Re: [Full-disclosure] [MDVSA-2013:11X ] ENTIRE OS

2013-04-15 Thread Laurelai
On 4/15/2013 6:24 AM, Alexander Georgiev wrote:

 +1 !

 On Thu, 11 Apr 2013 00:00:18 -0700, Stefan Jon Silverman
 s...@sjsinc.com wrote:

 -BEGIN POPEYE (SPINACH) SIGNED MESSAGE-
 Hash: SHAK's-SHORTS

  ___

  Mandriva Linux Security Advisory MDVSA-2013:ALL
  ___

  Package : Entire F'n OS
  Date: April 11, 2013
  Affected: Entire F'n OS
  ___

  Problem Description:

  Updated OS packages fail to fix multiple security vulnerabilities:
  
  It was discovered that we have absolutely no clue on how to get it right so 
 we issue several hundred security advisories each and every calendar day 
 just to keep the rest of the planet up to date on how totally incompetent we 
 are in managing a fork.

  We appreciate your tolerance of clogging your inbox w/ alert after alert 
 which reaffirms our stated distribution goal of being the least secure 
 Linux on the planet and hope that you will continue to support us in our 
 endeavors.

  -END POPEYE (SPINACH) SIGNATURE-

 -- 
 Regards,
 Stefan

 Stefan Jon Silverman
 http://www.sjsinc.com/cgi-bin/DoRedirect?sig-google - Founder / President
 SJS Associates, N.A., Inc.
 A Technology Strategy Consultancy
 Cell 917 929 1668   eMail s...@sjsinc.com mailto:s...@sjsinc.com
 www.sjsinc.com http://www.sjsinc.com/?%20eMail%20Sig

 Aim/Skype/GoogleIM: LazloInSF   Twitter/Yahoo: sjs_sf

 Weebles wobble but they don't fall down

 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.grok.org.uk/full-disclosure-charter.html
 Hosted and sponsored by Secunia - http://secunia.com/
http://i.imgur.com/hKk8UcK.gif

Re: [Full-disclosure] list patch

2013-03-04 Thread Laurelai
On 3/4/2013 9:28 PM, andrew.wallace wrote:
 After all this time you don't grasp the serious nature of calling me
 or my organisation a troll and the trouble you will get yourself in
 legally. After all this time you still persist. Oh and the recent
 mails have been forwarded to my lawyer.

 Andrew
http://i.imgur.com/phpcZyW.jpg

Re: [Full-disclosure] how do I know the fbi is followin

2013-03-02 Thread Laurelai
On 3/2/2013 10:15 PM, Stefan Jon Silverman wrote:

 ===

 gets out popcorn maker, this is going to be a fun movie.

 Regards,
 Stefan

 Weebles wobble but they don't fall down


On 3/2/2013 7:04 PM, Chris L wrote:

 If you think they are following, go down a dark rural road that you
 know has a few loops. You need to have a goat in the back of the van.
 Deliberately drive down one of these loops, if they're still behind
 you, they're following you. That doesn't mean they're FBI though, they
 could just be stalkers or serial killers. STOP randomly in the road.
 Jump out of the car as fast as you can. Start visibly consuming as many
 drugs as you can while stripping off your clothes and dancing. Then,
 pull out the goat and begin to ritually sacrifice it. If they're FBI
 you'll be arrested, if not you'll have likely scared off the crazies
 following you by being more crazy than them.

 Then you'll know.

 On Sat, Mar 2, 2013 at 6:42 PM, Jeff Kell jeff-k...@utc.edu wrote:

  On 3/2/2013 9:29 PM, Reed Loden wrote:

   Check your nearby WiFi SSIDs for "FBI Surveillance Van". That's always a
   dead giveaway that you're being monitored.

  Yeah, what is it with those guys? (or the ones that perpetuate the myth...)

  Jeff

http://i.imgur.com/y11K1Wa.gif
  


Re: [Full-disclosure] list patch

2013-03-02 Thread Laurelai
On 3/3/2013 2:20 AM, Georgi Guninski wrote:
 On Sat, Mar 02, 2013 at 12:29:10PM -0500, valdis.kletni...@vt.edu wrote:
 On Sat, 02 Mar 2013 18:17:46 +0200, Georgi Guninski said:

 indeed the list headers changed.
 lightly moderated sounds like likely pregnant to me.
 i suggest we move somewhere else. seriously.
 You do realize that what you're *actually* seeing here is the
 list headers being changed to match the way thing have actually
 been for over 3 years now? And apparently you've been OK with it
 for 3 years until somebody pointed it out?

 (Though I suppose we *could* all move to someplace else where a
 certain troll is still allowed to post.  Let me know how that turns out. :)

 if certain troll is n3td3v, IIRC i publicly wrote n3td3v should
 not be banned from the list (probably available in the archives).

 you appear to give up freedom for a bit of sikurity and a
 bit of comfort -- let's see how this sorts out.

 the spam secunia puts in the auto signatures reminds me how
 aleph1 sold bugtraq.

Surely you wouldn't be comparing trolls on an internet mailing list with
the complexities of a nation state and the sum of human rights :)



Re: [Full-disclosure] Full-Disclosure Digest, Vol 89, Issue 11: ] How much time is appropriate for fixing

2012-07-11 Thread Laurelai
On 7/11/2012 8:12 AM, Григорий Братислава wrote:
 On Tue, Jul 10, 2012 at 6:40 PM,  paul.sz...@sydney.edu.au wrote:

 Are you familiar with Georgi's work? Please look at his website before
 proffering opinions.

 Is must be an old man thing. No one is use VAX/VMS is only people like
 parmaster (oh hai Jason Snitker) is use VAX to make is themselves look
 three is one three three seven for IRC monkeys. Oh hai, is look I
 know VAX because is US government is use mind control on me
 (http://www.raven1.net/mcf/v/snitker.htm)

 Guninski is washed up. Like is Japanese debris hit California right
 now. And is you too is washed up. No one is
 use punch card no more. Georgi is no one special lest is only to
 himself in mirror. Now is you talking Dan Kaminski, Dan is God! Only
 when he is not drunk and sappy over is red pill blue pill man.
 (Rutkowska). You is say Dan, I say all the way!

http://www.youtube.com/watch?v=m_mDTLphIVY


Re: [Full-disclosure] Full-Disclosure Digest, Vol 89, Issue 11: ] How much time is appropriate for fixing

2012-07-11 Thread Laurelai
On 7/11/2012 10:56 AM, Григорий Братислава wrote:
 Obligatory question is to must remain politically correct: When I is
 respond to you, am I to address is Wesley or Laurelai? Not only is
 you confused, you is has everyone confused. MusntLive is reserve the
 right to dish out equal opportunity flames and is not want to address
 you as Ms. if you are still a he.


 On Wed, Jul 11, 2012 at 11:48 AM, Laurelai laure...@oneechan.org wrote:

 http://www.youtube.com/watch?v=m_mDTLphIVY

I repeat: http://www.youtube.com/watch?v=m_mDTLphIVY


Re: [Full-disclosure] How much time is appropriate for fixing a bug?

2012-07-06 Thread Laurelai
On 7/6/12 1:48 PM, Thor (Hammer of God) wrote:
 I already covered that -- if they don't fix it, then publish it.
 Also, if a vendor has a venerability to the community, then they
 would obviously fix it.

 There's no responsibility to disclose anything.   FD doesn't exist
 to satisfy some requirement for researchers to publish vulnerability
 -- it exists so that people can market themselves.   The "we must
 disclose this so that people will know and they can protect
 themselves" is simply a justification for the aforementioned. These
 people don't give a fat fuck about the industry or protecting other
 people.   If they did, they would just post "hey, there's a vuln in
 this product, email me and I'll tell you about it."  When no-one
 emails them (because this limited audience doesn't care) they don't
 get their deserved cred and post it.

 Nobody cares, and nobody remembers...  his FD will simply be another
 tit in the peep show.  People like 0DayInit and Litchfield did it the
 SMART way.  They have a client base who have purchased a product to
 protect them from these vulnerabilities.  People who purchase the
 product are protected in the meantime, as the vuln is actually
 addressed in the product.  It actually works in their favor of the
 vendor to take longer as it makes the product more valuable.  


 Vendors want responsible disclosure so they can assign priority to
 plan release cadence.  Disclosures want recognition, or payment, or
 both.   Each will do what is in their own best interest.  But let's
 not pretend it is anything other than what it is.

 t



 From: Peter Dawson slash...@gmail.com mailto:slash...@gmail.com
 Date: Friday, July 6, 2012 10:24 AM
 To: Timothy Mullen t...@hammerofgod.com mailto:t...@hammerofgod.com
 Cc: full-disclosure@lists.grok.org.uk
 mailto:full-disclosure@lists.grok.org.uk
 full-disclosure@lists.grok.org.uk
 mailto:full-disclosure@lists.grok.org.uk
 Subject: Re: [Full-disclosure] How much time is appropriate for fixing
 a bug?

 Thor (Hammer of God) : If and when they fix it is up to them.
  
 so if vendor don't fix it /ack the bug.. then what ??
 Responsibility works both ways.. Advise the vendor.. if they say fuck
 it.. I say fuck u.. and will advise the community !
  
 There is a responsibility to disclose a venerability to the community
 so that they can take down/block /deactivate a service .
  
 .All that is necessary for the triumph of evil is that good men do
 nothing.  -whoever ..fuck it !
  
 /pd

  
 On Fri, Jul 6, 2012 at 12:46 PM, Thor (Hammer of God)
 t...@hammerofgod.com mailto:t...@hammerofgod.com wrote:

 Well, I have to say, at least he's being honest.  If the guy is
 chomping at the bit to release the info so he can get some
 attention, then let him.  That, of course, is what it is all
 about.   He's not releasing the info so that the community can be
 safe by forcing the vendor to fix it.  He's doing it so people
 can see how smart he is and that he found some bug.   So Joro's
 reply of "fuck em" is actually refreshingly honest.

 Regarding how long does it take, it is completely impossible to
 tell.  If someone fixed it in 10 minutes, good for them.  It could
 take someone else 10 months.   Any time I see things like
 Wikipedia advising things like "5 months" I have to lol.  They
 have no freaking idea whatsoever as to the company's dev processes
 and the extent that the fix could impact legacy code or any number
 of other factors.   I would actually have expected code
 bug-finders to have a better clue about these things, but
 apparently they don't.   

 MSFT's process is nuts -- they have SO many dependencies, so many
 different products with shared code, so many legacy products, so
 many vendors with drivers and all manner of other stuff that the
 process is actually quite difficult and time consuming.  Oracle is
 worse -- they have the same but multiplied by x platforms.  Apple
 I think has it the easiest of the big ones, but even OSX is
 massively complex (and completely awesome).

 It is all about intent:  if you want to be recognized publicly for
 some fame or whatever, just FD it because chances are you will
 anyway.   If you really care about the security of the industry,
 then submit it and be done with it.  If and when they fix it is up
 to them.

 t



 From: Gary Baribault g...@baribault.net mailto:g...@baribault.net
 Date: Friday, July 6, 2012 7:59 AM
 To: full-disclosure@lists.grok.org.uk
 mailto:full-disclosure@lists.grok.org.uk
 full-disclosure@lists.grok.org.uk
 mailto:full-disclosure@lists.grok.org.uk
 Subject: Re: [Full-disclosure] How much time is appropriate for
 fixing a bug?

 Hey Georgi,

 Didn't take your happy pill this morning?

 I would say that the answer depends on how the owner/company
 answers you, if you feel that they're stringing you along and 

Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-10 Thread Laurelai
On 6/10/12 6:23 AM, doc mombasa wrote:
 sure you did
 and i ride a popcicle motorcycle from my palace to the beach every day :)

 2012/6/10 Laurelai laure...@oneechan.org mailto:laure...@oneechan.org

 On 6/10/12 6:14 AM, doc mombasa wrote:
 do you by any chance listen to a lot a lot of nirvana and linkin park?

 2012/6/8 Laurelai laure...@oneechan.org mailto:laure...@oneechan.org

 On 6/8/12 2:14 PM, Григорий Братислава wrote:
  On Fri, Jun 8, 2012 at 2:08 PM, Laurelai laure...@oneechan.org
  mailto:laure...@oneechan.org wrote:
 
  rights? You might want to invest in spell checking software by the way.
  Is really show your education is you cannot determine reality of is
  lexicon. Maybe is identification masquerade is hide yes? Perhaps is
  maybe possible is I maybe tick is you off? Neverisless, you sir are is
  troll. Is serious: http://tinyurl.com/laurelaitroll (is literalee troll)

 There you have it folks, the best argument the so called experts could
 come up with as to why we shouldn't do anything about this is name
 calling and half baked attempts at derailing the conversation and more
 spelling errors than a 5th grader's book report.

 I must have hit a nerve or something, makes me wonder if I'm speaking to
 the very people selling the zero day exploits. You wouldn't be having a
 guilty conscience or anything would you all? Worried we might put a stop
 to your gravy train perhaps?

 Now back on topic, those of us who actually have a soul should work
 together to find a good solution.

 Anyone interested feel free to email me.



 I don't listen to either. And sorry to burst your bubble but I did
 serve 10 years in the army.


Next I imagine you will insult my gender identity or something equally
silly. For the record you should capitalize the first word of each
sentence and put a punctuation mark at the end, not doing this just
makes you look uneducated and ensures people do not take you seriously.

Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-10 Thread Laurelai
On 6/9/12 5:10 PM, Mark Shuler wrote:

 Nudging everyone back to the alleged Obama tactics. I'm sure
 everyone has an idea for the big push for cyber warriors in the
 United States.

 By the arguments I'm hearing and milling through some of the other
 infosec posts.  Who do you believe have more capability of cyber
 terror?  NSA?  Private industry?  Hell maybe there is already cyber
 pmc's running without a leash.



Considering what has been revealed to the public I think it is a safe
assumption the private sector and the NSA have cyber terror capability
and likely use it on a regular basis.



Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-10 Thread Laurelai
On 6/10/12 8:22 AM, doc mombasa wrote:
 maybe its because i dont take you seriously
 and who cares what gender you are
 go suck a lemon

I don't want your damn lemons, what am I supposed to do with these?

http://www.youtube.com/watch?v=Dt6iTwVIiMM

Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-10 Thread Laurelai
On 6/10/12 12:52 PM, Thor (Hammer of God) wrote:
 And not capitalizing Army when you claim to have spent 10 years of
 your life in service does precisely the same thing. 

Except I don't like the government.

Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-10 Thread Laurelai
On 6/10/12 11:29 AM, valdis.kletni...@vt.edu wrote:
 On Sun, 10 Jun 2012 08:58:31 +0300, Georgi Guninski said:
 What about legal windows backdoors (NSA key)?
 It was never confirmed whether the infamous NSAKEY was an actual backdoor, or
 just a hilariously poorly named variable.  In any case, even if it was a
 backdoor, it's certainly not the same legal status as CALEA, where Federal
 law said "ISPs Will Provide A Law Enforcement Tap". A lot of universities
 which had just finished positioning themselves as ISPs in order to qualify for
 the 17 USC 512 copyright safe harbor provisions, ended up doing a 180 degree
 turn and said "Not An ISP - Private Network" so they wouldn't have to meet the
 CALEA requirements. (An amazing number of .edu's ended up a 'private net' for
 CALEA purposes, but kept things in place for the safe harbor stuff as well.
 Fortunately, nobody's ever pushed the issue).

 If NSAKEY was a backdoor, it was at best a quasi-legal one, and I'm positive
 that everybody at both Microsoft and the NSA would prefer that their roles in
 the story never came to light.



I am a bit surprised by the direction of this conversation and I have
been waiting for someone to say the obvious in regards to protecting
yourself from .gov malware, it really is quite simple if you think about
it. Stuxnet, Duqu, Flame, etc. all only run on Windows platforms. If
the people you are protecting are concerned about that kind of malware
(and they should be) it would be a great time to tell them about
GNU/Linux, BSD, etc.

Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-10 Thread Laurelai

  
  
On 6/10/12 5:09 PM, Thor (Hammer of God) wrote:

 OK, I'll bite this one time. I assert you are blatantly lying about
 military service. How about tell me your service dates? Surely you
 can't consider that any sort of privacy breach.

 This is an easy way for us to be done with the whole thing. Part of
 your diatribe is based on your "right" to bitch because of your
 military service. I, again, assert that is complete fabrication. As
 someone who actually HAS done work for the government I know (as you
 should) that your military service records are actually public record.
 I don't need your service dates, but it will help. All I need do is fax
 over form SF-180, and they'll verify your service.

 If you really did serve, I'll apologize publicly. If you didn't (or
 don't provide the information) then we'll all know you are just a
 lying nutjob and we can ignore you from now on. Is that fair enough?

 Timothy "Thor" Mullen
 www.hammerofgod.com
 Thor's Microsoft Security Bible



  
  

I went to basic in September of 99 and ETS'ed in May of 08. 6 years
were National Guard, 4 years active duty. I went to basic at Ft.
Jackson, South Carolina; the base has a lot of fire ants and the
weather was a bit unpredictable. My drill sergeants' names were
Drill Sergeant Hunter and Drill Sergeant Wachowski. The unit I ETS'ed
from was HHB 4/5 ADA out of Camp Carroll, South Korea, and right
before I left Korea our CSM was relieved of duty (CSM Larkin) for
sexually harassing junior enlisted soldiers under his command. I
worked in the S-6 shop in a 25B slot for a long time even though I
had been trained as a 14E (Patriot systems operator and
maintainer). I went to Echo school at Ft. Bliss and let me tell you
when I got there I thought the place was just terrible, but there is
nothing like the view of watching the sun set against those desert
mountains, absolutely beautiful. While I was in South Korea I met up
with hubris from Backtrace Security, believe it or not, since he was
in the area at the time (this was before there ever was a
Backtrace Security). He showed me all the fun places to hang out away
from the tourist traps and he has seen me in uniform. So stick that
in

Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-10 Thread Laurelai
On 6/10/12 5:22 PM, Ian Hayes wrote:

 Then why did you work for them? (or so you claim)

 On Jun 10, 2012 2:01 PM, Laurelai laure...@oneechan.org
 mailto:laure...@oneechan.org wrote:

 On 6/10/12 12:52 PM, Thor (Hammer of God) wrote:
 
  And not capitalizing Army when you claim to h...

 Except i don't like the government.

I did, I don't any longer.

Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-10 Thread Laurelai

  
  
On 6/10/12 5:09 PM, Thor (Hammer of God) wrote:

 OK, I'll bite this one time. I assert you are blatantly lying about
 military service. How about tell me your service dates? Surely you
 can't consider that any sort of privacy breach.

 This is an easy way for us to be done with the whole thing. Part of
 your diatribe is based on your "right" to bitch because of your
 military service. I, again, assert that is complete fabrication. As
 someone who actually HAS done work for the government I know (as you
 should) that your military service records are actually public record.
 I don't need your service dates, but it will help. All I need do is fax
 over form SF-180, and they'll verify your service.

 If you really did serve, I'll apologize publicly. If you didn't (or
 don't provide the information) then we'll all know you are just a
 lying nutjob and we can ignore you from now on. Is that fair enough?

 Timothy "Thor" Mullen
 www.hammerofgod.com
 Thor's Microsoft Security Bible

And I hope those antisec kids own the lot of you frauds, really I
ask a simple question on how to avoid state sponsored malware that
runs exclusively on Windows platforms and not a single one of you
said anything about using an alternate OS, some of you insisted in
fact we should just lie down and take it. You aren't security
experts, you are scam artists. Makes me wonder if you are paid to act
this way or if you all really just didn't consider it. Either answer
is pretty chilling.
  


Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-10 Thread Laurelai

  
  
On 6/10/12 5:54 PM, Benji wrote:

 Which antisec kids? Unfortunately due to some people being utterly
 deluded, such as yourself, throwing that word around it's rather
 ambiguous now.

Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-10 Thread Laurelai

On 6/10/12 6:00 PM, Thor (Hammer of God) wrote:

Awesome. I'll send 'er off. "Andrew Wallace," correct?

Timothy "Thor" Mullen
www.hammerofgod.com
Thor's Microsoft Security Bible

From: Laurelai [mailto:laure...@oneechan.org]
Sent: Sunday, June 10, 2012 2:26 PM
To: Thor (Hammer of God)
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

On 6/10/12 5:09 PM, Thor (Hammer of God) wrote:

OK, I'll bite this one time. I assert you are blatantly lying about military service. How about tell me your service dates? Surely you can't consider that any sort of privacy breach.

This is an easy way for us to be done with the whole thing. Part of your diatribe is based on your "right" to bitch because of your military service. I, again, assert that is complete fabrication. As someone who actually HAS done work for the government I know (as you should) that your military service records are actually public record. I don't need your service dates, but it will help. All I need do is fax over form SF-180, and they'll verify your service.

If you really did serve, I'll apologize publicly. If you didn't (or don't provide the information) then we'll all know you are just a lying nutjob and we can ignore you from now on. Is that fair enough?

Timothy "Thor" Mullen
www.hammerofgod.com
Thor's Microsoft Security Bible

From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Laurelai
Sent: Sunday, June 10, 2012 2:00 PM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

On 6/10/12 12:52 PM, Thor (Hammer of God) wrote:

And not capitalizing "Army" when you claim to have spent 10 years of your life in service does precisely the same thing.

On Jun 10, 2012, at 3:31 AM, "Laurelai" laure...@oneechan.org wrote:

I don't listen to either. And sorry to burst your bubble but I did serve 10 years in the army.

Next I imagine you will insult my gender identity or something equally silly. For the record you should capitalize the first word of each sentence and put a punctuation mark at the end; not doing this just makes you look uneducated and ensures people do not take you seriously.

Except I don't like the government.

I went to basic in September of 99 and ETS'ed in May of 08. 6 years were National Guard, 4 years active duty. I went to basic at Ft. Jackson, South Carolina; the base has a lot of fire ants and the weather was a bit unpredictable. My drill sergeants' names were Drill Sergeant Hunter and Drill Sergeant Wachowski. The unit I ETS'ed from was HHB 4/5 ADA out of Camp Carroll, South Korea, and right before I left Korea our CSM was relieved of duty (CSM Larkin) for

Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-10 Thread Laurelai
On 6/10/12 11:10 PM, Thor (Hammer of God) wrote:
 Well no freaking wonder then.  For whatever reason, I keep thinking
 you are Andrew posting under a different name, which always confused
 me.  I know Andrew didn't serve in the Army, which just made me think
 he was losing his mind. (I've actually never had a problem with
 Andrew, though I guess many here have.)

 So yes, my apologies, as I obviously don't know you from Adam.  Now
 everything makes more sense.
 T

 On Jun 10, 2012, at 4:21 PM, Laurelai laure...@oneechan.org wrote:

 On 6/10/12 6:00 PM, Thor (Hammer of God) wrote:

 Awesome.  I'll send 'er off.  "Andrew Wallace," correct?

 Timothy "Thor" Mullen
 www.hammerofgod.com
 Thor's Microsoft Security Bible
 http://www.amazon.com/Thors-Microsoft-Security-Bible-Collection/dp/1597495727

 From: Laurelai [mailto:laure...@oneechan.org]
 Sent: Sunday, June 10, 2012 2:26 PM
 To: Thor (Hammer of God)
 Cc: full-disclosure@lists.grok.org.uk
 Subject: Re: [Full-disclosure] Obama Order Sped Up Wave of
 Cyberattacks Against Iran

 On 6/10/12 5:09 PM, Thor (Hammer of God) wrote:

 OK, I'll bite this one time.  I assert you are blatantly lying about
 military service.  How about tell me your service dates?  Surely you
 can't consider that any sort of privacy breach.

 This is an easy way for us to be done with the whole thing.  Part of
 your diatribe is based on your "right" to bitch because of your
 military service.  I, again, assert that is complete fabrication.
 As someone who actually HAS done work for the government I know (as
 you should) that your military service records are actually public
 record.  I don't need your service dates, but it will help.  All I
 need do is fax over form SF-180, and they'll verify your service.

 If you really did serve, I'll apologize publicly.  If you didn't
 (or don't provide the information) then we'll all know you are just
 a lying nutjob and we can ignore you from now on.  Is that fair enough?

 Timothy "Thor" Mullen
 www.hammerofgod.com
 Thor's Microsoft Security Bible
 http://www.amazon.com/Thors-Microsoft-Security-Bible-Collection/dp/1597495727

 From: full-disclosure-boun...@lists.grok.org.uk
 [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Laurelai
 Sent: Sunday, June 10, 2012 2:00 PM
 To: full-disclosure@lists.grok.org.uk
 Subject: Re: [Full-disclosure] Obama Order Sped Up Wave of
 Cyberattacks Against Iran

 On 6/10/12 12:52 PM, Thor (Hammer of God) wrote:

 And not capitalizing "Army" when you claim to have spent 10 years of
 your life in service does precisely the same thing.

 On Jun 10, 2012, at 3:31 AM, Laurelai laure...@oneechan.org wrote:

 I don't listen to either. And sorry to burst your bubble but
 I did serve 10 years in the army.

 Next I imagine you will insult my gender identity or something
 equally silly. For the record you should capitalize the first
 word of each sentence and put a punctuation mark at the end; not
 doing this just makes you look uneducated and ensures people do
 not take you seriously.

 Except I don't like the government.

 I went to basic in September of 99 and ETS'ed in May of 08. 6 years
 were National Guard, 4 years active duty. I went to basic at Ft.
 Jackson, South Carolina; the base has a lot of fire ants and the
 weather was a bit unpredictable. My drill sergeants' names were
 Drill Sergeant Hunter and Drill Sergeant Wachowski. The unit I ETS'ed
 from was HHB 4/5 ADA out of Camp Carroll, South Korea, and right
 before I left Korea our CSM was relieved of duty (CSM Larkin) for
 sexually harassing junior enlisted soldiers under his command. I
 worked in the S-6 shop in a 25B slot for a long time even though I
 had been trained as a 14E (Patriot systems operator and
 maintainer). I went to Echo school at Ft. Bliss, and let me tell you,
 when I got there I thought the place was just terrible, but there is
 nothing like the view of watching the sun set against those desert
 mountains, absolutely beautiful. While I was in South Korea I met up
 with hubris from Backtrace Security, believe it or not, since he was
 in the area at the time (this was before there ever was a
 Backtrace Security); he showed me all the fun

Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-08 Thread Laurelai

On 6/8/12 1:03 PM, Thor (Hammer of God) wrote:

 finding solutions to countries using cyberwar and using innocent people's machines to carry it out, invading people's privacy and generally doing terrible stuff in the name of god and country.

What solution? And who exactly is going to find it? The entire history of mankind is based on the "terrible stuff" we do in the name of god and country. We, of course, being humans. All we need is one of the two and we've got all the justification we need to go off and kill someone else for having a different god or different country. Note I said "justification" and not "motivation." God and country are just excuses & means to an end. There's always another agenda.

Man does things for two reasons: to get laid, or to get paid. Everything else is just a nice fuzzy wrap to make us feel better about ourselves. Finding some other "solution" is naive and a waste of time. We, and everyone else, will do whatever we want to do, and do whatever it takes to get away with it. It's as simple as that. It's easy and convenient for you to bitch about the injustices from behind a keyboard when men and women are out there DYING for their country and the integrity of what they believe in, irrespective of the basis of the decisions their commanding bodies have for sending them out there. It's called "real life." Grow up and go get that bleeding heart sewn up at some free clinic, paid for by the government that has to do the hard work in order to preserve your right to whine about it.

Timothy "Thor" Mullen
www.hammerofgod.com
Thor's Microsoft Security Bible

From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Laurelai
Sent: Friday, June 08, 2012 9:04 AM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

On 6/8/12 11:38 AM, valdis.kletni...@vt.edu wrote:
 On Thu, 07 Jun 2012 13:48:33 -0400, Ian Hayes said:

  On Thu, Jun 7, 2012 at 1:40 PM, andrew.wallace andrew.wall...@rocketmail.com wrote:

   On Tue, Jun 5, 2012 at 8:43 PM, valdis.kletni...@vt.edu wrote:

    One could equally well read that as "We're fed up and about to
    pound North Korea even further back into the Stone Age".

   With Stuxnet, it was lucky nobody was seriously injured.

   You cannot condone such weapons Valdis, or your hat will start to turn grey,
   black.

  Stuxnet may not have killed anyone, but several Iranian nuclear
  scientists were assassinated in conjunction with Stuxnet's release.

 Please don't feed the troll - the only way he can post to full-disclosure is
 if somebody quotes him in.

 The worst part is that Andrew's reading comprehension is as good as
 always - I wasn't commenting on Stuxnet, but the move of naval forces
 to the Pacific. China isn't the only reason we might want a naval task
 force over there.

 And I never said I condoned it, merely pointed out alternate interpretations.

 The funny thing is that Andrew was going on for a *long* time that there
 is no such thing as cyber-warfare - when in fact it was going on while he
 was denying it.

I think the real question we should all think on is what are we going to do about this kind of thing?

Because the way I see it, the infosec industry is part of this problem until it finds a way to be a part of the solution, if you all even desire this.

If you do then let's talk about finding solutions to countries using cyberwar and using innocent people's machines to carry it out, invading people's privacy and generally doin

Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-08 Thread Laurelai
On 6/8/12 1:41 PM, Григорий Братислава wrote:
 On Fri, Jun 8, 2012 at 1:36 PM, Laurelai laure...@oneechan.org
 mailto:laure...@oneechan.org wrote:

 Excuse me but I'm a veteran who served 10 years in the Army and I
 damn well earned my right to complain about how broken the system
 is. Myself and the soldiers around me sacrificed so that we could
 all have a free country and that yes I could whine about it. It's
 called the US Constitution, we took an oath to uphold and defend
 it and everything it stands for. I didn't sign up to get laid or
 paid, I did it to serve a cause greater than myself, not that you
 would know anything about that. Oh and that Free clinic paid for
 by the government is called the VA Hospital and I already earned
 the care I can receive there. Want to complain about it now? Feel
 free. You have that right. It's called freedom of speech. You are
 welcome.


 Is this time you serve when you was boy? (Wesley Bailey) Or is after
 you is transform. Is valid question. Yes is Wesley have right to
 complain, Wesley in Army, not Laurelai. Laurelai has no right


 -- 

 `Wherever I is go - there am I routed`


Congress shall make no law respecting an establishment of religion, or
prohibiting the free exercise thereof; or abridging the freedom of
speech, or of the press; or the right of the people peaceably to
assemble, and to petition the Government for a redress of grievances.

I know English isn't your first language so if you need help with the
words let me know. I don't see any part there that says trans people
still don't have that right.

Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-08 Thread Laurelai
On 6/8/12 1:48 PM, Ian Hayes wrote:
 On Fri, Jun 8, 2012 at 1:36 PM, Laurelai laure...@oneechan.org
 mailto:laure...@oneechan.org wrote:


 All that is necessary /for evil to triumph/ is for good people to
 do nothing.


 The corollary to that argument is that *good people* must not resort
 to the same tactics as the people they are fighting. To lie down in
 the same mud makes you just as dirty.


And that brings us back to what are we going to do about the US Gov
lying down in the same mud as the bad guys.

Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-08 Thread Laurelai
On 6/8/12 1:51 PM, Григорий Братислава wrote:
 On Fri, Jun 8, 2012 at 1:47 PM, Laurelai laure...@oneechan.org wrote:

 Congress shall make no law respecting an establishment of religion, or
 prohibiting the free exercise thereof; or abridging the freedom of speech,
 or of the press; or the right of the people peaceably to assemble, and to
 petition the Government for a redress of grievances.

 I know English isn't your first language so if you need help with the words
 let me know. I don't see any part there that says trans people still don't
 have that right.
 I am is glad you know lots about my first language maybe too perhaps
 also you perhaps wrong?  Is you see no mention of trans people perhaps
 maybe is because men is have balls back is when constitution written.
 Maybe perhaps yes is you c you can maybe
 perhaps is point us out where it say Adam and heshe or Mahmoud and
 heshe or Menachnem and heshe


Why would I care about the fictional writings of people long dead
(people who may not have even existed) in regards to modern human
rights? You might want to invest in spell checking software by the way.

Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-08 Thread Laurelai
On 6/8/12 2:08 PM, Григорий Братислава wrote:
 On Fri, Jun 8, 2012 at 1:58 PM, Laurelai laure...@oneechan.org wrote:

 And that brings us back to what are we going to do about the US Gov lying
 down in the same mud as the bad guys.
 I is detect narcissism Wesley. what are we is you ask. Define we. Is
 you has gang behind you? (I is not mean for those actions is we call
 in your pronounce huesos). You are is nobody special don't is kidding
 yourself. You are is home living with mama and papa confused manshe
 who is cannot hold down job because of yours is action is let alone
 start any revolution.


I am having a really hard time reading what you are trying to say behind
all of those horrendous spelling and grammar errors.


Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-08 Thread Laurelai
On 6/8/12 2:41 PM, Christian Sciberras wrote:
 Perhaps the US Government would gain better results by mass protests
 and chanting peace songs.

 Or perhaps it just doesn't work this way.

 They shouldn't be blamed, everyone knows fighting fire with fire is
 very effective, just as everyone
 knows the people calling the government names are the same ones with
 small botnets lying about.
 Can't blame them, now that someone else is using their own tools
 against them.





 On Fri, Jun 8, 2012 at 8:20 PM, Laurelai laure...@oneechan.org
 mailto:laure...@oneechan.org wrote:

 On 6/8/12 2:14 PM, Григорий Братислава wrote:
  On Fri, Jun 8, 2012 at 2:08 PM, Laurelai laure...@oneechan.org
 mailto:laure...@oneechan.org wrote:
 
  rights? You might want to invest in spell checking software by
 the way.
  Is really show your education is you cannot determine reality of is
  lexicon. Maybe is identification masquerade is hide yes? Perhaps is
  maybe possible is I maybe tick is you off? Neverisless, you sir
 are is
  troll. Is serious: http://tinyurl.com/laurelaitroll (is literalee
  troll)
 
 
 There you have it folks, the best argument the so called experts could
 come up with as to why we shouldn't do anything about this is name
 calling and half baked attempts at derailing the conversation and more
 spelling errors than a 5th grader's book report.

 I must have hit a nerve or something, makes me wonder if I'm
 speaking to the very people selling the zero day exploits. You wouldn't be
 having a guilty conscience or anything would you all? Worried we might put
 a stop to your gravy train perhaps?

 Now back on topic, those of us who actually have a soul should work
 together to find a good solution.

 Anyone interested feel free to email me.

*adds names to a list of people likely selling zero days*

Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-08 Thread Laurelai
On 6/8/12 2:56 PM, Григорий Братислава wrote:
 On Fri, Jun 8, 2012 at 2:52 PM, Laurelai laure...@oneechan.org wrote:
 *adds names to a list of people likely selling zero days*
 Is not surprise me. Is you need know, national security trumps FBI CIS
 http://www.fbi.gov/news/testimony/improving-our-confidential-human-source-program
 every times. You could not is even touch me with ten foot drag queen
 pole. Is thanks for clarifying your role.

You mean where I publicly called out the people selling zero days to the
US gov?

Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-08 Thread Laurelai
On 6/8/12 3:09 PM, Григорий Братислава wrote:
 On Fri, Jun 8, 2012 at 3:02 PM, Laurelai laure...@oneechan.org wrote:

 You mean where i publicly called out the people selling zero days to the
 US gov?
 No I is meant where you allow is your narcissism is permeate in conversation.

http://www.youtube.com/watch?v=j7jhb8_UPfw


Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-08 Thread Laurelai
On 6/8/12 3:12 PM, Ian Hayes wrote:
 On Fri, Jun 8, 2012 at 2:41 PM, Christian Sciberras uuf6...@gmail.com wrote:
 Perhaps the US Government would gain better results by mass protests and
 chanting peace songs.

 Or perhaps it just doesn't work this way.

 They shouldn't be blamed, everyone knows fighting fire with fire is very
 effective, just as everyone
 knows the people calling the government names are the same ones with small
 botnets lying about.
 Can't blame them, now that someone else is using their own tools against
 them.
 I call upon the ghost of Heinlein: “Anyone who clings to the
 historically untrue—and thoroughly immoral—doctrine that, ‘violence
 never settles anything’ I would advise to conjure the ghosts of
 Napoleon Bonaparte and the Duke of Wellington and let them debate it.
 The ghost of Hitler could referee, and the jury might well be the
 Dodo, the Great Auk and the Passenger Pigeon. Violence, naked force,
 has settled more issues in history than has any other factor, and the
 contrary opinion is wishful thinking at its worst. Breeds that forget
 this basic truth have always paid for it with their lives and
 freedom.”

 There are those out there in power who only know the language of
 brute, naked force. No amount of cajoling, pleading, bargaining nor
 wheedling will sway them. On appeals to their better nature, no
 brilliant displays of logic and intellect. Pretty words uttered by
 politicians fall on deaf ears. But a punch to the nose, a kick to the
 nuts -the universal language of violence- that's something they
 understand intimately. And they respect that. Of course it's always
 preferable to sit down at the negotiating table and barter out a
 peace. What do we do when they knock over the table and make a mess?

 What separates us from them is the fact that we normally don't speak
 the universal language from the get-go. Is it deplorable? Yes. But
 like having to take a crap every now and then, it's necessary. The
 murder of civilians is certainly a terrible crime, but that and the
 release of some malware that breaks centrifuges is certainly better
 than other options.

I don't see how Iran developing nuclear power is a threat. I'm sorry,
to me this just seems like more fear mongering.

And remember the only nation that has ever shown itself *insane* enough
to actually use nuclear weapons on other human beings is the USA and
history showed the use was completely unwarranted. I don't get why we
can have literally enough nuclear weapons to wipe out all life on the
surface of the planet but Iran developing nuclear *power* is somehow a
national security threat.

Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-08 Thread Laurelai
On 6/8/12 3:33 PM, James Condron wrote:
 Aand now we degenerate into a political argument nobody but the poster 
 gives a fuck about.

 Ta for that, maybe take it elsewhere. Let's keep on topic (though we may be 
 several posts behind)

 -Original Message-
 From: Bzzz lazyvi...@gmx.com
 Sender: full-disclosure-boun...@lists.grok.org.uk
 Date: Fri, 8 Jun 2012 20:03:51 
 To: full-disclosure@lists.grok.org.uk
 Subject: Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks
  Against Iran

 On Fri, 08 Jun 2012 13:36:07 -0400
 Laurelai laure...@oneechan.org wrote:

 Excuse me but I'm a veteran who served 10 years in the Army and I
 damn well earned my right to complain about how broken the system
 is. Myself and the soldiers around me sacrificed so that we could
 all have a free country and that yes I could whine about it. It's
 called the US Constitution, we took an oath to uphold and defend
 it and everything it stands for.
 And in 10 years you didn't understand how the system is working,
 that you were following orders from people that won't ever take
 any risk (nor their family & friends), that are themselves receiving
 their orders from big money/business/politics you'll never see on
 tv nor in any newspaper.

 So while I'm saying here that the civil liberties I swore to
 uphold and defend are eroding away and that evil is triumphing
 over the US, you are telling me this is business as usual.
 You are not lucid, your country has _always_ been a rat lab where
 masters tell you that you're free, but dig a (tiny) bit and you'll
 see that's always been a big fat lie (ie: you pay income taxes?
 but the 19th amendment has never been ratified - and your own
 justice is enforcing sanctions if you don't pay, knowing what they
 do is totally illegal...)

 Just because something evil is the established way of things or is
 becoming the established way of things doesn't mean we have to or
 should accept it. Perhaps *you* should stop being so cold and
 jaded about the evils of the world and put some you know *effort*
 into fixing them instead of trying to shout down anyone who tries
 or talks about trying to make the world better.
 I think he's living in a real world and looks at it coldly & without
 any indulgence.

 You are honestly implying that there is absolutely nothing that
 can ever be done ever and we should all just lie down and take it,
 can you understand why I might take issue with that perspective?
 You are saying in essence There is no more room to improve so we
 should never again try.
 Thor missed one thing though: he said people are doing things for 2
 reasons; get laid or get paid, there are 2 more reasons: for fun
 and for ideals; the latest being the most dangerous thing in the
 whole world.

 Jean-Yves
Thank you, let's now discuss how infosec experts are going to deal with
the threat of state sponsored cyberwarfare, and "bend over and take it"
is not really a good answer.

Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-08 Thread Laurelai
On 6/8/12 3:46 PM, Ian Hayes wrote:
 On Fri, Jun 8, 2012 at 3:38 PM, Laurelai laure...@oneechan.org wrote:
 Thank you, let's now discuss how infosec experts are going to deal with
 the threat of state sponsored cyberwarfare, and "bend over and take it"
 is not really a good answer.
 Sure it is, it's just not the answer you want.

 http://www.theonion.com/articles/god-answers-prayers-of-paralyzed-little-boy,475/

So your honest view as an information security expert is to just lie
down and take it?

Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-08 Thread Laurelai
On 6/8/12 3:54 PM, Ian Hayes wrote:
 On Fri, Jun 8, 2012 at 3:49 PM, Laurelai laure...@oneechan.org wrote:
 On 6/8/12 3:46 PM, Ian Hayes wrote:
 On Fri, Jun 8, 2012 at 3:38 PM, Laurelai laure...@oneechan.org wrote:
 Thank you, let's now discuss how infosec experts are going to deal with
 the threat of state sponsored cyberwarfare, and "bend over and take it"
 is not really a good answer.
 Sure it is, it's just not the answer you want.

 http://www.theonion.com/articles/god-answers-prayers-of-paralyzed-little-boy,475/
 So your honest view as an information security expert is to just lie
 down and take it?
 Never said that. I just said that "bend over and take it" is an
 acceptable answer.

And you would be wrong.

Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-08 Thread Laurelai
On 6/8/12 9:56 PM, Jason Hellenthal wrote:
 Shit, I'll give the NSA a shell on any system... if it means achieving a
 greater goal. Whether it's wrong or not... let the bots decide who is the
 better player as long as it brings the US into a primary position of
 power.

 On Wed, Jun 06, 2012 at 11:22:32PM -0400, Laurelai wrote:
 On 6/6/12 2:23 PM, Peter Dawson wrote:
 haha..da return of da farewell dossier !!

 On Wed, Jun 6, 2012 at 2:21 PM, coderman coder...@gmail.com
 mailto:coder...@gmail.com wrote:

 On Wed, Jun 6, 2012 at 11:16 AM, coderman coder...@gmail.com
 mailto:coder...@gmail.com wrote:
  ... uncle sam has been up in yer SCADA for
  two decades.

 three decades; too early for maths!






 Guys can we focus on the fact that the US Government is en masse
 accessing computer systems without due process, and trying to prosecute
 the people who made this known to the public.

Here we have a real life example of someone who is a part of the problem.

Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-07 Thread Laurelai
On 6/7/12 4:44 AM, doc mombasa wrote:
 Why aren't you out on the streets blowing up stuff and taking names?
 Be a role model.

 2012/6/7 Laurelai laure...@oneechan.org mailto:laure...@oneechan.org

 On 6/7/12 12:05 AM, Ian Hayes wrote:
  On Wed, Jun 6, 2012 at 11:49 PM, Laurelai laure...@oneechan.org
 mailto:laure...@oneechan.org wrote:
  -BEGIN PGP SIGNED MESSAGE-
  Hash: SHA1
 
  On 6/6/12 11:44 PM, valdis.kletni...@vt.edu
 mailto:valdis.kletni...@vt.edu wrote:
  On Wed, 06 Jun 2012 23:22:32 -0400, Laurelai said:
 
   Guys can we focus on the fact that the US Government is en masse
   accessing computer systems without due process, and trying to
   prosecute the people who made this known to the public.
   After a decade of unindicted torture of prisoners, renditions, spying
   on our own citizens, and killing of our own citizens, and a long list
   of other stuff, all without due process, you really think anybody
   cares about a little illicit hacking without due process? I'm afraid
   that ship basically sailed when Pelosi said impeachment was off the
   table...
 
   And why aren't people in the streets demanding they all step down?
   Such naivety. It's charming. You have much to learn about American
   apathy.
 
   There were people in the streets. They were marginalized, and made fun
   of, pepper sprayed, called entitled dirty socialists and told to get
   a job. As long as people care more about what happens on American Idol
   and whoever Kim Kardashian is divorcing this week, they're not going
   to care one iota about what the government is doing to some country
   that probably had it coming to them in the first place. You want the
   masses out in the streets with the torches and pitchforks, you're
   going to have to overcome decades of being programmed to not care what
   the government does anymore as long as the TV works, there's beer in
   the fridge, and porn is still freely available.
 
  I know about the apathy, I see it every day. I see it a lot in the
  older generations. It's the younger generations out there getting maced
  and beaten and thrown in jail for standing up for what they think is
  right. It sickens me that the average person doesn't care.



I prefer non-violent solutions.

Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-07 Thread Laurelai
On 6/7/12 1:48 PM, Ian Hayes wrote:
 On Thu, Jun 7, 2012 at 1:40 PM, andrew.wallace
 andrew.wall...@rocketmail.com wrote:
 On Tue, Jun 5, 2012 at 8:43 PM,  valdis.kletni...@vt.edu wrote:
 One could equally well read that as "We're fed up and about to
 pound North Korea even further back into the Stone Age."
 With Stuxnet, it was lucky nobody was seriously injured.

 You cannot condone such weapons, Valdis, or your hat will start to turn grey,
 black.
 Stuxnet may not have killed anyone, but several Iranian nuclear
 scientists were assassinated in conjunction with Stuxnet's release.

Civilian scientists at that.



Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-06 Thread Laurelai
On 6/5/12 2:52 AM, Alexander Georgiev wrote:
 http://en.wikipedia.org/wiki/Argument_from_ignorance

 On 04.06.2012 21:01, Joel Esler wrote:
 So, a quote, from a book?  Isn't that kinda circular?

 Also, there are no quotes from anyone in the room and no one is
 referenced except by association.  Not saying it's not true, but
 there's nothing there that indicates it is. 

 The only people who will know if this is 100% true were in the Oval
 Office at the time, and those people aren't going to be quoted in a
 NYTimes article.  

 http://upload.wikimedia.org/wikipedia/commons/1/18/%22Citation_needed%22.jpg 
  

 -- 
 Joel Esler

 On Monday, June 4, 2012 at 2:52 PM, Jeffrey Walton wrote:

 https://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html

 WASHINGTON --- From his first months in office, President Obama secretly
 ordered increasingly sophisticated attacks on the computer systems
 that run Iran's main nuclear enrichment facilities, significantly
 expanding America's first sustained use of cyberweapons, according to
 participants in the program.

 Mr. Obama decided to accelerate the attacks --- begun in the Bush
 administration and code-named Olympic Games --- even after an element of
 the program accidentally became public in the summer of 2010 because
 of a programming error that allowed it to escape Iran's Natanz plant
 and sent it around the world on the Internet. Computer security
 experts who began studying the worm, which had been developed by the
 United States and Israel, gave it a name: Stuxnet.

 At a tense meeting in the White House Situation Room within days of
 the worm's escape, Mr. Obama, Vice President Joseph R. Biden Jr. and
 the director of the Central Intelligence Agency at the time, Leon E.
 Panetta, considered whether America's most ambitious attempt to slow
 the progress of Iran's nuclear efforts had been fatally compromised.
 ...






Is anyone else the least bit concerned that Stuxnet was carried out by
the US Government? I mean, let's look at this: the US Government committed
an act they themselves would consider cyber terrorism, infecting
millions of civilian machines. While they say it got out of control,
and let's just go with that for simplicity, once it got out of control
wouldn't the right thing have been to shut it down instead of trying to
evade detection and continuing the project? How many antivirus vendors
were kept from doing their jobs during this? And how many were actively
cooperating? I know for a fact HBGary was working with the NSA in
regards to Stuxnet. Was it really worth it to compromise the security
and privacy of millions of innocent people just to shut down some power
plants?

Oh, and let's not forget the assassination of civilian scientists.

People seem to think that since the US Gov did it that makes it OK; well,
I do not think it does. Especially when they throw kids with small
botnets in jail for being mad at the system because it's crooked.

I mean, that has to be the largest cyberattack of all time. This makes
the shit the LulzSec people carried out look mild in comparison, and
those guys are facing a decade in jail and the person who wrote Stuxnet
probably got a medal and a fat check.

Oh, and a message to the feds who I'm sure watch this list:

http://pwnies.com/winners/

You guys might want to go claim that award and present it to Obama; he
did earn it after all ;) (and he beat LulzSec for the award)

I mean, this mailing list is about threats to information security, so
let's call a spade a spade.

Right now the biggest threat to cyber-security is the US Government; it
has proven it can silently infect machines with worms powered by zero-day
exploits and stolen driver certificates. (They were able to
acquire them twice at least with no issue; my bet is they just asked for
them.)

And another thing: I somehow doubt the New York Times would publish
unless they have reliable sources.

Combined with this
http://online.wsj.com/article/SB10001424052702303506404577448563517340188.html?utm_source=twitterfeedutm_medium=twitter

it pretty much tells me the article was spot on.

Can we now discuss the fact that the US Gov committed an act of cyber war
against its own people, the people of other sovereign nations and *itself*?


Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-06 Thread Laurelai
On 6/6/12 11:50 AM, Charles Morris wrote:
 I know for a fact HBGary was working with the NSA in regards to Stuxnet.
 I've never been all that good at spelling... but am I wrong that
 HBGary is an anagram for "posturing charlatan"?
 Alternatively: if this is true then we are even worse off than I thought.
It was in the leaked HBGary emails, communications with the NSA
regarding Stuxnet. Why am I the only one who remembers this?



Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-06 Thread Laurelai
On 6/6/12 12:18 PM, Charles Morris wrote:
 On Wed, Jun 6, 2012 at 12:13 PM, Laurelai laure...@oneechan.org wrote:
 On 6/6/12 11:50 AM, Charles Morris wrote:
 I know for a fact HBGary was working with the NSA in regards to Stuxnet.
 I've never been all that good at spelling... but am I wrong that
 HBGary is an anagram for "posturing charlatan"?
 Alternatively: if this is true then we are even worse off than I thought.
 It was in the leaked HBGary emails, communications with the NSA
 regarding Stuxnet. Why am I the only one who remembers this?
 I don't agree, disagree, or comment in any other way than my surprise,
 as I want to have respect for the NSA-
 but I suppose there are bad decisions made in any organization.
The fact that it quickly escaped out of control should tell you something.



Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-06 Thread Laurelai

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 6/6/12 6:08 PM, valdis.kletni...@vt.edu wrote:
 On Wed, 06 Jun 2012 10:41:24 -0400, Laurelai said:

 People seem to think that since the US Gov did it that makes it ok, well
 I do not think it does. Especially when they throw kids with small
 botnets in jail for being mad at the system cause its crooked.

 You're a little bit confused here. It doesn't matter what people think. It
 matters what the people with more rifles, mortars, tanks, and ammo than you
 think.

 Unless you come up with a way to level the playing field.

So you admit we live in a police state?
-BEGIN PGP SIGNATURE-
Version: GnuPG/MacGPG2 v2.0.18 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJPz/W/AAoJEGVm7Hz5JilhGo8H/2dzANgDUGY17dUW7OL+rPKZ
+FWyUudW739recN/Fsvb6XASVSjsDS/lMXsP2yvmFZKhkGRYNJmn4JzBmwgRZdsJ
WhaLSAGCX1EP4DiTApsjLWR6MxjpQC9zIK/FT+entCGPsS6/VSeOM778C3JibVnd
/zf3J2N0QWR8RxCqoJZ4enYQ7RLVCLm2O720hNRBBFoadM8+OzW31QISGWAsat1l
QX3BaCBQfEkGztqZ0+8j90Xz/4Ok+eYVxWE4z/fUCC7eHvY6RG+s3DfYq+Ql0LrU
Yku0amyzlB0cowaQUhGrusjBEt5sPWrIOirUPbqosBD6PpQMtwPJf/dKQsPsWvs=
=HWmA
-END PGP SIGNATURE-



Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-06 Thread Laurelai
On 6/6/12 6:19 PM, Andrew D Kirch wrote:
 On 6/6/2012 6:08 PM, valdis.kletni...@vt.edu wrote:
 You're a little bit confused here.  It doesn't matter what people think. It
 matters what the people with more rifles, mortars, tanks, and ammo than you
 think.

 Unless you come up with a way to level the playing field.
 I think you just identified it.  buy rifles (I have, there's a Colt M4 
 Law Enforcement Carbine sitting next to me), but mortars (a bit 
 difficult but not impossible to get) buy tanks (quite easy to get if you 
 know where to look), and buy ammo.  DEMAND that federal firearms laws be 
 revised, and specifically repeals of 18 USC 921-922.  Yet again I point 
 out your VT.edu e-mail and your refusal to listen to Jefferson's 
 warnings.  The man wrote your state constitution.  He wasn't kidding 
 when he did it.

 Andrew

I never thought I'd be agreeing with Andrew, but in this case he is
right; that's what the Second Amendment was written for.

However, my idea is quite a bit less violent.


Stop selling these people 0-days.

Just stop.

I mean, everyone here talks about how much of a threat cybercriminals are,
and yet some of the people who I'm sure are on this list are selling
exploits to governments, and they do quite a bit more harm than these
kids do.

They have turned the US Gov into the largest script kiddie clan on the net.

Until people inside the industry stop doing that I really don't think
there is any point *in* the infosec field, because at this point you all
are not even trying anymore.




Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-06 Thread Laurelai
On 6/6/12 9:20 PM, valdis.kletni...@vt.edu wrote:
 On Wed, 06 Jun 2012 18:19:21 -0400, Andrew D Kirch said:
 I think you just identified it.  buy rifles (I have, there's a Colt M4
 Law Enforcement Carbine sitting next to me), but mortars (a bit
 difficult but not impossible to get) buy tanks (quite easy to get if you
 know where to look), and buy ammo.  DEMAND that federal firearms laws be
 revised, and specifically repeals of 18 USC 921-922.  Yet again I point
 out your VT.edu e-mail and your refusal to listen to Jefferson's
 warnings.
 What's this *my* refusal to listen? I suspect you know less of my politics
 than you think you do. ;)

 Incidentally, asymmetric warfare does a great job of leveling the field. ;)


So let's have a serious talk about countering what is clearly the
greatest threat to cyber security around right now.

Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-06 Thread Laurelai
On 6/6/12 2:16 PM, coderman wrote:
 On Wed, Jun 6, 2012 at 7:41 AM, Laurelai laure...@oneechan.org wrote:
 ...
 Is anyone else the least bit concerned that stuxnet was carried out by the
 US Government?
 remember the siberian pipeline? uncle sam has been up in yer SCADA for
 two decades.

 if this is a surprise, you aren't paying attention.

 and if you're only concerned _now_, you aren't paying attention.


 http://en.wikipedia.org/wiki/Siberian_pipeline_sabotage
Oh, I've been concerned before; it just looks like people as a whole don't
even care.



Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-06 Thread Laurelai
On 6/6/12 2:23 PM, Peter Dawson wrote:
 haha..da return of da farewell dossier!!

 On Wed, Jun 6, 2012 at 2:21 PM, coderman coder...@gmail.com wrote:

 On Wed, Jun 6, 2012 at 11:16 AM, coderman coder...@gmail.com wrote:
  ... uncle sam has been up in yer SCADA for
  two decades.

 three decades; too early for maths!






Guys, can we focus on the fact that the US Government is en masse
accessing computer systems without due process, and trying to prosecute
the people who made this known to the public?

Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-06 Thread Laurelai

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 6/6/12 11:44 PM, valdis.kletni...@vt.edu wrote:
 On Wed, 06 Jun 2012 23:22:32 -0400, Laurelai said:

 Guys, can we focus on the fact that the US Government is en masse
 accessing computer systems without due process, and trying to prosecute
 the people who made this known to the public?

 After a decade of unindicted torture of prisoners, renditions, spying
 on our own citizens, and killing of our own citizens, and a long list
 of other stuff, all without due process, you really think anybody cares
 about a little illicit hacking without due process? I'm afraid that ship
 basically sailed when Pelosi said impeachment was off the table...

And why aren't people in the streets demanding they all step down?
-BEGIN PGP SIGNATURE-
Version: GnuPG/MacGPG2 v2.0.18 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJP0CTcAAoJEGVm7Hz5JilhZYEH/1FOBXMs3nT9b4Ci1NQlIw/9
Sp33ub3yBzNZLAYl2p/x3qkvreifNrKQsmxZjUbqYnnh6cnDYtUaHcUFwwJ2FO23
PyO7cBUqruOj6p3+lHOc6wQT9Cd5X1aEklNHm/6Wv0JfoZeHXLSdDcImrVT3Xoys
J2eSWGGag2m8rMe9zhk3mNS4aNVlKw4tl3lIJMFbXjcAFQaG7xRhjzuICyDTaBJQ
qAo/zNruTD7xavLPpeyw0IZk0ZFMdr95Z+XPWORQ/0SxEwS+nNCWo6xSL2UMIbVa
fUB3pMPkvxt8x8XGTgqzznd+/xlADBuZ3rr8HbRq8oO6V1gs70cIUTjsReiy0Z4=
=WyEw
-END PGP SIGNATURE-



Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-06 Thread Laurelai
On 6/7/12 12:05 AM, Ian Hayes wrote:
 On Wed, Jun 6, 2012 at 11:49 PM, Laurelai laure...@oneechan.org wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 On 6/6/12 11:44 PM, valdis.kletni...@vt.edu wrote:
 On Wed, 06 Jun 2012 23:22:32 -0400, Laurelai said:

 Guys, can we focus on the fact that the US Government is en masse
 accessing computer systems without due process, and trying to prosecute
 the people who made this known to the public?
 After a decade of unindicted torture of prisoners, renditions, spying
 on our own citizens, and killing of our own citizens, and a long list
 of other stuff, all without due process, you really think anybody cares
 about a little illicit hacking without due process? I'm afraid that ship
 basically sailed when Pelosi said impeachment was off the table...

 And why aren't people in the streets demanding they all step down?
 Such naivety. It's charming. You have much to learn about American apathy.

 There were people in the streets. They were marginalized, and made fun
 of, pepper sprayed, called entitled dirty socialists and told to get
 a job. As long as people care more about what happens on American Idol
 and whoever Kim Kardashian is divorcing this week, they're not going
 to care one iota about what the government is doing to some country
 that probably had it coming to them in the first place. You want the
 masses out in the streets with the torches and pitchforks, you're
 going to have to overcome decades of being programmed to not care what
 the government does anymore as long as the TV works, there's beer in
 the fridge, and porn is still freely available.

I know about the apathy, I see it every day. I see it a lot in the older
generations. It's the younger generations out there getting maced and
beaten and thrown in jail for standing up for what they think is right.
It sickens me that the average person doesn't care.



Re: [Full-disclosure] cDc Created Hong Kong Blondes and 'Hacktivism' as a Media Hack

2012-05-04 Thread Laurelai
On 5/3/12 2:24 PM, Wei Honker wrote:
 cDc Created Hong Kong Blondes and 'Hacktivism' as a Media Hack

 http://weihonker.tumblr.com/

 Anonymous is a Lie

 Anonymous is a lie. Anonymous is built on a false foundation that
 casts a pale shadow over anything and everything they attempt to
 accomplish. While born out of the trolls and lulz of the /b/ board on
 4chan, Anonymous has quickly become an online activist movement. The
 group has targeted everything from oppressive regimes in the Middle
 East, to opposition about Internet censorship. They have been
 launching DDoS attacks from the comfort of their basements while
 people in the street are literally gunned down and then they have the
 audacity to claim victory for themselves because they managed to take
 a website offline for a few hours. These actions, these minor
 irritations, have given Anonymous the audacity to call themselves
 hacktivists, a term that is itself a lie. By using the term hacktivist
 or hacktivism Anonymous is helping to perpetuate one of the biggest
 media hacks of all time and they don’t even know it.

 Pulling pranks on the media has a long history with the computer
 underground. One of the best examples is the entire movie “Hackers”
 which is so full of inside jokes they cease to be funny. Although when
 you examine the list of technical consultants the lack of humor makes
 sense. Hackers, the movie, is such a huge media hack the plot is used
 not once, but twice. The second time with Serena Altschul and the “True
 Life” show on MTV. The show supposedly illustrates a so called
 ‘hacker’ who convinces Serena to follow him around while he attempts
 to retrieve a disk before the feds do, which is exactly the same plot
 used in the movie “Hackers”. Even after Serena and MTV were told they
 were being trolled they chose to air the footage anyway.

 I don’t know who from the computer underground was the first to
 execute a media hack but some of the best have come from the Cult of
 the Dead Cow. To give you an idea of just how prolific and proficient
 the cDc is at hacking the media consider that their slogan is ‘World
 Domination through Media Saturation’. This is nowhere more apparent
 than the spectacle that was the BO2K release during Defcon in 1999. No
 software launch in recorded history; including those done by the media
 savvy Apple Inc., could touch this. Everything from smashing guitars
 to furry assless chaps to bad rap music with all the cDc members
 prancing around on stage as if it was the second coming. All that
 spectacle for nothing more than a remote access tool, something with
 almost the exact same feature set as PC Anywhere except that it runs
 on a different port number. Even Microsoft themselves said that BO2K
 wasn’t a threat but the press ate it up anyway and cDc proved again
 that they were in fact master media manipulators.

 Hacktivism is another brainchild of cDc designed to fool and trick the
 media and all who choose to be associated with the term. The creation
 of the term is supposedly well documented as being first used by cDc
 member Omega in an IRC chat room in 1996. But close examination of the
 hacktivism Wikipedia page and that page’s history shows a second
 possible source for the term, that of techno-culture writer Jason Sack
 in a piece about media artist Shu Lea Cheang, published in InfoNation
 in 1995 which pre-dates cDc’s claim to the term. This co-option of the
 term itself is part of cDc’s plan to execute the biggest media hack of
 all time encompassing all of ‘hacktivism’.

 But co-opting the term itself is not enough. cDc felt they needed
 something to take advantage of the term and to plunge it fully into
 the media spotlight. They came up with a fictitious international
 hacking group, a group who would only attack corporations that did not
 support human rights, and so the Hong Kong Blondes were born.

 Reading the initial interview between the supposed Hong Kong Blondes
 leader ‘Blondie Wong’ and the cDc member ‘Oxblood Ruffin’ in cDc #356
 now, fourteen years later, makes the entire ruse plainly obvious. Arik
 Hesseldahl, who ran the initial story in Wired based solely on this
 interview, with absolutely no corroborating evidence in the first
 place, has since privately expressed his doubts about the story. By
 publishing this article he unwittingly became the first rube in a long
 line of media rubes that the cDc played with ever increasing
 dexterity. Hesseldahl has most likely not publicly expanded on his
 misgivings over the story as it would draw attention to his original
 reservations and expose the fact that he failed to verify even one
 fact in the article.

 The first thing that jumps out at me from the initial interview is
 that it was conducted by cDc member Oxblood Ruffin and published
 directly by him. No one else was present and no one else spoke to
 Blondie Wong and so no one can confirm the interview ever took place.
 Which brings me to the second red flag, the use 

Re: [Full-disclosure] cDc Created Hong Kong Blondes and 'Hacktivism' as a Media Hack

2012-05-04 Thread Laurelai
On 5/4/12 3:44 AM, PsychoBilly wrote:
 [[ Laurelai ]] @ [[ 04/05/2012 10:30 ]]--

 tl;dr
 ❤ Should have ❤

From what I could tell it was yet another long-winded rant about what's
wrong with Anonymous.

The thing is, I doubt many anons subscribe to FD, so who is this supposed
to reach? Go to voxanon and tell them yourself :p


Re: [Full-disclosure] Vulnerability in Gentoo hardened

2012-04-25 Thread Laurelai
On 4/25/12 3:56 AM, Georgi Guninski wrote:
 On Tue, Apr 24, 2012 at 12:15:26PM -0400, valdis.kletni...@vt.edu wrote:
 On Tue, 24 Apr 2012 17:36:55 +0200, Milan Berger said:
 if you read his advisories and 0-days you know: It's not a joke...
 I always thought it was misunderstood performance art...


 this one appears to be true:
 http://seclists.org/fulldisclosure/2011/Jul/312
 Full disclosure is arrest of Sabu
 (check the date)

Nope, I'm still here :p



Re: [Full-disclosure] Vulnerability in Gentoo hardened

2012-04-25 Thread Laurelai
On 4/25/12 3:56 AM, Georgi Guninski wrote:
 On Tue, Apr 24, 2012 at 12:15:26PM -0400, valdis.kletni...@vt.edu wrote:
 On Tue, 24 Apr 2012 17:36:55 +0200, Milan Berger said:
 if you read his advisories and 0-days you know: It's not a joke...
 I always thought it was misunderstood performance art...


 this one appears to be true:
 http://seclists.org/fulldisclosure/2011/Jul/312
 Full disclosure is arrest of Sabu
 (check the date)

And that's when Sabu was MIA from Twitter, and everyone knew about that;
nobody really knew why though.



Re: [Full-disclosure] Vulnerability in Gentoo hardened

2012-04-25 Thread Laurelai
On 4/25/12 4:48 AM, Benji wrote:
 except it was rather obvious why.

 On Wed, Apr 25, 2012 at 10:27 AM, Laurelai laure...@oneechan.org wrote:
 On 4/25/12 3:56 AM, Georgi Guninski wrote:
 On Tue, Apr 24, 2012 at 12:15:26PM -0400, valdis.kletni...@vt.edu wrote:
 On Tue, 24 Apr 2012 17:36:55 +0200, Milan Berger said:
 if you read his advisories and 0-days you know: It's not a joke...
 I always thought it was misunderstood performance art...

 this one appears to be true:
 http://seclists.org/fulldisclosure/2011/Jul/312
 Full disclosure is arrest of Sabu
 (check the date)

 And that's when Sabu was MIA from Twitter, and everyone knew about that;
 nobody really knew why though.

In hindsight yes.



Re: [Full-disclosure] Vulnerability in Gentoo hardened

2012-04-25 Thread Laurelai
On 4/25/12 4:54 AM, Benji wrote:
 No, with open eyes sight. If you chose not to believe the obvious at
 the time, that is your own mistake and proof that you (general you,
 not you specifically) were more interested in being part of the crowd
 than thinking.


 On Wed, Apr 25, 2012 at 10:52 AM, Laurelai laure...@oneechan.org wrote:
 On 4/25/12 4:48 AM, Benji wrote:
 except it was rather obvious why.

 On Wed, Apr 25, 2012 at 10:27 AM, Laurelai laure...@oneechan.org wrote:
 On 4/25/12 3:56 AM, Georgi Guninski wrote:
 On Tue, Apr 24, 2012 at 12:15:26PM -0400, valdis.kletni...@vt.edu wrote:
 On Tue, 24 Apr 2012 17:36:55 +0200, Milan Berger said:
 if you read his advisories and 0-days you know: It's not a joke...
 I always thought it was misunderstood performance art...

 this one appears to be true:
 http://seclists.org/fulldisclosure/2011/Jul/312
 Full disclosure is arrest of Sabu
 (check the date)

 And that's when Sabu was MIA from Twitter, and everyone knew about that;
 nobody really knew why though.

 In hindsight yes.
There are any number of reasons why someone, even Sabu, could have 
stopped tweeting then started back up again. It just turned out that 
this was the case this time.



Re: [Full-disclosure] Vulnerability in Gentoo hardened

2012-04-25 Thread Laurelai
On 4/25/12 4:59 AM, Benji wrote:
 And choosing to believe any of the other reasons when you think you're
 an '1337 hacker' and are involved in that world, is a personality
 problem, end of.

 On Wed, Apr 25, 2012 at 10:58 AM, Laurelai laure...@oneechan.org wrote:
 On 4/25/12 4:54 AM, Benji wrote:
 No, with open eyes sight. If you chose not to believe the obvious at
 the time, that is your own mistake and proof that you (general you,
 not you specifically) were more interested in being part of the crowd
 than thinking.


 On Wed, Apr 25, 2012 at 10:52 AM, Laurelai laure...@oneechan.org wrote:
 On 4/25/12 4:48 AM, Benji wrote:
 except it was rather obvious why.

 On Wed, Apr 25, 2012 at 10:27 AM, Laurelai laure...@oneechan.org wrote:
 On 4/25/12 3:56 AM, Georgi Guninski wrote:
 On Tue, Apr 24, 2012 at 12:15:26PM -0400, valdis.kletni...@vt.edu
 wrote:
 On Tue, 24 Apr 2012 17:36:55 +0200, Milan Berger said:
 if you read his advisories and 0-days you know: It's not a
 joke...
 I always thought it was misunderstood performance art...

 this one appears to be true:
 http://seclists.org/fulldisclosure/2011/Jul/312
 Full disclosure is arrest of Sabu
 (check the date)

 And that's when Sabu was MIA from Twitter and everyone knew about that;
 nobody really knew why though.

 In hindsight yes.
 There are any number of reasons why someone, even Sabu, could have stopped
 tweeting then started back up again. It just turned out that this was the
 case this time.
I prefer not making assumptions about things I don't have any information 
on. Sorry you consider that a personality problem :p



Re: [Full-disclosure] Vulnerability in Gentoo hardened

2012-04-25 Thread Laurelai
On 4/25/12 5:08 AM, Benji wrote:
 You should be paranoid if someone could construe what you're doing as illegal.

 On Wed, Apr 25, 2012 at 11:07 AM, Laurelai laure...@oneechan.org wrote:
 On 4/25/12 4:59 AM, Benji wrote:
 And choosing to believe any of the other reasons when you think you're
 an '1337 hacker' and are involved in that world, is a personality
 problem, end of.

 On Wed, Apr 25, 2012 at 10:58 AM, Laurelai laure...@oneechan.org wrote:
 On 4/25/12 4:54 AM, Benji wrote:
 No, with open eyes sight. If you chose not to believe the obvious at
 the time, that is your own mistake and proof that you (general you,
 not you specifically) were more interested in being part of the crowd
 than thinking.


 On Wed, Apr 25, 2012 at 10:52 AM, Laurelai laure...@oneechan.org wrote:
 On 4/25/12 4:48 AM, Benji wrote:
 except it was rather obvious why.

 On Wed, Apr 25, 2012 at 10:27 AM, Laurelai laure...@oneechan.org wrote:
 On 4/25/12 3:56 AM, Georgi Guninski wrote:
 On Tue, Apr 24, 2012 at 12:15:26PM -0400, valdis.kletni...@vt.edu
 wrote:
 On Tue, 24 Apr 2012 17:36:55 +0200, Milan Berger said:
 if you read his advisories and 0-days you know: It's not a
 joke...
 I always thought it was misunderstood performance art...

 this one appears to be true:
 http://seclists.org/fulldisclosure/2011/Jul/312
 Full disclosure is arrest of Sabu
 (check the date)

 And that's when Sabu was MIA from Twitter and everyone knew about
 that; nobody really knew why though.

 In hindsight yes.
 There are any number of reasons why someone, even Sabu, could have stopped
 tweeting then started back up again. It just turned out that this was the
 case this time.
 I prefer not making assumptions about things I don't have any information on.
 Sorry you consider that a personality problem :p
Well, it's a good thing I don't do illegal shit, probably why I'm not 
paranoid all the time.



Re: [Full-disclosure] phpMyBible 0.5.1 Multiple XSS

2012-04-22 Thread Laurelai
On 4/22/12 10:56 PM, BMF wrote:
 Ezekiel 23:20

 On Sun, Apr 22, 2012 at 12:59 PM, Thor (Hammer of God)
 t...@hammerofgod.com  wrote:
 You dropped a FD on the BIBLE??  Dude, you're going straight to Hacker Hell! 
  :)



 Timothy Thor  Mullen
 www.hammerofgod.com
 Thor's Microsoft Security Bible



 -Original Message-
 From: full-disclosure-boun...@lists.grok.org.uk 
 [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Thomas 
 Richards
 Sent: Sunday, April 22, 2012 8:09 AM
 To: full-disclosure@lists.grok.org.uk
 Subject: [Full-disclosure] phpMyBible 0.5.1 Multiple XSS

 # Exploit Title: phpMyBible 0.5.1 Multiple XSS
 # Date: 04/15/12
 # Author: G13
 # Twitter: @g13net
 # Software: http://sourceforge.net/projects/phpmybible/?source=directory
 # Version: 0.5.1
 # Category: webapps (php)
 #

 # Description #

 phpMyBible is an online collaborative project to make an e-book of the Holy 
 Bible in as various language as possible. phpMyBible is designed to be 
 flexible to all readers while maintaining the authenticity and originality 
 of the Holy Bible scripture.

 # Vulnerability #

 phpMyBible has multiple XSS vulnerabilities.

 When reading a section of the Bible; both the 'version' and 'chapter'
 variables are prone to reflective XSS.

 # Exploit #

 http://localhost/index.php?book=1&version=[XSS]&chapter=[XSS]

 # Vendor Notification #

 04/15/12 - Vendor Notified
 04/22/12 - No response, disclos

It's Ezekiel 25:17.

http://www.youtube.com/watch?v=UmvnXKRfdb8



Re: [Full-disclosure] phpMyBible 0.5.1 Multiple XSS

2012-04-22 Thread Laurelai
On 4/23/12 12:20 AM, BMF wrote:
 On Sun, Apr 22, 2012 at 9:32 PM, Laurelai laure...@oneechan.org wrote:
 On 4/22/12 10:56 PM, BMF wrote:
 Ezekiel 23:20

 It's Ezekiel 25:17.
 It sounded cool when he said it in the movie but I've never found any
 Bible that actually goes anything like what he said. Besides, I'm into
 donkey dicks and horse jizz so 23:20 is the verse for me.

 BMF
Cool story bro.



Re: [Full-disclosure] The Mystery of the Duqu Framework

2012-03-10 Thread Laurelai
On 3/10/2012 4:13 AM, Sanguinarious Rose wrote:
 Yeah, I have been thinking on ideas for that as well; I see no one has
 thought outside the box yet.

 I would look into OO'ed C (www.planetpdf.com/codecuts/pdfs/ooc.pdf) as
 being a possibility. Long before, in the time when the mighty C++ was
 young, it was translated to C code for compilation. I have not had the
 time to dig into it yet to see how you could code it in OO C style
 code. You can implement much of the functionality of the OO parts of
 C++, including virtual functions and other things.

 Well, these are my thoughts on it. More speculation at the moment but
 might be of use to someone.

 On Fri, Mar 9, 2012 at 11:51 AM,  f...@deserted.net wrote:
 http://www.securelist.com/en/blog/667/The_Mystery_of_the_Duqu_Framework

 Haven't seen this (or much discussion around this) here yet, so I figured
 I'd share.

 --
 -Joe.

https://twitter.com/#!/nenolod/status/178352865667067904

not told [ ]
told [x ]


Put the crack pipe down.



Re: [Full-disclosure] The Mystery of the Duqu Framework

2012-03-10 Thread Laurelai
On 3/10/2012 4:31 AM, Sanguinarious Rose wrote:
 Not really, it looks like speculation, same as I just admitted my idea
 was. There is no proof as of yet besides just a single tweet
 suggesting an idea much in the same way mine just was. Unless someone does
 the proper research into it, it is just that, 140 chars of speculation.

 Told [x]
 Not Told [ ]

 umad?

 On Sat, Mar 10, 2012 at 3:23 AM, Laurelai laure...@oneechan.org wrote:
 On 3/10/2012 4:13 AM, Sanguinarious Rose wrote:
 Yeah, I have been thinking on ideas for that as well; I see no one has
 thought outside the box yet.

 I would look into OO'ed C (www.planetpdf.com/codecuts/pdfs/ooc.pdf) as
 being a possibility. Long before, in the time when the mighty C++ was
 young, it was translated to C code for compilation. I have not had the
 time to dig into it yet to see how you could code it in OO C style
 code. You can implement much of the functionality of the OO parts of
 C++, including virtual functions and other things.

 Well, these are my thoughts on it. More speculation at the moment but
 might be of use to someone.

 On Fri, Mar 9, 2012 at 11:51 AM,  f...@deserted.net wrote:
 http://www.securelist.com/en/blog/667/The_Mystery_of_the_Duqu_Framework

 Haven't seen this (or much discussion around this) here yet, so I figured
 I'd share.

 --
 -Joe.

 https://twitter.com/#!/nenolod/status/178352865667067904

 not told [ ]
 told [x ]


 Put the crack pipe down.

My post was William's response to Kaspersky; it wasn't directed to you. Do
try and keep up.

Re: [Full-disclosure] The Mystery of the Duqu Framework

2012-03-10 Thread Laurelai
On 3/10/2012 4:36 AM, Sanguinarious Rose wrote:
 Trying to cover up you being told, that's cute <3

 On Sat, Mar 10, 2012 at 3:34 AM, Laurelai laure...@oneechan.org wrote:
 On 3/10/2012 4:31 AM, Sanguinarious Rose wrote:

 Not really, it looks like speculation, same as I just admitted my idea
 was. There is no proof as of yet besides just a single tweet
 suggesting an idea much in the same way mine just was. Unless someone does
 the proper research into it, it is just that, 140 chars of speculation.

 Told [x]
 Not Told [ ]

 umad?

 On Sat, Mar 10, 2012 at 3:23 AM, Laurelai laure...@oneechan.org wrote:

 On 3/10/2012 4:13 AM, Sanguinarious Rose wrote:

 Yeah, I have been thinking on ideas for that as well; I see no one has
 thought outside the box yet.

 I would look into OO'ed C (www.planetpdf.com/codecuts/pdfs/ooc.pdf) as
 being a possibility. Long before, in the time when the mighty C++ was
 young, it was translated to C code for compilation. I have not had the
 time to dig into it yet to see how you could code it in OO C style
 code. You can implement much of the functionality of the OO parts of
 C++, including virtual functions and other things.

 Well, these are my thoughts on it. More speculation at the moment but
 might be of use to someone.

 On Fri, Mar 9, 2012 at 11:51 AM,  f...@deserted.net wrote:

 http://www.securelist.com/en/blog/667/The_Mystery_of_the_Duqu_Framework

 Haven't seen this (or much discussion around this) here yet, so I figured
 I'd share.

 --
 -Joe.


 https://twitter.com/#!/nenolod/status/178352865667067904

 not told [ ]
 told [x ]


 Put the crack pipe down.


 My post was William's response to Kaspersky; it wasn't directed to you. Do try
 and keep up.

Did you even read the tweet?



Re: [Full-disclosure] The Mystery of the Duqu Framework

2012-03-10 Thread Laurelai
On 3/10/2012 9:00 AM, 夜神 岩男 wrote:
 On 03/10/2012 03:51 AM, f...@deserted.net wrote:
 http://www.securelist.com/en/blog/667/The_Mystery_of_the_Duqu_Framework

 Haven't seen this (or much discussion around this) here yet, so I
 figured I'd share.
  From the description, it looks like someone pushed some code from a 
 Lisp[1] variant (like Common Lisp, which is preprocessed into ANSI C by 
 GCL, for example, before compilation) into a C++ DLL. Normal in the 
 deeper end of Linux dev or Hurd communities, but definitely not standard 
 practice in any established industry that makes use of Windows.

 I could be wrong; I didn't take the time to walk myself through the 
 decompile with any thoroughness and compare it to code I generate. 
 Anyway, I have no idea of the differences between how VC++ and g++ do 
 things -- so my analysis would probably be trash. But from the way 
 Mr. Soumenkov describes things it seems this, or something similar, 
 could be the case and why the code doesn't conform to what's expected in 
 a C++ binary.

 -IY

 1. [Caveat] I say Lisp but some other languages come to mind as well; 
 maybe Haskell would come out that way. I'm not sure because I'm most 
 familiar with Lisp and know it can be cobbled with C/C++ without 
 complications because of the way most of its C-based implementations 
 work. Anyway, if I were looking for a lock on how this code was 
 produced, I would ignore C-based languages and focus instead on 
 languages that behave this way natively first, because I think that's 
 the least exotic explanation for the features this segment of code exhibits.

Lisp? Are you serious?


Re: [Full-disclosure] The Mystery of the Duqu Framework

2012-03-10 Thread Laurelai
On 3/10/12 2:16 PM, William Pitcock wrote:
 On 3/10/2012 9:00 AM, 夜神 岩男 wrote:
 On 03/10/2012 03:51 AM, f...@deserted.net wrote:

 http://www.securelist.com/en/blog/667/The_Mystery_of_the_Duqu_Framework

 Haven't seen this (or much discussion around this) here yet, so I
 figured I'd share.

  From the description, it looks like someone pushed some code from a
 Lisp[1] variant (like Common Lisp, which is preprocessed into ANSI C by
 GCL, for example, before compilation) into a C++ DLL. Normal in the
 deeper end of Linux dev or Hurd communities, but definitely not standard
 practice in any established industry that makes use of Windows.

 I could be wrong; I didn't take the time to walk myself through the
 decompile with any thoroughness and compare it to code I generate.
 Anyway, I have no idea of the differences between how VC++ and g++ do
 things -- so my analysis would probably be trash. But from the way
 Mr. Soumenkov describes things it seems this, or something similar,
 could be the case and why the code doesn't conform to what's expected in
 a C++ binary.


 LISP would refer to specific constructor/destructor vtable entries as
 cons and there would be no destructor at all.  The structs use vtables
 which refer to ctor and dtor, which indicates that the vtables were
 most likely generated using a C++ compiler (since that is standard
 nomenclature for C++ compiler symbols).  It pretty much has to be
 Microsoft COM.  The struct layouts pretty much *reek* of Microsoft COM
 when used with a detached vtable (such as if the implementation is
 loaded from a COM object file).  The fact that specific vtable entries
 aren't mangled is also strong evidence of it being Microsoft COM (since
 there is no need to mangle vtable entries of a COM object due to type
 information already being known in the COM object).

 If it looks like COM, smells like COM, and acts like COM, then it's
 probably COM.  It certainly isn't some new programming language like
 Kaspersky says.  That's just the dumbest thing I've heard this year.

 William

I think William just told everyone...again.

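An added example, not code from this thread or from the Duqu analysis it discusses: a hand-rolled object in C with a detached vtable holding ctor/dtor/method slots, the layout the posts above argue over (OO-style C on one side, COM-style C++ on the other). The Object type, the slot names and the counter are this example's own assumptions; vtable_slot reads an instance the way a disassembler does, as an address whose first word points at a table of untyped function pointers.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A generic function-pointer type: all a disassembler knows about a vtable slot. */
typedef void (*generic_fn)(void);

/* Slot indices. The names ctor/dtor are ours; a stripped binary carries none. */
enum { SLOT_CTOR = 0, SLOT_DTOR = 1, SLOT_GET_ID = 2, SLOT_COUNT = 3 };

/* The object: its first word points at a vtable that lives elsewhere ("detached"). */
struct Object {
    const generic_fn *vt;
    int id;
    char name[32];
};

/* Typed signatures behind each slot (hypothetical "class" for this example). */
typedef void (*ctor_fn)(struct Object *, const char *);
typedef void (*dtor_fn)(struct Object *);
typedef int  (*get_id_fn)(const struct Object *);

static int next_id = 1;  /* constructed counter so ids are predictable */

void obj_ctor(struct Object *self, const char *name) {
    self->id = next_id++;
    strncpy(self->name, name, sizeof self->name - 1);
    self->name[sizeof self->name - 1] = '\0';
}
void obj_dtor(struct Object *self) { memset(self, 0, sizeof *self); }
int  obj_get_id(const struct Object *self) { return self->id; }

/* The detached vtable: one static table shared by every instance of the "class". */
static const generic_fn object_vtable[SLOT_COUNT] = {
    (generic_fn)obj_ctor,
    (generic_fn)obj_dtor,
    (generic_fn)obj_get_id,
};

/* "new": allocate, install the vtable pointer, then call the ctor through slot 0,
 * the same load-pointer / index-slot / indirect-call sequence seen in compiled code. */
struct Object *object_new(const char *name) {
    struct Object *o = calloc(1, sizeof *o);
    if (o == NULL) return NULL;
    o->vt = object_vtable;
    ((ctor_fn)o->vt[SLOT_CTOR])(o, name);
    return o;
}

/* "delete": call the dtor through slot 1, then release storage. */
void object_delete(struct Object *o) {
    if (o == NULL) return;
    ((dtor_fn)o->vt[SLOT_DTOR])(o);
    free(o);
}

/* A virtual call: id lookup dispatched through slot 2. */
int object_get_id(const struct Object *o) {
    return ((get_id_fn)o->vt[SLOT_GET_ID])(o);
}

/* The analyst's view: given only an opaque object address, read its first
 * machine word as the vtable pointer and index into it. No names, no types. */
generic_fn vtable_slot(const void *obj, size_t slot) {
    const generic_fn *vt;
    memcpy(&vt, obj, sizeof vt);
    return vt[slot];
}

int main(void) {
    struct Object *o = object_new("sample");
    if (o == NULL) return 1;
    printf("object at %p, vtable at %p, id %d\n",
           (void *)o, (const void *)o->vt, object_get_id(o));
    for (size_t s = 0; s < SLOT_COUNT; s++)
        printf("  slot %zu -> %s\n", s,
               vtable_slot(o, s) == (generic_fn)obj_ctor   ? "obj_ctor"   :
               vtable_slot(o, s) == (generic_fn)obj_dtor   ? "obj_dtor"   :
               vtable_slot(o, s) == (generic_fn)obj_get_id ? "obj_get_id" : "?");
    object_delete(o);
    return 0;
}
```

Whether such a table came from hand-written C, a C++ compiler or COM is exactly what the symbol names and layout conventions decide; the memory shape alone is the same.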

Re: [Full-disclosure] Stakeout: how the FBI tracked and busted a Chicago Anon

2012-03-08 Thread Laurelai
On 3/8/2012 12:23 PM, Elly_Tran_Ha wrote:
 A few lessons I learned:

 1. Don't use a Mac
 2. Don't use wireless
 3. Trust no one.

 On Wed, Mar 7, 2012 at 6:09 PM, Ivan .Heca ivan...@gmail.com wrote:

 Yesterday, we learned that one of the top members of LulzSec
 (Sabu) had been an FBI informant for almost 6 months
 
 http://tech.slashdot.org/story/12/03/06/1437241/lulzsec-leader-sabu-unmasked-arrested-and-caught-collaborating,
 and that this confidant of the LulzSec leader 'anarchaos' had
 given the feds what they needed to take him down. More details
 have come out now
 
 http://arstechnica.com/tech-policy/news/2012/03/stakeout-how-the-fbi-tracked-and-busted-a-chicago-anon.ars,
 completing a picture of how the sting took place from start to
 finish. It turns out that even the server space given from Sabu to
 anarchaos storing the details of 30,000 credit cards (from the
 Stratfor hack) had been funded by the FBI.

 
 http://arstechnica.com/tech-policy/news/2012/03/stakeout-how-the-fbi-tracked-and-busted-a-chicago-anon.ars





4. Don't declare open cyberwar on the US government.

Re: [Full-disclosure] Full disclosure is arrest of Sabu

2012-03-06 Thread Laurelai
On 3/6/2012 2:24 PM, Ferenc Kovacs wrote:

 2011/7/25 Laurelai Storm laure...@oneechan.org

 Oh and I'm not a part of lulzsec, FYI sabu tweeted 2 minutes ago
 wtf are you on about sir?


 maybe we could resurrect this thread. :)
Sure, let's.

http://gizmodo.com/5890825/lulzsec-leader-betrays-all-of-anonymous

I'm going to paste my favorite part of this article.

6:12:32 PM virus: I don't have proof of him being a snitch, and he
doesn't have proof of me being a snitch. it's my word against his.
6:15:39 PM virus: he disappeared for a week, I don't recall what day
6:15:52 PM virus: but when he returned he said his grand mother died and
that's why he was MIA
6:16:01 PM virus: after that he started offering me money to own people
6:16:14 PM Sam Biddle: anyone important?
6:16:55 PM virus: backtrace security and laurelai
6:17:22 PM virus: he gave me IPs, asked me to access their accounts with
their IP and asked me to access their emails
6:17:25 PM virus: told me he would pay me
6:17:42 PM Sam Biddle: did you?
6:17:53 PM virus: no, I found that to be suspicious and declined

Sabu tried to pay someone to hack me and it didn't work. Sabu also got
caught because he connected to IRC one time with his real IP, so this
proves what I said already: Sabu hated me and I didn't know anything
that the feds didn't already. For a supposed ring leader of a group of
master cyber terrorists, as the feds like to paint them, they couldn't
take down one loud-mouthed trans woman on the internet. Hell, even their
DDoS against my imageboard failed and I didn't even have Cloudflare.


And speaking of backtrace security here is Jen giving away government
secrets to win internet points on reddit

http://imgur.com/a/0g9VG

Looks like Jen can't be trusted by anon or the feds.




Re: [Full-disclosure] Anon war?- arrests

2012-02-29 Thread Laurelai
On 2/29/2012 8:45 AM, Christian Sciberras wrote:
 And we'd like to add that we are not crooks. - Anonymous.



popcorn.gif

Re: [Full-disclosure] Eleventh Circuit Finds Fifth Amendment Right Against Self Incrimination Protects Against Being Forced to Decrypt Hard Drive Contents

2012-02-27 Thread Laurelai
On 2/27/2012 12:11 PM, valdis.kletni...@vt.edu wrote:
 On Mon, 27 Feb 2012 01:38:56 MST, Sanguinarious Rose said:
 This isn't anything new
 Yeah, the decision was released all the way back on Feb 23, four whole days
 ago, that's practically last century in Internet time...

 So tell me - what's your definition of new (obviously significantly less 
 than 4 days),
 and how does it affect threads on F-D that last longer than 4 days?




not told [ ]
Told [x]


oh snap

[Full-disclosure] Eleventh Circuit Finds Fifth Amendment Right Against Self Incrimination Protects Against Being Forced to Decrypt Hard Drive Contents

2012-02-26 Thread Laurelai
http://www.ca11.uscourts.gov/opinions/ops/201112268.pdf



Re: [Full-disclosure] PHP Gift Registry 1.5.5 SQL Injection

2012-02-24 Thread Laurelai
On 2/24/2012 3:21 PM, ctrun...@christophertruncer.com wrote:
 You only gave them two days to respond?


 Chris



 On 24.02.2012 08:08, Thomas Richards wrote:
 # Exploit Title: PHP Gift Registry 1.5.5 SQL Injection
 # Date: 02/22/12
 # Author: G13
 # Software Link: https://sourceforge.net/projects/phpgiftreg/
 # Version: 1.5.5
 # Category: webapps (php)
 #

 # Vulnerability #

 The userid parameter in the users.php file is vulnerable to SQL 
 Injection.

 A user must be signed in to exploit this.

 # Vendor Notification #

 02/22/12 - Vendor Notified
 02/24/12 - No response, disclosure

 # Exploit #

 http://localhost/phpgiftreg/users.php?action=edit&userid=[SQLi]

Pretty sure this project is dead; the last update to it was made
2009-03-12 (see http://sourceforge.net/projects/phpgiftreg/files/), so
anyone using it at this point needs to switch to another product.
http://sourceforge.net/tracker/?func=detail&aid=3491557&group_id=110846&atid=657564


Re: [Full-disclosure] Arbitrary DDoS PoC

2012-02-14 Thread Laurelai
On 2/14/2012 2:58 PM, Sanguinarious Rose wrote:
 I do not understand why you are wasting time on an obvious troll to
 downright, and I don't normally call people names but he well deserves
 it, a retard. I think I ironically illustrated the fundamental flaw in
 that you can't possibly generate more bandwidth by using proxies for
 the python code provided due to it violates the laws of physics
 (literally). In fact, if we want to be technical, we could say it is
 less effective due to the handshake required to initiate the proxy
 connection in fact decreasing efficiency of input compared to input.
 If there was something besides making lots of proxy request there
 might be something there but it, in fact, has nothing.

 Taking into account THN retweeted his FD post and his obvious
 inability to understand why everyone is not taking him seriously I
 have concluded he is just trying to seek fame and fortune passing off
 as some kind of sec expert. Maybe get some brownie points with the
 skiddie crowd who wouldn't know better. Throwing fancy terms and
 pretending to know what they are talking about doesn't work up against
 real researchers who understand what they are doing. Poorly written
 scripts also do not impress anyone here considering that I could just
 put into google HTTP Proxy Flooder and a find superior equivalent
 (Even with Point and Click!).

 To this effect, I propose we look into Unicorns as a possible
 unconventional medium of DDoS due to their mythical properties in a
 network environment over-ruled by Pink Lepricons.

 Conclusion: Christian Magick.

 On Tue, Feb 14, 2012 at 10:19 AM, Gage Bystrom themadichi...@gmail.com 
 wrote:
 If the design is broken then the implementation is broken. Have you READ
 your own source code? Do you understand what it's actually doing? Rhetorical
 questions of course, but still.

 Your poc calls curl multiple times via a list of proxies. No more, no less.
 If you are going to claim that such a thing is an effective general
 technique YOU have to back up that claim, not me or anyone else on this
 list. I never bothered running it because anyone who read that simple python
 code(which was a good thing its simple), can understand what it is doing,
 and do a mental comparison to what they previously knew about the subject of
 dos. Your poc does not demonstrate anything new, it demonstrates existing
 knowledge that is generally known to not be an effective method for dosing
 for all the reasons I explained in my previous mails.

 I think it's quite pedantic of you to only criticize me for calling out the
 ineffectiveness of your poc. You did not address anything I or anyone else
 said about your claim. If you think I am wrong or mistaken in my personal
 assessment of your claim then you are the one who must show how and why to
 defend your claim. Belittling someone who criticizes you is not
 professional, not productive, does not give strength to your claim, and does
 not make you right.

 The end of the line is I don't care what you claim your code does, I care
 about what the code does, and your code is not an effective general
 technique for denial of service attacks.

 On Feb 13, 2012 8:48 PM, Lucas Fernando Amorim lf.amo...@yahoo.com.br
 wrote:
 I could argue that an attack targeted at a service, especially HTTP, is
 not measured by the band, but the requests, especially the heavier, could
 argue that a technique is the most inherent characteristic of multiple
 sources of traffic and still relying on trust. I could still say that is an
 implementation that relates only to say - Look, it exists!, I could still
 prolong explaining about overheads, and using about the same time many sites
 that make the requests, thus reducing the wake of a failure, even if you say
 easily diagnosable.

 But I'd rather say that it is actually very pedantic of you label
 something as inefficient, especially when not done a single test, only the
 pedantic observation of someone whose interests it is reprehensible. I will
 not say you're one of those, but this is really an attitude typical of this
 kind, which is certainly not a hacker. Thanks to people like that, do not
 know if you like, there are many flaws yet to be explored.

 If anyone wants more information, obviously I will ask to send an email or
 call me to give a presentation, I will not think about anything. My goal in
 was invited researchers to study DDoS on this model, because anytime someone
 can direct thousands to generate a network congestion.


 On 13-02-2012 11:17, Gage Bystrom wrote:

 Uhh...looks pretty standard boss. You aren't going to DoS a halfway decent
 server with that using a single box. Sending your request through multiple
 proxies does not magically increase the resource usage of the target, its
 still your output power vs their input pipe. Sure it gives a slight boost in
 anonymity and obfuscation but does not actually increase effectiveness. It
 would even decrease effectiveness because you bear the 

Re: [Full-disclosure] when did piracy/theft become expression of freedom

2012-01-28 Thread Laurelai
On this topic I saw this: 
https://thepiratebay.org/torrent/6960965/1970_Chevelle_Hot-Rod_3d_model 
The real question is: would you download a car if you could?



Re: [Full-disclosure] when did piracy/theft become expression of freedom

2012-01-28 Thread Laurelai
On 1/28/2012 3:13 PM, Julius Kivimäki wrote:
 Of course I wouldn't, downloading a car would be like stealing a car.
 Piracy is horrible and all the boats used by the pirate scum should be
 taken away.

 2012/1/28 Laurelai laure...@oneechan.org

 On this topic I saw this:
 https://thepiratebay.org/torrent/6960965/1970_Chevelle_Hot-Rod_3d_model
 The real question is: would you download a car if you could?



If you took away their boats they would just download more...duh.

Re: [Full-disclosure] when did piracy/theft become expression of freedom

2012-01-28 Thread Laurelai
On 1/28/2012 3:36 PM, Christian Sciberras wrote:
 Sadly you can't download routers and internet connections...especially
 without an internet connection.

 But I suppose you could be the regular joe and steal from your
 neighbours' bandwidth (it's a human right, remember? your
 neighbour doesn't have a right to keep the internets to himself!!!).

 /rant




 On Sat, Jan 28, 2012 at 10:33 PM, Laurelai laure...@oneechan.org
 mailto:laure...@oneechan.org wrote:



There are always public hotspots; hell, even McDonald's has them now.

Re: [Full-disclosure] when did piracy/theft become expression of freedom

2012-01-28 Thread Laurelai
On 1/28/2012 6:55 PM, Christian Sciberras wrote:
 Actually, *most* bands that make money do so off the concert tours - tickets
 and t-shirts are where the actual money is at, not the album sales.
 So why bother with album sales in the first place?

 This is the same with free/commercial software. At the end of the day
 the creator decides
 the sales strategy.


 The only thing I can see in this is that the recording industry really
 needs to grow up
 to the times, but piracy is not a solution nor the means to one, just
 like DDoSing facebook
 is not the means to the removal of a certain bill/law (arguably, to
 the contrary).

 The recording companies have every right to retaliate just as the FBI
 has every right to
 arrest suspects involved in these childish acts.

The reasonable man adapts himself to the world: the unreasonable one
persists to adapt the world to himself. Therefore all progress depends
on the unreasonable man. 
-- George Bernard Shaw
http://www.goodreads.com/author/show/5217.George_Bernard_Shaw, Man
and Superman http://www.goodreads.com/work/quotes/376394/

Re: [Full-disclosure] when did piracy/theft become expression of freedom

2012-01-27 Thread Laurelai
On 1/27/2012 2:24 AM, Jerry dePriest wrote:
 I'm going to the 'Benz dealer in the morning to express my 1st
 amendment right...

 The Somalians are learning the hard way that it just isn't so...
  
 bma


Piracy: an act of robbery or criminal violence at sea

Theft:  the illegal taking of another person's property without that
person's permission or consent with the intent to deprive the rightful
owner of it

Software copying: occurs neither on the high seas nor deprives the
rightful owner of it.


The more you know.

Re: [Full-disclosure] when did piracy/theft become expression of freedom

2012-01-27 Thread Laurelai
On 1/27/2012 3:01 AM, Robert Kim App and Facebook Marketing wrote:
 HAHAHAA... 

 Well... it's hard to convince people that data piracy is the same as
 physical piracy! They think that if they CAN do something... they have
 the RIGHT to DO IT!

 As a content producer... I can't stand this sense of entitlement...
 but oh well... I've just gotta transform with the times I guess!

 On Fri, Jan 27, 2012 at 5:51 PM, Laurelai laure...@oneechan.org
 mailto:laure...@oneechan.org wrote:



 -- 
 Robert Q Kim
 Technical Chinese Korean English Translator
 http://www.youtube.com/watch?v=QozAHbUS-VU 
 2611 S Coast Highway
 San Diego, CA 92007
 310 598 1606
Let's not kid ourselves here, you all would download a car if you could
and you know it ;)


That being said, I would prefer people *widely use* my software and
donate money to me if they think it's worth something; the Humble Indie
Bundle's profits are telling in this case. Perhaps if content producers
would change their business model to adapt to modern times instead of
trying to force the world to live in the past, software copying wouldn't
be so popular.

Re: [Full-disclosure] when did piracy/theft become expression of freedom

2012-01-27 Thread Laurelai
On 1/27/2012 3:29 AM, Vipul Agarwal wrote:
 Let's keep FD and Reddit apart!

 Regards,
 Vipul

 Sent from my HTC

 - Reply message -
 From: Kai k...@rhynn.net
 To: full-disclosure@lists.grok.org.uk
 Subject: [Full-disclosure] when did piracy/theft become expression of
 freedom
 Date: Fri, Jan 27, 2012 09:15


 Hello,

 http://img256.imageshack.us/img256/2527/1282302008370.jpg

 know the difference.

 -- 
 Cheers,

 Kai

Posting to /r/netsec now...

Re: [Full-disclosure] Fw: when did piracy/theft become expression of freedom

2012-01-27 Thread Laurelai

On 1/27/12 4:12 AM, Jerry dePriest wrote:
Software piracy has been around forever. I remember copying punch
cards. It took forever and if you made one mistake hours of work was
down the tubes. I had an Apple II that we used Disk Pirate 1-11 to
copy games, Peachtree accounting software, etc. In the time it took
to load the 5 1/4 floppy you could make a copy. From that you could
make as many copies as you deemed fit. I must have made $100 from Dig
Dug alone.
Then came CAD or ? with a software lock; it was a piece of hardware
that connected to a serial port on your computer. Without the lock the
software was dead. You were free to use the software on any computer
but you had to have the lock. More computers, simply buy more locks. It
has been so long I forget the details but it was effective. If you
tried to reverse engineer the lock you rendered it dead. No one
wanted to buy the locks so it went with the dodo...
In this day and age piracy is simply a game that is quite profitable.
We used to copy and share over BBSs or even mail each other copies.
Shareware was the cat's ass. Now I have to buy a new OS every frickin
year. New version of Office, Photoshop, etc. Frick that! I love Win
98SE, it still serves my purpose. I love Win 2k Pro, it serves my
purpose. Vista, Win 7, Mac OSes... Crap, pure crap. Photoshop 5 does
all I need. Office 97 works great and has a nifty flight sim in it.
Win 7 is still frickin DOS... I still have my copies of DOS versions
3-6.2 and it serves its purpose.
Do I use DVD Decrypter? Yes. DVD Shrink? Hell yes. Do I sell the
copies or profit from it? Whenever I can. Boldly doing it over the
internet is just stupid and anyone who does it deserves the full penalty.

bma
- Original Message -
*From:* Jerry dePriest mailto:jerr...@mc.net
*To:* full-disclosure@lists.grok.org.uk 
mailto:full-disclosure@lists.grok.org.uk

*Sent:* Friday, January 27, 2012 2:24 AM
*Subject:* [Full-disclosure] when did piracy/theft become expression 
of freedom




Except that you just posted about it in public on the internet...

Re: [Full-disclosure] when did piracy/theft become expression of freedom

2012-01-27 Thread Laurelai
On 1/27/2012 12:06 PM, Michael Schmidt wrote:

 You want to be very careful with that line of thought. You are taking
 the creator, the rightful owner's, profits, which they are entitled to if
 it is a product they created to be sold. You are confusing what you
 want -- with what the law states. Theft is typically very widely
 defined in the law, not just what the dictionary states.

  

 When you make a copy, you are performing a step that the manufacturer
 takes with physical products. Just because copying software is easy
 does not mean the laws are so cut and dried around what is theft and
 what is not. If you take something by making yourself a copy, when the
 producer is the only authorized authority to make copies then you have
 committed theft.

  

 You also cannot steal electricity, check out Abstracting
 Electricity, but bypassing the meter is wrong in most jurisdictions.

  

 In the US you can be arrested and charged for riding in a stolen car,
 even if you really didn't know it was stolen, known as taking without
 consent or TWOC.

  

 In some jurisdictions you can be arrested and charged for going
 equipped for burglary, meaning you have implements of the trade on you --
 crowbars, lock picks etc. So I suppose in the US we are fortunate that
 having a copy of some previously defined hacking tools on a computer
 in our possession will not get us arrested -- yet.

  

 The more you know...

  

  

 *From:*full-disclosure-boun...@lists.grok.org.uk
 [mailto:full-disclosure-boun...@lists.grok.org.uk] *On Behalf Of *Laurelai
 *Sent:* Friday, January 27, 2012 12:51 AM
 *To:* full-disclosure@lists.grok.org.uk
 *Subject:* Re: [Full-disclosure] when did piracy/theft become
 expression of freedom

  


Yeah, and the US is becoming a police state, so using US law as an
example of morality is pretty shaky ground.

Re: [Full-disclosure] UFC.com

2012-01-23 Thread Laurelai
On 1/23/12 7:14 AM, Ian Hayes wrote:
 On Mon, Jan 23, 2012 at 4:37 AM, Julius Kivimäki
 julius.kivim...@gmail.com  wrote:
 Wat


 2012/1/23 RandallMranda...@fidmail.com
 Piracy retaliation taken on UFC.com

 Pinging ufc.com [50.116.87.24] with 32 bytes of data:

 Reply from 50.116.87.24: bytes=32 time=48ms TTL=52
 Reply from 50.116.87.24: bytes=32 time=49ms TTL=52
 Reply from 50.116.87.24: bytes=32 time=48ms TTL=52
 Reply from 50.116.87.24: bytes=32 time=48ms TTL=52

 http://network-tools.com/default.asp?prog=dnsrechost=ufc.com
 It's a one man crime wave!

Look out, he's got ping! Hide your servers!


Re: [Full-disclosure] UFC.com

2012-01-23 Thread Laurelai

On 1/23/12 9:34 AM, Julius Kivimäki wrote:
He is a god-tier hecker, like better than Chippy1337. ICMP remote root 
0day imo.


2012/1/23 Laurelai laure...@oneechan.org mailto:laure...@oneechan.org




Truly a god among blackhats has graced the mailing list.

Re: [Full-disclosure] UFC.com

2012-01-23 Thread Laurelai

On 1/23/12 9:43 AM, Julius Kivimäki wrote:
Oh god, my linux server buried underground with five feet of concrete 
just got rooted. This box has no internet connection, coincidence? I 
think not.

(Also I'm a derpcat and can't into mailinglists with gmail)
2012/1/23 Laurelai laure...@oneechan.org mailto:laure...@oneechan.org




no u r a derpcat

Re: [Full-disclosure] Rate Stratfor's Incident Response

2012-01-13 Thread Laurelai
On 1/13/12 1:24 PM, Paul Schmehl wrote:
 --On January 13, 2012 12:03:22 PM -0500 Benjamin Kreuter
 ben.kreu...@gmail.com  wrote:

 On Fri, 13 Jan 2012 10:37:31 -0600
 Paul Schmehlpschmehl_li...@tx.rr.com  wrote:

 --On January 12, 2012 3:16:19 PM -0500 Benjamin Kreuter
 ben.kreu...@gmail.com  wrote:

 The law is not going to stop the really bad people
 from attacking your system, nor is it going to stop them from
 profiting from whatever access they gain; sending law enforcement
 after someone who reports problems to you accomplishes little and
 only discourages people who might try to help you.

 Assuming everyone's motives are as pure as the driven snow is a bit
 naive, don't you think?
 Are there lingering doubts about the motives of someone who is
 reporting a vulnerability to you?  They could have just profited from
 their discovery and never bothered to tell you.  In any case, what have
 you accomplished by sending the cops after *someone who is helping you*?

 Unless you're a complete fool, yes.  You say you're helping me, but you
 broke into my server. How do I know you didn't help yourself to a
 permanent back door?

 Again, it's naive to think that most people are motivated purely by a
 desire to help others, especially when they are actively intruding into
 other people's assets.

 YOU might say thank you, but I'll be taking the server offline, grabbing
 forensic images and rebuilding it long before I get around to saying thank
 you.

Well, just remember they could have *not* told you and helped themselves
to a backdoor. If they wanted to backdoor you they probably wouldn't have
told you.


Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-12 Thread Laurelai

On 1/12/12 3:27 AM, doc mombasa wrote:

Just one question:
why should they hire the skiddies if most of them only know how to
fire up sqlmap or whatever current app is hot right now?

Doesn't really seem like enough reason to hire anyone.
Besides, I'm not buying the whole "they do it because they are angry at
society" plop.

I've been there.. they do it for the lulz.

Den 11. jan. 2012 06.18 skrev Laurelai laure...@oneechan.org 
mailto:laure...@oneechan.org:


On 1/10/12 10:18 PM, Byron Sonne wrote:
 Don't piss off a talented adolescent with computer skills.
 Amen! I love me some stylin' pwnage :)

 Whether they were skiddies or actual hackers, it's still amusing (and
 frightening to some) that companies who really should know better, in
 fact, don't.

And again, if companies hired these people, most of whom come from
disadvantaged backgrounds and are self-taught, they wouldn't have as
much of a reason to be angry anymore. Most of them feel like they don't
have any real opportunities for a career, and they are often right.
Microsoft hired some kid who hacked their network; it is a safe bet he
isn't going to be causing any trouble anymore. Talking about the trust
issue, who would you trust more: the person who has all the certs and
experience that told you your network was safe, or the 14 year old who
proved him wrong? We all know if that kid had approached Microsoft with
his exploit in a responsible manner they would have outright ignored
him; that's why this mailing list exists, because companies will ignore
security issues until it bites them in the ass to save a buck.

People are way too obsessed with having certifications that don't
actually teach practical intrusion techniques. If a system is so
fragile that teenagers can take it down with minimal effort then there
is a serious problem with the IT security industry. Think about it: how
long has SQL injection been around? There is absolutely no excuse for
being vulnerable to it. None whatsoever. These kids are showing people
the truth about the state of security online and that is what's making
people afraid of them. They aren't writing 0-days every week; they are
using vulnerabilities that are publicly available, using tools that are
publicly available, tools that were meant to be used by the people
protecting the systems. Clearly the people in charge of protecting
these systems aren't using these tools to scan their systems or else
they would have found the weaknesses first.

The fact that government organizations and large name companies and
government contractors fall prey to these types of attacks just goes to
show the level of hypocrisy inherent to the situation, especially when
their solution to the problem is to just pass more and more restrictive
laws (as if that's going to stop them). These kids are showing people
that the emperor has no clothes and that's what's making people angry:
they are putting someone's paycheck in danger. Why don't we solve the
problem by actually addressing the real problem and fixing systems that
need to be fixed? Why not hire these kids with the time and energy on
their hands to probe for these weaknesses on a large scale? The ones
currently in the job slots to do this clearly aren't doing it. I bet if
they started replacing these people with these kids it would shake the
lethargy out of the rest of them and you would see a general increase
in competence and security. Knowing that getting your network owned by
a teenager will not only get you fired, but replaced with said
teenager, is one hell of an incentive to make sure you get it right.

Yes, they would have to be taught additional skills to round out what
they know, but every job requires some level of training and there are
quite a few workplaces that will help their employees continue their
education because it benefits the company to do so. This would be no
different except that the employees would be younger, and younger
people do tend to learn faster, so it would likely take less time to
teach these kids the needed skills to round out what they already know
than it would to teach someone older the same thing. It is the same
principle behind teaching young children multiple languages: they learn
them better than adults.


Because the ones in charge right now can't even seem to fire up sqlmap 
now and then to see if they are vuln. And if you really believe that 
they just do it for the lulz line

Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-12 Thread Laurelai

On 1/12/12 3:34 AM, doc mombasa wrote:

I don't know if you ever worked for a big corporate entity?
Like Kovacs wrote, it's not about whether you can do it or not as an
employee; it's more about whether your manager allows you the time to
do it.

Pentesting doesn't change anything on the profits Excel sheet.
We can agree it looks bad when shit happens but they usually don't
think that far ahead.
I tried once reporting a very simple SQL injection flaw to my manager,
including a proposed fix which would take all of 5 minutes to
implement.
18 months went by before that flaw was fixed because there were no
profits in allocating resources to fix it.

And that webapp was the #1 money generator for that company.

Den 12. jan. 2012 10.29 skrev Laurelai laure...@oneechan.org 
mailto:laure...@oneechan.org:



Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-12 Thread Laurelai

On 1/12/12 3:47 AM, doc mombasa wrote:

OK, obviously you never worked for a big corporate entity :)
Sure, standing up to them is fine.
After shouting about the bug for 4 months I thought, bah, why bother,
it's their asses not mine.
Just going in and fixing a bug without the mandate is usually not a
good idea (if you want to keep your job so you can pay your bills, that
is..)


Den 12. jan. 2012 10.41 skrev Laurelai laure...@oneechan.org 
mailto:laure...@oneechan.org:



Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-12 Thread Laurelai

On 1/12/12 3:49 AM, Ferenc Kovacs wrote:

Well that's what you get when you let profit margins dictate
security policy. You guys act pretty tough when you argue with
each other online but you can't stand up to some corporate idiots?
Sounds like this industry could benefit from these kids even more
since they are driving home the points you all are supposed to be
warning them about.


Maybe you should try hiring a kiddie at your company, and tell us how it
turned out.

Usually the ones shit-talking here are those without a decent job imo...

--
Ferenc Kovács
@Tyr43l - http://tyrael.hu

I have a great job.
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-12 Thread Laurelai

On 1/12/12 3:54 AM, doc mombasa wrote:
and you are obviously blindly stuck on a point and have no idea how it
actually works out there in the real world

in small companies you have freedom and ability to execute
in big companies not so much..

On 12 Jan. 2012 10.52, Laurelai laure...@oneechan.org wrote:


On 1/12/12 3:47 AM, doc mombasa wrote:

ok obviously you never worked for a big corporate entity :)
sure standing up to them is fine
after shouting about the bug for 4 months I thought, bah, why
bother, it's their asses not mine
just going in and fixing a bug without the mandate is usually not
a good idea (if you want to keep your job so you can pay your
bills that is..)

On 12 Jan. 2012 10.41, Laurelai laure...@oneechan.org wrote:

On 1/12/12 3:34 AM, doc mombasa wrote:

I don't know if you ever worked for a big corporate entity?
like Kovacs wrote it's not about whether you can do it or not
as an employee it's more about if your manager allows you the
time to do it
pentesting doesn't change anything on the profits Excel sheet
we can agree it looks bad when shit happens but they usually
don't think that far ahead
I tried once reporting a very simple SQL injection flaw to
my manager and including a proposed fix which would take all
of 5 minutes to implement
18 months went by before that flaw was fixed because there
were no profits in allocating resources to fix it
and that webapp was the #1 money generator for that company

On 12 Jan. 2012 10.29, Laurelai laure...@oneechan.org wrote:

On 1/12/12 3:27 AM, doc mombasa wrote:

just one question
why should they hire the skiddies if most of them
only know how to fire up sqlmap or whatever current app
is hot right now?
doesn't really seem like enough reason to hire anyone
besides I'm not buying the whole they do it because
they are angry at society plop
I've been there.. they do it for the lulz

On 11 Jan. 2012 06.18, Laurelai laure...@oneechan.org wrote:

On 1/10/12 10:18 PM, Byron Sonne wrote:
 Don't piss off a talented adolescent with computer skills.
 Amen! I love me some stylin' pwnage :)

 Whether they were skiddies or actual hackers, it's still amusing (and
 frightening to some) that companies who really should know better, in
 fact, don't.

And again, if companies hired these people, most of whom come from
disadvantaged backgrounds and are self-taught, they wouldn't have as much
of a reason to be angry anymore. Most of them feel like they don't have
any real opportunities for a career, and they are often right. Microsoft
hired some kid who hacked their network; it is a safe bet he isn't going
to be causing any trouble anymore. Talking about the trust issue, who
would you trust more: the person who has all the certs and experience
that told you your network was safe, or the 14-year-old who proved him
wrong? We all know if that kid had approached Microsoft with his exploit
in a responsible manner they would have outright ignored him. That's why
this mailing list exists, because companies will ignore security issues
until it bites them in the ass to save a buck.

People are way too obsessed with having certifications that don't
actually teach practical intrusion techniques. If a system is so fragile
that teenagers can take it down with minimal effort then there is a
serious problem with the IT security industry. Think about it: how long
has SQL injection been around? There is absolutely no excuse for being
vulnerable to it. None whatsoever. These kids are showing people the
truth about the state of security online and that is what's making people
afraid of them. They aren't writing 0-days every week, they are using
vulnerabilities that are publicly available. Using tools that are
publicly available, tools that were meant

Re: [Full-disclosure] Rate Stratfor's Incident Response

2012-01-12 Thread Laurelai

On 1/12/12 11:12 AM, valdis.kletni...@vt.edu wrote:

On Wed, 11 Jan 2012 12:57:48 EST, Benjamin Kreuter said:


The problem is that we have criminalized too much here.  If some 14
year old comes to you and hands you supposedly secret documents, he is
behaving very ethically -- he is telling you that you have a
vulnerability, rather than simply trying to sell your secrets to a
competitor.  That sounds like a person who can be trusted to work for
you -- someone who could have easily betrayed you, but did not, and who
knew when and how to do the right thing.

No, the person I *want* to hire doesn't come to me with a secret document,
he comes to me and says "There's a hole in this web page that will leak
secret documents, but I didn't actually download one to fully verify it."


And if they do that they will get told "Well how do you know it will
actually leak secret documents since you didn't verify that it actually
leaks them, stop wasting our time." We have all seen companies ignore
vulnerabilities because the company claimed it was not exploitable when
it was. Right now the FBI is claiming that they knew about the Stratfor
hack and had informed people that their personal data was compromised,
but we know this isn't true because live credit cards from the data leak
were actually used after it became public. So again, who are you going to
trust: the people who have been proven over and over to lie to the public
about the state of their security, or the people showing the world they
are liars?

The people who are going to attack your system and then sell your
secrets on the black market are people who are not going to think in
the structured way that your engineers think.  They are going to do
things that your IT staff did not expect anyone to do.  They are going
to do things your IT staff did not even think about.  If the people in
your organization were not creative enough to do what the teenage
hacker did, then the teenage hacker has skills that are missing from
your team -- which can be restated as the teenager is someone you
should hire.

No, it can be restated as you want to hire someone with a skillset similar
to that teenager.

Would you hire that teenager to take several tens of thousands of cash to the
bank unescorted?  No?  Then why are you hiring them into a position where
they'll have basically unescorted access to similar amounts of valuables?


Re: [Full-disclosure] Rate Stratfor's Incident Response

2012-01-12 Thread Laurelai
On 1/12/12 11:21 AM, Ian Hayes wrote:
 On Wed, Jan 11, 2012 at 9:57 AM, Benjamin Kreuter ben.kreu...@gmail.com wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA512

 On Tue, 10 Jan 2012 21:39:07 -0800
 Ian Hayes cthulhucall...@gmail.com wrote:

 On Tue, Jan 10, 2012 at 9:18 PM, Laurelai laure...@oneechan.org wrote:
 On 1/10/12 10:18 PM, Byron Sonne wrote:
 Don't piss off a talented adolescent with computer skills.
 Amen! I love me some stylin' pwnage :)

 Whether they were skiddies or actual hackers, it's still amusing
 (and frightening to some) that companies who really should know
 better, in fact, don't.

 And again, if companies hired these people, most of whom come from
 disadvantaged backgrounds and are self-taught, they wouldn't have as
 much of a reason to be angry anymore. Most of them feel like they
 don't have any real opportunities for a career and they are often
 right.
 [citation needed]

 Microsoft hired some kid who hacked their network; it is a safe bet
 he isn't going to be causing any trouble anymore.
 Are you proposing that we reward all such behavior with jobs? I've
 always wanted to be a firefighter. Forget resumes, job applications
 and interviews, I'm going to set people's houses on fire.
 No, it is more like you see a house on fire, call 911, then clear the
 road so that firefighters can get to the house.  You know, someone who
 is helping the professionals do their job?
 Yes. But by Larueli's logic, since I know how to use a Bic lighter,
 I'm infinitely more qualified than a trained firefighter. By setting
 fire to other people's houses, I'm announcing my intention to join
 their ranks, and deserve a job at the nearest station. Never mind that
 20 people died and hundreds of thousands of dollars of property
 damage - if the firemen were true professionals, they would have made
 the houses completely fireproof a long time ago, or at the very least
 responded and put out the fire before any real damage was done.

 Plus, I have a Zippo, which makes me uber-leet.

*Laurelai* I know it's a strange spelling but it is spelled correctly in
my email address, and it's than not that. Committing arson is not
comparable to a digital intrusion: no lives are lost and any enterprise
system worth speaking of has backup systems, so very little real damage
is done. The most damage that occurs is to their reputation; it injures
people's pride and causes humiliation. The people being humiliated have
created reputations as experts in infosec, reputations that, as it's being
shown, they don't deserve. Let's be honest here: if it wasn't anon/antisec
doing it someone else would have eventually (perhaps they already were)
and they probably wouldn't have made the incident public, they would
have just quietly stolen user data and credit card information and sold
them off to the highest bidder for as long as they possibly could. Or
used stolen credentials to gain access to even more data. You seem to be
missing the point that anon/antisec is using methods, for the most part,
that are simple attacks that any company has absolutely no excuse to be
vulnerable to. This is more like owning a large store and leaving the
doors unlocked at night and finding that some kids walked in and put all
of your stock outside of the store and pinned your internal finance
documents that show you have been embezzling to the windows, plus they
drew penises on the pictures in your office just to pour salt on the
wound. In this case you have nobody to blame but yourself. My suggestion
that they should hire these kids was meant to imply that as bad as they
are they probably are more ethical than the people they are attacking,
since they aren't storing all sorts of sensitive user data in plain text
and telling people it's all safe.
 By your
 logic, an arsonist is not only the best person to combat other
 arsonists, but due to his obviously unique insight into the nature of
 fire, simply must know how best to fight a fire as opposed to someone
 who went to school for years to learn the trade.
 Unless you are going to give me a proof that no attack on my network
 could be successful, you need people who can find their way through the
 cracks to evaluate the efficacy of your security system.  If the people
 you already hired to maintain your security are not able to identify
 threats and design systems that are resilient to those threats, then
 you need to hire someone else.  A security team will benefit from
 having someone poke holes in their design.
 Anyone who says "you are secure, you are hacker-proof" should be shown
 the door. But this is reality. Companies don't WANT to know that the
 Emperor is naked. All they want is to fill in the checkbox that says
 that they did their due diligence, so they pass their annual audit. If
 holes are found, now they have to spend time, money and effort fixing
 them, or they lose their insurance/merchant status/some kind of
 accreditation. That's why most organizations are happy

Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-12 Thread Laurelai

On 1/12/12 2:00 PM, Elazar Broad wrote:
Sounds like this industry could benefit from these kids even more 
since they are driving home the points you all are supposed to be 
warning them about.


That's because these kids don't have mouths to feed and a paycheck to 
worry about. Ethics and ethos are all very nice when you have nothing 
to lose, all to gain and no one depending on you...


On Thursday, January 12, 2012 at 4:43 AM, Laurelai 
laure...@oneechan.org wrote:


On 1/12/12 3:34 AM, doc mombasa wrote:

I don't know if you ever worked for a big corporate entity?
like Kovacs wrote it's not about whether you can do it or not
as an employee it's more about if your manager allows you the
time to do it
pentesting doesn't change anything on the profits Excel sheet
we can agree it looks bad when shit happens but they usually
don't think that far ahead
I tried once reporting a very simple SQL injection flaw to my
manager and including a proposed fix which would take all of 5
minutes to implement
18 months went by before that flaw was fixed because there were
no profits in allocating resources to fix it
and that webapp was the #1 money generator for that company

On 12 Jan. 2012 10.29, Laurelai laure...@oneechan.org wrote:

On 1/12/12 3:27 AM, doc mombasa wrote:

just one question
why should they hire the skiddies if most of them
only know how to fire up sqlmap or whatever current
app is hot right now?
doesn't really seem like enough reason to hire anyone
besides I'm not buying the whole they do it because
they are angry at society plop
I've been there.. they do it for the lulz

On 11 Jan. 2012 06.18, Laurelai laure...@oneechan.org wrote:

On 1/10/12 10:18 PM, Byron Sonne wrote:
 Don't piss off a talented adolescent with computer skills.
 Amen! I love me some stylin' pwnage :)

 Whether they were skiddies or actual hackers, it's still amusing (and
 frightening to some) that companies who really should know better, in
 fact, don't.

And again, if companies hired these people, most of whom come from
disadvantaged backgrounds and are self-taught, they wouldn't have as much
of a reason to be angry anymore. Most of them feel like they don't have
any real opportunities for a career, and they are often right. Microsoft
hired some kid who hacked their network; it is a safe bet he isn't going
to be causing any trouble anymore. Talking about the trust issue, who
would you trust more: the person who has all the certs and experience
that told you your network was safe, or the 14-year-old who proved him
wrong? We all know if that kid had approached Microsoft with his exploit
in a responsible manner they would have outright ignored him. That's why
this mailing list exists, because companies will ignore security issues
until it bites them in the ass to save a buck.

People are way too obsessed with having certifications that don't
actually teach practical intrusion techniques. If a system is so fragile
that teenagers can take it down with minimal effort then there is a
serious problem with the IT security industry. Think about it: how long
has SQL injection been around? There is absolutely no excuse for being
vulnerable to it. None whatsoever. These kids are showing people the
truth about the state of security online and that is what's making people
afraid of them. They aren't writing 0-days every week, they are using
vulnerabilities that are publicly available. Using tools that are
publicly available, tools that were meant to be used by the people
protecting the systems. Clearly the people in charge of protecting these
systems aren't

Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-11 Thread Laurelai
On 1/10/12 11:39 PM, Ian Hayes wrote:
 On Tue, Jan 10, 2012 at 9:18 PM, Laurelai laure...@oneechan.org wrote:
 On 1/10/12 10:18 PM, Byron Sonne wrote:
 Don't piss off a talented adolescent with computer skills.
 Amen! I love me some stylin' pwnage :)

 Whether they were skiddies or actual hackers, it's still amusing (and
 frightening to some) that companies who really should know better, in
 fact, don't.

 And again, if companies hired these people, most of whom come from
 disadvantaged backgrounds and are self-taught, they wouldn't have as much
 of a reason to be angry anymore. Most of them feel like they don't have any
 real opportunities for a career and they are often right.
 [citation needed]

 Microsoft hired some kid who hacked their network; it is a safe bet he isn't
 going to be causing any trouble anymore.
 Are you proposing that we reward all such behavior with jobs? I've
 always wanted to be a firefighter. Forget resumes, job applications
 and interviews, I'm going to set people's houses on fire. By your
 logic, an arsonist is not only the best person to combat other
 arsonists, but due to his obviously unique insight into the nature of
 fire, simply must know how best to fight a fire as opposed to someone
 who went to school for years to learn the trade.

 Talking about the trust issue, who
 would you trust more the person who has all the certs and experience
 that told you your network was safe or the 14 year old who proved him
 wrong?
 This is asinine. WHY would I want to hire someone for a position of
 trust that just committed a crime, or at the very least acted in an
 unethical manner? More than anything, that person has proven that
 while he *might* have the technical chops, he certainly lacks the
 ethics and decision making skills to operate in the grown-up world.
Because the ones with the so-called ethics either lack the technical
chops or lack the enthusiasm to find simple vulnerabilities. Not very
ethical to take a huge paycheck and not do your job if you ask me.


Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-11 Thread Laurelai

On 1/11/12 8:39 AM, Ferenc Kovacs wrote:

Because the ones with the so called ethics either lack the technical
chops or lack the enthusiasm to find simple vulnerabilities. Not very
ethical to take a huge paycheck and not do your job if you ask me.


If the only thing missing to secure those systems was somebody being
able to use sqlmap and xss-me, then that could be fixed without
hiring people who already proved that they aren't trustworthy.
From my experience, the lack of security comes from the management;
you can save money on that (and QA) in the short run.
So companies tend to hire QSA companies to buy the paper which says
that they are good, when in fact they aren't.
Most of them don't wanna hear that they are vulnerable and take the
risks too lightly.
If they would take IT security seriously it simply couldn't be owned
through trivial, well-known attack vectors.


--
Ferenc Kovács
@Tyr43l - http://tyrael.hu

:D at least one person here gets it.

Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-10 Thread Laurelai
On 1/10/12 10:18 PM, Byron Sonne wrote:
 Don't piss off a talented adolescent with computer skills.
 Amen! I love me some stylin' pwnage :)

 Whether they were skiddies or actual hackers, it's still amusing (and
 frightening to some) that companies who really should know better, in
 fact, don't.

And again, if companies hired these people, most of whom come from
disadvantaged backgrounds and are self-taught, they wouldn't have as much
of a reason to be angry anymore. Most of them feel like they don't have
any real opportunities for a career, and they are often right. Microsoft
hired some kid who hacked their network; it is a safe bet he isn't going
to be causing any trouble anymore. Talking about the trust issue, who
would you trust more: the person who has all the certs and experience
that told you your network was safe, or the 14-year-old who proved him
wrong? We all know if that kid had approached Microsoft with his exploit
in a responsible manner they would have outright ignored him. That's why
this mailing list exists, because companies will ignore security issues
until it bites them in the ass to save a buck.

People are way too obsessed with having certifications that don't
actually teach practical intrusion techniques. If a system is so fragile
that teenagers can take it down with minimal effort then there is a
serious problem with the IT security industry. Think about it: how long
has SQL injection been around? There is absolutely no excuse for being
vulnerable to it. None whatsoever. These kids are showing people the
truth about the state of security online and that is what's making people
afraid of them. They aren't writing 0-days every week, they are using
vulnerabilities that are publicly available. Using tools that are
publicly available, tools that were meant to be used by the people
protecting the systems. Clearly the people in charge of protecting these
systems aren't using these tools to scan their systems or else they would
have found the weaknesses first.

The fact that government organizations and large-name companies and
government contractors fall prey to these types of attacks just goes to
show the level of hypocrisy inherent to the situation. Especially when
their solution to the problem is to just pass more and more restrictive
laws (as if that's going to stop them). These kids are showing people
that the emperor has no clothes and that's what's making people angry:
they are putting someone's paycheck in danger. Why don't we solve the
problem by actually addressing the real problem and fixing systems that
need to be fixed? Why not hire these kids with the time and energy on
their hands to probe for these weaknesses on a large scale? The ones
currently in the job slots to do this clearly aren't doing it. I bet if
they started replacing these people with these kids it would shake the
lethargy out of the rest of them and you would see a general increase in
competence and security. Knowing that getting your network owned by a
teenager will not only get you fired, but replaced with said teenager, is
one hell of an incentive to make sure you get it right.

Yes, they would have to be taught additional skills to round out what
they know, but every job requires some level of training and there are
quite a few workplaces that will help their employees continue their
education because it benefits the company to do so. This would be no
different except that the employees would be younger, and younger people
do tend to learn faster, so it would likely take less time to teach these
kids the needed skills to round out what they already know than it would
to teach someone older the same thing. It is the same principle behind
teaching young children multiple languages: they learn them better than
adults.



Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-10 Thread Laurelai
On 1/10/12 11:32 PM, James Smith wrote:
 Well I do agree with what you are stating. As I have seen incidents
 like this happen too many times.
 This mailing list is a big part of the IT Security community.



 -Original Message- From: Laurelai
 Sent: Wednesday, January 11, 2012 1:18 AM
 To: full-disclosure@lists.grok.org.uk
 Subject: Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

 On 1/10/12 10:18 PM, Byron Sonne wrote:
 Don't piss off a talented adolescent with computer skills.
 Amen! I love me some stylin' pwnage :)

 Whether they were skiddies or actual hackers, it's still amusing (and
 frightening to some) that companies who really should know better, in
 fact, don't.

 And again, if companies hired these people, most of whom come from
 disadvantaged backgrounds and are self-taught, they wouldn't have as much
 of a reason to be angry anymore. Most of them feel like they don't have
 any real opportunities for a career, and they are often right. Microsoft
 hired some kid who hacked their network; it is a safe bet he isn't going
 to be causing any trouble anymore. Talking about the trust issue, who
 would you trust more: the person who has all the certs and experience
 that told you your network was safe, or the 14-year-old who proved him
 wrong? We all know if that kid had approached Microsoft with his exploit
 in a responsible manner they would have outright ignored him. That's why
 this mailing list exists, because companies will ignore security issues
 until it bites them in the ass to save a buck.

 People are way too obsessed with having certifications that don't
 actually teach practical intrusion techniques. If a system is so fragile
 that teenagers can take it down with minimal effort then there is a
 serious problem with the IT security industry. Think about it: how long
 has SQL injection been around? There is absolutely no excuse for being
 vulnerable to it. None whatsoever. These kids are showing people the
 truth about the state of security online and that is what's making people
 afraid of them. They aren't writing 0-days every week, they are using
 vulnerabilities that are publicly available. Using tools that are
 publicly available, tools that were meant to be used by the people
 protecting the systems. Clearly the people in charge of protecting these
 systems aren't using these tools to scan their systems or else they would
 have found the weaknesses first.

 The fact that government organizations and large-name companies and
 government contractors fall prey to these types of attacks just goes to
 show the level of hypocrisy inherent to the situation. Especially when
 their solution to the problem is to just pass more and more restrictive
 laws (as if that's going to stop them). These kids are showing people
 that the emperor has no clothes and that's what's making people angry:
 they are putting someone's paycheck in danger. Why don't we solve the
 problem by actually addressing the real problem and fixing systems that
 need to be fixed? Why not hire these kids with the time and energy on
 their hands to probe for these weaknesses on a large scale? The ones
 currently in the job slots to do this clearly aren't doing it. I bet if
 they started replacing these people with these kids it would shake the
 lethargy out of the rest of them and you would see a general increase in
 competence and security. Knowing that getting your network owned by a
 teenager will not only get you fired, but replaced with said teenager, is
 one hell of an incentive to make sure you get it right.

 Yes, they would have to be taught additional skills to round out what
 they know, but every job requires some level of training and there are
 quite a few workplaces that will help their employees continue their
 education because it benefits the company to do so. This would be no
 different except that the employees would be younger, and younger people
 do tend to learn faster, so it would likely take less time to teach these
 kids the needed skills to round out what they already know than it would
 to teach someone older the same thing. It is the same principle behind
 teaching young children multiple languages: they learn them better than
 adults.

Yes I am aware they are; the ones who cry out that they are just script
kiddies and such are the ones who are most likely to be vulnerable in my
experience. Point is they still got owned, doesn't matter if the method
was easy. In fact, that it was easy should be an even greater concern
to everyone here. The fact that Stratfor got owned like they did shows
they were beyond negligent; HBGary was the same, as was Sony. They
shouldn't be trying to prosecute these kids, they should go after these
companies for grossly mishandling people's personal

Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-10 Thread Laurelai

On 1/11/12 1:15 AM, Kyle Creyts wrote:


How many of those engaged in these attacks _could_ actually fix the 
vulns they exploit? What is a good rough estimate in your opinion?


On Jan 11, 2012 12:47 AM, Laurelai laure...@oneechan.org wrote:


On 1/10/12 11:32 PM, James Smith wrote:
 Well I do agree with what you are stating. As I have seen incidents
 like this happen too many times.
 This mailing list is a big part of the IT Security community.



 -Original Message- From: Laurelai
 Sent: Wednesday, January 11, 2012 1:18 AM
 To: full-disclosure@lists.grok.org.uk
 Subject: Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

 On 1/10/12 10:18 PM, Byron Sonne wrote:
 Don't piss off a talented adolescent with computer skills.
 Amen! I love me some stylin' pwnage :)

 Whether they were skiddies or actual hackers, it's still amusing (and
 frightening to some) that companies who really should know better, in
 fact, don't.

 And again, if companies hired these people, most of whom come from
 disadvantaged backgrounds and are self-taught, they wouldn't have as much
 of a reason to be angry anymore. Most of them feel like they don't have
 any real opportunities for a career, and they are often right. Microsoft
 hired some kid who hacked their network; it is a safe bet he isn't going
 to be causing any trouble anymore. Talking about the trust issue, who
 would you trust more: the person who has all the certs and experience
 that told you your network was safe, or the 14-year-old who proved him
 wrong? We all know if that kid had approached Microsoft with his exploit
 in a responsible manner they would have outright ignored him. That's why
 this mailing list exists, because companies will ignore security issues
 until it bites them in the ass to save a buck.

 People are way too obsessed with having certifications that don't
 actually teach practical intrusion techniques. If a system is so fragile
 that teenagers can take it down with minimal effort then there is a
 serious problem with the IT security industry. Think about it: how long
 has SQL injection been around? There is absolutely no excuse for being
 vulnerable to it. None whatsoever. These kids are showing people the
 truth about the state of security online and that is what's making people
 afraid of them. They aren't writing 0-days every week, they are using
 vulnerabilities that are publicly available. Using tools that are
 publicly available, tools that were meant to be used by the people
 protecting the systems. Clearly the people in charge of protecting these
 systems aren't using these tools to scan their systems or else they would
 have found the weaknesses first.

 The fact that government organizations and large-name companies and
 government contractors fall prey to these types of attacks just goes to
 show the level of hypocrisy inherent to the situation. Especially when
 their solution to the problem is to just pass more and more restrictive
 laws (as if that's going to stop them). These kids are showing people
 that the emperor has no clothes and that's what's making people angry:
 they are putting someone's paycheck in danger. Why don't we solve the
 problem by actually addressing the real problem and fixing systems that
 need to be fixed? Why not hire these kids with the time and energy on
 their hands to probe for these weaknesses on a large scale? The ones
 currently in the job slots to do this clearly aren't doing it. I bet if
 they started replacing these people with these kids it would shake the
 lethargy out of the rest of them and you would see a general increase in
 competence and security. Knowing that getting your network owned by a
 teenager will not only get you fired, but replaced with said teenager, is
 one hell of an incentive to make sure you get it right.

 Yes, they would have to be taught additional skills to round out what
 they know, but every job requires some level of training and there are
 quite a few workplaces that will help their employees continue their
 education because it benefits the company to do so. This would be no
 different except that the employees would be younger, and younger people
 do tend to learn faster, so it would likely take less time to teach these
 kids the needed skills to round out what they already know than it would
 to teach someone older the same thing. It is the same principle behind
 teaching young children multiple languages: they learn them
 better than

Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-10 Thread Laurelai
On 1/11/12 1:21 AM, valdis.kletni...@vt.edu wrote:
 On Tue, 10 Jan 2012 23:18:40 CST, Laurelai said:

 real opportunities for a career and they are often right. Microsoft
 hired some kid who hacked their network, it is a safe bet he isn't going
 to be causing any trouble anymore.
 How safe a bet, exactly?  Safe enough to bet your business on it? Microsoft has
 $40B in cash handy to survive on if something goes wrong.  What's *your* Plan B
 if the kid you hired blabs about his gig and one of his buddies rapes your net
 using the credentials you gave the kid to do the pen test?

  Talking about the trust issue, who
  would you trust more: the person who has all the certs and experience
  that told you your network was safe, or the 14-year-old who proved him
  wrong?
 A really clever guy by the name of Edsger Dijkstra once said "Testing can prove
 the presence of bugs, but not their absence."  If you're getting a pen test
 done by somebody who says your network is safe, you're being ripped off. First,
 all networks have holes - if the pen tester comes up empty, it doesn't mean
 your net is secure, it means finding the holes needs somebody with better
 skills. Second, any pen tester who says the net is safe is a rip-off artist.
 At best, they can say "we did not find any of the following vulnerabilities we
 tested for. There may be vulnerabilities present that we were unable to find
 under the rules of engagement, which limit the scope and total time and money
 spent."

 Also, it's not just about who do you trust more to find the holes, it's who you
 trust to be professional while they do it.

 Or the "put your money where your mouth is" (literally) version - which one
 would you rather have working for your bank when they find a security hole that
 allows them access to your checking account?

If you guys can't scan for basic SQL injection and these kids can, then
there's a real problem; that's my point here. The attacks are so simple
children can do it, and the so-called experts aren't finding them or just
aren't looking, so I'm not sure if it's incompetence or apathy behind these
high-profile hacks. You can teach these kids the same skillsets the so-called
experts have, but you can't teach incompetent people to be competent, as
it's a willful mindset to not learn new things, and there's no solution for
apathy other than hiring someone who cares. These kids have the motivation
to learn new things and the energy to apply them, something the people they
are owning sorely lack. As the ancient proverb says, "Set a thief to catch
a thief."


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Fwd: Fw: Who is behind Stratfor hack?

2012-01-08 Thread Laurelai
I don't know why you emailed this to me, perhaps you were looking for
attention or something, so I've forwarded it to the FD list so you can
get all the attention you want.


Cheers.

 Original Message 
Subject:Fw: Who is behind Stratfor hack?
Date:   Sun, 8 Jan 2012 00:06:23 -0800 (PST)
From:   andrew.wallace andrew.wall...@rocketmail.com
Reply-To:   andrew.wallace andrew.wall...@rocketmail.com
To: Laurelai laure...@oneechan.org



- Forwarded Message -
*From:* andrew.wallace andrew.wall...@rocketmail.com
*To:* feedb...@stratfor.com feedb...@stratfor.com
*Sent:* Saturday, December 31, 2011 1:50 AM
*Subject:* Who is behind Stratfor hack?

If this turns out to be the person who hacked your web site, I would 
like a cash reward.


Andrew

---

http://pastebin.com/f7jYf5Wd

46.  lol xD

---

Should we read into this too much?

Andrew

---


48. We almost have sympathy for those poor DHS employees and australian 
billionaires who had their bank accounts looted by the lulz (orly? i 
just fapped).


---

The guy we know is australian...

Andrew

---

51. We call upon all allied battleships, all armies from darkness, to 
use and abuse these password lists and credit card information to wreak 
unholy havok upon the systems and personal email accounts of these rich 
and powerful oppressors. Kill, kitties, kill and burn them down... 
peacefully. XD XD


---

Signed as XD again.

Andrew

---

Last email I have from him is 23rd December... same kind of grammar as 
the Stratfor pastebin.


It seems he disappeared just as the Stratfor news broke just before 
Christmas.


Andrew

- Forwarded Message -
*From:* xD 0x41 sec...@gmail.com
*To:* Larry W. Cashdollar lar...@me.com
*Cc:* full-disclosure@lists.grok.org.uk
*Sent:* Friday, December 23, 2011 1:26 PM
*Subject:* Re: [Full-disclosure] Mobile Prank Hacktool

Hi Larry!
Hope you're doing well mate ;), anyhow, here.. I did manage to get
it via Windows.. maybe megaupload.com http://megaupload.com/ has blocks
for lynx or other Linux? Not sure and, not caring to test,.. lol... anyhow, same
file.. enjoy, cheers.
(Oh, I'd always run this with at least a basic sandbox, like Sandboxie,
which would make sure that we never lose our data in case there is
malware, which, usually, tools like this always do.. but, anyhow, it is not
from me, although many would probably wish it was :s sad...

 Looks like the link is unavailable.

 -- Larry C$

Oh, I was able to download what looks like a very interesting
application and files.. very cool... well, to look at atm :P
I did browse the src, just then directly upped it to hotfile.com.. I
think lynx is a bit better with hotfile... anyhow, here is a working
link:

http://hotfile.com/dl/138283571/f9ef676/Mobile_Prank_Hacktool.rar.html

Anyhow, cheers Larry, let me know if it worked; if not, I'll put it on an
ftp or sumthin :s but then I'd be checking my own connection :P~
lol... tc buddy!
XD // hax...@haxshells.us @ crazycoders.com
http://crazycoders.com/ crazycoders.us






Re: [Full-disclosure] Fwd: Fw: Who is behind Stratfor hack?

2012-01-08 Thread Laurelai
On 1/8/12 2:06 PM, valdis.kletni...@vt.edu wrote:
 On Sun, 08 Jan 2012 11:16:59 CST, Laurelai said:

 He sent a copy to you too?  My condolences.  He comes up with the most
 interesting conclusions sometimes.

 If this turns out to be the person who hacked your web site, I would
 like a cash reward.

 Andrew

 ---

 http://pastebin.com/f7jYf5Wd

 46.  lol xD
 Should we read into this too much?
 You just did, Andrew.  There's 2 possibilities. Either it's a frikkin *SMILEY*,
 or I'm actually a Microsoft hacker that goes by the name 'XP Vista'.  Hint - in
 a few places, we find the string 'xD xD'.  Do you sign your name Andrew Andrew?
 No? Then which is more likely, it's 2 smileys in a row, or the person's tag
 twice in a row?

  Last email I have from him is 23rd December... same kind of grammar as
  the Stratfor pastebin.
 This is *so* amusing, coming from the person who's *still* threatening legal
 action against me for suggesting n3td3v to Neal Krawetz, which resulted in
 a nice presentation at Black Hat on linguistic analysis.  At least Neal actually
 measured percentages of words and syllable lengths and tenses and stuff
 like that. ;)

  It seems he disappeared just as the Stratfor news broke just before
  Christmas.
 Andrew? Hate to break it to you, but a lot of people go on actual multi-week
 vacations around Christmastime. Heck, something like 57% of the entire population
 of the town I live in left around Dec 16, and won't be back till next week.  The
 streets are deserted.  Maybe one of those 20,000 people is the *real* hacker and
 left just before the news broke, not on Christmas vacation?

 lol XP XP
His logic reminds me of Jen Emerick



Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-07 Thread Laurelai
On 1/7/12 8:51 AM, Ed Carp wrote:
 ROFL!!!

 -- Forwarded message --
 From:george.fried...@stratfor.com
 Date: Sat, Jan 7, 2012 at 2:33 AM
 Subject: Rate Stratfor's Incident Response
 To: e...@pobox.com


 For the video announcement, please see
 http://www.youtube.com/watch?v=oHg5SJYRHA0
 Read full press release: http://bolt.thexfil.es/84e9h!t
 Rate Stratfor's incident response:
 http://img855.imageshack.us/img855/9055/butthurtreportform.jpg

 Hello loyal Stratfor clients,

 We are still working to get our website secure and back up and running
 again as soon as possible.

 To show our appreciation for your continued support, we will be making
 available all of our premium content *as a free service* from now on.

 We would like to hear from our loyal client base as to our handling of
 the recent intrusion by those deranged, sexually deviant criminal
 hacker terrorist masterminds. Please fill out the following form and
 return it to me

 My mobile: 512-658-3152
 My home phone: 512-894-0125

I still find this kind of thing hilarious.



Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-07 Thread Laurelai

On 1/7/12 2:48 PM, Ferenc Kovacs wrote:



On Sat, Jan 7, 2012 at 8:10 PM, Jeffrey Walton noloa...@gmail.com 
mailto:noloa...@gmail.com wrote:


http://bolt.thexfil.es/84e9h!t was an interesting link - it
demonstrated the pwnage.

It looks like these folks gained access via PHP. Stratfor was using a
Linux based system, but PHP was version 1.8
from 2009 (perhaps with some back patches). Current version of PHP is
5.3.8 (http://www.php.net/).


O really? PHP 1.8? How would you compile that on a modern Linux distro?
How would you run Drupal on top of it?

// $Id: default.settings.php,v 1.8.2.4 2009/09/14 12:59:18 goba Exp $
That is a line from the default Drupal config file.

I agree that the PHP app was the most likely source of the intrusion;
I would guess that they didn't keep the Drupal core and the contrib
modules up to date, and they were owned through some old vulnerability.


--
Ferenc Kovács
@Tyr43l - http://tyrael.hu


And again it makes me wonder how many other so-called security companies
are just as vulnerable.

Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-07 Thread Laurelai

On 1/7/12 3:50 PM, valdis.kletni...@vt.edu wrote:

On Sat, 07 Jan 2012 16:25:35 EST, Shyaam Sundhar said:


Although, once they have gained popularity and to a stage where a garage
office becomes a shop floor and a @home biz becomes a rent-a-million$-building
office, it is time to shift priorities.

If finding people who are competent enough to secure a payroll system for a
company of 10 people is difficult, what makes you think that it's easy to find
people who can secure the systems for a company of 1,000?

As Stratfor has demonstrated, the talent pool of *really* competent security
people is shallow enough that there's not even enough to secure the security
companies. And it's not just Stratfor - when was the last time this list went a
week without mocking a security company for its lack of clue?  It's an
industry-wide problem - there's a *severe* shortage of experts.

And even though schools like DeVry and ITT are churning out lots of people with
entry level certifications, I'm not at all sure that helps the situation - we
end up with a lot of people who are entry level, and don't realize how much
they don't know. That makes them almost more dangerous than not having anybody
at all. Sort of like if you walk alone through a scary part of town, you
actually stand a good chance because you *know* you're alone and will act
accordingly - but if you have a bodyguard with you, you're likely to act
differently, and end up totally screwed when you find out said bodyguard has a
belt in martial arts, but zero experience in street fighting...



Perhaps these companies should try to hire the kids owning them instead 
of crying to the feds.

Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-07 Thread Laurelai

On 1/7/12 5:31 PM, Ferenc Kovacs wrote:



On Sun, Jan 8, 2012 at 12:03 AM, Laurelai laure...@oneechan.org 
mailto:laure...@oneechan.org wrote:


On 1/7/12 3:50 PM, valdis.kletni...@vt.edu
mailto:valdis.kletni...@vt.edu wrote:

On Sat, 07 Jan 2012 16:25:35 EST, Shyaam Sundhar said:


Although, once they have gained popularity and to a stage where a garage
office becomes a shop floor and a @home biz becomes a rent-a-million$-building
office, it is time to shift priorities.

If finding people who are competent enough to secure a payroll system for a
company of 10 people is difficult, what makes you think that it's easy to find
people who can secure the systems for a company of 1,000?

As Stratfor has demonstrated, the talent pool of *really* competent security
people is shallow enough that there's not even enough to secure the security
companies. And it's not just Stratfor - when was the last time this list went a
week without mocking a security company for its lack of clue?  It's an
industry-wide problem - there's a *severe* shortage of experts.

And even though schools like DeVry and ITT are churning out lots of people with
entry level certifications, I'm not at all sure that helps the situation - we
end up with a lot of people who are entry level, and don't realize how much
they don't know. That makes them almost more dangerous than not having anybody
at all. Sort of like if you walk alone through a scary part of town, you
actually stand a good chance because you *know* you're alone and will act
accordingly - but if you have a bodyguard with you, you're likely to act
differently, and end up totally screwed when you find out said bodyguard has a
belt in martial arts, but zero experience in street fighting...




Perhaps these companies should try to hire the kids owning them
instead of crying to the feds.


Why do you think that kiddies using tools like sqlmap would be able to
defend them from other kids?



--
Ferenc Kovács
@Tyr43l - http://tyrael.hu
Because they pay the kids to own them in a safe manner to show that
their so-called experts are full of shit, then they fire said experts
and hire competent people, saving time, money and resources. Try and
remember the guys with the certs are the ones getting owned by the
skiddies with sqlmap, so that should show you how broken the infosec
industry is. Want to fix it? Start by hiring the skids because they are
still more competent than the guys they are owning. If that one gets
owned you hire the guy who owned him, etc., until you actually have to
know what the hell you're doing to be in infosec. Use a Darwinian approach
to the industry.

Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-07 Thread Laurelai
On 1/7/12 6:20 PM, valdis.kletni...@vt.edu wrote:
 On Sat, 07 Jan 2012 17:37:44 CST, Laurelai said:
 Because they pay the kids to own them in a safe manner to show that
 It's not as simple as all that.  A good pen-tester needs more skills than just
 how to pwn a server.  You need some business smarts, and you need to be *very*
 careful about writing the rules of engagement (some pen tests that involve
 physical attacks can literally get you shot at if you screw this part up), and
 then *sticking with them* (you find a major social engineering problem while
 doing a black-box test of some front-end servers, you better re-negotiate those
 rules of engagement before you do anything else).  Also, once a pen test
 starts, you can't take your time and poke it with the 3 or 4 types of attacks
 that you're good at - you have 3 weeks starting at 8AM Monday to hit it with
 37 different classes of attacks they're likely to see and another 61 types
 of attacks they're not likely to see and aren't expecting.  And be prepared to
 work any one of those 94 from "looks like might be an issue" to something you
 can put in a report and say "You Have A Problem".

 Almost no company is stupid enough to hire a pen testing team without that team
 posting a good-sized performance bond in case of a screw-up taking out a
 server, or a rogue pentester stealing the data. (ESPECIALLY in this case, you
 *already* caught them stealing the data once :)

 And the kids are going to land a $1M performance bond, how?

 (Hint - think this through.  Really good pentesters make *really* good bucks.
 If those kiddies had what it took to be good pentesters, they'd already be
 making bucks as pentesters, not as kiddies)

 their so called expertsd are full of shit, then they fire said experts
 and hire competent people saving time money and resources, try and
 Doesn't scale, because there's not enough competent people out there. There's
 140 million .coms, there aren't 140 million security experts out there.

 It's not a new idea - I've heard it every year or two since probably before
 most of the people on this list were born.  The fact that almost no companies
 actually *do* it, and that those hackers who have successfully crossed over to
 consulting are rare enough that you can name most of them, should tell you
 something about how well it ends up working in practice.

Well, enjoy your doomed industry then. I'll continue to take great
pleasure as the so-called experts get owned by teenagers.



Re: [Full-disclosure] NEVER AGAIN

2011-11-23 Thread Laurelai
On 11/23/2011 8:08 AM, Kain, Rebecca (.) wrote:
  I ask myself that all the time when I see andrew's posts

 -Original Message-
 From: full-disclosure-boun...@lists.grok.org.uk 
 [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of 
 valdis.kletni...@vt.edu
 Sent: Tuesday, November 22, 2011 7:38 PM
 To: Mario Vilas
 Cc: full-disclosure@lists.grok.org.uk
 Subject: Re: [Full-disclosure] NEVER AGAIN

 On Wed, 23 Nov 2011 01:12:56 +0100, Mario Vilas said:
 I'd love to know what number he called. Or at least what country+area code.
 Somewhere, a computer-illiterate great-grandmother is asking herself "What
 the blazes was *that* all about?"  :)

Yeah, I have to admit I'm lost on this one.


