Hi all,
i've been writing during past week a concept of leak management system
with the following main differences with wikileaks:
* Concentrate on leak amplification to let leaks reach media
* No editing or publishing
* Fully distributed organizations
* Use best of existing anony
Nice recipe to easily end up in a ton of trouble and ridicule.
My 2 cents...
On Wed, Dec 15, 2010 at 10:21 AM, Fabio Pietrosanti (naif) <
li...@infosecurity.ch> wrote:
> Hi all,
>
> i've been writing during past week a concept of leak management system with
> the following main differenc
It's a matter of splitting up responsibility among various players and
distributing almost everything.
With the growing number of improvised leak sites and more to come in
future, most doesn't even have a methodology/risk model or fully
understand the level of risks they are taking.
That's just a
> It's a matter of splitting up responsibility among various players and
> distributing almost everything.
Leaking information is not a game, unlike some kids seem to think.
> With the growing number of improvised leak sites and more to come in
> future, most doesn't even have a methodology/risk
Hi Fabio and others Full-Disclosure readers,
Have you seen how WikiLeaks are editing already released cables?
Seems like WikiLeaks do not believe in Full-Disclosure and WL
"partners" has already created "Ministry of Truth" (from Orwell's
final novel 1984).
For example in http://wikileaks.ch/cabl
On 15/12/10 12.24, Christian Sciberras wrote:
> > Which kind of trouble you refer to? It's nice to ear about understanding
> > and risks analysis on that stuff.
>
> Libel, fraud, sharing of illegal material.
>
> Hey, if you're really intent on going along with this, be my guest.
> I'll be watching
> Not to criticitze you but it seems to me that you have not understood
> which are the differences.
No problem with that. That's part of the point of discussion.
I did understand the differences. The main issue is that "dangerous"
material may be published anonymously without verification or ind
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 15/12/2010 11:34, Fabio Pietrosanti (naif) wrote:
> On 15/12/10 12.24, Christian Sciberras wrote:
>>> Which kind of trouble you refer to? It's nice to ear about understanding
>>> and risks analysis on that stuff.
>>
>> Libel, fraud, sharing of illeg
www.eVuln.com advisory:
BBCode CSS XSS in slickMsg
Summary: http://evuln.com/vulns/162/summary.html
Details: http://evuln.com/vulns/162/description.html
---Summary---
eVuln ID: EV0162
Software: slickMsg
Vendor: n/a
Version: 0.7-alpha
Critical Level: low
Type: Cross Site Scripting
On Wed, Dec 15, 2010 at 4:21 AM, Fabio Pietrosanti (naif)
wrote:
> Hi all,
>
> i've been writing during past week a concept of leak management system with
> the following main differences with wikileaks:
>
> Concentrate on leak amplification to let leaks reach media
> No editing or publishing
> Fu
On 15 December 2010 01:35, musnt live wrote:
> Original e-mail is from Theo DeRaadt
>
> Is my question: "Why is now Theo cower like rat." Is because his
> stance from the beginning: "we is audit everything" for make me
> believe Theo was is also on the payroll. Enjoy everyone.
What is wrong with t
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
___
Mandriva Linux Security Advisory MDVSA-2010:254
http://www.mandriva.com/security/
_
Kingcope, Where is the exploit for this? :P
regards,
--
Nahuel Grisolia - C|EH
Information Security Consultant
Bonsai Information Security Project Leader
http://www.bonsai-sec.com/
(+54-11) 4777-3107
___
Full-Disclosure - We believe in it.
Charter: htt
Dont encourage that weasel.
On Wed, Dec 15, 2010 at 2:33 PM, Nahuel Grisolia wrote:
> Kingcope, Where is the exploit for this? :P
>
> regards,
> --
> Nahuel Grisolia - C|EH
> Information Security Consultant
> Bonsai Information Security Project Leader
> http://www.bonsai-sec.com/
> (+54-11) 4777-
yeah kingc0pe strut your stuff!
u da b0mb!!111
2010/12/15 Benji
> Dont encourage that weasel.
