Domain: securityfocus.com
Stories and comments across the archive that link to securityfocus.com.
Comments · 2,651
-
Re:Slashdotted already.
-
Meanwhile on Hacker Sports Network...I'm too busy watching the messy fight between Sony's anti-copy DRM rootkit and Blizzard's anti-cheat Warden spyware. Oooh! Did you see that? Pass the popcorn!
200 Quatloos on the non-Windows OS.
-
0.01 EUR/USD/GBP contribution
No words about the text editor choice just like no words about your religion faith.
I don't like dig as well as the old-fashioned nslookup because of the tight coupling with BIND. I prefer the independent host (read chap.3), an historical DNS tool.
Finally, if I'd need to do some tests in TCP/UDP I'd choose either netcat or GNU-netcat.
Of course there is no perfect choice in an absolute sense. I simply have found these tools more effective than the other ones. -
One of the most important things
One of the most important things new in this release is the mmap(2) based malloc(3) implementation. I can't believe the submitter didn't mention it. It has huge implications, in terms of added security and increased code quality overall. Already, important off-by-one bugs have been found and fixed in X.org which had been sitting there un-noticed for years. These bugs could cause the X server to crash on many systems, but OpenBSD exposed them reproducibly so they could be fixed.
Read more about it in this Security Focus article titled Security-related innovation in Unix and in Theo de Raadt's post to misc@. -
Re:The truth
Microsoft doesn't have exclusive rights to software bugs
;-p
Search securityfocus.com for 'gaim' and you find 146 vulnerabilities.
http://www.securityfocus.com/swsearch?sbm=%2F&metaname=alldoc&query=gaim&x=0&y=0
Or there are the amusing ones in the *nix world where there are possible overflow issues with such utilities as 'strings', and of course libraries for reading jpegs.
Hail Computers! Security holes galore. -
Re:Everyone wants to go in that direction.
If I don't buy one of these subscriptions, my software doesn't get bug fixes, security updates, which means it is unfit for further use.
If you want free info on bugs subscribe to bugtraq. I don't know about Redhat or SuSe, but if there's a security bug in mysql it will be reported on bugtraq with work arounds if any or recommendation to upgrade to more recent version. Since moving from Mandriva to Fedora, I don't have any subscriptions or 'club memberships', and don't feel as though I'm missing anything.
-
Re:Who wrote the introduction?
"All I have to say is that you need to read what I said, not what you think I said. Unix has bugs, as does all software. That's why I said Unix was "less buggy" than Windows. Which it is." - by docgnome (868111) on Tuesday October 25, @06:37PM
First of all, on a comparison of ANY/ALL Unix type OS, vs. Windows NT-based ones? Well, here is a great point:
UNIX doesn't do 1/10th of what Windows can, & UNIX also does not run with as much hardware OR, as many softwares, period! Care to debate with me on that?
(The CLOSEST one to Windows here? It's LINUX... but, it lacks vs. Windows in so many areas for versatility?? It's still not there, period... it just does not have as many apps, drivers, & hardwares geared to it as Windows has, there is no commercial motive/impetus for developers to pursue work around it as Windows has, period!)
LASTLY?
This next one from you, heh, it's SO untrue & typical "Pro-Unix/Anti-Microsoft" F.U.D. that you're spouting, it's really typical from folks here @ slashdot from my time here!
So, with your statement of 'Windows being less secure than UNIX'?
(Even BSD variants like OpenBSD/FreeBSD??)
Well, again untrue, & here is why I state that, in a nutshell:
The ONLY type of UNIX that might be something that can outdo it, is BSD's IP stack vs. DDoS/DoS attacks, right out of the box & to how it's setup (the Windows 2000/XP/Server 2003 ip stack).
However, there are hacks for that in the Windows IP stack if you apply them that drop packets that come from the same source BUT do not reply in a timely fashion in an attempt to lockup a system via DDoS/DoS attacks by the OS & IPStack drivers raising their CPU priority in an attempt to compensate using its OWN NATURE AGAINST IT as well as that of the OS also (in OR out of sequence, which is what BSD's ip stack tests for (sequences)) anyways, & drops the connection holding to them via a timeperiod timeout you set!
