Jericho has some 'splaining to do!
c.f. QUANTUMSQUIRREL**
clearly the squirrel schwag is just cover for the _real_ rogue revenues...
** https://peertech.org/files/QUANTUMSQUIRREL.JPG
attachment: QUANTUMSQUIRREL.JPG
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
On Thu, Mar 6, 2014 at 4:09 PM, Pedro Worcel pe...@worcel.com wrote:
Bitcoins are doing great actually. =)
Used to be worth 0 a few years back, useless, and now you can use them to
buy some stuff.
also providing some awesome information for future uses, c.f.:
i for one am moved by the selfless dedication to promoting a happy bit
it every horse's mouth.
may the hack-a-more live forevar!
On Wed, Feb 26, 2014 at 11:01 AM, Sanguinarious Rose
sanguiner...@occultusterra.com wrote:
You have my Axe!
On Thu, Nov 28, 2013 at 12:25 PM, coderman coder...@gmail.com wrote:
Request for participants
FOIA with privacy waivers[0] ...
it is in my best interest not to pursue this effort any further. the
donations received for this have gone to Cryptome instead for their
FOIA efforts.
if you
On Sat, Jan 4, 2014 at 3:35 PM, scadastrangelove
scadastrangel...@gmail.com wrote:
...
ICS/SCADA/PLC Google/Shodan Cheat Sheet
THC Hydra with Siemens S7-300 support
Slides and video from SCADA Strangelove 2 talk.
A Hacker Disneyland by @ygoltsev and @arbitrarycode
Firebird/interbase database
On Sat, Jan 4, 2014 at 6:55 PM, Bernhard Kuemel bernh...@bksys.at wrote:
... the modem is ... poorly ...
isolated from the rest of the platform and could access critical
components such as storage, RAM, GPS and audio (microphone) of the
device
Can you tell me what attack vectors might
On Mon, Dec 30, 2013 at 10:02 AM, l...@odewijk.nl wrote:
...
Since the GSM f/w controls a radio, and thus the power, it may need a
FCC certification... [bad dependencies and liabilities here]
alternatively, encourage a market for open hardware and
firmware/software components suitable for
On Tue, Dec 10, 2013 at 10:43 AM, Sean Lynch se...@literati.org wrote:
...
software-defined radios such as the HackRF are coming onto the
market. My suspicion is that the legislation simply hasn't caught up to
this reality yet and that these will become difficult to obtain...
i hope you're
On Wed, Jan 1, 2014 at 3:14 AM, Lodewijk andré de la porte l...@odewijk.nl
wrote:
I love being mentioned...
duly noted; i aim to please!
best regards,
p.s. if you're looking for good high performance SDR gear,
look for the Noctar/BladeRF/HackRF/USRP*/RTL-SDR/*.* equivalents
of these
On Wed, Jan 1, 2014 at 4:09 AM, Moritz Muehlenhoff j...@debian.org wrote:
... In addition this update [...]
no longer uses the RdRand feature available on some
Intel CPUs as a sole source of entropy unless explicitly requested.
no CVE for the oops you were entirely dependent on RDRAND issue,
that one top post ... [was: RDRAND used directly when...
On Sat, Dec 14, 2013 at 4:33 AM, coderman coder...@gmail.com wrote:
as per the FreeBSD announcement[0] and others[1][2] direct use of
RDRAND as sole entropy source is not recommended...
On Mon, Dec 16, 2013 at 7:27 PM, coderman coder...@gmail.com wrote:
...
what is affected??
fortunately impacts are less than anticipated!
nickm devised the most concise fix: RAND_set_rand_method(RAND_SSLeay());
always after ENGINE_load_builtin_engines().
https://gitweb.torproject.org/tor.git
On Mon, Dec 16, 2013 at 2:50 PM, Fyodor fyo...@nmap.org wrote:
...
