Domain: netsys.com
Stories and comments across the archive that link to netsys.com.
Comments · 87
-
Re:Smell
"Who cares? They're all starting to smell the same."
Duh. That's because it's different names for the same people.
If you google It seeks Overall Control you get ISOC.
And only ISOC. I'm sure that's just coincidence.
But, that's the way it's always been.
I really had to laugh at the story about the ITU taking over control of the DNS namespace and IP allocations. Say it doesn't happen. The I* people are in charge. Say it does happen. They all move over there and they are still in charge. That's just what they do.
-
RAR bombs
This is great. They have still not all figured out how to avoid bzip2 bombs, how are they supposed to be able to scan RAR files? I mean, heck, they can't adopt a new compression file every 2 weeks! Oh wait...
-
!!!!!! HE DID IT ON PURPOSE !!!!!!!
...to get the media attention. Read this post of his one month prior to his capture: http://lists.netsys.com/pipermail/full-disclosure/2004-September/026644.html
-
Re:I'd love to see a breakdown of the damages
I get the security holes emailed to me every day and fix them on an ongoing basis. This is a normal course-of-business expense, and charging the expense to someone else is...well...just a little bit gray ethically. NASA should have been fixing their security holes rather than waiting for someone to come along and try to pass the expense off on.
I'm not at all saying the cracker was right to break into NASA's systems. What I am saying is NASA has a responsibility to keep its systems secure, and spend the required $$$ to do so, and they failed. That they failed does not give them the right to charge that expense to the next person to walk through the door.
-
Re:history of linux exploits
Not a website, no specific tracking but at you can be smarter and more prepared than the average bear if you subscribe to some security mailing lists.
Bugtraq mailing list. Not much noise and not Linux specific but good reading.
Full Disclosure mailing list. A lot of noise and higher volume but still has some good information.
-
Full decryption of the shell script
Someone on the full-disclosure has posted a good analysis of what this is. Have a look at this thread.
-
Re:News For Nerds??
If ANYONE here really cares about security they're on Bugtraq anyways.
Except that these days, bugtraq is usually a day behind and seems to think that security news ceases to exist on weekends. Ahh, the beauty of a corporate buy-out.
The Full-Disclosure list is much more timely.
-
How to get "earlier warning"
Much to microsoft's dismay, a work around has been found allowing non-premium customers to get an earlier warning than Microsoft gives to its premium customers, and often an earlier warning than even Microsoft themself has.
Information on this work around is here: http://lists.netsys.com/mailman/listinfo/full-disclosure
-
Re:The Storm Center is excellent
Full Disclosure is my favourite. Their archives even contain traffic from 2005 and 2006. I can read about vulnerabilities full two years before they are discovered.
-
The Storm Center is excellent
One of the first things I check out every day is the Storm Center's diary. Between that, and Microsoft's security page, and SecurityFocus, and Infosecdaily.net, I've got more than enough paranoia (I hope...) to make it through BugTraq and Full Disclosure.
What about the rest of you? What links do you check out, and what am I missing?
-
Re:If it can be done...
Marcus Ranum did NFS over email back in 1995
-
SANS aren't taking this very seriously
http://isc.incidents.org/diary.php?date=2004-08-24
The ISC would like to go out on a limb and predict that the Internet will not vaporize into a cloud of nothingness this Thursday, but if it does, it's been our pleasure to help stave off its inevitable annihilation this long.
See also this VMyths posting to the Full Disclosure mailing list
-
Re:Prior Art?
Lookie Microsoft patented the Shatter/Redux method.
-
Maybe related to this?
mid july or so there were a bunch of random automated-looking and weak looking ssh login attempts all over the place
....
threads on the full disclosure mailing list archives and dslreports forums about that ....
wonder if this is what the topic poster was encountering?
-
Re:BugTraq and NTBugTraq
In addition to BugTraq and NTBugTraq, Full-Disclosure is another excellent vulnerability list, and is always a week or two ahead of the "official" advisories.