You can also negate DDoS/DoS attacks on Windows NT-based OS like 2000/XP/Server 2003 as well... but, I do admire what the folks @ BSD type UNIX have done, & how it is described here:
http://www.securityfocus.com/columnists/361
BUT, there are also hacks/measures that NT-based OS users can use to help Win32 OS of the NT-based family as well... I have been using them for years here no less, & they work!
Both types of OS, & most all variants? Can be made VERY secure, or rather, as secure as can be against even DoS/DDoS attacks - IF you know what you're doing &/or where to look on how to do it!
Your point? Negated!
(Here? I set those very hacks via a registry .reg merge file each time I setup a new system in fact, with many other security oriented features - been doing it for YEARS now)
Heck, on that note? Well, & just now only??
Microsoft implements many of these very hacks I mention as well as service cutoffs etc. in the Windows Server 2003 "Security Configuration Wizard" you can run as well...
BY THE WAY/Newsflash - I did read what you wrote, & having a single API is why Windows took over, economically mainly, getting developers is KEY... they made it easy to make a living, train workers quickly via a commonly used @ home OS which is also used in industry/offices as well - they just cannot lose, & it shows!
Again - 90++ % of the world's computers running Win32 based OS (by now, NT-based ones no less) from desktops/laptops to servers cannot be TOO far wrong!
"I'm not disagreeing with you, save on the point that having many different Unix variants is bad." - by docgnome (868111) on Tuesday October 25, @06:37PM
Well, I do think it is "bad", & for whom? Pro-Unix people!
(Again, imo, it is the ONLY reason MS took off like they did, along with their wise planning, but the UNIX folks? Their splitting into tons of diff. variants of UNIX (of which I consider LINUX & BSD -
Re:PHP is great stuff
Dangerous ? no surely not -
Re:Easy prey?
"A law against rootkits would be very problematic. Is VNC a rootkit? If there's a bug in SSH that is exploitable to gain root access I bet it would suddenly fall under the domain of being labeled a rootkit by any law banning them, should the maintainers of SSH be prosecuted because of that?" - by prichardson (603676) on Friday October 21, @06:26AM
You do have a point there... PING is another example as well, & it ships with most OS.
It too, can be used to issue a "ping of death" though iirc, most OS are "proofed" against that now (again, iirc).
I would suppose it comes down to 1 thing as an analog:
"Guns don't kill people, people kill people."
APK
P.S.=> This is the 1 thing that "spooks me" somewhat - these rootkits.
Personally, I don't think the "war on virus" can be won either, but in a way, maybe this is all for the 'good of all' in that it makes the creators of our Operating Systems we use have to work to make them better vs. these things (nuts as they are in virus, worms, & yes rootkits).
On another note:
I took a GOOD read, from the BSD folks the other day, & liked what I saw about how they have created some things in their IP stack that make their OS appear to be FAR better vs. another supposedly "unstoppable" bogus phenomenon out there:
The DDoS/DoS attack!
Take a read -> http://www.securityfocus.com/columnists/361
Microsoft AND the Linux camp could take a play from the OpenBSD/FreeBSD playbook on THAT account imo!
Between that, & heap/stack protection mechanisms in modern OS now being implemented/started? Things are starting to "look up" imo, but still have a ways to go...
In 2003, one of my bosses (not particularly educated or skilled in this field mind you imo) said something that has stuck by me ever since:
"We're still in the 'wild west days' & stone age of the computer/internet age - give it 10 years & watch how much gets better/stronger/faster"
& I agreed. In 15-20 years, I have seen things get SO much better/nicer in the way of computing, that I must agree... apk -
Compatibility?
I wonder how this will work for non-Windows machines trying to gain access?