>
>
> On Wed, Dec 15, 2010 at 2:33 PM, Nahuel Grisolia wrote:
>
>> Kingcope, Where is the exploit for this? :P
>>
>> regards,
>> --
>> Nahuel Grisolia - C|EH
>> Information Security Consultant
>> Bonsai
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
> i've been writing during past week a concept of leak management system
Don't people see the irony of systems designed for leaking information
anonymously?
Tillmann
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (GNU/Linux)
iQEcBAEBAgAGBQJNCN
I hate it when some one beats me to a bug report.
https://addons.mozilla.org/en-US/firefox/user/5578717/ (this example
will only work against firefox).
The xss occurs due to no filtering / escaping the display name attribute for a
user.
___
Full-Disclos
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
___
Mandriva Linux Security Advisory MDVSA-2010:255
http://www.mandriva.com/security/
_
On Wed, Dec 15, 2010 at 9:19 AM, John Bond wrote:
> What is wrong with this. The code is audited and for all you know any
> back door which was placed in this code has been found and fixed. It
> would be arrogant and irresponsible for Theo or anyone else to ignore
> a claim of this nature, with
On 12/13/2010 4:27 PM, Ryan Sears wrote:
> Hey Dan,
>
> Freaking THANK YOU first and foremost. I've been waiting for someone to say
> that for days now, and was just about to myself.
> Plain and simple. *THEN* there's people who don't even bother to read that
> "Red Hat does not support Econet
After our Online Binary Planting Exposure Test became defunct as a result of
Microsoft fixing the Windows Address Book binary planting bug, we updated the
test
with two unfixed vulnerabilities. Everyone is welcome to keep testing their
Windows
computers for Internet-based binary planting attacks
On Wed, 15 Dec 2010 12:25:26 EST, musnt live said:
> [musntl...@pizda ~]# gcc -o hakaruski fullnullson.c && ./hakaruski
> [*] Failed to open file descriptors.
'#'. Exploit testing fail.
pgpHly80d0N0r.pgp
Description: PGP signature
___
Full-Disclosure
wooosshhh, right over Vlads head
On Wed, Dec 15, 2010 at 5:35 PM, wrote:
> On Wed, 15 Dec 2010 12:25:26 EST, musnt live said:
>
> > [musntl...@pizda ~]# gcc -o hakaruski fullnullson.c && ./hakaruski
> > [*] Failed to open file descriptors.
>
> '#'. Exploit testing fail.
>
>
On Thu, 2010-12-16 at 02:26 +1100, dave b wrote:
> I hate it when some one beats me to a bug report.
> https://addons.mozilla.org/en-US/firefox/user/5578717/ (this example
> will only work against firefox).
> The xss occurs due to no filtering / escaping the display name attribute for a
> user.
C
On Wed, Dec 15, 2010 at 5:49 PM, Peter Besenbruch wrote:
> On Thu, 2010-12-16 at 02:26 +1100, dave b wrote:
> > I hate it when some one beats me to a bug report.
> > https://addons.mozilla.org/en-US/firefox/user/5578717/ (this example
> > will only work against firefox).
> > The xss occurs due
On Thu, 16 Dec 2010 02:26:57 +1100
dave b wrote:
> I hate it when some one beats me to a bug report.
> https://addons.mozilla.org/en-US/firefox/user/5578717/ (this example
> will only work against firefox).
> The xss occurs due to no filtering / escaping the display name attribute for a
> user.
'Pointter PHP Content Management System' Unauthorized Privilege Escalation
(CVE-2010-4332)
Mark Stanislav - mark.stanis...@gmail.com
I. DESCRIPTION
---
A vulnerability exists in the 'Pointter PHP Content Management System'
authentication system which allows f
'Pointter PHP Micro-Blogging Social Network' Unauthorized Privilege Escalation
(CVE-2010-4333)
Mark Stanislav - mark.stanis...@gmail.com
I. DESCRIPTION
---
A vulnerability exists in the 'Pointter PHP Micro-Blogging Social Network'
authentication system which
On Wed, Dec 15, 2010 at 1:04 PM, Greg Whynott wrote:
> funny...
