Re: [Full-disclosure] Vulnerability in Zombie Processes

2012-06-12 Thread Charles Morris
you have too much time on your hands, but this is hilarious stuff =) It's true though, most people don't even know what a zombie process is :( On Tue, Jun 12, 2012 at 11:34 AM, Григорий Братислава musntl...@gmail.com wrote: Hello is Full Disclosure!! !! !! Is like to warn you about is Zombie

Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-06 Thread Charles Morris
I know for a fact HBGary was working with the NSA in regards to stuxnet. I've never been all that good at spelling... but am I wrong that HBGary is an anagram for posturing charlatan ? Alternatively: if this is true then we are even worse off than I thought.

Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-06 Thread Charles Morris
On Wed, Jun 6, 2012 at 12:13 PM, Laurelai laure...@oneechan.org wrote: On 6/6/12 11:50 AM, Charles Morris wrote: I know for a fact HBGary was working with the NSA in regards to stuxnet. I've never been all that good at spelling... but am I wrong that HBGary is an anagram for posturing

Re: [Full-disclosure] things you can do with downloads

2012-05-31 Thread Charles Morris
Let's just ditch browsers already. =) On Wed, May 30, 2012 at 4:35 PM, Michal Zalewski lcam...@coredump.cx wrote: Another moderately interesting tidbit, I guess... ___ Full-Disclosure - We believe in it. Charter:

Re: [Full-disclosure] FW: Curso online - Profesional pentesting - Promocion ( 25% de descuento )

2012-05-19 Thread Charles Morris
I request your permission to test any and all of your facilities in any way I deem appropriate including (but not limited to) your personal machines, the machines of your coworkers and family, and any other device I deem within scope of my testing. Further, I request you to grant full,

Re: [Full-disclosure] Vulnerability in is Dopewars

2012-05-17 Thread Charles Morris
You should have gone to a CERT with this, shouldn't vendor coordination be of urgency here? On Thu, May 17, 2012 at 12:35 PM, Григорий Братислава musntl...@gmail.com wrote: Hello Full-Disclosure!! !! !! Is like to warn you about is vulnerability in Dopewars. I'm is discover vulnerability

Re: [Full-disclosure] We're now paying up to $20,000 for web vulns in our services

2012-04-24 Thread Charles Morris
On Tue, Apr 24, 2012 at 11:13 AM, Michal Zalewski lcam...@coredump.cx wrote: IMHO, anyone who willingly, knowingly places customer data at risk by inviting attacks on their production systems is playing a very dangerous game. There is no guarantee that a vuln discovered by a truly honest

Re: [Full-disclosure] Hacking AutoUpdate by Injecting Fake Updates

2012-04-04 Thread Charles Morris
Welcome to 2002 On Tue, Apr 3, 2012 at 10:01 AM, Adam Behnke a...@infosecinstitute.com wrote: We all know that hackers are constantly trying to steal private information by getting into the victim's system, either by exploiting the software installed in the system or by some other means. By

Re: [Full-disclosure] when did piracy/theft become expression of freedom

2012-01-29 Thread Charles Morris
Dear Valdis and whoever else; The really ridiculous points are the following: A) Every time you execute/install/download a program you are committing evil data theft by not only copying secret or illegal information into RAM/Disk/Registers/Buffers/Busses/photons coming off the screen/human

[Full-disclosure] OT: Firefox question / poll

2011-12-20 Thread Charles Morris
I'm curious what everyone's opinion is on the following question... esp. to any FF dev people on list: Do you think that the Firefox warning: unresponsive script is meant as a security feature or a usability feature?

Re: [Full-disclosure] Google open redirect

2011-12-12 Thread Charles Morris
Just quickly I digress; this is a massive problem in the mindset of many. They won't ever learn about something if they aren't ever made aware of it. Say, by fixing the problem... I have seen the most users don't understand X anyway as an argument against fixing X in the browser several

Re: [Full-disclosure] Minimum Syslog Level Needed for Court Trial

2011-12-09 Thread Charles Morris
Okay.. I'd be happy to help you, but could you rephrase the question? So, whos going to offer REAL DAMN ONLINE SEC HELP HERE , SIMPLE On Fri, Dec 9, 2011 at 5:27 AM, xD 0x41 sec...@gmail.com wrote: Oh wow anothwer fucking genius! Upir actually know him, why arent you a nice guy who

Re: [Full-disclosure] Google open redirect

2011-12-08 Thread Charles Morris
Michal/Google, IMHO, 500$ is an incredibly minute amount to give even for an error message information disclosure/an open redirect, researchers with bills can't make a living like that.. although it might? be okay for students. How many Google vulnerabilities per month are there expected to be?