Somebody mentioned the Cisco Clean Access Agent in a previous post, googling around a bit shows that only Windows is supported for the AV/Patch scan, and this is easily bypassed by changing the User-Agent on the HTTP login page. Details here
Cisco's canned response is to use Nessus to determine the real OS, or write your own plugin. Although windows boxen are probably the most common, and the biggest threat, non-Windows products need some sort of working by-pass that doesn't involve simply spoofing the UA. -
Re:Freedom DOES mean PRIVACY
Ah yes, because the government is soooo good at defending against counterfeiters and unauthorized money.
Enjoy your freedom (when the U.S. Army starts quoting Trotsky, be afraid. Very afraid.)
-
A history of unfavorable gov't security reports
Much of the Federal government has a sub-optimal track record in the security arena. In March of 2004 Rick Forno published an article (with links) that summarized Uncle Sam's security issues:
The farce of federal cybersecurity
(That's the title Rick used, btw.) -
As if users have no responsibility at all?
Bill seems to miss one important problem: When writing general purpose software the developer, software company or distributor has no realistic chance of evaluating the risks involved in the vast number of possible uses.
Nor have they any realistic chance of evaluating how the software will work when other software is installed on the same system. There are simply too many combinations.
Clearly, the second problem can be mitigated by developing applications such that each can run in a separate sandbox, but this is not very efficient.
It is perfectly ok for free software to disclaim any liability - if you don't want to take upon you the responsibility and cost of malfunction, don't use the software.
Commercial products could take some responsibility, but this increases costs. Are customers at all willing to pay that extra cost? I think not, look at the amount of pirate software - people do not consider software of any value at all. It is likely that if vendors take upon them more responsibility for their products costs will go up, sales go down, more pirated and less secure software will appear and we're all worse off.
Just how many do you know who have a fully legal computer with no pirated software at all? (assuming they run windows).
Fact is that the less you are willing to pay the more responsibility you must take yourself. Just like an ordinary insurance: If you don't have it and accident happens, there's only yourself to blame.
Of course, the developer should not take the lack of legal responsibility as a pillow but always do his best, as should anyone else in whatever they do.
But also, the user must take the required time to learn how to use the product correctly and safely. For driving, people are required to take a drivers licence, learn the rules of the road, take courses to stay in control on slippery roads etc.
There is no such requirement for the use of computers, even when these are connected to the internet. People just connect to the internet and of course they crash! And they are not held liable when they unknowingly host a zombie or distribute a virus because of malconfiguration.
Take this story on securityfocus:
http://www.securityfocus.com/infocus/1848 on reducing browser privileges.
As it shows, many problems can be avoided if people use their browser with reduced privileges. Of course, they shouldn't be running as administrator in the first place, but most do of convenience and ignorance.
And what do people do when their computer starts to cause troubles? call a certified professional? or call their neighbours 16 year old for help in exchange for a coke and a pizza? The last! Unlike cars, where people perfectly understand that the car must be repaired by professionals and sent to a biannual check.
It's the consumers that define the market, and if consumers are not willing to pay for extra security, they won't get it, and they have to take the costs of any losses due to software malfunction. -
Re:Instead of protection, how about a better OS?
(Worms for Windows) exist because it is the biggest target
Bah, it's the old Cardboard box vs safe argument... It goes like this: "People who keep their valuables in cardboard boxes are at risk because everyone uses a cardboard box to keep their stuff in. If everyone kept their valuables in safes they would be equally at risk since then safe cracking would become more common place." Nobody can argue that a virus or worm couldn't be written for a Mac or Linux for that matter (just like no safe is uncrackable), what is argued though is that for an equal amount of work expended in securing your Windows machine vs securing virtually anything else you end up a lot more secure system with a non-microsoft product.
So how secure is windows by default with no user intervention? How does a Mac compare? Granted Windows 2000 and XP are a great improvement over the good ol' 9x series but c'mon? How many security products did you have to install on your PC (that it did not come with) in order to get it secured?