For other lists, Fyodor's SecLists.org is the list of security mailing lists.
-
Full-Disclosure
We believe in it.
The signal to noise ratio can get pretty bad at times, but there are always interesting discussions.
The Risks Digest is also pretty interesting.
-
Re:IE Developers
You know, for some reason, I feel bad for the IE Developers, who are probably a bunch of well meaning people that are hampered by upper-management decisions.
No, they are idiots. Remember that simple BMP image buffer over-flow found when the leak of the Windows Source code?
That has nothing to do with upper-management decisions. More like Microsoft's human resources problem of hiring people from good colleges who lack real programming experience.
Sunny Dubey
-
What other programs are vulnerable?
I'm the one who posted this message to Full Disclosure. I was too lazy to test all popular e-mail clients, IM clients, word processors, etc. that run on Windows, so I posted after finding only two vulnerable programs. Who wants to help?
All you have to do is see if your programs accept links to shell:windows\notepad.exe. If clicking the link launches Notepad, it's vulnerable. If there's a warning dialog, it's somewhat vulnerable, depending on the wording of the dialog.
-
Re:April fools joke?
I thought the same when I first read the summary, it's filled with meaningless goop-words. But "China IPV9" does return other hits in Google that lead me to believe this is at least semi-legitimate. See this company, or this powerpoint presentation. Apparently "IPv9", in addition to being used in those April 1st RFCs actually refers to something called TUBA (TCP and UDP with Bigger Addresses), an alternative "big number" addressing protocol to IPv6 that is described in RFC 1347 (see this post for example).
The original RFC is here.
-
incorrect
Soundblaster for E450 Probably where this guy got the idea to begin with.
-
Re:Usability Growing Pains
Whenever I think that, something in Windowsland will get worse. There's a new bug in (fully patched) IE that will let any webpage download and execute arbitrary code on your computer. And it has been used in the wild for quite some time - no hypothetical exploit.
-
Re:Infinite Loop
Follow the link and see it isn't there
Really? I followed the link and it looked just fine to me.
And in the same thread:
And in classic form, Slashdot ran an article about pizza_party at 7:47PM...
http://slashdot.org/article.pl?sid=04/05/07/138238&mode=nocomment
So a bunch of people probably downloaded the vulnerable version...
-
Re:Pizza Party vulnerability
-
Re:Pizza Party vulnerability
LMFAO
The Slashdot worm is propagating lol!
-
Multiple vulnerabilities in 'pizza_party'
Pizza Party, how to get your password stolen by other geeks... Full-Disclosure
-
Pizza Party vulnerability
-
Please learn how to use links.
Please learn how to use links.
<a href="http://lists.netsys.com/pipermail/full-disclosure/2003-October/012809.html">One that got through</a>.
yields: One that got through.
-
Re:Change the problem there's a solution
Cars don't technically need locks... they can "create problems" if you lock your keys in the car. But would you buy a car without locks?
I'd like to quote something I read today on the Full Disclosure mailing list, posted by Cael Abal:
Thank you for giving me the opportunity to propose a new Corollary to Godwin's Law:
As an online security related discussion progresses, the probability of someone making an awkward comparison to the automotive industry approaches one.
-
But they had enough time to find out before!
The timeline of the vulnerability tells us that Microsoft was informed November 12, 2003. Now, they got 4 months to find a patch and release their security bulletin. Couldn't they find out that it was more critical in the 24*30*4 hours before?
From MS04-009:
Reason for Major Revision
Subsequent to the release of this bulletin, it was determined that this vulnerability could also affect users who do not have the "Outlook Today" folder home page as their default home page in Outlook 2002. As a result, Microsoft has re-released this bulletin with a new severity rating of "critical" to reflect the expanded attack vector.
What the heck? Does the severity of a bug depend upon how much people are affected?
