From: aliver at xexil.com (aliver@...il.com)
Subject: tradecraft and subversion

On Tue, 27 Aug 2002, crap producer wrote:
> You're no blackhat. You're just a programmer out of a few hundreds of
> thousands.

Your opinion mostly mirrors that of sockz. See my response to him.

> Private stock? Why tell us then? Show off your outdated skills?

I was mentioning some previous projects because it might provide some
context on my background. You don't mention in this attack what skills you
consider outdated. Note that most of the attacks I mention are still valid
and working. Also, mentioning it doesn't mean revealing the details - it's
important to understand the difference.

> >but due to the recent corporate ownership and the loss of Blue Boar, >well,
> >screw that.
> Your crap wouldn't make its way to *any* kind of moderated list, not
> even vuln-dev.

This mailing list is the first time I've used the alias of "aliver." I
choose it specifically to participate in this list. Regretably, I've
posted much more than my fair share to Bugtraq, and it _always_ made it.
So much for this weak attack.

> Which explains your presence here.

What pray-tell would explain your presence here, Mr. Hushmail Anonymous?
To bring the sword of truth crashing down on hapless posers such as
myself?  You have no credibility and your arguments lack weight. In my
opinion, you and sockz should get together and have a beer, if you are old
enough to drink that is.

> You must be kidding me.
> You really think exploits for initiator-side bugs are not being written
> already?

I never said that, I said that there was less research in this area and in
many cases the bugs are more plentiful. Sharpen your reading comprehension
skills, and you won't come across as so thoughtless next time.

> And why you want to exploit the bug one time in ten anyway?

Again, you lack reading comprehension skills. I clearly stated that it
would be a tactic that would cause a condition that is harder to
troubleshoot, and thus make the victim less wary at first.

> Why would the client crash? You're not skilled enough to write working
> exploits yet?

Actually based on this ignorant comment, it appears conversely that _you_
aren't. The nature of a buffer overfow is that it creates a condition that
will cause a segmentation violation or (depending on OS of course) another
fatal error. Overwriting EIP and returning to shellcode generally
precludes being able to predict or store the actual (legitimate) return
address after you've executed your own code. Therefore, the client
application will nearly always hang or crash after your exploit is
complete. Try reading a basic paper on stack smashing before you make
another comment like this, humilating yourself.

> That crap aint steganography. Its just some gayass uselessly space
> consuming ascii armoring.

You showing your ignorance again. The project is _by definition_
steganographic in nature since the output is human readable and would
likely be incorrectly perceived as something that it's not (a readable
leetspeak rant). Steganography, from Greek steganos, or "covered," and
graphie, or "writing") is the hiding of a secret message within an
ordinary message and the extraction of it at its destination. If you were
trying to build any credibility for your arguments, it's shot to hell now.
Learn to do a Google search before you spew this kind of garbage.

> And I thought you said your skills in crypto increased dramaticaly.
> Hell, I can't imagine what it looked like before.

Well, Mr Hushmail, why don't you _really_ show everyone how stupid I am by
posting a method to obtain plaintext from a file encrypted with xxt (which
I posted a week or so ago) and show me and everyone how weak my skills
with cryptographic implementation are? I'm sure everyone will be quite
impressed. I'll ask you the same question I've asked a few other mouthy
folks: What code have _you_ posted? Got anything _real_ to attack? You and
your kind remind me of a rat dog. Yip Yip Yip - YIPE!

aliver

Powered by blists - more mailing lists