Windows may be the biggest target, but it's also the easiest, like breaking into a cardboard box (ok, maybe XP is more like a pressboard box...). At least with other OS's and the speed with which security patches are made available we would see the security bar raised to the point where most malicious folks would just give up while trying to break into them. -
CLiki, ll-discuss, Bugtraq, Practical Common Lisp
While not magazines, I've found these resources to be useful in becoming a better programmer:
CLiki, a programming language blog. Contains lots of stuff on programming languages and paradigms, including debates on merits and disadvantages.
ll-discuss, a mailing list related to programming language concepts. Perhaps most interesting if you're into language implementation, but it's the closest thing to a magazine that I can recommend.
Bugtraq, a (the?) security list. This will teach you what things to avoid; at least, the 3 most common errors.
Practical Common Lisp, a book that basically provides a crash course on Common Lisp. It shows you how things are done in Common Lisp, why they are done that way, and occasionally draws comparisons with other languages, everything including practical examples. It is said that, even if you don't program in Lisp, knowing it makes you a better programmer.
How to Design Programs, a fairly extensive book on program design. I haven't read the whole book, but it seems to both solidly and concisely cover many fundamentals. It uses Scheme for explaining things, but the material applies to other languages just as well. -
Re:My Windows XP has heap protection!
-
Re:Try again - a little snack for a Troll
Well, since you can't spell G-O-O-G-L-E, try this:
http://www.securityfocus.com/columnists/188
Jeez, Mr. Troll, if anyone is washing in Hog water, it's you. Unix machines ARE the army of the Internet and have been since its inception. So, for the sake of efficient distribution of malware, Unix machines should have been the logical target.
Of course, it would be double duty to write viruses for Windows but find a way to distribute them by way of Unix, but, oh wait, this has been done by E-MAIL!! -
Re:The Answer
You're looking at it the wrong way. Computer security by patching is analogous to physical security by gun. It's effective, but it doesn't protect you from the guy that sneaks up on you. Open source only has the advantage of a faster draw.
The power of open source in security really struck me when I read this article the other day: Securing an Unpatchable Webserver. The author's client had a mission-critical web application so tightly coupled to IIS 3.0 that IIS couldn't be upgraded without an expensive rewrite.
Microsoft refused to patch an exploitable hole in 3.0 and insisted on the client upgrading to 4.0 to fix the problem. Long story short, the author modifies open source app "snort" to filter out the exploit and the hogwash IPS is born. All along I'm thinking that if they had been using apache in the first place and ran into a similar problem where an upgrade would break their app, they could have patched just the security hole themselves without affecting any functionality.
I have done this myself when a kernel upgrade broke an application but fixed a security hole. I maintained my own linux kernel for a while with just security patches until the (closed source) app that broke released an upgrade. It took some extra work, but it was the most stable kernel I have ever had.
Open source has the additional advantage of being able to be recompiled to enable more proactive and effective security measures. It is a lot of work initially, but you can eliminate practically all exploits before anyone even knows they exist. You still want to patch because an attempted exploit can kill the server, but at least it won't let an attacker in and you'll know when there is an unpatched exploit in the wild.
-
Re:Answer me this.
So pissed I didn't check my links.
Server logs: 1, 2, 3
ISP logs: 1, 2, 3 related directly to P2P apps
System logs: A textbook on the subject you might like to read, Explanation of how to read a system log -
Re:Answer me this.
No I don't listen to Art Bell. And there are logs on ISP servers, I know because I use them all the time to track down people trying to use my websites as spambots.
. I mean, if there ARE logs on all the ISPs then why AREN'T they being used to catch the criminals using them?
Logs are being used to catch criminals all the time, it's just a little difficult to do it over borders and shit like that. Plus there's a little thing called the Constitution getting in the way here in America. And it's really hard to convict someone of a crime on circumstantial evidence, which is what a server log is considered in a court of law.
. And also, what would these phantom logs contain? Every bit that has ever been downloaded?
