Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-14 Thread Mike Hale
No, you're saying something's a vulnerability without showing any
indication of how it can be abused.

On Fri, Mar 14, 2014 at 11:00 AM, Nicholas Lemonias.
lem.niko...@googlemail.com wrote:
 The full-disclosure mailing list has really changed. It's full of lamers
 nowadays aiming high.





 On Fri, Mar 14, 2014 at 5:58 PM, Nicholas Lemonias.
 lem.niko...@googlemail.com wrote:

 Says the script kiddie... Beg for some publicity. My customers are FTSE
 100.

 -- Forwarded message --
 From: Nicholas Lemonias. lem.niko...@googlemail.com
 Date: Fri, Mar 14, 2014 at 5:58 PM
 Subject: Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC
 To: antisnatchor antisnatc...@gmail.com


 Says the script kiddie... Beg for some publicity. My customers are FTSE
 100.




 On Fri, Mar 14, 2014 at 5:55 PM, antisnatchor antisnatc...@gmail.com
 wrote:

 LOL you're hopeless.
 Good luck with your business. Brave customers!

 Cheers
 antisnatchor

 Nicholas Lemonias. wrote:


 People can read the report if they like. Can't you even do basic things
 like reading a vulnerability report?

 Can't you see that the advisory is about writing arbitrary files. If I
 was your boss I would fire you.
 -- Forwarded message --
 From: Nicholas Lemonias. lem.niko...@googlemail.com
 Date: Fri, Mar 14, 2014 at 5:43 PM
 Subject: Re: [Full-disclosure] Google vulnerabilities with PoC
 To: Mario Vilas mvi...@gmail.com


 People can read the report if they like. Can't you even do basic things
 like reading a vulnerability report?

 Can't you see that the advisory is about writing arbitrary files. If I
 was your boss I would fire you, with a good kick outta the door.






 On Fri, Mar 14, 2014 at 3:55 PM, Mario Vilas mvi...@gmail.com wrote:

 On Fri, Mar 14, 2014 at 12:38 PM, Nicholas Lemonias.
 lem.niko...@googlemail.com wrote:

 Jerome of McAfee has made a very valid point on revisiting separation
 of duties in this security instance.

 Happy to see more professionals with some skills. Some others have
 also mentioned the feasibility for Denial of Service attacks. Remote code
 execution by Social Engineering is also a prominent scenario.


 Actually, people have been pointing out exactly the opposite. But if you
 insist on believing you can DoS an EC2 by uploading files, good luck to you
 then...



 If you can't tell that that is a vulnerability (probably coming from a
 bunch of CEH's), I feel sorry for those consultants.


 You're the only one throwing around certifications here. I can no longer
 tell if you're being serious or this is a massive prank.



 Nicholas.


 On Fri, Mar 14, 2014 at 10:45 AM, Nicholas Lemonias.
 lem.niko...@googlemail.com wrote:

 We are on a different level perhaps. We do certainly disagree on those
 points.
 I wouldn't hire you as a consultant, if you can't tell if that is a
 valid vulnerability..


 Best Regards,
 Nicholas Lemonias.

 On Fri, Mar 14, 2014 at 10:10 AM, Mario Vilas mvi...@gmail.com
 wrote:

 But do you have all the required EH certifications? Try this one from
 the Institute for
 Certified Application Security Specialists: http://www.asscert.com/


 On Fri, Mar 14, 2014 at 7:41 AM, Nicholas Lemonias.
 lem.niko...@googlemail.com wrote:

 Thanks Michal,

 We are just trying to improve Google's security and contribute to
 the research community after all. If you are still on EFNet give me a
 shout some time.

 We have done so and consulted for hundreds of clients including
 Microsoft, Nokia, Adobe and some of the world's biggest corporations.
 We are also strict supporters of the ACM code of conduct.

 Regards,
 Nicholas Lemonias.
 AISec


 On Fri, Mar 14, 2014 at 6:29 AM, Nicholas Lemonias.
 lem.niko...@googlemail.com wrote:

 Hi Jerome,

 Thank you for agreeing on access control, and separation of duties.

 However, successful exploitation permits arbitrary write() of any
 file of choice.

 I could release exploit code in C Sharp or Python that permits
 multiple file uploads of any file/types, if the Google security team
 feels that this would be necessary. This is unpaid work, so we are not
 so keen on that job.



 On Fri, Mar 14, 2014 at 6:04 AM, Jerome Athias
 athiasjer...@gmail.com wrote:

 Hi

 I concur that we are mainly discussing a terminology problem.

 In the context of a Penetration Test or WAPT, this is a Finding.
 Reporting this finding makes sense in this context.

 As a professional, you would have to explain if/how this finding is a
 Weakness*, a Violation (/Regulations, Compliance, Policies or
 Requirements[1])
 * I would say Weakness + Exposure = Vulnerability. Vulnerability +
 Exploitability (PoC) = Confirmed Vulnerability that needs Business
 Impact and Risk Analysis

 So I would probably have reported this Finding as a Weakness (and not
 Vulnerability. See: OWASP, WASC-TC, CWE), explaining that it is not
 Best Practice (your OWASP link and Cheat Sheets), and even if
 mitigative/compensative security controls (Ref Orange Book),
 

Re: [Full-disclosure] when did piracy/theft become expression of freedom

2012-01-30 Thread Mike Hale
Not necessarily.

Look at the effects of people posting DeCSS and the HDDVD keys a while back.

The industry ended up giving in precisely because people said, en
masse, fuck off.

On Mon, Jan 30, 2012 at 12:05 AM, Christian Sciberras uuf6...@gmail.com wrote:
 No, it follows the fact that vengeance (the fuck you Byron mentioned)
 isn't fruitful to remedy the situation.







 On Mon, Jan 30, 2012 at 8:54 AM, Mike Hale eyeronic.des...@gmail.com
 wrote:

 What you said doesn't follow.

 Making a digital copy isn't burning down a business.  The analogy
 linking 'piracy' with theft is ludicrous.

 On Sun, Jan 29, 2012 at 11:50 PM, Christian Sciberras uuf6...@gmail.com
 wrote:
  Byron, you don't protest to the government by burning down 100-year-old
  business, if you know what I mean...
 
 
 
 
 
  On Mon, Jan 30, 2012 at 12:12 AM, Byron L. Sonne byron.so...@gmail.com
  wrote:
 
  The thing that makes me laugh about all of this, and one of the key
  things I learned from reading Gibbon's Decline & Fall is this:
 
  The number and frequency of laws passed regarding things directly
  relates to how widespread these things are, and how much the laws
  are ignored and ineffective. Laws can't prevent a damn thing, they can
  only specify remedies. As it is said, it's only illegal if you get
  caught.
 
  The cat is out of the bag and will never be put back in. There's no way
  to stop people from 'illegally' copying copyrighted material.
 
  If they somehow managed to require and implement tech so that perfect
  digital copies can't be made (unlikely) then people will simply use a
  camera to record the video as it plays on the screen. Hey, wait a
  minute, that sounds just like that screener I downloaded someone taped
  in Russia! ;)
 
  If they manage to require and implement tech so that you can't trade it
  over the internet (unlikely) then people will simply trade it on private
  networks or, like we used to do in the old days, via sneakernet.
 
  The problem is that in an attempt to control the dissemination of
  copyrighted material (and people are right, artists do have a right to
  reap the benefits of their effort) the powers-that-be are stepping over
  the line and into territory that impacts our ability to communicate in
  the fashion we choose.
 
  It might be fine to try and prevent piracy but in the process of doing
  so you are trashing the other desires of people that have nothing to do
  with piracy.
 
  I'm sure if the copyright lobby had their way, they'd require us to wear
  special glasses in order to see our laptop screens, on the assumption
  that anything not explicitly licensed was assumed to be unlicensed, and
  thus pirated, which we would be blocked from our field of view... and as
  a result, some girl/guy who wants to write a simple freeware text editor
  now has to jump through regulatory hoops and spend money to obtain a
  special registration that allows their text editor to display to the
  screen. This is a cheesy example, but I think it makes the point.
 
  In the guise of 'protecting artists and businesses' what is happening is
  that the powers-that-be are requesting (and too often getting) powers
  that allow them to trample on the general idea of freedom of
  communications and other things people cherish.
 
  As a result, people are inclined to engage in the very behaviours that
  elicited the laws and crackdowns, quite simply, as a way to raise their
  middle finger and say Fuck You.
 
  This is when piracy and theft becomes freedom of expression - when it's
  done in protest.
 
  --
  http://www.freebyron.org
 
  ___
  Full-Disclosure - We believe in it.
  Charter: http://lists.grok.org.uk/full-disclosure-charter.html
  Hosted and sponsored by Secunia - http://secunia.com/
 
 
 



 --
 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0







Re: [Full-disclosure] when did piracy/theft become expression of freedom

2012-01-29 Thread Mike Hale
What you said doesn't follow.

Making a digital copy isn't burning down a business.  The analogy
linking 'piracy' with theft is ludicrous.

On Sun, Jan 29, 2012 at 11:50 PM, Christian Sciberras uuf6...@gmail.com wrote:
 Byron, you don't protest to the government by burning down 100-year-old
 business, if you know what I mean...





 On Mon, Jan 30, 2012 at 12:12 AM, Byron L. Sonne byron.so...@gmail.com
 wrote:

 The thing that makes me laugh about all of this, and one of the key
 things I learned from reading Gibbon's Decline & Fall is this:

 The number and frequency of laws passed regarding things directly
 relates to how widespread these things are, and how much the laws
 are ignored and ineffective. Laws can't prevent a damn thing, they can
 only specify remedies. As it is said, it's only illegal if you get
 caught.

 The cat is out of the bag and will never be put back in. There's no way
 to stop people from 'illegally' copying copyrighted material.

 If they somehow managed to require and implement tech so that perfect
 digital copies can't be made (unlikely) then people will simply use a
 camera to record the video as it plays on the screen. Hey, wait a
 minute, that sounds just like that screener I downloaded someone taped
 in Russia! ;)

 If they manage to require and implement tech so that you can't trade it
 over the internet (unlikely) then people will simply trade it on private
 networks or, like we used to do in the old days, via sneakernet.

 The problem is that in an attempt to control the dissemination of
 copyrighted material (and people are right, artists do have a right to
 reap the benefits of their effort) the powers-that-be are stepping over
 the line and into territory that impacts our ability to communicate in
 the fashion we choose.

 It might be fine to try and prevent piracy but in the process of doing
 so you are trashing the other desires of people that have nothing to do
 with piracy.

 I'm sure if the copyright lobby had their way, they'd require us to wear
 special glasses in order to see our laptop screens, on the assumption
 that anything not explicitly licensed was assumed to be unlicensed, and
 thus pirated, which we would be blocked from our field of view... and as
 a result, some girl/guy who wants to write a simple freeware text editor
 now has to jump through regulatory hoops and spend money to obtain a
 special registration that allows their text editor to display to the
 screen. This is a cheesy example, but I think it makes the point.

 In the guise of 'protecting artists and businesses' what is happening is
 that the powers-that-be are requesting (and too often getting) powers
 that allow them to trample on the general idea of freedom of
 communications and other things people cherish.

 As a result, people are inclined to engage in the very behaviours that
 elicited the laws and crackdowns, quite simply, as a way to raise their
 middle finger and say Fuck You.

 This is when piracy and theft becomes freedom of expression - when it's
 done in protest.

 --
 http://www.freebyron.org






Re: [Full-disclosure] I know its old, but what the heck does this do... (exposing a tool...)

2011-10-25 Thread Mike Hale
Exploits this, maybe?

http://www.us-cert.gov/cas/bulletins/SB05-040.html#smb

On Tue, Oct 25, 2011 at 6:50 PM, xD 0x41 sec...@gmail.com wrote:
 Hello List,
 I'd like people to also, like this thread asks, to pls give some opinion,
 other than mine.. which, i am yet to make;

 http://www.hackerthreads.org/Topic-5973

 Please look at this .c code on here, if you wish, and tell me, why
 A. It is still in circulation, seemingly, on MANY MANY boxes
 B. people still seem to try keep it private :s

 This morning, a friend from webhostingtalk.com asked me to take a look.
 I have and, i can only so far say, once i decrypt the shellcode, i'll know
 a bit more..
 altho, i remember this thing, and, so many people were after it, people were
 paying for it, this is first time i have seen it actually disclosed tho,
 admittedly only looked today.
 If skiddies are using it to ddos things, I want to make sure i can expose it,
 and kill the threats.
 thank you.
 xd .// exposing bullshit as i ride!








Re: [Full-disclosure] [OT] Obama said: American people understand that not everybody's been following the rules

2011-10-14 Thread Mike Hale
Obviously not.

Again.  They looked like they had weapons.  The pilots weren't
wondering...they were sure they saw weapons.

They then engaged what appeared to be a clear threat to other US
forces nearby.

The pilots acted exactly as they should have, given the information
presented to them.  This was a war zone, not a country club.

On Thu, Oct 13, 2011 at 11:23 PM, Jeffrey Walton noloa...@gmail.com wrote:
 On Fri, Oct 14, 2011 at 2:19 AM, Mike Hale eyeronic.des...@gmail.com wrote:
 Except that they weren't obviously unarmed.

 Not only were they not obviously unarmed, they appeared to be armed.

 Look at the 4 minute mark.

 That sure as shit looks like an RPG.

 The crew thought the group was armed.  Ergo, they were cleared to engage.

 This wasn't a war crime...and the allegation that it was just makes
 people look ridiculous.
 Listen to yourself: we weren't sure if they were armed, so we killed
 them. Put yourself and your family in the shoes of the dead folks. It's
 not a comfortable place to be, is it?

 Jeff

 On Thu, Oct 13, 2011 at 11:05 PM,  valdis.kletni...@vt.edu wrote:
 On Thu, 13 Oct 2011 22:44:44 PDT, Mike Hale said:
 Seriously!  Think about the injustice of having American helicopters
 engage armed individuals shadowing American soldiers.

 Shooting at armed individuals is one thing.  If it's civilians and 
 Reuters
 employees who *aren't* obviously armed, it's something else.












Re: [Full-disclosure] [OT] Obama said: American people understand that not everybody's been following the rules

2011-10-14 Thread Mike Hale
Of all the wars, crimes and massacres that happen in the world, you're
gonna sit here and tell me it's the US that the security council
should have stopped?

If that's truly your attitude, your worldview is completely FUBAR.

On Fri, Oct 14, 2011 at 4:29 AM, Jeffrey Walton noloa...@gmail.com wrote:
 On Fri, Oct 14, 2011 at 7:26 AM, Darren Martyn
 d.martyn.fulldisclos...@gmail.com wrote:
 ...And what, exactly, gave the US the right to be there in the first place?
 Non-existent WMD? Human rights? The US has to stop seeing themselves as
 international police.
 The US can't police itself; and it has no business trying to police
 others. The UN Security Council is a joke - it should have stopped the
 US a long time ago (an impossibility under its current structure).

 Jeff

 On Fri, Oct 14, 2011 at 7:28 AM, Mike Hale eyeronic.des...@gmail.com
 wrote:

 Obviously not.

 Again.  They looked like they had weapons.  The pilots weren't
 wondering...they were sure they saw weapons.

 They then engaged what appeared to be a clear threat to other US
 forces nearby.

 The pilots acted exactly as they should have, given the information
 presented to them.  This was a war zone, not a country club.

 On Thu, Oct 13, 2011 at 11:23 PM, Jeffrey Walton noloa...@gmail.com
 wrote:
  On Fri, Oct 14, 2011 at 2:19 AM, Mike Hale eyeronic.des...@gmail.com
  wrote:
  Except that they weren't obviously unarmed.
 
  Not only were they not obviously unarmed, they appeared to be armed.
 
  Look at the 4 minute mark.
 
  That sure as shit looks like an RPG.
 
  The crew thought the group was armed.  Ergo, they were cleared to
  engage.
 
  This wasn't a war crime...and the allegation that it was just makes
  people look ridiculous.
  Listen to yourself: we weren't sure if they were armed, so we killed
  them. Put yourself and your family in the shoes of the dead folks. It's
  not a comfortable place to be, is it?
 
  Jeff
 
  On Thu, Oct 13, 2011 at 11:05 PM,  valdis.kletni...@vt.edu wrote:
  On Thu, 13 Oct 2011 22:44:44 PDT, Mike Hale said:
  Seriously!  Think about the injustice of having American helicopters
  engage armed individuals shadowing American soldiers.
 
  Shooting at armed individuals is one thing.  If it's civilians and
  Reuters
  employees who *aren't* obviously armed, it's something else.
 
 
 
 
 
 
 











Re: [Full-disclosure] [OT] Obama said: American people understand that not everybody's been following the rules

2011-10-14 Thread Mike Hale
Except that they weren't obviously unarmed.

Not only were they not obviously unarmed, they appeared to be armed.

Look at the 4 minute mark.

That sure as shit looks like an RPG.

The crew thought the group was armed.  Ergo, they were cleared to engage.

This wasn't a war crime...and the allegation that it was just makes
people look ridiculous.

On Thu, Oct 13, 2011 at 11:05 PM,  valdis.kletni...@vt.edu wrote:
 On Thu, 13 Oct 2011 22:44:44 PDT, Mike Hale said:
 Seriously!  Think about the injustice of having American helicopters
 engage armed individuals shadowing American soldiers.

 Shooting at armed individuals is one thing.  If it's civilians and Reuters
 employees who *aren't* obviously armed, it's something else.







Re: [Full-disclosure] [OT] Obama said: American people understand that not everybody's been following the rules

2011-10-13 Thread Mike Hale
Seriously!  Think about the injustice of having American helicopters
engage armed individuals shadowing American soldiers.

The inhumanity is heart breaking.

Go troll somewhere else.

On Thu, Oct 13, 2011 at 9:53 PM, Jeffrey Walton noloa...@gmail.com wrote:
 On Fri, Oct 14, 2011 at 12:22 AM, Jeffrey Walton noloa...@gmail.com wrote:
 On Thu, Oct 13, 2011 at 11:59 PM, Ivan . ivan...@gmail.com wrote:
 don't feed the trolls

 http://whatreallyhappened.com/
 Don't forget http://www.collateralmurder.com/.

 It's appalling the US pilots of the helicopter make a joke and laugh
 when they shoot the children (they shouldn't have brought their kids
 to work, IIRC).
 My bad. The Apache pilot joked, "It's their fault for bringing their
 kids into a battle" (at 15:28), with 'their' meaning the civilians and
 Reuters employees killed by the US military in an unprovoked attack.

 Jeff

 On Fri, Oct 14, 2011 at 2:53 PM, Laurelai laure...@oneechan.org wrote:

 On 10/13/2011 7:11 PM, Christian Sciberras wrote:

  So if they cause damage for profit that makes it ok?
 No. But it's certainly better than doing damage without profit. Making
 profit means that at the end of the day, the money's going to go somewhere
 further in the chain.
 Flattening a tower, for instance, or attacking the local bank that refused
 to give you a loan because of the time you spent in a cell, isn't as
 productive.
 Neither is it making a company lose clients/profit just because they
 decided they don't want you to use their services (as if you did have a
 right in the first place...).

 So by your logic the civil disobedience that helped spark the
 revolutionary war is worse than if someone had done the same acts just to
 drive up tea prices? Again I also remind you the trickle down theory
 doesn't work.

  And yes I acknowledge the American public has a measure of
  responsibility in the situation too, human beings are by nature 
  imperfect,
  but the largest share of responsibility lies with the names listed below.
 The largest share? I can see Ex-president Bush trying to sell you a bottle
 of beer for $10 dollars ($7 profit). Wait, I can't.

 But we did see him increase deregulation and allow this to happen, we also
 saw him provoke a war with another country based on a known lie for the
 sole purpose of gaining resources and more control in the middle east. We
 saw him legalize torture and saw him strip away a good chunk of our civil
 liberties so the anti terror industry could make a buck. But like you said
 it's ok since someone is making money off of it. Who needs civil liberties
 anyways right?

  That sort of thing has happened to me and I paid back every dime of it,
  most people are decent human beings and would do the same.
 Most people? I could have sworn 90% of the people in the NYC subway would
 thank $deity if you suddenly dropped dead so they could get things off you.
 Call me cynical, but I wouldn't trust anyone else in such cases, other
 than myself.

 Frankly 90% of people on this list would just thank $deity i suddenly
 dropped dead regardless of how much stuff i had :)

 Regarding that list of yours, great! Now we just need a little more
 effort. For each of those persons, please enlighten us as to what they did
 legally wrong.
 Of course, the people that landed in jail shouldn't be counted. The 99%
 protest is a modern one committed to change, it just can't right wrongs by
 pointing at jailed people.

 [SNIP]








Re: [Full-disclosure] Other recommended lists?

2011-02-21 Thread Mike Hale
Probably because you've been the biggest troll on this list for the
last few weeks?

On Mon, Feb 21, 2011 at 11:04 AM, Cal Leeming [Simplicity Media Ltd]
cal.leem...@simplicitymedialtd.co.uk wrote:
 And why is that, Paul?

 On Mon, Feb 21, 2011 at 7:03 PM, Paul Schmehl pschmehl_li...@tx.rr.com
 wrote:

 --On February 21, 2011 6:15:07 PM + Cal Leeming [Simplicity Media
 Ltd] cal.leem...@simplicitymedialtd.co.uk wrote:

 Can anyone recommend any decent lists, preferably that are moderated
 against douchebaggery and trolls (but allow swearing and insults etc),
 and allows for general security/tech related discussion?

 Seriously?  I think it's safe to assume you don't understand irony.

 --
 Paul Schmehl, Senior Infosec Analyst
 As if it wasn't already obvious, my opinions
 are my own and not those of my employer.
 ***
 It is as useless to argue with those who have
 renounced the use of reason as to administer
 medication to the dead. Thomas Jefferson
 There are some ideas so wrong that only a very
 intelligent person could believe in them. George Orwell









Re: [Full-disclosure] Other recommended lists?

2011-02-21 Thread Mike Hale
Your porn thread among others?  Is this a serious question?

On Mon, Feb 21, 2011 at 11:07 AM, Cal Leeming [Simplicity Media Ltd]
cal.leem...@simplicitymedialtd.co.uk wrote:
 How so?

 On Mon, Feb 21, 2011 at 7:06 PM, Mike Hale eyeronic.des...@gmail.com
 wrote:

 Probably because you've been the biggest troll on this list for the
 last few weeks?

 On Mon, Feb 21, 2011 at 11:04 AM, Cal Leeming [Simplicity Media Ltd]
 cal.leem...@simplicitymedialtd.co.uk wrote:
  And why is that, Paul?
 
  On Mon, Feb 21, 2011 at 7:03 PM, Paul Schmehl pschmehl_li...@tx.rr.com
  wrote:
 
  --On February 21, 2011 6:15:07 PM + Cal Leeming [Simplicity Media
  Ltd] cal.leem...@simplicitymedialtd.co.uk wrote:
 
  Can anyone recommend any decent lists, preferably that are moderated
  against douchebaggery and trolls (but allow swearing and insults etc),
  and allows for general security/tech related discussion?
 
  Seriously?  I think it's safe to assume you don't understand irony.
 
  --
  Paul Schmehl, Senior Infosec Analyst
  As if it wasn't already obvious, my opinions
  are my own and not those of my employer.
  ***
  It is as useless to argue with those who have
  renounced the use of reason as to administer
  medication to the dead. Thomas Jefferson
  There are some ideas so wrong that only a very
  intelligent person could believe in them. George Orwell
 
 
 
 










Re: [Full-disclosure] IBM DeveloperWorks Pwned and Defaced

2011-01-08 Thread Mike Hale
http://ploader.net/files/ad1da891a1cef64466a7562879291c30.jpg

On Sat, Jan 8, 2011 at 11:23 PM, Cal Leeming [Simplicity Media Ltd] 
cal.leem...@simplicitymedialtd.co.uk wrote:

 Got a screenshot? I only see:

Our apologies

 The IBM developerWorks Web site is currently under maintenance.
 Please try again later.

 Thank you.


 On Sun, Jan 9, 2011 at 7:04 AM, Shinnok rayde...@yahoo.com wrote:

 http://www.ibm.com/developerworks/linux/library/l-proc.html  \^^

 Br,

 Shinnok

 http://twitter.com/raydenxy













Re: [Full-disclosure] Andrew Auernheimer (aka weev) wants his victim's to masturbate for him

2011-01-07 Thread Mike Hale
Jesus, you are such a troll.

On Fri, Jan 7, 2011 at 7:46 AM, Victor Rigo victor_r...@yahoo.com wrote:
same old useless crap


 Victor Rigo, CISSP
 Independent Computer Security Consultant
 Buenos Aires, AR
 +5411-4316-1901









Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

2010-12-10 Thread Mike Hale
In fact, I can just make the Domain Admin a guest on my workstation
if I want to and there is nothing they can do about it.
With the caveat that they can re-add themselves using GP anytime they
want...but you know.  I just wanted to throw that out there.

I think the key vulnerability in this is the non-repudiation one the
OP mentioned.  Being able to run stuff under the domain admin's
account is something a rogue user could potentially abuse.

I don't think this issue is particularly critical, but something a
good admin should be aware of, IMO.
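A defender's check for the exposure this thread argues about, added here as an example and not taken from the advisory or from any post in the thread: it reads the Winlogon CachedLogonsCount value (the count of domain logons kept in the SECURITY hive) and lists which domain principals sit in the local Administrators group, since that membership is what gives a Domain Admin rights on the box in the first place. It assumes Windows PowerShell 5.1 or later on a domain-joined workstation, run from an elevated prompt; the group names 'Domain Admins' and 'Enterprise Admins' are the built-in defaults and are a parameter.

```powershell
# Added example, not code from the thread or from the 2010-M$-002 advisory.
# Assumes Windows PowerShell 5.1+ (Get-LocalGroupMember) on a domain-joined
# workstation, run from an elevated prompt.
function Get-CachedDomainAdminExposure {
    [CmdletBinding()]
    param(
        # Domain groups whose members you do not want cached on a workstation.
        # Built-in default names; change them if your domain renames the groups.
        [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins')
    )

    # 1. How many domain logons does Winlogon keep in the SECURITY hive cache?
    #    The value is a REG_SZ; when it is absent Windows behaves as if it were "10".
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $raw = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
                -ErrorAction SilentlyContinue).CachedLogonsCount
    $cachedLogons = if ([string]::IsNullOrEmpty($raw)) { 10 } else { [int]$raw }

    # 2. Which domain principals are in the local Administrators group? As Thor
    #    notes in this thread, that membership is the only reason a Domain Admin
    #    is an admin here, and a local admin can add or remove it at will (GP can
    #    put it back, as Mike notes).
    $domainMembers = @(Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.PrincipalSource -eq 'ActiveDirectory' })

    # Names come back as DOMAIN\Group; compare only the part after the backslash.
    $privileged = @($domainMembers | Where-Object {
        $PrivilegedGroups -contains ($_.Name -split '\\')[-1]
    })

    [pscustomobject]@{
        ComputerName                  = $env:COMPUTERNAME
        CachedLogonsCount             = $cachedLogons
        DomainMembersOfLocalAdmins    = @($domainMembers.Name)
        PrivilegedGroupsInLocalAdmins = @($privileged.Name)
        # Both together are what let a local admin reach a cached domain-admin
        # logon: caching is on, and privileged accounts are expected to log on
        # here for administration. Either one alone is a lower-risk host.
        CachingEnabled                = ($cachedLogons -gt 0)
        PrivilegedAdminsExpected      = ($privileged.Count -gt 0)
    }
}

Get-CachedDomainAdminExposure | Format-List
```

Setting CachedLogonsCount to 0 removes the cache entirely, but it also breaks offline logon for laptops, so whether to do that per machine class is an operational decision this script only informs.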

On Thu, Dec 9, 2010 at 7:07 PM, Thor (Hammer of God)
t...@hammerofgod.com wrote:
 What do you mean by regular local administrator?  You're a local admin, or 
 you're not.  There are not degrees of local admin.  Why are you under the 
 impression that there are things on a local system that the local admin 
 should not have access to?  They can do anything they want to by design.  Are 
 you under the impression that the Domain Administrator has different 
 permissions on a local machine than the local administrator does?   The only 
 reason a Domain Admin has admin rights by default on a domain workstation is 
 because they simply belong to the local Administrators group.  If I, as a 
 local admin, remove the domain admin account from my local Administrators 
 group, then they will not be local admins.  In fact, I can just make the 
 Domain Admin a guest on my workstation if I want to and there is nothing 
 they can do about it.

 Sorry to be the bearer of bad news for you, but the local admin can do what 
 they want to by design, and there is nothing that was not intended by the 
 software developer here.  This is, of course, why the people at MSFT 
 dismissed it as noted.

 t

 -Original Message-
 From: StenoPlasma @ ExploitDevelopment 
 [mailto:stenopla...@exploitdevelopment.com]
 Sent: Thursday, December 09, 2010 6:13 PM
 To: Thor (Hammer of God); full-disclosure@lists.grok.org.uk
 Subject: RE: [Full-disclosure] Flaw in Microsoft Domain Account Caching 
 Allows Local Workstation Admins to Temporarily Escalate Privileges and Login 
 as Cached Domain Admin Accounts (2010-M$-002)

 T,

 My article describes how to use the SECURITY registry hive to trick the 
 Microsoft operating system into performing an action that has a result that 
 is not intended by the software developer.  This action is performed on the 
 Active Directory logon account cache that regular local administrators should 
 not have access to.  There are always other ways of doing things when it 
 comes to this type of work.


 Thank you,

 -
 StenoPlasma at ExploitDevelopment.com
 www.ExploitDevelopment.com
 -

  Original Message 
 From: Thor (Hammer of God) t...@hammerofgod.com
 Sent: Thursday, December 09, 2010 6:07 PM
 To: stenopla...@exploitdevelopment.com, full-disclosure@lists.grok.org.uk
 Subject: RE: [Full-disclosure] Flaw in Microsoft Domain Account Caching
 Allows Local Workstation Admins to Temporarily Escalate Privileges and Login
 as Cached Domain Admin Accounts (2010-M$-002)

 Why all the trouble?  Just change the log files directly when logged in
 as the local admin.  It's a whole lot simpler, and you don't even need the
 domain administrator to have interactively logged into your workstation.
 Or is your point that local administrators are, um, local administrators?

 t

 -Original Message-
 From: full-disclosure-boun...@lists.grok.org.uk
 [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of StenoPlasma @
 www.ExploitDevelopment.com
 Sent: Thursday, December 09, 2010 5:07 PM
 To: bugt...@securityfocus.com; full-disclosure@lists.grok.org.uk
 Cc: stenopla...@exploitdevelopment.com
 Subject: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows
 Local Workstation Admins to Temporarily Escalate Privileges and Login
 as Cached Domain Admin Accounts (2010-M$-002)
 

 ---
 www.ExploitDevelopment.com 2010-M$-002
 ---

 TITLE:
 Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins
 to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts

 SUMMARY AND IMPACT:
 All versions of Microsoft Windows operating systems allow real-time
 modifications to the Active Directory cached accounts listing stored on
 all Active Directory domain workstations and servers. This allows domain
 users that have local administrator privileges on domain assets to modify
 their cached accounts to masquerade as other domain users that have logged
 in to those domain assets. This will allow local administrators to
 temporarily escalate their domain privileges on domain workstations or 
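What a defender can check for on a workstation, given the preconditions the advisory above relies on (domain logons being cached locally, plus a privileged domain group sitting in the local Administrators group): an added PowerShell example, not code from the advisory or from anyone in the thread. It assumes an elevated session on a domain-joined Windows 10 / Server 2016 or later host (for the LocalAccounts module) and an illustrative list of privileged group names.

```powershell
# Added defender-side check; not from the advisory or any poster in the thread.
# Reports two preconditions for the issue described above:
#   1. domain logons are cached on this host (CachedLogonsCount > 0), and
#   2. a privileged domain group is a member of the local Administrators group,
#      so a privileged domain user who logs on interactively leaves a cached
#      entry that any local admin can reach.
# Assumptions: elevated PowerShell on a domain-joined Windows 10 / Server 2016+
# host; the group names in $PrivilegedGroups are illustrative defaults.

function Get-CachedLogonExposure {
    param(
        # Hypothetical list of domain groups whose members should never leave
        # cached credentials on ordinary workstations. Adjust for your domain.
        [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins')
    )

    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $item = Get-ItemProperty -Path $winlogon -Name 'CachedLogonsCount' -ErrorAction SilentlyContinue
    # CachedLogonsCount is stored as REG_SZ; Windows treats an absent value as 10.
    $cachedCount = if ($null -ne $item) { [int]($item.CachedLogonsCount) } else { 10 }

    $findings = @()
    if ($cachedCount -gt 0) {
        $findings += [pscustomobject]@{
            Check  = 'CachedLogonsCount'
            Detail = "Domain logons are cached locally (CachedLogonsCount = $cachedCount)."
            Advice = 'Lower the value (0 disables caching) on hosts where privileged domain accounts log on.'
        }
    }

    # Members of the local Administrators group, via the built-in LocalAccounts module.
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
    foreach ($m in $members) {
        # Name comes back as DOMAIN\Group; compare only the part after the backslash.
        $short = ($m.Name -split '\\')[-1]
        if ($m.PrincipalSource -eq 'ActiveDirectory' -and $PrivilegedGroups -contains $short) {
            $findings += [pscustomobject]@{
                Check  = 'LocalAdministrators'
                Detail = "$($m.Name) is a member of the local Administrators group."
                Advice = 'Keep privileged domain groups out of workstation Administrators; give admins separate, less privileged accounts for workstation logons.'
            }
        }
    }

    return $findings
}

# Usage: an empty table means neither precondition is present on this host.
Get-CachedLogonExposure | Format-Table -AutoSize -Wrap
```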

Re: [Full-disclosure] Congratulations Andrew

2010-06-25 Thread Mike Hale
That is too fucking funny.

Sometimes schadenfreude comes back to bite you in the ass.

On Thu, Jun 24, 2010 at 1:10 PM, Cody Robertson c...@hawkhost.com wrote:
 On 6/24/10 3:54 PM, T Biehn wrote:
 Ouch dude:
 http://www.cbc.ca/canada/toronto/story/2010/06/23/tor-g20-arrest.html

 Guess you ate a dick too.

 On Wed, Jun 16, 2010 at 7:05 PM, Byron Sonne blso...@halvdan.com wrote:

 Looks like Andrew/weev/n3td3v finally gets to do what he likes the most
 Performing fellatio on his fellow inmates
 http://www.theregister.co.uk/2010/06/16/auernheimer_arrested/

 Oh man, pretty sweet! I've been waiting years to see weev eat a dick,
 and the time has come at last.

 Maybe there is a god.

 --
     Byron L. Sonne :: blso...@halvdan.com :: www.halvdan.com
 gpg: 0x69D9EAA6, C651 EF07 1298 58B3 615D 4019 E196 BAE1 69D9 EAA6

 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.grok.org.uk/full-disclosure-charter.html
 Hosted and sponsored by Secunia - http://secunia.com/







 Oh wow, June 23rd?!





-- 
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0



Re: [Full-disclosure] A lot of people have labelled me a snitch, Mr Lamo told BBC News.

2010-06-07 Thread Mike Hale
Yeah, Lamo is a complete fucking douche.

That said...Manning is a complete and total moron.

*shakes head*



Re: [Full-disclosure] WTF eEye Really?

2010-05-04 Thread Mike Hale
Looks like he rewrote it and clarified what he meant to say.

I think this is a lesson on why you really should proofread stuff and
ask someone else to go over your writings before you publish
something.

On Mon, May 3, 2010 at 5:44 PM, Sec News secn...@gmail.com wrote:
 Did anyone else see this?

 http://blog.eeye.com/vulnerability-management/penetration-tools-can-be-weapons-in-the-wrong-hands
 
 Penetration Tools Can Be Weapons in the Wrong Hands
 Author: Morey Haber Date: May 3rd, 2010 Categories: Network Security,
 Vulnerability Management

 After a lifetime in the vulnerability assessment field, I’ve come to look at
 penetration testing almost as a kind of crime, or at least a misdemeanor.

 We enjoy freedom of speech, even if it breaks the law or license agreements.
 Websites cover techniques for jailbreaking iPhones even though it clearly
 violates the EULA for Apple's devices. Penetration tools clearly allow the
 breaking and entering of systems to prove that vulnerabilities are real, but
 clearly could be used maliciously to break the law.

 Making these tools readily available is like encouraging people to play with
 fireworks. Too bold of a statement? I think not. Fireworks can make a
 spectacular show, but they can also be abused and cause serious damage. In
 most states, only people licensed and trained are permitted to set off
 fireworks.

 Now consider a pen test tool. In its open form, on the Internet, everyone
 and anyone can use it to test their systems, but in the wrong hands, for
 free, it can be used to break into systems and cause disruption, steal
 information, or cause even more permanent types of harm.

 How many people remember the 80’s TV show Max Headroom? Next to murder, the
 most severe crime was if users illegally used information technology systems
 to steal information or make money. There was tons of security around these
 systems and even possession of tools to penetrate a system was a crime too.
 So what’s the difference?

 Yes, it is just a TV show but in reality today we are in effect putting
 weapons in people’s hands, not tracking them, and allowing them to use them
 near anonymously to perform crimes or learn how to perform more
 sophisticated attacks. It all comes back to the first amendment and Freedom
 of Speech. I can write a blog of this nature, state my opinion about how I
 feel about free penetration testing tools, and assure everyone that they
 need defenses to protect their systems, since free weapons are available
 that can break into your systems – easily.
 
 WOW - am I the only one to go WTF to this?  Talk about alienating your
 customers and shitting where you eat.
 And to think I used to be a fan...
 - Some anonymous ex-eEye fan






Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

2010-04-27 Thread Mike Hale
Your comparison doesn't work.

It's not A versus B, it's A versus C, with C being "Company does
nothing because it can't afford a thorough security program."

On Mon, Apr 26, 2010 at 2:07 PM, Michel Messerschmidt
li...@michel-messerschmidt.de wrote:
 On Mon, Apr 26, 2010 at 06:02:48AM -0700, Shaqe Wan wrote:
 I am not stating that PCI is good in no way, but I am saying that it's a MUST 
 for companies dealing with CC. And in a Windows environment, an AV is 
 important.

 Did you consider that an anti-virus may actually be the worst security
 solution for certain threats because it allows companies not to think
 about security while providing insufficient protection?

 What's your choice:
 Company A installs an anti-virus and updates it regularly (BTW regularly
 includes once a year).
 Company B has a recovery concept, incident response team, vulnerability
 monitoring, patch management, NIDS, security training but no anti-virus.

 He probably thought that I am with the rules of PCI, or that I don't have 
 any idea that the world is not just WINDOWS !!!

 No, I don't think so.







Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

2010-04-27 Thread Mike Hale
-they are arguing for the fun of it without any real arguments (why else
prove me right on my arguments and later on deny it?)

So you fall into this category?
On Tue, Apr 27, 2010 at 1:22 AM, Christian Sciberras uuf6...@gmail.com wrote:

 In short, you just said that PCI compliance _is_ a waste of time and money.

 Why else would you protect something which is bound to fail anyway?!

 This is a lost battle, as I said, no one cares about the arguments because
 these people fall into three categories:
 -they believe the illusion that PCI by itself enhances security
 -they do their job and don't give a f*ck about it
 -they are arguing for the fun of it without any real arguments (why else
 prove me right on my arguments and later on deny it?)






 On Tue, Apr 27, 2010 at 10:03 AM, Shaqe Wan sh...@yahoo.com wrote:

  You won't know, not now, not ever. Maybe they do get a commission for
 your AV installation, who knows! But maybe they think it is something that
 everybody needs, so they force it. To get to know the true answer, we need to
 sit down with the guys who wrote the requirements and brainstorm with them
 those issues. We shall keep just running around and around in a circle here,
 because no one here, if no CC company guy is around, can give a definite
 answer. Just our simple arguments!

 As I said before, I have to use it on a Windows box, because it's a
 requirement, it's not my opinion at all.

 I 100% agree with you that most of the companies seek the paperwork and
 get PCI certified and don't really bother about true security measures, but
 in the end if a breach is discovered they are the ones who shall get the
 penalty in the face, not us :)

 NB: I don't use an AV, never did, and never will :p

 Regards,

  --
 *From:* Christian Sciberras uuf6...@gmail.com
 *To:* Shaqe Wan sh...@yahoo.com
 *Cc:* full-disclosure@lists.grok.org.uk
 *Sent:* Tue, April 27, 2010 10:37:24 AM

 *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

 Surely being forced to install an anti-virus only brings in a monopoly?
 How do I know that PCI Standards writers are getting a nice commission off
 me installing the anti-virus? (I know they don't, I'm just hypothesizing).

 You stated it yourself, an anti-virus may not make any difference, it is
 there as per PCI standard. So what is its use? Why the heck do I have to
 install something useless?

 Lastly, that is where you are wrong, there is no base starting point:
 companies don't give a shit about proper security measures, they get
 PCI-certified and all security ends there.
 That is the freaken problem.

 NB: I do use anti-virus software, what I specified above is not in any way
 my opinion about anti-virus vendors, etc.







 On Tue, Apr 27, 2010 at 9:25 AM, Shaqe Wan sh...@yahoo.com wrote:

  Hi,

 I don't actually believe there is a democratic society. No such thing
 exists. If it does? Then ask the organizations who made the compliance
 requirements to drop them and make audits based on some other measure that you
 believe is more secure and has fewer flaws in it. Finally, regarding the AV
 issue that I wish to end here, is that I don't believe that an AV shall make
 your box secure, but it's a requirement to be done - Added by PCI

 And yes I have noticed that FD is for such security measures discussion,
 but never thought of joining it and discussing with others until a couple of
 days ago when I saw this topic.

 Finally, the compliance can be taken as a base starting point, and
 then moving further, like that it shall not be a waste of money !

 Regards,


  --
 *From:* Christian Sciberras uuf6...@gmail.com
 *To:* Shaqe Wan sh...@yahoo.com
 *Cc:* full-disclosure@lists.grok.org.uk
 *Sent:* Tue, April 27, 2010 9:59:59 AM

 *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

 Perhaps you haven't noticed, this is Full-Disclosure, which, at least, is
 used to discuss security measures.
 As such, it is only natural to argue about PCI's possible security flaws.

 Besides, in a democratic society (where CC do operate as well), you can't
 force someone to install an anti-virus just because _you_ think it is
 secure.

 The argument where compliance is wasted money still holds.

 Cheers.




 On Tue, Apr 27, 2010 at 7:36 AM, Shaqe Wan sh...@yahoo.com wrote:

  Hola,

 The problem is not whether they are educated against other standards or
 policies or not, the problem is that without this compliance you can't work
 with CC !!! It's something that is enforced on you !

 BTW: why don't people discuss what points are missing in the PCI
 Compliance rather than this argument ?

 Regards,


  --
 *From:* Christian Sciberras uuf6...@gmail.com
 *To:* Shaqe Wan sh...@yahoo.com
 *Cc:* full-disclosure@lists.grok.org.uk
 *Sent:* Mon, April 26, 2010 4:19:27 PM

 *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study
 Finds

 OK.

 All those in favour of 

Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

2010-04-27 Thread Mike Hale
Point is, you're arguing for the sake of arguing, as you have no
understanding of what PCI is, based on your own admission.

On Tue, Apr 27, 2010 at 7:51 AM, Christian Sciberras uuf6...@gmail.com wrote:

 Nice way of reading whatever feels right to you. Perhaps you'd have better
 read what I wrote a few lines before that?







Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

2010-04-27 Thread Mike Hale
Actually, you're right.  You're not the one who said that, I apologize.

But I maintain that you're arguing over something that you don't
understand.  You took one section (the anti-virus one) and got your panties
in a bunch over a security standard that says you *should* run anti-virus.
You completely ignored that PCI allows you to have compensating controls in
place for virtually any requirement.

On Tue, Apr 27, 2010 at 8:07 AM, Christian Sciberras uuf6...@gmail.com wrote:

 based on your own admission

 On whose admission? Perhaps you should bother to cite sources next time?
 And, how is quoting me in a different argument your point?







Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

2010-04-27 Thread Mike Hale
The point is, what's PCI aiming at?
It's aiming for a basic level of security among companies that process
credit cards.  Nothing more.  You have to remember that PCI didn't come
about in a vacuum.  It was created to solve a specific problem that the
major credit cards faced in regards to the security posture of their
processors.

The two alternatives for the Payment Card Industry are:
1)  The base level of security specified by PCI
2)  No base level of security, with most companies not implementing any
security whatsoever.

PCI does not stop a company from enacting stricter and better security
controls.  If your internal security is better than what PCI specifies, but
you do not meet one of the requirements, you use the compensating control
mechanism to justify it.

For the record, I apologize for the 'panties in a bunch' comment.  I lost
track of who said what, and you did not bring up the AV stuff.  Haven't had
my coffee yet...  ;)

On Tue, Apr 27, 2010 at 8:33 AM, Christian Sciberras uuf6...@gmail.com wrote:

 My point isn't about a particular section, nor about the amount of
 experience I have in PCI DSS compliance (which is next to novice).
 The point is, what's PCI aiming at?
 Real security, or just a way companies can excuse their incompetence by
 citing full PCI compliance?
 Which reminds me, it wasn't I that brought anti-viruses to the discussion.

 Cheers.






Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

2010-04-26 Thread Mike Hale
Then, as I said, the PCI requirements are total nonsense...
You say this based on absolutely zero understanding of what the
requirements are, by your own admission?

On Sun, Apr 25, 2010 at 8:40 PM, Nick FitzGerald
n...@virus-l.demon.co.uk wrote:
 Tracy Reed to me:

  Anyone authoritatively stating that antivirus software is a necessary
  component of a reasonably secure system is a fool.

 No, they just think all the world is Windows.

 My comments were, and still are, OS agnostic.

 It matters not what the OS -- anyone authoritatively stating that
 antivirus software is a necessary component of a reasonably secure
 system is a fool.

 Ditto my second comment...

  So _if_, as you and another recent poster strongly imply, the PCI
  standards include a specific _requirement_ for antivirus software, then
  the standards themselves are total nonsense...

 PCI only requires antivirus for systems commonly affected by
 viruses.  ...

 Then, as I said, the PCI requirements are total nonsense...

 ...  This means Windows. PCI security council has said that UN*X
 OSs etc. are not required to have antivirus.

 So what system and application integrity requirements do they require
 for those OSes (presumably instead of antivirus)?

 Your response strengthens my belief that PCI is dangerous because it
 enshrines small-minded ignorance as best practice (or, at least, as
 minimally acceptable practice) without recognizing the possibility
 that there may be better options that have not been so, ummm over
 sold as to become perceived as necessary.



 Regards,

 Nick FitzGerald








Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

2010-04-24 Thread Mike Hale
Uhm.. No
Uhm, yes?

It's a 'hassle' if:
You don't have a firewall.
You use default passwords.
You don't protect stored data.
You don't encrypt that data in transit.
You don't use antivirus.
You don't restrict data access.
You don't use unique logins.
You don't log stuff.
You don't test your security regularly.
You don't have an information security policy.

Seriously dude?  It's a hassle?

If you run a secure network, it's cake.  If you don't, it's a very
necessary hassle.

On Fri, Apr 23, 2010 at 3:01 PM, Christian Sciberras uuf6...@gmail.com wrote:
..
-- 
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0



Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

2010-04-23 Thread Mike Hale
Their conclusions are based, IMO, on a flawed methodology.

With some conservative assumptions, the paper indicates that companies
actually spend 50% of their budget protecting secrets versus 20% on
complying with external regulations.

I wrote up a more thorough response which I'll post in a few days when
I've proof-read it some more.

On Thu, Apr 22, 2010 at 4:48 PM, Christopher Gilbert mot...@gmail.com wrote:
 The paper concludes that companies are underinvesting in--or improperly
 prioritizing--the protection of their secrets. Nowhere does it state that
 the money spent on compliance is money wasted.

 On Wed, Apr 21, 2010 at 5:44 PM, Mike Hale eyeronic.des...@gmail.com
 wrote:

 I find the findings completely flawed.  Am I missing something?





-- 
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0



Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

2010-04-23 Thread Mike Hale
Look at the PCI requirements.

What's unreasonable about them?  Which portions are *NOT* part of
having a secure network?

If you strive for security, and weave that into your network,
complying with PCI should be cake.

On Fri, Apr 23, 2010 at 10:40 AM, Stephen Mullins
steve.mullins.w...@gmail.com wrote:
I don't see what the hubbub is

 Some people in the information security industry actually care about
 securing systems and the information they contain rather than filling
 in check boxes.  Compliance may ensure a minimum standard is met, but
 it does not ensure or imply that real security is being maintained at
 an organization.

 As you say, PCI has become a cost of doing business whereas having a
 secure network is apparently not a cost of doing business.  This is a
 problem.

 Crazy notion, I know.

 On Fri, Apr 23, 2010 at 1:18 PM, Thor (Hammer of God)
 t...@hammerofgod.com wrote:
 How can you say it is “wasted”? It doesn’t matter if you are a “fan” of it
 or not, in the same way that it doesn’t matter if you are a “fan” of the 4%
 surcharge retail establishments pay to accept the credit card as payment.
 Using your logic, you would say it is “wasted money,” and might bring into
 question the “value” of the surcharge, etc.  It is simply a cost of doing
 business.



 If you choose to offload processing to a payment gateway, then that will
 also incur a cost.  Depending on your volume, that cost may or may not be
 higher than you processing them yourself while complying with standards.  The
 implementation of actual security measures will be different.  But you can’t
 “handle” credit cards in the classic sense of the word without complying
 with PCI.  If you pass along the transaction to a gateway, you are not
 handling it.  If you DO handle it, then you have to comply with PCI.  If you
 process less than 1 million transactions a year, you can “self audit.”  If
 you process more, you have to be audited by a PCI auditor.



 None of this MEANS you are secure, it means you comply.  If you don’t like
 PCI, then don’t process credit cards, or come up with your own.  I still
 don’t really see what all the hubbub is about here.



 t



 From: Christian Sciberras [mailto:uuf6...@gmail.com]
 Sent: Friday, April 23, 2010 9:29 AM
 To: Thor (Hammer of God)
 Cc: Christopher Gilbert; Mike Hale; full-disclosure;
 security-bas...@securityfocus.com
 Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds



 it is simply part of the cost of doing business in that market.
 A.k.a. wasted money. Truth be told, I'm no fan of PCI.
 Other companies get the same functionality (accept the storage of credit
 cards) without worrying about PCI/DSS (e.g. through Payment Gateways).
 In the end, as a service, what do I want, an inventory of credit cards, or a
 stable payment system? The latter I guess.
 As to security, it totally depends on implementation; one can handle credit
 cards without the need of standards compliance.

 My two cents.

 Regards,
 Christian Sciberras.


 On Fri, Apr 23, 2010 at 6:07 PM, Thor (Hammer of God) t...@hammerofgod.com
 wrote:

 Another thing that I think people fail to keep in mind is that when it comes
 to PCI, it is part of a contractual agreement between the entity and card
 facility they are working with.   If a business wants to accept credit cards
 as a means of payment (based on volume) then part of their agreement is that
 they must undergo compliance to a standard implemented by the industry.  I
 don’t know why people get all emotional about it and throw up their hands
 with all the “this is wasted money” positioning – it’s not wasted at all; it
 is simply part of the cost of doing business in that market.



 t



 From: full-disclosure-boun...@lists.grok.org.uk
 [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Christopher
 Gilbert
 Sent: Thursday, April 22, 2010 4:48 PM
 To: Mike Hale
 Cc: full-disclosure; security-bas...@securityfocus.com
 Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds



 The paper concludes that companies are underinvesting in--or improperly
 prioritizing--the protection of their secrets. Nowhere does it state that
 the money spent on compliance is money wasted.

 On Wed, Apr 21, 2010 at 5:44 PM, Mike Hale eyeronic.des...@gmail.com
 wrote:

 I find the findings completely flawed.  Am I missing something?




Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

2010-04-22 Thread Mike Hale
I actually disagree with the conclusions presented by this paper.  I'm
in the process of writing up a more thorough explanation, but my main
issue lies with their key finding on compliance spending.

According to the paper, roughly 40% is spent on directly securing
secrets, and another 40% is spent on compliance of some type.  They
further suggest that half of this compliance spending is spent on
internal compliance, and half on regulatory/external compliance.

Internal security policies are designed to protect the network and the
company's data.  Therefore, reason would dictate that spending on
internal compliance is money spent on securing your secrets (a
fraction of that spending, anyway).  Is it unreasonable to assume that
half of the money spent on compliance with internal policies positively
affects security of your data?

I find the findings completely flawed.  Am I missing something?

-- 
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