Does a local root depend upon the number of people who are potentially affected? Ask someone who has lost money via such a local root.
Another interesting posting is available on full-disclosure mailing list, covering Microsoft's understanding of "security" (the Author, Nick FitzGerald, is a helpful and understanding regular poster on full-disclosure)
-
heya
Ahh the good old days of funny assed spoofs. Too bad the Department of Homeland Sec'll be ready to call you bin Laden for doing this shit nowadays.. My favs: Another FreeBSD Advisory (note comments)
-
Re:It begs the question
Answer: Actually, it did. This is from around 1.0-1.2 IIRC.
http://lists.netsys.com/pipermail/full-disclosure/2002-November/002596.html
Long story short as I remember it (I'm sure there was a Slashdot story, but I can't find it):
Author discovers vulnerabilities, author reports them to Netscape via the bug bounty form. Author waits (4-5 months), vulnerable releases continue to follow. Author gets pissed, publicly discloses them, and his unhappiness at not hearing anything back about his bounty. Author is pointed towards, and files issue(s) in bugzilla. Fixes eventually make their way into 1.0.2 and 1.2.
Crappy code is everywhere you look, and always will be as long as fallible human beings are involved in code creation.
-
Re:The BSDs require GPLed code to develop
yea, and?
those are the only tools in the tree because, like you said, that's all there is. if there were suitable replacements and the replacement effort was worth it, those would be the first to go.
tendra may one day be good, but it's not there yet, nor does it work for all arch(1).
then there is the plan9 toolchain. all ready to go, smokes gcc, but the license isn't quite right. search for theo's thoughts on it on google groups. here's a shortcut to one such discussion
-
Re:NFS client for win! (summary)
Microsoft has had this PC-NFS client out for a while now. I see knowledge base article 324084 was last updated on 6/6/2003 and my MSDN Aug 2002 Unix for Windows Services 3.0 CD included this too.
And seems like cheap options have long been available DOS/Windows NFS clients for a long time. In 1994, this summary mentions XFS (shareware NFS client from Germany, not the SGI filesystem) TSoft and Sun's PC-NFS.
Nowadays you also have at least these options, and you are right, many are not cheap.
- HummingBird $300 My past impressions were always of good quality and features.
- Reflection $88 I know this name.
- ProNFS $40 (shareware?)
- DiskAccess $179
- SuperNFS $160 Found with google.
-
Fuck the corpos!
I was a hacker from 1989 until 1996, when I got a job as a systems administrator. I personally know most of the well-known people from that time period, within and without that scene.
And as far as Kevin goes, he's had a hard time so I forgive him for it. But I am not going to give stories so these corporate bastards can figure out how to keep people out. I am totally down with the grey-hat backlash that has started - people who are connected with the hacker scene and then go work for ISS or @stake or wherever, and make money off of it. Selling out is bad enough, worse is people who were with the hacker community, start working for security companies, and maintain contact with the active hacker community on an active and "professional" basis.
I am totally down with the grey-hat backlash. I see there being two classes - workers and idle heirs. Idle heirs own the majority shares of corporations, thus they control the corporations, thus they control the means of production. I think they have no right to this, and thus I as a worker hacking into a corporate computer am more justified being on there than even another worker following orders from the heir (e.g. working at the company).
I think the fact that hacking machines is a crime is as much bullshit as the fact that more black men in the US go to prison than go to college. Yes, I DO think I have the right to hack anything I want, even if it isn't mine - if you look at say bond ownership in the US, about half is owned by 0.5% of the population, and 90% is owned by the poorest 90% of Americans. I could give a flying fuck about these heirs and what they own. I am for anarchy and anarchism - fuck all authority, workers control the means of production. Parasitism like profits, interest, dividends, rent at an end. Up against the wall motherfuckers, this is a stickup!
There used to be a good web page on the hacker backlash against security BS, but it shut down. Here are some links, maybe the page will pop back up. Or maybe YOU can join the movement.