Your ISP doesn't have to log every bit that you moved, but it does log what requests you sent where. Then you take that info and go to the IP that you requested data from and check its logs. Guess what, a list of every request ever made by YOUR IP, pointing DIRECTLY to the material. These logs are text files, which are really really small. I have logs of every request going back to 2002 on my webservers at work. I know where they were made from and who referred them.
I can also delete these logs on anytime I want, which is how we save space. After seven years, much like tax records, we assume the log is safe to delete.
Now you think about it, if there were no such thing as a server log, how did the RIAA successfully sue people who downloaded and uploaded copyrighted files? How did they prove it? It must have been my "phantom logs". Jesus man, you have no fucking idea what you're talking about, do you?
The whole point is moot anyways as this whole ignorant rant from you is in response to me proving to you the legal difference between downloading and recording a TV show. You got stuffed on that subject by everyone in here and had to argue something so you could "be right." I tried explaining it to you like an adult, and you still don't get it. I use these damn things every fucking day and yet you tell me they don't exist. I work with people who use these things in a forensic capacity yet you say they can't do it. You are a fucking idiot. And here is your proof:
Server logs: 1, 2, 3
ISP logs: 1, 2, 3 related directly to P2P apps
System logs: A textbook on the subject you might like to read, Explanation of how to read a system log
Don't bother responding, cause I'm going to ignore the shit out of your ignorant ass anyways. Douchebag. -
Re:Compatibility
They "can't"? They have plans to do so in certain situations, whether you think it's a good idea or not.
-
Re:I Hope This Madness Will End Soon
Nobody will ever spend a million bucks to crack DirecTV, because the goal would not be worth the expense. This effectively makes such a proposition impossible.
How much do you think this guy made money by selling cracked DirecTV smart cards? Anyhow, learn to use Google before making such uninformed claims. -
Oh Symantec
Symantec the-company-that-sells-security-software-oriented-to-Microsoft-products says Firefox isn't really that much more secure than IE:
http://software.silicon.com/security/0,39024655,39152423,00.htm
But Symantec the-company-that-sells-security-information (through its controlled company SecurityFocus) says IE 6 SP2 has 57 unpatched vulnerabilities, compared to Firefox's 3:
http://www.securityfocus.com/cgi-bin/index.cgi?l=1&c=12&vendor=Microsoft&version=6.0%20SP2&title=Internet%20Explorer
http://www.securityfocus.com/cgi-bin/index.cgi?l=1&c=12&vendor=Mozilla&version=1.0.6&title=Firefox
http://www.symantec.com/press/2002/n020717.html
Hmm, conflict of interests...? -
Security lessons from Katrina
Talking of infrastructure interdependencies, Security Focus ran this excellent piece by Mark Rasch about the lessons of Katrina for info-sec (OK, a lot of it is about BCP / DR stuff, but it's generalisable to other aspects of the subject IMO.)
In the corporate Security Dept. where I work, we take it in turns to do a short 20min presentation at our weekly meetings - the subject is up to us, but obviously computer security subjects. I did my first one on the Columbia and Challenger shuttle accidents, and the accident enquiry board's reports into each (they're both absolutely fascinating, if you can find the time, highly recommended.) And both accidents have a lot of lessons for security. "Don't use powerpoint to communicate technical information to managers", for starters ;)
Rather to my surprise the feedback was that it was excellent and very interesting... only the second time I'd stood up in front of Powerpoint in my life.
-
Reporting...
I think it's been mentioned before, but it bears repeating...
Mozilla's reporting system is completely open to the public...nothing is really kept "under wraps" when it comes to reported bugs...
Microsoft's reporting system is closed...they sit on exploits that are not "in the wild"...
From Microsoft's own mouth...
In early July 2005, the project discovered its first exploit for a vulnerability that had not been publicly disclosed, the researchers said in the paper. The attack used the JView profiler vulnerability that Microsoft announced later in July. ...Translation...M$ sits on exploits until they know they are in the wild...this we have pretty much expected, but this time we hear it from the horse's mouth so to speak... -
Here's my advice
DO NOT scan/test a company's network without their permission! This is the fast track to a jail cell. Like QuantumG said (albeit a little sarcastically), get a sales manager and expect to pay out a lot of money in advertising.
