Re: [Full-disclosure] PayPal.com XSS Vulnerability

2013-05-28 Thread Dan Kaminsky
Heya Robert, So there's this pile of law around the world around work and kids; it's a rather recent development that 18 year olds can find problems that multibillion dollar interests are willing to pay bounties for. The laws are all trying to protect you from being made to pick berries or

Re: [Full-disclosure] Using CSS :visited to steal your history (again, zzzz...)

2013-05-05 Thread Dan Kaminsky
...you are a magnificent bastard. On Sun, May 5, 2013 at 5:43 PM, Michal Zalewski lcam...@coredump.cx wrote: I guess this may be somewhat amusing... As you probably know, most browser vendors have fixed the ability to enumerate your browsing history through the CSS :visited

Re: [Full-disclosure] OT Google raises sploit bounties

2012-11-28 Thread Dan Kaminsky
On Wed, Nov 28, 2012 at 6:23 AM, Georgi Guninski gunin...@guninski.com wrote: On Tue, Nov 27, 2012 at 10:32:16PM -0800, Dan Kaminsky wrote: One Google employee responds to another Google employee about Google stuff... It's almost like security people at Google have been security

Re: [Full-disclosure] OT Google raises sploit bounties

2012-11-27 Thread Dan Kaminsky
One Google employee responds to another Google employee about Google stuff... It's almost like security people at Google have been security people for a very long time, and are given a redonkulously long leash ;) --Dan

Re: [Full-disclosure] DakaRand

2012-08-20 Thread Dan Kaminsky
My assumption is that the other Unixes weren't looking at interrupt timing to begin with, i.e. they've always been as starved for entropy as Linux eventually became. Well, you know what they say about assumptions. Smart people will come around and help correct them? :) That

Re: [Full-disclosure] DakaRand

2012-08-20 Thread Dan Kaminsky
On Mon, Aug 20, 2012 at 8:29 AM, Paul Schmehl pschmehl_li...@tx.rr.com wrote: --On August 20, 2012 2:22:28 AM -0700 Dan Kaminsky d...@doxpara.com wrote: May I ask what FreeBSD's entropy sources are? I'm surprised you don't already know. From device noise. Which class? There are many

Re: [Full-disclosure] DakaRand

2012-08-20 Thread Dan Kaminsky
On Mon, Aug 20, 2012 at 9:29 AM, Paul Schmehl pschmehl_li...@tx.rr.com wrote: --On August 20, 2012 8:32:59 AM -0700 Dan Kaminsky d...@doxpara.com wrote: On Mon, Aug 20, 2012 at 8:29 AM, Paul Schmehl pschmehl_li...@tx.rr.com wrote: --On August 20, 2012 2:22:28 AM -0700 Dan Kaminsky d

Re: [Full-disclosure] DakaRand

2012-08-19 Thread Dan Kaminsky
Lots of people are using haveged already, it operates on a similar principle. http://www.issihosts.com/haveged/ Ciao, Marcus Oh yes, there's been code floating around for years that uses timing drift -- but it's never anything that, say, gets integrated into kernels or distros or even

Re: [Full-disclosure] DakaRand

2012-08-19 Thread Dan Kaminsky
On Sun, Aug 19, 2012 at 10:13 AM, Ben Laurie b...@links.org wrote: On Sun, Aug 19, 2012 at 5:42 PM, Dan Kaminsky d...@doxpara.com wrote: entropy gathering has gotten *worse* (via abandonment of interrupts), not better. Entropy gathering in _one particular OS_. Credit where its due, please

Re: [Full-disclosure] DakaRand

2012-08-19 Thread Dan Kaminsky
On Sun, Aug 19, 2012 at 3:03 PM, Ben Laurie b...@links.org wrote: On Sun, Aug 19, 2012 at 9:28 PM, Dan Kaminsky d...@doxpara.com wrote: On Sun, Aug 19, 2012 at 10:13 AM, Ben Laurie b...@links.org wrote: On Sun, Aug 19, 2012 at 5:42 PM, Dan Kaminsky d...@doxpara.com wrote: entropy

Re: [Full-disclosure] how i stopped worrying and loved the backdoor

2012-08-18 Thread Dan Kaminsky
PM, Dan Kaminsky d...@doxpara.com wrote: ... Don't we have hardware RNG in most motherboard chipsets nowadays? clearly not enough of them! 'Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices' https://factorable.net/weakkeys12.extended.pdf

Re: [Full-disclosure] Google Accounts Security Vulnerability

2012-05-18 Thread Dan Kaminsky
Surely you can create a sock puppet for debugging purposes. On Thu, May 17, 2012 at 11:43 AM, Michael Gray mg...@emitcode.com wrote: I'm not interested in providing that information. You can reproduce it without knowing my user name. On May 17, 2012 8:45 AM, Mike Hearn he...@google.com wrote:

Re: [Full-disclosure] Trigerring Java code from a SVG image

2012-05-16 Thread Dan Kaminsky
Yeah, there's a bunch of wild stuff in SVG. The browsers ignore most of it, AFAIK. I think Firefox is the only browser to even consider ForeignObjects (which let you throw HTML back into SVG). Probably the most interesting SVG thing is how they either do or don't have script access, depending

Re: [Full-disclosure] Trigerring Java code from a SVG image

2012-05-16 Thread Dan Kaminsky
, 2012 at 10:13 AM, Dan Kaminsky d...@doxpara.com wrote: Yeah, there's a bunch of wild stuff in SVG. The browsers ignore most of it, AFAIK. I think Firefox is the only browser to even consider ForeignObjects (which let you throw HTML back into SVG). Probably the most interesting SVG thing

Re: [Full-disclosure] The story of the Linux kernel 3.x...

