Hi all,
I've been writing during the past week a concept of leak management system
with the following main differences with wikileaks:
* Concentrate on leak amplification to let leaks reach media
* No editing or publishing
* Fully distributed organizations
* Use best of existing
Nice recipe to easily end up in a ton of trouble and ridicule.
My 2 cents...
On Wed, Dec 15, 2010 at 10:21 AM, Fabio Pietrosanti (naif)
li...@infosecurity.ch wrote:
Hi all,
I've been writing during the past week a concept of leak management system with
the following main differences
It's a matter of splitting up responsibility among various players and
distributing almost everything.
With the growing number of improvised leak sites and more to come in
future, most don't even have a methodology/risk model or fully
understand the level of risks they are taking.
That's just
It's a matter of splitting up responsibility among various players and
distributing almost everything.
Leaking information is not a game, unlike some kids seem to think.
With the growing number of improvised leak sites and more to come in
future, most don't even have a methodology/risk
Hi Fabio and others Full-Disclosure readers,
Have you seen how WikiLeaks are editing already released cables?
Seems like WikiLeaks do not believe in Full-Disclosure and WL
partners have already created a Ministry of Truth (from Orwell's
final novel 1984).
For example in
On 15/12/10 12.24, Christian Sciberras wrote:
Which kind of trouble do you refer to? It's nice to hear about understanding
and risk analysis on that stuff.
Libel, fraud, sharing of illegal material.
Hey, if you're really intent on going along with this, be my guest.
I'll be watching
the
Not to criticize you, but it seems to me that you have not understood
what the differences are.
No problem with that. That's part of the point of discussion.
I did understand the differences. The main issue is that dangerous
material may be published anonymously without verification or
On 15/12/2010 11:34, Fabio Pietrosanti (naif) wrote:
On 15/12/10 12.24, Christian Sciberras wrote:
Which kind of trouble do you refer to? It's nice to hear about understanding
and risk analysis on that stuff.
Libel, fraud, sharing of illegal
www.eVuln.com advisory:
BBCode CSS XSS in slickMsg
Summary: http://evuln.com/vulns/162/summary.html
Details: http://evuln.com/vulns/162/description.html
---Summary---
eVuln ID: EV0162
Software: slickMsg
Vendor: n/a
Version: 0.7-alpha
Critical Level: low
Type: Cross Site
On Wed, Dec 15, 2010 at 4:21 AM, Fabio Pietrosanti (naif)
li...@infosecurity.ch wrote:
Hi all,
I've been writing during the past week a concept of leak management system with
the following main differences with wikileaks:
Concentrate on leak amplification to let leaks reach media
No editing or
On 15 December 2010 01:35, musnt live musntl...@gmail.com wrote:
Original e-mail is from Theo DeRaadt
Is my question: Why is now Theo cower like rat. Is because his
stance from the beginning: we is audit everything for make me
believe Theo was is also on the payroll. Enjoy everyone.
What is
___
Mandriva Linux Security Advisory MDVSA-2010:254
http://www.mandriva.com/security/
Kingcope, Where is the exploit for this? :P
regards,
--
Nahuel Grisolia - C|EH
Information Security Consultant
Bonsai Information Security Project Leader
http://www.bonsai-sec.com/
(+54-11) 4777-3107
___
Full-Disclosure - We believe in it.
Charter:
Don't encourage that weasel.
On Wed, Dec 15, 2010 at 2:33 PM, Nahuel Grisolia nah...@bonsai-sec.comwrote:
Kingcope, Where is the exploit for this? :P
regards,
yeah kingc0pe strut your stuff!
u da b0mb!!111
2010/12/15 Benji m...@b3nji.com
Don't encourage that weasel.
On Wed, Dec 15, 2010 at 2:33 PM, Nahuel Grisolia nah...@bonsai-sec.comwrote:
Kingcope, Where is the exploit for this? :P
regards,
I've been writing during the past week a concept of leak management system
Don't people see the irony of systems designed for leaking information
anonymously?
Tillmann
I hate it when someone beats me to a bug report.
https://addons.mozilla.org/en-US/firefox/user/5578717/ (this example
will only work against firefox).
The xss occurs due to no filtering / escaping the display name attribute for a
user.
