_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



 
Re: [Full-Disclosure] If Lycos can attack spammer sites, can we all start doing it?

Valdis.Kletnieksvt.edu
Date: Thu Dec 02 2004 - 11:29:53 CST


On Thu, 02 Dec 2004 08:57:24 GMT, Adam Challis said:

> Being based in Germany, wouldn't they be subject to German and EU law?

That's a minor factual detail, and we care somewhere between diddly and squat
regarding the facts of the case. ;)

The US government of late has shown little moral or ethical qualms about
imposing its law and morality on people and actions in other sovereign states,
while reserving its right to pick-and-choose regarding its own behavior.

Remember, we're the bunch that detained a lot of people for things they did
in their own country to repel an invading army (namely, us), and then stuffed
them into Guantanamo Bay so that we wouldn't have to actually accord them
their Geneva Convention rights as prisoners-of-war. We've also seen fit to
skip the whole idea of "habeas corpus" for our *own* citizens (see "Hamdi v.
Rumsfeld" and "Rumsfeld v. Padilla") and even the concept that you should be
allowed to know what law you're violating (see "Gilmore v. Ashcroft").

So be afraid. Be very afraid....

(OK, you can have the soapbox back now... ;)



 
Re: [Full-Disclosure] If Lycos can attack spammer sites, can we all start doing it?

From: Jason Coombs (jasoncscience.org)
Date: Thu Dec 02 2004 - 13:10:49 CST


Are we forgetting that there is no such thing as software product liability?

Look at the EULA for the Lycos screen saver.

Even without explicit language in the EULA, Lycos is just a software maker in this case. It is the end user who is guilty of an abusive attack -- if anyone is. The rate limit per client is set to prevent a single client from crossing the attack threshold, so this could be the first test of product liability for the intentional creation of zombie armies.

Microsoft, Symantec, and other vendors of products that auto-update have been in control of zombie armies for many years, with periodic DoS of the zombies, but as of yet no known external impact. Lycos is the first, and they are pioneering an odd precedent.

More proof that the nature of capitalism is that anything that can be done that might be profitable eventually will be done. This does not bode well for nanotechnology and genetic engineering.

Jason Coombs
jasoncscience.org

-----Original Message-----
From: Kyle Maxwell <krmaxwellgmail.com>
Date: Thu, 2 Dec 2004 08:48:18
To:n3td3v <xploitablegmail.com>
Cc:full-disclosurelists.netsys.com
Subject: Re: [Full-Disclosure] If Lycos can attack spammer sites, can we all start doing it?

On Thu, 2 Dec 2004 03:47:06 +0000, n3td3v <xploitablegmail.com> wrote:
> Thought:
> Hey, thanks for the insight. I can't see Lycos introducing the
> screensaver without talking with legal teams first, so surely we can
> presume everything is legal and above board?! Otherwise, why would
> Lycos want to put themselves in a legal tangle? Unless they weighed up
> the legal costs against the profit they would make from the PR stunt,
> from which all I can see, is all this whole thing appears to be.

It's entirely possible that their lawyers cleared it but that doesn't
necessarily make it really above board; if lawyers always agreed on
what was allowed, we wouldn't have so many corporate lawsuits. :) They
may be standing on the principle of "these are just a bunch of website
visits" without taking into account the fact that there's a stated
intent beyond just visiting the sites.

This is probably going to get a lot messier for Lycos before it's all over.

--
Kyle Maxwell
[krmaxwellgmail.com]



 
Re: [Full-Disclosure] If Lycos can attack spammer sites, can we all start doing it?

From: KrispyKringle (krispykringlegmail.com)
Date: Thu Dec 02 2004 - 12:20:03 CST


Valdis.Kletnieksvt.edu wrote:
> That's a minor factual detail, and we care somewhere between diddly and squat
> regarding the facts of the case. ;)

I didn't know they were based in Germany.

> The US government of late has shown little moral or ethical qualms about
> imposing its law and morality on people and actions in other sovereign states,
> while reserving its right to pick-and-choose regarding its own behavior.
>
> Remember, we're the bunch that detained a lot of people for things they did
> in their own country to repel an invading army (namely, us), and then stuffed
> them into Guantanamo Bay so that we wouldn't have to actually accord them
> their Geneva Convention rights as prisoners-of-war. We've also seen fit to
> skip the whole idea of "habeas corpus" for our *own* citizens (see "Hamdi v.
> Rumsfeld" and "Rumsfeld v. Padilla") and even the concept that you should be
> allowed to know what law you're violating (see "Gilmore v. Ashcroft").
>
> So be afraid. Be very afraid....
>
> (OK, you can have the soapbox back now... ;)

Actually, many countries, I believe, recognize the right of citizens to
sue foreign entities, whose in-country assets can then be seized.

But yeah, don't talk to me about Guantanamo. Today I happen to be
wearing my nice anti-Bush t-shirt ;)



 
Re: [Full-Disclosure] overburning edit of molded cdroms feasible?

From: Steve Kudlak (chromazinesbcglobal.net)
Date: Thu Dec 02 2004 - 12:41:47 CST


Saber Taylor wrote:

>Saber Taylor wrote:
>
>
>>>Scenario: chinese agent buys molded cdroms from
>>>
>>>
>[...]
>Phillip Paradis wrote:
>
>
>>1. Recording data on a pressed CD is physically
>>
>>
>[...]
>
>
>>2. Most retailers will not accept opened software,
>>movies, cassettes,
>>
>>
>
>I was cheating here a little bit in my discussion
>bait. Gosh though, I can see how these lists draw
>people in to talking about locksmith type of ideas.
>
>China has lots of bootleg pressed cdrom factories so I
>doubt they are hideously difficult to utilize if an
>organization has access to them. But otherwise
>morning_wood trumped my idea.
>
>On the second matter, a friend-of-a-friend several
>years ago obtained a shrinkwrap machine (which he used
>for nefarious porpoises to his heart's delight). The
>card board tear-off seals on some cdrom envelopes may
>be more tamper resistant, but most customers wouldn't
>notice if Badguy replaced them with a more generic
>envelope (inside the shrinkwrapped box).
>
>
>S. Taylor
>
Did you actually know the FOAF (Friend Of A Friend) as usually a
FOAF story is of the urban legend variety. I mean I guess one could sell
lots "X" out of a POBX, if it was enticing it might attract people, like a
CD of stills from the Pamela and Tommy movie or a DVD of such a
have no product in it. But that is a way to get oneself into a lot of
trouble because one needs a bank account to cash checks and usually banks
will not immediately credit checks from distant places but will hold them
until they clear. This makes the cut and run type capers kind of difficult.

Yeah well to do security stuff one has to think both ways. For example
I should at least my theory by sending in a well dressed friend with some
money and seeing if they could open an account with a borrowed $10,000.00
which would be removed a week later, actually that might work if one had
someone to loan one $10,000 to get around the immediate credit problem.
But still this is difficult as banks usually like large depositors. I
wonder how paranoid they get if one deposits cash these days. I don't know
anyone I can borrow $100,000.00 from to go to banks and try opening accounts
and seeing how spooked they get. I know the bank in West Virginia was
paranoid even though they knew me. They seem less so in California.

These questions are intriguing because they deal with how do people do
these things. I mean Tom Clancy novels are full of things where people hide
their nefarious activities acting perfectly normal. I always wondered what
happened if one were perfectly normally going around and depositing cash.
For awhile I handled considerable amounts of cash, but it was at a bank
that knew me.

Have Fun,
Sends Steve



 
Re: [Full-Disclosure] If Lycos can attack spammer sites, can we all start doing it?

From: bkfsec (bkfsecsdf.lonestar.org)
Date: Thu Dec 02 2004 - 12:40:38 CST


Adam Challis wrote:

> >The Computer Fraud and Abuse Act
> (_http://www.usdoj.gov/criminal/cybercrime/1030_new.html_).
>
> Being based in Germany, wouldn't they be subject to German and EU law?
>
> Does anybody know which German and EU laws are relevant to MLNS?
>
> Adam
>

IANAL, but my understanding is that some of these laws may be
"exportable" via treaty. I have no idea if our treaties with Germany
make such a stipulation. It's just a factor to think about here.

          -Barry



 
[Full-Disclosure] Multiple vulnerabilities in Kreed 1.05

From: Luigi Auriemma (aluigiautistici.org)
Date: Thu Dec 02 2004 - 13:44:03 CST


#######################################################################

                             Luigi Auriemma

Application: Kreed
              http://www.kreed3d.com
Versions: <= 1.05
Platforms: Windows
Bugs: A] in-game format string
              B] forced exit caused by "message too long"
              C] server temporarily frozen by script errors
Exploitation: remote, versus server
Date: 02 December 2004
Author: Luigi Auriemma
              e-mail: aluigialtervista.org
              web: http://aluigi.altervista.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Kreed is an FPS game developed by Burut (http://www.burut.ru) and
released in August 2003.

#######################################################################

=======
2) Bugs
=======

------------------------
A] in-game format string
------------------------

An attacker can exploit a format string bug in the server using a
nickname or sending a message containing format arguments like the
classical %n%n%n.

-------------------------------------------
B] forced exit caused by "message too long"
-------------------------------------------

An attacker can force the server to exit simply by sending a UDP
packet of 1401 or more bytes. That causes a "message too long" socket
error in the server, which handles it as critical.

---------------------------------------------
C] server temporarily frozen by script errors
---------------------------------------------

Some errors in the scripts used by the server to handle the players are
the cause of this third bug.
If an attacker uses a very long nickname or model type, some consecutive
dialog boxes reporting script errors will appear on the server.
The problem is that the server is completely frozen while the dialogs
stay on the screen, and the game returns to normal only when the admin
removes them.

#######################################################################

===========
3) The Code
===========

http://aluigi.altervista.org/poc/kreedexec.zip

#######################################################################

======
4) Fix
======

No fix.
No reply from the vendor.

#######################################################################

---
Luigi Auriemma
http://aluigi.altervista.org
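
Bugs A, B and C above, seen from the server author's side, as an added example that is not Kreed's code and not part of the original advisory: the format string kept constant, the nickname bounded, and a peer-induced receive error dropped instead of treated as critical. The function names, the 32-character nickname cap and the 1400-byte limit (inferred from the advisory's 1401-byte figure) are assumptions; the numeric codes are the Winsock values for WSAEMSGSIZE, WSAECONNRESET and WSAEWOULDBLOCK.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* All names and limits here are assumptions made for this example. */
#define MAX_NICK         32     /* assumed nickname cap */
#define MAX_DATAGRAM     1400   /* inferred: 1401 or more bytes triggers bug B */
#define ERR_WOULD_BLOCK  10035  /* Winsock WSAEWOULDBLOCK */
#define ERR_MSG_TOO_LONG 10040  /* Winsock WSAEMSGSIZE, "Message too long" */
#define ERR_CONN_RESET   10054  /* Winsock WSAECONNRESET */

enum pkt_action { PKT_PROCESS, PKT_DROP, PKT_RETRY, PKT_FATAL };

/*
 * Bug A. Vulnerable pattern (comment only, never compiled):
 *     snprintf(line, sizeof line, player_text);
 * Hardened form: the format is a constant and player text is only ever an
 * argument, so "%n" in a nickname or message is copied as plain characters.
 * Returns 0 on success, -1 on bad arguments or if the line does not fit.
 */
int format_chat_line(char *out, size_t outsz, const char *nick, const char *msg)
{
    int n;

    if (out == NULL || outsz == 0 || nick == NULL || msg == NULL)
        return -1;
    n = snprintf(out, outsz, "<%.*s> %s", MAX_NICK, nick, msg);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';              /* never pass a truncated line onward */
        return -1;
    }
    return 0;
}

/* Detection aid for logs: count conversion directives ("%%" is a literal). */
int count_format_directives(const char *s)
{
    int count = 0;

    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {          /* escaped percent sign, skip both */
            s++;
            continue;
        }
        if (s[1] != '\0')
            count++;
    }
    return count;
}

/* Bug C: bound and filter the nickname before scripts or UI code see it. */
int nick_is_acceptable(const char *nick)
{
    size_t i;

    if (nick == NULL || nick[0] == '\0')
        return 0;
    for (i = 0; nick[i] != '\0'; i++) {
        unsigned char c = (unsigned char)nick[i];
        if (i >= MAX_NICK || c < 0x20 || c == 0x7f)
            return 0;               /* too long or contains control bytes */
    }
    return 1;
}

/*
 * Bug B: classify one UDP receive. `ret` is the receive call's return value,
 * `err` the socket error code when ret < 0. Anything a remote peer can
 * trigger is dropped and counted; only local failures stop the server.
 */
enum pkt_action classify_recv(long ret, int err)
{
    if (ret >= 0)
        return (ret > MAX_DATAGRAM) ? PKT_DROP : PKT_PROCESS;
    if (err == ERR_MSG_TOO_LONG || err == ERR_CONN_RESET)
        return PKT_DROP;
    if (err == ERR_WOULD_BLOCK)
        return PKT_RETRY;
    return PKT_FATAL;
}

int main(void)
{
    char line[96];

    /* Constructed inputs: a nickname made of format directives. */
    if (format_chat_line(line, sizeof line, "%n%n%n", "hi") == 0)
        printf("%s (directives in nick: %d)\n", line,
               count_format_directives("%n%n%n"));
    printf("oversized datagram -> action %d\n",
           (int)classify_recv(-1, ERR_MSG_TOO_LONG));
    return 0;
}
```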



 
Re: [Full-Disclosure] RE: Isecom.org ideahamster.org and the hackerhighschool.org

robertdyadsecurity.com
Date: Thu Dec 02 2004 - 14:00:37 CST


your_mommahushmail.com (your_mommahushmail.com) Thu, Dec 02, 2004 at 09:34:41AM -0800:
> is that,, (IMHO) an sql injection flaw on a SECURITY SOFTWARE YOU
> RELEASED?

Just try getting alicorn installed, I dare you :). Alicorn doesn't work
yet. Maybe this Friday's release will. The release you looked at was a
prelim devel release that was noted to have security issues. Don't act
like you're doing anyone any favors by pointing out something that was
already documented to be true.

> SO, IT SEEMS YOU DON'T UNDERSTAND SECURITY, NEITHER SECURE
> DEVELOPMENT and all that you could offer us is "if you truely want
> security, please use selinux"????

It is inevitable that software modules will have mistakes. The
unicornscan code is actually pretty well written from a security
perspective, but I'm sure it will be shown to have a problem somewhere
someday... though I notice you didn't bother to find one yet. If you
do, please share. I am a fan of full disclosure as a rule ;).

The real take away here though is that if you run software in a
Discretionary Access Control model, you have no inherent security
assurances. This is why we recommend using SE Linux, so you can enforce
what the software is allowed to do in case it comes to light that there
was a mistake made in the software module.

> So you want war.. you'll have war.

I don't want a war. To be honest, I've always thought you guys were
pretty funny, if not a bit on the childish side. I appreciate your
humor. What is annoying though is after I tried to reach out and make
the peace with you, you've decided to resort to baseless personal
attacks.

> a little retard, you know.. another script kiddie that broke isecom
> b0x.

Heh .. I hate the term script kiddie. It's overused and is most
commonly used by people who aren't technical enough to be throwing
around comments like that. Granted you didn't get root on the box...
but that wasn't your point. Your point was to deliver a political blow
against ISECOM by making it seem as though you fully compromised the
website. That's actually a brilliant social hack, and I can appreciate
that even if the technical details of the hack were a bit lame :).

In closing .. I mean you no harm. Please move on. It will only get
ugly from here on.

Sincerely,

Robert

--
Robert E. Lee
CTO, Dyad Security, Inc.
W - http://www.dyadsecurity.com
E - robertdyadsecurity.com
M - (949) 394-2033



 
Re: [Full-Disclosure] If Lycos can attack spammer sites, can we all start doing it?

From: James Tucker (jftuckergmail.com)
Date: Thu Dec 02 2004 - 13:40:20 CST


I would feel very sorry for the small time ISPs being DoS'd off the
planet by some of the potential "attack backs" that could be generated
by such an idea. DoS wars are not a good way to fight spam. Judgement
of the receiver's total bandwidth capability is difficult to impossible
to accurately judge (assuming that they could simply code modulated
response delays in to throw off the attack scheme). Thus all that
could result of this is DoS attacks, not a guaranteed "slow down" as is
described.

It is not just volume to the site that will be generated either,
remember you are loading up every router along the way.

On Thu, 2 Dec 2004 02:37:48 +0000, n3td3v <xploitablegmail.com> wrote:
> If Lycos EU is going to go legally unchallenged, can we all start
> attacking sites which send unsolicited mail to a non-lycos mailbox. As
> long as we can prove the mail is actually spam. This isn't as hard as
> you may imagine. All you need to do is for example, check Yahoo's or
> Gmail's spam folder, and the mails in that must hold some legal
> justification as being spam on Gmail or Yahoo (because Yahoo and Gmail
> use elite spam filters), making it justified as spam and therefore
> would give someone legal permission (because yahoo and gmail spam
> filters are pretty trustworthy) to attack the spammers site, which the
> spammed mail was trying to ask you to visit. One could even code a
> program to keep checking the Gmail or Yahoo spam folder for new spam
> to add to the attack list. As long as one doesn't make the spammers
> site unreachable, but if you slow it down, so it takes ages for
> legitimate users to browse it, it must be ok, because thats what Lycos
> EU is doing legally unchallenged.
>
> Could botnets actually become legal, as long as they only attack
> unsolicited mail, which Yahoo and Gmail and other non-lycos providers
> have marked as spam.
>
> The possibilities are endless.


 
RE: [Full-Disclosure] Official IFRAME patch - make sure it installs correctly

From: Nick FitzGerald (nickvirus-l.demon.co.uk)
Date: Thu Dec 02 2004 - 14:18:17 CST


Todd Towles wrote:

> As stated in the FAQ of the patch page. It would appear the new baseline
> for all future patches will be SP1 unless they decided to change it.

"New"?

There is nothing new about this. It has been standard MS policy for
many years now to only support the two most recent "releases" of an OS,
thus when Gold and SP1 are the only versions, "all versions" are
supported, but once SP2 ships, the Gold release for that OS drops off
the supported list.

There is nothing new about this at all.

Regards,

Nick FitzGerald



 
[Full-Disclosure] Amazon security contact

From: sp3ctacle 3 (sp3ctaclegmail.com)
Date: Thu Dec 02 2004 - 13:57:12 CST


Someone asked what the official security contact at Amazon was. Here it is.

securityamazon.com

The Sp3ctacle



 
[Full-Disclosure] Re: Full-Disclosure digest, Vol 1 #2093 - 36 msgs

From: Randall Craig (rgcraiggmail.com)
Date: Thu Dec 02 2004 - 13:32:54 CST


On Thu, 2 Dec 2004 10:58:02 -0600, Randall Craig <rgcraiggmail.com> wrote:
 Ok I am super duper new to this list and also new to *nix... i will
 never go back to M$ ceptin for gaming purposes... I am running on OS
 X.3.3 and was wanting to know if the Security Alert pertaining to
 FreeBSD would also affect my system. I know that BSD is running
 underneath OS X... I am fairly sure that Apple is aware of it by
 now-.
 thnx
 
 n0 r3m0r53
 
###############

FreeBSD-SA-04:17.procfs                                     Security Advisory
                                                         The FreeBSD Project

Topic:          Kernel memory disclosure in procfs and linprocfs

Category:       core
Module:         sys
Announced:      2004-12-01
Credits:        Bryan Fulton, Ted Unangst, and the SWAT analysis tool
               Coverity, Inc.
Affects:        All FreeBSD releases
Corrected:      2004-12-01 21:33:35 UTC (RELENG_5, 5.3-STABLE)
               2004-12-01 21:34:23 UTC (RELENG_5_3, 5.3-RELEASE-p2)
               2004-12-01 21:34:43 UTC (RELENG_5_2, 5.2.1-RELEASE-p13)
               2004-12-01 21:33:57 UTC (RELENG_4, 4.10-STABLE)
               2004-12-01 21:35:10 UTC (RELENG_4_10, 4.10-RELEASE-p5)
               2004-12-01 21:35:57 UTC (RELENG_4_8, 4.8-RELEASE-p27)
CVE Name:       CAN-2004-1066

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.

I.   Background

The process file system, procfs(5), implements a view of the system
process table inside the file system.  It is normally mounted on
/proc, and is required for the complete operation of programs such as
ps(1) and w(1).

The Linux process file system, linprocfs(5), emulates a subset of
Linux's process file system and is required for the complete operation
of some Linux binaries.

II.  Problem Description

The implementation of the /proc/curproc/cmdline pseudofile in the procfs(5)
file system on FreeBSD 4.x and 5.x, and of the /proc/self/cmdline
pseudofile in the linprocfs(5) file system on FreeBSD 5.x reads a process'
argument vector from the process address space.  During this operation,
a pointer was dereferenced directly without the necessary validation
steps being performed.

III. Impact

A malicious local user could perform a local denial of service attack by
causing a system panic; or he could read parts of kernel memory.  Such
memory might contain sensitive information, such as portions of the file
cache or terminal buffers.  This information might be directly useful, or
it might be leveraged to obtain elevated privileges in some way.  For
example, a terminal buffer might contain a user-entered password.

FreeBSD 4.x does not implement the /proc/self/cmdline pseudofile in
its linprocfs(5) file system, and is therefore only affected if the
procfs(5) file system is mounted.

In its default configuration, FreeBSD 5.x does not utilize procfs(5)
or linprocfs(5) and will therefore be unaffected by this vulnerability
unless the configuration is changed.

IV.  Workaround

Unmount the procfs and linprocfs file systems if they are mounted.
Execute the following command as root:

 umount -A -t procfs,linprocfs

Also, remove or comment out any lines in fstab(5) that reference
`procfs' or `linprocfs', so that they will not be re-mounted at next
reboot.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 4-STABLE or 5-STABLE, or to the
RELENG_5_3, RELENG_5_2, RELENG_4_10, or RELENG_4_8 security branch dated
after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 4.8, 4.10,
5.2, and 5.3 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 4.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:17/procfs4.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:17/procfs4.patch.asc

[FreeBSD 5.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:17/procfs5.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:17/procfs5.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.freebsd.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
 Path
-------------------------------------------------------------------------
RELENG_4
 src/sys/miscfs/procfs/procfs_status.c                          1.20.2.6
RELENG_4_10
 src/UPDATING                                              1.73.2.90.2.6
 src/sys/conf/newvers.sh                                   1.44.2.34.2.7
 src/sys/miscfs/procfs/procfs_status.c                      1.20.2.5.4.1
RELENG_4_8
 src/UPDATING                                             1.73.2.80.2.30
 src/sys/conf/newvers.sh                                  1.44.2.29.2.28
 src/sys/miscfs/procfs/procfs_status.c                      1.20.2.4.8.2
RELENG_5
 src/sys/compat/linprocfs/linprocfs.c                           1.84.2.1
 src/sys/fs/procfs/procfs_status.c                              1.52.2.1
RELENG_5_3
 src/UPDATING                                             1.342.2.13.2.5
 src/sys/compat/linprocfs/linprocfs.c                           1.84.4.1
 src/sys/conf/newvers.sh                                   1.62.2.15.2.7
 src/sys/fs/procfs/procfs_status.c                              1.52.4.1
RELENG_5_2
 src/UPDATING                                                 1.282.2.21
 src/sys/compat/linprocfs/linprocfs.c                           1.78.2.1
 src/sys/conf/newvers.sh                                       1.56.2.20
 src/sys/fs/procfs/procfs_status.c                              1.49.2.1

###############
--

R__|____|| C____
                            |
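
The Problem Description in the advisory quoted above (a pointer taken from the process and dereferenced without validation while building cmdline), modelled in user space as an added example that is not FreeBSD kernel code and not part of the original message. The structure, function names, addresses and sample memory image are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_ARGS    64       /* assumed cap on the argument count */
#define SAMPLE_BASE 0x1000u  /* constructed user address of the sample image */
#define SAMPLE_SIZE 32u      /* constructed size of the sample image */

/* Constructed model of one process's mapped user memory. */
struct user_space {
    uint64_t base;               /* lowest valid user address */
    size_t size;                 /* number of mapped bytes */
    const unsigned char *bytes;  /* backing store for the model */
};

/*
 * Checked accessor in the style of a kernel copy-in routine: copy len bytes
 * from user address uaddr, or fail if any byte lies outside the mapping.
 * The unchecked pattern would instead treat uaddr as a directly usable
 * pointer, which reads whatever memory a process-supplied value names.
 */
int checked_copyin(const struct user_space *us, uint64_t uaddr,
                   void *dst, size_t len)
{
    uint64_t off;

    if (uaddr < us->base)
        return -1;
    off = uaddr - us->base;
    if (off > us->size || len > us->size - off)  /* overflow-safe range check */
        return -1;
    memcpy(dst, us->bytes + (size_t)off, len);
    return 0;
}

/*
 * Build a cmdline-style buffer (NUL-separated arguments) from an argument
 * vector stored in user memory. Both the vector entries and the strings they
 * point at are process-controlled, so every access goes through
 * checked_copyin(). Returns bytes written, or -1 on any invalid access.
 */
long read_cmdline(const struct user_space *us, uint64_t argv_uaddr,
                  unsigned argc, char *out, size_t outsz)
{
    size_t used = 0;
    unsigned i;

    if (argc > MAX_ARGS)
        return -1;
    for (i = 0; i < argc; i++) {
        uint64_t strp;
        char c;

        if (checked_copyin(us, argv_uaddr + (uint64_t)i * sizeof strp,
                           &strp, sizeof strp) != 0)
            return -1;
        do {
            if (used >= outsz || checked_copyin(us, strp++, &c, 1) != 0)
                return -1;
            out[used++] = c;
        } while (c != '\0');
    }
    return (long)used;
}

/* Constructed sample: argv[0..1] at offset 0, "ls" and "-l" at offset 16. */
void build_sample(unsigned char img[SAMPLE_SIZE], uint64_t arg1_ptr)
{
    uint64_t arg0_ptr = SAMPLE_BASE + 16;

    memset(img, 0, SAMPLE_SIZE);
    memcpy(img, &arg0_ptr, sizeof arg0_ptr);
    memcpy(img + 8, &arg1_ptr, sizeof arg1_ptr);
    memcpy(img + 16, "ls\0-l", 6);
}

/* Read the sample's cmdline with argv[1] set to a caller-chosen address. */
long sample_cmdline(uint64_t arg1_ptr, char *out, size_t outsz)
{
    unsigned char img[SAMPLE_SIZE];
    struct user_space us;

    build_sample(img, arg1_ptr);
    us.base = SAMPLE_BASE;
    us.size = SAMPLE_SIZE;
    us.bytes = img;
    return read_cmdline(&us, SAMPLE_BASE, 2, out, outsz);
}

int main(void)
{
    char out[16];

    printf("valid argv[1]:        %ld\n",
           sample_cmdline(SAMPLE_BASE + 19, out, sizeof out));
    printf("out-of-range argv[1]: %ld\n",
           sample_cmdline(0xffffffff80001000ULL, out, sizeof out));
    return 0;
}
```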



 
Re: [Full-Disclosure] If Lycos can attack spammer sites, can we all start doing it?

auto184605hushmail.com
Date: Thu Dec 02 2004 - 15:00:13 CST


Not to mention this discusses US LAW, not EU.

j

On Thu, 02 Dec 2004 09:19:02 -0800 Valdis.Kletnieksvt.edu wrote:
>On Wed, 01 Dec 2004 22:22:30 EST, KrispyKringle said:
>
>> The Computer Fraud and Abuse Act
>> (http://www.usdoj.gov/criminal/cybercrime/1030_new.html) forbids one to,
>> among other things, ``knowingly cause the transmission of a program,
>> information, code, or command, and as a result of such conduct,
>> intentionally cause damage without authorization, to a protected
>> computer,'' which pretty much covers viruses and other malware. This
>> would appear to apply to the Lycos software as well, given that it
>> ``causes damage without authorization to a protected computer.'' So that
>> is the key point, one that has not, to my knowledge, been tested in court.
>
>The point that Lycos is probably betting on is the "causes damage". If their
>rate-limiting works, they're *NOT* actually causing a DDoS - if the site is
>still responding, claiming "damage to the computer" is quite the reach.
>
>Damage to the bandwidth bill from your provider - that's something else. Not
>sure that's a criminal offense, but I'd not be at all surprised if the ISP
>left holding the bag for the unpaid bill (what - you think the spammer will
>actually pay for the bandwidth? ;) might go after Lycos on the "your actions
>cost me money" theory of civil tort.


 
Re: [Full-Disclosure] Re: Full-Disclosure digest, Vol 1 #2093 - 36 msgs

From: Dan Margolis (krispykringlegentoo.org)
Date: Thu Dec 02 2004 - 15:24:10 CST


Randall Craig wrote:
> On Thu, 2 Dec 2004 10:58:02 -0600, Randall Craig <rgcraiggmail.com> wrote:
> Ok I am super duper new to this list and also new to *nix... i will
> never go back to M$ ceptin for gaming purposes... I am running on OS
> X.3.3 and was wanting to know if the Security Alert pertaining to
> FreeBSD would also affect my system. I know that BSD is running
> underneath OS X... I am fairly sure that Apple is aware of it by
> now-.
> thnx

No. When people comment that OSX runs on BSD, they don't mean that OSX
actually runs a FreeBSD kernel. It does not (it runs XNU, based on Mach
but incorporating BSD code). Read
[http://www.kernelthread.com/mac/osx/arch_xnu.html] for more information.

Specifically regarding this vulnerability, MacOSX does not have procfs
(/proc on systems that have it), so it's hard to imagine that it is
subject to this vulnerability.

On a side-note, Apple is pretty tightlipped about vulnerabilities (much
the way Microsoft used to be, though they *seem* to be learning their
lesson, from what I've heard). Apple should follow the lead set by other
vendors and recognize that once a vulnerability is public, the
responsible path is to acknowledge and publish workarounds or fixes, not
deny the problem until a final solution is available.

Dan
--
Dan "KrispyKringle" Margolis
Security Coordinator/Audit Project, Gentoo Linux


 
RE: [Full-Disclosure] Network Sniffing

From: xtrecate (xtrecatespymac.com)
Date: Thu Dec 02 2004 - 15:45:37 CST


I wasn't alive during the Nixon's reign of wtfs, but I don't think Nixon, or
indeed anyone engaging in underhanded political subterfuge, would be
particularly worried about the log files at insecure.org, which is what my
commentary pertained to.

"This depends heavily on who decides what a felony is.
Just consider free speech in China. Brings you right into jail.
And I wouldn't go as far as to put the FBI (or any other such agency) beyond
doubt. Same applies to our (german) authorities as well."

I was not instilling blind faith into the FBI, more trying to provide a
perspective not so tainted by the paranoia intrinsic to many of the messages
I see pass through FD.

--xtrecate

-----Original Message-----
From: lee.e.riancensus.gov [mailto:lee.e.riancensus.gov]
Sent: Wednesday, December 01, 2004 8:47 AM
To: xtrecate
Subject: RE: [Full-Disclosure] Network Sniffing

> People intending to commit felonies over the internet, obviously, have
> something to worry about... though I'm not sure why anyone would be
> sympathetic to their plight.

It's not only felons or even just people that intend to commit felonies
that the FBI investigates. Are you old enough to remember Nixon & Hoover?

-----Other Original Message I'm Replying Too-----
From: full-disclosure-adminlists.netsys.com
[mailto:full-disclosure-adminlists.netsys.com] On Behalf Of Florian Streck
Sent: Wednesday, December 01, 2004 11:57 PM
To: full-disclosurelists.netsys.com
Subject: Re: [Full-Disclosure] Network Sniffing

On Tue, Nov 30, 2004 at 08:26:41PM -0800, xtrecate wrote:
> The article states that the FBI served subpoenas for specific information
> from insecure.org, likely after finding evidence that some specific attacker
> (who, no doubt, did something which deserves to be investigated) retrieved
> data from insecure.org. It would appear they are simply trying to
> cross-reference logs to discover an attacker's real IP address. This is
> pretty legitimate, and Fyodor was apparently very diligent in ensuring all
> information was retrieved via legal methods.
>
> People intending to commit felonies over the internet, obviously, have
> something to worry about... though I'm not sure why anyone would be
> sympathetic to their plight.

This depends heavily on who decides what a felony is.
Just consider free speech in China. Brings you right into jail.
And I wouldn't go as far as to put the FBI (or any other such agency)
beyond doubt.
Same applies to our (german) authorities as well.
>
> > Take a look at:
> > http://www.insecure.org/tools.html
> [...]
> Note: The FBI is monitoring HTTP logs from insecure.org.
>
> http://slashdot.org/article.pl?sid=04/11/25/1835238&from=rss
>

Florian

--
Memory fault -- core...uh...um...core... Oh dammit, I forget!



 
[Full-Disclosure] Official IFRAME patch - make sure it installs correctly

From: Berend-Jan Wever (skylinededup.tudelft.nl)
Date: Wed Dec 01 2004 - 18:49:52 CST


The IFRAME vulnerability has been patched, see http://www.microsoft.com/technet/security/bulletin/ms04-040.mspx

*** Make sure you are patched after installing ***
I installed it using "Automatic Updates" (on Win2ksp4), rebooted and loaded my InternetExploiter.html: IT STILL WORKED!!
Even though both "Automatic Updates" and "http://windowsupdate.microsoft.com" reported that I was patched!?!
I manually downloaded the exe and ran it, rebooted and now I'm finally truly patched.

It might just have been a glitch on my system, but you might wanna check anyway: InternetExploiter.html can still be downloaded from my website.

Berend-Jan Wever
<skylinededup.tudelft.nl>
http://www.edup.tudelft.nl/~bjwever
SkyLined in #SkyLined on EFNET



 
[Full-Disclosure] Re: Thanks :)

From: Irwanhadi (irwanhadiphxby.com)
Date: Thu Dec 02 2004 - 15:34:03 CST