Apparently you touched a nerve! If the legal threats we received for
archiving this security advisory on SecLists.org are any indication,
ZippyYum really doesn't want anyone to know they were storing users' credit
card info
On Sat, Dec 14, 2013 at 4:33 AM, coderman coder...@gmail.com wrote:
...
if you are using an application linked with openssl-1.0.1-beta1
through openssl-1.0.1e you should do one of the following:
updated list with env suggestion:
a.) rebuild your OpenSSL with OPENSSL_NO_RDRAND defined
b
as per the FreeBSD announcement[0] and others[1][2] direct use of
RDRAND as sole entropy source is not recommended.
from Westmere onward you could use AES-NI to make crypto fast in
OpenSSL. a common theme is to initialize OpenSSL via
ENGINE_load_builtin_engines() which lets OpenSSL take
On Sat, Dec 14, 2013 at 8:31 AM, Dennis E. Hamilton
dennis.hamil...@acm.org wrote:
It would have been good if you had said security issue ...
i think the word you're looking for is Feature.
... but you and me are not the customer. ;)
On Sat, Dec 14, 2013 at 4:33 AM, coderman coder...@gmail.com wrote:
...
if you are using an application linked with openssl-1.0.1-beta1
through openssl-1.0.1e you should do one of the following:
...
b.) call RAND_set_rand_engine(NULL) after ENGINE_load_builtin_engines().
correction
On Mon, Dec 2, 2013 at 12:31 PM, ScripT setInterval(function(){for(
){alert('fixme')} } 10) /scRIpt tytusromekiatomek@...
-^
this is what happens when little bobby tables and his younger cousin
get into mischief...
On Thu, Nov 28, 2013 at 12:25 PM, coderman coder...@gmail.com wrote:
Request for participants
FOIA with privacy waivers...
yes; this requires trust in my efforts on your behalf.
alternatively you can file the requests yourself, covering your own
fees, if any, and collaborate with others
Request for participants
FOIA with privacy waivers[0] to investigate:
- FBI and other TLA use of offensive attacks as part of active
forensics in investigations. Circumstances around use; e.g. lack of
search and seizure warrants, only classified expedient requests or pen
register orders.
-
On Wed, Nov 27, 2013 at 2:10 PM, Nicolas Surribas
nicolas.surri...@gmail.com wrote:
...
I'm proud to announce the release of a new version of Wapiti, the
web-application vulnerability scanner...
What's new in version 2.3.0 ?
...
* Removed SOCKS proxy support (due to migration to
On Thu, Aug 11, 2011 at 4:14 AM, coderman coder...@gmail.com wrote:
...
seriously EOM this time.
well, what do you know, sunlight prevails! ;)
http://electrospaces.blogspot.com/2013/11/drtbox-and-drt-surveillance-systems.html
... this is but a feeling; one aspect of the whole.[0]
0. Blind
no, DC20 was not DRT.
then i would feel bad for getting my ass handed to me...
(when i discover the codename for my retribution, it shall become my
headstone..)
On Sat, Nov 16, 2013 at 3:59 AM, mrame...@hushmail.com wrote:
... I come across an IP address and a
MAC address hardcoded in some libraries of a firmware for a vendor. Why
should this kind of hardcode be there?
i've seen this done for testing purposes, when running hardware
through a
surprised not a peep about this one here yet,... hmmm
a fun one ;)
we are accustomed to old software adding risk;
new (secondary effects of combined AUTH+ENC modes)
also carries risk!
---
OpenSSH Security Advisory: gcmrekey.adv
This document may be found at:
On Fri, Nov 8, 2013 at 10:56 AM, CERT OPS Marienfeldt
cert.marienfe...@gmail.com wrote:
If exploited, this vulnerability might permit code execution
with the privileges of the authenticated user
might explain the absence ;-)
how many integrations and services auth without shell?
On Fri, Nov 8, 2013 at 8:28 PM, Bob Man Van Kim evdo.hs...@gmail.com wrote:
Actually, guys... I'm wondering if the lack of response is due to falling
user participation...
clearly we need more vulnerable installations. please reply with to
this email with your IPv4 listen addr and port once
my contempt for email is well known and reinforced by choice of provider.
there are myriad rebuttals to email as private channel, of which i
agree fully. however, if you pass muster, i can be reached via secure
email. yes your default client will balk. this is a feature not a
bug... you must
On Thu, Oct 31, 2013 at 7:55 PM, coderman coder...@gmail.com wrote:
my contempt for email is well known and reinforced by choice of provider.