> 1. you were root when you ran the code! epic elite.
> 2. he said "red hat" NOT redhat based. Redhat has no control over what
> others do to "redhat based" efforts.
Is you must not feed the troll. Is proof this to be work on R
> Have a wonderful rest of the week!
You too!
You guys are awesome and fix things wy to fast.
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia
--On December 14, 2010 8:40:14 PM -0500 b...@fbi.dhs.org wrote:
> Hi,
>
> Has anyone read this yet?
>
> http://www.downspout.org/?q=node/3
>
> Seems IPSEC might have a back door written into it by the FBI?
>
So for 10 years IPSEC has had a backdoor in it and not one person examining
the code has
Please is ignore Schmehl for to he is going senile:
http://www.utdallas.edu/staffcouncil/images/grouppic-05F.jpg
For Theo is technically make fabrication obviously
(http://en.wikipedia.org/wiki/Lie#Fabrication):
Fabrication
A fabrication is a lie told when someone submits a statement as truth,
w
On Dec 15, 2010, at 10:32 AM, Paul Schmehl wrote:
> --On December 14, 2010 8:40:14 PM -0500 b...@fbi.dhs.org wrote:
>>
>> http://www.downspout.org/?q=node/3
>>
>> Seems IPSEC might have a back door written into it by the FBI?
>>
>
> So for 10 years IPSEC has had a backdoor in it and not one p
Hey all,
Lots of interesting points so far. I have to respectfully dis-agree with those
saying 'NO POC, NO FOUL' (or however you put it).
Think carefully about the way in which one would go about back-dooring
something like IPSEC under such a scrupulous public eye. You have *very*
intelligent
The cformsII plugin for WordPress contains a vulnerability within its
Captcha Verification functionality. This vulnerability exists due to an
inherent trust of user controlled input. An attacker could utilise this
vulnerability to completely bypass the captcha security mechanism on any
wordpress fo
On 12/15/2010 01:32 PM, Paul Schmehl wrote:
> --On December 14, 2010 8:40:14 PM -0500 b...@fbi.dhs.org wrote:
> So for 10 years IPSEC has had a backdoor in it and not one person
examining
> the code has noticed it? Or even questioned it? That's a bit hard to
> believe. It's along the same lines
the exploit are in your ass motherfucker !
2010/12/15 Nahuel Grisolia
> Kingcope, Where is the exploit for this? :P
>
> regards,
> --
> Nahuel Grisolia - C|EH
> Information Security Consultant
> Bonsai Information Security Project Leader
> http://www.bonsai-sec.com/
> (+54-11) 4777-3107
>
>
--On December 15, 2010 10:55:39 AM -0800 bk wrote:
>
> On Dec 15, 2010, at 10:32 AM, Paul Schmehl wrote:
>
>> --On December 14, 2010 8:40:14 PM -0500 b...@fbi.dhs.org wrote:
>>>
>>> http://www.downspout.org/?q=node/3
>>>
>>> Seems IPSEC might have a back door written into it by the FBI?
>>>
>>
>>
On 12/15/2010 1:55 PM, bk wrote:
> On Dec 15, 2010, at 10:32 AM, Paul Schmehl wrote:
>
>> --On December 14, 2010 8:40:14 PM -0500 b...@fbi.dhs.org wrote:
>>> http://www.downspout.org/?q=node/3
>>>
>>> Seems IPSEC might have a back door written into it by the FBI?
>>>
>> So for 10 years IPSEC has ha
Hi,
You can get the full manual here: www.osstmm.org
Reports, reviews, and background osstmm info available at
www.infosecisland.com/osstmm.html
Also, mark your calendars because the OSSTMM Forum will be on Feb. 17
to 18 in Barcelona, Spain!
Sincerely,
-pete.
--
Pete Herzog - Managing Direc
> So for 10 years IPSEC has had a backdoor in it and not one person examining
> the code has noticed it? Or even questioned it? That's a bit hard to
> believe.