2012-05-16 Thread Dan Kaminsky
But we're making progress, we now know that opensuse on x86 is broken. Is VSYSCALL at a fixed address a similar problem? My Ubuntu boxes indeed have this mapped at the fixed location mentioned. --Dan

Re: [Full-disclosure] Linksys Routers still Vulnerable to Wps vulnerability.

2012-02-13 Thread Dan Kaminsky
Steve while he's often derided goes into this very well. Many cisco's only stop advertising wps when it is off but wps actually still exists...which means they are still easily hackable. Have you directly confirmed a WPS exchange can occur even on devices that aren't advertising support?

Re: [Full-disclosure] Linksys Routers still Vulnerable to Wps vulnerability.

2012-02-13 Thread Dan Kaminsky
sleekmountain...@gmail.com wrote: i have tested reaver on a netgear and linksys (don't have model nos. with me) with wps disabled and enabled. the wps setting did not matter and both were vulnerable. was able to recover wpa2 passphrase in ~4 hrs on both. On Mon, Feb 13, 2012 at 8:32 AM, Dan

Re: [Full-disclosure] Linksys Routers still Vulnerable to Wps vulnerability.

2012-02-13 Thread Dan Kaminsky
: On Mon, Feb 13, 2012 at 1:57 PM, Dan Kaminsky d...@doxpara.com wrote: That's a fairly significant finding. Can anyone else confirm the existence of devices that still fall to Reaver even when WPS is disabled? The Netgear N750 definitely does. I can rummage through my Box'o'Stuff and see

Re: [Full-disclosure] Linksys Routers still Vulnerable to Wps vulnerability.

2012-02-10 Thread Dan Kaminsky
Fixing a vulnerability like this with all the bureaucratic, QA and legal process wouldn't take more than 2 weeks If bureaucratic, QA, and legal issues emerge, you can't even get the names of the people you need to speak to in less than 2 weeks, let alone schedule a conference call. Fixing?

Re: [Full-disclosure] Linksys Routers still Vulnerable to Wps vulnerability.

2012-02-10 Thread Dan Kaminsky
According to the Reaver people, DD-WRT doesn't support WPS at all :) On Fri, Feb 10, 2012 at 2:00 PM, Zach C. fxc...@gmail.com wrote: Solution: use DD-WRT? Or is that vulnerable too? (Or are there worse problems? :)) On Feb 10, 2012 10:12 AM, Dan Kaminsky d...@doxpara.com wrote: Fixing

Re: [Full-disclosure] Linksys Routers still Vulnerable to Wps vulnerability.

2012-02-10 Thread Dan Kaminsky
On Fri, Feb 10, 2012 at 4:33 PM, valdis.kletni...@vt.edu wrote: On Fri, 10 Feb 2012 14:41:37 EST, Dan Kaminsky said: According to the Reaver people, DD-WRT doesn't support WPS at all :) The sort of people that run DD-WRT probably consider that a feature, not a bug. ;) If you've got

Re: [Full-disclosure] Fun with Bitcoin, or how an exploit can hide in plain sight

2012-02-01 Thread Dan Kaminsky
Welcome to why BitCoin is so impressive. You've got this app. It's wide open to the Internet, to the point where it opens up firewall rules if necessary. It's running some home grown network protocol, that ostensibly ships little executable programs around. It's written in C++, the non-memory

Re: [Full-disclosure] VNC viewers: Clipboard of host automatically sent to remote machine

2012-01-24 Thread Dan Kaminsky
Those who try to manage potentially malicious servers do so over IP KVM, in which the foreign server basically gets only inbound Keyboard and Mouse and outbound uncompressed pixels. Anything more is untrusted, for a reason. On Tue, Jan 24, 2012 at 5:50 PM, Nick FitzGerald

Re: [Full-disclosure] Avast Antivirus

2012-01-18 Thread Dan Kaminsky
Nothing to be done, really. Most users run as admin. On Tue, Jan 17, 2012 at 4:19 PM, Floste flo...@gmx.de wrote: Hello, Avast Antivirus also comes with sandbox and a SafeZone. But both can be circumvented using simple dll-injection and they seem to do nothing about it:

Re: [Full-disclosure] [CVE-2012-0207] Linux IGMP Remote Denial Of Service

2012-01-17 Thread Dan Kaminsky
LAN-only, no? Sent from my iPhone On Jan 17, 2012, at 4:11 PM, HI-TECH . isowarez.isowarez.isowa...@googlemail.com wrote: Demonstration of the Exploit: http://www.youtube.com/watch?v=78nAxh70yZE (thanks ClsHack) see attached content /Kingcope undeadattack.c