___
Mandriva Linux Security Advisory MDVSA-2010:255
http://www.mandriva.com/security/
On Wed, Dec 15, 2010 at 9:19 AM, John Bond john.r.b...@gmail.com wrote:
What is wrong with this. The code is audited and for all you know any
back door which was placed in this code has been found and fixed. It
would be arrogant and irresponsible for Theo or anyone else to ignore
a claim of
On 12/13/2010 4:27 PM, Ryan Sears wrote:
Hey Dan,
Freaking THANK YOU first and foremost. I've been waiting for someone to say
that for days now, and was just about to myself.
is snip
Plain and simple. *THEN* there's people who don't even bother to read that
Red Hat does not support
After our Online Binary Planting Exposure Test became defunct as a result of
Microsoft fixing the Windows Address Book binary planting bug, we updated the
test with two unfixed vulnerabilities. Everyone is welcome to keep testing their
Windows computers for Internet-based binary planting
On Wed, 15 Dec 2010 12:25:26 EST, musnt live said:
[musntl...@pizda ~]# gcc -o hakaruski fullnullson.c ./hakaruski
[*] Failed to open file descriptors.
'#'. Exploit testing fail.
wooosshhh, right over Vlads head
On Wed, Dec 15, 2010 at 5:35 PM, valdis.kletni...@vt.edu wrote:
On Wed, 15 Dec 2010 12:25:26 EST, musnt live said:
[musntl...@pizda ~]# gcc -o hakaruski fullnullson.c ./hakaruski
[*] Failed to open file descriptors.
'#'. Exploit testing fail.
On Thu, 2010-12-16 at 02:26 +1100, dave b wrote:
I hate it when someone beats me to a bug report.
https://addons.mozilla.org/en-US/firefox/user/5578717/ (this example
will only work against firefox).
The xss occurs due to no filtering / escaping the display name attribute for a
user.
Cute.
/fixed
On Wed, Dec 15, 2010 at 5:49 PM, Peter Besenbruch p...@lava.net wrote:
On Thu, 2010-12-16 at 02:26 +1100, dave b wrote:
I hate it when someone beats me to a bug report.
https://addons.mozilla.org/en-US/firefox/user/5578717/ (this example
will only work against firefox).
The xss
On Thu, 16 Dec 2010 02:26:57 +1100
dave b db.pub.m...@gmail.com wrote:
I hate it when someone beats me to a bug report.
https://addons.mozilla.org/en-US/firefox/user/5578717/ (this example
will only work against firefox).
The xss occurs due to no filtering / escaping the display name
'Pointter PHP Content Management System' Unauthorized Privilege Escalation
(CVE-2010-4332)
Mark Stanislav - mark.stanis...@gmail.com
I. DESCRIPTION
---
A vulnerability exists in the 'Pointter PHP Content Management System'
authentication system which allows
'Pointter PHP Micro-Blogging Social Network' Unauthorized Privilege Escalation
(CVE-2010-4333)
Mark Stanislav - mark.stanis...@gmail.com
I. DESCRIPTION
---
A vulnerability exists in the 'Pointter PHP Micro-Blogging Social Network'
authentication system which
On Wed, Dec 15, 2010 at 1:04 PM, Greg Whynott greg.whyn...@oicr.on.ca wrote:
funny...
1. you were root when you ran the code! epic elite.
2. he said red hat NOT redhat based. Redhat has no control over what
others do to redhat based efforts.
Is you must not feed the troll. Is proof this
Have a wonderful rest of the week!
You too!
You guys are awesome and fix things way too fast.
--On December 14, 2010 8:40:14 PM -0500 b...@fbi.dhs.org wrote:
Hi,
Has anyone read this yet?
http://www.downspout.org/?q=node/3
Seems IPSEC might have a back door written into it by the FBI?
So for 10 years IPSEC has had a backdoor in it and not one person examining
the code has
Please is ignore Schmehl for to he is going senile:
http://www.utdallas.edu/staffcouncil/images/grouppic-05F.jpg
For Theo is technically make fabrication obviously
(http://en.wikipedia.org/wiki/Lie#Fabrication):
Fabrication
A fabrication is a lie told when someone submits a statement as truth,
On Dec 15, 2010, at 10:32 AM, Paul Schmehl wrote:
--On December 14, 2010 8:40:14 PM -0500 b...@fbi.dhs.org wrote:
http://www.downspout.org/?q=node/3
Seems IPSEC might have a back door written into it by the FBI?
So for 10 years IPSEC has had a backdoor in it and not one person
Hey all,
Lots of interesting points so far. I have to respectfully disagree with those
saying 'NO POC, NO FOUL' (or however you put it).
Think carefully about the way in which one would go about back-dooring
something like IPSEC under such a scrupulous public eye. You have *very*
The cformsII plugin for WordPress contains a vulnerability within its
Captcha Verification functionality. This vulnerability exists due to an
inherent trust of user controlled input. An attacker could utilise this
vulnerability to completely bypass the captcha security mechanism on any
wordpress
On 12/15/2010 01:32 PM, Paul Schmehl wrote:
--On December 14, 2010 8:40:14 PM -0500 b...@fbi.dhs.org wrote:
So for 10 years IPSEC has had a backdoor in it and not one person
examining
the code has noticed it? Or even questioned it? That's a bit hard to
believe. It's along the same lines as
the exploit are in your ass motherfucker !