Yeah, this totally never happens in the FOSS world.
http://www.theregister.co.uk/2009/08/14/critical_linux_bug/
/mz
_
funny...
1. you were root when you ran the code! epic elite.
2. he said "red hat" NOT redhat based. Redhat has no control over what
others do to "redhat based" efforts.
you need more coffee! 8)
-g
musnt live spewed:
[musntl...@pizda ~]# awk '/rel/' /etc/issue
Scientific Linux SL release
On Wed, 15 Dec 2010 12:32:47 CST, Paul Schmehl said:
> So for 10 years IPSEC has had a backdoor in it and not one person examining
> the code has noticed it? Or even questioned it?
Debian/Ubuntu/etc SSL/SSH key vuln FTW. That backdoor with a commit
message of 'shut up valgrind' managed to hide
-g "musnt live" is a parody of "must live"... humor this =)
// rancor
2010/12/15 Greg Whynott
> funny...
> 1. you were root when you ran the code! epic elite.
> 2. he said "red hat" NOT redhat based. Redhat has no control over what
> others do to "redhat based" efforts.
> you need more
использовать свой мозг! Is we think with our brain and ask: "how is
team OpenBSD lying to is public" well then is the proof is in the
каша!
We has OpenBSD tell us:
"We have never allowed US citizens or foreign citizens working in the
US to hack on crypto code"
http://marc.info/?l=openbsd-tech&m=
On Wed, Dec 15, 2010 at 3:22 PM, Theo de Raadt wrote:
>> We has OpenBSD tell us:
>>
>> "We have never allowed US citizens or foreign citizens working in the
>> US to hack on crypto code"
>> http://marc.info/?l=3Dopenbsd-tech&m=3D129237675106730&w=3D2
>
> That statement remains true.
> Our project
ZDI-10-291: Symantec Endpoint Protection Manager Reporting Server fw_charts.php
Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-291
December 15, 2010
-- CVE ID:
CVE-2010-0114
-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)
-- Affected Vendors:
Symantec
-- Aff
2010/12/15 musnt live :
> What is this time to stop the press!
This fake broken English schtick is really stupid and annoying. Knock
it off. In the meantime you are kill filed. I suggest everyone else do
the same as nothing useful has ever come of this person.
BMF
___
In my own opinion, when the code hit the stable release, I doubt that
after the code is audited at 100% unless someone add a new feature to that
part or a bug is found in that code part. All that due to the complexity
to understand the code, all that energy is better invested to make new
features a
On Wed, 15 Dec 2010 10:55:39 -0800 bk wrote
> I call bullshit on all the people claiming this couldn't possibly have
> existed because "anyone can read the source." How many of you understand
> crypto. OK, now how many of you _actually_ understand crypto? And of those,
> how many look at *BSD?
> We has OpenBSD tell us:
>
> "We have never allowed US citizens or foreign citizens working in the
> US to hack on crypto code"
> http://marc.info/?l=3Dopenbsd-tech&m=3D129237675106730&w=3D2
That statement remains true.
IPSEC isn't 100% crypto; it is a complex layered subsystem with many
other
he has some cool root exploits. but you have to run them as root.
On Dec 15, 2010, at 5:00 PM, BMF wrote:
> 2010/12/15 musnt live :
>> What is this time to stop the press!
>
> This fake broken English schtick is really stupid and annoying. Knock
> it off. In the meantime you are kill filed. I s
Theo,
How would one go about getting the code that was worked on at the time? I
don't see it at openbsd.org.
Also, do you have a sense of what other projects used that code?
Presumably at least some of them did audits as well.
LJS
___
Full-Disclosure
i second that...yet we obviously need to figure out better ways to audit the
code...maybe some kind of security-oriented unit-test framework ? ( dont'know
if it exists already, and if it does, maybe that it's already employed for the
OpenBSD project...dunno )
WintermeW
Le 15 déc. 2010 à 20:59
On Wed, Dec 15, 2010 at 3:46 PM, clément Game wrote:
> i second that...yet we obviously need to figure out better ways to audit the
> code...maybe some kind of security-oriented unit-test framework ? ( dont'know
> if it exists already, and if it does, maybe that it's already employed for
> the
On Wed, Dec 15, 2010 at 6:53 PM, Larry Seltzer wrote:
> Theo,
>
> How would one go about getting the code that was worked on at the time? I
> don't see it at openbsd.org.