If you think your post was well composed, I would recommend some English/technical writing classes. If you recognize your post has some grammar problems and you know your writing skills are good, I would not worry about it.
Check out Bruce Schneier, Counterpane Internet Security, or SecurityFocus. Gibson Research Corporation is another site to check out. This is just a start to getting some background on the basics and depth of IT "security".
I would say from the post you are not coming from a security background. Assuming you have an IT Bachelors degree, the minimum I would recommend is for you to study for some basic security certifications (such as the CompTIA Security+ and the MCSE/MCSA: Security on Windows Server 2003 specialization) and take them if you have not already. On top of this, I would recommend doing research into security conferences and possibly even local university classes on IT security (although I recommend these with a grain of salt as there is a lot of variance between the quality and type of information offered currently). There are whole books written on this subject, so visit your local bookstores and research what they have available. My rule of thumb in evaluating books is to see how in depth they get with their subjects. If they just talk in general about their subjects with no specific examples, I typically look for something else (unless it is an introductory book, of course).
Finally, just remember security is different to everyone (even in the business/corporate world). One company might just need you to identify their weak spots, patch them, and setup a plan to make sure they stay patched. Another company might need you to analyze everything from weak spots/patches to physical security of IT assets. Your job as a consultant would be to identify what they need (Business 101).
Hope this helps.
-
Re:[OT]Secunia
there are other sources, SANS, cert, securityfocus, etc... but I like how secunia organizes the data they collect. they have nice easy to edit urls, too. cert's url is insanely long, with numerous 'obscure' variables http://search.cert.org/query.html?rq=0&ht=0&qp=&qs=&qc=&pw=100%25&ws=1&la=&qm=0&st=1&nh=25&lk=1&rf=2&oq=&rq=0&si=1&qt=activex&col=certadv&x=0&y=0
Sans's is just a google interface...
security focus comes up with a lot more stuff including multiple pages of commentary on the same bug etc..
http://securityfocus.com/swsearch?query=activex&sbm=archive%2F1%2F&submit=Search!&metaname=alldoc&sort=swishrank
so, secunia comes up with a nice clean layout of the data that was relevant... I don't see what the AC's gripe over using secunia is other than the fact that it's a company that makes its living off selling a 'solution' for security problems. -
Hardware for P2P User Identification
CacheLogic, the company which did this "comprehensive analysis" of P2P also happens to sell network hardware which does "Deep Packet Inspection" (read the specs on the device here).
Innocuously, the technology can efficiently route packets to ensure better QoS, elimination of network congestion, and even provide cached streaming.
But, one has to wonder if this technology, when used by the likes of the RIAA/MPAA would allow massive consolidation of data on P2P users. The above device specifically analyzes the content of the packet -- it's not a far cry that a company would create software for a device like this, which could automatically detect "flagged" files/hashes, and report them to "copyright owners" who have subscribed to the service. -
Re:Done and...
Another thing that annoys me about this is the coverage of this flaw seems to indicate that this was unpatched for a while. This one is an example http://www.securityfocus.com/news/11308. Yet the original discovery was 9/4/2005 according to Tom Ferris' website http://www.security-protocols.com/advisory/sp-x17-advisory.txt
This bug was found and a work around was provided 6 days later. Is this unreasonable? If a patch were provided a week from now, would that be unreasonable?
I think that full disclosure is good, but giving a reasonable amount of time to patch a flaw is better. If we find out that Tom Ferris provided a patch to Mozilla that they ignored or rejected, then it changes things little, but releasing the vulnerability after 5 days due to a "run-in with Mozilla staff" http://news.com.com/Unpatched+Firefox+flaw+may+expose+users/2100-1002_3-5856201.html does not portray Tom Ferris in a good light. -
Re:Only thing is Apple isnt Microsoft.
How about this article from securityfocus.
