Re: [funsec] Important Service Announcement
On Thu, 05 Mar 2015 20:31:50 +, Kain, Rebecca (.) said:
> Back when I was young, we got our p0rn via uuencode and we liked it!

Many moons ago, I got a trouble ticket about a user who had 2 complaints:

1) Their mail would take forever to send.
2) My Listserv server was rejecting even short messages with a "message too large" error.

And lo and behold, where you'd expect a .sig block, there was:

begin 644 qzdf.gif

followed by lots of uuencoded data. When extracted, it depicted several people engaging in something that I'm *still* convinced is anatomically improbable.

So I send the user a polite note to check their config carefully, as it appears that their .sig block was the cause of the problem. About 45 minutes later, I get a reply from the user, sans .sig block, saying just "Be right back - need to go kill the asshole roommate."

pgprqc8MvGM7E.pgp
Description: PGP signature
___
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
Re: [funsec] Waste four and a half minutes of your time
On Fri, 27 Feb 2015 20:29:59 +, Sam Finnemore said:
> It begs the question, how on *earth* did we make it to the top of the food chain? We're the only species that can get "high speed chase" and "Yakkity Sax" into the same sentence.

Because let's face it, we really don't have anything else going for us than the mental ability to make sentences like that.
Re: [funsec] Net-connected Barbie?
On Tue, 17 Feb 2015 14:57:04 -0800, Rob, grandpa of Ryan, Trevor, Devon Hannah said:
> Then what kind of algorithm is being used to feed jokes and games? There wouldn't be *any* possibility that someone could tweak the agenda here, is there? No possibility of propaganda aimed at the kids?

Harry Harrison wrote "I Always Do What Teddy Says" back in 1965.
Re: [funsec] Don't mess with Canadians carrying sticks ...
On Wed, 22 Oct 2014 21:36:16 -0400, Jeffrey Walton said:
> Given that some politicians are more dangerous than terrorists, and we kill terrorists, then what should be done with politicians who commit crimes against the democracy and the citizens?

They should either lose elections, or they should end up in a criminal court and be given a fair trial, no matter *how* big a scum they are. Saying that it's OK for random vigilantes to shoot at them means you've basically given up the idea of the rule of law.
Re: [funsec] Don't mess with Canadians carrying sticks ...
On Wed, 22 Oct 2014 17:02:14 -0400, Jeffrey Walton said:
> Politicians are usually corrupt to the core. They are more than happy to take money and peddle influence. I'd much rather see a politician killed, and I'm not sure I would bestow honors on someone who stopped it...

Would you bestow honors on the guys who stopped John Hinckley Jr. before he managed to get another bullet into Reagan? How about if somebody had stopped Lee Harvey Oswald, or the guys who shot Gandhi and Benazir Bhutto?

Yes, many of them *are* corrupt, but jumping from there to "Every single one of them is so corrupt that they don't deserve an attempt to stop an assassination" shows something pretty sad about you. If nothing else, remember that most of them have families that will grieve.

Those politicians need to lose an election. Not a life.
Re: [funsec] Fake Cell Phone Towers Discovered Grabbing Signals
On Tue, 09 Sep 2014 09:23:53 +0200, PsychoBilly said:
> The fake towers force phones to slow down to 2G from 4G, so a sudden decrease in download speed may be a clue that a phone is being tapped.
>
> That's a f#ing hilarious statement...

You'd be amazed what you can use to detect that somebody is trying something nefarious. Some co-workers of mine wrote code that was not only able to tell when a mobile device was being hit with an nmap scan or other attack, but identify what sort of nmap scan or attack it was...

... based on the drain pattern on the device battery.

http://www.security.vt.edu/security_lab/publications.html and look at the battery stuff down towards the bottom.
Re: [funsec] Weather forecasts XOR wind power ...
On Wed, 13 Aug 2014 12:10:37 -0700, Rob, grandpa of Ryan, Trevor, Devon Hannah said:
> http://www.cbc.ca/news/technology/radar-software-may-fix-weather-forecast-issues-caused-by-wind-farms-1.2735138

Right up there with the mayfly blossom the other week that registered as a hailstorm on the radar.

> Sorry, but I find this completely predictable. In fact I strongly suspect a large scale wind farm would modify the weather, since you are harvesting the energy in weather systems (albeit relatively close to the ground ...)

Almost certainly *not* enough to make a significant difference. A single medium-sized thunderstorm can release 10^15 joules of energy, which works out to about 300 gigawatt-hours. Assuming a 2 hour lifespan, that's a power release of about 150 gigawatts. The biggest wind farms out there are about 1 gigawatt, and most large farms are closer to 300 megawatts. Somehow, I doubt that sucking out 0.2% of the energy is going to make a hill of beans difference.

http://en.wikipedia.org/wiki/List_of_onshore_wind_farms
Re: [funsec] Chip based on human brain
On Fri, 08 Aug 2014 12:07:37 -0800, Rob, grandpa of Ryan, Trevor, Devon Hannah said:
> Is programming these things going to be more akin to psychoanalysis?

Debugging large server clusters is already halfway there.
Re: [funsec] Driverless cars could be lethal - FBI
On Sat, 19 Jul 2014 15:44:45 -0700, Rob, grandpa of Ryan, Trevor, Devon Hannah said:
> http://www.bbc.com/news/technology-28344219
>
> Seems to me that nobody in the FBI is reading the traffic fatality statistics obtained on cars driven by humans. (OK, yes, the feebies seem to be concerned about automated cars that allow the passenger to shoot back at you. But isn't that already happening anyway?)

And, under the heading "Multitasking", the FBI said that "bad actors will be able to conduct tasks that require use of both hands or taking one's eyes off the road which would be impossible today". That raised the prospect that suspected criminals would be able to fire weapons at pursuing police cars.

Drivers are apparently already quite capable of applying lipstick, shaving, and updating spreadsheets in rush-hour traffic; I'm not seeing any new threats here?
Re: [funsec] US capitol not in US, according to TSA
On Fri, 18 Jul 2014 11:29:16 -0400, Jeffrey Walton said:
> Potomac. Maybe he was hoping it swallowed all the assholes in Washington and reverted back to the swamp ;)

And you thought the marshes near Chernobyl were a toxic waste site.
Re: [funsec] Computing student jailed after failing to hand over crypto keys
On Thu, 10 Jul 2014 02:03:43 -, Blanchard, Michael (InfoSec) said:
> So, just for debate... The 5th protects us from handing over passwords. So they ask for decrypted data to be handed over. Wouldn't that be a 5th amendment violation as well?

Keep in mind that the story is from England, which doesn't have a 5th Amendment (or a 4th, for that matter).

And a lot of the current fuss in US case law on the subject actually does revolve around whether requiring somebody to cough up a password is more akin to producing a physical key for a padlock and covered by the 4th, or whether it's compelling a statement and thus covered by the 5th. (The problem is that the ground rules for a DA to force a statement and to force production of a key are quite different.)
Re: [funsec] US capitol not in US, according to TSA
On Thu, 17 Jul 2014 23:23:37 -0400, Bill Terwilliger said:
> The comment about smart people being involved is a bit presumptive. Geography knowledge may or may not be an indicator of intelligence but I somehow doubt that lack of it is an indicator of stupidity.

OK. I admit *I* don't know what a DC driver's license looks like either. But give me a *break*:

"When Gray handed the man his driver's license the agent demanded to see Gray's passport. Gray told the agent he wasn't carrying his passport and asked why he needed it. The agent said he didn't recognize the license. Gray said he asked the agent if he knew what the District of Columbia is, and after a brief conversation Gray realized the man did not know."

OK? The TSA guy *did not understand that DC is part of the US*. Which means the TSA's vetting process for employees is so weak that they'll hire *people who don't know where the fuck the capital of their own country is*.

Now think *real* hard - would *you* hire a security guard who didn't even understand that Washington DC is our nation's capital?
[funsec] Crap. Why didn't I think of that?
Oy. Vey.

A study done by Carnegie Mellon University examines the cost for an attacker to pay users to execute arbitrary code - potentially malware. Users at home are asked to download and run an exe without being told what it did and without any way of knowing it was harmless. Each week they increase the payment.

The study observed that for payments as low as $0.01, 22% of the people who viewed the task ultimately ran the executable. Once increased to $1.00, this proportion increased to 43%. As the price increased, more and more users who understood the risks ultimately ran the code.

They conclude that users are generally unopposed to running programs of unknown provenance, so long as their incentives exceed their inconvenience.

http://www.spywarenews.org/easiest-way-to-get-people-to-install-malicious-software-is-to-pay-them/
Re: [funsec] LinkedIn to face customer lawsuit over email addresses -- itnews.com.au
On Mon, 16 Jun 2014 10:17:32 -0700, Steve Pirk said:
> I keep putting off deleting my LinkedIn account. If they can blow off any security concerns with this app, then they are quite clueless or evil, take your pick.

I posit that anybody who hasn't already made up their minds regarding PlinkedIn's cluelessness or evilness is probably best described by either the phrase "total noob" or "paid apologist".
Re: [funsec] I made Obama's BlackBerry
On Wed, 28 May 2014 06:59:10 -0400, Rich Kulawiec said:
> [1] Please. No whining. Steve Miller once rhymed "Texas" and "facts is".

The dude also thinks that "pompetus" is a word.
Re: [funsec] We're in for it now ...
On Wed, 28 May 2014 16:59:41 -0700, Rob, grandpa of Ryan, Trevor, Devon Hannah said:
> http://www.sciencedaily.com/releases/2014/05/140528163739.htm
>
> People with high levels of cynical distrust may be more likely to develop dementia.

So being a realist makes you eventually go crazy? :)
Re: [funsec] Interesting twist on intellectual property law
On Sat, 22 Mar 2014 12:53:36 -0700, Rob, grandpa of Ryan, Trevor, Devon Hannah said:
> The trick can't be protected, but the performance can. [2]
>
> [2] - Normally I'm not on the side of IP protection, but I find this an intriguing legal argument.

That's been baked into US copyright law since the beginning - an idea can't be copyrighted, but an instantiation or performance can. The murky part is deciding if a claimed infringement is based on an idea or on a specific instance of it - you can rack up a lot of billable hours deciding whether a story is based on a trope like "young girl treated horribly by wicked stepmother until saved by prince", or whether you've included too many story elements from Disney's version of Cinderella. Similarly, you're allowed to draw pictures of "young boy with animated stuffed animal", but if it looks too much like Calvin and Hobbes or either the A.A. Milne or Disney versions of Winnie the Pooh, you may want legal advice.
Re: [funsec] Obfuscation = cryptography?
On Mon, 03 Feb 2014 16:28:28 -0800, Rob, grandpa of Ryan, Trevor, Devon Hannah said:
> OK, I'll admit that the math in this type of paper is completely beyond me.
>
> http://www.wired.com/wiredscience/2014/02/cryptography-breakthrough/
>
> But, hasn't he, or any of his friends, paid any attention to malware in the past two decades? There is plenty of obfuscation out there. (Most of it does what his program does: turn little programs into bloated monsters.)

The guy's an academic. He's focusing on what's theoretically possible, not what makes sense out in the real world. Two main reasons it will never fly:

1) The performance hit. It will *by definition* be excessive for production use - because if it was cheap (say, a 2X to 10X hit), it would be easy to reverse engineer (note that we *can* RE the current class of obfuscated malware).

2) The debugging hit. It's hard enough to figure out why software crapped out - this would make it even harder.
Re: [funsec] Job Security!!!!
On Wed, 29 Jan 2014 09:00:23 -0800, Rob, grandpa of Ryan, Trevor, Devon Hannah said:
> Apparently the new Cisco annual security report for 2014 says that some time this year the industry will be short more than a million security professionals. (I'd break out the champagne, except that I recall a Gartner report from a decade ago that said the US alone would need a quarter million CISSPs as of that time.)

Apples, Oranges. Security professionals, CISSPs.
Re: [funsec] Invitation to connect on LinkedIn
On Wed, 08 Jan 2014 18:38:19 -0500, Jeffrey Walton said:
> Thanks, kind of interesting, considering the officers control and steer the organization. Have you been following this (trying to remove an NSA co-chair due to the surreptitious sabotaging of standards): "NSA co-chair claimed sabotage on CFRG list/group", http://lists.randombit.net/pipermail/cryptography/2014-January/006136.html and "ECC patent FUD revisited", http://lists.randombit.net/pipermail/cryptography/2014-January/006108.html.

OK.. I took a sick day, and I'm insufficiently caffeinated, but I'm missing the ISC2 connection there?
Re: [funsec] It's ... SUPER-USER!
On Fri, 30 Aug 2013 15:20:52 -0700, Rob, grandpa of Ryan, Trevor, Devon Hannah said:
> According to the NSA, NOBODY could stop Snowden, he was A SYSADMIN!

If they were using SELinux with the MLS policies, even as sysadmin he couldn't have done that stuff without being detected, because the sysadmin user and the audit/security user are two separate roles, and sysadmin can't touch the audit logs nor can they su to 'audit'.

Maybe they should go talk to the people who developed SELinux. Oh wait...
Re: [funsec] Explosive breast implants
On Tue, 20 Aug 2013 09:53:52 -0400, Stephanie Daugherty said:
> And the real reason airliners aren't being attacked anymore probably has more to do with the passengers than the added security. Post 9/11, the passengers will beat someone to a pulp before they can even think about doing anything funny...

Bruce Schneier says that attitude change and hardening the cockpit doors are the only two effective aircraft security changes we've had post-9/11.
Re: [funsec] Encryption is less secure than we thought
On Fri, 16 Aug 2013 21:58:10 +0200, Daniël W. Crompton said:
> http://www.mit.edu/newsoffice/2013/encryption-is-less-secure-than-we-thought-0814.html
>
> What do you think?

It's an interesting result, but not likely to make much real difference. Basically, they're pointing out that most estimates of a crypto system's strength assume that keys are basically white noise, while in practice they're usually colored noise, and you can leverage the difference to make it a bit easier to crack.

Of course, this is basically what password cracking programs have been doing for decades now, when they apply heuristics to what passwords and variations to try first.
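An added illustration of the white-noise versus colored-noise point in the reply above (example code written for this page, not code from the MIT paper, from the list or from any library): it enumerates every key a short i.i.d. key source can produce, computes the Shannon entropy, and then counts how many guesses an attacker who tries the most probable keys first needs to reach a 50% chance of success. The four-symbol alphabet, the 0.7/0.1/0.1/0.1 symbol probabilities and the key length of 8 are constructed toy values; the function names are this example's own. For a uniform source the "uniform over 2^H keys" estimate is exact; for the skewed source the real guess count comes out well below it, which is the gap a guesser exploits.

```python
"""Added illustration: why a "key bits" figure derived from Shannon entropy
can overstate the number of guesses an attacker needs when keys are not
uniformly distributed (the "white noise" assumption).

Example code written for this page, not code from the MIT paper or any
library. The alphabet, symbol probabilities and key length below are
constructed toy values chosen so the whole key space can be enumerated."""
import math
from itertools import product


def key_distribution(symbol_probs, length):
    """Exact probability of every key built from `length` i.i.d. symbols.

    Returns one probability per key (unsorted); for a 4-symbol alphabet and
    length 8 that is 4**8 = 65536 keys."""
    probs = []
    for key in product(range(len(symbol_probs)), repeat=length):
        p = 1.0
        for symbol in key:
            p *= symbol_probs[symbol]
        probs.append(p)
    return probs


def shannon_entropy_bits(probs):
    """Shannon entropy, in bits, of a distribution given as probabilities."""
    return -sum(p * math.log2(p) for p in probs if p > 0)


def guesses_for_success(probs, target):
    """Guesses needed to succeed with probability >= `target` when the
    attacker tries keys in descending order of probability."""
    cumulative = 0.0
    for count, p in enumerate(sorted(probs, reverse=True), start=1):
        cumulative += p
        if cumulative >= target:
            return count
    return len(probs)


def expected_guesses(probs):
    """Mean number of guesses (the classic 'guesswork') for the same
    most-probable-first strategy; dominated by the long tail of rare keys."""
    return sum(i * p for i, p in enumerate(sorted(probs, reverse=True), start=1))


def compare(symbol_probs, length, target=0.5):
    """Return the entropy, the guess count a 'uniform over 2**H keys' model
    predicts for `target`, the true guess count, and the mean guesswork."""
    probs = key_distribution(symbol_probs, length)
    h = shannon_entropy_bits(probs)
    return {
        "entropy_bits": h,
        "naive_guesses": math.ceil(target * 2 ** h),
        "actual_guesses": guesses_for_success(probs, target),
        "mean_guesses": expected_guesses(probs),
    }


if __name__ == "__main__":
    LENGTH = 8
    SOURCES = {
        "uniform": [0.25, 0.25, 0.25, 0.25],  # the "white noise" key
        "skewed": [0.7, 0.1, 0.1, 0.1],       # constructed "colored" source
    }
    for name, dist in SOURCES.items():
        r = compare(dist, LENGTH)
        print(f"{name:8s} H={r['entropy_bits']:6.2f} bits  "
              f"naive 50% guesses={r['naive_guesses']:6d}  "
              f"actual={r['actual_guesses']:6d}  "
              f"mean={r['mean_guesses']:8.1f}")
```

The skewed source has about 10.85 bits of Shannon entropy, so the naive model predicts roughly 926 guesses for a coin-flip chance of success, while the ordered guesser needs 233. The mean guesswork for the same source is larger than the naive figure because it is dominated by the tail of unlikely keys; that is why an attacker's success probability under a fixed guess budget, rather than the average, is the quantity to model when keys are not uniform.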
Re: [funsec] How *NOT* to handle incorrect passwords ...
On Thu, 25 Jul 2013 10:59:55 -0700, Rob, grandpa of Ryan, Trevor, Devon Hannah said:
> https://twitter.com/cjcheshire/status/360326695137468416/photo/1
>
> Virgin Atlantic feels that it is a good idea to provide the failed password, in plain text, in the URL when you try for a reset ...

Just be glad it isn't the correct password, helpfully provided for your second attempt.
Re: [funsec] Huawei
On Mon, 22 Jul 2013 18:47:33 -0600, Bruce Ediger said:
> On Mon, 22 Jul 2013, Rob, grandpa of Ryan, Trevor, Devon Hannah wrote:
>> "Huawei Is a Security Threat and There's Proof, Says Hayden"
>>
>> However, they are not going to tell you what the proof is.
>
> I assumed that because it was Hayden, that was just more "Let's keep the Cyberwar Boogieman going, because otherwise, how will we keep the pig's trough with taxpayer dollars?"

Either that, or he simply didn't get the memo?

http://www.propublica.org/article/nsa-says-it-cant-search-own-emails
Re: [funsec] We know where you are. And where you've been ...
On Thu, 18 Jul 2013 16:49:09 -0400, Joel Esler said:
> License plates are not private information.

Yes. But does the location of the car they're attached to count as private info? Is it legitimate to use massive amounts of cameras to end-run the court cases where a warrant was required to use a GPS tracker? How is using cameras instead of a GPS different?
Re: [funsec] Mailer Software that inserts X-NSCC header?
On Tue, 25 Jun 2013 05:54:59 -0400, Rich Kulawiec said:
> a) Inserting headers into the canned meat products of the Hormel Corporation would be a very neat trick.

How do you know that Hormel isn't already doing that? Consider what they *do* put in there.. :)
Re: [funsec] The ultimate illegible PowerPoint slide!
On Thu, 20 Jun 2013 11:49:46 -0700, Rob, grandpa of Ryan, Trevor, Devon Hannah said:
> http://www.gartner.com/technology/research/digital-marketing/transit-map.jsp

Am I the only one bothered by the fact there's a Pink Line that's unidentified?
Re: [funsec] The ultimate illegible PowerPoint slide!
On Thu, 20 Jun 2013 17:51:36 -0500, RL Vaughn said:
>> http://www.gartner.com/technology/research/digital-marketing/transit-map.jsp
>
> I am color blind. Are you talking about the pink line labeled "Commerce" or the pink line labeled "MKTG MGMT"?

I mean the one that *would* be "Ad Technology" if it was wired up correctly and not permanently greyed out... (at least it is in Firefox).
Re: [funsec] Former DOJ Prosecutor Files $3 Billion Suit Against Obama, Holder, NSA, Verizon Over PRISM
On Sat, 15 Jun 2013 20:55:25 -0400, Jeffrey Walton said:
> https://www.google.com/#q=Larry+Klayman+lawsuit+prism
>
> All the references are non-mainstream (Washington Post, NY Times, and other mainstream outlets have not picked up the story yet).

This will almost certainly go nowhere, for the exact same reason that most of the lawsuits about warrantless spying went nowhere - nobody can show proof they were actually spied on and therefore have standing to sue as a plaintiff who was spied on. Every single one of the warrantless spying cases went bye-bye except for one law firm that got hold of an accidentally released document showing that they were in fact targeted.
Re: [funsec] 1984 sales spike
On Fri, 14 Jun 2013 17:51:35 -, Blanchard, Michael (InfoSec) said:
> But it's THEIR country to deal with but more so,

You know... my grandfather left Latvia because doing so was a lot easier than staying there and trying to avoid being either shot or sent to Siberia, because there really wasn't much he could actually do to get rid of Stalin and his armies and KGB agents. (And yes, the KGB *was* actively looking for my grandfather.)

Are you suggesting he should have stayed there and dealt with it?

Saying "it's their country to deal with" overlooks the very real fact that often, the only realistic choices are exile and martyrdom.
Re: [funsec] 1984 sales spike
On Tue, 11 Jun 2013 15:32:15 -0400, Conrad Constantine said:
> On 6/11/2013 3:25 PM, Rob, grandpa of Ryan, Trevor, Devon Hannah wrote:
>> In other news, the NSA now knows the names of everyone who bought 1984 in the past three months ...
>
> Is anyone else feeling the urge to go buy a copy of Catcher In The Rye.. y'know.. even though you already have 8 copies of it at home?

No, what you *want* to do is have a sudden noticeable spike in sales of something apparently innocuous, like a new edition of Hamlet or an annotated collection of the works of Lewis Carroll.
Re: [funsec] Risk analysis
On Sun, 12 May 2013 09:09:10 -0700, Steve Allison said:
> The military and law enforcement may end up having a horrifying dilemma. When they took the oath of enlistment (military and law enforcement), as I did, they swore to "support and defend the Constitution of the United States against all enemies, foreign and domestic; that I will bear true faith and allegiance to the same." But in the next breath, we had to say, "I will obey the orders of the President of the United States and the officers appointed above me." Could be a terrible dichotomy for our military.

What it *actually* says:

"and that I will obey the orders of the President of the United States and the orders of the officers appointed over me, according to regulations and the Uniform Code of Military Justice"

http://www.army.mil/values/oath.html

I do believe that the Uniform Code clearly states that you have both the right and the obligation to refuse an illegal order. So not much dichotomy there.
Re: [funsec] REVIEW: World War Hack, Ethan Bull/Tsubasa Yozora
On Fri, 03 May 2013 19:20:01 -0400, Jeffrey Walton said:
> I didn't know INTPs and INTJs read fiction outside of Bradbury, Tolkien, and other classics :)

Myers-Briggs is a total crock. Any model of personality types that doesn't allow for "psychopathic asshole" is flawed.
Re: [funsec] I'll believe corporations are people when they let them drive in the HOV lane ...
On Tue, 05 Feb 2013 08:42:46 -0600, Dan White said:
> I do not fear the tyranny of the majority. I believe when push comes to shove that people will make their own selfish decisions, for the betterment of themselves and their own families.

There is sufficient evidence in the last few election cycles of people voting directly contrary to their own self-interest that your belief is not at all a foregone conclusion.
Re: [funsec] While we're all trying to fix politics, economics, etc.
On Tue, 05 Feb 2013 12:49:44 -0500, Rich Kulawiec said:
> I have a question. Please to consider the following candidate password:
>
> S.3-t=2ga+Zilg59CEkp4
>
> I'm curious as to how y'all would classify that on a scale of weak-to-strong.

The answer is "it depends". It's a strong password if your threat model includes rainbow tables and dictionary attacks and brute force. It's an insanely weak password if your threat model includes keystroke loggers and people spotting the post-it note on the monitor.
Re: [funsec] While we're all trying to fix politics, economics, etc.
On Tue, 05 Feb 2013 13:44:25 -0500, Charlie Derr said:
> Aren't all passwords insanely weak for threat models that include keystroke loggers and spotting the post-it on the monitor?

Yes. So what's your point?
Re: [funsec] I'll believe corporations are people when they let them drive in the HOV lane ...
On Tue, 05 Feb 2013 18:26:55 +, Blanchard, Michael (InfoSec) said:
> If you use an old party label in any manner or function, you are immediately disqualified from candidacy

The problem is that the instant a candidate says "I'm standing with these 27 other congresscritters in support of proposals A, B, and C", you've re-invented the party platform. And there's no really good way to ban 28 congresscritters from banding together to get A, B, and C passed.
Re: [funsec] Portable SDK for UPnP Devices (libupnp) contains multiple buffer overflows in SSDP
On Tue, 29 Jan 2013 09:06:41 -0800, Paul Ferguson said:
> UPnP is a security nightmare. Period.

What, just because its *design purpose* was to allow a machine behind a firewall to send a "Pants Down!" command to the firewall? :)
Re: [funsec] Youth expelled from Montreal college after finding sloppy coding that compromised security of 250, 000 students personal data
On Tue, 22 Jan 2013 08:14:34 -0500, Rich Kulawiec said:
> about that story is that this statement from the company CEO (Edouard Taza):
>
> "We acted immediately to fix the problem, and were able to do so before anyone could use it to access private information."
>
> was not challenged by the article's author, since it is of course an obvious fabrication.

Yeah, I liked how they didn't know they had gotten probed till the kid *told* them, but were immediately able to verify that they didn't have any other unnoticed exploits of the hole. (Sure, you can easily grep for the scanning tool's footprint, but it takes a lot longer to verify there's no disguised attacks with a different footprint.)
Re: [funsec] Fwd: petition to remove Aaron Swartz prosecutor
On Tue, 15 Jan 2013 11:04:41 +, Michael Simpson said:
> Young men are the best patient group for successfully completing suicide and often the cause is multifactorial and difficult to elucidate. However I think that the upcoming court case has to be taken into account.

Exactly. I'm positive the court case didn't help - but that's a *long* way from "the prosecutor has blood on their hands".

> Would be useful to know if there had been a *very* recent history of Aaron's mood seeming to lift or if there was a change in his medication (if any)

The public may never find out that one.
Re: [funsec] Fwd: petition to remove Aaron Swartz prosecutor
On Mon, 14 Jan 2013 12:15:09 -0500, Jeffrey Walton said:
> From the Full Disclosure mailing list. Swartz recently committed suicide over the incident.

Do we have any confirmation that the suicide was directly caused by the legal issues? Like a suicide note that says so?

Re: [funsec] Fwd: petition to remove Aaron Swartz prosecutor
On Mon, 14 Jan 2013 15:34:32 -0500, Jeffrey Walton said:
> On Mon, Jan 14, 2013 at 3:26 PM, valdis.kletni...@vt.edu wrote:
>> On Mon, 14 Jan 2013 12:15:09 -0500, Jeffrey Walton said:
>>> From the Full Disclosure mailing list. Swartz recently committed suicide over the incident.
>> Do we have any confirmation that the suicide was directly caused by the legal issues? Like a suicide note that says so?
> His family made the statement: http://articles.latimes.com/2013/jan/12/local/la-me-0113-aaron-swartz-20130113.

Yes, that's what his *family* said. What did *Aaron* say? From the same article: "On his blog, Swartz had written of his history of depression." So it may have been one contributing cause, but it's not a slam dunk to conclude a direct causal relationship "court case therefore suicide". For all we know, he's been having those thoughts for *years*, and Friday was simply the day that he woke up and realized there was no way he could face Saturday.

Re: [funsec] B.C. judge certifies class-action suit for men denied gambling winnings
On Sat, 12 Jan 2013 11:29:22 -0800, Rob, grandpa of Ryan, Trevor, Devon & Hannah said:
> "And this week, B.C. Supreme Court Justice John Savage ruled there were sufficient grounds to certify a class-action for winners denied because they were in the self-exclusion program."
> I suppose there must be some legal reason why the suit was OKed, but it seems stupid. They agreed not to collect: they didn't collect.

Well, all certifying for class action means is that even if it *is* stupid, we may as well litigate it once for everybody and get it over with. There's probably more legal issues under the covers - for instance, whether there was any way to *leave* the program once you had signed up for it.

(cue Young Frankenstein clip) "No matter what I say, don't open the door..."

Re: [funsec] Why can't my laptop figure out what time zone I'm in, like my cell phone does?
On Thu, 06 Dec 2012 12:47:12 -0700, Rob Slade, doting Grandpa of Ryan, Trevor, Devon, and Hannah said:
> Computers can find out (or somebody can find out) where a specific computer is when they are on the net. (And you have to be on the net to get time updates.) Some Websites use this (sometimes startlingly accurate) information in a variety of amusing (and sometimes annoying or frightening) ways. So it is quite possible for a laptop to find out what time zone it is in, when it updates the time.

Well, sure - *if* you're willing to accept the fact that if geolocation gets it wrong, you just missed your meeting. And it's not perfect. Don't believe me? Wander over to the NANOG archives and search for all the postings where people have gotten screwed over because they're in New Jersey but somebody's geolocation thinks they are in France...

Re: [funsec] Twinkipocalypse averted
On Tue, 20 Nov 2012 16:03:51 +, Blanchard, Michael (InfoSec) said:
> Little Debbie is a perfect example… no unions, better management solutions…

You *do* realize that at many companies, the *threat* of unionizing is sufficient to make the companies play nice? Or are you one of those that think it would be Perfectly OK if we went back to the sort of abuses that caused unions to get powerful, and which we decry when we see them at non-union shops at Foxconn or Nike?

Re: [funsec] Sandy and BCP
On Tue, 06 Nov 2012 14:12:40 -0500, Jeffrey Walton said:
> Who is more dangerous to this country? The corrupt politicians who never face investigation or prosecution? Or the Muslims living in a cave pissed off about socio-economic injustice and biased foreign policy?

The corrupt politicians who never face investigation or prosecution because they scare us with the threat of the Muslims living in a cave. FTFY.

Re: [funsec] This is [phishing] news?!?
On Fri, 05 Oct 2012 15:35:56 -0400, Blanchard, Michael (InfoSec) said:
> Man, you just used the one term that makes my skin crawl: APT.

APT == "Anything our security team hasn't figured out how to stop."

Re: [funsec] City of Tulsa website not hacked after all
On Tue, 02 Oct 2012 09:51:03 -0500, Dan White said:
> "A third-party security firm that was hired to do periodic, unannounced tests of the city's networks for vulnerabilities used an unfamiliar testing procedure last month that city IT personnel misinterpreted as an unknown breach," according to a city statement.

tl;dr: The consultant ran nmap or nessus and the network fell over?

Re: [funsec] Automatic cyber-counter-attacks
On Wed, 12 Sep 2012 19:45:53 -0700, Kyle Creyts said:
> And what happens in cybersepsis?

Isn't that already the normal state of the Internet?

Re: [funsec] More bad news for risk management
On Sat, 18 Aug 2012 12:17:40 -0400, Jeffrey Walton said:
> On Fri, Aug 17, 2012 at 12:43 AM, Tomas L. Byrnes t...@byrneit.net wrote:
>> Ignoring risk is a perfectly valid way of managing it, if the return of putting the resources into the risky endeavor exceed the costs of putting them into managing the risk.
> I know it's common practice, but I respectfully disagree. It's been my experience that most problems can be solved correctly from an engineering standpoint.

Reading comprehension fail. Tomas's point is that yes, often there *is* an engineering solution. But if you invest $250K in an engineering solution for a problem that only risks $100K loss, you're being stupid. At that point, just making a note that you have a potential $100K liability and getting on with your life *is* the proper way to manage that risk. (Of course, if the engineering solution only costs $10K, then yes it should be pursued. But only when it costs less than just ignoring the risk).

[funsec] What's the Yiddish for 'D'Oh!'?
http://www.npr.org/blogs/thetwo-way/2012/08/14/158773637/leader-of-anti-semitic-party-in-hungary-discovers-hes-jewish?ft=1f=1001

[funsec] Obama was *WHAT*??!?
There's "a few screws loose" crazy, and there's "the lug nuts holding this guy's brain in place are in the next county" crazy...

http://www.addictinginfo.org/2012/08/06/pakistani/

[funsec] Sometimes, you gotta feel sorry for the poor TSA agent...
http://www.rawstory.com/rs/2012/07/16/tsa-frisks-man-with-worlds-largest-penis/

Re: [funsec] Citizen cyber-protectors?
On Thu, 19 Jul 2012 16:43:16 +0100, Drsolly said:
> What, even if loads of beetle-sellers told you how important it is?

I usually disregard any advice regarding how important *anything* is until I've also heard it from somebody who doesn't have a vested interest in my believing it's important.

Re: [funsec] Disney to sue the planet Mercury
On Fri, 15 Jun 2012 19:18:33 -0700, Robert Slade said:
> ... claiming any images of their flagship mouse are a violation of inter-multiverse copyright laws:
> http://messenger.jhuapl.edu/gallery/sciencePhotos/image.php?gallery_id=2image_id=876

And promptly gets countersued and has their ass handed to them because the craters are older than Mickey's image. Try calculating the damages with what the MPAA wants as damages. Times the number of frames of film Mickey has been in. Times the number of times those movies have been shown...

Re: [funsec] Really awful TV news report on virus (from 1988)
On Mon, 11 Jun 2012 14:09:06 -0700, Rob, grandpa of Ryan, Trevor, Devon & Hannah said:
> I believe the author was quite upset he messed things up like he did. Bob Jr's statement that he intended it to be more limited seems to ring true, but it was definitely supposed to be a worm.

He got an 'if' statement backward - instead of a 1 in 9 chance of it hitting a potential target, there was an 8 in 9 chance.

Re: [funsec] [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
On Tue, 05 Jun 2012 16:20:04 -0300, Marcio B. Jr. said:
> really matters, that is, an imminent *real* war against China:
> http://www.bbc.co.uk/news/world-us-canada-18305750

One could equally well read that as "We're fed up and about to pound North Korea even further back into the Stone Age." Also, a move of 10% of the navy over the next 8 years doesn't translate to "imminent".

Re: [funsec] Flame on!
On Wed, 30 May 2012 22:51:09 -0400, michael.blanch...@emc.com said:
> a-effin-men Rob! I went through the same screaming fit too. Even though it sounds clever until you dig in just a little bit... 20 freakin meg in size? I mean seriously. The only reason it hasn't been caught in 5 years (if that's even true) is because it's so freakin' huge LOL

All the AV products probably have a check: "If it's a binary over X bytes in size, it must be a legit binary from Microsoft or Adobe." Somebody probably just wrote a meg of code, then pasted in 19M of total dead-code crap from Microsoft Flight Simulator just to bulk it up over the limit.

> "Flame can gather data files, remotely change settings on computers, turn on computer microphones to record conversations, take screen shots and copy instant messaging chats." [So? We had RATs that could do that at least a decade ago.]

How big was Back Orifice, which did much of the same stuff *way* back when?

Re: [funsec] .secure TLD
On Fri, 11 May 2012 21:23:01 -0400, Ben April said:
> http://www.darkreading.com/authentication/167901072/security/security-management/24187/new-i-secure-i-internet-domain-on-tap.html
> If they really wanted to be secure they would require the implementation of RFC 3514

Read between the lines. The guy scored $9M in startup funding, and only has to pay ICANN $185K for the .secure TLD. And then he gets to collect *more* money from anybody silly enough to buy into the TLD. Step 3: Profit!

Re: [funsec] Seriously?
On Sat, 05 May 2012 15:18:39 -0400, Jeffrey Walton said:
> Seriously? The new threat of user-initiated drive by downloads?

NBC actually used "if you haven't seen it, it's new to you" as a slogan during reruns season a few years back.

Re: [funsec] OK, all you EU guys who took the CEH just wasted your money
On Fri, 30 Mar 2012 12:46:04 -0700, Vic Vandal said:
> Ethical (the E in CEH) hackers would only attack systems that belong to organizations that gave them written permission to do so. The new laws would be inapplicable to that scenario.

From the fine article's first paragraph: "Possessing or distributing hacking software and tools would also be an offence,"

Got a copy of Metasploit or Nessus on your laptop? Better not visit the EU with that laptop in your possession. And what will pen-testers use to run pen-tests, if they can't have hacking software and tools?

I don't know the exact wording proposed - "possession or distribution with intent to commit a crime" would be a heck of a lot easier to deal with. The devil is in the details. Consider that almost every car has a tire iron - and they're not weapons until you try to use them on something other than your own car's tires.

Re: [funsec] OK, all you EU guys who took the CEH just wasted your money
On Fri, 30 Mar 2012 18:05:44 -0700, Vic Vandal said:
> It's not illegal to possess a tire iron (as mentioned in the email below), but that makes a decent segue to a similar point. It is a crime in the state where I live to have lockpicking tools in your possession - if you're illegally breaking and entering with them. But if you're a locksmith and you're not illegally breaking and entering, you can carry those tools every day and never be worried about being found guilty of a crime. The important grey area is if you're not a locksmith, merely a hobbyist, and have lockpicks on you.

Where I live, the law says:

Code of Virginia - Section 18.2-94 - Possession of burglarious tools, etc.
"If any person have in his possession any tools, implements or outfit, with intent to commit burglary, robbery or larceny, upon conviction thereof he shall be guilty of a Class 5 felony. The possession of such burglarious tools, implements or outfit by any person other than a licensed dealer, shall be prima facie evidence of an intent to commit burglary, robbery or larceny."

As far as I can tell, Mississippi and Nevada are the other states where mere possession is evidence of intent. In the other 47 states, the DA has to do some actual work to prove intent.

http://www.lockpickguide.com/legalityoflockpicks.html

Re: [funsec] OK, all you EU guys who took the CEH just wasted your money ...
On Thu, 29 Mar 2012 17:06:21 -0700, Rob, grandpa of Ryan, Trevor, Devon & Hannah said:
> http://www.europarl.europa.eu/news/nl/pressroom/content/20120326IPR41843/html/Hacking-IT-systems-to-become-a-criminal-offence

So.. what's the difference between "attack tools" and a good pentester's toolkit?

Re: [funsec] US spent USD 25 [million] on internet freedom in Middle East in 2012
On Fri, 16 Mar 2012 20:16:20 PDT, Paul Ferguson said:
> Oh, irony of ironies...

Fortunately, the tools are available to US citizens too. :)

Re: [funsec] NSA Creates Android based Super Secure Smartphone
On Sat, 03 Mar 2012 22:04:07 EST, Jeffrey Walton said:
> Will there be an NSA sponsored Market so folks can get hardened apps? Anything that adds finer grain permissions for applications is a

NSA already gave us SELinux.

Re: [funsec] [Full-disclosure] Trustwave and Mozilla
On Wed, 15 Feb 2012 18:13:25 +0900, peter evans said:
> Does anyone know the LD50 for coffee in humans? ^^?

From the Wikipedia page:

"The LD50 of caffeine in humans is dependent on individual sensitivity, but is estimated to be about 150 to 200 milligrams per kilogram of body mass or roughly 80 to 100 cups of coffee for an average adult.[3] Though achieving lethal dose with caffeine would be exceptionally difficult with regular coffee, there have been reported deaths from overdosing on caffeine pills, with serious symptoms of overdose requiring hospitalization occurring from as little as 2 grams of caffeine."

In other words, your friends are gonna scrape you off the ceiling and take you to the ER to have your jitters treated *long* before you actually manage to off yourself that way. ;)

Re: [funsec] [Full-disclosure] Trustwave and Mozilla
On Sun, 12 Feb 2012 05:54:30 EST, Jeffrey Walton said:
> For what it's worth, pinning the certificate can usually remediate these sorts of MitM attacks, but Mozilla subverted it: http://ssl.entrust.net/blog/?p=615.

Maybe I'm not sufficiently caffeinated, but that link doesn't seem to mention Mozilla at all, much less anything they did to subvert pinning. (Note that I don't consider "doesn't happen to support the feature yet" as subversion - that requires an active decision to take some action that undermines the feature)

Re: [funsec] WTF? Cyber bill to put US in charge of global cyber security
On Wed, 08 Feb 2012 20:55:18 PST, Paul Ferguson said:
> Chris Sonderby, Facebook's Associate General Counsel who oversees the company's global law enforcement relations, believes it's in the interest of private companies to partner with law enforcement agencies to protect customers as much as themselves. "People demand a level of security," said Sonderby, whose company holds data on over 800 million active users. "Those companies that don't protect information are those that people are going to be uncomfortable sharing with or they're not going to use. There are powerful market incentives to make sure that companies you entrust information to have taken adequate steps to protect that data."

A Facebook representative said all that with a straight face? Really? A *FACEBOOK* rep? :)

Re: [funsec] [Full-disclosure] can you answer this?
On Fri, 03 Feb 2012 02:58:52 CST, Fatherlaptop said:
> ... Why? How is this IP asking for DHCP to another not in my trust IP scheme?

Simple - it probably came in from elsewhere, and it's asking an IP from an address that it thought *was* in *its* trust scheme.

Re: [funsec] BitDefender, you've created a monster! (story ...)
On Mon, 30 Jan 2012 10:34:57 EST, michael.blanch...@emc.com said:
> s dribble and by far nothing at all new. But when I'm talking to folks that claim to be malware experts, or IT security experts, and they start stating stuff like "yah, malware's getting so bad these days that viruses are infecting malware! Imagine that?!" My stock reply to this sort of junk: As far as 'new' goes, it's relative. Is it still 'new' if it was first seen before you were even toilet trained?

If it keeps up, we're going to be seeing "new" stuff that was around before their *parents* were toilet trained.

A co-worker of mine has a rubber stamp that says "I first told you about this in 19__." He's *still* getting use out of it.

Re: [funsec] Teaching reporters infosec ...
On Mon, 30 Jan 2012 10:51:19 EST, michael.blanch...@emc.com said:
> I just type everything in using on the fly, in my head blowfish encryption to fool the keyloggers

Cryptonomicon time.

Re: [funsec] Confusion Flaw?
On Tue, 24 Jan 2012 18:04:13 EST, Jeffrey Walton said:
> From USN-1263-2 (http://www.ubuntu.com/usn/usn-1263-2/):
> "It was discovered that a type confusion flaw existed in the in the Internet Inter-Orb Protocol (IIOP) deserialization code. A remote attacker could use this to cause an untrusted application or applet to execute arbitrary code by deserializing malicious input. (CVE-2011-3521)"
> I give - what is a confusion flaw?

'type confusion' - where a programmer forgot what type a variable had. Was that a signed int or an unsigned int? 32-bit or 64-bit? A pointer to a string, or a pointer to a struct?

Re: [funsec] Consumer group accuses Hollywood of 'threatening politicians'
On Mon, 23 Jan 2012 10:43:59 EST, michael.blanch...@emc.com said:
>> Is there anyone who would claim a PAC contribution is not a bride (other than Congress and lobbyists)?
> Yes, a PAC contribution is certainly NOT a bride...

Yes it is. Take a look at the ugly divorces that happen when a politician wants to leave his PAC. ;)

Re: [funsec] Did the borg start this way?
On Tue, 17 Jan 2012 16:24:27 EST, Patrick Laverty said:
> I know Kung Fu.

Show me.

At which point we'll need even better anti-virus software for memes, because otherwise you just can't win The Game.

Re: [funsec] Stratfor is Online
On Mon, 16 Jan 2012 12:10:52 EST, Jeffrey Walton said:
> cards) should thank Stratfor for their failure, since the costs will be passed on to stock holders; and higher credit card rates will be used to offset loss due to this sort of incompetence.

You have that only half right. Higher rates will be used to offset the losses, but the costs are rarely passed on to stock holders.

Re: [funsec] Issa Announces Oversight Hearing
On Mon, 09 Jan 2012 21:08:26 PST, Rob, grandpa of Ryan, Trevor, Devon & Hannah said:
> http://j.mp/A9G3fG
> (U.S. House) House Committee on Oversight and Government Reform Chairman Darrell Issa (R-CA) today announced that the Full Committee will hold a hearing on January 18 to examine the potential impact of Domain Name Service (DNS) and search engine blocking on American cyber-security, jobs and the Internet community.

Maybe he should have held the frikking hearings *before* he introduced the legislation?

Re: [funsec] Copper thieves get dumber?
On Fri, 06 Jan 2012 11:51:50 PST, Rob, grandpa of Ryan, Trevor, Devon & Hannah said:
> http://www.nsnews.com/news/Vandals+Internet+thousands/5955855/story.html

A while ago, I saw a picture of the new cable cladding being used by one European telco, that says in like 7 or 8 languages "fiber cable - no copper inside - don't bother stealing".

Re: [funsec] Who's Who phish
On Wed, 04 Jan 2012 11:42:32 PST, Rob, grandpa of Ryan, Trevor, Devon & Hannah said:
> "Hello Candidate," it starts, and goes on to tell me that "As the school year opens,"

*facepalm*.

Re: [funsec] Happy Merry.
On Thu, 15 Dec 2011 19:32:28 GMT, Drsolly said:
> So, never mind. Merry Christmas. Whether you like it or not. (If not, you can have a Happy New Year anyway :-)

You insensitive clod, for some of us the New Year starts on the First of Nissan.

Corporate sponsorship has obviously gone *way* too far.

Re: [funsec] REVIEW: Good Night Old Man, George Campbell
On Wed, 14 Dec 2011 07:02:46 EST, Marc said:
> air! You can get most anywhere around the world on 5 watts RF with CW while voice requires many times that.

Great. You can tune into 154.342 and talk to somebody in Zanzibar on 5 watts. Let's think about that for a moment - it *also* means that between here and Zanzibar, *nobody else* is trying to talk on 154.342. In other words, the set of people trying to talk on Morse is roughly comparable in size to the set of people who still make buggy whips.

If you ask around, you can find somebody to teach you how to knap flint into an arrowhead too. Doesn't mean it's not pretty much a dead technology.

[funsec] Israeli hacker tries to rob bank...
Gadi, do you know this guy? ;)

https://www.youtube.com/watch?v=RJVHTQSvUIo

Re: [funsec] If only this were just a Friday joke ...
On Sat, 03 Dec 2011 12:03:59 EST, Jeffrey Walton said:
> I believe that's called extortion. From the article, it sounds like business as usual with Buma/Stemra. Is there no oversight in the Netherlands?

I don't believe there's any realistic oversight of copyright extortion schemes anywhere in the world. Consider SOPA.

Re: [funsec] Siri's been cracked!
On Mon, 14 Nov 2011 20:15:18 PST, Rob, grandpa of Ryan, Trevor, Devon & Hannah said:
> it has been able to figure out. (A fair volume of information itself.) (Also, think about that: Apple has the full audio of every request you make of Siri. And anything it can parse out of the audio.)

There's a new and horrid copyright bill in the pipes, that would make it illegal to rebroadcast incidental music. So who gets nailed for the liability if you use Siri in a bar that's got some Skynyrd playing on the jukebox?

Re: [funsec] There are some things man was not meant to meddle with ...
On Tue, 01 Nov 2011 09:37:40 +0200, Gadi Evron said:
> But as they can choose WHEN to enter our universe,

A dubious proposition at best - they're pretty much restricted to entering the space-time cone of the lab *after* the experiment. If they can go back in time, that creates all the usual time-travel paradoxes.

Re: [funsec] There are some things man was not meant to meddle with ...
On Tue, 01 Nov 2011 17:49:19 +0200, Gadi Evron said:
> Not necessarily, this is uncharted territory. Their Universe may answer to different laws of physics, and be independent of our own.

But their entry point has to obey the laws of physics in *this* universe.

Re: [funsec] There are some things man was not meant to meddle with ...
On Mon, 31 Oct 2011 12:30:35 PDT, Rob, grandpa of Ryan, Trevor, Devon & Hannah said:
> OK, ten bucks says they tear the fabric of the universe apart, and then can't figure out how to stitch it together again. (You ever notice that these "biggest in the world" things never seem to have a woman on staff?)
> "It will cause the mysterious particles of matter and antimatter thought to make up a vacuum to be pulled apart, allowing scientists to detect the tiny electrical charges they produce."

*yawn*. Pair production. Hawking radiation in the lab. ;) The only really big question is whether pair production from vacuum energy is qualitatively different from pair production from an energy source like a gamma ray.

I'm not concerned - they say this is 200 times bigger than any current laser system. Meanwhile, we're bombarded every day with cosmic rays that are several *billion* times more powerful than the interactions at the LHC and after 4.5 billion years the planet is still here.

> Five bucks says they create a new universe, and the inhabitants of said universe, running at billions of times our time frame, evolve quickly into a race of super-intelligent beings, and, depressed by the futility of existence, come and destroy us in retaliation for having created them.

"For thousands more years the mighty ships tore across the empty wastes of space and finally dived screaming on to the first planet they came across---which happened to be Earth---where due to a terrible miscalculation of scale the entire battle fleet was accidentally swallowed by a small dog."

Even if they detonate their entire universe into a matter-antimatter explosion, they've only got a fraction of a milligram of mass in our universe to play with (tops). And even a small Hiroshima-sized bomb converts about 1 gram to energy (do the math - 1 gram gets you about a 21.5kt explosion). So blowing up a milligram of mass will be about the same as 200 pounds of TNT. Will screw up the lab, but probably not us - we've spent a decade doing that much exploding every minute in Iraq and Afghanistan and there's still people there.

Re: [funsec] 15 Mind-Blowing Facts About Wealth And Inequality In America
On Sun, 16 Oct 2011 23:49:58 EDT, Jeffrey Walton said: The underlying problem is the politicians. The problem is not democrats, republicans, conservatives, liberals, rich, or poor. Only a small fraction of the 1% was responsible for the additional burdens the 99% must bear. The problem is the politicians, their addictive greed, their lack of accountability, their utter disregard for the country, and their contempt for the citizens. Tell you what - call it the politicians *and* the filthy rich who bribed them to support their money-making schemes and I'm all in. ;) (Remember - a bribe has two ends, and usually both ends are morally culpable)
Re: [funsec] Sony was a victim as well: Australian privacy watchdog
On Fri, 30 Sep 2011 20:06:28 EDT, Jeffrey Walton said: http://www.theregister.co.uk/2011/09/30/sony_cleared_by_privacy_commissioner/ According to Pilgrim's investigation, the PSN and Qriocity breaches did not breach National Privacy Principles. This is exactly the sort of topsy-turvy logic you'd expect from someplace where everybody stands upside down all day...
Re: [funsec] One touch search and seizure
On Wed, 28 Sep 2011 13:09:09 PDT, Rob, grandpa of Ryan, Trevor, Devon Hannah said: Interesting. Touch `Any' key, or move the mouse, and you can invalidate the evidence from a search. http://volokh.com/2011/09/27/taking-a-computer-out-of-screensaver-mode-to-see-suspects-facebook-wall-as-a-fourth-amendment-search/ It's important to note the logic here - it's (approximately) the same difference as the diary was sitting on the table and open to a page that had incriminating text in big readable letters versus the officer picked up the diary and opened it, and hinged on the in plain view requirement. Cops also aren't allowed to go poking around in drawers and then claim the contents were in plain view after they open the drawer either...
Re: [funsec] That's cheating!
On Mon, 26 Sep 2011 12:19:31 PDT, Rob, grandpa of Ryan, Trevor, Devon Hannah said: Somebody is using virtual monkeys to recreate Shakespeare. The virtual monkeys aren't the cheating part. The fact that they are doing it only nine characters at a time, *that's* cheating! As somebody pointed out on BoingBoing, if they had just had 26 monkeys that did one key each, they could have done it a lot faster. Or two monkeys and wait for a zero and a one...
Re: [funsec] APT Summit
On Fri, 16 Sep 2011 14:49:44 EDT, michael.blanch...@emc.com said: I LOL'd at the newly found #1 threat when I first read that PDF a few days ago social engineering is now the #1 threat When was the first Your PC is broadcasting an IP address pop-up?
Re: [funsec] Gender? (Y/N)
On Thu, 15 Sep 2011 09:23:15 PDT, Robert Slade said: Getting harder to determine these days, so is gender no longer of any use for authentication? It's still just as good as any *other* biometric data on the passport. I may gain/lose a drastic amount of weight, change hair color/style, or get plastic surgery to alter my facial appearance. And I'm more likely to do any of those things than I am to change which team I play for. But I don't see any big rush to remove photos from driver's licenses.
Re: [funsec] Apple's faith-based security taking a hammering
On Wed, 14 Sep 2011 10:40:22 EDT, Joel Esler said: My thought behind the whole thing is that iTunes accounts are getting hacked by brute force of the password. There are indications that at least some are being done via phishing, and there have been complaints about the fact that iTunes passwords get cached - which means that if you enter the iTunes password for one purpose and then your kid is playing with the device, the app can zing you for a second transaction without the kid having to enter the password again.
Re: [funsec] Apple's faith-based security taking a hammering
On Tue, 13 Sep 2011 18:52:44 EDT, Joel Esler said: Oh, I'm a fanboy. Anyone knows that. I'm also a believer in the factor that most humans are stupid and set their passwords to password. Am I the only one surprised that unintentional mis-spellings of password aren't higher up the most frequently used password lists?
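The "password and its misspellings" point in the thread above suggests a concrete check, added here as an example and not code from the original post or from Apple: a fuzzy blocklist audit that normalizes common leet substitutions and trailing digits, then flags anything within a small edit distance of "password". The sample password list, the leet map and the distance threshold are constructed assumptions, not data from any real dump.

```python
"""Fuzzy audit of a password list for 'password' and its near-misses.

Added example, not part of the original funsec post. The sample list,
the leet substitution table and the distance threshold are assumptions
constructed for illustration.
"""
from __future__ import annotations

TARGET = "password"

# Constructed sample: a small slice of what a breached-credential dump might look like.
SAMPLE_PASSWORDS = [
    "password", "Password1", "passwrod", "pasword", "p@ssw0rd",
    "passw0rd", "123456", "qwerty", "letmein", "pa55word",
    "correcthorsebatterystaple", "passwordd", "passowrd", "drowssap",
]

# Assumed leet substitutions: each symbol maps back to the letter it usually stands in for.
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "0": "o", "$": "s", "5": "s",
    "1": "i", "!": "i", "3": "e",
})


def levenshtein(a: str, b: str) -> int:
    """Classic dynamic-programming edit distance (insert/delete/substitute cost 1)."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def normalize(pw: str) -> str:
    """Lowercase, drop the trailing digit/punctuation suffix people bolt on to
    satisfy complexity rules, then undo leet substitutions.

    The suffix is stripped before translating so that 'Password1' does not
    turn into 'passwordi'.
    """
    stripped = pw.lower().rstrip("0123456789!.?")
    return stripped.translate(LEET_MAP)


def audit(passwords: list[str], max_distance: int = 2) -> dict[str, int]:
    """Return {original_password: edit_distance} for every entry whose
    normalized form is within max_distance of TARGET.

    Distance 0 catches exact and leet/suffix variants, 1 catches a single
    dropped or doubled letter, 2 catches a transposition such as 'passwrod'.
    """
    flagged: dict[str, int] = {}
    for pw in passwords:
        d = levenshtein(normalize(pw), TARGET)
        if d <= max_distance:
            flagged[pw] = d
    return flagged


if __name__ == "__main__":
    for pw, d in sorted(audit(SAMPLE_PASSWORDS).items(), key=lambda kv: kv[1]):
        print(f"{pw!r:14} -> {normalize(pw)!r:12} distance {d}")
```

Run as a script it lists every flagged entry with its normalized form and distance; the genuinely unrelated entries (digits only, "qwerty", the reversed "drowssap") fall outside the threshold and are not reported. The same `audit` function works as a pre-check on a password-change endpoint: reject anything it flags before hashing.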
Re: [funsec] Sony Just Hired a Chief Information Security Officer (CISO)
On Thu, 08 Sep 2011 01:40:23 EDT, Jeffrey Walton said: Philip Reitinger, former director of the United States National Cyber-Security Center, a division of the Department of Homeland Security, will be joining Sony as a chief information security officer, Sony said Sept. 6. Horses and barn doors... Security experts and industry watchers criticized Sony for not having had a CISO prior to the breaches. How can a worldwide company with billions in revenue and an even larger market cap not have a CISO? It boggles the mind, Phil Blank, an analyst in the security, risk and fraud practice area at Javelin Strategy Research, wrote on the market research firm's blog in May. If you spend more on coffee than you spend on IT security, then you will be hacked. What's more, you deserve to be hacked. -- Richard Clarke Anybody want to guess what Sony's coffee/itsec ratio was?
Re: [funsec] Fight! Fight!
On Fri, 19 Aug 2011 12:20:39 PDT, Rob, grandpa of Ryan, Trevor, Devon Hannah said: http://blogs.mcafee.com/mcafee-labs/shady-rat-is-not-a-botnet Well.. she says: Speaking of technical arguments, apparently Mr. Kaspersky has gotten it in his head that Shady RAT is a botnet. And then continues with: that we only know of 72 companies/organizations victimized through one command control server, out of hundreds or more used by this adversary. OK, I'll bite, if it was a CC server, *what do we call the thing being controlled* if it wasn't a botnet?
Re: [funsec] Bitcoin vs spam?
On Wed, 17 Aug 2011 16:50:39 PDT, Rob, grandpa of Ryan, Trevor, Devon Hannah said: I wonder if some botherders, possibly not as good at math, converted some of their networks? Who said anything about it being an either-or situation? If you got a botnet client on a machine that has a graphics card that supports CUDA, you can be doing a lot of Bitcoin mining during all those pesky 50-60ms RTTs you keep hitting on the network when trying to deliver spam. And even if you don't have CUDA, you should still be able to do a lot of computations if you don't care if the machine's owner wonders why the fan is on a lot. Probably want to avoid Bitcoin mining if the machine is running on battery power, that's kinda self-limiting. 15 years ago, I was managing to do well over 1M RCPT TO's a day on an IBM RS6K-220, which had a whole whopping 66MHz PowerPC chip in it. And even with only 66MHz pushing it, the big constraints were network latencies and timeouts and disk performance (do you know how many times Sendmail will end up invoking fsync() if you hit a timeout trying to reach a host? Lots.)
Re: [funsec] MBR Rootkit
On Sat, 13 Aug 2011 13:08:59 MDT, Daniel Otis said: Does anyone have a sample of the latest MBR Rootkit? I need one to experiment on, thanks! *the* latest? Try 'git clone git://github.org/mbr' or similar? ;) (And here I thought there were multiple *families* of MBR rootkits out there, each with multiple instances? Are you looking for a *specific* one, and are criteria like new variants from under 24 hours ago meaningful for your experimentation? There's a few bazillion variants of malware out there, the more specific you can be the better.)
Re: [funsec] Pwnie Award Winners Announced Today
On Mon, 08 Aug 2011 19:57:11 EDT, Jeffrey Walton said: http://pwnies.com/ Dude, that was *so* last week. Literally. Click the link you provided, and: Latest posts Pwnie Award winners for 2011 Aug 3, 2010 The winners of Pwnie Awards 2011 were announced today at a ceremony in Las Vegas. The full list of nominees is available as well.