>
Theo would be is person to ask, he is after all person who is make change:
http://monkey.org/openbsd/archive/source-changes
Out-of-troll-mode;
Although I do see that it is probably all FUD, musnt live makes some valid
points.
At the moment OpenBSD just lost a few (more, if you count cvs's being
rooted) trustworthyness-points, which can only be rectified with an audit of
IPSEC coden (initially). Until this is done, Ope
On 12/15/2010 5:00 PM, BMF wrote:
> 2010/12/15 musnt live :
>> What is this time to stop the press!
>
> This fake broken English schtick is really stupid and annoying. Knock
> it off. In the meantime you are kill filed. I suggest everyone else do
> the same as nothing useful has ever come of this
> Has anyone read this yet?
>
> http://www.downspout.org/?q=node/3
>
> Seems IPSEC might have a back door written into it by the FBI?
>
Surely the thing to do now is not to audit *your own* OpenBSD code, but to
audit the OpenBSD code from about 8 years ago. If there's nothing there,
then the claim
On 16 December 2010 09:50, Larry Seltzer wrote:
>> Has anyone read this yet?
>>
>> http://www.downspout.org/?q=node/3
>>
>> Seems IPSEC might have a back door written into it by the FBI?
>>
> Surely the thing to do now is not to audit *your own* OpenBSD code, but to
> audit the OpenBSD code from a
Ok, so there is suspicion that IPSEC and maybe some related code has
been backdoored. How to validate? We have some smart folks on this
board, what methods do the gurus have to impart to the little people?
We are not stupid either, but sometimes a clue can help a brother
out...
-Rob
On Wed, Dec
On Dec 15, 2010, at 5:23 PM, Graham Gower wrote:
> On 16 December 2010 09:50, Larry Seltzer wrote:
>>> Has anyone read this yet?
>>>
>>> http://www.downspout.org/?q=node/3
>>>
>>> Seems IPSEC might have a back door written into it by the FBI?
>>>
>> Surely the thing to do now is not to audit
On Wed, Dec 15, 2010 at 7:40 PM, Rob Wilcox wrote:
> Ok, so there is suspicion that IPSEC and maybe some related code has
> been backdoored. How to validate? We have some smart folks on this
> board, what methods do the gurus have to impart to the little people?
> We are not stupid either, but s
> sci.crypt would probably be the best place to ask. I imagine there's a
> discussion already, but have not visited lately.
Have you been to the Usenet recently?;-)
/mz
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disc
I've been using Gmail and thought you might like to try it out. Here's an
invitation to create an account.
You're Invited to Gmail!
Rockey Killer has invited you to open a Gmail account.
Gmail is Google's free email service, built on the idea that email can be
intuitive, efficient, and fun. G
On Wed, Dec 15, 2010 at 11:28 PM, Michal Zalewski wrote:
>> sci.crypt would probably be the best place to ask. I imagine there's a
>> discussion already, but have not visited lately.
>
> Have you been to the Usenet recently?;-)
One stop shopping: get your crypto questions answered, pick up a
Rolex
Where we you all those years ago when I was dying for an invite...
On 16 December 2010 15:41, Rockey Killer wrote:
> I've been using Gmail and thought you might like to try it out. Here's an
> invitation to create an account.
>
>
--
Shaineel Singh
e: shain.si...@gmail.com
p: +61 422 921 951
w:
I should have sent the invitation carefully and should not have disturbed
such
a nice mailing list with some stupid invitation .. I apologize .. for that
..
Cheers,
Rockey
On Thu, Dec 16, 2010 at 11:09 AM, Shain Singh wrote:
> Where we you all those years ago when I was dying for an invite..
68 matches
Mail list logo