Re: [Full-disclosure] OT: Firefox question / poll

2011-12-22 Thread Dan Kaminsky
On Tue, Dec 20, 2011 at 7:00 PM, coderman coder...@gmail.com wrote: On Tue, Dec 20, 2011 at 9:40 AM, Charles Morris cmor...@cs.odu.edu wrote: I'm curious what everyone's opinion is on the following question... esp. to any FF dev people on list: Do you think that the Firefox warning:

Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default

2011-11-21 Thread Dan Kaminsky
On Mon, Nov 21, 2011 at 9:58 AM, valdis.kletni...@vt.edu wrote: On Mon, 21 Nov 2011 14:12:38 GMT, Darren Martyn said: Valdis - I did not know the source had gotten THAT big, still, will be interesting to explore parts of it that interest me - the TCP stack for a start... Also, thanks for

Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default

2011-11-19 Thread Dan Kaminsky
What is the security differential between su and sudo bash? Sent from my iPhone On Nov 19, 2011, at 6:15 AM, ja...@zero-internet.org.uk wrote: I'll second that; the isp I work at has a sizeable ubuntu customer base and these are customers who have made an informed decision. Now; let's

Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default

2011-11-19 Thread Dan Kaminsky
-Original Message- From: Dan Kaminsky d...@doxpara.com Date: Sat, 19 Nov 2011 11:36:47 To: ja...@zero-internet.org.uk Cc: Johan Nestaas johannest...@gmail.com; full-disclosure-boun...@lists.grok.org.uk; Olivier feui...@bibibox.fr

Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default

2011-11-19 Thread Dan Kaminsky
Blocking of unpassworded accounts in sshd_config, IIRC. Sent from my iPhone On Nov 19, 2011, at 7:35 PM, Robert Kim App and Facebook Marketing evdo.hs...@gmail.com wrote: Ummm... any idea why remote SSH is not possible?!?!? o_O kinna weird! On Thu, Nov 17, 2011 at 4:23 AM, Olivier

Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default

2011-11-18 Thread Dan Kaminsky
On Fri, Nov 18, 2011 at 5:01 AM, valdis.kletni...@vt.edu wrote: On Thu, 17 Nov 2011 15:53:41 CST, C de-Avillez said: There is no guest account on an Ubuntu server, so at least there this is not a real/perceived risk. And nobody's *ever* installed the desktop version on a server because

Re: [Full-disclosure] Verizon Wireless DNS Tunneling

2011-10-07 Thread Dan Kaminsky
Works mostly everywhere. It's apparently enough of a pain in the butt to deal with, and abused so infrequently, that it's left alone. On Fri, Oct 7, 2011 at 3:32 AM, Marshall Whittaker marshallwhitta...@gmail.com wrote: I recently noticed that you can tunnel TCP through DNS (I used iodine) to

Re: [Full-disclosure] Verizon Wireless DNS Tunneling

2011-10-07 Thread Dan Kaminsky
. On 7/10/2011 6:35 PM, Dan Kaminsky wrote: Works mostly everywhere. It's apparently enough of a pain in the butt to deal with, and abused so infrequently, that it's left alone. On Fri, Oct 7, 2011 at 3:32 AM, Marshall Whittaker marshallwhitta...@gmail.com wrote: I recently noticed that you

Re: [Full-disclosure] Verizon Wireless DNS Tunneling

2011-10-07 Thread Dan Kaminsky
/machine would be redirected to a DNS server that only returned the appropriate service page. Most or all other traffic would be blocked. Much like NAC. Thanks, James On Fri, Oct 7, 2011 at 10:05 AM, Dan Kaminsky d...@doxpara.com wrote: One major reason it sticks around is -- what are you

Re: [Full-disclosure] Verizon Wireless DNS Tunneling

2011-10-07 Thread Dan Kaminsky
AM, Dan Kaminsky d...@doxpara.com wrote: One major reason it sticks around is -- what are you supposed to do, return bad data until the user is properly logged in? It might get cached -- and while operating systems respect TTL, browsers most assuredly do not (well, it MIGHT take us somewhere

Re: [Full-disclosure] Twitter URL spoofing still exploitable

2011-09-27 Thread Dan Kaminsky
Ok, now nobody can spoof a URL, but how come a user will tell good URLs and bad ones apart? Oh boy! Wherever did you get the idea that users can do this?

Re: [Full-disclosure] Recent claims that windows update is broken

2011-09-10 Thread Dan Kaminsky
For the record, no. Windows Update doesn't just depend on WinVerifyTrust, it also calls CertVerifyCertificateChainPolicy with the CERT_CHAIN_POLICY_MICROSOFT_ROOT flag, documented here: http://msdn.microsoft.com/en-us/library/aa377163(v=vs.85).aspx By your logic there would be

Re: [Full-disclosure] Recent claims that windows update is broken

2011-09-09 Thread Dan Kaminsky
On Thu, Sep 8, 2011 at 2:55 AM, Georgi Guninski gunin...@guninski.com wrote: http://www.theregister.co.uk/2011/09/07/diginotar_hacker_proof/ I'm able to issue windows update, he [Comodohacker] wrote. Microsoft's statement about Windows Update and that I can't issue such update is totally

