RE: Security holes revisited -- reward offered
Go to grc.com and have it check your ports..

-----Original Message-----
From: Calvin Ward [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 06, 2000 8:16 AM
To: [EMAIL PROTECTED]
Subject: Re: Security holes revisited -- reward offered

Just for clarification: this person would break into a local ISP, post the general information about the hole (SMTP port open, etc.), go to the next local ISP and do the same thing, all in the same place. He wouldn't remove the information unless it was fixed AND he was informed/happened across it, or he was paid to fix it. This was a publicly viewable web site, and in fact the competing ISPs could even see the pointers at each other's holes.

Please direct all responses to the newsgroup so that all may benefit from my lack of wisdom!

----- Original Message -----
From: "Tim Lieberman" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, April 05, 2000 6:39 AM
Subject: RE: Security holes revisited -- reward offered

It's only extortion if there's a threat implied. Think of it this way:

1) If there is an exploitable hole, your box is insecure.
2) Assuming I don't cause any damage[*], all I'm doing is alerting you to a security problem.

It's not really ethical to do this, but it's not extortion either. It's more like a locksmith walking into your locked office at night, and leaving a note that says: "Your locks suck - I was able to pick them in under 30 seconds. Call me at [number] and we'll talk about getting you some real security". Yes, he was trespassing, but it's not extortion. Some might call it "breaking and entering", but assuming the lock still functions (in what is now recognized as a limited capacity), I wouldn't agree with the "breaking" part.

Extortion would be, for example, if I hacked your box, deleted some unimportant data, and said that if I didn't get paid, I'd come back and delete some important stuff.

[*] Some companies try to claim that someone breaking their security causes damage in the form of losses to upgrade/update/fix their security. This is a fallacy; the hole was there before the 'hacker' exploited/called attention to it.

At 06:15 PM 00/04/05 -0400, you wrote:

Gee, sounds like a classic mafia protection racket. Pay us or your business will suddenly have some broken windows. Most places call this extortion.

- Steve

-----Original Message-----
From: Jennifer [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 05, 2000 12:57 PM
To: [EMAIL PROTECTED]
Subject: Re: Security holes revisited -- reward offered

At 08:29 AM 4/5/00 -0500, you wrote:

So what do you guys think about part time hackers that attempt a breakin, post general results on a website, and then ask for payment to fix your problems?

Tim Lieberman
Take a break and have a listen, Electric Mind Control
Do It NOW: Workshop Funk Bakery
http://www.mp3.com/emcw

--
Archives: http://www.eGroups.com/list/cf-talk
To Unsubscribe visit http://www.houseoffusion.com/index.cfm?sidebar=listsbody=lists/cf_talk or send a message to [EMAIL PROTECTED] with 'unsubscribe' in the body.
Re: Security holes revisited -- reward offered
> Apparently, there is a cross frame security element in the browsers that prevents one frame from scripting another if they are from different domains. If you know of a way around this I would greatly appreciate any help.

Well, if there were an easy way around it then it wouldn't be much of a security precaution, would it? <g>

You might want to look into signed scripts... I don't know much about the subject, except that there are a number of security precautions in JS that can only be bypassed with signed scripts. Other than that you may be out of luck.

Regards,
Seth Petry-Johnson
Argo Enterprise and Associates
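The cross-frame restriction the question describes is the browser's same-origin check: a script in one document may touch another frame's document only when scheme, host and port all match. The following is an added illustration, not code from the thread or from any browser; the `makeFrame`, `accessFrame` and `tryAccess` functions are stand-ins written for this example, and the URLs are constructed. It shows why a different scheme, a different port, or even a subdomain of the same site counts as a different origin and is refused.

```javascript
// Added example (not from the original thread): a model of the browser's
// cross-frame scripting check. A page and a frame may script each other only
// when their origins (scheme, host and port) are identical; otherwise access
// is refused. The "frame" objects below are plain JS stand-ins, an assumption
// made for this demonstration.

// Return the canonical origin "scheme://host:port" of a URL, filling in the
// default port so "http://example.com" and "http://example.com:80" match.
function originOf(urlString) {
  const u = new URL(urlString);
  const defaultPorts = { 'http:': '80', 'https:': '443' };
  const port = u.port || defaultPorts[u.protocol] || '';
  return `${u.protocol}//${u.hostname.toLowerCase()}:${port}`;
}

// Two documents are same-origin only if scheme, host and port all agree.
// A subdomain (www.example.com vs example.com) is a different origin.
function sameOrigin(urlA, urlB) {
  return originOf(urlA) === originOf(urlB);
}

// Stand-in for a frame: records where its document came from and holds the
// script-visible state a parent page might want to read.
function makeFrame(documentUrl, state) {
  return { documentUrl, state };
}

// What the browser does when a script running on parentUrl tries to read a
// frame's document: allow it only within the same origin, raise a
// SecurityError otherwise. Returns the frame's state on success.
function accessFrame(parentUrl, frame) {
  if (!sameOrigin(parentUrl, frame.documentUrl)) {
    const err = new Error(
      `Blocked a frame with origin ${originOf(parentUrl)} from accessing ` +
      `a frame with origin ${originOf(frame.documentUrl)}`);
    err.name = 'SecurityError';
    throw err;
  }
  return frame.state;
}

// Wrapper that reports the outcome instead of throwing, the way a page
// script would catch the failure.
function tryAccess(parentUrl, frame) {
  try {
    return { allowed: true, state: accessFrame(parentUrl, frame) };
  } catch (e) {
    if (e.name !== 'SecurityError') throw e;
    return { allowed: false, reason: e.message };
  }
}

// Constructed demonstration inputs: one frame served by the page's own site,
// one served by a partner site.
const ownFrame = makeFrame('http://www.example.com/widget.cfm', { loggedIn: true });
const partnerFrame = makeFrame('http://partner.example.net/widget.cfm', { loggedIn: true });

// Run both attempts from a page on www.example.com and return the outcomes.
function demo() {
  const page = 'http://www.example.com/index.cfm';
  return [tryAccess(page, ownFrame), tryAccess(page, partnerFrame)];
}
```

`demo()` returns one allowed result (own frame) and one refusal with the SecurityError message (partner frame); `sameOrigin` is the only decision point, which is why there is no "easy way around it" from page script alone.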
Re: Security holes revisited -- reward offered
Just for clarification: this person would break into a local ISP, post the general information about the hole (SMTP port open, etc.), go to the next local ISP and do the same thing, all in the same place. He wouldn't remove the information unless it was fixed AND he was informed/happened across it, or he was paid to fix it. This was a publicly viewable web site, and in fact the competing ISPs could even see the pointers at each other's holes.

Please direct all responses to the newsgroup so that all may benefit from my lack of wisdom!

----- Original Message -----
From: "Tim Lieberman" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, April 05, 2000 6:39 AM
Subject: RE: Security holes revisited -- reward offered

It's only extortion if there's a threat implied. Think of it this way:

1) If there is an exploitable hole, your box is insecure.
2) Assuming I don't cause any damage[*], all I'm doing is alerting you to a security problem.

It's not really ethical to do this, but it's not extortion either. It's more like a locksmith walking into your locked office at night, and leaving a note that says: "Your locks suck - I was able to pick them in under 30 seconds. Call me at [number] and we'll talk about getting you some real security". Yes, he was trespassing, but it's not extortion. Some might call it "breaking and entering", but assuming the lock still functions (in what is now recognized as a limited capacity), I wouldn't agree with the "breaking" part.

Extortion would be, for example, if I hacked your box, deleted some unimportant data, and said that if I didn't get paid, I'd come back and delete some important stuff.

[*] Some companies try to claim that someone breaking their security causes damage in the form of losses to upgrade/update/fix their security. This is a fallacy; the hole was there before the 'hacker' exploited/called attention to it.

At 06:15 PM 00/04/05 -0400, you wrote:

Gee, sounds like a classic mafia protection racket. Pay us or your business will suddenly have some broken windows. Most places call this extortion.

- Steve

-----Original Message-----
From: Jennifer [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 05, 2000 12:57 PM
To: [EMAIL PROTECTED]
Subject: Re: Security holes revisited -- reward offered

At 08:29 AM 4/5/00 -0500, you wrote:

So what do you guys think about part time hackers that attempt a breakin, post general results on a website, and then ask for payment to fix your problems?

Tim Lieberman
Take a break and have a listen, Electric Mind Control
Do It NOW: Workshop Funk Bakery
http://www.mp3.com/emcw
RE: Security holes revisited -- reward offered
Pick up a copy of BlackIce Defender from Network Ice. Cost $40. I've read it will prevent just about every type of "kiddy script" attack known and is a must have for cable modem users. http://www.netice.com/

Chris R. Mack
Manager, Internet Strategies
Lockheed Martin Technology Services
[EMAIL PROTECTED]

-----Original Message-----
From: Nick Call [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 04, 2000 11:44 AM
To: [EMAIL PROTECTED]
Subject: Security holes revisited -- reward offered

Ok, fellow Listees, here's the deal...

My boss's daughter has a boyfriend.. (can you smell the trouble already???). He is bent out of shape over the fact that I did not recommend that we hire him (I interviewed him and gave his skill sets an honest, thorough exam). He is good at A/V stuff, but his web experience/database experience is null.

Anyway, back to the situation.. He has convinced the boss to pay him 2 grand to attempt to hack the system I built. He claims to be a super hacker, blah, blah, blah. I am not too confident that he can do it, but there is a small chance. Multiple minds are better than one. I have gone over and over all the stuff I know, but I am more than likely missing some stuff. Anyone care to share their CF/NT/IIS security checklist or other advice?

It's escalated into all-out war. He is going to stop at nothing to make me look bad, and I will stop at nothing to prevent him from succeeding.

Thanks in advance. I will custom print 5 free T-shirts with your logo (in one color) on them if you give me advice that plugs up a hole that I didn't know about.

Thanks in advance.

Nick Call
[EMAIL PROTECTED]
http://www.graphixonline.com
RE: Security holes revisited -- reward offered
> Ok, fellow Listees, here's the deal...

> Or he could have planted a TROJAN while his girlfriend went to the bathroom, etc. (I almost got kicked out of college for doing that to the nosey sysadmin once. :-)

> I'm not sure I understand what you're trying to say here :-)
> Steve

Hee. That didn't come out exactly right at all. :)

--min
Re: Security holes revisited -- reward offered
Nick,

Go to http://grc.com/ and you can run tests on the security of your system. I'd recommend this site to anyone who has a permanent connection. Plus there's a shareware (or is it freeware? can't remember) program that checks your computer for the presence of that snoop program that sends information about your computing habits to various companies.

Cheers
Taz
Re: Security holes revisited -- reward offered
> Go to http://grc.com/ and you can run tests on the security of your system. I'd recommend this site to anyone who has a permanent connection. Plus there's a shareware (or is it freeware? can't remember) program that checks your computer for the presence of that snoop program that sends information about your computing habits to various companies.

Gibson likes www.ZoneAlarem.com.

Len
RE: Security holes revisited -- reward offered
Hi folks

Would anyone object if I pulled all of your comments/suggestions/URLs out of your emails in this thread and put them together in a document??

** Please respond directly to me rather than to the list **

If I get no responses then I'll take that to be a "go for it".

Regards
Stephen
RE: Security holes revisited -- reward offered
www.NWPSW.com has a pretty good port scanner in NetScanTools 4.0, which is useful for other Windows tcp/ip tasks, too.

For host security, www.zonelarm.com can block ports with "no response", ie, no response to probe, and helps out on the DDOS problem by blocking all of a windows machine's OUTBOUND traffic (ie, DDOS agents) unless specifically enabled.

http://advice.networkice.com has Black Ice, an intrusion detection product for windows with graphical real-time displays of attacks in progress, so you know when this and other @ssholes mount their attacks, if not their girlfriends. One of my leased-line customers scared himself white watching as Black Ice exposed all the sh|t that was being thrown at his desktop PC. Today, the saying should be "as sure as death, taxes, and scanning".

www.GRC.com will scan you for free; these people http://www.automatedscanning.com/ will do it for a fee, probably more aggressively.

http://www.interhack.net/pubs/fwfaq/, if you're new to network security and firewalls.

You can build a very effective stateful, packet filtering, logging firewall/router with FreeBSD and Darren Reed's ipfilter, both free.

For host security, I can email you HP's .pdf of "Building a Windows NT bastion host in practice", written by one of their consultants in Sweden, dated 1999-09. Comprehensive.

The guy may try to take out your DNS (run BIND 8.2.2 p5) and your mail server, too, never mind your NT turkeys. postfix and qmail claim a lot more mail security than sendmail. postfix on FreeBSD can be an extremely effective mail gateway "in front of" your mail server.

I've got a mailing list for the Imail people, but not really restricted to them, for a project I call IMGate, which is postfix on FreeBSD configured as a defensive, relay-only mail gateway. You can join my list here: mailto:[EMAIL PROTECTED]?subject=subscribe%20IMGate

Len

still waiting for Michael Dinowitz to fix his broken DNS records for the HOF mail server that postfix is warning me of wrong forward/reverse records
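Len's closing complaint, that postfix warns about a mail server whose forward and reverse DNS records disagree, is the check a relay-only gateway applies to every connecting client: look up the PTR name for the client address, then confirm that name resolves forward to the same address. The block below is an added example written for this page, not Len's IMGate configuration or postfix's own code; the PTR and A record tables are constructed stand-ins for real lookups, and the `strict` policy flag in `gatewayDecision` is an assumption of this example, not a postfix setting.

```javascript
// Added example (not from the thread, not IMGate or postfix code): the
// forward-confirmed reverse DNS check a defensive mail gateway performs on
// a connecting client, run over constructed records so it works offline.

// Constructed reverse (PTR) records: address -> names.
const PTR_RECORDS = {
  '192.0.2.10': ['mail.example.com'],   // consistent forward/reverse pair
  '192.0.2.20': ['mx.example.net'],     // PTR exists, but A points elsewhere
  '192.0.2.30': [],                     // no PTR record at all
};
// Constructed forward (A) records: name -> addresses.
const A_RECORDS = {
  'mail.example.com': ['192.0.2.10'],
  'mx.example.net': ['192.0.2.99'],
};

// Stand-ins for resolver calls (assumption: synchronous table lookups).
function lookupPtr(ip) { return PTR_RECORDS[ip] || []; }
function lookupA(name) { return A_RECORDS[name.toLowerCase()] || []; }

// Classify a client address:
//   'ok'       - some PTR name resolves forward back to the same address
//   'mismatch' - PTR names exist but none resolves back to the address
//   'no-ptr'   - the address has no PTR record
function checkReverseDns(ip) {
  const names = lookupPtr(ip);
  if (names.length === 0) return { ip, status: 'no-ptr', hostname: null };
  for (const name of names) {
    if (lookupA(name).includes(ip)) return { ip, status: 'ok', hostname: name };
  }
  return { ip, status: 'mismatch', hostname: names[0] };
}

// Gateway policy (this example's own assumption, not a postfix option):
// in the default lenient mode a bad reverse record is accepted but logged,
// since plenty of legitimate mail comes from hosts with broken rDNS; in
// strict mode such clients are rejected. The log line mirrors the
// "client=name[addr]" form a mail gateway writes so an operator can review it.
function gatewayDecision(ip, { strict = false } = {}) {
  const r = checkReverseDns(ip);
  let action;
  if (r.status === 'ok') action = 'accept';
  else action = strict ? 'reject' : 'accept-and-warn';
  const logLine =
    `client=${r.hostname || 'unknown'}[${ip}] rdns=${r.status} action=${action}`;
  return { ...r, action, logLine };
}

// Evaluate every constructed client and return the decisions.
function demo(strict = false) {
  return Object.keys(PTR_RECORDS).map((ip) => gatewayDecision(ip, { strict }));
}
```

`demo()` yields an `accept` for 192.0.2.10 and an `accept-and-warn` with a log line for the other two; `demo(true)` turns those two into `reject`. The logged warning is the part worth keeping even in lenient mode, because a mismatch on your own outbound relay is exactly the condition Len is waiting to see fixed.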
Re: Security holes revisited -- reward offered
Not to mention he has access to his boss's house and could just rummage around for a password...

-----Original Message-----
From: Reuben King [EMAIL PROTECTED]
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
Date: Tuesday, April 04, 2000 11:58 PM
Subject: RE: Security holes revisited -- reward offered

I agree. The fact that this kid so arrogantly made this "wager" highly

...deletia...
Re: Security holes revisited -- reward offered
The OptOut proggie? It's free; most of the cool software there is free. They've even got a halfway decent freeware firewall if I remember correctly.

Fred Sanders
Galveston, Texas

The classically-music-minded among us may have noted a new TV ad for Microsoft's Internet Explorer e-mail program which uses the musical theme of the "Confutatis Maledictis" from Mozart's Requiem. -- "Where do you want to go today?" is the cheery line on the screen --- while the chorus sings, "Confutatis maledictis, flammis acribus addictis..." -- This translates to "The damned and accursed are convicted to the flames of hell." Good to know that Microsoft has done its research.

----- Original Message -----
From: "Chris Tazewell" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, April 05, 2000 4:17 AM
Subject: Re: Security holes revisited -- reward offered

Nick,

Go to http://grc.com/ and you can run tests on the security of your system. I'd recommend this site to anyone who has a permanent connection. Plus there's a shareware (or is it freeware? can't remember) program that checks your computer for the presence of that snoop program that sends information about your computing habits to various companies.

Cheers
Taz
RE: Security holes revisited -- reward offered
Calvin,

A friend of mine summed this kind of thing up when we were discussing this thread earlier today.

<CF_QUOTE Author="Chris Tazewell">
Bedroom boys - very pasty kids who spend all day on the computer and learn programming through hacking - have no background in good programming techniques - create progs cheaply for people but they're cr@p and non-defensive... Pay cr@p - get cr@p
</CF_QUOTE>

Hire someone to do it properly!

Regards
Stephen

PS. Hope you don't mind Chris... ;o)

-----Original Message-----
From: Calvin Ward [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 05 April 2000 14:30
To: [EMAIL PROTECTED]
Subject: Re: Security holes revisited -- reward offered

So what do you guys think about part time hackers that attempt a breakin, post general results on a website, and then ask for payment to fix your problems?

Just curious...

Please direct all responses to the newsgroup so that all may benefit from my lack of wisdom!

----- Original Message -----
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, April 04, 2000 9:20 PM
Subject: RE: Security holes revisited -- reward offered

Mike,

While it might not sound like it from my prior post, I agree with you. The issue is why pay someone with an axe to grind to penetrate your system. But whether he gets paid or not, my gut says the kid will try anyway just to get back at the webmaster. Would I pay him? No way.

However, should he succeed, or if the threat feels warranted, I would definitely consider hiring a "tiger team" to review my security and, as you mention, under a contractual agreement, attempt to infiltrate security. Any team that is worth hiring will have such agreements to sign when you hire them, because they want to be legally protected should they succeed. This kid, however, is most likely going to break the law in his efforts if he decides to, and manages to succeed in, modifying the web site or mis-using information technology owned by the site. Unfortunately, it sounds like even if he did, he might get a break from the owner, and that's the real injustice here.

Best of luck to the webmaster...

--Doug

-----Original Message-----
From: Mike Sheldon [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 04, 2000 3:29 PM
To: [EMAIL PROTECTED]
Subject: RE: Security holes revisited -- reward offered

I have to violently disagree with this. The individual in question is not a reputable security expert, he's a kid with an axe to grind. I would never use any security group who cannot post a bond against any potential damage they may cause in the act of attempting to penetrate the system.

Michael J. Sheldon
Internet Applications Developer
Phone: 480.699.1084
http://www.desertraven.com/
PGP Key Available on Request
RE: Security holes revisited -- reward offered
> So what do you guys think about part time hackers that attempt a breakin, post general results on a website, and then ask for payment to fix your problems?

I think that they should be prosecuted to the full extent that the law allows. If someone broke into my house, stole my house key, copied it, distributed copies in front of the post office, and asked me for money to stop, I'd be reluctant to write a check for him.

People have got to get over the idea that computer crime is any different than other crime. It's a property violation, just like a burglar. I suspect that the current tolerance shown to computer criminals will shortly disappear, as people become more concerned about the repercussions of computer crime.

Furthermore, the current attitude is that computer crime is the fault of the victim; the system administrator didn't secure the system well enough. While that's true from a practical perspective (that is, we have to make security a sysadmin responsibility), it's impossible to follow to its logical extreme. Systems will always have vulnerabilities, and just because I don't lock my door, you don't have a right to trespass. You can't fully secure your house, either - does that mean I should wall up my windows?

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
Re: Security holes revisited -- reward offered
> If someone broke into my house, stole my house key, copied it, distributed copies in front of the post office, and asked me for money to stop, I'd be reluctant to write a check for him.

You're too nice, Dave. If it were me, I'd probably take a stick to him! ;)

Rey...
Re: Security holes revisited -- reward offered
> If someone broke into my house, stole my house key, copied it, distributed copies in front of the post office, and asked me for money to stop, I'd be reluctant to write a check for him.

> You're too nice, Dave. If it were me, I'd probably take a stick to him! ;)

My dog does that to me. Never thought of it as being a bad thing.

Sorry, thought I'd lighten it up a bit

Taz
Re: Security holes revisited -- reward offered
No problem. Just wanted to clarify. I got response all over the board from that post!

Nick

----- Original Message -----
From: "Fred Sanders" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, April 04, 2000 7:34 PM
Subject: Re: Security holes revisited -- reward offered

Sorry, wasn't trying to offend you.

----- Original Message -----
From: "Nick Call" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, April 04, 2000 5:28 PM
Subject: Re: Security holes revisited -- reward offered

The shirts come out of my own pocket. I am not loaded. The bundle he will pay his daughter's boyfriend will go towards keeping his daughter happy. My boss is a multi-millionaire. The site is not the one in the sig. Graphixonline.com belongs to me. :)

Nick

----- Original Message -----
From: "Fred Sanders" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, April 04, 2000 10:31 AM
Subject: Re: Security holes revisited -- reward offered

2 grand compared to 5 custom t-shirts, hmmm. Where is the site or is it the one in your SIG?

Fred

----- Original Message -----
From: "Nick Call" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, April 04, 2000 10:44 AM
Subject: Security holes revisited -- reward offered

Ok, fellow Listees, here's the deal...

My boss's daughter has a boyfriend.. (can you smell the trouble already???). He is bent out of shape over the fact that I did not recommend that we hire him (I interviewed him and gave his skill sets an honest, thorough exam). He is good at A/V stuff, but his web experience/database experience is null.

Anyway, back to the situation.. He has convinced the boss to pay him 2 grand to attempt to hack the system I built. He claims to be a super hacker, blah, blah, blah. I am not too confident that he can do it, but there is a small chance. Multiple minds are better than one. I have gone over and over all the stuff I know, but I am more than likely missing some stuff. Anyone care to share their CF/NT/IIS security checklist or other advice?

It's escalated into all-out war. He is going to stop at nothing to make me look bad, and I will stop at nothing to prevent him from succeeding.

Thanks in advance. I will custom print 5 free T-shirts with your logo (in one color) on them if you give me advice that plugs up a hole that I didn't know about.

Thanks in advance.

Nick Call
[EMAIL PROTECTED]
http://www.graphixonline.com
Re: Security holes revisited -- reward offered
> If someone broke into my house, stole my house key, copied it, distributed copies in front of the post office, and asked me for money to stop, I'd be reluctant to write a check for him.

> You're too nice, Dave. If it were me, I'd probably take a stick to him! ;)
> Rey...

I'd just leave them in two or three dumpsters around town myself. But then I guess we do things a little differently down har in Tex-us.

Fred Sanders
Galveston, Texas

The classically-music-minded among us may have noted a new TV ad for Microsoft's Internet Explorer e-mail program which uses the musical theme of the "Confutatis Maledictis" from Mozart's Requiem. -- "Where do you want to go today?" is the cheery line on the screen --- while the chorus sings, "Confutatis maledictis, flammis acribus addictis..." -- This translates to "The damned and accursed are convicted to the flames of hell." Good to know that Microsoft has done its research.

----- Original Message -----
From: "Rey Bango" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, April 05, 2000 9:28 AM
Subject: Re: Security holes revisited -- reward offered
Re: Security holes revisited -- reward offered
At 08:29 AM 4/5/00 -0500, you wrote:

> So what do you guys think about part time hackers that attempt a breakin, post general results on a website, and then ask for payment to fix your problems?

I have a problem with posting any results to a website. If they are the cause of the problems that they want to charge you to fix, I think that's supremely unethical. And all the hackers that I know (even the part time ones) are extremely ethical. I wouldn't trust any hacker that caused damage to my system and then asked for money to fix it-- because what is he going to leave in or put in that isn't covered?

If the problems that they want to fix are the security holes and not damage that they cause, that would be a little different. It might be annoying to have somebody send you a bill for that, but it may be a sign of a bigger problem that you're not aware of (like the netadmin being a bozo).

In either case, I wouldn't have them fix the problem. There are a lot of full-time hackers/experienced security admins with businesses to fix those problems. People with credentials and such. I'm doing a website for one of those businesses now and there are people working there with 10-15 years of info security experience and military security clearance. With people like that available to work on my system, I certainly wouldn't hire some random hacker to fix it.

> Just curious...
>
> Please direct all responses to the newsgroup so that all may benefit from my lack of wisdom!

----- Original Message -----
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, April 04, 2000 9:20 PM
Subject: RE: Security holes revisited -- reward offered

Mike,

While it might not sound like it from my prior post, I agree with you. The issue is why pay someone with an axe to grind to penetrate your system. But whether he gets paid or not, my gut says the kid will try anyway just to get back at the webmaster. Would I pay him? No way.

However, should he succeed, or if the threat feels warranted, I would definitely consider hiring a "tiger team" to review my security and, as you mention, under a contractual agreement, attempt to infiltrate security. Any team that is worth hiring will have such agreements to sign when you hire them, because they want to be legally protected should they succeed. This kid, however, is most likely going to break the law in his efforts if he decides to, and manages to succeed in, modifying the web site or mis-using information technology owned by the site. Unfortunately, it sounds like even if he did, he might get a break from the owner, and that's the real injustice here.

Best of luck to the webmaster...

--Doug

-----Original Message-----
From: Mike Sheldon [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 04, 2000 3:29 PM
To: [EMAIL PROTECTED]
Subject: RE: Security holes revisited -- reward offered

I have to violently disagree with this. The individual in question is not a reputable security expert, he's a kid with an axe to grind. I would never use any security group who cannot post a bond against any potential damage they may cause in the act of attempting to penetrate the system.

Michael J. Sheldon
Internet Applications Developer
Phone: 480.699.1084
http://www.desertraven.com/
PGP Key Available on Request
RE: Security holes revisited -- reward offered
This seems to say that self taught individuals are not as skilled as those who pay for certificates or go to organized classes. I can state without hesitation that this is completely NOT true. I know this from both personal experience and exposure to others.

I have taken a limited number of professional courses and I can say, without trying to be cocky, that I have never been challenged by any Allaire or Microsoft Professional class, and I've taken EVERY Allaire course available to the public (no offense to Fig Leaf or Allaire) and the M$ NT Server/Workstation and SQL Server certification classes. It all depends on the individual.

To be fair, I do read TONS of material on everything from networking, security, administration, and programming, to graphic design, database development, and benchmarking.

Regards,
Steve

p.s. I also have a tan :)

-----Original Message-----
From: Stephen Moretti [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 05, 2000 9:44 AM
To: [EMAIL PROTECTED]
Subject: RE: Security holes revisited -- reward offered

Calvin,

A friend of mine summed this kind of thing up when we were discussing this thread earlier today.

<CF_QUOTE Author="Chris Tazewell">
Bedroom boys - very pasty kids who spend all day on the computer and learn programming through hacking - have no background in good programming techniques - create progs cheaply for people but they're cr@p and non-defensive... Pay cr@p - get cr@p
</CF_QUOTE>

Hire someone to do it properly!

Regards
Stephen

PS. Hope you don't mind Chris... ;o)
RE: Security holes revisited -- reward offered
> > > If someone broke into my house, stole my house key, copied it, distributed copies in front of the post office, and asked me for money to stop, I'd be reluctant to write a check for him.
> >
> > You're too nice, Dave. If it were me, I'd probably take a stick to him! ;)
> >
> > Rey...
>
> I'd just leave them in two or three dumpsters around town myself. But then I guess we do things a little differently down har in Tex-us.

In Texas, you'd shoot him while he's still in the house, right? After all, that's better than Louisiana, where you'd shoot him on the lawn before he got in.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
Re: Security holes revisited -- reward offered
> > I'd just leave them in two or three dumpsters around town myself. But then I guess we do things a little differently down har in Tex-us.
>
> In Texas, you'd shoot him while he's still in the house, right? After all, that's better than Louisiana, where you'd shoot him on the lawn before he got in.

if i recall correctly from my time in salt lake, 6 of your neighbors would plug him. which we got way beat over here in the big mango, you'd just politely ask him to hold a grenade while you went for your M16.
RE: Security holes revisited -- reward offered
Whoa, 2 or 3 dumpsters, huh? You've never burned cats or anything have you :) What part of Texas are you from? I used to live in San Antonio and still visit there so I'll make sure to mind my manners next time I'm down ;)

Steve

-----Original Message-----
From: Dave Watts [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 05, 2000 2:31 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: Security holes revisited -- reward offered

> In Texas, you'd shoot him while he's still in the house, right? After all, that's better than Louisiana, where you'd shoot him on the lawn before he got in.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> voice: (202) 797-5496
> fax: (202) 797-5444
RE: Security holes revisited -- reward offered
How's about sending some durian our way! Hmmm, creamy, custardy durian.

Steve

-----Original Message-----
From: Paul Hastings [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 05, 2000 3:04 PM
To: [EMAIL PROTECTED]
Subject: Re: Security holes revisited -- reward offered

> if i recall correctly from my time in salt lake, 6 of your neighbors would plug him. which we got way beat over here in the big mango, you'd just politely ask him to hold a grenade while you went for your M16.
RE: Security holes revisited -- reward offered
At 02:30 PM 4/5/00 -0400, you wrote:
> > > > If someone broke into my house, stole my house key, copied it, distributed copies in front of the post office, and asked me for money to stop, I'd be reluctant to write a check for him.
> > >
> > > You're too nice, Dave. If it were me, I'd probably take a stick to him! ;)
> > >
> > > Rey...
> >
> > I'd just leave them in two or three dumpsters around town myself. But then I guess we do things a little differently down har in Tex-us.
>
> In Texas, you'd shoot him while he's still in the house, right? After all, that's better than Louisiana, where you'd shoot him on the lawn before he got in.

Hey! Are you saying I shoot people for no reason? *mumble mumble* Where's my gun?
Re: Security holes revisited -- reward offered
> How's about sending some durian our way! Hmmm, creamy, custardy durian.

can't. the gov signed the chemical warfare treaty ;-)
RE: Security holes revisited -- reward offered
> > In Texas, you'd shoot him while he's still in the house, right? After all, that's better than Louisiana, where you'd shoot him on the lawn before he got in.
>
> Hey! Are you saying I shoot people for no reason? *mumble mumble* Where's my gun?

No, I'm saying that in Louisiana, being on your lawn IS a reason.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
Re: Security holes revisited -- reward offered
I'm afraid to ask but what is "durian"?

Rey...

----- Original Message -----
From: "Paul Hastings" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, April 05, 2000 3:38 PM
Subject: Re: Security holes revisited -- reward offered

> > How's about sending some durian our way! Hmmm, creamy, custardy durian.
>
> can't. the gov signed the chemical warfare treaty ;-)
RE: Security holes revisited -- reward offered
From Merriam-Webster Dictionary:

Main Entry: du·ri·an
Pronunciation: 'dur-E-n, -E-"än also 'dyur-
Function: noun
Etymology: Malay
Date: 1588
1 : a large oval tasty but foul-smelling fruit with a prickly rind
2 : an East Indian tree (Durio zibethinus) of the silk-cotton family that bears durians

It may not sound that bad, but it's worse than you can imagine :) It does actually taste good, if you're still conscious.

Steve

-----Original Message-----
From: Rey Bango [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 05, 2000 3:51 PM
To: [EMAIL PROTECTED]
Subject: Re: Security holes revisited -- reward offered

> I'm afraid to ask but what is "durian"?
>
> Rey...
Re: Security holes revisited -- reward offered
> 1 : a large oval tasty but foul-smelling fruit with a prickly rind

way too mild a description: imagine a mounted knight's mace, though twice the size of your head and three times as scary looking, hanging from a tree like some kind of dantean nightmare. imagine a hydrogen sulfide reek spewing from it. imagine flies drunkenly circling around it. imagine enough arsenic in this apparition to do you serious damage if you eat too much... and you're about 1/2 way there.
Re: Security holes revisited -- reward offered
What kind of protection do you have in place now?

thanks,
Jeff W Stevens
eFinancial Systems
18957 E Crestridge Circle
Aurora, CO 80015
303-221-1527
FAX: 303-221-0375
email: [EMAIL PROTECTED]

----- Original Message -----
From: "Nick Call" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, April 04, 2000 9:44 AM
Subject: Security holes revisited -- reward offered

> Ok, fellow Listees, here's the deal...
>
> My boss's daughter has a boyfriend.. (can you smell the trouble already???). He is bent out of shape over the fact that I did not recommend that we hire him (I interviewed him and gave his skill sets an honest, thorough exam). He is good at A/V stuff, but his web experience/database experience is null.
>
> Anyway, back to the situation.. He has convinced the boss to pay him 2 grand to attempt to hack the system I built. He claims to be a super hacker, blah, blah, blah. I am not too confident that he can do it, but there is a small chance. Multiple minds are better than one. I have gone over and over all the stuff I know, but I am more than likely missing some stuff. Anyone care to share their CF/NT/IIS security checklist or other advice?
>
> It's escalated into all-out war. He is going to stop at nothing to make me look bad, and I will stop at nothing to prevent him from succeeding.
>
> Thanks in advance. I will custom print 5 free T-shirts with your logo (in one color) on them if you give me advice that plugs up a hole that I didn't know about.
>
> Thanks in advance.
>
> Nick Call
> [EMAIL PROTECTED]
> http://www.graphixonline.com
Re: Security holes revisited -- reward offered
obviously not enough! :)

Nick

----- Original Message -----
From: "Jeff Stevens" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, April 05, 2000 2:37 PM
Subject: Re: Security holes revisited -- reward offered

> What kind of protection do you have in place now?
>
> thanks,
> Jeff W Stevens
> eFinancial Systems
> 18957 E Crestridge Circle
> Aurora, CO 80015
> 303-221-1527
> FAX: 303-221-0375
> email: [EMAIL PROTECTED]
>
> ----- Original Message -----
> From: "Nick Call" [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: Tuesday, April 04, 2000 9:44 AM
> Subject: Security holes revisited -- reward offered
RE: Security holes revisited -- reward offered
I've seen similar situations where they weren't looking for anything, which was kind of nice. When the CF docs and admin vulnerabilities came out, several University-owned servers which were hosting CF got compromised. It was done by the same people and all they did was replace the top level page with one that said, "you've been hacked, here's what we did". They even backed up the original files. Of course, I still recommended full rebuilds from backup to make sure, since they didn't have checksummed versions to verify from.

Steve

-----Original Message-----
From: Steve Pierce [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 05, 2000 6:16 PM
To: [EMAIL PROTECTED]
Subject: RE: Security holes revisited -- reward offered

> Gee sounds like a classic mafia protection racket. Pay us or your business will suddenly have some broken windows. Most places call this extortion.
>
> - Steve
>
> -----Original Message-----
> From: Jennifer [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, April 05, 2000 12:57 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Security holes revisited -- reward offered
>
> > At 08:29 AM 4/5/00 -0500, you wrote:
> > > So what do you guys think about part time hackers that attempt a breakin, post general results on a website, and then ask for payment to fix your problems?
RE: Security holes revisited -- reward offered
It's only extortion if there's a threat implied. Think of it this way:

1) If there is an exploitable hole, your box is insecure.
2) Assuming I don't cause any damage[*], all I'm doing is alerting you to a security problem.

It's not really ethical to do this, but it's not extortion either. It's more like a locksmith walking into your locked office at night, and leaving a note that says: "Your locks suck - I was able to pick them in under 30 seconds. Call me at number and we'll talk about getting you some real security". Yes he was trespassing, but it's not extortion. Some might call it "breaking and entering", but assuming the lock still functions (in what is now recognized as a limited capacity), I wouldn't agree with the "breaking" part.

Extortion would be, for example, if I hacked your box, deleted some unimportant data, and said that if I didn't get paid, I'd come back and delete some important stuff.

[*] Some companies try to claim that someone breaking their security causes damage in the form of losses to upgrade/update/fix their security. This is a fallacy; the hole was there before the 'hacker' exploited/called attention to it.

At 06:15 PM 00/04/05 -0400, you wrote:
> Gee sounds like a classic mafia protection racket. Pay us or your business will suddenly have some broken windows. Most places call this extortion.
>
> - Steve
>
> -----Original Message-----
> From: Jennifer [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, April 05, 2000 12:57 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Security holes revisited -- reward offered
>
> > At 08:29 AM 4/5/00 -0500, you wrote:
> > > So what do you guys think about part time hackers that attempt a breakin, post general results on a website, and then ask for payment to fix your problems?

Tim Lieberman
Take a break and have a listen, Electric Mind Control Do It NOW: Workshop Funk Bakery
http://www.mp3.com/emcw
Re: Security holes revisited -- reward offered
I would have to say yes, especially if you work at a place in Ft. Worth, TX called "Drule on the Floor Publishing" (if she wasn't going for her gun before she should be now...) :)

Just playing.

Fred Sanders
Galveston, Texas

The classically-music-minded among us may have noted a new TV ad for Microsoft's Internet Explorer e-mail program which uses the musical theme of the "Confutatis Maledictis" from Mozart's Requiem. -- "Where do you want to go today?" is the cheery line on the screen --- while the chorus sings, "Confutatis maledictis, flammis acribus addictis..." -- This translates to "The damned and accursed are convicted to the flames of hell." Good to know that Microsoft has done its research.

----- Original Message -----
From: "Jennifer" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, April 05, 2000 2:30 PM
Subject: RE: Security holes revisited -- reward offered

> Hey! Are you saying I shoot people for no reason? *mumble mumble* Where's my gun?
RE: Security holes revisited -- reward offered
> So what do you guys think about part time hackers that attempt a breakin, post general results on a website, and then ask for payment to fix your problems?

...

> Gee sounds like a classic mafia protection racket. Pay us or your business will suddenly have some broken windows. Most places call this extortion.

...

> It's only extortion if there's a threat implied. Think of it this way:
>
> 1) If there is an exploitable hole, your box is insecure.
> 2) Assuming I don't cause any damage[*], all I'm doing is alerting you to a security problem.
>
> It's not really ethical to do this, but it's not extortion either. It's more like a locksmith walking into your locked office at night, and leaving a note that says: "Your locks suck - I was able to pick them in under 30 seconds. Call me at number and we'll talk about getting you some real security". Yes he was trespassing, but it's not extortion. Some might call it "breaking and entering", but assuming the lock still functions (in what is now recognized as a limited capacity), I wouldn't agree with the "breaking" part.

Unfortunately, computer crime seems so harmless and unreal for the most part, that we sometimes fail to see the obvious analogies between it and "real" crime. If someone hacks your site, puts the results on a website, and asks for money to fix the problem, they have committed a crime. They have violated the property and privacy of you or your business, made your business secrets public, and have put you in a position where it is in your interest to pay them money to prevent others from committing the same crime. That is extortion, among other things.

Let's go back to your locksmith example. Someone defeats your security mechanism by picking the lock, then they leave a note offering their services to fix the weak lock. First of all, it's not an exact analogy; it would be closer to the hacking example if the "locksmith" put a big sign on your lawn instead. Leaving that aside, how should we interpret that note? Did we ask the "locksmith" to do this for us? What else has he done, beside leave a note? What will he do if I don't pay him to fix the lock? If nothing else, I'm going to feel a bit violated. If what he's doing is really all right, am I wrong to drop him with the 12-gauge when he comes in?

It's really quite simple. If it's not your server, then you are completely in the wrong if you violate its security, even if you don't have malicious intent. There are limitations to acceptable business solicitation practices.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
RE: Security holes revisited -- reward offered
Nick,

You should check out the following URL: http://www.allaire.com/security

You'll find all the bulletins from February 1999 through to today, plus links and information on how to patch these issues.

Regards
Stephen

-----Original Message-----
From: Nick Call [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 04 April 2000 16:44
To: [EMAIL PROTECTED]
Subject: Security holes revisited -- reward offered
RE: Security holes revisited -- reward offered
I am kinda in the same situation, except this guy says that Cold Fusion can not be made to be secure at all. But he is trying to sabotage me and any work I do, and he knows nothing about CF, and he admins the NT and IIS and SQL servers.

-----Original Message-----
From: Steve Pierce [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 04, 2000 9:31 AM
To: [EMAIL PROTECTED]
Subject: RE: Security holes revisited -- reward offered

> How about just turning off the system? Seriously, is this for an unlimited period, and was your boss stupid enough to pay in advance, or will he pay upon success? Make sure you are not vulnerable to social engineering, where the guy calls and gets passwords from another employee.
>
> - Steve
>
> -----Original Message-----
> From: Nick Call [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, April 04, 2000 11:44 AM
> To: [EMAIL PROTECTED]
> Subject: Security holes revisited -- reward offered
RE: Security holes revisited -- reward offered
Nick,

If your boss was willing to do this, I'd seriously consider quitting if I were you. There are tons of jobs out there.

Duane

-----Original Message-----
From: Nick Call [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 04, 2000 11:44 AM
To: [EMAIL PROTECTED]
Subject: Security holes revisited -- reward offered
RE: Security holes revisited -- reward offered
Quite frankly, if this kid has an ounce of brains, or has a friend who does, you're screwed. Due to the fact that he has a friendly agent (boss's daughter) he should be able to get into the network using a legitimate account.

This may sound harsh, but disable your boss's account. Chances are he doesn't use it himself, and he'll have a grand time explaining how he found out it was disabled because someone was trying to use it to break into the system.

Michael J. Sheldon
Internet Applications Developer
Phone: 480.699.1084
http://www.desertraven.com/
PGP Key Available on Request

-----Original Message-----
From: Nick Call [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 04, 2000 08:44
To: [EMAIL PROTECTED]
Subject: Security holes revisited -- reward offered
RE: Security holes revisited -- reward offered
Wrap <CFTRY> and <CFCATCH Type="ANY"> around your CF applications so he can't view partial "source code" through error messages. Not a physical bug, but I think it can lead to more serious intrusions.

Xing
Re: Security holes revisited -- reward offered
I would check your logs too. If you can find out where he is coming from, just site-banish him.

-----Original Message-----
From: Craig M. Rosenblum [EMAIL PROTECTED]
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
Date: Tuesday, April 04, 2000 3:00 PM
Subject: RE: Security holes revisited -- reward offered

> I would check out grc.com and zonelabs.com; they have some security checking systems... And it can do a full scan of your system and give you free software...
>
> -----Original Message-----
> From: Nick Call [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, April 04, 2000 10:44 AM
> To: [EMAIL PROTECTED]
> Subject: Security holes revisited -- reward offered
>
> > Ok, fellow Listees, here's the deal...
Re: Security holes revisited -- reward offered
Of all the suggestions ... I think this one is the winner. Shut him down before he can get close. heh heh.

From: "Richard Fantini" [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: Security holes revisited -- reward offered
Date: Tue, 4 Apr 2000 14:24:05 -0400

Well, you could always call up this individual's ISP, tell them that he's been trying to hack your site, emailing pornography to your employees and such... heh. Play dirty, that's my suggestion. You are at an amazing advantage knowing who is going to be attacking you.

-Rich
Re: Security holes revisited -- reward offered
I know, but I am more than likely missing some stuff. Anyone care to share their CF/NT/IIS security checklist or other advice? It's escalated into all-out war. He is going to stop at nothing to make me look bad, and I will stop at nothing to prevent him from succeeding.

That's kind of a cool situation. I love drama. :)

I would say with your application, make sure if you're passing variables in the URL string that they can't do anything super bad by tinkering with the URL. As well.. that if they save a form to their PC, and then alter values, and hit submit.

When I worked at PSINet, we had an E-Commerce solution. And WorldPay was saying their solution is better. So they had me evaluate it. This was 2 years ago, so I'm sure it's secure now (our solution was using Open Market, which md5 encrypts the URL so that it can tell if the URL was tinkered). But I went to one of their profile stores, saved the ordering form, changed how much some item was from ~$180.00 to $1.50, hit submit, and a few days later got my present. :)

Don't know about NT security, but along the lines of UNIX security, turn off anything you don't absolutely need (i.e. services). If he's been watching the news he'll probably download the denial of service attack software.

Tariq Ahmed - [EMAIL PROTECTED] - ICQ 6308515
TIBCO Finance Technology - Web Group - Senior Web Engineer
Work: 650-461-3472 Pager: 800-759-x1702632 Fax: 650-461-3003
3375 Hillview Avenue. Palo Alto, CA. 94304.
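Tariq's story is the classic hidden-field tampering failure: the server trusted a price the browser sent back. The Python below is an added example, not code from the post or from the products it names, showing the vulnerable checkout beside two defences: reading the price from a server-side catalogue (so the client only names the item), and a MAC over parameters the server itself emitted, so an edited value fails verification. It uses HMAC-SHA256 rather than the MD5 scheme the post mentions; the catalogue, key and field names are made up.

```python
"""Added example (not from the cf-talk thread): form/URL tampering and
two defences.  CATALOGUE, SERVER_KEY and the field names are constructed."""
from __future__ import annotations

import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

CATALOGUE = {"sku-1001": 180.00}  # constructed sample item
SERVER_KEY = b"constructed-demo-key-not-for-production"


def vulnerable_checkout(form: dict) -> float:
    # Trusts whatever the browser posted.  Saving the form, editing the
    # hidden price to 1.50 and resubmitting works exactly as described.
    return float(form["price"]) * int(form["qty"])


def hardened_checkout(form: dict) -> float:
    # The price never comes from the client; only the item identifier does.
    sku = form["sku"]
    if sku not in CATALOGUE:
        raise ValueError("unknown sku")
    return CATALOGUE[sku] * int(form["qty"])


def sign_params(params: dict) -> str:
    # Server emits a query string plus a MAC over its canonical encoding
    # (sorted keys, so the order of fields cannot be used to dodge the check).
    body = urlencode(sorted(params.items()))
    mac = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}&sig={mac}"


def verify_params(query: str) -> dict | None:
    # Recompute the MAC over everything except 'sig'; constant-time compare.
    # Returns the parameters only if untouched, None if anything was edited.
    pairs = dict(parse_qsl(query, keep_blank_values=True))
    sig = pairs.pop("sig", "")
    body = urlencode(sorted(pairs.items()))
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    return pairs
```

Of the two, the catalogue lookup is the stronger fix: a signed price still has to be emitted by the server in the first place, and a key leak breaks it, whereas a server-side lookup gives the client nothing to edit.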
RE: Security holes revisited -- reward offered
You could run a shareware firewall on your system, and block off the machines that you suspect he might use if he visits the boss or the boss's daughter.

On Tue, 4 Apr 2000, Brook Davies wrote:

Hmm.. the boss's daughter, eh? I'd keep a close eye on that girl. What sort of user rights does daddy have? Have you looked at www.trustedsystems.com? They have an excellent Win NT Security Guideline...

At 12:30 PM 04/04/00 -0400, you wrote:

How about just turning off the system. Seriously, is this for an unlimited period, and was your boss stupid enough to pay in advance, or will he pay upon success? Make sure you are not vulnerable to social engineering where the guy calls and gets passwords from another employee.

- Steve

-----Original Message-----
From: Nick Call [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 04, 2000 11:44 AM
To: [EMAIL PROTECTED]
Subject: Security holes revisited -- reward offered

Ok, fellow Listees, here's the deal...

Tariq Ahmed - [EMAIL PROTECTED] - ICQ 6308515
TIBCO Finance Technology - Web Group - Senior Web Engineer
Work: 650-461-3472 Pager: 800-759-x1702632 Fax: 650-461-3003
3375 Hillview Avenue. Palo Alto, CA. 94304.
RE: Security holes revisited -- reward offered
Agreed.. boss sounds like an idiot.

1) Cover up the traditional security holes -- FTP, telnet.. Make sure that only specific accounts, if any, have access to your CF directory.

2) Make sure that all IIS hotfixes and NT service packs are installed.

3) Like that other guy said -- chances are he's going to try and exploit his relationship to your boss' daughter to get at a password. Perhaps he has access to your boss' machine at home.

4) Set up some anti-hacker countermeasures within CF. Track bad logon attempts for a particular account -- when consecutive password failures reach a certain point, lock the account. You can also track based on the CGI.REMOTE_ADDR header. Consecutive failed logons from a single IP.. block it for x minutes.

5) You got a firewall? Use it.

6) Any of your users who use stupid passwords (like their name, "password", etc) are definitely a risk. If your passwords are stored in a database, do a "select count(*), password from users group by password" (modify as needed) to see if there are some particularly generic passwords everyone is using.

Security is security. The openings hackers typically exploit are 99% of the time general failures in your security infrastructure.

This guy sounds like a retard, though. If I were you, I'd have fun toying with his tiny brain. You can do a reverse lookup on his IP address and alert him "The FBI has been notified of unauthorized entry attempts originating from PPP30150.01.ix.netcom.com" or other such silly messages that might make a newbie get a little sweaty. :-)

-----Original Message-----
From: Duane Boudreau [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 04, 2000 1:07 PM
To: [EMAIL PROTECTED]
Subject: RE: Security holes revisited -- reward offered

Nick,

If your boss was willing to do this, I'd seriously consider quitting if I were you. There are tons of jobs out there.

Duane

-----Original Message-----
From: Nick Call [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 04, 2000 11:44 AM
To: [EMAIL PROTECTED]
Subject: Security holes revisited -- reward offered

Ok, fellow Listees, here's the deal...
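Points 4 and 6 of the checklist above are the two that translate directly into code. The Python below is an added example, not code from the post: a login guard that locks an account after a run of consecutive failures and blocks a source address for a cooling-off period after too many failures from it (the post's "block it for x minutes", keyed on the client address that CGI.REMOTE_ADDR would supply), and the post's GROUP BY query run against a constructed in-memory SQLite table. The thresholds, table layout and sample rows are made up.

```python
"""Added example (not from the cf-talk thread): account lockout plus
per-address throttling, and the shared-password audit query.
LoginGuard, audit_shared_passwords and SAMPLE_USERS are constructed."""
import sqlite3
from collections import defaultdict


class LoginGuard:
    def __init__(self, max_account_failures=5, max_ip_failures=10, ip_block_seconds=900):
        self.max_account_failures = max_account_failures
        self.max_ip_failures = max_ip_failures
        self.ip_block_seconds = ip_block_seconds
        self.account_failures = defaultdict(int)   # consecutive failures per user
        self.locked_accounts = set()
        self.ip_failures = defaultdict(int)        # failures per source address
        self.ip_blocked_until = {}                 # ip -> time the block expires

    def is_blocked(self, ip: str, now: float) -> bool:
        until = self.ip_blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            # block has expired: clear it and start counting afresh
            del self.ip_blocked_until[ip]
            self.ip_failures[ip] = 0
            return False
        return True

    def attempt(self, user: str, ip: str, password_ok: bool, now: float) -> str:
        """Record one logon attempt; returns 'ok', 'denied', 'locked' or 'blocked'.
        `now` is a unix timestamp so the logic can be tested without a clock."""
        if self.is_blocked(ip, now):
            return "blocked"
        if user in self.locked_accounts:
            return "locked"            # even a correct password is refused
        if password_ok:
            self.account_failures[user] = 0
            return "ok"
        self.account_failures[user] += 1
        self.ip_failures[ip] += 1
        if self.account_failures[user] >= self.max_account_failures:
            self.locked_accounts.add(user)
            return "locked"
        if self.ip_failures[ip] >= self.max_ip_failures:
            self.ip_blocked_until[ip] = now + self.ip_block_seconds
            return "blocked"
        return "denied"


def audit_shared_passwords(rows, min_count=2):
    """rows: (username, password) pairs as stored.  Returns [(count, password)]
    for every value shared by min_count or more accounts, most common first.
    This only finds anything when passwords are stored in the clear or as
    unsalted hashes, which is itself the finding to act on."""
    con = sqlite3.connect(":memory:")
    con.execute("create table users (username text, password text)")
    con.executemany("insert into users values (?, ?)", rows)
    cur = con.execute(
        "select count(*), password from users group by password "
        "having count(*) >= ? order by count(*) desc, password",
        (min_count,),
    )
    return cur.fetchall()


# constructed sample data, not real accounts
SAMPLE_USERS = [("alice", "password"), ("bob", "password"), ("carol", "Tr0ub4dor"),
                ("dave", "bob"), ("erin", "password")]
```

Two design notes: the account lock is checked before the password so a locked account cannot be used to probe whether a guess was right, and the address block expires on its own, since a shared or dial-up address will eventually be reused by someone legitimate.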
RE: Security holes revisited -- reward offered
Good lord. If your site is that open and you're the webmaster, you deserve to be hacked, and don't whine when you get your butt burned. This is my opinion, at least.

-R

-----Original Message-----
From: John N Westerlund [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 04, 2000 2:02 PM
To: [EMAIL PROTECTED]
Subject: Re: Security holes revisited -- reward offered

graphixonline.com ip: 166.70.129.232

I was able to ftp to it, enter, download index.htm, upload test.doc. Good thing that's not the ftp for the corporate site. There is also another dns server for graphixonline.com; you'd need some other toys to fully see all the open ftp ports, etc.

-----Original Message-----
From: Fred Sanders [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Date: Tuesday, April 04, 2000 2:35 PM
Subject: Re: Security holes revisited -- reward offered

2 grand compared to 5 custom t-shirts, hmmm. Where is the site, or is it the one in your SIG?

Fred

----- Original Message -----
From: "Nick Call" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, April 04, 2000 10:44 AM
Subject: Security holes revisited -- reward offered

Ok, fellow Listees, here's the deal...
RE: Security holes revisited -- reward offered
At 11:50 AM 4/4/00 -0500, you wrote:

How I would love / hate to be in your shoes. Change your administrator account name on NT. Remake an account with the name "administrator" with no access. Log all attempts.

I just have to say that this is really clever.
RE: Security holes revisited -- reward offered
You might try to download and use Hackershield from BindView Development at www.bindview.com. It does a pretty thorough job of finding many of the holes in a system. The trial download will work on one machine (just install it on that one). It does require that you be logged in as Administrator and that it can use the system account. I just used it and was pleasantly surprised. It found MANY of the MOST common problems. Easy install, but does require rebooting. Can even fix many problems, just make sure it isn't fixing something that you really need. (BTW, this is not a plug, even though I was employee number 30 something when they were young and struggling. lol)

Gary McNeel, Jr.
Project Manager - DAC-Net, Research Graduate Studies
Rice University - Houston
[Lovett Hall] 713-348-6266 (Primary) [DAC] 713-348-5184 [M] 713-962-0885 [H] 713-723-9240

"The genius of our ruling class is that it has kept a majority of the people from ever questioning the inequity of a system where most people drudge along, paying heavy taxes for which they get nothing in return." -Gore Vidal

-----Original Message-----
From: Steve Pierce [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 04, 2000 11:31 AM
To: [EMAIL PROTECTED]
Subject: RE: Security holes revisited -- reward offered

How about just turning off the system. Seriously, is this for an unlimited period, and was your boss stupid enough to pay in advance, or will he pay upon success? Make sure you are not vulnerable to social engineering where the guy calls and gets passwords from another employee.

- Steve

-----Original Message-----
From: Nick Call [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 04, 2000 11:44 AM
To: [EMAIL PROTECTED]
Subject: Security holes revisited -- reward offered

Ok, fellow Listees, here's the deal...
RE: Security holes revisited -- reward offered
Did you just admit on a public forum to committing fraud, or were you just using that as a hypothetical example? grin

Chris Evans
[EMAIL PROTECTED]
http://www.fuseware.com

-----Original Message-----
From: Tariq Ahmed [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 04, 2000 3:34 PM
To: [EMAIL PROTECTED]
Subject: Re: Security holes revisited -- reward offered

I know, but I am more than likely missing some stuff. Anyone care to share their CF/NT/IIS security checklist or other advice? It's escalated into all-out war. He is going to stop at nothing to make me look bad, and I will stop at nothing to prevent him from succeeding.

That's kind of a cool situation. I love drama. :)

I would say with your application, make sure if you're passing variables in the URL string that they can't do anything super bad by tinkering with the URL. As well.. that if they save a form to their PC, and then alter values, and hit submit.

When I worked at PSINet, we had an E-Commerce solution. And WorldPay was saying their solution is better. So they had me evaluate it. This was 2 years ago, so I'm sure it's secure now (our solution was using Open Market, which md5 encrypts the URL so that it can tell if the URL was tinkered). But I went to one of their profile stores, saved the ordering form, changed how much some item was from ~$180.00 to $1.50, hit submit, and a few days later got my present. :)

Don't know about NT security, but along the lines of UNIX security, turn off anything you don't absolutely need (i.e. services). If he's been watching the news he'll probably download the denial of service attack software.

Tariq Ahmed - [EMAIL PROTECTED] - ICQ 6308515
TIBCO Finance Technology - Web Group - Senior Web Engineer
Work: 650-461-3472 Pager: 800-759-x1702632 Fax: 650-461-3003
3375 Hillview Avenue. Palo Alto, CA. 94304.
RE: Security holes revisited -- reward offered
I hope you get everything worked out, but this is one of the most seriously f**ked up things I have ever heard of. If anyone ever hears of me wasting time on any such tasks, please shoot me. All he's doing right now is the same thing you are... Trying to get his friend to help him hack your system. Total waste of time for all parties involved. Hacking a system to make it better is one thing; that is not what this represents. Seriously Nick, sounds like you need a new employer. Come out to Atlanta where the CF jobs are plentiful. I'll hook you up.

I've got to say, I agree with Cameron. Your boss's daughter's boyfriend isn't a security professional, and if your boss is naive enough to go along with this, you need a new boss. To illustrate the ludicrous nature of this whole thing, do you think that if you approached your boss, and offered, in exchange for $2000, to test whether his car could be stolen, he would go for that?

In addition, you're not a security professional, and if that's what your boss is looking for, he should hire one. You're a CF developer, for crying out loud. All that the boyfriend would probably need to do is send an email virus to your boss (who sounds like the kind of guy who would see an email attachment like HAPPY99.EXE and think, "Cool - let's check this out!") and get his password.

Now, I'd be the first to tell you that you should know as much about application server security as you can, but this is ridiculous. If you're a qualified, experienced CF developer, tell your boss where to put his t-shirts and hit the road.

If you're interested in learning basic hacking stuff, there's a decent book out, "Hacking Exposed", by two guys who run a course on the subject for Ernst & Young. It's fun stuff, but it doesn't take you too far beyond the basics.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
RE: Security holes revisited -- reward offered
Ok, fellow Listees, here's the deal...

In this case social engineering is probably your _WORST_ problem. He's most likely already got several account names and passwords just from hanging around the office. Or he could have planted a TROJAN while his girlfriend went to the bathroom, etc. (I almost got kicked out of college for doing that to the nosey sysadmin once. :-)

I'd suggest, if using NT security, to immediately force everyone to change passwords at next logon and to disable all accounts that haven't been used in the last month. Also, with NT you can, btw, restrict the hours that logons can take place. If you haven't already, make it so everyone who doesn't need to can't get in outside of reg biz hours.

Also, if possible, initiate an anti-viral scan across the network. (I.e., make sure you've not already been compromised before the test *officially* starts. He _HAS_ had actual physical contact with the network, after all.)

Disable the girlfriend's account. :) Or force an immediate password change, and again the day before the test.

Disable the boss's account. :) Or force an immediate password change, and again the day before the test.

Watch them both very closely. Almost certainly the girl knows both passwords. So does the boyfriend, most likely.

Watch the accounts of anyone he was "chummy" with in the office. Most likely his first attempts will be through those.

Aside from that and all the normal IIS/CF security notices/alerts, setting up firewalls/proxies, etc., etc., grab a copy of... um... Sam Spade. Grab that and do some port scanning, etc. against your system and see what's sticking out and needs to be turned off. Or if Back Orifice or anything else ODD shows up. ;-)

--min
RE: Security holes revisited -- reward offered
Here are a few less-obvious things to watch out for:

1. InterNIC

Do you have password protection on your InterNIC accounts? If they are only e-mail authentication, it's "possible" for someone to do mail spoofing and trick the InterNIC into thinking the request came from the e-mail account that has rights to it. What can happen? Well, in "theory" you could change the administrative DNS servers to point to someone else's DNS and thereby re-route traffic anywhere. It's also possible to modify the account and prevent the original user from changing it. Sure, you could tell the InterNIC to fix it, but for 12+ hrs you're still screwed. I've never heard of this being done, but it is "theoretically possible" ...

2. SQL password

Make sure you put security on your SQL server. The SA password should not be blank or easily guessable. Let's face it, someone can create DSNs via CF scripts, so if the hacker can create a .cfm page on your server, they can get in. If they run SQL administrative sp's, they can see all the databases and start doing things you don't want them to. Even if they can create a DSN, if you've secured your database server, it won't do them any good because it won't validate.

3. Bandwidth Attacks

How fast is your pipeline? If the hacker has access to a T1, T3, fast DSL, cable modem, etc. and you're on a small DSL circuit, have a poor ISP or a slow box, hackers can use tools like load testing tools to push a lot of traffic at your server.

4. Bandwidth and Data Overload

See #3 above, but consider that the hacker has found pages on your site that are very data intensive and do not use caching. You have also set your simultaneous requests to a low number (let's say five). If they could generate enough requests for these high-load pages and swamp the server, they could make it temporarily appear "unavailable" to real users. Make sure you have enough capacity for big spurts of traffic and set your firewalls and other devices to compensate. Also consider putting caching in pages that require a lot of data work and don't change frequently. Remember that you might not be able to catch this type of attack by using session variables, as the hacker has probably picked a tool that doesn't support cookies.

5. Remote Access Tools

If you're using remote access tools like VNC, PC Anywhere, Reach Out, make sure that you properly create and rotate your passwords. Make them a mix of case and alphanumeric symbols (always include one or two numbers) and make sure it's long. The only person inconvenienced by a 12 character password is you. URLs are longer than 12 characters, so it's not that bad. But let's face it. These tools use standard ports and people guess them to see if you have it. Once they get it, all they have to do is guess.

6. Backups

Let's face it. If someone does hack in and screws up your site, how will you restore it? Make sure each time you deploy a new site version that you keep a copy of the site on a disk somewhere. CD-ROM burners are cheap.

7. NT / OS Security

What do your NT guest accounts have access to? Do you co-locate your servers? If others can see your server information, there is a risk. Lock your server(s) down. There is no reason for everyone in the company or in the co-location facility to see your server farm. Create a production domain for your web farm and deny your office domain access to it except for authorized IT personnel. Everyone else will get there via HTTP, so this won't hurt them. Free access to the system... that hurts.

8. Past Employees

Anytime someone leaves the company, it's time to change passwords. Most companies think this is a good policy, but I've seen too many people ignore this.

Not all of these are easy ideas, but they're worth considering. Proper security management can help prevent disasters or at least make them easier to recover from.

--Doug
RE: Security holes revisited -- reward offered
I disagree (somewhat). While I think the boss is throwing money away if he paid before success, lots of highly successful companies pay "Tiger Teams" to break into their networks. It's a VERY lucrative talent if you can do it. What's worse is these teams usually get in. Many sites are built on servers that aren't properly secured. Whether it's because they were in a hurry or just learned HTML and now CFML and don't have time to learn system security, the doors are there. You'll also be amazed how many employees will actually give things out over the phone. It's scary.

So it's actually a good idea for the boss to want this tested . . . but if he's going to invite this, he should only pay a bounty if the "hacker" can successfully document the attack, and give extra if he can give guidance as to how to prevent it.

--Doug

-----Original Message-----
From: Duane Boudreau [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 04, 2000 11:07 AM
To: [EMAIL PROTECTED]
Subject: RE: Security holes revisited -- reward offered

Nick,

If your boss was willing to do this, I'd seriously consider quitting if I were you. There are tons of jobs out there.

Duane

-----Original Message-----
From: Nick Call [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 04, 2000 11:44 AM
To: [EMAIL PROTECTED]
Subject: Security holes revisited -- reward offered

Ok, fellow Listees, here's the deal...
RE: Security holes revisited -- reward offered
Here's a scary thought. What if the following communication happened, instituted by a "hacker"?

Hacker calls MyCompany.com's ISP... "Hi, this is Joe at MyCompany.com. We're VERY displeased with your service and want to move our site immediately to NewISP.com. We don't want to discuss it, our CEO has already decided. Just do it. The new InterNIC contact handle is XYZ123 and the DNS are xxx.xxx.xxx.xxx and xxx.xxx.xxx.xxx. Our web developers will have a new site tomorrow, so you won't see it today, but we'll have it ready by the time the InterNIC changes this. Please do this now."

If you have a reputable ISP, this isn't enough. But some ISPs would do this even if they just got an angry e-mail. Having total InterNIC control of your domain could prevent this, although there are some situations where having your ISP be the technical contact is good.

Just another "what if..." Not likely, but ...

--Doug

-----Original Message-----
From: Richard Fantini [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 04, 2000 11:24 AM
To: [EMAIL PROTECTED]
Subject: Re: Security holes revisited -- reward offered

Well, you could always call up this individual's ISP, tell them that he's been trying to hack your site, emailing pornography to your employees and such... heh. Play dirty, that's my suggestion. You are at an amazing advantage knowing who is going to be attacking you.

-Rich

-----Original Message-----
From: Nick Call [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 04, 2000 11:44 AM
To: [EMAIL PROTECTED]
Subject: Security holes revisited -- reward offered

Ok, fellow Listees, here's the deal...
RE: Security holes revisited -- reward offered
This may sound harsh, but disable your boss's account. Chances are he doesn't use it himself, and he'll have a grand time explaining how he found out it was disabled because someone was trying to use it to break into the system.

If it's NT, you can restrict the times when the account is active. Disable the account from 7pm - 6am, and nearly all day on weekends. Your boss isn't likely to be on the company network then, unless you have dial-in access. This is the time frame when most amateur hackers play.

--Doug
RE: Security holes revisited -- reward offered
I have to violently disagree with this. The individual in question is not a reputable security expert, he's a kid with an axe to grind. I would never use any security group who cannot post a bond against any potential damage they may cause in the act of attempting to penetrate the system.

Michael J. Sheldon
Internet Applications Developer
Phone: 480.699.1084
http://www.desertraven.com/
PGP Key Available on Request

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 04, 2000 14:58
To: [EMAIL PROTECTED]
Subject: RE: Security holes revisited -- reward offered

I disagree (somewhat). While I think the boss is throwing money away if he paid before success, lots of highly successful companies pay "Tiger Teams" to break into their networks. It's a VERY lucrative talent if you can do it.

What's worse is these teams usually get in. Many sites are built on servers that aren't properly secured. Whether it's because they were in a hurry or just learned HTML and now CFML and don't have time to learn system security, the doors are there. You'll also be amazed how many employees will actually give things out over the phone. It's scary.

So it's actually a good idea for the boss to want this tested . . . but if he's going to invite this, he should only pay a bounty if the "hacker" can successfully document the attack, and give extra if he can give guidance as to how to prevent it.

--Doug

-----Original Message-----
From: Duane Boudreau [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 04, 2000 11:07 AM
To: [EMAIL PROTECTED]
Subject: RE: Security holes revisited -- reward offered

Nick,

If your boss was willing to do this, I'd seriously consider quitting if I were you. There are tons of jobs out there.

Duane
Re: Security holes revisited -- reward offered
The shirts come out of my own pocket. I am not loaded. The bundle he will pay his daughter's boyfriend will go towards keeping his daughter happy. My boss is a multi-millionaire. The site is not the one in the sig. Graphixonline.com belongs to me. :)

Nick

----- Original Message -----
From: "Fred Sanders" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, April 04, 2000 10:31 AM
Subject: Re: Security holes revisited -- reward offered

2 grand compared to 5 custom t-shirts, hmmm. Where is the site or is it the one in your SIG?

Fred
Re: Security holes revisited -- reward offered
> Ok, fellow Listees, here's the deal...

> Or he could have planted a TROJAN while his girlfriend went to the bathroom, etc. (I almost got kicked out of college for doing that to the nosey sysadmin once. :-)

I'm not sure I understand what you're trying to say here :-)

Steve
RE: Security holes revisited -- reward offered
Two good places to start would be http://www.allaire.com/security/ and http://www.microsoft.com/security/
Re: Security holes revisited -- reward offered
How much does the daughter/girlfriend know?

At 09:44 AM 4/04/00 -0600, you wrote:
> Thanks in advance. I will custom print 5 free T-shirts with your logo (in one color) on them if you give me advice that plugs up a hole that I didn't know about.
Re: Security holes revisited -- reward offered
The most direct solution might be to make a play for the daughter. You get rid of the boyfriend and also have another 'in' with the boss. Hell, then maybe you can hack your own network and make $2k off of Daddy. :)

-----Original Message-----
From: Mark Ireland [EMAIL PROTECTED]
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
Date: Tuesday, April 04, 2000 5:48 PM
Subject: Re: Security holes revisited -- reward offered

How much does the daughter/girlfriend know?

At 09:44 AM 4/04/00 -0600, you wrote:
> Thanks in advance. I will custom print 5 free T-shirts with your logo (in one color) on them if you give me advice that plugs up a hole that I didn't know about.
Re: Security holes revisited -- reward offered
Sorry, wasn't trying to offend you.

----- Original Message -----
From: "Nick Call" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, April 04, 2000 5:28 PM
Subject: Re: Security holes revisited -- reward offered

The shirts come out of my own pocket. I am not loaded. The bundle he will pay his daughter's boyfriend will go towards keeping his daughter happy. My boss is a multi-millionaire. The site is not the one in the sig. Graphixonline.com belongs to me. :)

Nick

----- Original Message -----
From: "Fred Sanders" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, April 04, 2000 10:31 AM
Subject: Re: Security holes revisited -- reward offered

2 grand compared to 5 custom t-shirts, hmmm. Where is the site or is it the one in your SIG?

Fred
RE: Security holes revisited -- reward offered
My boss's daughter's boyfriend says he can answer this question for $2,000.00. If you can answer it then I'll give you 5 custom made html tables.

I have a frame set with two frames. I want the user to surf around another site in frame one and when they are done, click a button in frame two and have the new url for frame one set as the value of a variable. Do I need some javascript to do this, or is there a cf function/ tag that can help?

-Tom
RE: Security holes revisited -- reward offered
You could do it with JavaScript. My syntax is really rusty but you can use the Frames[#].document.location to do this. Anyone have the correct syntax handy?
Table navigation - was [RE: Security holes revisited -- reward offered]
Q: I have a frame set with two frames. I want the user to surf around another site in frame one and when they are done, click a button in frame two and have the new url for frame one set as the value of a variable. Do I need some javascript to do this, or is there a cf function/ tag that can help?

A: Yes, you need a client-side scripting language such as JavaScript, unless you want to use a plugin or ActiveX component. You could encapsulate the JavaScript in a CF tag, but CFML only executes on the server; it has no client-side component.

Now where are my tables? And don't try short changing me with 5 tables all nested inside each other, I want 5 whole tables. And fresh at that! Does that come with a drink and can I supersize them?

Steve
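Here is how that button could be wired up, as an added example that is not code from this thread: it reads the URL currently loaded in the other frame and copies it into a hidden form field so the next form post carries it to the server. The frame name "browser", the field id "capturedUrl", the button id "grab" and the function names are assumptions. When frame one is showing another site, the browser's same-origin policy refuses the read and throws a SecurityError, so the handler reports that instead of returning a URL.

```javascript
// Added example (not code from this thread). A toolbar frame that grabs the
// URL currently shown in a sibling frame and stores it in a hidden form field,
// so the next form post carries it to the server (where CFML can read it as a
// FORM variable). Frame name "browser" and element ids "capturedUrl"/"grab"
// are assumed names, not anything from the thread.

// Read the URL shown in the named frame of the given window.
// Returns { ok: true, url } for a same-origin frame, or { ok: false, reason }
// when the frame is missing or when the browser's same-origin policy refuses
// the read (frame showing another site): that read throws a SecurityError.
function readFrameUrl(win, frameName) {
  var frame = win.frames[frameName];
  if (!frame) {
    return { ok: false, reason: "no such frame: " + frameName };
  }
  try {
    return { ok: true, url: String(frame.location.href) };
  } catch (err) {
    // A cross-origin frame exposes only a restricted Location object;
    // reading href from it throws a SecurityError.
    return { ok: false, reason: (err && err.name) || String(err) };
  }
}

// Button handler: copy the captured URL into a form field.
// Clears the field on failure so a stale value is never submitted.
function captureIntoField(win, frameName, field) {
  var result = readFrameUrl(win, frameName);
  field.value = result.ok ? result.url : "";
  return result;
}

// Wiring in the toolbar frame (frame two). Assumes markup such as:
//   <form action="save.cfm" method="post">
//     <input type="hidden" id="capturedUrl" name="capturedUrl">
//     <button type="button" id="grab">Remember this page</button>
//   </form>
function installHandler(doc, win) {
  var button = doc.getElementById("grab");
  var field = doc.getElementById("capturedUrl");
  button.onclick = function () {
    var result = captureIntoField(win, "browser", field);
    if (!result.ok) {
      win.alert("Could not read the frame's URL: " + result.reason);
    }
  };
}

// In a browser, from the toolbar frame: installHandler(document, window.parent);
```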
RE: Security holes revisited -- reward offered
> Change your administrator account name on NT.
> -Remake an account with the name "administrator" with no access. Logs all attempts.

> I just have to say that this is really clever.

Clever, but useless against all but the simplest "script kiddies". For a demonstration, search any NT security site for "RedButton".

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
RE: Security holes revisited -- reward offered
> I disagree (somewhat). While I think the boss is throwing money away if he paid before success, lots of highly successful companies pay "Tiger Teams" to break into their networks. It's a VERY lucrative talent if you can do it.

While it's true that there are network security consultants who will break in to demonstrate security flaws, this isn't what's being done here. There are several serious issues being ignored when you make this comparison.

If you hire a company to test your security, and they're qualified, you and they will have lots of legal hurdles to cross. For example, you probably wouldn't want to test your production system directly - there might be accidental damage, or a service outage as a result. You'd need full logging of everything they tried. You'd need them to sign non-disclosure agreements, and they'd need you to sign theirs as well. You'd want background on their employees. In short, there are lots of i's to dot and t's to cross. A security audit is a non-trivial process, and an on-going one - it's not done when the server is compromised and the problem is fixed.

In this case, some guy is going to find some other guy to hack the site. Who knows what this other guy is going to do? Will he leave a message on it saying it's "owned"? While it's running and presumably fulfilling some important business function? Will this other guy leave a rootkit on it, so that when this is all over, he can stash a couple hundred Mbs of porn and warez there without your knowledge, or use it as a platform to attack other machines? Will other parts of the network be compromised? Who will pay for the outage when he causes a buffer overflow to crash a service and execute his little code snippet, and the machine doesn't restart? There are many more problems than these.

If I were put in the position that Nick's boss put him in, I'd give the boss this full warning. If the boss wants a security audit, hire the pros, and don't get the boss's girlfriend's boyfriend's college buddy to try first.

> What's worse is these teams usually get in. Many sites are built on servers that aren't properly secured. Whether it's because they were in a hurry or just learned HTML and now CFML and don't have time to learn system security, the doors are there. You'll also be amazed how many employees will actually give things out over the phone. It's scary.

These teams will always "usually get in". It is practically impossible to completely secure a computer on a network. Given enough time, resources, and patience, any server is vulnerable. The only secure computer is the one that's turned off, put into a big iron box, and dropped to the bottom of the ocean.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444