2010/12/15 Nahuel Grisolia nah...@bonsai-sec.com
Kingcope, Where is the exploit for this? :P
regards,
--On December 15, 2010 10:55:39 AM -0800 bk cho...@gmail.com wrote:
On Dec 15, 2010, at 10:32 AM, Paul Schmehl wrote:
--On December 14, 2010 8:40:14 PM -0500 b...@fbi.dhs.org wrote:
http://www.downspout.org/?q=node/3
Seems IPSEC might have a back door written into it by the FBI?
So for
On 12/15/2010 1:55 PM, bk wrote:
On Dec 15, 2010, at 10:32 AM, Paul Schmehl wrote:
--On December 14, 2010 8:40:14 PM -0500 b...@fbi.dhs.org wrote:
http://www.downspout.org/?q=node/3
Seems IPSEC might have a back door written into it by the FBI?
So for 10 years IPSEC has had a backdoor in
Hi,
You can get the full manual here: www.osstmm.org
Reports, reviews, and background osstmm info available at
www.infosecisland.com/osstmm.html
Also, mark your calendars because the OSSTMM Forum will be on Feb. 17
to 18 in Barcelona, Spain!
Sincerely,
-pete.
--
Pete Herzog - Managing
So for 10 years IPSEC has had a backdoor in it and not one person examining
the code has noticed it? Or even questioned it? That's a bit hard to
believe.
Yeah, this totally never happens in the FOSS world.
http://www.theregister.co.uk/2009/08/14/critical_linux_bug/
/mz
funny...
1. you were root when you ran the code! epic elite.
2. he said red hat NOT redhat based. Redhat has no control over what
others do to redhat based efforts.
you need more coffee! 8)
-g
musnt live spewed:
[musntl...@pizda ~]# awk '/rel/' /etc/issue
Scientific Linux SL release 5.5
On Wed, 15 Dec 2010 12:32:47 CST, Paul Schmehl said:
So for 10 years IPSEC has had a backdoor in it and not one person examining
the code has noticed it? Or even questioned it?
Debian/Ubuntu/etc SSL/SSH key vuln FTW. That backdoor with a commit
message of 'shut up valgrind' managed to hide
-g musnt live is a parody of must live... humor this =)
// rancor
2010/12/15 Greg Whynott gwhyn...@gmail.com
funny...
1. you were root when you ran the code! epic elite.
2. he said red hat NOT redhat based. Redhat has no control over what
others do to redhat based efforts.
you need
use your brain! Is we think with our brain and ask: how is
team OpenBSD lying to is public well then is the proof is in the
porridge!
We has OpenBSD tell us:
We have never allowed US citizens or foreign citizens working in the
US to hack on crypto code
On Wed, Dec 15, 2010 at 3:22 PM, Theo de Raadt dera...@cvs.openbsd.org wrote:
We has OpenBSD tell us:
We have never allowed US citizens or foreign citizens working in the
US to hack on crypto code
http://marc.info/?l=openbsd-tech&m=129237675106730&w=2
That statement remains true.
Our
ZDI-10-291: Symantec Endpoint Protection Manager Reporting Server fw_charts.php
Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-291
December 15, 2010
-- CVE ID:
CVE-2010-0114
-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)
-- Affected Vendors:
Symantec
--
2010/12/15 musnt live musntl...@gmail.com:
What is this time to stop the press!
This fake broken English schtick is really stupid and annoying. Knock
it off. In the meantime you are kill filed. I suggest everyone else do
the same as nothing useful has ever come of this person.
BMF
In my own opinion, when the code hits the stable release, I doubt that
after the code is audited at 100% unless someone adds a new feature to that
part or a bug is found in that code part. All that due to the complexity
to understand the code, all that energy is better invested to make new
features
On Wed, 15 Dec 2010 10:55:39 -0800 bk cho...@gmail.com wrote
I call bullshit on all the people claiming this couldn't possibly have
existed because anyone can read the source. How many of you understand
crypto. OK, now how many of you _actually_ understand crypto? And of those,
how many
We has OpenBSD tell us:
We have never allowed US citizens or foreign citizens working in the
US to hack on crypto code
http://marc.info/?l=openbsd-tech&m=129237675106730&w=2
That statement remains true.
IPSEC isn't 100% crypto; it is a complex layered subsystem with many
other elements
he has some cool root exploits. but you have to run them as root.