And here are some links about other topics
And there's lots of good books on how the working class is regularly ripped off by the man. Just remember - people like Paul Krugman are good, but light. Check out the more radical analysis as well. Workers of the world unite! No gods, no masters!
-
Re:Doesn't that just remind you
waiting for it to become so standard
You're forgetting one very big abuse I think microsoft has committed here... they didn't just wait around for FAT to become standard - their monopoly position allowed them to refuse to support any other standard. Being able to read mac disks would be a sellable feature and they should include in the operating system, but they don't have to because they've got a monopoly. So, they've bullied their way into forcing everyone else to support FAT (even solaris!) as a least-common-denominator.
-
Re:The Reason the exploit was made public..
-
Re:Somewhere in Cupertino
They ARE pretty cool.
You can see a review of one of their latest laptops here,
-
ObQuote
"The nice thing about standards is that you have so many to choose from; furthermore, if you do not like any of them, you can just wait for next year's model." - Andrew S. Tanenbaum. Which has been condensed by popular usage into "The nice thing about standards is that there are so many to choose from." (So close, Dr. Tanenbaum, yet so far. ;-) )
---
Doing my part to educate future generations
-
Re:Full disclosure wins
In recent months, I have found Bugtraq to be much less useful than the Full Disclosure mailing list.
-
Theo "RTFM" teh Rat
-
Re:slight clarification
The hack does not write anything to the BIOS chip, but instead uses a buffer overflow in the font handling code to run a hacked BIOS file loaded onto the HDD. The XBox Linux Project has loads of information on this, and other technical information on the XBox (and yes, I did put in the information for my XBox).
This is a more thorough discussion of the specific hack that I was talking about.
-
Re:Can't somebody...
-
A bit off the topic but very interesting
Did anyone notice on the delete any file link that the next topic on that board was about the Half Life 2 source code and how it was actually leaked. http://lists.netsys.com/pipermail/full-disclosure/2003-October/011338.html
Looks like microsoft's flaws are to blame
-
Re:Lack of Apple roadmaps is frustrating
According to this full-disclosure report the recently discovered exploit only affects systems that allow root login, something OS X defaults not to.
The attack makes an enormous amount of ssh connections and attempts various offsets until it finds one that works permitting root login.
So, unless you've explicitly set PermitRootLogin to yes, you're safe, at least for the moment.
-
Re:liar. (other Full-Disclosure archive links)
Can't see anything at the full disclosure mailing list pointing anything serious. Only a priv mail from theo stating the bug doesn't look exploitable for now.
So that must mean that what I read did not exist?
Try here
That is the message that describes that privsep was enabled - a few messages before, the ISP incidents are described.
Do you trust anybody posting something they've heard?
No, and neither should you.
But tell me, why would I deliberately lie?
The guy that started the "new ssh exploit?" thread stated first he knew of an ISP *blocking* sshd traffic (this is far from an exploit).
Yes, that mail states that they are blocking *because* they had several boxes rooted from what *seemed* to be an sshd exploit.
Can you read at all?
So FU** YOU.
Charming.
I am sure that if you could count, you would tell me in how many ways as well.
SO BAD THERE ARE OTHER ARCHIVES AROUND.
*plonk*
I don't know what you are smoking, but I will try to avoid your dealer.
I see *nothing* in what you wrote above, that casts any doubt on the correctness of what I posted. It was doubtful whether privsep would prevent the bug, and I stated that in the post to keep it correct.
What's your point? So far you've called me a liar, become my first slashdot "freak", and blurted all sorts of things about how unfair the world is to you. Why is it that we need to care about your opinions? Do you have an opinion at all? What are you trying to tell us here?
-
Is this a hoax?
I just saw the comment in the nmap article and got worried. A friend online showed me this post..
