even desire this.
If you do then let's talk about finding solutions to countries using cyberwar and using innocent people's machines to carry it out, invading people's privacy and generally doin
Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
On 6/8/12 1:41 PM, Григорий Братислава wrote: On Fri, Jun 8, 2012 at 1:36 PM, Laurelai laure...@oneechan.org wrote: Excuse me but I'm a veteran who served 10 years in the Army and I damn well earned my right to complain about how broken the system is. Myself and the soldiers around me sacrificed so that we could all have a free country and that yes, I could whine about it. It's called the US Constitution; we took an oath to uphold and defend it and everything it stands for. I didn't sign up to get laid or paid, I did it to serve a cause greater than myself, not that you would know anything about that. Oh and that free clinic paid for by the government is called the VA Hospital and I already earned the care I can receive there. Want to complain about it now? Feel free. You have that right. It's called freedom of speech. You are welcome. Is this time you serve when you was boy? (Wesley Bailey) Or is after you is transform. Is valid question. Yes is Wesley have right to complain, Wesley in Army, not Laurelai. Laurelai has no right -- `Wherever I is go - there am I routed` Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances. I know English isn't your first language so if you need help with the words let me know. I don't see any part there that says trans people still don't have that right.
Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
On 6/8/12 1:48 PM, Ian Hayes wrote: On Fri, Jun 8, 2012 at 1:36 PM, Laurelai laure...@oneechan.org wrote: All that is necessary /for evil to triumph/ is for good people to do nothing. The corollary to that argument is that *good people* must not resort to the same tactics as the people they are fighting. To lie down in the same mud makes you just as dirty. And that brings us back to what are we going to do about the US Gov lying down in the same mud as the bad guys.
Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
On 6/8/12 1:51 PM, Григорий Братислава wrote: On Fri, Jun 8, 2012 at 1:47 PM, Laurelai laure...@oneechan.org wrote: Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances. I know English isn't your first language so if you need help with the words let me know. I don't see any part there that says trans people still don't have that right. I am is glad you know lots about my first language maybe too perhaps also you perhaps wrong? Is you see no mention of trans people perhaps maybe is because men is have balls back is when constitution written. Maybe perhaps yes is you c you can maybe perhaps is point us out where it say Adam and heshe or Mahmoud and heshe or Menachnem and heshe Why would I care about the fictional writings of people long dead (people who may not have even existed) in regards to modern human rights? You might want to invest in spell checking software by the way.
Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
On 6/8/12 2:08 PM, Григорий Братислава wrote: On Fri, Jun 8, 2012 at 1:58 PM, Laurelai laure...@oneechan.org wrote: And that brings us back to what are we going to do about the US Gov laying down in the same mud as the bad guys I is detect narcissism Wesley. what are we is you ask. Define we. Is you has gang behind you? (I is not mean for those actions is we call in your pronounce huesos). You are is nobody special don't is kidding yourself. You are is home living with mama and papa confused manshe who is cannot hold down job because of yours is action is let alone start any revolution. I am having a really hard time reading what you are trying to say behind all of those horrendous spelling and grammar errors.
Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
On 6/8/12 2:41 PM, Christian Sciberras wrote: Perhaps the US Government would gain better results by mass protests and chanting peace songs. Or perhaps it just doesn't work this way. They shouldn't be blamed, everyone knows fighting fire with fire is very effective, just as everyone knows the people calling the government names are the same ones with small botnets lying about. Can't blame them, now that someone else is using their own tools against them. On Fri, Jun 8, 2012 at 8:20 PM, Laurelai laure...@oneechan.org wrote: On 6/8/12 2:14 PM, Григорий Братислава wrote: On Fri, Jun 8, 2012 at 2:08 PM, Laurelai laure...@oneechan.org wrote: rights? You might want to invest in spell checking software by the way. Is really show your education is you cannot determine reality of is lexicon. Maybe is identification masquerade is hide yes? Perhaps is maybe possible is I maybe tick is you off? Neverisless, you sir are is troll. Is serious: http://tinyurl.com/laurelaitroll (is literalee troll) There you have it folks, the best argument the so-called experts could come up with as to why we shouldn't do anything about this is name calling and half-baked attempts at derailing the conversation and more spelling errors than a 5th grader's book report. I must have hit a nerve or something; makes me wonder if I'm speaking to the very people selling the zero-day exploits. You wouldn't be having a guilty conscience or anything, would you all? Worried we might put a stop to your gravy train perhaps? Now back on topic, those of us who actually have a soul should work together to find a good solution. Anyone interested feel free to email me. *adds names to a list of people likely selling zero days*
Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
On 6/8/12 2:56 PM, Григорий Братислава wrote: On Fri, Jun 8, 2012 at 2:52 PM, Laurelai laure...@oneechan.org wrote: *adds names to a list of people likely selling zero days* Is not surprise me. Is you need know, national security trumps FBI CIS http://www.fbi.gov/news/testimony/improving-our-confidential-human-source-program every times. You could not is even touch me with ten foot drag queen pole. Is thanks for clarifying your role. You mean where I publicly called out the people selling zero days to the US gov?
Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
On 6/8/12 3:09 PM, Григорий Братислава wrote: On Fri, Jun 8, 2012 at 3:02 PM, Laurelai laure...@oneechan.org wrote: You mean where i publicly called out the people selling zero days to the US gov? No I is meant where you allow is your narcissism is permeate in conversation. http://www.youtube.com/watch?v=j7jhb8_UPfw
Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
On 6/8/12 3:12 PM, Ian Hayes wrote: On Fri, Jun 8, 2012 at 2:41 PM, Christian Sciberras uuf6...@gmail.com wrote: Perhaps the US Government would gain better results by mass protests and chanting peace songs. Or perhaps it just doesn't work this way. They shouldn't be blamed, everyone knows fighting fire with fire is very effective, just as everyone knows the people calling the government names are the same ones with small botnets lying about. Can't blame them, now that someone else is using their own tools against them. I call upon the ghost of Heinlein: Anyone who clings to the historically untrue—and thoroughly immoral—doctrine that, ‘violence never settles anything’ I would advise to conjure the ghosts of Napoleon Bonaparte and the Duke of Wellington and let them debate it. The ghost of Hitler could referee, and the jury might well be the Dodo, the Great Auk and the Passenger Pigeon. Violence, naked force, has settled more issues in history than has any other factor, and the contrary opinion is wishful thinking at its worst. Breeds that forget this basic truth have always paid for it with their lives and freedom.” There are those out there in power who only know the language of brute, naked force. No amount of cajoling, pleading, bargaining nor wheedling will sway them. On appeals to their better nature, no brilliant displays of logic and intellect. Pretty words uttered by politicians fall on deaf ears. But a punch to the nose, a kick to the nuts -the universal language of violence- that's something they understand intimately. And they respect that. Of course it's always preferable to sit down at the negotiating table and barter out a peace. What do we do when they knock over the table and make a mess? What separates us from them is the fact that we normally don't speak the universal language from the get-go. Is it deplorable? Yes. But like having to take a crap every now and then, it's necessary. 
The murder of civilians is certainly a terrible crime, but that and the release of some malware that breaks centrifuges is certainly better than other options. I don't see how Iran developing nuclear power is a threat; I'm sorry, to me this just seems like more fear mongering. And remember, the only nation that has ever shown itself *insane* enough to actually use nuclear weapons on other human beings is the USA, and history showed the use was completely unwarranted. I don't get why we can have literally enough nuclear weapons to wipe out all life on the surface of the planet but Iran developing nuclear *power* is somehow a national security threat.
Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
On 6/8/12 3:33 PM, James Condron wrote: And now we degenerate into a political argument nobody but the poster gives a fuck about. Ta for that, maybe take it elsewhere. Let's keep on topic (though we may be several posts behind) Sent using BlackBerry® from Orange -Original Message- From: Bzzz lazyvi...@gmx.com Sender: full-disclosure-boun...@lists.grok.org.uk Date: Fri, 8 Jun 2012 20:03:51 To: full-disclosure@lists.grok.org.uk Subject: Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran On Fri, 08 Jun 2012 13:36:07 -0400 Laurelai laure...@oneechan.org wrote: Excuse me but I'm a veteran who served 10 years in the Army and I damn well earned my right to complain about how broken the system is. Myself and the soldiers around me sacrificed so that we could all have a free country and that yes, I could whine about it. It's called the US Constitution; we took an oath to uphold and defend it and everything it stands for. And in 10 years you didn't understand how the system is working, that you were following orders from people that won't ever take any risk (nor their family or friends), that are themselves receiving their orders from big money/business/politics you'll never see on TV nor in any newspaper. So while I'm saying here that the civil liberties I swore to uphold and defend are eroding away and that evil is triumphing over the US, you are telling me this is business as usual. You are not lucid; your country has _always_ been a rat lab where masters tell you that you're free, but dig a (tiny) bit and you'll see that's always been a big fat lie (i.e.: you pay income taxes? but the 19th amendment has never been ratified - and your own justice is enforcing sanctions if you don't pay, knowing what they do is totally illegal...) Just because something evil is the established way of things or is becoming the established way of things doesn't mean we have to or should accept it.
Perhaps *you* should stop being so cold and jaded about the evils of the world and put some, you know, *effort* into fixing them instead of trying to shout down anyone who tries or talks about trying to make the world better. I think he's living in a real world and looks at it coldly without any indulgence. You are honestly implying that there is absolutely nothing that can ever be done, ever, and we should all just lie down and take it; can you understand why I might take issue with that perspective? You are saying in essence "There is no more room to improve so we should never again try." Thor missed one thing though: he said people are doing things for 2 reasons, get laid or get paid; there are 2 more reasons: for fun and for ideals, the latter being the most dangerous thing in the whole world. Jean-Yves Thank you, let's now discuss how infosec experts are going to deal with the threat of state-sponsored cyberwarfare, and "bend over and take it" is not really a good answer.
Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
On 6/8/12 3:46 PM, Ian Hayes wrote: On Fri, Jun 8, 2012 at 3:38 PM, Laurelai laure...@oneechan.org wrote: Thank you, let's now discuss how infosec experts are going to deal with the threat of state-sponsored cyberwarfare, and "bend over and take it" is not really a good answer. Sure it is, it's just not the answer you want. http://www.theonion.com/articles/god-answers-prayers-of-paralyzed-little-boy,475/ So your honest view as an information security expert is to just lie down and take it?
Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
On 6/8/12 3:54 PM, Ian Hayes wrote: On Fri, Jun 8, 2012 at 3:49 PM, Laurelai laure...@oneechan.org wrote: On 6/8/12 3:46 PM, Ian Hayes wrote: On Fri, Jun 8, 2012 at 3:38 PM, Laurelai laure...@oneechan.org wrote: Thank you, let's now discuss how infosec experts are going to deal with the threat of state-sponsored cyberwarfare, and "bend over and take it" is not really a good answer. Sure it is, it's just not the answer you want. http://www.theonion.com/articles/god-answers-prayers-of-paralyzed-little-boy,475/ So your honest view as an information security expert is to just lie down and take it? Never said that. I just said that "bend over and take it" is an acceptable answer. And you would be wrong.
Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
On 6/8/12 9:56 PM, Jason Hellenthal wrote: Shit, I'll give the NSA a shell on any system... if it means achieving a greater goal. Whether it's wrong or not... let the bots decide who is the better player as long as it brings the US into a primary position of power. On Wed, Jun 06, 2012 at 11:22:32PM -0400, Laurelai wrote: On 6/6/12 2:23 PM, Peter Dawson wrote: haha..da return of da farewell dossier !! On Wed, Jun 6, 2012 at 2:21 PM, coderman coder...@gmail.com wrote: On Wed, Jun 6, 2012 at 11:16 AM, coderman coder...@gmail.com wrote: ... uncle sam has been up in yer SCADA for two decades. three decades; too early for maths! Guys, can we focus on the fact that the US Government is en masse accessing computer systems without due process, and trying to prosecute the people who made this known to the public. Here we have a real life example of someone who is a part of the problem.
Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
On 6/7/12 4:44 AM, doc mombasa wrote: why aren't you out on the streets blowing up stuff and taking names? be a role model 2012/6/7 Laurelai laure...@oneechan.org On 6/7/12 12:05 AM, Ian Hayes wrote: On Wed, Jun 6, 2012 at 11:49 PM, Laurelai laure...@oneechan.org wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 6/6/12 11:44 PM, valdis.kletni...@vt.edu wrote: On Wed, 06 Jun 2012 23:22:32 -0400, Laurelai said: Guys, can we focus on the fact that the US Government is en masse accessing computer systems without due process, and trying to prosecute the people who made this known to the public. After a decade of unindicted torture of prisoners, renditions, spying on our own citizens, and killing of our own citizens, and a long list of other stuff, all without due process, you really think anybody cares about a little illicit hacking without due process? I'm afraid that ship basically sailed when Pelosi said impeachment was off the table... And why aren't people in the streets demanding they all step down? Such naivety. It's charming. You have much to learn about American apathy. There were people in the streets. They were marginalized, and made fun of, pepper sprayed, called entitled dirty socialists and told to get a job. As long as people care more about what happens on American Idol and whoever Kim Kardashian is divorcing this week, they're not going to care one iota about what the government is doing to some country that probably had it coming to them in the first place. You want the masses out in the streets with the torches and pitchforks, you're going to have to overcome decades of being programmed to not care what the government does anymore as long as the TV works, there's beer in the fridge, and porn is still freely available.
I know about the apathy, I see it every day. I see it a lot in the older generations. It's the younger generations out there getting maced and beaten and thrown in jail for standing up for what they think is right. It sickens me that the average person doesn't care. I prefer non-violent solutions.
Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
On 6/7/12 1:48 PM, Ian Hayes wrote: On Thu, Jun 7, 2012 at 1:40 PM, andrew.wallace andrew.wall...@rocketmail.com wrote: On Tue, Jun 5, 2012 at 8:43 PM, valdis.kletni...@vt.edu wrote: One could equally well read that as "We're fed up and about to pound North Korea even further back into the Stone Age." With Stuxnet, it was lucky nobody was seriously injured. You cannot condone such weapons Valdis, or your hat will start to turn grey, black. Stuxnet may not have killed anyone, but several Iranian nuclear scientists were assassinated in conjunction with Stuxnet's release. Civilian scientists at that.
Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
On 6/5/12 2:52 AM, Alexander Georgiev wrote:
> http://en.wikipedia.org/wiki/Argument_from_ignorance
>
> On 04.06.2012 21:01, Joel Esler wrote:
>> So, a quote, from a book? Isn't that kinda circular? Also, there are no quotes from anyone in the room and no one is referenced except by association. Not saying it's not true, but there's nothing there that indicates it is. The only people who will know if this is 100% true were in the Oval Office at the time, and those people aren't going to be quoted in a NYTimes article.
>>
>> http://upload.wikimedia.org/wikipedia/commons/1/18/%22Citation_needed%22.jpg
>>
>> --
>> Joel Esler
>>
>> On Monday, June 4, 2012 at 2:52 PM, Jeffrey Walton wrote:
>>> https://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html
>>>
>>> WASHINGTON --- From his first months in office, President Obama secretly ordered increasingly sophisticated attacks on the computer systems that run Iran's main nuclear enrichment facilities, significantly expanding America's first sustained use of cyberweapons, according to participants in the program.
>>>
>>> Hasan Sarbakhshian/Associated Press
>>>
>>> Mr. Obama decided to accelerate the attacks --- begun in the Bush administration and code-named Olympic Games --- even after an element of the program accidentally became public in the summer of 2010 because of a programming error that allowed it to escape Iran's Natanz plant and sent it around the world on the Internet. Computer security experts who began studying the worm, which had been developed by the United States and Israel, gave it a name: Stuxnet.
>>>
>>> At a tense meeting in the White House Situation Room within days of the worm's escape, Mr. Obama, Vice President Joseph R. Biden Jr. and the director of the Central Intelligence Agency at the time, Leon E. Panetta, considered whether America's most ambitious attempt to slow the progress of Iran's nuclear efforts had been fatally compromised.
>>>
>>> ...

Is anyone else the least bit concerned that Stuxnet was carried out by the US Government? I mean, let's look at this: the US Government committed an act they themselves would consider cyber terrorism, infecting millions of civilian machines. While they say it got out of control, and let's just go with that for simplicity, once it got out of control wouldn't the right thing have been to shut it down instead of trying to evade detection and continuing the project? How many antivirus vendors were kept from doing their jobs during this? And how many were actively cooperating? I know for a fact HBGary was working with the NSA in regards to Stuxnet.

Was it really worth it to compromise the security and privacy of millions of innocent people just to shut down some power plants? Oh, and let's not forget the assassination of civilian scientists. People seem to think that since the US Gov did it that makes it ok; well, I do not think it does. Especially when they throw kids with small botnets in jail for being mad at the system 'cause it's crooked. I mean, that has to be the largest cyber attack of all time; this makes the shit the LulzSec people carried out look mild in comparison, and those guys are facing a decade in jail and the person who wrote Stuxnet probably got a medal and a fat check.

Oh, and a message to the feds I'm sure watch this list: http://pwnies.com/winners/ You guys might want to go claim that award and present it to Obama, he did earn it after all ;) (and he beat LulzSec for the award)

I mean, this mailing list is about threats to information security, so let's call a spade a spade. Right now the biggest threat to cyber-security is the US Government; it has proven it can silently infect machines with worms powered by zero day exploits and stolen driver certificates. (They were able to acquire them twice at least with no issue; my bet is they just asked for them.)

And another thing: I somehow doubt the New York Times would publish unless they have reliable sources. Combined with this http://online.wsj.com/article/SB10001424052702303506404577448563517340188.html?utm_source=twitterfeed&utm_medium=twitter it pretty much tells me the article was spot on.

Can we now discuss the fact the US Gov committed an act of cyber war against its own people, the people of other sovereign nations and *itself*?

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
On 6/6/12 11:50 AM, Charles Morris wrote:
>> I know for a fact HBGary was working with the NSA in regards to stuxnet.
>
> I've never been all that good at spelling... but am I wrong that HBGary is an anagram for posturing charlatan? Alternatively: if this is true then we are even worse off than I thought.

It was in the leaked HBGary emails, communications with the NSA regarding Stuxnet. Why am I the only one who remembers this?
Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
On 6/6/12 12:18 PM, Charles Morris wrote:
> On Wed, Jun 6, 2012 at 12:13 PM, Laurelai laure...@oneechan.org wrote:
>> On 6/6/12 11:50 AM, Charles Morris wrote:
>>>> I know for a fact HBGary was working with the NSA in regards to stuxnet.
>>>
>>> I've never been all that good at spelling... but am I wrong that HBGary is an anagram for posturing charlatan? Alternatively: if this is true then we are even worse off than I thought.
>>
>> It was in the leaked HBgary emails, communications with the NSA regarding stuxnet. Why am i the only one who remembers this?
>
> I don't agree, disagree, or comment in any other way than my surprise, as I want to have respect for the NSA- but I suppose there are bad decisions made in any organization.

The fact that it quickly escaped out of control should tell you something.
Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
On 6/6/12 6:08 PM, valdis.kletni...@vt.edu wrote:
> On Wed, 06 Jun 2012 10:41:24 -0400, Laurelai said:
>> People seem to think that since the US Gov did it that makes it ok, well I do not think it does. Especially when they throw kids with small botnets in jail for being mad at the system cause its crooked.
>
> You're a little bit confused here. It doesn't matter what people think. It matters what the people with more rifles, mortars, tanks, and ammo than you think. Unless you come up with a way to level the playing field.

So you admit we live in a police state?
Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
On 6/6/12 6:19 PM, Andrew D Kirch wrote:
> On 6/6/2012 6:08 PM, valdis.kletni...@vt.edu wrote:
>> You're a little bit confused here. It doesn't matter what people think. It matters what the people with more rifles, mortars, tanks, and ammo than you think. Unless you come up with a way to level the playing field.
>
> I think you just identified it. buy rifles (I have, there's a Colt M4 Law Enforcement Carbine sitting next to me), but mortars (a bit difficult but not impossible to get) buy tanks (quite easy to get if you know where to look), and buy ammo. DEMAND that federal firearms laws be revised, and specifically repeals of 18 USC 921-922. Yet again I point out your VT.edu e-mail and your refusal to listen to Jefferson's warnings. The man wrote your state constitution. He wasn't kidding when he did it.
>
> Andrew

I never thought I'd be agreeing with Andrew, but in this case he is right; that's what the second amendment was written for. However, my idea is quite a bit less violent. Stop selling these people 0-days. Just stop. I mean, everyone here talks about how much of a threat cybercriminals are, and yet some of the people who I'm sure are on this list are selling exploits to governments, and they do quite a bit more harm than these kids do. They have turned the US Gov into the largest script kiddy clan on the net. Until people inside the industry stop doing that I really don't think there is any point *in* the infosec field, because at this point you all are not even trying anymore.
Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
On 6/6/12 9:20 PM, valdis.kletni...@vt.edu wrote:
> On Wed, 06 Jun 2012 18:19:21 -0400, Andrew D Kirch said:
>> I think you just identified it. buy rifles (I have, there's a Colt M4 Law Enforcement Carbine sitting next to me), but mortars (a bit difficult but not impossible to get) buy tanks (quite easy to get if you know where to look), and buy ammo. DEMAND that federal firearms laws be revised, and specifically repeals of 18 USC 921-922. Yet again I point out your VT.edu e-mail and your refusal to listen to Jefferson's warnings.
>
> What's this *my* refusal to listen? I suspect you know less of my politics than you think you do. ;)
>
> Incidentally, asymmetric warfare does a great job of leveling the field. ;)

So let's have a serious talk about countering what is clearly the greatest threat to cyber security around right now.
Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
On 6/6/12 2:16 PM, coderman wrote:
> On Wed, Jun 6, 2012 at 7:41 AM, Laurelai laure...@oneechan.org wrote:
>> ... Is anyone else the least bit concerned that stuxnet was carried out by the US Government?
>
> remember the siberian pipeline? uncle sam has been up in yer SCADA for two decades. if this is a surprise, you aren't paying attention. and if you're only concerned _now_, you aren't paying attention.
>
> http://en.wikipedia.org/wiki/Siberian_pipeline_sabotage

Oh, I've been concerned before; it just looks like people as a whole don't even care.
Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
On 6/6/12 2:23 PM, Peter Dawson wrote:
> haha..da retrun of da farewell dossier !!
>
> On Wed, Jun 6, 2012 at 2:21 PM, coderman coder...@gmail.com wrote:
>> On Wed, Jun 6, 2012 at 11:16 AM, coderman coder...@gmail.com wrote:
>>> ... uncle sam has been up in yer SCADA for two decades.
>>
>> three decades; too early for maths!

Guys, can we focus on the fact that the US Government is en masse accessing computer systems without due process, and trying to prosecute the people who made this known to the public?
Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
On 6/6/12 11:44 PM, valdis.kletni...@vt.edu wrote:
> On Wed, 06 Jun 2012 23:22:32 -0400, Laurelai said:
>> Guys can we focus on the fact that the US Government is en mass accessing computer systems without due process, and trying to prosecute the people who made this known to the public.
>
> After a decade of unindicted torture of prisoners, renditions, spying on our own citizens, and killing of our own citizens, and a long list of other stuff, all without due process, you really think anybody cares about a little illicit hacking without due process? I'm afraid that ship basically sailed when Pelosi said impeachment was off the table...

And why aren't people in the streets demanding they all step down?
Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
On 6/7/12 12:05 AM, Ian Hayes wrote:
> On Wed, Jun 6, 2012 at 11:49 PM, Laurelai laure...@oneechan.org wrote:
>> On 6/6/12 11:44 PM, valdis.kletni...@vt.edu wrote:
>>> On Wed, 06 Jun 2012 23:22:32 -0400, Laurelai said:
>>>> Guys can we focus on the fact that the US Government is en mass accessing computer systems without due process, and trying to prosecute the people who made this known to the public.
>>>
>>> After a decade of unindicted torture of prisoners, renditions, spying on our own citizens, and killing of our own citizens, and a long list of other stuff, all without due process, you really think anybody cares about a little illicit hacking without due process? I'm afraid that ship basically sailed when Pelosi said impeachment was off the table...
>>
>> And why arent people in the streets demanding they all step down?
>
> Such naivety. It's charming. You have much to learn about American apathy. There were people in the streets. They were marginalized, and made fun of, pepper sprayed, called entitled dirty socialists and told to get a job. As long as people care more about what happens on American Idol and whoever Kim Kardashian is divorcing this week, they're not going to care one iota about what the government is doing to some country that probably had it coming to them in the first place. You want the masses out in the streets with the torches and pitchforks, you're going to have to overcome decades of being programmed to not care what the government does anymore as long as the TV works, there's beer in the fridge, and porn is still freely available.

I know about the apathy; I see it every day. I see it a lot in the older generations. It's the younger generations out there getting maced and beaten and thrown in jail for standing up for what they think is right. It sickens me that the average person doesn't care.
Re: [Full-disclosure] cDc Created Hong Kong Blondes and 'Hacktivism' as a Media Hack
On 5/3/12 2:24 PM, Wei Honker wrote:
> cDc Created Hong Kong Blondes and 'Hacktivism' as a Media Hack
> http://weihonker.tumblr.com/
>
> Anonymous is a Lie
>
> Anonymous is a lie. Anonymous is built on a false foundation that casts a pale shadow over anything and everything they attempt to accomplish. While born out of the trolls and lulz of the /b/ board on fourchan, Anonymous has quickly become an online activist movement. The group has targeted everything from oppressive regimes in the Middle East to opposition about Internet censorship. They have been launching DDoS attacks from the comfort of their basements while people in the street are literally gunned down, and then they have the audacity to claim victory for themselves because they managed to take a website offline for a few hours. These actions, these minor irritations, have given Anonymous the audacity to call themselves hacktivists, a term that is itself a lie. By using the term hacktivist or hacktivism Anonymous is helping to perpetuate one of the biggest media hacks of all time and they don't even know it.
>
> Pulling pranks on the media has a long history with the computer underground. One of the best examples is the entire movie "Hackers", which is so full of inside jokes they cease to be funny. Although when you examine the list of technical consultants the lack of humor makes sense. Hackers, the movie, is such a huge media hack the plot is used not once, but twice. The second time with Serena Altschul and the "True Life" show on MTV. The show supposedly illustrates a so-called 'hacker' who convinces Serena to follow him around while he attempts to retrieve a disk before the feds do, which is exactly the same plot used in the movie "Hackers". Even after Serena and MTV were told they were being trolled they chose to air the footage anyway. I don't know who from the computer underground was the first to execute a media hack, but some of the best have come from the Cult of the Dead Cow.
>
> To give you an idea of just how prolific and proficient the cDc is at hacking the media, consider that their slogan is 'World Domination through Media Saturation'. This is nowhere more apparent than the spectacle that was the BO2K release during Defcon in 1999. No software launch in recorded history, including those done by the media savvy Apple Inc., could touch this. Everything from smashing guitars to furry assless chaps to bad rap music with all the cDc members prancing around on stage as if it was the second coming. All that spectacle for nothing more than a remote access tool, something with almost the exact same feature set as PC Anywhere except that it runs on a different port number. Even Microsoft themselves said that BO2K wasn't a threat, but the press ate it up anyway and cDc proved again that they were in fact master media manipulators.
>
> Hacktivism is another brainchild of cDc designed to fool and trick the media and all who choose to be associated with the term. The creation of the term is supposedly well documented as being first used by cDc member Omega in an IRC chat room in 1996. But close examination of the hacktivism Wikipedia page and that page's history shows a second possible source for the term, that of techno-culture writer Jason Sack in a piece about media artist Shu Lea Cheang, published in InfoNation in 1995, which pre-dates cDc's claim to the term. This co-option of the term itself is part of cDc's plan to execute the biggest media hack of all time, encompassing all of 'hacktivism'. But co-opting the term itself is not enough. cDc felt they needed something to take advantage of the term and to plunge it fully into the media spotlight. They came up with a fictitious international hacking group, a group who would only attack corporations that did not support human rights, and so the Hong Kong Blondes were born.
>
> Reading the initial interview between the supposed Hong Kong Blondes leader 'Blondie Wong' and the cDc member 'Oxblood Ruffin' in cDc #356 now, fourteen years later, makes the entire ruse plainly obvious. Arik Hesseldahl, who ran the initial story in Wired based solely on this interview, with absolutely no corroborating evidence in the first place, has since privately expressed his doubts about the story. By publishing this article he unwittingly became the first rube in a long line of media rubes that the cDc played with ever increasing dexterity. Hesseldahl has most likely not publicly expanded on his misgivings over the story as it would draw attention to his original reservations and expose the fact that he failed to verify even one fact in the article. The first thing that jumps out at me from the initial interview is that it was conducted by cDc member Oxblood Ruffin and published directly by him. No one else was present and no one else spoke to Blondie Wong, and so no one can confirm the interview ever took place. Which brings me to the second red flag, the use
Re: [Full-disclosure] cDc Created Hong Kong Blondes and 'Hacktivism' as a Media Hack
On 5/4/12 3:44 AM, PsychoBilly wrote:
> [[ Laurelai ]] @ [[ 04/05/2012 10:30 ]]--
> tl;dr ❤ Should have ❤

From what I could tell it was yet another long-winded rant about what's wrong with Anonymous. The thing is, I doubt many anons subscribe to FD, so who is this supposed to reach? Go to voxanon and tell them yourself :p
Re: [Full-disclosure] Vulnerability in Gentoo hardened
On 4/25/12 3:56 AM, Georgi Guninski wrote:
> On Tue, Apr 24, 2012 at 12:15:26PM -0400, valdis.kletni...@vt.edu wrote:
>> On Tue, 24 Apr 2012 17:36:55 +0200, Milan Berger said:
>>> if you read his advisories and 0-days you know: It's not a joke...
>>
>> I always thought it was misunderstood performance art...
>
> this one appears to be true:
> http://seclists.org/fulldisclosure/2011/Jul/312
> Full disclosure is arrest of Sabu (check the date)

Nope, I'm still here :p
Re: [Full-disclosure] Vulnerability in Gentoo hardened
On 4/25/12 3:56 AM, Georgi Guninski wrote:
> On Tue, Apr 24, 2012 at 12:15:26PM -0400, valdis.kletni...@vt.edu wrote:
>> On Tue, 24 Apr 2012 17:36:55 +0200, Milan Berger said:
>>> if you read his advisories and 0-days you know: It's not a joke...
>>
>> I always thought it was misunderstood performance art...
>
> this one appears to be true:
> http://seclists.org/fulldisclosure/2011/Jul/312
> Full disclosure is arrest of Sabu (check the date)

And that's when Sabu was MIA from Twitter, and everyone knew about that; nobody really knew why though.
Re: [Full-disclosure] Vulnerability in Gentoo hardened
On 4/25/12 4:48 AM, Benji wrote:
> except it was rather obvious why.
>
> On Wed, Apr 25, 2012 at 10:27 AM, Laurelai laure...@oneechan.org wrote:
>> On 4/25/12 3:56 AM, Georgi Guninski wrote:
>>> On Tue, Apr 24, 2012 at 12:15:26PM -0400, valdis.kletni...@vt.edu wrote:
>>>> On Tue, 24 Apr 2012 17:36:55 +0200, Milan Berger said:
>>>>> if you read his advisories and 0-days you know: It's not a joke...
>>>>
>>>> I always thought it was misunderstood performance art...
>>>
>>> this one appears to be true:
>>> http://seclists.org/fulldisclosure/2011/Jul/312
>>> Full disclosure is arrest of Sabu (check the date)
>>
>> And thats when sabu was MIA from twitter and everyone knew about that, nobody really knew why though.

In hindsight, yes.
Re: [Full-disclosure] Vulnerability in Gentoo hardened
On 4/25/12 4:54 AM, Benji wrote:
> No, with open eyes sight. If you chose not to believe the obvious at the time, that is your own mistake and proof that you (general you, not you specifically) were more interested in being part of the crowd than thinking.
>
> On Wed, Apr 25, 2012 at 10:52 AM, Laurelai laure...@oneechan.org wrote:
>> On 4/25/12 4:48 AM, Benji wrote:
>>> except it was rather obvious why.
>>>
>>> On Wed, Apr 25, 2012 at 10:27 AM, Laurelai laure...@oneechan.org wrote:
>>>> On 4/25/12 3:56 AM, Georgi Guninski wrote:
>>>>> On Tue, Apr 24, 2012 at 12:15:26PM -0400, valdis.kletni...@vt.edu wrote:
>>>>>> On Tue, 24 Apr 2012 17:36:55 +0200, Milan Berger said:
>>>>>>> if you read his advisories and 0-days you know: It's not a joke...
>>>>>>
>>>>>> I always thought it was misunderstood performance art...
>>>>>
>>>>> this one appears to be true:
>>>>> http://seclists.org/fulldisclosure/2011/Jul/312
>>>>> Full disclosure is arrest of Sabu (check the date)
>>>>
>>>> And thats when sabu was MIA from twitter and everyone knew about that, nobody really knew why though.
>>
>> In hindsight yes.

There are any number of reasons why someone, even Sabu, could have stopped tweeting and then started back up again. It just turned out that this was the case this time.
Re: [Full-disclosure] Vulnerability in Gentoo hardened
On 4/25/12 4:59 AM, Benji wrote:
> And choosing to believe any of the other reasons when you think you're an '1337 hacker' and are involved in that world, is a personality problem, end of.
>
> On Wed, Apr 25, 2012 at 10:58 AM, Laurelai laure...@oneechan.org wrote:
>> On 4/25/12 4:54 AM, Benji wrote:
>>> No, with open eyes sight. If you chose not to believe the obvious at the time, that is your own mistake and proof that you (general you, not you specifically) were more interested in being part of the crowd than thinking.
>>>
>>> On Wed, Apr 25, 2012 at 10:52 AM, Laurelai laure...@oneechan.org wrote:
>>>> On 4/25/12 4:48 AM, Benji wrote:
>>>>> except it was rather obvious why.
>>>>>
>>>>> On Wed, Apr 25, 2012 at 10:27 AM, Laurelai laure...@oneechan.org wrote:
>>>>>> On 4/25/12 3:56 AM, Georgi Guninski wrote:
>>>>>>> On Tue, Apr 24, 2012 at 12:15:26PM -0400, valdis.kletni...@vt.edu wrote:
>>>>>>>> On Tue, 24 Apr 2012 17:36:55 +0200, Milan Berger said:
>>>>>>>>> if you read his advisories and 0-days you know: It's not a joke...
>>>>>>>>
>>>>>>>> I always thought it was misunderstood performance art...
>>>>>>>
>>>>>>> this one appears to be true:
>>>>>>> http://seclists.org/fulldisclosure/2011/Jul/312
>>>>>>> Full disclosure is arrest of Sabu (check the date)
>>>>>>
>>>>>> And thats when sabu was MIA from twitter and everyone knew about that, nobody really knew why though.
>>>>
>>>> In hindsight yes.
>>
>> There are any number of reasons why someone, even sabu could have stopped tweeting then started back up again. It just turned out that this was the case this time.

I prefer not making assumptions about things I don't have any information on. Sorry you consider that a personality problem :p
Re: [Full-disclosure] Vulnerability in Gentoo hardened
On 4/25/12 5:08 AM, Benji wrote:
> You should be paranoid if someone could construe what you're doing as illegal.
>
> On Wed, Apr 25, 2012 at 11:07 AM, Laurelai laure...@oneechan.org wrote:
>> On 4/25/12 4:59 AM, Benji wrote:
>>> And choosing to believe any of the other reasons when you think you're an '1337 hacker' and are involved in that world, is a personality problem, end of.
>>>
>>> On Wed, Apr 25, 2012 at 10:58 AM, Laurelai laure...@oneechan.org wrote:
>>>> On 4/25/12 4:54 AM, Benji wrote:
>>>>> No, with open eyes sight. If you chose not to believe the obvious at the time, that is your own mistake and proof that you (general you, not you specifically) were more interested in being part of the crowd than thinking.
>>>>>
>>>>> On Wed, Apr 25, 2012 at 10:52 AM, Laurelai laure...@oneechan.org wrote:
>>>>>> On 4/25/12 4:48 AM, Benji wrote:
>>>>>>> except it was rather obvious why.
>>>>>>>
>>>>>>> On Wed, Apr 25, 2012 at 10:27 AM, Laurelai laure...@oneechan.org wrote:
>>>>>>>> On 4/25/12 3:56 AM, Georgi Guninski wrote:
>>>>>>>>> On Tue, Apr 24, 2012 at 12:15:26PM -0400, valdis.kletni...@vt.edu wrote:
>>>>>>>>>> On Tue, 24 Apr 2012 17:36:55 +0200, Milan Berger said:
>>>>>>>>>>> if you read his advisories and 0-days you know: It's not a joke...
>>>>>>>>>>
>>>>>>>>>> I always thought it was misunderstood performance art...
>>>>>>>>>
>>>>>>>>> this one appears to be true:
>>>>>>>>> http://seclists.org/fulldisclosure/2011/Jul/312
>>>>>>>>> Full disclosure is arrest of Sabu (check the date)
>>>>>>>>
>>>>>>>> And thats when sabu was MIA from twitter and everyone knew about that, nobody really knew why though.
>>>>>>
>>>>>> In hindsight yes.
>>>>
>>>> There are any number of reasons why someone, even sabu could have stopped tweeting then started back up again. It just turned out that this was the case this time.
>>
>> I prefer not making assumptions about things i dont have any information on. Sorry you consider that a personality problem :p

Well, it's a good thing I don't do illegal shit; probably why I'm not paranoid all the time.
Re: [Full-disclosure] phpMyBible 0.5.1 Mutiple XSS
On 4/22/12 10:56 PM, BMF wrote:
> Ezekiel 23:20
>
> On Sun, Apr 22, 2012 at 12:59 PM, Thor (Hammer of God) t...@hammerofgod.com wrote:
>> You dropped a FD on the BIBLE?? Dude, you're going straight to Hacker Hell! :)
>>
>> Timothy Thor Mullen
>> www.hammerofgod.com
>> Thor's Microsoft Security Bible
>>
>> -Original Message-
>> From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Thomas Richards
>> Sent: Sunday, April 22, 2012 8:09 AM
>> To: full-disclosure@lists.grok.org.uk
>> Subject: [Full-disclosure] phpMyBible 0.5.1 Mutiple XSS
>>
>> # Exploit Title: phpMyBible 0.5.1 Mutiple XSS
>> # Date: 04/15/12
>> # Author: G13
>> # Twitter: @g13net
>> # Software http://sourceforge.net/projects/phpmybible/?source=directory
>> # Version: 0.5.1
>> # Category: webapps (php)
>> #
>> # Description
>> # phpMyBible is an online collaborative project to make an e-book of the Holy Bible in as various language as possible. phpMyBible is designed to be flexible to all readers while maintaining the authenticity and originality of the Holy Bible scripture.
>> # Vulnerability
>> # phpMyBible has multiple XSS vulnerabilities. When reading a section of the Bible; both the 'version' and 'chapter' variables are prone to reflective XSS.
>> # Exploit
>> # http://localhost/index.php?book=1&version=[XSS]&chapter=[XSS]
>> # Vendor Notification
>> # 04/15/12 - Vendor Notified
>> 04/22/12 - No response, disclos

It's Ezekiel 25:17.. http://www.youtube.com/watch?v=UmvnXKRfdb8
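The advisory quoted above describes reflected XSS through the `version` and `chapter` query parameters of `index.php`. As an added illustration (not code from phpMyBible or from the advisory's author), the block below puts the vulnerable echo pattern beside a hardened form that validates both parameters before escaping what is echoed, and adds a small log check that flags requests carrying markup in those two parameters. The version identifiers, the log lines and the `render_*` function names are constructed for this example and do not come from the page.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed allowlist for a hypothetical deployment; phpMyBible's own
# version identifiers are not on the page, so these are placeholders.
KNOWN_VERSIONS = {"kjv", "asv", "web"}

# Fragments that have no business in a chapter or version parameter and
# that a reflected-XSS probe typically carries (markup, quotes, handlers).
SUSPECT = re.compile(r"""[<>"']|javascript:|on\w+=""", re.IGNORECASE)


def render_vulnerable(version: str, chapter: str) -> str:
    """The pattern the advisory describes: parameters copied into the page."""
    return f"<h1>{version} chapter {chapter}</h1>"


def render_hardened(version: str, chapter: str) -> str:
    """Validate first, then encode what is echoed back.

    Validation rejects anything that is not a known version or a small
    positive chapter number; escaping stays as a second layer so that a
    later relaxation of the allowlist cannot reintroduce script injection.
    """
    if version not in KNOWN_VERSIONS:
        raise ValueError("unknown version")
    if not re.fullmatch(r"[1-9][0-9]{0,2}", chapter):
        raise ValueError("chapter must be a small positive integer")
    safe_version = html.escape(version, quote=True)
    safe_chapter = html.escape(chapter, quote=True)
    return f"<h1>{safe_version} chapter {safe_chapter}</h1>"


def render_page(query: str) -> str:
    """Render the advisory's request shape (book/version/chapter) safely.

    Rejected input yields an error page whose text is itself escaped, so the
    error path cannot become a second reflection point.
    """
    params = parse_qs(query, keep_blank_values=True)
    version = params.get("version", [""])[0]
    chapter = params.get("chapter", [""])[0]
    try:
        return render_hardened(version, chapter)
    except ValueError as exc:
        return f"<p>Bad request: {html.escape(str(exc))}</p>"


def flag_suspicious_requests(log_lines):
    """Return (client, parameter, decoded value) for GET requests whose
    version/chapter parameters contain markup or script fragments.
    parse_qs percent-decodes values, so encoded probes are caught too."""
    hits = []
    for line in log_lines:
        m = re.match(r'(\S+) .*?"GET (\S+) HTTP', line)
        if not m:
            continue
        client, path = m.group(1), m.group(2)
        params = parse_qs(urlsplit(path).query, keep_blank_values=True)
        for name in ("version", "chapter"):
            for value in params.get(name, []):
                if SUSPECT.search(value):
                    hits.append((client, name, value))
    return hits


# Constructed access-log lines in common log format; not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Apr/2012:10:01:02 +0000] "GET /index.php?book=1&version=kjv&chapter=3 HTTP/1.1" 200 512',
    '10.0.0.9 - - [15/Apr/2012:10:02:17 +0000] "GET /index.php?book=1&version=kjv&chapter=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 640',
    '10.0.0.9 - - [15/Apr/2012:10:02:40 +0000] "GET /index.php?book=1&version=%22%3E%3Cimg+src%3Dx+onerror%3Dalert(1)%3E&chapter=1 HTTP/1.1" 200 655',
]

if __name__ == "__main__":
    print(render_vulnerable("kjv", "<b>3</b>"))
    print(render_page("book=1&version=kjv&chapter=3"))
    print(render_page("book=1&version=kjv&chapter=<script>alert(1)</script>"))
    for hit in flag_suspicious_requests(SAMPLE_LOG):
        print("suspicious:", hit)
```

The allowlist-then-escape order matters: escaping alone would still let an attacker-chosen string reach the page (harmless as text, but a tell for scanners), whereas rejecting unknown versions and non-numeric chapters removes the reflection entirely and gives the log check a clean signal.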
Re: [Full-disclosure] phpMyBible 0.5.1 Mutiple XSS
On 4/23/12 12:20 AM, BMF wrote:
> On Sun, Apr 22, 2012 at 9:32 PM, Laurelai laure...@oneechan.org wrote:
>> On 4/22/12 10:56 PM, BMF wrote:
>>> Ezekiel 23:20
>>
>> Its Ezekiel 25:17..
>
> It sounded cool when he said it in the movie but I've never found any Bible that actually goes anything like what he said. Besides, I'm into donkey dicks and horse jizz so 23:20 is the verse for me.
>
> BMF

Cool story bro.
Re: [Full-disclosure] The Mystery of the Duqu Framework
On 3/10/2012 4:13 AM, Sanguinarious Rose wrote:

Yea, I have been thinking on ideas for that as well, I see no one has thought outside the box yet. I would look into OO'ed C (www.planetpdf.com/codecuts/pdfs/ooc.pdf) as being a possibility. Long before, in the time when the mighty C++ was young, it was translated to C code for compilation. I have not had the time to dig into it yet to see how you could code it in OO C style code yet. You can implement much of the functionality of the OO parts of C++, including virtual functions and other things.

Well, these are my thoughts on it. More speculation at the moment but might be of use to someone.

On Fri, Mar 9, 2012 at 11:51 AM, f...@deserted.net wrote:

http://www.securelist.com/en/blog/667/The_Mystery_of_the_Duqu_Framework

Haven't seen this (or much discussion around this) here yet, so I figured I'd share.

-- -Joe.

https://twitter.com/#!/nenolod/status/178352865667067904

not told [ ] told [x]

Put the crack pipe down.
Re: [Full-disclosure] The Mystery of the Duqu Framework
On 3/10/2012 4:31 AM, Sanguinarious Rose wrote:

Not really, it looks like speculation, same as I just admitted my idea was. There is no proof as of yet besides just a single tweet suggesting an idea much the same as mine just was. Unless someone does the proper research into it, it is just that, 140 chars of speculation.

Told [x] Not Told [ ]

umad?

On Sat, Mar 10, 2012 at 3:23 AM, Laurelai laure...@oneechan.org wrote:

On 3/10/2012 4:13 AM, Sanguinarious Rose wrote:

Yea, I have been thinking on ideas for that as well, I see no one has thought outside the box yet. I would look into OO'ed C (www.planetpdf.com/codecuts/pdfs/ooc.pdf) as being a possibility. Long before, in the time when the mighty C++ was young, it was translated to C code for compilation. I have not had the time to dig into it yet to see how you could code it in OO C style code yet. You can implement much of the functionality of the OO parts of C++, including virtual functions and other things.

Well, these are my thoughts on it. More speculation at the moment but might be of use to someone.

On Fri, Mar 9, 2012 at 11:51 AM, f...@deserted.net wrote:

http://www.securelist.com/en/blog/667/The_Mystery_of_the_Duqu_Framework

Haven't seen this (or much discussion around this) here yet, so I figured I'd share.

-- -Joe.

https://twitter.com/#!/nenolod/status/178352865667067904

not told [ ] told [x]

Put the crack pipe down.

My post was William's response to Kaspersky, wasn't directed to you. Do try and keep up.
Re: [Full-disclosure] The Mystery of the Duqu Framework
On 3/10/2012 4:36 AM, Sanguinarious Rose wrote:

Trying to cover up you being told, that's cute <3

On Sat, Mar 10, 2012 at 3:34 AM, Laurelai laure...@oneechan.org wrote:

On 3/10/2012 4:31 AM, Sanguinarious Rose wrote:

Not really, it looks like speculation, same as I just admitted my idea was. There is no proof as of yet besides just a single tweet suggesting an idea much the same as mine just was. Unless someone does the proper research into it, it is just that, 140 chars of speculation.

Told [x] Not Told [ ]

umad?

On Sat, Mar 10, 2012 at 3:23 AM, Laurelai laure...@oneechan.org wrote:

On 3/10/2012 4:13 AM, Sanguinarious Rose wrote:

Yea, I have been thinking on ideas for that as well, I see no one has thought outside the box yet. I would look into OO'ed C (www.planetpdf.com/codecuts/pdfs/ooc.pdf) as being a possibility. Long before, in the time when the mighty C++ was young, it was translated to C code for compilation. I have not had the time to dig into it yet to see how you could code it in OO C style code yet. You can implement much of the functionality of the OO parts of C++, including virtual functions and other things.

Well, these are my thoughts on it. More speculation at the moment but might be of use to someone.

On Fri, Mar 9, 2012 at 11:51 AM, f...@deserted.net wrote:

http://www.securelist.com/en/blog/667/The_Mystery_of_the_Duqu_Framework

Haven't seen this (or much discussion around this) here yet, so I figured I'd share.

-- -Joe.

https://twitter.com/#!/nenolod/status/178352865667067904

not told [ ] told [x]

Put the crack pipe down.

My post was William's response to Kaspersky, wasn't directed to you. Do try and keep up.

Did you even read the tweet?
Re: [Full-disclosure] The Mystery of the Duqu Framework
On 3/10/2012 9:00 AM, 夜神 岩男 wrote:

On 03/10/2012 03:51 AM, f...@deserted.net wrote:

http://www.securelist.com/en/blog/667/The_Mystery_of_the_Duqu_Framework

Haven't seen this (or much discussion around this) here yet, so I figured I'd share.

From the description, it looks like someone pushed some code from a Lisp[1] variant (like Common Lisp, which is preprocessed into ANSI C by GCL, for example, before compilation) into a C++ DLL. Normal in the deeper end of Linux dev or Hurd communities, but definitely not standard practice in any established industry that makes use of Windows.

I could be wrong, I didn't take the time to walk myself through the decompile with any thoroughness and compare it to code I generate. Anyway, I have no idea the differences between how VC++ and g++ do things -- so my analysis would probably be trash. But from the way Mr. Soumenkov describes things it seems this, or something similar, could be the case and why the code doesn't conform to what's expected in a C++ binary.

-IY

1. [Caveat] I say Lisp but some other languages come to mind as well; maybe Haskell would come out that way. I'm not sure because I'm most familiar with Lisp and know it can be cobbled with C/C++ without complications because of the way most of its C-based implementations work. Anyway, if I were looking for a lock on how this code was produced, I would ignore C-based languages and focus instead on languages that behave this way natively first, because I think that's the least exotic explanation for the features this segment of code exhibits.

Lisp? Are you serious?
Re: [Full-disclosure] The Mystery of the Duqu Framework
On 3/10/12 2:16 PM, William Pitcock wrote:

On 3/10/2012 9:00 AM, 夜神 岩男 wrote:

On 03/10/2012 03:51 AM, f...@deserted.net wrote:

http://www.securelist.com/en/blog/667/The_Mystery_of_the_Duqu_Framework

Haven't seen this (or much discussion around this) here yet, so I figured I'd share.

From the description, it looks like someone pushed some code from a Lisp[1] variant (like Common Lisp, which is preprocessed into ANSI C by GCL, for example, before compilation) into a C++ DLL. Normal in the deeper end of Linux dev or Hurd communities, but definitely not standard practice in any established industry that makes use of Windows.

I could be wrong, I didn't take the time to walk myself through the decompile with any thoroughness and compare it to code I generate. Anyway, I have no idea the differences between how VC++ and g++ do things -- so my analysis would probably be trash. But from the way Mr. Soumenkov describes things it seems this, or something similar, could be the case and why the code doesn't conform to what's expected in a C++ binary.

LISP would refer to specific constructor/destructor vtable entries as cons and there would be no destructor at all. The structs use vtables which refer to ctor and dtor, which indicates that the vtables were most likely generated using a C++ compiler (since that is standard nomenclature for C++ compiler symbols).

It pretty much has to be Microsoft COM. The struct layouts pretty much *reek* of Microsoft COM when used with a detached vtable (such as if the implementation is loaded from a COM object file). The fact that specific vtable entries aren't mangled is also strong evidence of it being Microsoft COM (since there is no need to mangle vtable entries of a COM object due to type information already being known in the COM object).

If it looks like COM, smells like COM, and acts like COM, then it's probably COM. It certainly isn't some new programming language like Kaspersky says. That's just the dumbest thing I've heard this year.

William

I think William just told everyone...again.
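To make the layout the thread is arguing about concrete, here is an added example written for this archive (not code from the thread, from Duqu, or from Microsoft): a hypothetical class implemented in the "OO C" style mentioned earlier, where the object's first field points to a detached, statically allocated vtable whose slots include a ctor and a dtor beside the ordinary methods. All names (`Object`, `VTable`, `base_vt`, `loud_vt`) are invented for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Hypothetical "OO C" class (example code, not from the thread or Duqu).
 * The object's slot 0 is a pointer to a detached table of plain function
 * pointers; the table carries ctor and dtor slots next to the methods.
 * A decompiler that sees only the binary sees exactly this shape: a struct
 * whose first word points into a table of unmangled function addresses. */

struct Object;

struct VTable {
    void (*ctor)(struct Object *self, const char *name);
    void (*dtor)(struct Object *self);
    int  (*describe)(struct Object *self, char *out, size_t n);
};

struct Object {
    const struct VTable *vt;   /* slot 0: pointer to the detached vtable */
    char name[32];
    int  calls;                /* how many times describe() has run */
};

/* Base implementation. */
static void base_ctor(struct Object *self, const char *name) {
    strncpy(self->name, name, sizeof self->name - 1);
    self->name[sizeof self->name - 1] = '\0';
    self->calls = 0;
}

static void base_dtor(struct Object *self) {
    /* Nothing is owned beyond the struct itself; just wipe the name. */
    memset(self->name, 0, sizeof self->name);
}

static int base_describe(struct Object *self, char *out, size_t n) {
    snprintf(out, n, "obj:%s", self->name);
    return ++self->calls;
}

/* The detached table: one static instance per class, never inside the object. */
static const struct VTable base_vt = { base_ctor, base_dtor, base_describe };

/* A "derived" class: same object layout, a different table. Overriding one
 * method is just pointing a slot elsewhere; ctor and dtor are inherited. */
static int loud_describe(struct Object *self, char *out, size_t n) {
    size_t i;
    snprintf(out, n, "OBJ:%s", self->name);
    for (i = 0; i < n && out[i] != '\0'; i++)
        out[i] = (char)toupper((unsigned char)out[i]);
    return ++self->calls;
}

static const struct VTable loud_vt = { base_ctor, base_dtor, loud_describe };

/* Allocation runs the table's ctor, the way a C++ compiler would emit it. */
struct Object *object_new(const struct VTable *vt, const char *name) {
    struct Object *o = calloc(1, sizeof *o);
    if (o == NULL)
        return NULL;
    o->vt = vt;
    o->vt->ctor(o, name);
    return o;
}

void object_delete(struct Object *o) {
    if (o == NULL)
        return;
    o->vt->dtor(o);
    free(o);
}

/* Virtual dispatch: the call site does not know which class it holds. */
int object_describe(struct Object *o, char *out, size_t n) {
    return o->vt->describe(o, out, n);
}

/* Layout facts a reverse engineer would confirm in the decompile. */
size_t object_vtable_offset(void) { return offsetof(struct Object, vt); }
size_t vtable_slot_count(void)    { return sizeof(struct VTable) / sizeof(void (*)(void)); }

int main(void) {
    char buf[64];
    struct Object *a = object_new(&base_vt, "sample");
    struct Object *b = object_new(&loud_vt, "sample");
    object_describe(a, buf, sizeof buf); printf("%s\n", buf);   /* obj:sample */
    object_describe(b, buf, sizeof buf); printf("%s\n", buf);   /* OBJ:SAMPLE */
    printf("vtable pointer at offset %zu, %zu slots\n",
           object_vtable_offset(), vtable_slot_count());
    object_delete(a);
    object_delete(b);
    return 0;
}
```

Compile with any C99 compiler; the two objects share one struct layout and differ only in which table slot 0 points at, which is the property the thread's COM-versus-new-language argument turns on.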
Re: [Full-disclosure] Stakeout: how the FBI tracked and busted a Chicago Anon
On 3/8/2012 12:23 PM, Elly_Tran_Ha wrote:

A few lessons I learned:

1. Don't use a Mac
2. Don't use wireless
3. Trust no one.

On Wed, Mar 7, 2012 at 6:09 PM, Ivan .Heca ivan...@gmail.com wrote:

Yesterday, we learned that one of the top members of LulzSec (Sabu) had been an FBI informant for almost 6 months http://tech.slashdot.org/story/12/03/06/1437241/lulzsec-leader-sabu-unmasked-arrested-and-caught-collaborating, and that this confidant of the LulzSec leader 'anarchaos' had given the feds what they needed to take him down. More details have come out now http://arstechnica.com/tech-policy/news/2012/03/stakeout-how-the-fbi-tracked-and-busted-a-chicago-anon.ars, completing a picture of how the sting took place from start to finish. It turns out that even the server space given from Sabu to anarchaos storing the details of 30,000 credit cards (from the Stratfor hack) had been funded by the FBI.

http://arstechnica.com/tech-policy/news/2012/03/stakeout-how-the-fbi-tracked-and-busted-a-chicago-anon.ars

4. Don't declare open cyberwar on the US government.
Re: [Full-disclosure] Full disclosure is arrest of Sabu
On 3/6/2012 2:24 PM, Ferenc Kovacs wrote:

2011/7/25 Laurelai Storm laure...@oneechan.org

Oh and I'm not a part of lulzsec, FYI sabu tweeted 2 minutes ago wtf are you on about sir?

maybe we could resurrect this thread. :)

Sure, let's.

http://gizmodo.com/5890825/lulzsec-leader-betrays-all-of-anonymous

I'm going to paste my favorite part of this article.

6:12:32 PM virus: I don't have proof of him being a snitch, and he doesn't have proof of me being a snitch. it's my word against his.
6:15:39 PM virus: he disappeared for a week, I don't recall what day
6:15:52 PM virus: but when he returned he said his grand mother died and that's why he was MIA
6:16:01 PM virus: after that he started offering me money to own people
6:16:14 PM Sam Biddle: anyone important?
6:16:55 PM virus: backtrace security and laurelai
6:17:22 PM virus: he gave me IPs, asked me to access their accounts with their IP and asked me to access their emails
6:17:25 PM virus: told me he would pay me
6:17:42 PM Sam Biddle: did you?
6:17:53 PM virus: no, I found that to be suspicious and declined

Sabu tried to pay someone to hack me and it didn't work. Sabu also got caught because he connected to IRC one time with his real IP, so this proves what I said already: sabu hated me and I didn't know anything that the feds didn't already. For a supposed ring leader of a group of master cyber terrorists, as the feds like to paint them, they couldn't take down one loud mouthed trans woman on the internet. Hell, even their ddos against my imageboard failed and I didn't even have cloudflare.

And speaking of backtrace security, here is Jen giving away government secrets to win internet points on reddit http://imgur.com/a/0g9VG

Looks like Jen can't be trusted by anon or the feds. http://imgur.com/a/0g9VG
Re: [Full-disclosure] Anon war?- arrests
On 2/29/2012 8:45 AM, Christian Sciberras wrote:

And we'd like to add that we are not crooks. - Anonymous.

popcorn.gif
Re: [Full-disclosure] Eleventh Circuit Finds Fifth Amendment Right Against Self Incrimination Protects Against Being Forced to Decrypt Hard Drive Contents
On 2/27/2012 12:11 PM, valdis.kletni...@vt.edu wrote:

On Mon, 27 Feb 2012 01:38:56 MST, Sanguinarious Rose said:

This isn't anything new

Yeah, the decision was released all the way back on Feb 23, four whole days ago, that's practically last century in Internet time...

So tell me - what's your definition of new (obviously significantly less than 4 days), and how does it affect threads on F-D that last longer than 4 days?

not told [ ] Told [x]

oh snap
[Full-disclosure] Eleventh Circuit Finds Fifth Amendment Right Against Self Incrimination Protects Against Being Forced to Decrypt Hard Drive Contents
http://www.ca11.uscourts.gov/opinions/ops/201112268.pdf
Re: [Full-disclosure] PHP Gift Registry 1.5.5 SQL Injection
On 2/24/2012 3:21 PM, ctrun...@christophertruncer.com wrote:

You only gave them two days to respond?

Chris

On 24.02.2012 08:08, Thomas Richards wrote:

# Exploit Title: PHP Gift Registry 1.5.5 SQL Injection
# Date: 02/22/12
# Author: G13
# Software Link: https://sourceforge.net/projects/phpgiftreg/
# Version: 1.5.5
# Category: webapps (php)
#
# Vulnerability
# The userid parameter in the users.php file is vulnerable to SQL Injection. A user must be signed in to exploit this.
#
# Vendor Notification
# 02/22/12 - Vendor Notified
# 02/24/12 - No response, disclosure
#
# Exploit
# http://localhost/phpgiftreg/users.php?action=edit&userid=[SQLi]

Pretty sure this project is dead; the last update to it was made 2009-03-12, see http://sourceforge.net/projects/phpgiftreg/files/ . Anyone using it at this point needs to switch to another product. http://sourceforge.net/tracker/?func=detail&aid=3491557&group_id=110846&atid=657564
Re: [Full-disclosure] Arbitrary DDoS PoC
On 2/14/2012 2:58 PM, Sanguinarious Rose wrote:

I do not understand why you are wasting time on an obvious troll to downright, and I don't normally call people names but he well deserves it, a retard. I think I ironically illustrated the fundamental flaw in that you can't possibly generate more bandwidth by using proxies for the python code provided due to it violating the laws of physics (literally). In fact, if we want to be technical, we could say it is less effective due to the handshake required to initiate the proxy connection, in fact decreasing efficiency of input compared to input. If there was something besides making lots of proxy requests there might be something there but it, in fact, has nothing.

Taking into account THN retweeted his FD post and his obvious inability to understand why everyone is not taking him seriously, I have concluded he is just trying to seek fame and fortune passing off as some kind of sec expert. Maybe get some brownie points with the skiddie crowd who wouldn't know better. Throwing fancy terms and pretending to know what they are talking about doesn't work up against real researchers who understand what they are doing. Poorly written scripts also do not impress anyone here considering that I could just put into google HTTP Proxy Flooder and find a superior equivalent (Even with Point and Click!).

To this effect, I propose we look into Unicorns as a possible unconventional medium of DDoS due to their mythical properties in a network environment over-ruled by Pink Leprechauns.

Conclusion: Christian Magick.

On Tue, Feb 14, 2012 at 10:19 AM, Gage Bystrom themadichi...@gmail.com wrote:

If the design is broken then the implementation is broken. Have you READ your own source code? Do you understand what it's actually doing? Rhetorical questions of course but still. Your poc calls curl multiple times via a list of proxies. No more, no less.

If you are going to claim that such a thing is an effective general technique YOU have to back up that claim, not me or anyone else on this list. I never bothered running it because anyone who read that simple python code (which was a good thing, it's simple) can understand what it is doing, and do a mental comparison to what they previously knew about the subject of dos. Your poc does not demonstrate anything new, it demonstrates existing knowledge that is generally known to not be an effective method for dosing for all the reasons I explained in my previous mails.

I think it's quite pedantic of you to only criticize me for calling out the ineffectiveness of your poc. You did not address anything I or anyone else said about your claim. If you think I am wrong or mistaken in my personal assessment of your claim then you are the one who must show how and why to defend your claim. Belittling someone who criticizes you is not professional, not productive, does not give strength to your claim, and does not make you right.

The end of the line is I don't care what you claim your code does, I care about what the code does, and your code is not an effective general technique for denial of service attacks.

On Feb 13, 2012 8:48 PM, Lucas Fernando Amorim lf.amo...@yahoo.com.br wrote:

I could argue that an attack targeted at a service, especially HTTP, is not measured by the band, but the requests, especially the heavier, could argue that a technique is the most inherent characteristic of multiple sources of traffic and still relying on trust. I could still say that is an implementation that relates only to say - Look, it exists!, I could still prolong explaining about overheads, and using about the same time many sites that make the requests, thus reducing the wake of a failure, even if you say easily diagnosable.

But I'd rather say that it is actually very pedantic of you to label something as inefficient, especially when not done a single test, only the pedantic observation of someone whose interests it is reprehensible. I will not say you're one of those, but this is really an attitude typical of this kind, which is certainly not a hacker. Thanks to people like that, do not know if you like, there are many flaws yet to be explored.

If anyone wants more information, obviously I will ask to send an email or call me to give a presentation, I will not think about anything. My goal was to invite researchers to study DDoS on this model, because anytime someone can direct thousands to generate a network congestion.

On 13-02-2012 11:17, Gage Bystrom wrote:

Uhh...looks pretty standard boss. You aren't going to DoS a halfway decent server with that using a single box. Sending your request through multiple proxies does not magically increase the resource usage of the target, it's still your output power vs their input pipe. Sure it gives a slight boost in anonymity and obfuscation but does not actually increase effectiveness. It would even decrease effectiveness because you bear the
Re: [Full-disclosure] when did piracy/theft become expression of freedom
On this topic I saw this https://thepiratebay.org/torrent/6960965/1970_Chevelle_Hot-Rod_3d_model , real question is would you download a car if you could?
Re: [Full-disclosure] when did piracy/theft become expression of freedom
On 1/28/2012 3:13 PM, Julius Kivimäki wrote:

Of course I wouldn't, downloading a car would be like stealing a car. Piracy is horrible and all the boats used by the pirate scum should be taken away.

2012/1/28 Laurelai laure...@oneechan.org

On this topic I saw this https://thepiratebay.org/torrent/6960965/1970_Chevelle_Hot-Rod_3d_model , real question is would you download a car if you could?

If you took away their boats they would just download more...duh.
Re: [Full-disclosure] when did piracy/theft become expression of freedom
On 1/28/2012 3:36 PM, Christian Sciberras wrote:

Sadly you can't download routers and internet connections...especially without an internet connection. But I suppose you could be the regular joe and steal from your neighbours' bandwidth (it's a human right, remember? your neighbour doesn't have a right to keep the internets to himself!!!). /rant

On Sat, Jan 28, 2012 at 10:33 PM, Laurelai laure...@oneechan.org wrote:

On 1/28/2012 3:13 PM, Julius Kivimäki wrote:

Of course I wouldn't, downloading a car would be like stealing a car. Piracy is horrible and all the boats used by the pirate scum should be taken away.

2012/1/28 Laurelai laure...@oneechan.org

On this topic I saw this https://thepiratebay.org/torrent/6960965/1970_Chevelle_Hot-Rod_3d_model , real question is would you download a car if you could?

If you took away their boats they would just download more...duh.

There are always public hotspots, hell even mcdonalds has them now.
Re: [Full-disclosure] when did piracy/theft become expression of freedom
On 1/28/2012 6:55 PM, Christian Sciberras wrote:

Actually, *most* bands that make money do so off the concert tours - tickets and tshirts is where the actual money is at, not the album sales.

So why bother with album sales in the first place? This is the same with free/commercial software. At the end of the day the creator decides the sales strategy.

The only thing I can see in this is that the recording industry really needs to grow up to the times, but piracy is not a solution nor the means to one, just like DDoSing facebook is not the means to the removal of a certain bill/law (arguably, to the contrary). The recording companies have every right to retaliate just as the FBI has every right to arrest suspects involved in these childish acts.

"The reasonable man adapts himself to the world: the unreasonable one persists to adapt the world to himself. Therefore all progress depends on the unreasonable man." -- George Bernard Shaw http://www.goodreads.com/author/show/5217.George_Bernard_Shaw, Man and Superman http://www.goodreads.com/work/quotes/376394/
Re: [Full-disclosure] when did piracy/theft become expression of freedom
On 1/27/2012 2:24 AM, Jerry dePriest wrote:

I'm going to the 'benz dealer in the morning to express my 1st amendment right... The Somalians are learning the hard way that it just isn't so...

bma

Piracy: an act of robbery or criminal violence at sea

Theft: the illegal taking of another person's property without that person's permission or consent with the intent to deprive the rightful owner of it

Software copying: Occurs neither on the high seas nor deprives the rightful owner of it.

The more you know.
Re: [Full-disclosure] when did piracy/theft become expression of freedom
On 1/27/2012 3:01 AM, Robert Kim App and Facebook Marketing wrote:

HAHAHAA... Well... it's hard to convince people that data piracy is the same as physical piracy! They think that if they CAN do something... they have the RIGHT to DO IT! As a content producer... I can't stand this sense of entitlement... but oh well... I've just gotta transform with the times i guess!

On Fri, Jan 27, 2012 at 5:51 PM, Laurelai laure...@oneechan.org wrote:

On 1/27/2012 2:24 AM, Jerry dePriest wrote:

I'm going to the 'benz dealer in the morning to express my 1st amendment right... The Somalians are learning the hard way that it just isn't so...

bma

Theft: the illegal taking of another person's property without that person's permission or consent with the intent to deprive the rightful owner of it

Software copying: Occurs neither on the high seas nor deprives the rightful owner of it.

The more you know.

-- Robert Q Kim Technical Chinese Korean English Translator http://www.youtube.com/watch?v=QozAHbUS-VU 2611 S Coast Highway San Diego, CA 92007 310 598 1606

Let's not kid ourselves here, you all would download a car if you could and you know it ;) That being said, I would prefer people *widely use* my software and donate money to me if they think it's worth something; the Humble Indie Bundle's profits are telling in this case. Perhaps if content producers would change their business model to adapt to modern times instead of trying to force the world to live in the past, software copying wouldn't be so popular.
Re: [Full-disclosure] when did piracy/theft become expression of freedom
On 1/27/2012 3:29 AM, Vipul Agarwal wrote:

Let's keep FD and Reddit apart!

Regards, Vipul

Sent from my HTC

- Reply message -
From: Kai k...@rhynn.net
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] when did piracy/theft become expression of freedom
Date: Fri, Jan 27, 2012 09:15

Hello,

http://img256.imageshack.us/img256/2527/1282302008370.jpg

know the difference.

-- Cheers, Kai

Posting to /r/netsec now...
Re: [Full-disclosure] Fw: when did piracy/theft become expression of freedom
On 1/27/12 4:12 AM, Jerry dePriest wrote:

software piracy has been around for ever. I remember copying punch cards. It took forever and if you made one mistake hours of work was down the tubes. I had an apple II that we used Disk Pirate 1-11 to copy games, peach tree accounting software, etc. In the time it took to load the 5 1/4 floppy you could make a copy. From that you could make as many copies as you deemed fit. I must have made $100 from Dig Dug alone.

Then came cad or ? with a software lock; it was a piece of hardware that connected to a serial port on your computer. Without the lock the software was dead. You were free to use the software on any computer but you had to have the lock. More computers, simply buy more locks. It has been so long I forget the details but it was effective. If you tried to reverse engineer the lock you rendered it dead. No one wanted to buy the locks so it went with the dodo...

In this day and age piracy is simply a game that is quite profitable. We used to copy and share over bbs' or even mail each other copies. Shareware was the cats ass. Now I have to buy a new OS every frickin year. New version of Office, Photoshop, etc. Frick that! I love Win 98SE, it still serves my purpose. I love win 2k pro, it serves my purpose. Vista, Win 7, Mac OSes... Crap, pure crap. Photoshop 5 does all I need. Office 97 works great and has a nifty flight sim in it. Win 7 is still frickin Dos... I still have my copies of Dos versions 3-6.2 and it serves its purpose.

Do I use dvd decrypter? Yes. Dvd shrink? Hell yes. Do I sell the copies or profit from it? Whenever I can. Boldly doing it over the internet is just stupid and anyone who does it deserves the full penalty.

bma

- Original Message -
From: Jerry dePriest jerr...@mc.net
To: full-disclosure@lists.grok.org.uk
Sent: Friday, January 27, 2012 2:24 AM
Subject: [Full-disclosure] when did piracy/theft become expression of freedom

I'm going to the 'benz dealer in the morning to express my 1st amendment right... The Somalians are learning the hard way that it just isn't so...

bma

Except that you just posted about it in public on the internet...
Re: [Full-disclosure] when did piracy/theft become expression of freedom
On 1/27/2012 12:06 PM, Michael Schmidt wrote:
> You want to be very careful with that line of thought. You are taking the creator's, the rightful owner's, profits, which they are entitled to if it is a product they created to be sold. You are confusing what you want -- with what the law states. Theft is typically very widely defined in the law, not just what the dictionary states. When you make a copy, you are performing a step that the manufacturer takes with physical products. Just because copying software is easy does not mean the laws are so cut and dried around what is theft and what is not. If you take something by making yourself a copy, when the producer is the only authorized authority to make copies, then you have committed theft.
>
> You also cannot steal electricity (check out Abstracting Electricity), but bypassing the meter is wrong in most jurisdictions. In the US you can be arrested and charged for riding in a stolen car, even if you really didn't know it was stolen, known as taking without consent or TWOC. In some jurisdictions you can be arrested and charged for going equipped for burglary, meaning you have implements of the trade on you -- crowbars, lock picks etc. So I suppose in the US we are fortunate that having a copy of some previously defined hacking tools on a computer in our possession will not get us arrested -- yet.
>
> The more you know...
>
> From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Laurelai
> Sent: Friday, January 27, 2012 12:51 AM
> To: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] when did piracy/theft become expression of freedom
>
>> On 1/27/2012 2:24 AM, Jerry dePriest wrote:
>>> I'm going to the 'Benz dealer in the morning to express my 1st amendment right... The Somalians are learning the hard way that it just isn't so...
>>>
>>> bma
>>
>> Piracy: an act of robbery or criminal violence at sea
>>
>> Theft: the illegal taking of another person's property without that person's permission or consent with the intent to deprive the rightful owner of it
>>
>> Software copying: Occurs neither on the high seas nor does it deprive the rightful owner of it.
>>
>> The more you know.

Yeah, and the US is becoming a police state, so using US law as examples of morality is pretty shaky ground.
Re: [Full-disclosure] UFC.com
On 1/23/12 7:14 AM, Ian Hayes wrote:
> On Mon, Jan 23, 2012 at 4:37 AM, Julius Kivimäki julius.kivim...@gmail.com wrote:
>> Wat
>>
>> 2012/1/23 RandallM randa...@fidmail.com
>>> Piracy retaliation taken on UFC.com
>>>
>>> Pinging ufc.com [50.116.87.24] with 32 bytes of data:
>>> Reply from 50.116.87.24: bytes=32 time=48ms TTL=52
>>> Reply from 50.116.87.24: bytes=32 time=49ms TTL=52
>>> Reply from 50.116.87.24: bytes=32 time=48ms TTL=52
>>> Reply from 50.116.87.24: bytes=32 time=48ms TTL=52
>>>
>>> http://network-tools.com/default.asp?prog=dnsrec&host=ufc.com
>
> It's a one man crime wave!

Look out, he's got ping! Hide your servers!
Re: [Full-disclosure] UFC.com
On 1/23/12 9:34 AM, Julius Kivimäki wrote:
> He is a god-tier hecker, like better than Chippy1337. ICMP remote root 0day imo.
>
> 2012/1/23 Laurelai laure...@oneechan.org
>> On 1/23/12 7:14 AM, Ian Hayes wrote:
>>> On Mon, Jan 23, 2012 at 4:37 AM, Julius Kivimäki julius.kivim...@gmail.com wrote:
>>>> Wat
>>>>
>>>> 2012/1/23 RandallM randa...@fidmail.com
>>>>> Piracy retaliation taken on UFC.com
>>>>>
>>>>> Pinging ufc.com [50.116.87.24] with 32 bytes of data:
>>>>> Reply from 50.116.87.24: bytes=32 time=48ms TTL=52
>>>>> Reply from 50.116.87.24: bytes=32 time=49ms TTL=52
>>>>> Reply from 50.116.87.24: bytes=32 time=48ms TTL=52
>>>>> Reply from 50.116.87.24: bytes=32 time=48ms TTL=52
>>>>>
>>>>> http://network-tools.com/default.asp?prog=dnsrec&host=ufc.com
>>>
>>> It's a one man crime wave!
>>
>> Look out, he's got ping! Hide your servers!

Truly a god among blackhats has graced the mailing list.
Re: [Full-disclosure] UFC.com
On 1/23/12 9:43 AM, Julius Kivimäki wrote:
> Oh god, my Linux server buried underground with five feet of concrete just got rooted. This box has no internet connection, coincidence? I think not.
>
> (Also I'm a derpcat and can't into mailinglists with gmail)
>
> 2012/1/23 Laurelai laure...@oneechan.org
>> On 1/23/12 9:34 AM, Julius Kivimäki wrote:
>>> He is a god-tier hecker, like better than Chippy1337. ICMP remote root 0day imo.
>>>
>>> 2012/1/23 Laurelai laure...@oneechan.org
>>>> On 1/23/12 7:14 AM, Ian Hayes wrote:
>>>>> On Mon, Jan 23, 2012 at 4:37 AM, Julius Kivimäki julius.kivim...@gmail.com wrote:
>>>>>> Wat
>>>>>>
>>>>>> 2012/1/23 RandallM randa...@fidmail.com
>>>>>>> Piracy retaliation taken on UFC.com
>>>>>>>
>>>>>>> Pinging ufc.com [50.116.87.24] with 32 bytes of data:
>>>>>>> Reply from 50.116.87.24: bytes=32 time=48ms TTL=52
>>>>>>> Reply from 50.116.87.24: bytes=32 time=49ms TTL=52
>>>>>>> Reply from 50.116.87.24: bytes=32 time=48ms TTL=52
>>>>>>> Reply from 50.116.87.24: bytes=32 time=48ms TTL=52
>>>>>>>
>>>>>>> http://network-tools.com/default.asp?prog=dnsrec&host=ufc.com
>>>>>
>>>>> It's a one man crime wave!
>>>>
>>>> Look out, he's got ping! Hide your servers!
>>
>> Truly a god among blackhats has graced the mailing list.

no u r a derpcat
Re: [Full-disclosure] Rate Stratfor's Incident Response
On 1/13/12 1:24 PM, Paul Schmehl wrote:
> --On January 13, 2012 12:03:22 PM -0500 Benjamin Kreuter ben.kreu...@gmail.com wrote:
>> On Fri, 13 Jan 2012 10:37:31 -0600 Paul Schmehl pschmehl_li...@tx.rr.com wrote:
>>> --On January 12, 2012 3:16:19 PM -0500 Benjamin Kreuter ben.kreu...@gmail.com wrote:
>>>> The law is not going to stop the really bad people from attacking your system, nor is it going to stop them from profiting from whatever access they gain; sending law enforcement after someone who reports problems to you accomplishes little and only discourages people who might try to help you.
>>>
>>> Assuming everyone's motives are as pure as the driven snow is a bit naive, don't you think?
>>
>> Are there lingering doubts about the motives of someone who is reporting a vulnerability to you? They could have just profited from their discovery and never bothered to tell you. In any case, what have you accomplished by sending the cops after *someone who is helping you*?
>
> Unless you're a complete fool, yes. You say you're helping me, but you broke in to my server. How do I know you didn't help yourself to a permanent back door? Again, it's naive to think that most people are motivated purely by a desire to help others, especially when they are actively intruding into other people's assets. YOU might say thank you, but I'll be taking the server offline, grabbing forensic images and rebuilding it long before I get around to saying thank you.

Well, just remember they could have *not* told you and helped themselves to a backdoor. If they wanted to door you they probably wouldn't have told you.
Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response
On 1/12/12 3:27 AM, doc mombasa wrote:
> Just one question: why should they hire the skiddies if most of them only know how to fire up sqlmap or whatever current app is hot right now? Doesn't really seem like enough reason to hire anyone. Besides, I'm not buying the whole "they do it because they are angry at society" plop. I've been there.. they do it for the lulz.
>
> On 11 Jan 2012 06:18, Laurelai laure...@oneechan.org wrote:
>> On 1/10/12 10:18 PM, Byron Sonne wrote:
>>> Don't piss off a talented adolescent with computer skills. Amen! I love me some stylin' pwnage :) Whether they were skiddies or actual hackers, it's still amusing (and frightening to some) that companies who really should know better, in fact, don't.
>>
>> And again, if companies hired these people, most of whom come from disadvantaged backgrounds and are self taught, they wouldn't have as much a reason to be angry anymore. Most of them feel like they don't have any real opportunities for a career and they are often right. Microsoft hired some kid who hacked their network, it is a safe bet he isn't going to be causing any trouble anymore.
>>
>> Talking about the trust issue, who would you trust more: the person who has all the certs and experience that told you your network was safe, or the 14 year old who proved him wrong? We all know if that kid had approached Microsoft with his exploit in a responsible manner they would have outright ignored him, that's why this mailing list exists, because companies will ignore security issues until it bites them in the ass to save a buck. People are way too obsessed with having certifications that don't actually teach practical intrusion techniques. If a system is so fragile that teenagers can take it down with minimal effort then there is a serious problem with the IT security industry. Think about it: how long has SQL injection been around? There is absolutely no excuse for being vulnerable to it. None whatsoever.
>>
>> These kids are showing people the truth about the state of security online and that is what's making people afraid of them. They aren't writing 0-days every week, they are using vulnerabilities that are publicly available. Using tools that are publicly available, tools that were meant to be used by the people protecting the systems. Clearly the people in charge of protecting these systems aren't using these tools to scan their systems or else they would have found the weaknesses first. The fact that government organizations and large name companies and government contractors fall prey to these types of attacks just goes to show the level of hypocrisy inherent to the situation. Especially when their solution to the problem is to just pass more and more restrictive laws (as if that's going to stop them). These kids are showing people that the emperor has no clothes and that's what's making people angry, they are putting someone's paycheck in danger.
>>
>> Why don't we solve the problem by actually addressing the real problem and fixing systems that need to be fixed? Why not hire these kids with the time and energy on their hands to probe for these weaknesses on a large scale? The ones currently in the job slots to do this clearly aren't doing it. I bet if they started replacing these people with these kids it would shake the lethargy out of the rest of them and you would see a general increase in competence and security. Knowing that if you get your network owned by a teenager will not only get you fired, but replaced with said teenager is one hell of an incentive to make sure you get it right. Yes they would have to be taught additional skills to round out what they know, but every job requires some level of training and there are quite a few workplaces that will help their employees continue their education because it benefits the company to do so.
>>
>> This would be no different except that the employees would be younger, and younger people do tend to learn faster, so it would likely take less time to teach these kids the needed skills to round out what they already know than it would to teach someone older the same thing. It is the same principle behind teaching young children multiple languages, they learn them better than adults.

Because the ones in charge right now can't even seem to fire up sqlmap now and then to see if they are vuln. And if you really believe that they just do it for the lulz line
Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response
On 1/12/12 3:34 AM, doc mombasa wrote:
> I don't know if you ever worked for a big corporate entity? Like Kovacs wrote, it's not about whether you can do it or not as an employee, it's more about if your manager allows you the time to do it. Pentesting doesn't change anything on the profits Excel sheet. We can agree it looks bad when shit happens, but they usually don't think that far ahead. I tried once reporting a very simple SQL injection flaw to my manager, including a proposed fix which would take all of 5 minutes to implement. 18 months went by before that flaw was fixed, because there was no profit in allocating resources to fix it, and that webapp was the #1 money generator for that company.
>
> On 12 Jan 2012 10:29, Laurelai laure...@oneechan.org wrote:
>> On 1/12/12 3:27 AM, doc mombasa wrote:
>>> Just one question: why should they hire the skiddies if most of them only know how to fire up sqlmap or whatever current app is hot right now? Doesn't really seem like enough reason to hire anyone. Besides, I'm not buying the whole "they do it because they are angry at society" plop. I've been there.. they do it for the lulz.
>>>
>>> On 11 Jan 2012 06:18, Laurelai laure...@oneechan.org wrote:
>>>> On 1/10/12 10:18 PM, Byron Sonne wrote:
>>>>> Don't piss off a talented adolescent with computer skills. Amen! I love me some stylin' pwnage :) Whether they were skiddies or actual hackers, it's still amusing (and frightening to some) that companies who really should know better, in fact, don't.
>>>>
>>>> And again, if companies hired these people, most of whom come from disadvantaged backgrounds and are self taught, they wouldn't have as much a reason to be angry anymore. Most of them feel like they don't have any real opportunities for a career and they are often right. Microsoft hired some kid who hacked their network, it is a safe bet he isn't going to be causing any trouble anymore.
>>>>
>>>> Talking about the trust issue, who would you trust more: the person who has all the certs and experience that told you your network was safe, or the 14 year old who proved him wrong? We all know if that kid had approached Microsoft with his exploit in a responsible manner they would have outright ignored him, that's why this mailing list exists, because companies will ignore security issues until it bites them in the ass to save a buck. People are way too obsessed with having certifications that don't actually teach practical intrusion techniques. If a system is so fragile that teenagers can take it down with minimal effort then there is a serious problem with the IT security industry. Think about it: how long has SQL injection been around? There is absolutely no excuse for being vulnerable to it. None whatsoever.
>>>>
>>>> These kids are showing people the truth about the state of security online and that is what's making people afraid of them. They aren't writing 0-days every week, they are using vulnerabilities that are publicly available. Using tools that are publicly available, tools that were meant to be used by the people protecting the systems. Clearly the people in charge of protecting these systems aren't using these tools to scan their systems or else they would have found the weaknesses first. The fact that government organizations and large name companies and government contractors fall prey to these types of attacks just goes to show the level of hypocrisy inherent to the situation. Especially when their solution to the problem is to just pass more and more restrictive laws (as if that's going to stop them). These kids are showing people that the emperor has no clothes and that's what's making people angry, they are putting someone's paycheck in danger.
>>>>
>>>> Why don't we solve the problem by actually addressing the real problem and fixing systems that need to be fixed? Why not hire these kids with the time and energy on their hands to probe for these weaknesses on a large scale? The ones currently in the job slots to do this clearly aren't doing it. I bet if they started replacing these people with these kids it would shake the lethargy out of the rest of them and you would see a general increase in competence and security. Knowing that if you get your network owned by a teenager will not only get you
Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response
On 1/12/12 3:47 AM, doc mombasa wrote:
> OK, obviously you never worked for a big corporate entity :) Sure, standing up to them is fine. After shouting about the bug for 4 months I thought, bah, why bother, it's their asses not mine. Just going in and fixing a bug without the mandate is usually not a good idea (if you want to keep your job so you can pay your bills, that is..)
>
> On 12 Jan 2012 10:41, Laurelai laure...@oneechan.org wrote:
>> On 1/12/12 3:34 AM, doc mombasa wrote:
>>> I don't know if you ever worked for a big corporate entity? Like Kovacs wrote, it's not about whether you can do it or not as an employee, it's more about if your manager allows you the time to do it. Pentesting doesn't change anything on the profits Excel sheet. We can agree it looks bad when shit happens, but they usually don't think that far ahead. I tried once reporting a very simple SQL injection flaw to my manager, including a proposed fix which would take all of 5 minutes to implement. 18 months went by before that flaw was fixed, because there was no profit in allocating resources to fix it, and that webapp was the #1 money generator for that company.
>>>
>>> On 12 Jan 2012 10:29, Laurelai laure...@oneechan.org wrote:
>>>> On 1/12/12 3:27 AM, doc mombasa wrote:
>>>>> Just one question: why should they hire the skiddies if most of them only know how to fire up sqlmap or whatever current app is hot right now? Doesn't really seem like enough reason to hire anyone. Besides, I'm not buying the whole "they do it because they are angry at society" plop. I've been there.. they do it for the lulz.
>>>>>
>>>>> On 11 Jan 2012 06:18, Laurelai laure...@oneechan.org wrote:
>>>>>> On 1/10/12 10:18 PM, Byron Sonne wrote:
>>>>>>> Don't piss off a talented adolescent with computer skills. Amen! I love me some stylin' pwnage :) Whether they were skiddies or actual hackers, it's still amusing (and frightening to some) that companies who really should know better, in fact, don't.
>>>>>>
>>>>>> And again, if companies hired these people, most of whom come from disadvantaged backgrounds and are self taught, they wouldn't have as much a reason to be angry anymore. Most of them feel like they don't have any real opportunities for a career and they are often right. Microsoft hired some kid who hacked their network, it is a safe bet he isn't going to be causing any trouble anymore.
>>>>>>
>>>>>> Talking about the trust issue, who would you trust more: the person who has all the certs and experience that told you your network was safe, or the 14 year old who proved him wrong? We all know if that kid had approached Microsoft with his exploit in a responsible manner they would have outright ignored him, that's why this mailing list exists, because companies will ignore security issues until it bites them in the ass to save a buck. People are way too obsessed with having certifications that don't actually teach practical intrusion techniques. If a system is so fragile that teenagers can take it down with minimal effort then there is a serious problem with the IT security industry. Think about it: how long has SQL injection been around? There is absolutely no excuse for being vulnerable to it. None whatsoever.
>>>>>>
>>>>>> These kids are showing people the truth about the state of security online and that is what's making people afraid of them. They aren't writing 0-days every week, they are using vulnerabilities that are publicly available. Using tools that are publicly available, tools that were meant to be used by the people protecting the systems. Clearly the people in charge of protecting these systems aren't using these tools to scan their systems or else they would have found the weaknesses first. The fact that government organizations and large name companies and government contractors fall prey to these types of attacks just goes to show the level of hypocrisy inherent to the situation. Especially when their solution to the problem is to just pass more and more restrictive laws (as if that's going to stop
Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response
On 1/12/12 3:49 AM, Ferenc Kovacs wrote:
>> Well that's what you get when you let profit margins dictate security policy. You guys act pretty tough when you argue with each other online but you can't stand up to some corporate idiots? Sounds like this industry could benefit from these kids even more since they are driving home the points you all are supposed to be warning them about.
>
> Maybe you should try out at your company to hire a kiddie, and tell us how it turned out. Usually the ones shittalking here are those without a decent job imo...
>
> --
> Ferenc Kovács
> @Tyr43l - http://tyrael.hu

I have a great job.
Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response
On 1/12/12 3:54 AM, doc mombasa wrote:
> And you are obviously blindly stuck on a point and have no idea how it actually works out there in the real world. In small companies you have freedom and ability to execute; in big companies, not so much..
>
> On 12 Jan 2012 10:52, Laurelai laure...@oneechan.org wrote:
>> On 1/12/12 3:47 AM, doc mombasa wrote:
>>> OK, obviously you never worked for a big corporate entity :) Sure, standing up to them is fine. After shouting about the bug for 4 months I thought, bah, why bother, it's their asses not mine. Just going in and fixing a bug without the mandate is usually not a good idea (if you want to keep your job so you can pay your bills, that is..)
>>>
>>> On 12 Jan 2012 10:41, Laurelai laure...@oneechan.org wrote:
>>>> On 1/12/12 3:34 AM, doc mombasa wrote:
>>>>> I don't know if you ever worked for a big corporate entity? Like Kovacs wrote, it's not about whether you can do it or not as an employee, it's more about if your manager allows you the time to do it. Pentesting doesn't change anything on the profits Excel sheet. We can agree it looks bad when shit happens, but they usually don't think that far ahead. I tried once reporting a very simple SQL injection flaw to my manager, including a proposed fix which would take all of 5 minutes to implement. 18 months went by before that flaw was fixed, because there was no profit in allocating resources to fix it, and that webapp was the #1 money generator for that company.
>>>>>
>>>>> On 12 Jan 2012 10:29, Laurelai laure...@oneechan.org wrote:
>>>>>> On 1/12/12 3:27 AM, doc mombasa wrote:
>>>>>>> Just one question: why should they hire the skiddies if most of them only know how to fire up sqlmap or whatever current app is hot right now? Doesn't really seem like enough reason to hire anyone. Besides, I'm not buying the whole "they do it because they are angry at society" plop. I've been there.. they do it for the lulz.
>>>>>>>
>>>>>>> On 11 Jan 2012 06:18, Laurelai laure...@oneechan.org wrote:
>>>>>>>> On 1/10/12 10:18 PM, Byron Sonne wrote:
>>>>>>>>> Don't piss off a talented adolescent with computer skills. Amen! I love me some stylin' pwnage :) Whether they were skiddies or actual hackers, it's still amusing (and frightening to some) that companies who really should know better, in fact, don't.
>>>>>>>>
>>>>>>>> And again, if companies hired these people, most of whom come from disadvantaged backgrounds and are self taught, they wouldn't have as much a reason to be angry anymore. Most of them feel like they don't have any real opportunities for a career and they are often right. Microsoft hired some kid who hacked their network, it is a safe bet he isn't going to be causing any trouble anymore.
>>>>>>>>
>>>>>>>> Talking about the trust issue, who would you trust more: the person who has all the certs and experience that told you your network was safe, or the 14 year old who proved him wrong? We all know if that kid had approached Microsoft with his exploit in a responsible manner they would have outright ignored him, that's why this mailing list exists, because companies will ignore security issues until it bites them in the ass to save a buck. People are way too obsessed with having certifications that don't actually teach practical intrusion techniques. If a system is so fragile that teenagers can take it down with minimal effort then there is a serious problem with the IT security industry. Think about it: how long has SQL injection been around? There is absolutely no excuse for being vulnerable to it. None whatsoever.
>>>>>>>>
>>>>>>>> These kids are showing people the truth about the state of security online and that is what's making people afraid of them. They aren't writing 0-days every week, they are using vulnerabilities that are publicly available. Using tools that are publicly available, tools that were meant
Re: [Full-disclosure] Rate Stratfor's Incident Response
On 1/12/12 11:12 AM, valdis.kletni...@vt.edu wrote:
> On Wed, 11 Jan 2012 12:57:48 EST, Benjamin Kreuter said:
>> The problem is that we have criminalized too much here. If some 14 year old comes to you and hands you supposedly secret documents, he is behaving very ethically -- he is telling you that you have a vulnerability, rather than simply trying to sell your secrets to a competitor. That sounds like a person who can be trusted to work for you -- someone who could have easily betrayed you, but did not, and who knew when and how to do the right thing.
>
> No, the person I *want* to hire doesn't come to me with a secret document, he comes to me and says "There's a hole in this web page that will leak secret documents, but I didn't actually download one to fully verify it."

And if they do that they will get told "Well, how do you know it will actually leak secret documents, since you didn't verify that it actually leaks them? Stop wasting our time." We have all seen companies ignore vulnerabilities because the company claimed it was not exploitable when it was. Right now the FBI is claiming that they knew about the Stratfor hack and had informed people that their personal data was compromised, but we know this isn't true because live credit cards from the data leak were actually used after it became public, so again who are you going to trust: the people who have been proven over and over to lie to the public about the state of their security, or the people showing the world they are liars?

>> The people who are going to attack your system and then sell your secrets on the black market are people who are not going to think in the structured way that your engineers think. They are going to do things that your IT staff did not expect anyone to do. They are going to do things your IT staff did not even think about. If the people in your organization were not creative enough to do what the teenage hacker did, then the teenage hacker has skills that are missing from your team -- which can be restated as "the teenager is someone you should hire."
>
> No, it can be restated as "you want to hire someone with a skillset similar to that teenager." Would you hire that teenager to take several tens of thousands of cash to the bank unescorted? No? Then why are you hiring them into a position where they'll have basically unescorted access to similar amounts of valuables?
Re: [Full-disclosure] Rate Stratfor's Incident Response
On 1/12/12 11:21 AM, Ian Hayes wrote: On Wed, Jan 11, 2012 at 9:57 AM, Benjamin Kreuterben.kreu...@gmail.com wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On Tue, 10 Jan 2012 21:39:07 -0800 Ian Hayescthulhucall...@gmail.com wrote: On Tue, Jan 10, 2012 at 9:18 PM, Laurelailaure...@oneechan.org wrote: On 1/10/12 10:18 PM, Byron Sonne wrote: Don't piss off a talented adolescent with computer skills. Amen! I love me some stylin' pwnage :) Whether they were skiddies or actual hackers, it's still amusing (and frightening to some) that companies who really should know better, in fact, don't. And again, if companies hired these people, most of whom come from disadvantaged backgrounds and are self taught they wouldn't have as much a reason to be angry anymore. Most of them feel like they don't have any real opportunities for a career and they are often right. [citation needed] Microsoft hired some kid who hacked their network, it is a safe bet he isn't going to be causing any trouble anymore. Are you proposing that we reward all such behavior with jobs? I've always wanted to be a firefighter. Forget resumes, job applications and interviews, I'm going to set people's houses on fire. No, it is more like you see a house on fire, call 911, then clear the road so that firefighters can get to the house. You know, someone who is helping the professionals do their job? Yes. But by Larueli's logic, since I know how to use a Bic lighter, I'm infinitely more qualified that a trained firefighter. By setting fire to other people's houses, I'm announcing my intention to join their ranks, and deserve a job at the nearest station. Nevermind, that 20 people died and hundreds of thousands of dollars of property damage- if the firemen were true professionals, they would have made the houses completely fireproof a long time ago, or at the very least responded and put out the fire before any real damage was done. Plus, I have a Zippo, which makes me uber-leet. 
Laurelai: I know it's a strange spelling but it is spelled correctly in my email address, and it's "than", not "that".

Committing arson is not comparable to a digital intrusion, no lives are lost and any enterprise system worth speaking of has backup systems so very little real damage is done; the most damage that occurs is to their reputation, it injures people's pride and causes humiliation. The people being humiliated have created reputations as experts in infosec, reputations that, as is being shown, they don't deserve. Let's be honest here, if it wasn't anon/antisec doing it someone else would have eventually (perhaps they already were) and they probably wouldn't have made the incident public, they would have just quietly stolen user data and credit card information and sold them off to the highest bidder for as long as they possibly could. Or used stolen credentials to gain access to even more data. You seem to be missing the point that anon/antisec is using methods, for the most part, that are simple attacks that any company has absolutely no excuse to be vulnerable to. This is more like owning a large store and leaving the doors unlocked at night and finding that some kids walked in and put all of your stock outside of the store and pinned your internal finance documents that show you have been embezzling to the windows, plus they drew penises on the pictures in your office just to pour salt on the wound. In this case you have nobody to blame but yourself. My suggestion that they should hire these kids was meant to imply that, as bad as they are, they probably are more ethical than the people they are attacking, since they aren't storing all sorts of sensitive user data in plain text and telling people it's all safe.

By your logic, an arsonist is not only the best person to combat other arsonists, but due to his obviously unique insight into the nature of fire, simply must know how best to fight a fire as opposed to someone who went to school for years to learn the trade.
Unless you are going to give me a proof that no attack on my network could be successful, you need people who can find their way through the cracks to evaluate the efficacy of your security system. If the people you already hired to maintain your security are not able to identify threats and design systems that are resilient to those threats, then you need to hire someone else. A security team will benefit from having someone poke holes in their design. Anyone who says "you are secure, you are hacker-proof" should be shown the door.

But this is reality. Companies don't WANT to know that the Emperor is naked. All they want is to fill in the checkbox that says that they did their due diligence, so they pass their annual audit. If holes are found, now they have to spend time, money and effort fixing them, or they lose their insurance/merchant status/some kind of accreditation. That's why most organizations are happy
Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response
On 1/12/12 2:00 PM, Elazar Broad wrote:

Sounds like this industry could benefit from these kids even more since they are driving home the points you all are supposed to be warning them about.

That's because these kids don't have mouths to feed and a paycheck to worry about. Ethics and ethos are all very nice when you have nothing to lose, all to gain and no one depending on you...

On Thursday, January 12, 2012 at 4:43 AM, Laurelai laure...@oneechan.org wrote:

On 1/12/12 3:34 AM, doc mombasa wrote: I don't know if you ever worked for a big corporate entity? Like Kovacs wrote, it's not about whether you can do it or not as an employee, it's more about if your manager allows you the time to do it. Pentesting doesn't change anything on the profits Excel sheet. We can agree it looks bad when shit happens but they usually don't think that far ahead. I tried once reporting a very simple SQL injection flaw to my manager and including a proposed fix which would take all of 5 minutes to implement. 18 months went by before that flaw was fixed because there was no profit in allocating resources to fix it, and that webapp was the #1 money generator for that company.

On 12 Jan 2012 10:29, Laurelai laure...@oneechan.org wrote:

On 1/12/12 3:27 AM, doc mombasa wrote: Just one question, why should they hire the skiddies if most of them only know how to fire up sqlmap or whatever current app is hot right now? Doesn't really seem like enough reason to hire anyone. Besides, I'm not buying the whole "they do it because they are angry at society" plop. I've been there.. they do it for the lulz.

On 11 Jan 2012 06:18, Laurelai laure...@oneechan.org wrote:

On 1/10/12 10:18 PM, Byron Sonne wrote: Don't piss off a talented adolescent with computer skills. Amen! I love me some stylin' pwnage :) Whether they were skiddies or actual hackers, it's still amusing (and frightening to some) that companies who really should know better, in fact, don't.
Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response
On 1/10/12 11:39 PM, Ian Hayes wrote:

On Tue, Jan 10, 2012 at 9:18 PM, Laurelai laure...@oneechan.org wrote:

On 1/10/12 10:18 PM, Byron Sonne wrote: Don't piss off a talented adolescent with computer skills. Amen! I love me some stylin' pwnage :) Whether they were skiddies or actual hackers, it's still amusing (and frightening to some) that companies who really should know better, in fact, don't.

And again, if companies hired these people, most of whom come from disadvantaged backgrounds and are self taught, they wouldn't have as much of a reason to be angry anymore. Most of them feel like they don't have any real opportunities for a career and they are often right.

[citation needed]

Microsoft hired some kid who hacked their network, it is a safe bet he isn't going to be causing any trouble anymore.

Are you proposing that we reward all such behavior with jobs? I've always wanted to be a firefighter. Forget resumes, job applications and interviews, I'm going to set people's houses on fire. By your logic, an arsonist is not only the best person to combat other arsonists, but due to his obviously unique insight into the nature of fire, simply must know how best to fight a fire as opposed to someone who went to school for years to learn the trade.

Talking about the trust issue, who would you trust more, the person who has all the certs and experience that told you your network was safe or the 14 year old who proved him wrong?

This is asinine. WHY would I want to hire someone for a position of trust that just committed a crime, or at the very least acted in an unethical manner? More than anything, that person has proven that while he *might* have the technical chops, he certainly lacks the ethics and decision making skills to operate in the grown-up world.

___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

Because the ones with the so called ethics either lack the technical chops or lack the enthusiasm to find simple vulnerabilities. Not very ethical to take a huge paycheck and not do your job if you ask me.
Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response
On 1/11/12 8:39 AM, Ferenc Kovacs wrote:

Because the ones with the so called ethics either lack the technical chops or lack the enthusiasm to find simple vulnerabilities. Not very ethical to take a huge paycheck and not do your job if you ask me.

If the only thing missing to secure those systems was somebody being able to use sqlmap and xss-me, then that could be fixed without hiring people who already proved that they aren't trustworthy. From my experience, the lack of security comes from the management; you can save money on that (and QA) in the short run. So companies tend to hire QSA companies to buy the paper which says that they are good, when in fact they aren't. Most of them don't wanna hear that they are vulnerable and take the risks too lightly. If they took IT security seriously they simply couldn't be owned through trivial, well-known attack vectors.

-- Ferenc Kovács @Tyr43l - http://tyrael.hu

:D at least one person here gets it.
Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response
On 1/10/12 10:18 PM, Byron Sonne wrote: Don't piss off a talented adolescent with computer skills. Amen! I love me some stylin' pwnage :) Whether they were skiddies or actual hackers, it's still amusing (and frightening to some) that companies who really should know better, in fact, don't.

And again, if companies hired these people, most of whom come from disadvantaged backgrounds and are self taught, they wouldn't have as much of a reason to be angry anymore. Most of them feel like they don't have any real opportunities for a career and they are often right. Microsoft hired some kid who hacked their network, it is a safe bet he isn't going to be causing any trouble anymore. Talking about the trust issue, who would you trust more, the person who has all the certs and experience that told you your network was safe or the 14 year old who proved him wrong? We all know if that kid had approached Microsoft with his exploit in a responsible manner they would have outright ignored him; that's why this mailing list exists, because companies will ignore security issues until it bites them in the ass to save a buck.

People are way too obsessed with having certifications that don't actually teach practical intrusion techniques. If a system is so fragile that teenagers can take it down with minimal effort then there is a serious problem with the IT security industry. Think about it, how long has SQL injection been around? There is absolutely no excuse for being vulnerable to it. None whatsoever. These kids are showing people the truth about the state of security online and that is what's making people afraid of them. They aren't writing 0-days every week, they are using vulnerabilities that are publicly available. Using tools that are publicly available, tools that were meant to be used by the people protecting the systems. Clearly the people in charge of protecting these systems aren't using these tools to scan their systems or else they would have found the weaknesses first.

The fact that government organizations and large name companies and government contractors fall prey to these types of attacks just goes to show the level of hypocrisy inherent to the situation. Especially when their solution to the problem is to just pass more and more restrictive laws (as if that's going to stop them). These kids are showing people that the emperor has no clothes and that's what's making people angry, they are putting someone's paycheck in danger. Why don't we solve the problem by actually addressing the real problem and fixing systems that need to be fixed? Why not hire these kids with the time and energy on their hands to probe for these weaknesses on a large scale? The ones currently in the job slots to do this clearly aren't doing it. I bet if they started replacing these people with these kids it would shake the lethargy out of the rest of them and you would see a general increase in competence and security. Knowing that getting your network owned by a teenager will not only get you fired, but replaced with said teenager, is one hell of an incentive to make sure you get it right.

Yes, they would have to be taught additional skills to round out what they know, but every job requires some level of training and there are quite a few workplaces that will help their employees continue their education because it benefits the company to do so. This would be no different except that the employees would be younger, and younger people do tend to learn faster, so it would likely take less time to teach these kids the needed skills to round out what they already know than it would to teach someone older the same thing. It is the same principle behind teaching young children multiple languages, they learn them better than adults.
Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response
On 1/10/12 11:32 PM, James Smith wrote: Well I do agree with what you are stating, as I have seen incidents like this happen too many times. This mailing list is a big part of the IT Security community.

-Original Message- From: Laurelai Sent: Wednesday, January 11, 2012 1:18 AM To: full-disclosure@lists.grok.org.uk Subject: Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response
Yes I am aware they are; the ones who cry out that they are just script kiddies and such are the ones who are most likely to be vulnerable in my experience. Point is they still got owned, it doesn't matter if the method was easy. In fact, because it was easy it should be an even greater concern to everyone here. The fact that Stratfor got owned like they did shows they were beyond negligent; HBGary was the same, as was Sony. They shouldn't be trying to prosecute these kids, they should go after these companies for grossly mishandling people's personal
Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response
On 1/11/12 1:15 AM, Kyle Creyts wrote: How many of those engaged in these attacks _could_ actually fix the vulns they exploit? What is a good rough estimate in your opinion?

On Jan 11, 2012 12:47 AM, Laurelai laure...@oneechan.org wrote:

On 1/10/12 11:32 PM, James Smith wrote: Well I do agree with what you are stating, as I have seen incidents like this happen too many times. This mailing list is a big part of the IT Security community.

-Original Message- From: Laurelai Sent: Wednesday, January 11, 2012 1:18 AM To: full-disclosure@lists.grok.org.uk Subject: Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response
Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response
On 1/11/12 1:21 AM, valdis.kletni...@vt.edu wrote:

On Tue, 10 Jan 2012 23:18:40 CST, Laurelai said: real opportunities for a career and they are often right. Microsoft hired some kid who hacked their network, it is a safe bet he isn't going to be causing any trouble anymore.

How safe a bet, exactly? Safe enough to bet your business on it? Microsoft has $40B in cash handy to survive on if something goes wrong. What's *your* Plan B if the kid you hired blabs about his gig and one of his buddies rapes your net using the credentials you gave the kid to do the pen test?

Talking about the trust issue, who would you trust more, the person who has all the certs and experience that told you your network was safe or the 14 year old who proved him wrong?

A really clever guy by the name of Edsger Dijkstra once said "Testing can prove the presence of bugs, but not their absence." If you're getting a pen test done by somebody who says your network is safe, you're being ripped off. First, all networks have holes - if the pen tester comes up empty, it doesn't mean your net is secure, it means finding the holes needs somebody with better skills. Second, any pen tester who says the net is safe is a rip-off artist. At best, they can say "we did not find any of the following vulnerabilities we tested for. There may be vulnerabilities present that we were unable to find under the rules of engagement, which limit the scope and total time and money spent."

Also, it's not just about who you trust more to find the holes, it's who you trust to be professional while they do it. Or the "put your money where your mouth is" (literally) version - which one would you rather have working for your bank when they find a security hole that allows them access to your checking account?

If you guys can't scan for basic SQL injection and these kids can then there's a real problem, that's my point here. The attacks are so simple children can do it and the so called experts aren't finding them or just aren't looking, so I'm not sure if it's incompetence or apathy behind these high profile hacks. You can teach these kids the same skillsets the so called experts have, but you can't teach incompetent people to be competent as it's a willful mindset to not learn new things, and there's no solution for apathy other than hiring someone who cares. These kids have the motivation to learn new things and the energy to apply them. Something the people they are owning lack sorely. As the ancient proverb says, "Set a thief to catch a thief".
[Full-disclosure] Fwd: Fw: Who is behind Stratfor hack?
I don't know why you emailed this to me, perhaps you were looking for attention or something, so I've forwarded it to the FD list so you can get all the attention you want. Cheers.

Original Message
Subject: Fw: Who is behind Stratfor hack?
Date: Sun, 8 Jan 2012 00:06:23 -0800 (PST)
From: andrew.wallace andrew.wall...@rocketmail.com
Reply-To: andrew.wallace andrew.wall...@rocketmail.com
To: Laurelai laure...@oneechan.org

- Forwarded Message -
From: andrew.wallace andrew.wall...@rocketmail.com
To: feedb...@stratfor.com
Sent: Saturday, December 31, 2011 1:50 AM
Subject: Who is behind Stratfor hack?

If this turns out to be the person who hacked your web site, I would like a cash reward. Andrew

--- http://pastebin.com/f7jYf5Wd 46. lol xD --- Should we read into this too much? Andrew

--- 48. We almost have sympathy for those poor DHS employees and australian billionaires who had their bank accounts looted by the lulz (orly? i just fapped). --- The guy we know is australian... Andrew

--- 51. We call upon all allied battleships, all armies from darkness, to use and abuse these password lists and credit card information to wreak unholy havok upon the systems and personal email accounts of these rich and powerful oppressors. Kill, kitties, kill and burn them down... peacefully. XD XD --- Signed as XD again. Andrew

--- Last email I have from him is 23rd December... same kind of grammar as the Stratfor pastebin. It seems he disappeared just as the Stratfor news broke just before Christmas. Andrew

- Forwarded Message -
From: xD 0x41 sec...@gmail.com
To: Larry W. Cashdollar lar...@me.com
Cc: full-disclosure@lists.grok.org.uk
Sent: Friday, December 23, 2011 1:26 PM
Subject: Re: [Full-disclosure] Mobile Prank Hacktool

hi Larry! Hope you're doing well mate ;) , anyhow, here.. I did manage to get it via windows..maybe megaupload.com has blocks for lynx or other linux ? not sure and, not caring to test,..lol...anyhow, same file..enjoy, cheers. (Oh, I'd always run this with at least a basic Sandbox, like Sandboxie, which would make sure that we never lose our data in case there is malware, which, usually tools like this always do..but, anyhow, it is not from me, altho, many would probably wish it was :s sad...

Looks like the link is unavailable. -- Larry C$

Oh, I was able to download what looks like, a very interesting application and files..very cool...well, to look atm, atm :P I did browse the src, just then directly upped it to hotfile.com..i think lynx is a bit better with hotfile...anyhow, here is a working link: http://hotfile.com/dl/138283571/f9ef676/Mobile_Prank_Hacktool.rar.html anyhow, cheers larry, let me know if it worked, if not, I'll put it on a ftp or sumthin :s but, then I'd be checking my own connection :P~ lol...tc buddy! XD // hax...@haxshells.us @ crazycoders.com crazycoders.us
Re: [Full-disclosure] Fwd: Fw: Who is behind Stratfor hack?
On 1/8/12 2:06 PM, valdis.kletni...@vt.edu wrote:

On Sun, 08 Jan 2012 11:16:59 CST, Laurelai said: He sent a copy to you too? My condolences. He comes up with the most interesting conclusions sometimes.

If this turns out to be the person who hacked your web site, I would like a cash reward. Andrew --- http://pastebin.com/f7jYf5Wd 46. lol xD Should we read into this too much?

You just did, Andrew. There's 2 possibilities. Either it's a frikkin *SMILEY*, or I'm actually a Microsoft hacker that goes by the name 'XP Vista'. Hint - in a few places, we find the string 'xD xD'. Do you sign your name "Andrew Andrew"? No? Then which is more likely, it's 2 smileys in a row, or the person's tag twice in a row?

Last email I have from him is 23rd December... same kind of grammar as the Stratfor pastebin.

This is *so* amusing, coming from the person who's *still* threatening legal action against me for suggesting n3td3v to Neal Krawetz, which resulted in a nice presentation at Black Hat on linguistic analysis. At least Neal actually measured percentages of words and syllable lengths and tenses and stuff like that. ;)

It seems he disappeared just as the Stratfor news broke just before Christmas.

Andrew? Hate to break it to you, but a lot of people go on actual multi-week vacations around Christmastime. Heck, something like 57% of the entire population of the town I live in left around Dec 16, and won't be back till next week. The streets are deserted. Maybe one of those 20,000 people is the *real* hacker and left just before the news broke, not on Christmas vacation?

lol XP XP His logic reminds me of Jen Emerick
Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response
On 1/7/12 8:51 AM, Ed Carp wrote: ROFL!!!

-- Forwarded message --
From: george.fried...@stratfor.com
Date: Sat, Jan 7, 2012 at 2:33 AM
Subject: Rate Stratfor's Incident Response
To: e...@pobox.com

For the video announcement, please see http://www.youtube.com/watch?v=oHg5SJYRHA0 Read full press release: http://bolt.thexfil.es/84e9h!t Rate Stratfor's incident response: http://img855.imageshack.us/img855/9055/butthurtreportform.jpg

Hello loyal Stratfor clients, We are still working to get our website secure and back up and running again as soon as possible. To show our appreciation for your continued support, we will be making available all of our premium content *as a free service* from now on. We would like to hear from our loyal client base as to our handling of the recent intrusion by those deranged, sexually deviant criminal hacker terrorist masterminds. Please fill out the following form and return it to me. My mobile: 512-658-3152 My home phone: 512-894-0125

I still find this kind of thing hilarious.
Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response
On 1/7/12 2:48 PM, Ferenc Kovacs wrote:
On Sat, Jan 7, 2012 at 8:10 PM, Jeffrey Walton noloa...@gmail.com wrote:
http://bolt.thexfil.es/84e9h!t was an interesting link - it demonstrated the pwnage. It looks like these folks gained access via PHP. Stratfor was using a Linux based system, but PHP was version 1.8 from 2009 (perhaps with some back patches). Current version of PHP is 5.3.8 (http://www.php.net/).

O really? PHP 1.8? how would you compile that on a modern linux distro? how would you run drupal on top of it?

// $Id: default.settings.php,v 1.8.2.4 2009/09/14 12:59:18 goba Exp $

that is a line from the default drupal config file. I agree that the php app was the most likely source of the intrusion, I would guess that they didn't keep the drupal core and the contrib modules up-to-date, and they were owned through some old vulnerability.

-- Ferenc Kovács @Tyr43l - http://tyrael.hu

And again it makes me wonder how many other so called security companies are just as vulnerable.
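The confusion in the exchange above comes from reading a CVS `$Id$` keyword line as a PHP version. The following parser is an added example, not code from the thread or from Drupal: it pulls the fields out of that keyword (file name, CVS revision, commit date, author, state) and shows that `1.8.2.4` is a branch revision of one configuration file, while a PHP release looks like `5.3.8`. The sample header is constructed here; only the `$Id$` line itself is the one quoted in the message.

```python
import re
from datetime import datetime

# Constructed sample: the top of a Drupal default.settings.php carrying the CVS
# keyword line quoted in the thread (the surrounding comment is made up here).
SAMPLE_HEADER = """<?php
// $Id: default.settings.php,v 1.8.2.4 2009/09/14 12:59:18 goba Exp $

/**
 * @file
 * Drupal site-specific configuration file.
 */
"""

# A CVS $Id$ keyword expands to:
#   $Id: <file>,v <revision> <YYYY/MM/DD> <HH:MM:SS> <author> <state> $
# The revision is that file's CVS revision number; it says nothing about the
# version of the interpreter, and only indirectly about the application.
CVS_ID_RE = re.compile(
    r"\$Id:\s+(?P<file>\S+),v\s+(?P<revision>\d+(?:\.\d+)+)\s+"
    r"(?P<date>\d{4}/\d{2}/\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<author>\S+)\s+(?P<state>\S+)\s+\$"
)


def parse_cvs_id(text):
    """Return the fields of the first CVS $Id$ keyword in text, or None."""
    match = CVS_ID_RE.search(text)
    if match is None:
        return None
    revision = match.group("revision")
    components = revision.split(".")
    return {
        "file": match.group("file"),
        "revision": revision,
        # CVS trunk revisions have two components (1.8); a branch revision
        # such as 1.8.2.4 has four (branch 1.8.2 off 1.8, fourth commit on it).
        "on_branch": len(components) > 2,
        "committed": datetime.strptime(
            match.group("date") + " " + match.group("time"), "%Y/%m/%d %H:%M:%S"
        ),
        "author": match.group("author"),
        "state": match.group("state"),
    }


def looks_like_php_version(s):
    """True for a plain PHP release string such as '5.3.8' (major.minor.patch).

    Deliberately strict: distro suffixes like '5.3.8-1ubuntu' are out of scope.
    """
    return re.fullmatch(r"\d+\.\d+\.\d+", s) is not None


def describe(text):
    """One-line summary that names the revision for what it is."""
    info = parse_cvs_id(text)
    if info is None:
        return "no CVS $Id$ keyword found"
    kind = "branch" if info["on_branch"] else "trunk"
    return (
        f"{info['file']}: CVS {kind} revision {info['revision']}, committed "
        f"{info['committed']:%Y-%m-%d} by {info['author']} (state {info['state']}); "
        "this is the revision of one file, not a PHP version"
    )


if __name__ == "__main__":
    print(describe(SAMPLE_HEADER))
    print("5.3.8 is a PHP version:", looks_like_php_version("5.3.8"))
    print("1.8.2.4 is a PHP version:", looks_like_php_version("1.8.2.4"))
```

The commit date in the keyword only tells you when that template last changed upstream; to judge whether a Drupal core or its contrib modules are current you still need to compare the installed release against the project's own release notes, which is what the message above is really pointing at.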
Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response
On 1/7/12 3:50 PM, valdis.kletni...@vt.edu wrote:
On Sat, 07 Jan 2012 16:25:35 EST, Shyaam Sundhar said:
Although, once they have gained popularity and to a stage where a garage office becomes a shop floor and a @home biz becomes a rent-a-million$-building office, it is time to shift priorities.

If finding people who are competent enough to secure a payroll system for a company of 10 people is difficult, what makes you think that it's easy to find people who can secure the systems for a company of 1,000?

As Stratfor has demonstrated, the talent pool of *really* competent security people is shallow enough that there's not even enough to secure the security companies. And it's not just Stratfor - when was the last time this list went a week without mocking a security company for its lack of clue?

It's an industry-wide problem - there's a *severe* shortage of experts. And even though schools like DeVry and ITT are churning out lots of people with entry level certifications, I'm not at all sure that helps the situation - we end up with a lot of people who are entry level, and don't realize how much they don't know. That makes them almost more dangerous than not having anybody at all. Sort of like if you walk alone through a scary part of town, you actually stand a good chance because you *know* you're alone and will act accordingly - but if you have a bodyguard with you, you're likely to act differently, and end up totally screwed when you find out said bodyguard has a belt in martial arts, but zero experience in street fighting...

Perhaps these companies should try to hire the kids owning them instead of crying to the feds.
Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response
On 1/7/12 5:31 PM, Ferenc Kovacs wrote:
On Sun, Jan 8, 2012 at 12:03 AM, Laurelai laure...@oneechan.org wrote:
On 1/7/12 3:50 PM, valdis.kletni...@vt.edu wrote:
On Sat, 07 Jan 2012 16:25:35 EST, Shyaam Sundhar said:
Although, once they have gained popularity and to a stage where a garage office becomes a shop floor and a @home biz becomes a rent-a-million$-building office, it is time to shift priorities.

If finding people who are competent enough to secure a payroll system for a company of 10 people is difficult, what makes you think that it's easy to find people who can secure the systems for a company of 1,000?

As Stratfor has demonstrated, the talent pool of *really* competent security people is shallow enough that there's not even enough to secure the security companies. And it's not just Stratfor - when was the last time this list went a week without mocking a security company for its lack of clue?

It's an industry-wide problem - there's a *severe* shortage of experts. And even though schools like DeVry and ITT are churning out lots of people with entry level certifications, I'm not at all sure that helps the situation - we end up with a lot of people who are entry level, and don't realize how much they don't know. That makes them almost more dangerous than not having anybody at all. Sort of like if you walk alone through a scary part of town, you actually stand a good chance because you *know* you're alone and will act accordingly - but if you have a bodyguard with you, you're likely to act differently, and end up totally screwed when you find out said bodyguard has a belt in martial arts, but zero experience in street fighting...

Perhaps these companies should try to hire the kids owning them instead of crying to the feds.

why do you think that kiddies using tools like sqlmap would be able to defend them from other kids?

-- Ferenc Kovács @Tyr43l - http://tyrael.hu

Because they pay the kids to own them in a safe manner to show that their so called experts are full of shit, then they fire said experts and hire competent people saving time money and resources, try and remember the guys with the certs are the ones getting owned by the skiddies with sqlmap so that should show you how broken the infosec industry is, want to fix it? Start by hiring the skids because they are still more competent than the guys they are owning. If that one gets owned you hire the guy who owned him etc... until you actually have to know what the hell you're doing to be in infosec. Use a Darwinian approach to the industry.
Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response
On 1/7/12 6:20 PM, valdis.kletni...@vt.edu wrote:
On Sat, 07 Jan 2012 17:37:44 CST, Laurelai said:
Because they pay the kids to own them in a safe manner to show that

It's not as simple as all that. A good pen-tester needs more skills than just how to pwn a server. You need some business smarts, and you need to be *very* careful about writing the rules of engagement (some pen tests that involve physical attacks can literally get you shot at if you screw this part up), and then *sticking with them* (you find a major social engineering problem while doing a black-box test of some front-end servers, you better re-negotiate those rules of engagement before you do anything else). Also, once a pen test starts, you can't take your time and poke it with the 3 or 4 types of attacks that you're good at - you have 3 weeks starting at 8AM Monday to hit it with 37 different classes of attacks they're likely to see and another 61 types of attacks they're not likely to see and aren't expecting. And be prepared to work any one of those 94 from looks like might be an issue to something you can put in a report and say You Have A Problem.

Almost no company is stupid enough to hire a pen testing team without that team posting a good-sized performance bond in case of a screw-up taking out a server, or a rogue pentester stealing the data. (ESPECIALLY in this case, you *already* caught them stealing the data once :) And the kids are going to land a $1M performance bond, how? (Hint - think this through. Really good pentesters make *really* good bucks. If those kiddies had what it took to be good pentesters, they'd already be making bucks as pentesters, not as kiddies)

their so called experts are full of shit, then they fire said experts and hire competent people saving time money and resources, try and

Doesn't scale, because there's not enough competent people out there. There's 140 million .coms, there aren't 140 million security experts out there.

It's not a new idea - I've heard it every year or two since probably before most of the people on this list were born. The fact that almost no companies actually *do* it, and that those hackers who have successfully crossed over to consulting are rare enough that you can name most of them, should tell you something about how well it ends up working in practice.

Well enjoy your doomed industry then. I'll continue to take great pleasure as the so called experts get owned by teenagers.
Re: [Full-disclosure] NEVER AGAIN
On 11/23/2011 8:08 AM, Kain, Rebecca (.) wrote:
I ask myself that all the time when I see andrew's posts

-Original Message-
From: full-disclosure-boun...@lists.grok.org.uk On Behalf Of valdis.kletni...@vt.edu
Sent: Tuesday, November 22, 2011 7:38 PM
To: Mario Vilas
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] NEVER AGAIN

On Wed, 23 Nov 2011 01:12:56 +0100, Mario Vilas said:
I'd love to know what number he called. Or at least what country+area code.

Somewhere, a computer-illiterate great-grandmother is asking herself What the blazes was *that* all about? :)

Yeah I have to admit I'm lost on this one