Re: [Full-disclosure] Google open redirect

2011-12-08 Thread Charles Morris
Don't be strange, was I not specific enough? I think people should be encouraged to do the work, if they are good enough to find something that nobody else has noticed yet- and all of these cash for bugs programs have me a bit annoyed. Not offering the money for issues that they claim to offer

Re: [Full-disclosure] Google open redirect

2011-12-08 Thread Charles Morris
pretty much nearly almost implying and implying are very different things. On Thu, Dec 8, 2011 at 10:05 AM, Benji m...@b3nji.com wrote: IMHO, 500$ is an incredibly minute amount to give even for an error message information disclosure/an open redirect, researchers with bills can't make a living

Re: [Full-disclosure] Google open redirect

2011-12-08 Thread Charles Morris
that already are willing to gain no money for their work in disclosing vulns. Again, this is just my point of view. 2011/12/8 Charles Morris cmor...@cs.odu.edu Granted, but I know that vulnerability research can take a huge chunk of time out of a person's life, and without getting in to monetary

Re: [Full-disclosure] one of my servers has been compromized

2011-12-06 Thread Charles Morris
Sorry paul, Gage is right here! Instead of silly maybe more like correct :( On Tue, Dec 6, 2011 at 2:42 PM, Paul Schmehl pschmehl_li...@tx.rr.com wrote: Don't be silly.  You can run static binaries off a thumb drive without taking the system down.  And that includes md5sum.  You can put

Re: [Full-disclosure] one of my servers has been compromized

2011-12-06 Thread Charles Morris
+1. Except instead of MD5 you want to use something that isn't garbage. On Tue, Dec 6, 2011 at 1:18 PM, Paul Schmehl pschmehl_li...@tx.rr.com wrote: A poor man's root kit detector is to take md5sums of critical system binaries (you'd have to redo these after patching), and keep the list on an

Re: [Full-disclosure] Large password list

2011-12-02 Thread Charles Morris
This is extremely depressing. On Fri, Dec 2, 2011 at 2:14 PM, Jeffrey Walton noloa...@gmail.com wrote: On Thu, Dec 1, 2011 at 10:59 PM, Sanguinarious Rose sanguiner...@occultusterra.com wrote: I am at a lack of words for this, why pay $4.99 when you can just do some simple googling? You can

Re: [Full-disclosure] Large password list

2011-12-02 Thread Charles Morris
Valdis, (For real fun, consider that published and unpublished works are treated differently. And a password list almost always becomes a published work without the permission of the author(s) ;) Talking of currently implemented systems... One could argue that the author of lists

Re: [Full-disclosure] Large password list

2011-12-02 Thread Charles Morris
that the entire idea behind hashes is for them to be uniqueyeah. On Dec 2, 2011 11:17 AM, Charles Morris cmor...@cs.odu.edu wrote: This is extremely depressing. On Fri, Dec 2, 2011 at 2:14 PM, Jeffrey Walton noloa...@gmail.com wrote: On Thu, Dec 1, 2011 at 10:59 PM, Sanguinarious Rose

Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default

2011-11-18 Thread Charles Morris
nice try though On Fri, Nov 18, 2011 at 9:10 AM, Dan Kaminsky d...@doxpara.com wrote: On Fri, Nov 18, 2011 at 5:01 AM, valdis.kletni...@vt.edu wrote: On Thu, 17 Nov 2011 15:53:41 CST, C de-Avillez said: There is no guest account on an Ubuntu server, so at least there this is not a

Re: [Full-disclosure] Facebook Attach EXE Vulnerability

2011-10-31 Thread Charles Morris
Nathan, It IS an issue, don't let their foolishness harsh your mellow. Although it's a completely ridiculous, backwards, and standards-relaxing security mechanism, the fact is they implemented it, and you subverted it. In my book that's Pentester 1 :: Fail Vendor 0 I've had large vendors

Re: [Full-disclosure] What are some of the top ...

2011-06-03 Thread Charles Morris
1) Fix CVSS from disastrously broken to slightly broken or better 2) eliteness = #CVE* avg CVSS /sec + coolpoints 3) eliteness *= (taking credit for other people's vulns and known issues) ? 0 : 1 On Fri, Jun 3, 2011 at 6:28 AM, Georgi Guninski gunin...@guninski.com wrote: On Thu, Jun 02, 2011 at

Re: [Full-disclosure] Python ssl handling could be better...