Re: [Full-disclosure] Apache Killer

2011-08-25 Thread Dan Kaminsky
On Wed, Aug 24, 2011 at 10:52 PM, root ro...@fibertel.com.ar wrote: Seriously. This is Zalewski we're talking about. If you've extended his work, you're doing something right. Or perhaps, not. Respectfully, fuck this elitist bullshit. I'm sure you and your friend are good hard-working

Re: [Full-disclosure] Apache Killer

2011-08-24 Thread Dan Kaminsky
On Wed, Aug 24, 2011 at 9:45 PM, root ro...@fibertel.com.ar wrote: On 08/25/2011 01:33 AM, Michal Zalewski wrote: Good catch, but you didn't provide for a working exploit at the time. Now I only see your name on the press. Why? I don't know why this is in the news at all, let alone

Re: [Full-disclosure] Binary Planting Goes Any File Type

2011-07-08 Thread Dan Kaminsky
it. No double-clicking and you couldn't launch an executable this way. Better? Cheers, Mitja On Jul 8, 2011, at 9:10 PM, Dan Kaminsky d...@doxpara.com wrote: And here's where your exploit stops being one: === Suppose the current version of Apple Safari (5.0.5) is our default web browser. If we put

Re: [Full-disclosure] COM Server-Based Binary Planting ProofOfConcept

2011-06-02 Thread Dan Kaminsky
] Sent: Thursday, June 02, 2011 6:00 PM To: secur...@acrossecurity.com; 'Dan Kaminsky' Cc: full-disclosure@lists.grok.org.uk; bugt...@securityfocus.com Subject: RE: [Full-disclosure] COM Server-Based Binary Planting ProofOfConcept But it *is* worth mentioning that you have to create

Re: [Full-disclosure] ZDI-11-168: Multiple Vendor librpc.dll Remote Information Disclosure Vulnerability

2011-05-16 Thread Dan Kaminsky
Don't most TCP/IP stacks block localhost addresses from coming in over the network? On Mon, May 16, 2011 at 12:44 PM, ZDI Disclosures zdi-disclosu...@tippingpoint.com wrote: ZDI-11-168: Multiple Vendor librpc.dll Remote Information Disclosure Vulnerability

Re: [Full-disclosure] Plumber Injection Attack in Bowser's Castle

2011-04-01 Thread Dan Kaminsky
Super Mario Brothers 2 is not vulnerable to this exploit, as it does not ship with a Bowser. It is possible to use the Plumber to inject Wart, but only during sleep(3). On Fri, Apr 1, 2011 at 6:59 AM, Nelson Elhage nelh...@ksplice.com wrote: Advisory Name: Plumber Injection Attack in Bowser's

Re: [Full-disclosure] Why should the presence of shebang (#!) freak out ANY security conscious guy?

2011-02-24 Thread Dan Kaminsky
It's change. And change is scary. (Seriously, nothing wrong with hashbang, except perhaps a slightly increased risk of CSRF from people forgetting, yes, the web's broken session management is still broken even with client side JS page assembly.) On Wed, Feb 23, 2011 at 2:51 PM, Security

Re: [Full-disclosure] Amusing xss against some lexmark printers

2011-01-05 Thread Dan Kaminsky
You can use nmap to set the RDYMSG of a printer and xss the printer web interface: nmap --script=pjl-ready-message.nse --script-args='pjl_ready_message=<script>alert(1);</script>' . [0] *chuckles* What's the rendering engine? WebKit?

Re: [Full-disclosure] how i stopped worrying and loved the backdoor

2010-12-25 Thread Dan Kaminsky
Sent from my iPhone On Dec 25, 2010, at 2:38 PM, BMF badmotherfs...@gmail.com wrote: On Sat, Dec 25, 2010 at 2:12 PM, cpol...@surewest.net wrote: Check out Markus Jacobsson et al, A Practical Secure Physical Random Bit Generator, 1998, using the turbulence of airflow inside the drive as

Re: [Full-disclosure] how i stopped worrying and loved the backdoor

2010-12-24 Thread Dan Kaminsky
On Fri, Dec 24, 2010 at 4:37 PM, BMF badmotherfs...@gmail.com wrote: On Fri, Dec 24, 2010 at 4:27 PM, coderman coder...@gmail.com wrote: how many of you have a competent userspace entropy daemon funneling hardware sources into host pool? It would be nice if there were inexpensive hardware

Re: [Full-disclosure] OpenBSD has Open Backdoored Software Distribution - admitted by Theo

2010-12-22 Thread Dan Kaminsky
On Wed, Dec 22, 2010 at 3:47 PM, Dave Nett dave.n...@yahoo.com wrote: http://marc.info/?l=openbsd-techm=129296046123471w=2 Long mail which just admit has backdoor, poor Theo. (g) I believe that NETSEC was probably contracted to write backdoors as alleged. (h) If those were

Re: [Full-disclosure] Firefox Addon: KeyScrambler

2010-12-08 Thread Dan Kaminsky
Won't work against a hardware keylogger, as it gets the strokes before the driver does. Won't work against any software aware of it; thread inject into Firefox to get the real keystrokes and it's game over. Or heck, simply pretend to be a firefox process to get the decryption key, assuming