Enumerates a number of vulnerabilities in open source components of OS X that Apple took months to ship patches for, after public disclosure of vulnerabilities, and PoC exploits. These are apps that the maintainers had tested and released patches for before the disclosure went public - all Apple had to do was package them up, test them, and publish them.
Another example that the article doesn't mention is the openssh server vulnerabilities from about two years ago - those took something like a month and a half for Apple to patch, by which time exploits were already in the wild. Fortunately, those worms mostly targeted Linux on x86. As you may recall, every Linux and BSD distro (excluding Darwin/OS X of course) had the patch out inside of about a week.
The problem seems to be that Apple is still a "closed source" company, that hasn't realized that it ships an open source product, so it doesn't have the luxury to sit on patches that they used to - they don't get to choose when a MIT Kerberos patch comes out and the associated vulnerability is disclosed - MIT controls that whether they like it or not.
-
A good article
-
Do it yourself then
-
Use a Mac!
"If you're a bad guy and you want to frustrate law enforcement, use a Mac."
-- Dave Thomas, former chief of computer intrusion investigations at FBI headquarters
http://www.securityfocus.com/columnists/215
"Basically, police and government agencies know what to do with seized Windows machines. They can recover whatever information they want, with tools that they've used countless times. The same holds true, but to a lesser degree, for Unix-based machines. But Macs evidently stymie most law enforcement personnel. They just don't know how to recover data on them. So what do they do? By and large, law enforcement personnel in American end up sending impounded Macs needing data recovery to the acknowledged North American Mac experts: the Royal Canadian Mounted Police. Evidently the Mounties have built up a knowledge and technique for Mac forensics that is second to none." -
"you want to frustrate law enforcement, use a Mac"
http://www.theregister.co.uk/2004/01/28/a_visit_from_the_fbi/
A visit from the FBI
By Scott Granneman, SecurityFocus
Published Wednesday 28th January 2004 13:05 GMT
[snip]
I teach technology classes at Washington University in St. Louis, a fact that I mentioned in a column from 22 October 2003 titled, "Joe Average User Is In Trouble". In that column, I talked about the fact that most ordinary computer users have no idea about what security means. They don't practice secure computing because they don't understand what that means. After that column came out, I received a lot of email. One of those emails was from Dave Thomas, former chief of computer intrusion investigations at FBI headquarters, and current Assistant Special Agent in Charge of the St. Louis Division of the FBI.
Dave had this to say: "I have spent a considerable amount in the computer underground and have seen many ways in which clever individuals trick unsuspecting users. I don't think most people have a clue just how bad things are." He then offered to come speak to my students about his experiences.
I did what I think most people would do: I emailed Dave back immediately and we set up a date for his visit to my class.
It's not every day that I have an FBI agent who's also a computer security expert come speak to my class, so I invited other students and friends to come hear him speak. On the night of Dave's talk, we had a nice cross-section of students, friends, and associates in the desks of my room, several of them "computer people," most not.
Dave arrived and set his laptop up, an IBM ThinkPad A31. He didn't connect to the Internet - too dangerous, and against regulations, if I recall - but instead ran his presentation software using movies and videos where others would have actually gone online to demonstrate their points. While he was getting everything ready, I took a look at the first FBI agent I could remember meeting in person.
[snip]
Dave had some surprises up his sleeve as well. You'll remember that I said he was using a ThinkPad (running Windows!). I asked him about that, and he told us that many of the computer security folks back at FBI HQ use Macs running OS X, since those machines can do just about anything: run software for Mac, Unix, or Windows, using either a GUI or the command line. And they're secure out of the box. In the field, however, they don't have as much money to spend, so they have to stretch their dollars by buying WinTel-based hardware. Are you listening, Apple? The FBI wants to buy your stuff. Talk to them!
