It is important to note that CALEA only applies to telecommunications
services and explicitly exempts information services. Furthermore, there is
this exception:
(3) ENCRYPTION- A telecommunications carrier shall not be responsible
for decrypting, or ensuring the government's
Concerning the credibility of recent cryptome posts, I did some research on
the NSA IP address list they have been updating and found out some really
interesting stuff. Here's my post on what I found:
The NSA controls most of the Internet, or at least that's what they want you
to think
the same thing about a VM.
Mark
-Original Message-
From: Tim Newsham [mailto:[EMAIL PROTECTED]
Sent: Saturday, August 25, 2007 1:05 PM
To: M. Burnett
Cc: 'Arthur Corliss'; 'Jonathan Yu'; bugtraq@securityfocus.com
Subject: Re: More on VMWare poor guest isolation design
2
I hate writing such a long post here, but I think it's important that I
clarify some points:
1. Of course this issue won't affect everyone, especially if you are
using vmware mainly for hosting server roles and especially if you do not
run the client utilities, but even if it affects 10% of
://xato.net
-Original Message-
From: Arthur Corliss [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 23, 2007 10:49 AM
To: M. Burnett
Cc: bugtraq@securityfocus.com
Subject: Re: VMWare poor guest isolation design
On Wed, 22 Aug 2007, M. Burnett wrote:
I have run across a design
I have run across a design issue in VMware's scripting automation API that
diminishes VM guest/host isolation in such a manner to facilitate privilege
escalation, spreading of malware, and compromise of guest operating systems.
VMware's scripting API allows a malicious script on the host machine
This is such a widespread problem with so many applications that I always
prefer using STunnel (stunnel.org) rather than an application's built-in SSL
features. Many apps do not properly restrict--despite my many
complaints--the use of insecure ciphers and SSL/TLS versions, they use
self-signed
3APA3A, I just wanted to say that is very clever research you have done.
It's true that this does require some re-thinking of security practices, but
I don't think it's accurate to say it's impossible to secure a private
folder in a public one--I believe there is a way to do it securely.
There
But we'll have to agree to disagree. Your security scenarios are just
bizarre. It's a lot easier to hack people than going through all the
iterations you suggest.
Roger, don't be so hard on 3APA3A for this. You can't judge a vulnerability
based on current scenarios because we really can't
One problem with using UseFastPathReject, as Microsoft recommends, is
that it too can be used to identify URLScan. UseFastPathReject just
sends back a generic 404 message. However, if a site normally uses a
custom 404 message, but rejects attacks with a generic message, it
will be pretty easy
Recently I advised Microsoft of a vulnerability in Internet Explorer
that would cause the browser to browse to one web site but display a
completely different URL in the address bar. Due to inconsistent
handling of authentication credentials in a URL, IE will parse the
URL one way when browsing