On Dec 15, 2010, at 5:00 PM, BMF wrote:
2010/12/15 musnt live musntl...@gmail.com:
What is this time to stop the press!
This fake broken English schtick is really stupid and annoying. Knock
it off. In the meantime you are
Theo,
How would one go about getting the code that was worked on at the time? I
don't see it at openbsd.org.
Also, do you have a sense of what other projects used that code?
Presumably at least some of them did audits as well.
LJS
I second that... yet we obviously need to figure out better ways to audit the
code... maybe some kind of security-oriented unit-test framework? (don't know
if it exists already, and if it does, maybe it's already employed for the
OpenBSD project... dunno)
WintermeW
On 15 Dec. 2010 at
On Wed, Dec 15, 2010 at 3:46 PM, clément Game clem...@digi-nation.com wrote:
I second that... yet we obviously need to figure out better ways to audit the
code... maybe some kind of security-oriented unit-test framework? (don't know
if it exists already, and if it does, maybe it's already
On Wed, Dec 15, 2010 at 6:53 PM, Larry Seltzer la...@larryseltzer.com wrote:
Theo,
How would one go about getting the code that was worked on at the time? I
don't see it at openbsd.org.
Theo would be is person to ask, he is after all person who is make change:
Out-of-troll-mode;
Although I do see that it is probably all FUD, musnt live makes some valid
points.
At the moment OpenBSD just lost a few (more, if you count cvs's being
rooted) trustworthiness points, which can only be rectified with an audit of
the IPSEC code (initially). Until this is done,
On 12/15/2010 5:00 PM, BMF wrote:
2010/12/15 musnt live musntl...@gmail.com:
What is this time to stop the press!
This fake broken English schtick is really stupid and annoying. Knock
it off. In the meantime you are kill filed. I suggest everyone else do
the same as nothing useful has ever
Has anyone read this yet?
http://www.downspout.org/?q=node/3
Seems IPSEC might have a back door written into it by the FBI?
Surely the thing to do now is not to audit *your own* OpenBSD code, but to
audit the OpenBSD code from about 8 years ago. If there's nothing there,
then the claim is
On 16 December 2010 09:50, Larry Seltzer la...@larryseltzer.com wrote:
Has anyone read this yet?
http://www.downspout.org/?q=node/3
Seems IPSEC might have a back door written into it by the FBI?
Surely the thing to do now is not to audit *your own* OpenBSD code, but to
audit the OpenBSD
Ok, so there is suspicion that IPSEC and maybe some related code has
been backdoored. How to validate? We have some smart folks on this
board, what methods do the gurus have to impart to the little people?
We are not stupid either, but sometimes a clue can help a brother
out...
-Rob
On Wed,
On Dec 15, 2010, at 5:23 PM, Graham Gower wrote:
On 16 December 2010 09:50, Larry Seltzer la...@larryseltzer.com wrote:
Has anyone read this yet?
http://www.downspout.org/?q=node/3
Seems IPSEC might have a back door written into it by the FBI?
Surely the thing to do now is not to
On Wed, Dec 15, 2010 at 7:40 PM, Rob Wilcox robertwil...@gmail.com wrote:
Ok, so there is suspicion that IPSEC and maybe some related code has
been backdoored. How to validate? We have some smart folks on this
board, what methods do the gurus have to impart to the little people?
We are not
sci.crypt would probably be the best place to ask. I imagine there's a
discussion already, but have not visited lately.
Have you been to the Usenet recently?;-)
/mz
I've been using Gmail and thought you might like to try it out. Here's an
invitation to create an account.
You're Invited to Gmail!
Rockey Killer has invited you to open a Gmail account.
Gmail is Google's free email service, built on the idea that email can be
intuitive, efficient, and fun.
On Wed, Dec 15, 2010 at 11:28 PM, Michal Zalewski lcam...@coredump.cx wrote:
sci.crypt would probably be the best place to ask. I imagine there's a
discussion already, but have not visited lately.
Have you been to the Usenet recently?;-)
One stop shopping: get your crypto questions answered,
Where were you all those years ago when I was dying for an invite...
On 16 December 2010 15:41, Rockey Killer skg...@gmail.com wrote:
I've been using Gmail and thought you might like to try it out. Here's an
invitation to create an account.
--
Shaineel Singh
e: shain.si...@gmail.com
p: +61
I should have sent the invitation carefully and should not have disturbed
such
a nice mailing list with some stupid invitation .. I apologize .. for that
..
Cheers,
Rockey
On Thu, Dec 16, 2010 at 11:09 AM, Shain Singh shain.si...@gmail.com wrote:
Where were you all those years ago when I was