Dave also had a great quotation for us: "If you're a bad guy and you want to frustrate law enforcement, use a Mac." Basically, police and government agencies know what to do with seized Windows machines. They can recover whatever information they want, with tools that they've used countless times. The same holds true, but to a lesser degree, for Unix-based machines. But Macs evidently stymie most law enforcement personnel. They just don't know how to recover data on them. So what do they do? By and large, law enforcement personnel in America end up sending impounded Macs needing data recovery to the acknowledged North American Mac experts: the Royal Canadian Mounted Police. Evidently the Mounties have built up a knowledge and technique for Mac forensics that is second to none.
[snip] -
.NET vs Java security......???
This is a really blatantly biased study. I wonder where his grant money is coming from.......??? There are some major flaws with his theory....... He is focusing on .NET framework vulnerabilities. Microsoft tries to act as though the languages and .net APIs have had no vulnerabilities. Here are just a few ASP.NET vulnerabilities:
"
1 Microsoft ASP.NET URI Canonicalization Unauthorized Web Access Vulnerability (Vulnerabilities) Rank: 1000 Last modified on: 2004-10-05 18:00:00 MDT URL: http://www.securityfocus.com/bid/11342
2 Microsoft Ships Nimda To Korea in .NET (News) Rank: 952 Last modified on: 2002-06-13 18:00:00 MDT URL: http://www.securityfocus.com/news/480
3 Microsoft ASP.NET StateServer Cookie Handling Buffer Overflow Vulnerability (Vulnerabilities) Rank: 944 Last modified on: 2002-06-05 18:00:00 MDT URL: http://www.securityfocus.com/bid/4958
4 Microsoft Visual Studio .NET Debugger Privilege Enforcement Weakness (Vulnerabilities) Rank: 932 Last modified on: 2004-04-15 18:00:00 MDT URL: http://www.securityfocus.com/bid/10161
5 Microsoft Visual Studio .NET Korean Version Nimda Infected File Vulnerability (Vulnerabilities) Rank: 907 Last modified on: 2002-06-12 18:00:00 MDT URL: http://www.securityfocus.com/bid/5012
6 Microsoft Visual Studio .NET msdds.dll Remote Code Execution Vulnerability (Vulnerabilities) Rank: 885 Last modified on: 2005-08-17 00:00:00 MDT URL: http://www.securityfocus.com/bid/14594
7 Microsoft Visual C++ 7/Visual C++.Net Buffer Overflow Protection Weakness (Vulnerabilities) Rank: 882 Last modified on: 2002-02-13 17:00:00 MST URL: http://www.securityfocus.com/bid/4108
8 Microsoft ASP.NET Unicode Character Conversion Multiple Cross-Site Scripting Vulnerabilities (Vulnerabilities) Rank: 879 Last modified on: 2005-02-15 17:00:00 MST URL: http://www.securityfocus.com/bid/12574
9 Microsoft ASP.NET RPC/Encoded Remote Denial Of Service Vulnerability (Vulnerabilities) Rank: 871 Last modified on: 2005-07-11 18:00:00 MDT URL: http://www.securityfocus.com/bid/14217
10 Microsoft ASP.NET Request Validation Null Byte Filter Bypass Vulnerability (Vulnerabilities) Rank: 871 Last modified on: 2003-09-07 18:00:00 MDT URL: http://www.securityfocus.com/bid/8562
11 Multiple Vulnerabilities found in Microsoft .Net Passport Services Rank: 871 Last modified on: 2003-05-07 18:00:00 MDT URL: http://www.securityfocus.com/archive/82/320989
12 Multiple Vulnerabilities found in Microsoft .Net Passport Services Rank: 871 Last modified on: 2003-05-07 18:00:00 MDT URL: http://www.securityfocus.com/archive/1/320808
"
So the idea that there are no vulnerabilities in .net is bunk at best..... Another problem is that because of the MSDN EULA there has not been any hack challenges or external without Microsoft's permission. A few months ago Windows NT Pro magazine hosted an IIS6 hack challenge and it was mysteriously pulled from their site. I tried contacting them, but they never responded to my questions about the hack challenges. The big issue however is that there are architectural flaws in the Windows architecture Microsoft's Blind Spot (http://news.com.com/2010-1071-831385.html -
Re:How much is spoofed?