Got to love the cock smoking kiddies on this list. So when you say
you do penetration testing does that mean you scan networks with
Nessus and insert your company logo into a report?
Or when you say penetration testing do you mean being fucked in the
ass by a large nigger named bubba
On
mulching my azaleas when you bring them over?
Thanks.
http://iainsidethebeltway.typepad.com
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, May 05, 2006 4:09 PM
To: [EMAIL PROTECTED]
Cc: full-disclosure@lists.grok.org.uk
Subject: RE: [Full-disclosure] MSIE
CERT has more leaks than a whore who has been anally fucked with a
loaded shotgun.
On Mon, 01 May 2006 12:31:50 -0700 [EMAIL PROTECTED] wrote:
On Mon, 01 May 2006 14:51:23 EDT, Tim Bilbro said:
Some have suggested a 'Vulnerability Escrow' A third party that tracks
and holds vulnerability
Gee All this fornication under the command of the king is turning
violent. I don't think the King would approve
[EMAIL PROTECTED] wrote:
CERT has more leaks than a whore who has been anally fucked with a
loaded shotgun.
On Mon, 01 May 2006 12:31:50 -0700 [EMAIL PROTECTED] wrote:
Tim Bilbro wrote:
Setting aside analogies, the questions remain: Does full disclosure make
the IT community as a whole less secure than it otherwise would be?
Is it more dangerous to have a handful of sophisticated blackhats
lurking about with an unknown exploit vs. publishing it for every
Tim Bilbro wrote:
I don't think it is inevitable. Think about browser DoS vulnerabilities.
A stealth blackhat wouldn't bother with that type of exploit. It's
brute force, messy, doesn't get you root and it's trackable to some
degree. But, lesser hackers will immediately adopt exploits that just
Tim Bilbro wrote:
Bkfsec wrote:
...
What you do usually see with full disclosure (likewise with patching),
which is ironically dragged out as an argument against full disclosure,
is that when a flaw is disclosed, you do see script
Oh fuck. I am so motherfucking sorry for my goddamn fucking cunt
mouth language.
Won't happen a fucking again.
On Fri, 28 Apr 2006 05:32:28 -0700 Sol Invictus
[EMAIL PROTECTED] wrote:
[EMAIL PROTECTED] wrote:
[EMAIL PROTECTED]@%!^@ fuck up whiner.
Mr. C.I.S.S.P... Mr. M.C.S.E
What the
On Thu, 27 Apr 2006, Brian Eaton wrote:
Please note that I ask this out of curiosity, and not in an attempt to
be critical. Why not give MSRC a head start of one week?
Because, among other things I've already mentioned, it will in no way
affect when they're going to release a patch. Their
Blah blah blah... shut the fuck up whiner.
Mr. C.I.S.S.P... Mr. M.C.S.E
What the fuck do you know about working with vendors and
vulnerabilities? Jack and shit.. that is what you know.
You want a service.. then fuckin pay for it newb.
On Wed, 26 Apr 2006 08:06:09 -0700 Tim Bilbro
[EMAIL
[EMAIL PROTECTED] wrote:
[EMAIL PROTECTED]@%!^@ fuck up whiner.
Mr. C.I.S.S.P... Mr. M.C.S.E
What the fuck [EMAIL PROTECTED](*%^*(^(*(^*(%^
vulnerabilities? Jack and shit.. that is what you know.
[EMAIL PROTECTED]@#$^%^*$%^(*%e.. then fuckin pay for it newb.
Excuse me but can we watch
On Thu, 27 Apr 2006, Brian Eaton wrote:
Please note that I ask this out of curiosity, and not in an attempt to
be critical. Why not give MSRC a head start of one week?
Michal Zalewski wrote:
Because, among other things I've already mentioned, it will in no way
affect when they're going to
My $0.02, ignore as you see fit.
As a consumer, I prefer (arguably have the right) to know at the earliest
possible opportunity whether a product I am using is flawed. Whether a
medication appears to cause cancer, my car is prone to exploding when rear
ended, or a piece of software is found to
Bravo, ol' chap, Bravo!
Chris Eagle wrote:
My $0.02, ignore as you see fit.
As a consumer, I prefer (arguably have the right) to know at the earliest
possible opportunity whether a product I am using is flawed. Whether a
medication appears to cause cancer, my car is prone to exploding when
My $0.02, ignore as you see fit.
As a consumer, I prefer (arguably have the right) to know at the earliest
possible opportunity whether a product I am using is flawed. Whether a
medication appears to cause cancer, my car is prone to exploding when rear
ended, or a piece of software is found to
On Fri, 28 Apr 2006 20:47:41 BST, Aaron Gray said:
The only thing that I would add that that in an ideal world firstly on
finding a vulnerability that an advisory is made to the product producer
then secondly to the list with an IDS fingerprint SNORT. Then not until a
reasonable time to fix
The only thing that I would add that that in an ideal world firstly on
finding a vulnerability that an advisory is made to the product producer
then secondly to the list with an IDS fingerprint SNORT. Then not until a
reasonable time to fix the vulnerability the proof of concept exploit is
On Wed, 26 Apr 2006, Larry Seltzer wrote:
It wasn't my analogy. I was criticizing it.