Re: [Full-disclosure] verizon vs m$

2010-12-07 Thread Dan Kaminsky
On Tue, Dec 7, 2010 at 6:02 PM, Georgi Guninski gunin...@guninski.com wrote: do i get it right?: 1. the verizon paper is entirely correct Well, sure. 2. some interpret it as a feature and some as a bug? Does it have to be either? On Sun, Dec 05, 2010 at 11:25:36PM +0200, Georgi Guninski

Re: [Full-disclosure] verizon vs m$

2010-12-06 Thread Dan Kaminsky
- Finally, Microsoft and other software vendors should clearly document which features do and do not have associated security claims. Clearly stating which features make security claims, and which do not, will allow informed decisions to be made on IT security issues. - From

Re: [Full-disclosure] verizon vs m$

2010-12-06 Thread Dan Kaminsky
Did you read the Reg article? It has nothing to do with the definition of a security boundary. It's not about that at all. It's about a title tease of bypassing protected mode with associated inaccurate content when the whole thing could be summarized with Protected Mode is not enabled

Re: [Full-disclosure] Evilgrade 2.0 - the update explotation framework is back

2010-10-30 Thread Dan Kaminsky
On Sat, Oct 30, 2010 at 8:02 AM, valdis.kletni...@vt.edu wrote: On Sat, 30 Oct 2010 04:43:14 +0800, Jacky Jack said: It's now a time for vendors to re-consider their updating scheme. And do what differently, exactly? We really need autoupdate baked into the platform. A) Laying in wait for

Re: [Full-disclosure] Security-Assessment.com Advisory: Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass

2010-10-20 Thread Dan Kaminsky
Sent from my iPhone On Oct 20, 2010, at 8:58 AM, Michal Zalewski lcam...@coredump.cx wrote: Security-Assessment.com follows responsible disclosure and promptly contacted Oracle after discovering the issue. Oracle was contacted on August 1, 2010. My understanding is that Stefano Di Paola

Re: [Full-disclosure] ZDI-10-191: Adobe Reader ICC Parsing Remote Code Execution Vulnerability

2010-10-06 Thread Dan Kaminsky
Well, awesome. This sounds near-identical to some issues that the Sun JRE had a few years back[1]. I wonder if the code shares a common lineage? :) No common lineage required; ICC's filled with 32 bit element counts. They're always int overflow bait.

Re: [Full-disclosure] DLL hijacking with Autorun on a USB drive

2010-09-14 Thread Dan Kaminsky
On Tue, Sep 14, 2010 at 6:07 PM, Stefan Kanthak stefan.kant...@nexgo.de wrote: Dan Kaminsky wrote: h0h0h0. There be history, Larry. Short version: Go see how many DLLs exist outside of c:\windows\system32. Look, ye mighty, and despair when you realize all those apps would be broken by CWD

Re: [Full-disclosure] Firefox same-origin policy for fonts

2010-09-12 Thread Dan Kaminsky
The idea is the same as crossdomain.xml in flash -- content can explicitly opt into being shared across domain boundaries. Our real problem is that there's no way to know whether content is generically available to the Internet, or just you because of IP firewalling / cookies / whatnot. So we

Re: [Full-disclosure] Nmap NOT VULNERABLE to Windows DLL Hijacking Vulnerability

2010-09-10 Thread Dan Kaminsky
On Fri, Sep 10, 2010 at 11:46 AM, Nikhil Mittal nikhil_uitr...@yahoo.co.in wrote: Here's my definition Exploitable vulnerability = vulnerabilityn't t Non-exploitable vulnerability = mental masturbation Nice definition. I would like to add one more line for my definition Inability to

Re: [Full-disclosure] [GOATSE SECURITY] Clench: Goatse's way to say screw you to certificate authorities

2010-09-08 Thread Dan Kaminsky
research in this area has been done by by Marlinspike, Dan Kaminsky and Mike Zusman which you really should read. ... The whole PKI architecture is broken and cannot be safely relied upon. Any system of authentication which relies on a “trusted” third party that you have no dominion over

Re: [Full-disclosure] KeePass version 2.12 = Insecure DLL Hijacking Vulnerability (dwmapi.dll)

2010-09-07 Thread Dan Kaminsky
So, what's the security model around .ygwx files? On Tue, Sep 7, 2010 at 1:57 AM, YGN Ethical Hacker Group li...@yehg.net wrote: The fixed version KeePass 2.13 has been released. http://keepass.info/news/n100906_2.13.html But failure to describe DLL Hijacking was fixed.

