Open Source and information security mailing list archives
From: rfp at vulnwatch.org (Rain Forest Puppy)
Subject: Of course you guys support full-disclosure

> "rfp the ripper" refers to the recent Novell advisory that
> accredits RFP with the discovery of a technique that, prima
> facie, was dropped by some ~el8 sympathizer in a rant on this
> list in order to point out what he/she/it considered a
> technical blunder on the part of RFP and other prominent
> whitehat web security figures. He/she/it alluded to the
> Phrack article wherein RFP made the blunder. If the
> vulnerability is related to the little useless bread crumb
> dropped by said poster, which some say is, then in all
> respects the technique was "ripped". Now I'm sure the
> poster is not suffering any degree of agony over this
> small incident, but it is still an amusing reflection of
> a larger pattern that has seen whitehats "leeching" and
> standing on the shoulders of higher beings...

Well, I'm honored that you'd care so much to make some public statement
about me, but lemme let you in on a few secrets:

- That Novell bug was sent to them in June.  This list was created in
July.  Thus a bit tough for me to rip something said on this list.

- That ~el8 sympathizer got it wrong.  It was not a blunder, and it still
holds true:

The Phrack article discusses how to pass parameters to a program exec'd
*FROM WITHIN* a CGI.  You cannot pass POST parameters (STDIN) to these
applications because the parent CGI reads in and parses STDIN before the
sub-application is executed.  The ~el8 sympathizer was talking about
executing the CGI itself.  Two different things.

Perhaps you and the ~el8 sympathizer should go back and reread the
article.  And if you have questions in understanding it, please, feel free
to email me.

- rfp

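The STDIN point above can be shown directly: a parent CGI that reads and parses the POST body leaves nothing on STDIN for the sub-application it execs, so any parameters the child needs have to reach it another way (here via argv). This is an added example, not code from the post or from the Phrack article; the parent and child scripts, their names and the POST body are all constructed for the demonstration.

```python
import subprocess
import sys
import tempfile
import textwrap
from pathlib import Path

# Constructed POST body; a web server would hand this to the CGI on STDIN.
POST_BODY = b"user=alice&action=list"

# Hypothetical sub-application: reports what it can still read from STDIN
# and what it received on argv.
CHILD_SRC = textwrap.dedent("""\
    import sys
    body = sys.stdin.buffer.read()
    print("stdin=%d bytes argv=%s" % (len(body), sys.argv[1:]))
""")

# Hypothetical parent CGI: parses the POST body from STDIN the way CGI
# handlers do, then execs the child. The child inherits STDIN, but the
# parent has already consumed it; only argv forwarding gets the data across.
PARENT_SRC = textwrap.dedent("""\
    import sys, subprocess
    from urllib.parse import parse_qs
    child, forward = sys.argv[1], sys.argv[2] == "1"
    params = parse_qs(sys.stdin.read())          # STDIN consumed here
    args = [sys.executable, child]
    if forward:
        args += ["%s=%s" % (k, v[0]) for k, v in sorted(params.items())]
    subprocess.run(args)                          # child inherits the drained STDIN
""")

def child_view(forward_via_argv: bool) -> str:
    """Feed POST_BODY to the parent CGI and return the child's one-line report."""
    with tempfile.TemporaryDirectory() as tmp:
        child = Path(tmp, "child.py")
        child.write_text(CHILD_SRC)
        parent = Path(tmp, "parent.py")
        parent.write_text(PARENT_SRC)
        out = subprocess.run(
            [sys.executable, str(parent), str(child), "1" if forward_via_argv else "0"],
            input=POST_BODY, capture_output=True, check=True)
        return out.stdout.decode().strip()

if __name__ == "__main__":
    print(child_view(False))  # stdin=0 bytes argv=[]
    print(child_view(True))   # stdin=0 bytes argv=['action=list', 'user=alice']
```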