2011-03-07 Thread Charles Morris
On Fri, Mar 4, 2011 at 11:14 AM, bk cho...@gmail.com wrote: On Mar 4, 2011, at 7:53 AM, Michael Krymson wrote: The problem with this discussion is simply one of definition of security. For some, security is entirely black and white. I can't speak for others, but I don't see anything as

Re: [Full-disclosure] Python ssl handling could be better...

2011-03-07 Thread Charles Morris
Ok great, but by comparing MitM with sniffing, we're already assuming the attacker has access to the traffic.  Think about it.  There aren't any networks in common use today which in their physical implementation make alteration of packets harder than observation of packets.  This is why the

Re: [Full-disclosure] Python ssl handling could be better...

2011-03-02 Thread Charles Morris
- ENCRYPTION IS POINTLESS WITHOUT AUTHENTICATION BTW there really isn't a security difference between encrypted-but-unauthenticated traffic and just plain unencrypted traffic.   The only attacker you're defeating is a casual observer, Fail. I hear the blackhats cackle as you switch to

Re: [Full-disclosure] Python ssl handling could be better...

2011-03-02 Thread Charles Morris
the same.  Another way to look at it is O(MitM) = O(sniff).  There may be some implementation details that make MitM harder, but it's within a constant factor. To illustrate this point, we merely need to search the web for MitM tools.  At the network layer, we could achieve this in one of

Re: [Full-disclosure] Python ssl handling could be better...

2011-03-02 Thread Charles Morris
It's hard to do if you're starting from zero and have to write your own tools.  It's not hard to do when you can just download something off the Internet, which is the reality we're dealing with.  Jay Beale released a tool to do this years ago at Toorcon.  There are many others.  Game over

Re: [Full-disclosure] What the f*** is going on?

2011-02-22 Thread Charles Morris
mz Disclosing how their epic story simply involved SQLi, well, what about the guys discovering 0days in native code? Totally. I have long postulated that perl -e '{print "A"x1000}' is considerably more l33t than <script>alert(1)</script> or ' OR '1' == '1. I don't understand the point you are

Re: [Full-disclosure] Other recommended lists?

2011-02-21 Thread Charles Morris
I always felt purposefully antagonizing others and inciting general distress, fear, uncertainty, doubt, and frustration among as many people as possible, without letting others know it was your intention was a better description.. All in all it means you aren't a nice person and you have

Re: [Full-disclosure] Vulnerability in reCAPTCHA for Drupal

2011-02-18 Thread Charles Morris
Michele, Granted I don't know or really care about drupal, and I'm not just trying to defend MustLive, who just seems to be a guy trying to get ahead in the world, even if he's a little misguided; but what really gets to me is when people dismiss issues like that. Not to mention you are assuming

Re: [Full-disclosure] Vulnerability in reCAPTCHA for Drupal

2011-02-18 Thread Charles Morris
It is my personal belief that all vulnerabilities should be patched regardless of existence of a known attack vector or exploit. Let me fix that for you: All vulnerabilities should be evaluated as to whether patching them makes sense.  If it's a one-liner fix for a stupid logic error, yes

Re: [Full-disclosure] Fwd: HBGary Mirrors?

2011-02-18 Thread Charles Morris
Sorry, when I say eligible, I mean which server would they be allowed to take down by law?. I'm not too hot on the laws of encryption, but I'm sure there is something which states that hosting encrypted files are not illegal, it's distributing the key which allows you to gain access to those

Re: [Full-disclosure] Filezilla's silent caching of user's credentials

2010-10-08 Thread Charles Morris
On Thu, Oct 7, 2010 at 11:10 PM, Ryan Sears rdse...@mtu.edu wrote: Hi all, As some of you may or may not be aware, the popular (and IMHO one of the best) FTP/SCP program Filezilla caches your credentials for every host you connect to, without either warning or ability to change this without

Re: [Full-disclosure] Filezilla's silent caching of user's credentials

2010-10-08 Thread Charles Morris
food for thought: https://bugzilla.mozilla.org/show_bug.cgi?id=602181 ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] DLL hijacking with Autorun on a USB drive

2010-09-01 Thread Charles Morris
On Tue, Aug 31, 2010 at 7:03 PM, Dan Kaminsky d...@doxpara.com wrote: On Aug 31, 2010, at 2:20 PM, Charles Morris cmor...@cs.odu.edu wrote: On Tue, Aug 31, 2010 at 5:15 PM, Dan Kaminsky d...@doxpara.com wrote: Again, the clicker can't differentiate word (the document) from word