Re: [Full-disclosure] KeePass version 2.12 = Insecure DLL Hijacking Vulnerability (dwmapi.dll)

2010-09-07 Thread Dan Kaminsky
excuse me, kdbx. same difference On Tue, Sep 7, 2010 at 2:23 AM, Dan Kaminsky d...@doxpara.com wrote: So, what's the security model around .ygwx files? On Tue, Sep 7, 2010 at 1:57 AM, YGN Ethical Hacker Group li...@yehg.net wrote: The fixed version KeePass 2.13 has been released. http

Re: [Full-disclosure] DLL hijacking with Autorun on a USB drive

2010-08-31 Thread Dan Kaminsky
On Aug 31, 2010, at 2:01 PM, Charles Morris cmor...@cs.odu.edu wrote: ... Don't run applications from untrusted locations ... You got it wrong. Only trusted applications are run. - The attacker prepares a WORD.DOC (and a RICHED20.DLL) file in some place. The victim clicks on the

Re: [Full-disclosure] DLL hijacking with Autorun on a USB drive

2010-08-31 Thread Dan Kaminsky
On Aug 31, 2010, at 2:20 PM, Charles Morris cmor...@cs.odu.edu wrote: On Tue, Aug 31, 2010 at 5:15 PM, Dan Kaminsky d...@doxpara.com wrote: Again, the clicker can't differentiate word (the document) from word (the executable). The clicker also can't differentiate word

Re: [Full-disclosure] DLL hijacking with Autorun on a USB drive

2010-08-31 Thread Dan Kaminsky
On Aug 31, 2010, at 4:08 PM, paul.sz...@sydney.edu.au wrote: Dan Kaminsky d...@doxpara.com wrote: I can differentiate my coolProposal.doc from msword.exe just fine.. Uh huh. Here, let me go ahead and create 2010 Quarterly Numbers.ppt.exe with a changed icon, and see what you notice

Re: [Full-disclosure] DLL hijacking with Autorun on a USB drive

2010-08-31 Thread Dan Kaminsky
On Aug 31, 2010, at 4:11 PM, paul.sz...@sydney.edu.au wrote: valdis.kletni...@vt.edu wrote: ... The victim is attempting to view a plain text file. Surely that can be done safely? Only if your OS's security model understands the fact that executable code and data belong in different

Re: [Full-disclosure] DLL hijacking with Autorun on a USB drive

2010-08-31 Thread Dan Kaminsky
On Aug 31, 2010, at 6:49 PM, paul.sz...@sydney.edu.au wrote: Dan Kaminsky d...@doxpara.com wrote: iexplore.exe has a security model. Explorer.exe doesn't ... Very dim view. So, there is no way for a Windows user to access his desktop, e.g. any data on a CD or USB stick, in a safe way

Re: [Full-disclosure] DLL hijacking with Autorun on a USB drive

2010-08-30 Thread Dan Kaminsky
On Mon, Aug 30, 2010 at 11:45 AM, Pavel Kankovsky p...@argo.troja.mff.cuni.cz wrote: On Thu, 26 Aug 2010, Dan Kaminsky wrote: The question is whether they're supposed to execute code in this particular context. I think the question ought to be: what authority and privileges shall

Re: [Full-disclosure] DLL hijacking with Autorun on a USB drive

2010-08-27 Thread Dan Kaminsky
On Fri, Aug 27, 2010 at 1:51 AM, valdis.kletni...@vt.edu wrote: On Fri, 27 Aug 2010 01:29:32 EDT, Dan Kaminsky said: Again, let me emphasize. Really interesting vector, will probably end up attached to an unambiguous flaw. But right now, we're just seeing flaws along the lines of Double

Re: [Full-disclosure] DLL hijacking with Autorun on a USB drive

2010-08-27 Thread Dan Kaminsky
On Fri, Aug 27, 2010 at 9:10 AM, valdis.kletni...@vt.edu wrote: On Fri, 27 Aug 2010 07:20:22 EDT, Larry Seltzer said: Why wouldn't eliminating the CWD from the DLL search order fix the problem? I asked Microsoft about this (

Re: [Full-disclosure] DLL hijacking with Autorun on a USB drive

2010-08-27 Thread Dan Kaminsky
they can put their apps in Office/sharedDLLs and point to it. At least we could move forward from here. Microsoft's choice here dooms us to this problem for the foreseeable future. *From:* Dan Kaminsky [mailto:d...@doxpara.com] *Sent:* Friday, August 27, 2010 10:08 AM *To:* Larry Seltzer *Cc

Re: [Full-disclosure] DLL hijacking with Autorun on a USB drive

2010-08-27 Thread Dan Kaminsky
h0h0h0. There be history, Larry. Short version: Go see how many DLLs exist outside of c:\windows\system32. Look, ye mighty, and despair when you realize all those apps would be broken by CWD DLL blocking. Longer version: Unix has always had the tradition of a system administrator. When it

Re: [Full-disclosure] DLL hijacking with Autorun on a USB drive

2010-08-27 Thread Dan Kaminsky
27, 2010 at 4:19 PM, Dan Kaminsky d...@doxpara.com wrote: Well, if I pull out the crystal ball, I see two possibilities: 1) Patch goes out, implementing this policy 2) 1% of customers go dark 3) That's a WHOLE BUNCH OF CUSTOMERS WHO DISABLE WINDOWS UPDATE 1) Patch goes out, off

Re: [Full-disclosure] DLL hijacking with Autorun on a USB drive

2010-08-26 Thread Dan Kaminsky
On Thu, Aug 26, 2010 at 3:53 PM, matt m...@attackvector.org wrote: Hey guys.. Here's an example the DLL hijacking attack using a USB drive with autorun. I haven't seen this done yet, so I figured I'd post it. http://www.attackvector.org/autorun-dll-hijacker-usb-stick/ Sure, but you have