Larry,
Sorry if I criticized you undeservedly, then. That exchange of mails was
unclear at best, however. In this particular branch of this (silly)
thread:
1) Tim Bilbro blasted me for disclosing a problem
This is Full-Disclosure if you didn't notice. I personally don't care
about the vendors. I disclose. Going to check the stores can get me
nothing but jail time. But if it's not prohibited by law, hell, I will
disclose such list.
Javor Ninov aka DrFrancky
http://securitydot.net/
Tim Bilbro
On Thu, 27 Apr 2006, Larry Seltzer wrote:
More on this in my column later this morning at
http://security.eweek.com/
Just who does he think he is? [...] Zalewski may think he's some sort
of hero disclosing this information, but his is the act of a vandal. If
it turns out that the bug is
Just who does he think he is? [...] Zalewski may think he's some sort
of hero disclosing this information, but his is the act of a vandal. If
it turns out that the bug is exploitable and abused before it's patched,
then perhaps he'll be proud to be remembered for that.
He is what he
This isn't the whitehat lovers group, anything and everything goes for
Full Disclosure.
Just who does he think he is? [...] Zalewski may think
he's some sort of hero disclosing this information, but his is the act of a
vandal.
No a vandal wouldn't disclose the information, a vandal on the
The funny part about this whole situation is that the people that bashed on MZ never contributed a pea to what he has to this list.
yeah you people should stop whining and start disclosing
On 4/27/06, str0ke [EMAIL PROTECTED] wrote:
This isn't the whitehat lovers group, anything and everything
Subject: RE: [Full-disclosure] MSIE (mshtml.dll) OBJECT tag vulnerability
There aren't people out there looking to exploit the flaws in your car
in order to drive it where they want it to go. It's a lousy analogy.
Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/ http
On Thu, 27 Apr 2006, Tim Bilbro wrote:
There is no question that vendors, particularly Microsoft, have a history
of neglect in this area, and folks have a right to be angry with them.
I'm not angry with Microsoft. It's just a company, and not a particularly
evil one. I simply believe that there
Full Disclosure is a good thing and anyone involved in the security community should be thankful for its existence! If people actually believe that the 0-days posted to this list are all 100% unique all I can say is wow, you're disconnected. Let's pretend for a second that this was never posted
Full Disclosure is a good thing and anyone involved in the security
community should be thankful for its existence! If people actually believe
that the 0-days posted to this list are all 100% unique all I can say is
wow, you're disconnected.
Ditto.
Case study:
At least twice in the
Why didn't I even try, you say? Past experiences of numerous researchers
aside, consider this: Microsoft takes 3-6 months to fix critical but
non-public vulnerabilities in their flagship software (some of these flaws
must've been independently discovered by the rogues, hence putting
customers at
On 4/27/06, Michal Zalewski [EMAIL PROTECTED] wrote:
Why didn't I even try, you say? Past experiences of numerous researchers
aside, consider this: Microsoft takes 3-6 months to fix critical but
non-public vulnerabilities in their flagship software (some of these flaws
must've been
Hi Tim,
Perhaps instead of viewing this as breaking into locked doors and look
at it as consumer product information, such as problems with my
automobile, it would not appear as such a big deal. I like product recalls
and keeping vendors honest. Product safety has improved significantly
On Wed, 26 Apr 2006, Tim Bilbro wrote:
You do a disservice to all IT shops by announcing these vulnerabilities
before contacting the vendor.
How were you impacted? What were your damages? The only loss that could
possibly occur to you or your company was the time you wasted to write
this rant,
Your blog seems to suggest that you are also quite severely mistaken in
regard to my identity.
Secunia did not notify Microsoft ahead of time in order to allow for
them to patch it before it became public. [...] Microsoft chided
Zalewski [from Secunia] for jumping the gun and posting his
On Sun, 23 Apr 2006, Paul Nickerson wrote:
I don't approve of your disclosure practices, Mr. Zalewski
Then follow your own, Paul.
/mz
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and
Perhaps not surprisingly, there appears to be a vulnerability in how
Microsoft Internet Explorer handles (or fails to handle) certain
combinations of nested OBJECT tags. This was tested with MSIE
6.0.2900.2180.xpsp.040806-1825 and mshtml.dll 6.00.2900.2873
xpsp_sp2_gdr.060322-1613.
At
I also remember LSD pesters Microsoft and they were rapidly sold out.
I knew those guys were on something when they created Windows!!! They
had Dealers sell out of LSD ROFLMAO
Sol.
On Sunday 23 April 2006 01:30, Michal Zalewski wrote:
Perhaps not surprisingly, there appears to be a vulnerability in how
Microsoft Internet Explorer handles (or fails to handle) certain
combinations of nested OBJECT tags. This was tested with MSIE
6.0.2900.2180.xpsp.040806-1825 and
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] MSIE (mshtml.dll) OBJECT tag vulnerability
On Sunday 23 April 2006 01:30, Michal Zalewski wrote:
Perhaps not surprisingly, there appears to be a vulnerability in how
Microsoft Internet Explorer handles (or fails to handle) certain
Out of curiosity ... do you approve of your vendors (M$ in this case)
poor coding practices? How about the disclosure practices that THEY use?
Didn't think so...
-KF
Paul Nickerson wrote:
Confirmed on IE 7 beta 2 on Windows XP SP2
For the record, I don't approve of your disclosure
Michal Zalewski wrote:
Perhaps not surprisingly, there appears to be a vulnerability in how
Microsoft Internet Explorer handles (or fails to handle) certain
combinations of nested OBJECT tags. This was tested with MSIE