there are myriad rebuttals to email as private channel, of which i
agree fully. however, if you pass muster, i can be reached via secure
email. yes
On Thu, Oct 3, 2013 at 3:21 AM, coderman coder...@gmail.com wrote:
... i would pay money to never read about lame XSS on this list again...
ok, lame is too harsh; inaccurate. as part of a larger campaign of
pwn, XSS can play part in a pandemic pounding of target host or
network.
better to say
On Thu, Oct 3, 2013 at 3:20 AM, coderman coder...@gmail.com wrote:
...
incompetent, disrespectful vendors can be really motivating...
i recant my accusation that Yahoo is disrespectful and idiotic; they
just have poor timing and appear to be addressing the complaints
discussed, and had been
'''
The NSA has undermined a fundamental social contract. We engineers
built the internet – and now we have to fix it...
By subverting the internet at every level to make it a vast,
multi-layered and robust surveillance platform, the NSA has undermined
a fundamental social contract. The companies
Re: [Full-disclosure] tor vulnerabilities?
On Wed, Jul 3, 2013 at 11:04 AM, coderman coder...@gmail.com wrote:
...
next generation low latency anonymity networks are a fun area of
research and suited to interesting attacks. you could help build and
break them when you're sufficiently sated
On Wed, Jul 3, 2013 at 7:34 AM, Georgi Guninski gunin...@guninski.com wrote:
...
I see no reason to trust tor.
How do you disprove that at least (say) 42% of the tor network
is malicious, trying to deanonymize everyone and logging
everything?
end to end privacy is orthogonal to anonymity,
On Fri, Apr 19, 2013 at 1:26 PM, paul.sz...@sydney.edu.au wrote:
...
2012-02-15 - Vulnerability Discovered by VUPEN
2013-03-06 - Vulnerability Exploited At Pwn2Own 2013 and Reported to
Adobe...
Is a delay of a year before reporting to the vendor, acceptable?
three years or more is
On Tue, Apr 2, 2013 at 10:49 AM, John Cartwright jo...@grok.org.uk wrote:
In all seriousness I accept the fact that the OS isn't meant to be
secure in any way and I have essentially wasted 24 hours of my life
horsing around with it.
attachment:
On Wed, Feb 27, 2013 at 3:13 AM, imipak imi...@gmail.com wrote:
SMTP_ECHO_REQUEST
ICMP_SOURCE_QUENCH
On Thu, Jan 10, 2013 at 9:03 AM, Mikhail A. Utin
mu...@commonwealthcare.org wrote:
...
I once shared my idea that ZDI is not the right way to go. It should be a market
place (web portal) for selling vulnerabilities based on action price. Like
eBay.
this reasoning assumes money is the only
is sufficient,
provided key generation is secure. always a million caveats... and
adding dakarand to guests is better than not.
On Wed, Jul 18, 2012 at 12:35 PM, coderman coder...@gmail.com wrote:
On Fri, Dec 24, 2010 at 5:08 PM, Dan Kaminsky d...@doxpara.com wrote:
...
Don't we have hardware RNG in most
On Wed, Aug 15, 2012 at 6:10 AM, Dan Rosenberg
dan.j.rosenb...@gmail.com wrote:
...
So many things wrong here.
What's actually happening is these devices have a line in their /init.rc
scripts, which are run at boot as root by the init process,...
some of my favorite stories start this way!
On Tue, Aug 7, 2012 at 10:06 PM, Jeffrey Walton noloa...@gmail.com wrote:
...
Android 4.0+ offers a Keychain, and applications should be storing
base secrets in the Keychain
any bets on adoption? prepare to be disappointed...
(we should have a name and shame for just this purpose)
On Fri, Dec 24, 2010 at 5:08 PM, Dan Kaminsky d...@doxpara.com wrote:
...
Don't we have hardware RNG in most motherboard chipsets nowadays?
clearly not enough of them!
'Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices'
https://factorable.net/weakkeys12.extended.pdf
On Mon, Jul 16, 2012 at 12:23 AM, Yvan Janssens yvan.janss...@vasco.com wrote:
I found an XSS vulnerability in http://eenmiljardseconden.frankdeboosere.be/
. This vulnerability was possible due to invalid input validation/bad
programming. The owner was contacted and a satiric fix was
On Sat, Jul 14, 2012 at 4:25 PM, Bruce Schneier schne...@schneier.com wrote:
...
Many roadside farm stands in the U.S. are unstaffed. They work on the honor
system: take what you want, and pay what you owe. I like systems that
leverage personal moral codes for security. But I'll bet that
On Mon, Jul 16, 2012 at 10:59 AM, Григорий Братислава
musntl...@gmail.com wrote:
...
Is in my experience is that I place two folders in directory in is
root folder called /root/MilaKunisLeakedPhotos/ and
/root/OlgaKurlyenko/ is when I see is accessed. Then I know is my
machine compromised.
On Mon, Jul 16, 2012 at 11:52 AM, Ali Varshovi ali.varsh...@hotmail.com wrote:
I'm thinking that we need a comparison base or normal behavior profile to be
able to detect any deviations or abnormal/suspicious activity. While some
known patterns of behaviors are useful to detect malware
On Mon, Jun 25, 2012 at 12:21 AM, BMF badmotherfs...@gmail.com wrote:
...
I have a server with one of these in it:
http://www.entropykey.co.uk/
although I still need to find a reasonably secure way to share the
entropy with all of my VMs where it is really needed.
check out
On Sun, Jun 24, 2012 at 1:37 PM, Moritz Muehlenhoff j...@debian.org wrote:
...
Package : python-crypto
Vulnerability : programming error...
It was discovered that the ElGamal code in PythonCrypto, a
collection of cryptographic algorithms and protocols for Python used
insecure
On Thu, Jun 21, 2012 at 1:37 PM, CORE Security Technologies Advisories
advisor...@coresecurity.com wrote:
...
9. *Report Timeline*
. 2012-05-30:
Core Security Technologies notifies Lattice Semiconductor Corporation of
the vulnerability. Publication date is set for June 26th, 2012.
.
On Tue, Jun 19, 2012 at 2:05 AM, Fyodor fyo...@insecure.org wrote:
From: Leo Impact Security,Inc cont...@leoimpact.com
To: fyo...@insecure.org
Subject: subject: http://seclists.org/fulldisclosure/2012/Apr/19 removing
...
I am Mark, CISO of Leo Impact Security, some fraud person post
On Sun, Jun 10, 2012 at 9:42 AM, Benjamin Kreuter ben.kreu...@gmail.com wrote:
...
(CALEA taps are *widely* exploited by the bad guys.
Do you have a good citation for this?
the most infamous case is the athens affair:
http://spectrum.ieee.org/telecom/security/the-athens-affair
While this
On Sun, Jun 10, 2012 at 2:05 PM, Benjamin Kreuter ben.kreu...@gmail.com wrote:
...
It is not clear to me that these were CALEA components, as opposed to
some similar law in Greece or the UK (where Vodaphone is based).
... is it clear that the Greek equipment was
built to US standard i.e. that
On Sun, Jun 10, 2012 at 2:22 PM, coderman coder...@gmail.com wrote:
...
we can split hairs on the origin and naming of a given capability, but
these are CALEA (aka lawful intercept) functions used unlawfully.
more fun reading, if you're curious:
Exploiting Lawful Intercept to Wiretap
On Sun, Jun 10, 2012 at 2:06 PM, Laurelai laure...@oneechan.org wrote:
... in regards to protecting yourself
from .gov malware, it really is quite simple... all only run on windows
platforms.
this is wrong in fact, and understanding.
factually other state driven malware has targeted OSX,
On Sat, Jun 9, 2012 at 3:30 PM, valdis.kletni...@vt.edu wrote:
... I'm *still* waiting for your
lawyers to serve me papers for Neal Krawetz's 2006 Black Hat presentation
c'mon valdis,
it's Dr. Neak Krawetz, PhD.
... i thought we've been through this??
On Fri, Jun 8, 2012 at 10:03 AM, Thor (Hammer of God)
t...@hammerofgod.com wrote:
...
What solution? [to countries using cyberwar] And who exactly is going to
“find” it?