Re: [Full-disclosure] DLL hijacking with Autorun on a USB drive

2010-08-26 Thread Dan Kaminsky
On Aug 26, 2010, at 7:53 PM, Larry Seltzer la...@larryseltzer.com wrote: Instead of it executing wab.exe (Windows Address Book) and open the file test.vcf, one can directly get any .exe file open. Users have shown themselves very willing to open up test.vcf.exe. Or for that matter,

Re: [Full-disclosure] DLL hijacking with Autorun on a USB drive

2010-08-26 Thread Dan Kaminsky
On Aug 26, 2010, at 9:30 PM, paul.sz...@sydney.edu.au wrote: Dan Kaminsky d...@doxpara.com wrote: Instead of it executing wab.exe (Windows Address Book) and open the file test.vcf, one can directly get any .exe file open. Users have shown themselves very willing to open up

Re: [Full-disclosure] DLL hijacking with Autorun on a USB drive

2010-08-26 Thread Dan Kaminsky
On Fri, Aug 27, 2010 at 1:06 AM, paul.sz...@sydney.edu.au wrote: Dan Kaminsky d...@doxpara.com wrote: Badly setup desktops: do not hide extensions, maybe view details (or list) not icons. All that matters is defaults, and icons are way more powerful ... Those defaults are wrong

Re: [Full-disclosure] DLL hijacking with Autorun on a USB drive

2010-08-26 Thread Dan Kaminsky
On Fri, Aug 27, 2010 at 1:05 AM, valdis.kletni...@vt.edu wrote: On Thu, 26 Aug 2010 20:39:04 PDT, Dan Kaminsky said: There may very well be a legitimate boundary cross from this DLL stuff, but we haven't seen it yet. All the present stuff has the indelible mark of a false boundary

Re: [Full-disclosure] Expired certificate

2010-07-25 Thread Dan Kaminsky
On 7/25/2010 4:59 PM, Pavel Kankovsky wrote: On Sat, 24 Jul 2010, Dan Kaminsky wrote: And what do you think is doing revocation checking? Hint: Even fewer things than are doing chain validation. So... no one is doing revocation checking and expiration is evil. How are we supposed to get

Re: [Full-disclosure] Expired certificate

2010-07-24 Thread Dan Kaminsky
People may neglect to revoke certificates that have become invalid (e.g. a personal certificate for someone who has deceased). And what do you think is doing revocation checking? Hint: Even fewer things than are doing chain validation. The problem is a conflict between security and

Re: [Full-disclosure] Expired certificate

2010-07-22 Thread Dan Kaminsky
Operationally, it just shouldn't be that big a deal to schedule a maintenance every few years. Like expiring domain registrations, the hardest part is simply to not lose track of it. The Accounting dept in an organization can sometimes help to not forget that stuff. Shouldn't? That's a nice

Re: [Full-disclosure] Expired certificate

2010-07-22 Thread Dan Kaminsky
On Thu, Jul 22, 2010 at 11:28 PM, Marsh Ray ma...@extendedsubset.com wrote: On 07/22/2010 08:05 PM, Dan Kaminsky wrote: That's $240K/yr being spent to manage three year expirations, just on labor. Yep. But as Dr. Laura would say, you knew that before you married her. Nobody said you

Re: [Full-disclosure] Expired certificate

2010-07-17 Thread Dan Kaminsky
Junk, X.509 always has another way it falls over in the field. Expiration management is one of those ways. In theory, it's no big deal to swap out an expired cert for a valid one. In reality, it's a time bomb, of the sort that usually doesn't exist. Does the output of gcc have a

Re: [Full-disclosure] In-band signalling (was: Re: NuralStorm Webmail Multiple Vulnerabilities)

2010-07-17 Thread Dan Kaminsky
Out of band signaling can be made to work in small networks. In larger networks and systems, the problem is -- what makes you think you have simply two planes? We call them n-tier, not 2-tier after all. And nobody tunnels like telephony guys. If they ain't encapsulating, they ain't living.

Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?

2010-07-02 Thread Dan Kaminsky
DR And many of them could be mitigated via BCPs until such time as DR fixed code could be deployed, as well. There it is again, BCP. Is this the new IDS ? Best Practices are what forms when Ops guys are given broken systems and told to make them work. This isn't meant in a derogatory way.

Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?

2010-07-01 Thread Dan Kaminsky
And this is why BreakingPoint matters: Because, oh man, network people let manufacturers get away with shipping some really fragile code. If a Windows desktop fell over because you looked at it funny -- and let's be honest, nmap -sV is quite literally, looking at something funny -- it'd be an

Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?

2010-07-01 Thread Dan Kaminsky
I would not object to posts on Full-Disclosure along the lines of nmap -sV crashes x device. Unauthenticated remote permanent DoS's from standard network scanning tools are certainly legitimate findings, and if this gives more power to the QA guy in $NETWORKVENDOR, all the better. On Thu, Jul 1,

Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?