"I wonder if this is in any way related to an incident I heard about on efnet's #openbsd where someone at a european con (hack the planet?) mentioned that details of a new openssh exploit had been taped to the openbsd tent (on the outside) whilst all the openbsd ppl were inside, drunk? I suppose if there is any merit to that story (and I'd rank it as no more than hearsay myself, but it does paint a good picture of college level kids :) and it was details of some new vulnerability for which there is an exploit then it has been around for a while...assuming, of course, it is the same "bug"."
I haven't seen anywhere else online go nuts, which is usually how people react to SSH exploits. What's going on?
-
Speaking of versions
-
Switching from Ford
This is funny, because I know somebody who's switching FROM Ford:
Okay, now lets make Ford like Microsoft...
My Ford has an oil leak. Ford doesn't call to tell me there's a big problem with oil leaks and a fix is available, but I find out from a guy on the Internet that they will fix it for free. I get my car back home from the shop and the next day there's oil all over the floor. I call Ford and they tell me they'll fix it next week.
A month later a repair is available. On the way home from the shop I crash into a tree because the oil leak fix conflicted with the brake system. Ford says, yeah, that's been happening... there should be a fix for the fix next week. I spend more than the car is worth rebuilding it, (Ford said I should have test driven it before I drove it home.) but can't really drive it safely until the fixed fix is available. I get home from the shop without getting in an accident (after the fixed fix) and as I pull into my driveway my neighbor says, Hey bill, did you know you've got a pretty bad oil leak? Disgusted, I take my Ford to the dealer and want to buy another car, preferably non Ford. He informs me that all the dealers in the area carry only Fords. But, he says, the newest, fanciest, most expensive Ford has been completely redesigned and is guaranteed not to have oil leaks.
Without much choice, I tell the dealer I'll take the new Ford and would like to trade in my old Ford. He informs me the old one isn't worth anything, but for a few dollars off he can give me an upgrade. I just have to keep my old Ford at home and every time I want to start the engine of my new Ford, I have to put the key in the old one first. This works okay for awhile. (Although I have to have the new Ford rebuilt as well because I'm T-boned by a guy in an older Ford that just repaired his oil leak.) A little bit later I come out and my new Ford has an oil leak!
I call Ford and they tell me there will be a fix next week. The fix is available in a couple of months and I take it in for repair. Remembering my brake incident, I stomp on the brakes several times hard, check the lights, washers and air bag. It all works well. I try to drive home but can't get there because the interstate is blocked with leaky Fords that have been T-boned by leaky Fords with bad brakes. I try to pass the time by listening to the radio... but it doesn't work any more. Since I can't get home, I head back to the dealer to complain about the radio. They tell me they can get the radio working but the "work-around" will kill my rear defogger. If I wait another 6 months though, a new model is being released that won't have oil, brake or radio problems...
I get angry and drive out of town to a dealership I heard about that can supply me with a custom configured *NIX Automobile. The dealer is cool but the new *NIX is way harder to drive than the Ford. I like it though and decide to buy one. Unfortunately, there is some kind of law or agreement that says I have to pay for a Ford (even though I don't get it) as well as a fee to have my new *NIX setup and delivered.
At this point I give up with the dealers, go buy the book "Rebuilding your Ford into a *NIX in 21 days", do so, and live happily ever after. ( Later, I have a good laugh when a Ford rep comes on TV and tells the world that the latest Ford fiasco could have been avoided if all owners would just give a spare set of house keys to them so they could come in whenever they want and work on them when the owners aren't around. )
http://lists.netsys.com/pipermail/full-disclosure/2003-September/009561.html
-
Re:Idiots.
True, there always seem to be things that could have been done better.
But, in the case of SoBig, there were several variants, accounting for more than the original 20 addresses which some people overlooked.
-
Comparable to Xbox hack
This provides to PS2 what has existed for the X-box for a while now. It was mentioned on slashdot and allows the X-box to run unsigned code after some preparation.
It replaces some font files (which are not checksummed) with ones that use an exploit in X-box firmware.