AV industry vows to become better detectors,
find and reverse; you get million dollar vuln RD for free!
incident response,
On Wed, Jun 6, 2012 at 7:41 AM, Laurelai laure...@oneechan.org wrote:
...
Is anyone else the least bit concerned that stuxnet was carried out by the
US Government?
remember the siberian pipeline? uncle sam has been up in yer SCADA for
two decades.
if this is a surprise, you aren't paying
On Wed, Jun 6, 2012 at 11:16 AM, coderman coder...@gmail.com wrote:
... uncle sam has been up in yer SCADA for
two decades.
three decades; too early for maths!
On Thu, May 31, 2012 at 6:56 AM, RandallM randa...@fidmail.com wrote:
..if flame was hidden in angry birds
flame is as successful as it is precisely because it is extremely
targeted. indiscriminate, promiscuous infection would defeat the
purpose.
however, if this same level of skill were
On Mon, May 28, 2012 at 10:49 AM, Georgi Guninski gunin...@guninski.com wrote:
some ...words you can use for profit:
division by _zero_, _integer_ overflow, attack _vector_, attack
_vector space_ [1], attack _curve_, attack _surface_, attack
_abelian surface_ [1], attack _group law_ [1] ,
On Sat, May 26, 2012 at 1:32 PM, Gage Bystrom themadichi...@gmail.com wrote:
If you haven't guessed from the replies, there is no such thing as an attack
tree...
The classical method is something along the lines of perform recon,
enumerate, attack, persist/extract data. You react based upon the
On Thu, May 17, 2012 at 5:51 AM, Mike Hearn he...@google.com wrote:
I understand your concerns, however they are not valid.
++
best thread on list all month. :)
now if only Google's two factor auth could use tamper resistant tokens.
i trust my phone even less than my browser... :(
On Sun, Mar 25, 2012 at 7:25 AM, Charlie Derr cd...@simons-rock.edu wrote:
... I always figured attempting to grab things with links or lynx from a
command-line GNU/linux environment ought
to be fairly safe, even for files that I'm pretty certain contain
viral/trojan code
once upon a time
On Sat, Mar 10, 2012 at 12:43 PM, Alberto Fabiano albe...@computer.org wrote:
... C++
isn't the unique language that uses COM, still has a way familiar...
can be another language.
where does the application framework end and the domain specific language begin?
lean event machine for invoking
why did they drop 11 billion lines of code from the open source scan report?
(11.5b 2009 to 0.037b 2011, hard to use 5.x? only 0.06b really
scanned in 2009?)
do any projects publish their fp db?
On Sat, Mar 10, 2012 at 3:36 PM, William Pitcock
neno...@systeminplace.net wrote:
VC++ generates code like this when used with COM. The COM implementation
used on windows is compiler-assisted. Basically to generate assembly like
this, just you know, build code that uses COM (#using, various
2012/3/10 夜神 岩男 supergiantpot...@yahoo.co.jp:
...
From the description, it looks like someone pushed some code from a
Lisp[1] variant (like Common Lisp, which is preprocessed into ANSI C by
GCL, for example, before compilation) into a C++ DLL.
you're hilarious!!
... but keep the day job.
On Sat, Mar 10, 2012 at 8:04 PM, valdis.kletni...@vt.edu wrote:
...
So what you're saying here is that there's a lot of people accepting
security advice and/or software from professionals who wouldn't recognize
a COM object if it came up and bit them on the butt...
c'mon valdis, if anyone
On Sat, Mar 10, 2012 at 8:24 PM, coderman coder...@gmail.com wrote:
everything old is new again, like fashion.
and you can kick it old skewl without {---C000-0046}
;)
On Fri, Feb 24, 2012 at 5:54 AM, not here zpamh...@gmail.com wrote:
-- I'll just pin this here --
http://www.bop.gov/iloc2/InmateFinderServlet?Transaction=NameSearchFirstName=stephenLastName=watt
lol, be careful who you blabla to...
On Wed, Feb 22, 2012 at 7:36 AM, Adam Behnke a...@infosecinstitute.com wrote:
A new write up at InfoSec Institute on circumventing NAT. The process works
in the following way. We assume that both the systems A and B know the IP
address of C.
a new write up? ...