2010-07-01 Thread Dan Kaminsky
Permanent DoS's are unacceptable even from intentionally malicious traffic, let alone a few nmap flags. They're unacceptable to us, they're unacceptable to Microsoft (see: MSRC bug bar), and even Cisco PSIRT has shown up on thread desiring to clean things up. It's funny you bring up SNMP.

Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?

2010-07-01 Thread Dan Kaminsky
Agreed completely on don't panic. On Jul 1, 2010, at 9:30 PM, Dobbins, Roland rdobb...@arbor.net wrote: On Jul 2, 2010, at 8:13 AM, Lee wrote: so presumably the scan came from a network that had full access to the routers. One question is whether or not the network in question

Re: [Full-disclosure] Chrome and Safari users open to stealth HTML5 Application Cache attack

2010-06-28 Thread Dan Kaminsky
In summary, any http hit on an insecure network is dangerous on all browsers. (FWIW, Chromium resolves this for me. When I type mailenter into the omnibar, it auto-completes to https://mail.google.com/) Actually, I see this as a legitimate gap. HTTP links don't cache-mix with HTTPS links,

Re: [Full-disclosure] Chrome and Safari users open to stealth HTML5 Application Cache attack

2010-06-28 Thread Dan Kaminsky
On Tue, Jun 29, 2010 at 12:41 AM, Chris Evans scarybea...@gmail.com wrote: On Mon, Jun 28, 2010 at 1:30 PM, Dan Kaminsky d...@doxpara.com wrote: In summary, any http hit on an insecure network is dangerous on all browsers. (FWIW, Chromium resolves this for me. When I type mailenter

Re: [Full-disclosure] newest category of security bugs considered elite ?

2010-05-01 Thread Dan Kaminsky
I really like the hash length declaration bugs, where the client can tell the server how many bytes of a hash need to be validated. (Yep, you just say one byte is plenty) SNMPv3 and XML-DSIG both fell to this, catastrophically. On May 1, 2010, at 2:23 PM, Georgi Guninski

Re: [Full-disclosure] newest category of security bugs considered elite ?

2010-05-01 Thread Dan Kaminsky
On May 1, 2010, at 8:30 PM, Nick FitzGerald n...@virus-l.demon.co.uk wrote: Dan Kaminsky wrote: I really like the hash length declaration bugs, where the client can tell the server how many bytes of a hash need to be validated. (Yep, you just say one byte is plenty) SNMPv3 and XML

Re: [Full-disclosure] IE8 img tag HiJacking

2010-04-22 Thread Dan Kaminsky
Also, Billy Hoffman has done a lot of fun work in this space, see http://www.gnucitizen.org/blog/javascript-remoting-dangers/ 2010/4/22 Dan Kaminsky d...@doxpara.com: Interesting use, using filesize to back into the actual CAPTCHA used for a given query. Sneaky! So it's possible to read

Re: [Full-disclosure] IE8 img tag HiJacking

2010-04-22 Thread Dan Kaminsky
Interesting use, using filesize to back into the actual CAPTCHA used for a given query. Sneaky! So it's possible to read not only filesize, but image dimensions cross-domain. I actually found a use for this -- it's a good way to exchange a small amount of data between sites that mutually

Re: [Full-disclosure] Possible RDP vulnerability

2010-03-27 Thread Dan Kaminsky
So it's a super common thing for schools to have 'locked down' Windows desktops, and even more common for even slightly nerdy kids to take the lockdown as a challenge to be defeated. The point of course is that the kids always win: At the point somebody has the set of privileges exposed

Re: [Full-disclosure] Possible RDP vulnerability

2010-03-27 Thread Dan Kaminsky
they are, and more importantly, are NOT doing insofar as security is concerned when it comes to access to local assets. t From: Dan Kaminsky [mailto:d...@doxpara.com] Sent: Saturday, March 27, 2010 7:37 AM To: wicked clown Cc: Thor (Hammer of God); Full-Disclosure@lists.grok.org.uk Subject: Re: [Full

Re: [Full-disclosure] EasyJet is storing user passwords in the clear

2010-02-25 Thread Dan Kaminsky
Sai, I see where you're coming from, but what are the most recent statistics on the effectiveness of hash cracking? Isn't it something like 70% of the passwords in the field can be cracked with a minimal amount of brute forcing? There are best practices, and there are vulnerabilities. I

Re: [Full-disclosure] EasyJet is storing user passwords in the clear

2010-02-25 Thread Dan Kaminsky
On Thu, Feb 25, 2010 at 10:39 AM, Michael Neal Vasquez m...@alumni.princeton.edu wrote: On Thu, Feb 25, 2010 at 8:05 AM, Dan Kaminsky d...@doxpara.com wrote: Sai, I see where you're coming from, but what are the most recent statistics on the effectiveness of hash cracking? Isn't

Re: [Full-disclosure] EasyJet is storing user passwords in the clear

2010-02-25 Thread Dan Kaminsky
, Feb 25, 2010 at 9:07 AM, Dan Kaminsky d...@doxpara.com wrote: On Thu, Feb 25, 2010 at 10:39 AM, Michael Neal Vasquez m...@alumni.princeton.edu wrote: On Thu, Feb 25, 2010 at 8:05 AM, Dan Kaminsky d...@doxpara.com wrote: Sai, I see where you're coming from, but what are the most