Re: [Full-disclosure] DLL hijacking with Autorun on a USB drive

2010-08-31 Thread Charles Morris
On Fri, Aug 27, 2010 at 11:27 AM, matt m...@attackvector.org wrote: Dan, While I agree with most of what you're saying, I do find this to be a pretty serious issue, and here's why. 1) The file doesn't have to be fake.  It could be a legitimately real ppt, vcf, eml, html, whatever.  The

Re: [Full-disclosure] DLL hijacking with Autorun on a USB drive

2010-08-31 Thread Charles Morris
... Don't run applications from untrusted locations ... You got it wrong. Only trusted applications are run. - The attacker prepares a WORD.DOC (and a RICHED20.DLL) file in some place. The victim clicks on the WORD.DOC file, using his own installed MSWord. Aaah, well if that is the issue,

Re: [Full-disclosure] DLL hijacking with Autorun on a USB drive

2010-08-31 Thread Charles Morris
On Tue, Aug 31, 2010 at 5:15 PM, Dan Kaminsky d...@doxpara.com wrote: Again, the clicker can't differentiate word (the document) from word (the executable).  The clicker also can't differentiate word (the document) from word (the code equivalent script). The security model people keep

[Full-disclosure] blackboard security contact that can actually handle a report?

2010-08-16 Thread Charles Morris
is there anyone?? vulnerabilities found, off-list replies sought. fall students approach; standard contact methods give: just disappointment.

Re: [Full-disclosure] Expired certificate

2010-08-04 Thread Charles Morris
On Wed, Aug 4, 2010 at 2:44 PM, Marsh Ray ma...@extendedsubset.com wrote: On 08/04/2010 09:44 AM, Paul Schmehl wrote: --On Monday, August 02, 2010 12:36:37 -0400 Elazar Broad ela...@hushmail.com Spot on. I know of one large accounting/ERP system (which shall remain nameless, though I am sure

Re: [Full-disclosure] Hackery Channel 01-09-01-LOLZ: Cat Spoofing against Flow Control

2009-01-30 Thread Charles Morris
-outs. With any biometric authentication it's going to be expensive and have all kinds of bugs and quirks... just teach him a password.. sheesh. -- Charles Morris cmor...@cs.odu.edu, cmor...@occs.odu.edu Network Security Administrator, Software Developer Office of Computing

Re: [Full-disclosure] Microsoft takes 7 years to 'solve' a problem?!

2008-11-25 Thread Charles Morris
at ODU (production included) has had NTLM turned off. No complaints yet. -- Charles Morris [EMAIL PROTECTED], [EMAIL PROTECTED] Network Security Administrator, Software Developer Office of Computing and Communications Services, CS Systems Group Old Dominion University

[Full-disclosure] wow.

2008-05-28 Thread Charles Morris
http://www.sowela.edu/elearning.html ... comments? -- Charles Morris [EMAIL PROTECTED], [EMAIL PROTECTED] Network Security Administrator, Software Developer Office of Computing and Communications Services, CS Systems Group Old Dominion University http://www.cs.odu.edu/~cmorris

[Full-disclosure] Dear full disclosure

2008-05-20 Thread Charles Morris
Dear full-disclosure, please forever archive and cherish these beautiful RIPEMD160 SHA1 sums. a26a3bc9210ea737111477df501d9f9235d94d46 3c5b90c8b6fcc65122da864931f76e0e39f0c384 Sincerely, -- Charles Morris [EMAIL PROTECTED], [EMAIL PROTECTED] Network Security Administrator, Software

[Full-disclosure] Insecure call to CreateProcess()/CreateProcessAsUser()

2006-05-21 Thread Charles Morris
other paths, therefore it is not nearly a sufficient workaround. -- Charles Morris [EMAIL PROTECTED] Network Administrator CS Systems Group Old Dominion University http://15037760514/~cmorris

Re: [Full-disclosure] Insecure call to CreateProcess()/CreateProcessAsUser()

2006-05-21 Thread Charles Morris
and is documented at http://msdn.microsoft.com/library/default.asp?url="" Andres tarasco 2006/5/21, Charles Morris [EMAIL PROTECTED] : Microsoft Explorer (iexplore.exe) calls CreateProcess() with lpApplicationName = NULL. Instead, the lpCommandLine variable is used. Unfortunately, if the lpC