[Full-disclosure] Fwd: Re: Operation Bring Peace To Machines
Sorry that the following text is in French. You can probably find a translator to understand it.

Cheers
Take Care
/JA

Original message
Subject: Re: Operation Bring Peace To Machines
Date: Sat, 18 Feb 2012 12:54:50 -0500
From: Richard Stallman r...@gnu.org
Reply-To: r...@gnu.org
To: Jerome Athias jer...@netpeas.com

Errors, or weaknesses, in software code are exploited by bad guys. Worse still, other bad guys introduce malicious ("malveuillantes") features into their proprietary ("privateurs") programs. For example, Windows, MacOS, iOS (in the iThings), Flash Player, Kindle, Playstation 3.

So-called "security" features protect users against third parties, but only free software protects them against the developers.

--
Dr Richard Stallman
President, Free Software Foundation
51 Franklin St
Boston MA 02110
USA
www.fsf.org www.gnu.org
Skype: No way! That's nonfree (freedom-denying) software.
Use free telephony http://directory.fsf.org/category/tel/

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Fwd: Re: Operation Bring Peace To Machines
According to Gmail:

Errors or weaknesses in software code are exploited by bad guys. Worse, other villains introduce features malveuillantes privateurs in their programs. For example, Windows, MacOS, iOS (in iThings), Flash Player, Kindle, Playstation 3. The features called security protect users against third parties, but only free software protects against developers.

While I mostly agree with the last paragraph, I don't really see the point of this.
Re: [Full-disclosure] Fwd: Re: Operation Bring Peace To Machines
1) one typo in the French word malveuillantes
it should be written: malveillantes

2) privateurs comes from the Latin word privatus; privative software
http://venezuela-us.org/2011/08/16/u-s-programmer-richard-stallman-highlights-benefits-of-free-software/

it is just an open your mind try think just do it

Happy Hacking!
/JA
[Full-disclosure] [CFP] FRHACK Africa 2012 Call For Papers extended
Information here: http://www.frhack.org/frhack-cfp.php

CFP extended: + 1 month

*Hacker*

1. A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary. RFC1392, the Internet Users' Glossary, usefully amplifies this as: A person who delights in having an intimate understanding of the internal workings of a system, computers and computer networks in particular.
2. One who programs enthusiastically (even obsessively) or who enjoys programming rather than just theorizing about programming.
3. One who enjoys the intellectual challenge of creatively overcoming or circumventing limitations.

/JA
Re: [Full-disclosure] Fwd: Re: Operation Bring Peace To Machines
On Sat, Feb 18, 2012 at 11:43 AM, adam a...@papsy.net wrote:

According to Gmail: Errors or weaknesses in software code are exploited by bad guys. Worse, other villains introduce features malveuillantes privateurs in their programs. For example, Windows, MacOS, iOS (in iThings), Flash Player, Kindle, Playstation 3. The features called security protect users against third parties, but only free software protects against developers. While I mostly agree with the last paragraph, I don't really see the point of this.

It's just Stallman being Stallman.
[Full-disclosure] Fwd: Re: Operation Bring Peace To Machines - War Game
It's in trunk of openvas-manager. It's implemented as an XSLT.

Subject: Re: [Full-disclosure] Operation Bring Peace To Machines - War Game
Date: Sat, 18 Feb 2012 20:19:58 +
From: Tim Brown t...@openvas.org
To: Jerome Athias jer...@netpeas.com

OpenVAS already has a partial IVIL implementation, I know because I wrote it:

~/Development/Private/Unpublished/OpenVAS/trunk/openvas-manager/report_formats/IVIL$ ls
generate IVIL.xsl

Thanks very much for thinking of us, if anyone does take an interest and gets OpenVAS could you point them in my direction?

Tim
--
Tim Brown
mailto:t...@openvas.org
http://www.openvas.org/
Re: [Full-disclosure] Fwd: Re: Operation Bring Peace To Machines
Now that's a controversial stance.

True; but you'll always find idiots who will fight it.

Sent from my BlackBerry® wireless device

-----Original Message-----
From: Ian Hayes cthulhucall...@gmail.com
Sender: full-disclosure-boun...@lists.grok.org.uk
Date: Sat, 18 Feb 2012 12:37:42
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Fwd: Re: Operation Bring Peace To Machines
Re: [Full-disclosure] Fwd: Re: Operation Bring Peace To Machines
http://pfsense.bol2riz.com/downloads/
Re: [Full-disclosure] Fwd: Re: Operation Bring Peace To Machines
IVIL is not EVIL http://forum.pfsense.org/index.php/topic,46401.0.html
Re: [Full-disclosure] Fwd: Re: Operation Bring Peace To Machines
http://code.google.com/p/capirca/
Re: [Full-disclosure] Fwd: Re: Operation Bring Peace To Machines
maybe useful for malwares? http://www.labnol.org/internet/google-dmca/19256/
Re: [Full-disclosure] [CFP] FRHACK Africa 2012 Call For Papers extended
What is this non sense ?
It seems that Jérôme is having some trouble.

--
phocean 0...@phocean.net
[Full-disclosure] Operation Bring Peace To Machines : New Info
Sorry, I am just crazy \x90

Subject: RE: Vulnerability conceptual map (UNCLASSIFIED)
Date: Sat, 18 Feb 2012 16:37:45 -0500
From: WOLFKIEL, JOSEPH L CIV DISA PEO-MA joseph.wolfk...@disa.mil
Reply-To: joseph.wolfk...@disa.mil
To: Multiple recipients of list scap-...@nist.gov

Classification: UNCLASSIFIED
Caveats: NONE

The NetD schemas were developed with that concept in mind. We had hoped to contribute the entire body of knowledge to the community and start building automated communications based on the schemas and the relationships they document. Using SCAP names and metadata tags was a key component and gave us some early quick wins.

I'd love to come to community consensus on ontological models for threat, vulnerability, device, person, incident, event, workflow, etc that we could start incorporating into SCAP standards (starting with ARF and ASR).

Joseph L. Wolfkiel
Engineering Group Lead
DISA PEO MA/IA52
(301) 225-8820
joseph.wolfk...@disa.mil

-----Original Message-----
From: scap-...@nist.gov [mailto:scap-...@nist.gov] On Behalf Of Davidson II, Mark S
Sent: Friday, February 17, 2012 7:55 AM
To: Multiple recipients of list
Subject: RE: Vulnerability conceptual map

I think the core of the topic is turning information into action. You might have an ongoing attack, a vulnerability that needs to be patched, an exploitable configuration, or one of many other security risks. You will have varying degrees of information (as Kurt said) within each risk. Currently, an organization that can aggregate risk and threat information to a single point and have a human make a decision that is carried out in a timely manner is among the more mature organizations. Many organizations do not have all of their security information in a single place. Many organizations, once they make a security decision, have a difficult time implementing and communicating that decision.

There's probably three areas of action:
1) Collect information and present it in a useful way
2) Make a decision based on that information
3) Carry out the decision

#1 and #3 should be automated, and #2 should be where we spend most of our effort. SCAP and CM are within the domain of Collect/Present, and I think there have always been discussions about automating #3. Certain decisions in #2 can be automated once you have #1 and #3, but that's a ways away (in my opinion).

Part of the difficulty of #3 is that networks will always be different. Network management technologies will always be different. Let's say for the sake of argument you want to block web traffic. How would you communicate that? You'd have to, at a minimum, communicate the following: inbound/outbound, applicable subnets/locations, timeframe. Specifying a port may not be enough. What about web traffic over non-standard ports? Then you'd have to use an application-aware firewall. Or, what if you are trying to contain a segment of the network that has a router as its only access? You'd have to have a uniform language that could turn a thought "Block web traffic for sales - they got ANOTHER virus" into a command that must be usable by a variety of devices with functionality that may or may not overlap, all in a network whose topography cannot be known when that language is written. And you have to be able to 'remove' the block when you want.

I guess that was just a long way of saying 'I agree'. There's a lot of work to be done and much of it is unexplored (at least from a shared knowledge perspective).

-Mark

-----Original Message-----
From: scap-...@nist.gov [mailto:scap-...@nist.gov] On Behalf Of Kurt Seifried
Sent: Thursday, February 16, 2012 6:55 PM
To: Multiple recipients of list
Subject: Re: Vulnerability conceptual map

On 02/16/2012 06:11 AM, Jerome Athias wrote:

For me,
The problem: we must quickly mitigate (and then remediate) vulnerabilities
Existing scope: we have actually (too much?) too complicated (and incomplete) standards
we have not-interoperable vulnerability tools
My proposed solution: we have to act quickly to deal with the problem
So the idea is to produce, and use an open, SIMPLIFIED, easy to implement and use, standard
What I call IVIL v1.0
And I would like to explain, demonstrate and validate my solution

I find this discussion interesting. As I see it for a vulnerability (e.g. a technical issue that can be exploited to gain access or elevate privilege) we have several options:

1) fix it with a software update (which generally relies upon a vendor(s) shipping an update)
2) use a workaround (like change file permissions, disable the specific component that is affected, etc.)
3) disable the entire thing temporarily or permanently. For example by turning it off, restricting access to a limited subset of users, replacing it with something else, etc.
4) accept the risk and continue on (e.g. denial of service attacks, have a re-mediation routine to deal with it such as restarting it).
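
Mark Davidson's message above lists what a vendor-neutral "block web traffic" instruction has to carry: direction, applicable subnets, a timeframe, and a way to remove the block again. The sketch below is an added example, not part of the original thread or of any SCAP or IVIL specification; it renders one such intent to iptables and pf rule syntax together with the matching removal commands. The `BlockIntent` fields, the subnet 10.20.30.0/24, the `intent/` anchor naming and the use of the FORWARD chain are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
import ipaddress

@dataclass(frozen=True)
class BlockIntent:
    """Hypothetical vendor-neutral form of 'block web traffic for sales'."""
    name: str          # tag used to find and remove the rules later
    direction: str     # "outbound" or "inbound", relative to the subnets
    subnets: tuple     # applicable subnets as CIDR strings
    ports: tuple       # port-based approximation of "web traffic"
    expires: datetime  # timeframe: when the block must be lifted

    def __post_init__(self):
        if self.direction not in ("outbound", "inbound"):
            raise ValueError("direction must be 'outbound' or 'inbound'")
        for net in self.subnets:
            ipaddress.ip_network(net)  # raises ValueError on a malformed subnet
        if not all(0 < p < 65536 for p in self.ports):
            raise ValueError("port out of range")

def to_iptables(intent, action="-A"):
    """One FORWARD rule per subnet; action '-D' yields the exact removal rule.

    Port matching only: web traffic on non-standard ports is not covered,
    which is the thread's argument for an application-aware firewall.
    """
    side = "-s" if intent.direction == "outbound" else "-d"
    ports = ",".join(str(p) for p in intent.ports)
    return [f"iptables {action} FORWARD {side} {net} -p tcp -m multiport "
            f"--dports {ports} -m comment --comment intent:{intent.name} -j DROP"
            for net in intent.subnets]

def to_pf(intent):
    """pf rule meant to be loaded into the anchor intent/<name> (assumed layout)."""
    nets = ", ".join(intent.subnets)
    ports = ", ".join(str(p) for p in intent.ports)
    if intent.direction == "outbound":
        return f"block drop quick proto tcp from {{ {nets} }} to any port {{ {ports} }}"
    return f"block drop quick proto tcp from any to {{ {nets} }} port {{ {ports} }}"

def removal(intent):
    """Commands that undo the block on each platform."""
    return {"iptables": to_iptables(intent, action="-D"),
            "pf": [f"pfctl -a intent/{intent.name} -F rules"]}

def due_for_removal(intents, now):
    """Timeframe enforcement: intents whose expiry has passed."""
    return [i for i in intents if i.expires <= now]

# Constructed sample: subnet and expiry are illustrative values.
SALES = BlockIntent("sales-web", "outbound", ("10.20.30.0/24",), (80, 443),
                    datetime(2012, 2, 20, 9, 0, tzinfo=timezone.utc))

if __name__ == "__main__":
    print("\n".join(to_iptables(SALES)))
    print(to_pf(SALES))
    for platform, cmds in removal(SALES).items():
        print(platform, "->", cmds)
```

The same intent produces two differently shaped rules, and only the iptables form can be undone by replaying the rule itself; on pf the block is removable as a unit only because it was assumed to live in its own anchor.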
Re: [Full-disclosure] Operation Bring Peace To Machines : New Info
If by crazy, you mean a spammer: absolutely.

On Sat, Feb 18, 2012 at 4:45 PM, Jerome Athias jer...@netpeas.com wrote:

Sorry, I am just crazy \x90
Re: [Full-disclosure] Operation Bring Peace To Machines - War Game
YES WE sCAN!

On Saturday 18 Feb 2012 20:29:02 Jerome Athias wrote:

can you (do you want) to share to the world? thanks

It's in trunk of openvas-manager. It's implemented as an XSLT.

Tim