On Fri, Mar 9, 2012 at 6:01 AM, RandallM randa...@fidmail.com wrote:
This list currently has served to xpose and disclose vulnerabilities.
Imagine its possibilities with humans. The talent here is endless.
hard pressed to top the talent of an angry squirrel,
On Tue, Mar 6, 2012 at 1:46 PM, Mark Krenz m...@suso.com wrote:
Title: Gnome terminal, xfce4-terminal, terminator and other libVTE based
terminals write scrollback buffer data to /tmp filesystem
temp data in /tmp ? i'm shocked, SHOCKED!
*cough*
Worst case scenario:
Classified,
On Thu, Feb 23, 2012 at 10:50 AM, Georgi Guninski gunin...@guninski.com wrote:
...
if i understood the paper correctly they broke some rsa keys because
they shared a prime $p$ (the rsa keys are different, shared rsa
keys might be explained by the debian random fiasco or the like bugs).
i
On Tue, Feb 21, 2012 at 2:09 PM, Ramo r...@goodvikings.com wrote:
I'll just leave this here.
http://eprint.iacr.org/2012/064.pdf
anyone who cares about proper key generation uses a hardware entropy
source. they put them in CPUs, they provide them on motherboards. they
make them very high
On Mon, Feb 20, 2012 at 6:04 PM, Jeffrey Walton noloa...@gmail.com wrote:
From the folks at OWASP. Please take a moment to provide feedback if
you have helpful comments.
i see your survey contained many reasons for using virtual patching,
none of which included: Haste: virtual patches can be
On Sat, Jan 28, 2012 at 2:26 PM, valdis.kletni...@vt.edu wrote:
...
For the record, all my media is legitimately acquired,
i once saw Valdis rockin' out with headphones on - volume at 11,
providing an unauthorized, non-personal broadcast of a copyrighted
composition to those nearby.
clearly
On Wed, Jan 25, 2012 at 2:55 AM, Ben Bucksch n...@bucksch.org wrote:
Dear coderman,
posting mails that were explicitly marked offlist on the public list is
no-go.
you must be new around here... why not let everyone learn from your fail?
On Tue, Jan 24, 2012 at 3:47 PM, Ben Bucksch n...@bucksch.org wrote:
...
That is *precisely* what VNC is: an open-source IP KVM.
*precisely* ??
you keep using that word.
i do not think it means what you think it means...
this thread is full of lulz; you newbs might want to check out
Bucksch n...@bucksch.org wrote:
On 25.01.2012 02:05, coderman wrote:
you keep using that word.
i do not think it means what you think it means...
Where else did I use that word?
And what does it mean, in your understanding, that differs from my usage? I
checked the dict and it seems fine.
let
On Thu, Jan 19, 2012 at 7:13 PM, Wesley Kerfoot wja...@gmail.com wrote:
So there I was, innocently posting ... on ... facebook
hey, there's your problem!
friends don't let friends friend whore themselves. friend.
On Thu, Jan 12, 2012 at 1:57 AM, Giles Coochey gi...@coochey.net wrote:
...
If you have been hired by the company in a security capacity
... I've always found that you
are listened to, taken very seriously and usually have a direct route to
the CEO, CIO, COO or the whole board of directors.
On Wed, Jan 11, 2012 at 9:40 AM, Kyle Creyts kyle.cre...@gmail.com wrote:
I would also like to point out that finding the bugs is not the same as
fixing the bugs, and that for all the focus that is placed on finding
them, and lauding the people that do, fixing them is usually pretty
On Sat, Jan 7, 2012 at 12:55 PM, Shyaam Sundhar shy...@gmail.com wrote:
...
why are people sloppy by nature when it comes to
security?
this is like asking for the origin of existence; a mystery to the end!
Why is security still considered as a blanket as opposed to the
core of any system?
On Sat, Dec 31, 2011 at 9:13 PM, R0me0 *** knight@gmail.com wrote:
PROCMAIL!? come on, by some case ... are you a big loosseer !?
c'mon fuckface, classifying your email is internet 101
bitching about the noise is only adding to the noise.. you see the problem?
