Re: [Full-disclosure] Think Drupal was FLOSS and non-profit? Think again.
dru...@hush.com wrote:
> Thought Drupal was open source and non-profit? Not anymore.

This seems like a relatively minor issue. I thought the fact that it is written by newbs in PHP (if they weren't newbs they wouldn't still be coding PHP) and therefore a remote root server would be enough to keep people away from it, much less any trademark issues.

BMF

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Nipper licensing
On Wed, Sep 2, 2009 at 1:16 AM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
> ouch. a couple of years ago we had some home-brew code doing the job. Nipper came along...was free..and did everything we did + a little more. but now it looks like we'll be picking up our old Perl code and fixing it up to do everything that Nipper does - and a little more.

Was Nipper not available as source and licensed so it could be forked in an event such as this? If not, consider it an object lesson in "free as in beer" vs "free as in speech".

BMF
Re: [Full-disclosure] Andrew Auerenheimer aka weev gets tree'd
On Wed, Sep 16, 2009 at 9:11 PM, Valdis' Mustache securitas.must...@gmail.com wrote:
> Dearest waxer and comber of my unruly bits and purger of stray nose hairs in my midst:

WTF is up with this mailing list? I signed up a few weeks ago expecting full disclosure of security exploits or at least good security discussion. Instead what I got was full disclosure of how idiotic skr1p7 k1dd13z can be.

BMF
Re: [Full-disclosure] So weev...
On Fri, Oct 2, 2009 at 4:57 PM, GOBBLES gobbles1...@safe-mail.net wrote:
> There is a strong likelihood chance we can get Andrew into prison for his criminal activity.

Sweet! I love to send people to Federal Pound-me-in-the-ass Prison! While Bubba is fudgin' this weev character I can be fudgin' his momma!
Re: [Full-disclosure] So weev...
On Fri, Oct 2, 2009 at 5:14 PM, GOBBLES gobbles1...@safe-mail.net wrote:
> This is about fighting crime. Not about putting your stuff into the alleged suspect's mother. Please have some sense of courtesy and professionalism.

Bwahahahha...someone who posts other people's dirty laundry and pics of his family and goes by the name GOBBLES (as in gobbles knobs) is lecturing ME on courtesy and professionalism? You don't care one whit about crime or professionalism. Now if you'll excuse me I gotta go beat off to this pic of his momma you posted...say, got any pics of your momma?
Re: [Full-disclosure] So weev...
On Fri, Oct 2, 2009 at 5:14 PM, GOBBLES gobbles1...@safe-mail.net wrote:
> Not about putting your stuff into the alleged suspect's mother.

Also: Isn't it way late to start using words like "alleged"? You have already definitively stated that he has done the deeds. What's the point?
Re: [Full-disclosure] Microsoft confirms first Windows 7 zero-day bug
On Mon, Nov 16, 2009 at 10:00 PM, Ivan . ivan...@gmail.com wrote:
> http://computerworld.co.nz/news.nsf/scrt/E9592E1A9719742ACC25766F0066B38D

It reminds me of a newborn baby's first poop: You knew it would happen sooner or later.

BMF
Re: [Full-disclosure] The cyber security intelligence community will never be the same
On Tue, Nov 17, 2009 at 11:48 AM, Sam Haldorf sahald...@ymail.com wrote:
> my name is andrew wallace

"You're a loony." - King Arthur
Re: [Full-disclosure] FREE STEPHEN WATT !!!
FREE THE HYDROXYL RADICALS

BMF
Re: [Full-disclosure] Why
Or Vogon poetry?

On Fri, Feb 19, 2010 at 2:09 PM, Christian Sciberras uuf6...@gmail.com wrote:
> @Jonny - Hmm, talented. Ever thought about writing books?
>
> On Fri, Feb 19, 2010 at 10:57 PM, Thor (Hammer of God) t...@hammerofgod.com wrote:
>> "Vivisected like string cheese?"
>>
>> -----Original Message-----
>> From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Jonathan Barningham
>> Sent: Friday, February 19, 2010 1:51 PM
>> To: full-disclosure@lists.grok.org.uk
>> Subject: Re: [Full-disclosure] Why
>>
>>> Hello. I used to be online friends with a subject of an FBI investigation. (Not saying who, for my safety.) I suppose I could be of assistance in his arrest and prosecution; however, they didn't approach me that way. They approached me years after I changed my life, in a very heavy-handed way. Steven Hatfill-like, but with local cops. (Clearly, I'm being ambiguous to protect my anonymity.) Add a little ambiguity and locals with hit lists against me from my younger years. That's all it takes. In truth it's not just MIB, it's local police back where I used to live. I'm not going to be arrested obviously, but the constant bullying, harassment, surveillance, pretexts and entrapment attempts is mind-numbing and painful. I'm not some bad guy. I feel so deeply hurt.
>>>
>>> FBI? Stories in specific? A provocateur sent to paint me like a cyberterrorist. My life being vivisected like string cheese. My humble, peaceful lifestyle being sensationalised and scrutinized by ignorant Jack Bauers and inept bureaucrats. My friends are terrified, it's like they have a knife to their throat -- that is, the ones that stood up for me and got threatened. The more gullible ones comply like the Milgram experiment and give Oscar-winning performances. Never knew my innocuous life could be spun to make me look like a mobster. I just want to be left alone.
>>>
>>> I can't even make friends or girlfriends because cops will just go to them and take them from me. I am an amicable man and I can't be free without them threatening the ones I love and turning them against me. I feel so hopeless. I'm unsure if they can even articulate a legal reason to justify such harassment. But that's the power of a runaway fishing expedition. I wish I could just sue those bastards. @#$!
>>>
>>> Appreciate your concern
>>>
>>> P.S. Any of you whitehats have an idea what I can do here?
>>>
>>> On Tue, 16 Feb 2010 15:43:46 + ja...@smithwaysecurity.com wrote:
>>>> Hello, So why are the Feds and/or homeland security up your ass so much. What is it you know they want you to keep quiet about.
>>>>
>>>> Sent from my iPhone
Re: [Full-disclosure] How I become Vice President of Security at Yahoo! 1999-2005.
Pass the dutchie...

On Fri, Feb 19, 2010 at 3:45 PM, John Q Public johndoet...@hush.ai wrote:
> Greetings. I've been holding this one back for a while. It's been eating at my skin. I was just an intern at the time, but I'd get the mail, copy the text, delete his mail, and send the mail to my supervisor, authored by me. I still remember the friendships I made at Yahoo. The cute girlfriends I have and how it changed my life. I remember I was just some office kid opening up emails in Outlook 2000. But I've risen to be so much more. This mysterious person helped me do it. Eventually, I was promoted up to Vice President of Security at Yahoo! and made nearly six figures a year.

Nearly, eh? I guess six figures sounds like a lot from the point of view of the kind of wanker who would write this.

> This is what I did. And I told no one. All I know is there is a kid whose advice I took credit for and he is the key factor for my success in life. I live in a $500k condo in Mountain View. Wife, 2 kids, and a Lexus (2009 Hybrid, Italian leather seats, TV in backseat for the kids).

$500k isn't much house in a big city in California (although it was even less a couple years ago).

> I just wanted to let you know that the security tips helped. I feel pretty guilty for flat out taking credit for all his work though. I just had to get it off my chest. Thank you so much, if you read this list. You've touched my life.

Your mom.

BMF
Re: [Full-disclosure] Going underground, living out of backpack, etc?
I could use a blow. Simon, you are welcome to use my couch. On second thought, never mind. The sort of douche who would ask for lifestyle advice on an alleged security mailing list which consists almost entirely of trolls and computer illiterates probably couldn't use my couch without hurting himself. Besides, I'd just bruise your palate.

On Mon, Mar 8, 2010 at 12:40 AM, Anders Klixbull a...@experian.dk wrote:
> Learn how to blow old men and live on their couches
>
> -----Original Message-----
> From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Simon Garfinkle
> Sent: 1 March 2010 05:50
> To: full-disclosure@lists.grok.org.uk
> Subject: [Full-disclosure] Going underground, living out of backpack, etc?
>
>> Hello. I am interested in getting some advice from you security professionals (white hat and black hat) about going underground. I am sick of big brother, I love independence, I want to experience the world and have no commitments. I am just sick of being held down in one place. It's too easy for people to harass and stalk you. You gotta be mobile. Fancy free and footloose. You gotta be underground. Have any advice for living out of a bag? Any stories? Any lessons?
Re: [Full-disclosure] Weev's Mugshot
On Mon, Apr 5, 2010 at 8:36 PM, Scarf Pride Worldwide terdlinkmob...@gmail.com wrote:
> Allegedly he obstructed justice by giving a false name.. most likely didn't put money in the parking meter at the synagogue

He doesn't look very Jewish to me.
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
On Fri, Apr 23, 2010 at 3:33 PM, Christian Sciberras uuf6...@gmail.com wrote:
> 4) I've looked into whether it was in our best interest to use PCI. (it was decided that it wasn't worth the trouble) At that time, I knew about PCI but not its details, at which point we got someone to explain in detail for us.

This right here screams "bullshitter". It isn't as if you get to decide if you want to use PCI or not. If you process credit cards with the major card brands you are going to do PCI either now or eventually. There is no other security standard which you can choose.

You also show signs of being a victim of absolutism. Nobody has ever claimed that PCI makes you secure. It is a minimal standard which experience has shown most companies need spelled out for them. There is much more than just the things spelled out by PCI that need to be done. As usual in these situations, your real complaint isn't about PCI but about the people who just don't get the point.
Re: [Full-disclosure] Windows' future (reprise)
On Sat, May 15, 2010 at 7:40 AM, Thor (Hammer of God) t...@hammerofgod.com wrote:
> I am constantly amazed at posts like this where you make yourself sound like some sort of statistical genius because you were able to predict that since last year was %243, that this year would be %243. Wow. Really?

I agree that the post is a bit pompous...however:

> And for the record, these claims of 'inherent insecurity' in Windows are simply ignorant. If you are still running Windows 95 that's your problem. Do a little research before posting assertions based on 10 or 20 year old issues. This smacks of the classic troll, where you say things like "nothing that Microsoft makes is secure and it never will be"

But...it is true that nothing Microsoft (or anyone, perhaps) makes is secure. And given that Microsoft has a decades-long history of far worse than industry average security I think it is pretty reasonable to surmise that Windows will never be secure.

> and then go on to say how easy it is to migrate, and how it's free, with only a one off cost, and how to move off of .NET.

We migrated. With only a one off cost. Been a few years now. Business is looking good.

> Obvious predictions, ignorant assumptions, and a total lack of any true understanding of business computing. Yep, troll.

Trollish but not entirely wrong.

BMF
Re: [Full-disclosure] Windows' future (reprise)
On Sat, May 15, 2010 at 1:22 PM, Jeffrey Walton noloa...@gmail.com wrote:
> As opposed to crowd sourcing, which some claim is inherently more secure because more [uneducated] eyes review the source code?

There are far more educated eyes able to review the Linux source code than the Windows source code. The uneducated people reviewing it don't seem to be hurting anything while the educated people reviewing it are helping a lot if all of the patches I see coming in every day are any measure.

> This is along the lines of, 'Linux does not get viruses' argument.

Well...has it ever? I've been running it on a day to day basis on my desktop since 1994 and have never once gotten a virus. I have been active in the community since then and I have never met anyone who got one. So...

BMF
Re: [Full-disclosure] Stealthier Internet access
On Tue, May 25, 2010 at 3:01 PM, valdis.kletni...@vt.edu wrote:
> It's not worth worrying about wiping the remapped sectors on a disk - even an older 40G drive has some 80 million sectors on it - so even if you have a few hundred sectors that have remapped due to I/O errors, it's still literally a one-in-a-million shot that anything incriminating is in the sector.

If Bipim is storing his nekked self-portraits on the HD it is very possible that something incriminating would be stored entirely within the one bad sector.

BMF
Re: [Full-disclosure] targetted SSH bruteforce attacks
On Thu, Jun 17, 2010 at 5:31 PM, Sebastian Rother sebastian.rot...@jpberlin.de wrote:
> But OpenBSD's PF could limit the attacks you describe pretty nicely (and here I have to thank Henning and others for their free time imho, what you made is imho working at least).

Here's how it is done on Linux:

# Start from empty tables (this also drops any other rules you had).
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# Block SSH brute force attacks but not our networks like 1.2.3.0/24 etc.
# Whitelisted sources are taken back out of the "SSH" recent-list and accepted.
iptables -N SSH_WHITELIST
iptables -A SSH_WHITELIST -s 1.2.3.0/24 -m recent --remove --name SSH -j ACCEPT
iptables -A SSH_WHITELIST -s 4.5.6.0/24 -m recent --remove --name SSH -j ACCEPT

# Every new connection to port 22 is recorded under the "SSH" list, then
# checked against the whitelist.
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_WHITELIST

# 4 or more new connections from one source within 60 seconds (same TTL, so a
# spoofed source can't get a third party blocked) are logged and dropped.
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

BMF
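The host-side counterpart to the iptables rules above, as an added example that is not from the thread: the same "4 new attempts from one source within 60 seconds, unless whitelisted" rule applied to sshd log lines, which is what you would run against a central syslog when the firewall is not under your control. The log lines are constructed for the demo, and 1.2.3.0/24 is the whitelist placeholder network from the post.

```python
"""Sliding-window SSH brute-force detector over sshd log lines.

Added example modelled on the iptables "recent" rules above: 4 new
attempts from one source within 60 seconds trips the limit unless the
source is in a whitelisted network. Log lines below are constructed.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

WINDOW_SECONDS = 60
HITCOUNT = 4
WHITELIST = [ipaddress.ip_network("1.2.3.0/24")]  # placeholder from the post

# Constructed sample in auth.log format: one fast attacker, one whitelisted
# source, one slow attacker that never puts 4 attempts inside 60 seconds.
SAMPLE_LOG = """\
Jun 17 17:31:01 host sshd[100]: Failed password for root from 203.0.113.7 port 4001 ssh2
Jun 17 17:31:05 host sshd[101]: Failed password for root from 203.0.113.7 port 4002 ssh2
Jun 17 17:31:09 host sshd[102]: Failed password for admin from 203.0.113.7 port 4003 ssh2
Jun 17 17:31:12 host sshd[103]: Failed password for admin from 203.0.113.7 port 4004 ssh2
Jun 17 17:31:20 host sshd[104]: Failed password for bob from 1.2.3.44 port 5001 ssh2
Jun 17 17:31:21 host sshd[105]: Failed password for bob from 1.2.3.44 port 5002 ssh2
Jun 17 17:31:22 host sshd[106]: Failed password for bob from 1.2.3.44 port 5003 ssh2
Jun 17 17:31:23 host sshd[107]: Failed password for bob from 1.2.3.44 port 5004 ssh2
Jun 17 17:31:30 host sshd[108]: Failed password for root from 198.51.100.9 port 6001 ssh2
Jun 17 17:33:00 host sshd[109]: Failed password for root from 198.51.100.9 port 6002 ssh2
Jun 17 17:34:00 host sshd[110]: Failed password for root from 198.51.100.9 port 6003 ssh2
Jun 17 17:35:00 host sshd[111]: Failed password for root from 198.51.100.9 port 6004 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)


def parse_line(line, year=2010):
    """Return (timestamp, ip) for a failed-password line, else None.
    Syslog lines carry no year, so the caller supplies one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, ipaddress.ip_address(m.group("ip"))


def is_whitelisted(ip):
    addr = ipaddress.ip_address(str(ip))
    return any(addr in net for net in WHITELIST)


def offenders(log_text, window=WINDOW_SECONDS, hitcount=HITCOUNT):
    """Map source IP -> time (HH:MM:SS) it first reached `hitcount`
    attempts within `window` seconds. Whitelisted sources are skipped,
    mirroring the SSH_WHITELIST chain."""
    recent = defaultdict(deque)   # per-source timestamps inside the window
    tripped = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip = parsed
        if is_whitelisted(ip):
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:   # expire old attempts
            q.popleft()
        if len(q) >= hitcount and ip not in tripped:
            tripped[ip] = ts
    return {str(ip): ts.strftime("%H:%M:%S") for ip, ts in tripped.items()}
```

Note the slow attacker at one attempt per minute is not caught, exactly as the iptables rule would miss it; lowering the hit count or widening the window trades that against locking out a legitimate user who fumbles a password a few times.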
Re: [Full-disclosure] Reliable reports on attacks on medical software and IT-systems available?
On Tue, Aug 10, 2010 at 2:03 PM, halfdog m...@halfdog.net wrote:
> Possible answers might be (sorted by probability):

* There is no money in harming or killing patients.

BMF
Re: [Full-disclosure] [GOATSE SECURITY] Clench: Goatse's way to say screw you to certificate authorities
On Wed, Sep 8, 2010 at 9:24 AM, Andrew Auernheimer glutt...@gmail.com wrote:
> un-tl;dr abstract: SSL is broken. Certificate authorities only exist to let the US, Chinese, Turkish, Brazilian etc etc government or Russian mob spy on you (whichever is interested first). Well, I guess they also exist to line the pockets of assholes who want $10-50 for pushing a button.

Amen. This is why we should use and support web of trust style systems. CAcert for SSL. GPG for most other things.

BMF
Re: [Full-disclosure] [GOATSE SECURITY] Clench: Goatse's way to say screw you to certificate authorities
On Wed, Sep 8, 2010 at 12:12 PM, Christian Sciberras uuf6...@gmail.com wrote:
> Call me paranoid, but I stick to the #1 rule of never ever trusting the public.

That is what is good about WoT. You can set the policy on who to trust. You can trust only yourself, certain people, or $BIGCORP if that is what you want. Right now your browser by default trusts one of over 600 different groups, some of which are governments: http://www.slate.com/id/2265204

> I'd rather have a company pay some good bucks to get their hands on a highly trusted certificate than kids whose aim in life is wiping as many hard disks as possible.

"highly trusted"? You're joking, right?

> Which also answers why those $10-$20 assholes do a better job than the kids we all know about...

Kids aren't trusted unless that is who you decide to trust.
Re: [Full-disclosure] Gödel and kernel backdoors
On Sat, Sep 18, 2010 at 3:30 PM, Giuseppe Fuggiano giuseppe.fuggi...@gmail.com wrote:
> On Sat, 2010-09-18 at 22:51 +0300, Georgi Guninski wrote:
>> all programs that do. In other words, no program can find all the viruses on your computer, unless it interferes with *and alters* the operating system.
>
> Interesting, especially because actually Antiviruses do alter my operating system, usually making it unstable. That's why I don't use them.

It modifies and interferes with your operating system and it STILL doesn't find ALL the viruses! Only known ones and even that is hit and miss. Antivirus as a protection method is dead.

BMF
Re: [Full-disclosure] wikileaks still under attack, pressure revved up
On Thu, Oct 21, 2010 at 11:32 AM, Charles Timko charles.ti...@hotmail.com wrote:
> Agreed. I am all for the transparency, but WL is possibly putting our troops at risk by releasing military strategy. I wouldn't expect JA to think that

From: http://articles.cnn.com/2010-10-16/us/wikileaks.assessment_1_julian-assange-wikileaks-documents?_s=PM:US

"The online leak of thousands of secret military documents from the war in Afghanistan by the website WikiLeaks did not disclose any sensitive intelligence sources or methods, the Department of Defense concluded."

So some are playing it up but the top dude at the Pentagon is playing it down. Who ya gonna believe? Unless someone can point to a verified leaked document online which says "Mohammed Jihad Dirka Dirka who lives at lat/long told us Osama is in that house over there" or some such I can't believe such information is being distributed.

BMF
Re: [Full-disclosure] OpenBSD Paradox
2010/12/15 musnt live musntl...@gmail.com:
> What is this time to stop the press!

This fake broken English schtick is really stupid and annoying. Knock it off. In the meantime you are killfiled. I suggest everyone else do the same as nothing useful has ever come of this person.

BMF
Re: [Full-disclosure] Allegations regarding OpenBSD IPSEC
On Wed, Dec 15, 2010 at 3:46 PM, clément Game clem...@digi-nation.com wrote:
> i second that...yet we obviously need to figure out better ways to audit the code...maybe some kind of security-oriented unit-test framework ? ( don't know if it exists already, and if it does, maybe that it's already employed for the OpenBSD project...dunno )

We're likely talking potential side-channel key leakage here...that sort of thing will be very hard to find. Unit-testing is not applicable.

The worst thing about this sort of allegation is that it is impossible to prove that it isn't true. All we will ever be able to say is "We haven't found it yet."

BMF
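An added example (not OpenBSD code, and not about any specific allegation in the thread) of why a functional unit test does not catch a side channel: two MAC-tag comparisons that return identical results on every input, so both pass the kind of test a unit-test framework runs, yet one does an amount of work that depends on where the first mismatching byte is, which an attacker with a timer can observe. Work is measured with an explicit counter rather than wall-clock timing so the demonstration is deterministic; that counter, the 16-byte secret and the "flip one bit at position i" guesses are all constructed for the example.

```python
"""Functional equivalence vs. side-channel behaviour.

Added example for the point that unit tests do not find side channels:
naive_compare and constant_time_compare agree on every (equal / not equal)
answer, but only the naive one leaks the mismatch position through the
amount of work it does. The work counter stands in for a timing oracle.
"""


def naive_compare(a: bytes, b: bytes):
    """Early-exit comparison. Returns (equal, bytes_examined)."""
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:          # bails out at the first difference: the leak
            return False, examined
    return True, examined


def constant_time_compare(a: bytes, b: bytes):
    """Examines every byte no matter where (or whether) they differ."""
    if len(a) != len(b):
        return False, 0
    diff = 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        diff |= x ^ y       # accumulate; no data-dependent branch
    return diff == 0, examined


def functional_test(compare):
    """What a unit test checks: the boolean answers only."""
    secret = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed
    cases = [
        (secret, True),
        (bytes(16), False),                  # differs from byte 1 onward
        (secret[:-1] + b"\x00", False),      # differs only in the last byte
        (b"\xff" + secret[1:], False),       # differs only in the first byte
    ]
    return all(compare(secret, guess)[0] == expected for guess, expected in cases)


def leak_profile(compare, secret: bytes):
    """Work done for a guess that differs from `secret` only at byte i,
    for each i. A flat profile means the mismatch position is not leaked."""
    profile = []
    for i in range(len(secret)):
        guess = bytearray(secret)
        guess[i] ^= 0x01
        profile.append(compare(secret, bytes(guess))[1])
    return profile


def leaks_position(compare, secret: bytes = bytes(range(16))):
    """True if the work profile varies with the mismatch position."""
    return len(set(leak_profile(compare, secret))) > 1
```

Both functions pass `functional_test`; only `leak_profile` tells them apart, and it is the profile an attacker recovers one byte at a time. In real code use `hmac.compare_digest` from the standard library rather than rolling your own, and note that a profile like this still says nothing about leaks through caches, branch predictors or power, which is why "we haven't found it yet" is all an audit can honestly report.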
Re: [Full-disclosure] Default SSL Keys in Multiple Routers
On Sat, Dec 18, 2010 at 7:13 PM, Craig Heffner cheff...@devttys0.com wrote:
> The LittleBlackBox project contains a database of over 2,000 (and growing) private SSL keys that are correlated with their respective public certificates, and hardware/firmware versions. While most of these certificates are from DD-WRT firmware, there are also private keys from other vendors including Cisco, Linksys, D-Link and Netgear.

Most of what I have read so far indicates that these secret keys can be used to sniff only administrative traffic to the device itself. I have a client who uses a bunch of WRV200's for corp VPN access. They are configured with a shared secret. Wouldn't they use DH with the built-in private key to exchange the shared secret, which would make the VPN traffic itself vulnerable? Looks like you have the 210 but not the 200 but I bet your tool could pull out the key for the WRV200.

BMF
Re: [Full-disclosure] how i stopped worrying and loved the backdoor
On Fri, Dec 24, 2010 at 4:27 PM, coderman coder...@gmail.com wrote:
> how many of you have a competent userspace entropy daemon funneling hardware sources into host pool?

It would be nice if there were inexpensive hardware sources available and a means to distribute the entropy among hosts in one's own trusted infrastructure. I have a mail server, a name server, an ntp server (usually several), among various other sorts of pieces of infrastructure which serve hundreds or even thousands of servers. Why not an entropy server? It would be nice if I could set up an entropy generating black box somewhere and attach it via USB to my entropy server host then install a package with a config file on all of my machines pointing to the entropy host. But so far I know of no such thing. Do you?

BMF
Re: [Full-disclosure] how i stopped worrying and loved the backdoor
On Fri, Dec 24, 2010 at 5:08 PM, Dan Kaminsky d...@doxpara.com wrote:
> Don't we have hardware RNG in most motherboard chipsets nowadays?

Do we? By what mechanism do they operate? Thermal noise seems the easiest way to go although I have always preferred the idea of sampling random radioactive decay simply for the purity of the immediate result. What is the quality of the entropy of the devices you speak of? How fast do they generate entropy? I have heard nothing about this. How could I tell if my machine had hw rng built in?

Some i810 series chipsets have hw rng. There is also the Intel 82802 Firmware Hub chip that nobody seems to use anymore. I have heard of people pointing webcams at lava lamps and such to get random numbers.

BMF
Re: [Full-disclosure] how i stopped worrying and loved the backdoor
On Sat, Dec 25, 2010 at 2:12 PM, cpol...@surewest.net wrote:
> Check out Markus Jakobsson et al, "A Practical Secure Physical Random Bit Generator", 1998, using the turbulence of airflow inside the drive as the source of randomness. Can't do much better than that.

I read that when it came out. I am quite familiar with turbulent boundary layers. Nobody sells hardware (hard drives, in this case) which actually implements the technique. All of my original queries still stand.

BMF
Re: [Full-disclosure] Full-Disclosure Digest, Vol 83, Issue 21
On Tue, Jan 17, 2012 at 11:23 AM, valdis.kletni...@vt.edu wrote:
> Yes, people *have* been prosecuted for playing "twiddle the URL" games before. I'd have to go dig up a cite, but it's happened (hacker was basically abusing a site's predictable URL scheme).

Here is one relatively recent incident of "twiddle the URL" which got someone prosecuted and will be familiar to some here...

http://simonhunt.wordpress.com/2011/01/19/two-charged-with-data-theft-from-june-10s-att-hack/

BMF
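From the defender's side, the thing to detect in "twiddle the URL" is one client walking a resource's numeric identifier in sequence. The following is an added example, not from the thread and not tied to any real site's logs: a detector over web-server access log lines that normalises numeric identifiers out of paths and query strings and flags a client whose requests for the same resource form a run of consecutive identifiers. The log lines, IP addresses and the `/account?id=` resource are constructed for the demo; the run-length threshold of 5 is an assumption to tune per site.

```python
"""Detector for sequential identifier enumeration ("twiddle the URL").

Added example, not from the thread. Parses combined-format access log lines,
groups requests by (client, resource template) and reports clients whose
identifiers for one resource form a long run of consecutive integers.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample: one client walks ids 1001..1006 (a 404 in the middle is
# typical when an id is unused), one client re-fetches its own record, one
# fetches a static file.
SAMPLE_LOG = """\
192.0.2.10 - - [17/Jan/2012:11:20:01 +0000] "GET /account?id=1001 HTTP/1.1" 200 512
192.0.2.10 - - [17/Jan/2012:11:20:02 +0000] "GET /account?id=1002 HTTP/1.1" 200 514
192.0.2.10 - - [17/Jan/2012:11:20:02 +0000] "GET /account?id=1003 HTTP/1.1" 200 509
192.0.2.10 - - [17/Jan/2012:11:20:03 +0000] "GET /account?id=1004 HTTP/1.1" 404 0
192.0.2.10 - - [17/Jan/2012:11:20:03 +0000] "GET /account?id=1005 HTTP/1.1" 200 511
192.0.2.10 - - [17/Jan/2012:11:20:04 +0000] "GET /account?id=1006 HTTP/1.1" 200 520
198.51.100.5 - - [17/Jan/2012:11:21:00 +0000] "GET /account?id=4242 HTTP/1.1" 200 515
198.51.100.5 - - [17/Jan/2012:11:25:00 +0000] "GET /account?id=4242 HTTP/1.1" 200 515
203.0.113.9 - - [17/Jan/2012:11:26:00 +0000] "GET /static/logo.png HTTP/1.1" 200 9000
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def extract_ids(target):
    """Yield (resource_template, int_id) for every numeric identifier in the
    request target: numeric path segments become "{n}" in the template,
    numeric query values are keyed by "path?param"."""
    parts = urlsplit(target)
    segs = parts.path.split("/")
    for i, seg in enumerate(segs):
        if seg.isdigit():
            yield "/".join(segs[:i] + ["{n}"] + segs[i + 1:]), int(seg)
    for key, values in parse_qs(parts.query).items():
        for v in values:
            if v.isdigit():
                yield f"{parts.path}?{key}", int(v)


def longest_step_run(values):
    """Length of the longest run where each id is the previous one +/- 1."""
    if not values:
        return 0
    best = run = 1
    for prev, cur in zip(values, values[1:]):
        if cur - prev in (1, -1):
            run += 1
            best = max(best, run)
        else:
            run = 1
    return best


def detect_enumeration(log_text, min_run=5):
    """Return one alert per (client, resource) whose identifier sequence
    contains a consecutive run of at least `min_run` values."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        for template, ident in extract_ids(m.group("target")):
            seen[(m.group("ip"), template)].append(ident)
    alerts = []
    for (ip, template), ids in seen.items():
        run = longest_step_run(ids)
        if run >= min_run:
            alerts.append({"ip": ip, "resource": template,
                           "run": run, "distinct_ids": len(set(ids))})
    return alerts
```

The detector is order-sensitive on purpose: a client that fetches the same record twice, or a handful of unrelated records, produces a run of 1. Attackers who randomise the order or rotate source addresses defeat this simple form, so in practice you would also key on session or API token and look at the count of distinct identifiers per client, not only the run length.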
Re: [Full-disclosure] phpMyBible 0.5.1 Multiple XSS
Ezekiel 23:20

On Sun, Apr 22, 2012 at 12:59 PM, Thor (Hammer of God) t...@hammerofgod.com wrote:
> You dropped a FD on the BIBLE?? Dude, you're going straight to Hacker Hell! :)
>
> Timothy "Thor" Mullen
> www.hammerofgod.com
> Thor's Microsoft Security Bible
>
> -----Original Message-----
> From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Thomas Richards
> Sent: Sunday, April 22, 2012 8:09 AM
> To: full-disclosure@lists.grok.org.uk
> Subject: [Full-disclosure] phpMyBible 0.5.1 Multiple XSS
>
>> # Exploit Title: phpMyBible 0.5.1 Multiple XSS
>> # Date: 04/15/12
>> # Author: G13
>> # Twitter: @g13net
>> # Software http://sourceforge.net/projects/phpmybible/?source=directory
>> # Version: 0.5.1
>> # Category: webapps (php)
>> #
>> # Description
>> # phpMyBible is an online collaborative project to make an e-book of the Holy Bible in as many languages as possible. phpMyBible is designed to be flexible to all readers while maintaining the authenticity and originality of the Holy Bible scripture.
>>
>> # Vulnerability
>> # phpMyBible has multiple XSS vulnerabilities. When reading a section of the Bible, both the 'version' and 'chapter' variables are prone to reflective XSS.
>>
>> # Exploit
>> # http://localhost/index.php?book=1&version=[XSS]&chapter=[XSS]
>>
>> # Vendor Notification
>> # 04/15/12 - Vendor Notified
>> # 04/22/12 - No response, disclos
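The advisory quoted above names the reflection but not the code behind it. As an added example (not phpMyBible's code, which is PHP; a Python stand-in written for this page), here is a minimal renderer that interpolates the `version` and `chapter` query parameters into the page the way the advisory describes, the same renderer with context-appropriate escaping, and the canary check a tester uses to tell the two apart. The template markup and the canary string are constructed for the example.

```python
"""Reflected XSS: vulnerable renderer, hardened renderer, reflection check.

Added example standing in for the phpMyBible behaviour described in the
advisory; not the project's own code.
"""
import html
from urllib.parse import parse_qs, urlsplit

# Constructed page fragment: both values land in HTML text context.
TEMPLATE = "<h1>Version {version}</h1><p>Chapter {chapter}</p>"
PARAMS = ("version", "chapter")


def params_from_url(url):
    """First value of each query parameter, like PHP's $_GET."""
    q = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in q.items()}


def render_vulnerable(params):
    """Raw interpolation: whatever the client sent becomes markup."""
    return TEMPLATE.format(version=params.get("version", ""),
                           chapter=params.get("chapter", ""))


def render_hardened(params):
    """Escape each untrusted value for the HTML text context it is placed in.
    html.escape(quote=True) covers < > & " ' which is right for text and
    quoted attributes; JavaScript, URL or CSS contexts need different encoders."""
    safe = {k: html.escape(params.get(k, ""), quote=True) for k in PARAMS}
    return TEMPLATE.format(**safe)


CANARY = '"><svg onload=alert(1)>'   # constructed probe, harmless if escaped


def reflected_unescaped(render, param, canary=CANARY):
    """True if the canary comes back byte-for-byte, i.e. unescaped."""
    params = {"version": "kjv", "chapter": "1"}
    params[param] = canary
    return canary in render(params)


def vulnerable_params(render):
    """The parameters of `render` that reflect the canary unescaped."""
    return [p for p in PARAMS if reflected_unescaped(render, p)]
```

The canary test is the same thing a scanner does against a live target: inject a string containing the characters that matter for the context and look for it verbatim in the response. It only proves reflection in this one context; a value echoed inside a `<script>` block or an unquoted attribute needs a different canary and a different encoder.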
Re: [Full-disclosure] phpMyBible 0.5.1 Multiple XSS
On Sun, Apr 22, 2012 at 9:32 PM, Laurelai laure...@oneechan.org wrote:
> On 4/22/12 10:56 PM, BMF wrote:
>> Ezekiel 23:20
>
> It's Ezekiel 25:17..

It sounded cool when he said it in the movie but I've never found any Bible that actually goes anything like what he said. Besides, I'm into donkey dicks and horse jizz so 23:20 is the verse for me.

BMF
Re: [Full-disclosure] FW: Curso online - Profesional pentesting - Promocion ( 25% de descuento )
Actually, this Juan Sacco assclown has been pissing me off too. I'm in some group with him on LinkedIn and getting his messages. I keep flagging them as spam. I wish I knew how to get him to stop emailing and messaging me.

Juan: Knock it off, you disaffected deleterious douchenozzle.

On Sat, May 19, 2012 at 10:44 AM, Charles Morris cmor...@cs.odu.edu wrote:
> I request your permission to test any and all of your facilities in any way I deem appropriate including (but not limited to) your personal machines, the machines of your coworkers and family, and any other device I deem within scope of my testing. Further, I request you to grant full, unlimited access and authorization for me to test these devices in any way I see fit with full unadulterated impunity.
>
> stop flexing
Re: [Full-disclosure] [SECURITY] [DSA 2502-1] python-crypto security update
On Sun, Jun 24, 2012 at 7:35 PM, coderman coder...@gmail.com wrote:
> how many of you fools mix a hw entropy source into your crypto keying? ever hear of 82802? XSTORE? RDRAND? lava lamps?

I have a server with one of these in it: http://www.entropykey.co.uk/ although I still need to find a reasonably secure way to share the entropy with all of my VMs where it is really needed.

BMF
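Both the "entropy server" idea in the December thread and the question here about sharing one hardware source with many VMs come down to the same design rule: a consumer must mix remote entropy in such that a compromised or stuck remote source can never make its local randomness worse, and it should refuse blocks that are obviously not random. The following is an added example of that consumer-side mixing, not from the thread and not the code of any entropy daemon or product; how the block gets to the host (transport, authentication) is out of scope, the `host_key` is an assumed per-host secret, and the remote blocks in the test are constructed.

```python
"""Consumer-side mixing of remote entropy with the local pool.

Added example, not from the thread. A remote block is first screened for
gross failures (too short, constant, heavily biased), then combined with
local randomness under a keyed hash so the output is unpredictable to anyone
who controls only one of the two inputs.
"""
import hashlib
import hmac
import math
import os
from collections import Counter


def shannon_entropy_per_byte(data: bytes) -> float:
    """Bits of Shannon entropy per byte over the observed byte distribution
    (8.0 is the maximum). An estimate of bias, not a proof of randomness."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def plausibly_random(block: bytes, min_bits: float = 7.0, min_len: int = 256) -> bool:
    """Coarse sanity check. Catches a stuck device or an all-zero stream; a
    CSPRNG with a fixed seed passes it, so passing is necessary, not sufficient."""
    return len(block) >= min_len and shannon_entropy_per_byte(block) >= min_bits


def mix_entropy(local: bytes, remote: bytes, key: bytes) -> bytes:
    """Derive 32 bytes from local and remote randomness with HMAC-SHA256 under
    a per-host key. Length prefixes keep (local, remote) pairs unambiguous.
    If either input is good, the output is unpredictable to someone who does
    not know the other input and the key."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    h.update(b"entropy-mix-v1")                  # domain separation label
    h.update(len(local).to_bytes(4, "big"))
    h.update(local)
    h.update(len(remote).to_bytes(4, "big"))
    h.update(remote)
    return h.digest()


def seed_from_sources(remote_block: bytes, host_key: bytes, local_source=os.urandom):
    """Return (seed, used_remote). The remote block is mixed in only if it
    passes the sanity check; otherwise the seed comes from local randomness
    alone, which is never worse than before the remote was consulted."""
    local = local_source(32)
    if plausibly_random(remote_block):
        return mix_entropy(local, remote_block, host_key), True
    return mix_entropy(local, b"", host_key), False
```

On Linux the kernel exposes a recognised chipset or USB RNG as `/dev/hwrng`, and rng-tools' `rngd` is the usual userspace daemon that feeds it into the kernel pool on the host that has the device; the mixing above is what the other hosts and guests should do with whatever they fetch from that host, rather than writing remote bytes straight into their pools. The sanity check deliberately runs before the mix so that a failed device is visible in monitoring instead of silently degrading into "local only".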