On Thu, Dec 29, 2011 at 11:24 AM, adam a...@papsy.net wrote:
In any case, the concept is pretty interesting.
data structures exposed to potentially malicious user input. what
could go wrong?
Big-O: a perfect case is not typical.
real-world is sometimes not average.
attacker inputs, they're
On Tue, Dec 27, 2011 at 2:30 PM, Gage Bystrom themadichi...@gmail.com wrote:
... My main criticisms
involved presentation of your work that I believed could wind up coining
useless buzz words, proliferation of bad terminology, and enforcing
incorrect paradigms.
in infosec they call this
On Tue, Dec 27, 2011 at 3:29 PM, syka...@astalavista.com wrote:
Ladies and gentlemen, I will be unplugged from my email until the 17th of
January.
In the meantime here's a video of a bunny opening your mail
http://www.youtube.com/watch?v=LMyaRmTwdKs
...
ah, it's that time of year again.
On Fri, Dec 23, 2011 at 2:27 PM, Forristal, Jeff
jeff.forris...@intel.com wrote:
Folks on this list may be interested in a recent whitepaper talking about
types of attacks that leverage PC hardware to attack local software.
i look forward to the next installment:
'Hardware involved wetware
On Thu, Dec 22, 2011 at 8:08 AM, Christian Sciberras uuf6...@gmail.com wrote:
Since when do hackers write excellent, well performing code?
In fact, quite the opposite, many hacks actively need to crash the browser
to work.
Killing script execution before that overflow happens may unintentionally
On Tue, Dec 20, 2011 at 9:40 AM, Charles Morris cmor...@cs.odu.edu wrote:
I'm curious what everyone's opinion is on the following question...
esp. to any FF dev people on list:
Do you think that the Firefox warning: unresponsive script is meant
as a security feature or a usability feature?
On Sat, Dec 3, 2011 at 4:14 AM, Alan J. Wylie
shyyqvfpybf...@wylie.me.uk wrote:
...
Interesting response from Carrier IQ in a long article on The Register:
http://www.theregister.co.uk/2011/12/02/carrier_iq_interview/
interesting response from FBI in regards to Carrier IQ
On Tue, Dec 13, 2011 at 2:50 PM, Ivan .Heca ivan...@gmail.com wrote:
http://www.gizmodo.com.au/2011/12/carrier-iq-explains-what-it-does-with-your-data/
These logs [full debug, keylogging, etc.] are generated on phones sold
with the Carrier IQ program preloaded but the company says it’s
working
On Sat, Dec 3, 2011 at 4:14 AM, Alan J. Wylie
shyyqvfpybf...@wylie.me.uk wrote:
...
| Yes, Carrier IQ is a vast digital fishing net that sees geographic
| locations and the contents of text messages and search queries
| swimming inside the phones the software monitors.. But except
| in rare
On Wed, Nov 30, 2011 at 1:30 PM, Adam Behnke a...@infosecinstitute.com wrote:
Hello full disclosureites, a new tutorial is available at InfoSec Institute
...
Your thoughts?
who was this content plagiarized from?
On Wed, Nov 9, 2011 at 11:25 AM, Sam Johnston s...@samj.net wrote:
Apologies for the HTML — too many inline links
the cool thing about plain text email: it can often prune those
annoying markup links!
it is cooler than a google barrel roll... try it
On Wed, Nov 2, 2011 at 2:07 PM, coderman coder...@gmail.com wrote:
...
- cipher suite probing to find un-accelerated suites or more
computationally expensive suites supported by a target.
a nice write up here covering relative costs of some suites, and more
discussion on computation DoS:
http
On Wed, Nov 2, 2011 at 1:21 AM, Marc Heuse m...@mh-sec.de wrote:
...
still you don't need a gpu, even with renegotiation disabled and hardware
acceleration present.
Just don't use openssl (or similar libraries).
indeed.
reminds me of the vanity onion generator shallot. you could do this
with
On Wed, Nov 2, 2011 at 10:04 AM, Tomasz Ostrowski tomet...@gmail.com wrote:
...
Suggested actions for clients
Change a bank, as Citibank is blatantly ignorant about security.
this is good advice for many reasons. citigroup is full of thieves: