Date: Sun, 14 Oct 2007 15:49:42 -0700
From: "rpcxfsmd rpcxfsmd" <rpcxfsmd@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Why criticize security researchers? On the recent PDP case.

First of all sorry for my English, I'm from Russia and can't speak very
well.

I'm very sad for the current state of security, that includes people who
contest great contributions to the industry from people like pdp
(architect) and call them bullshit.

pdp does not give a damn about any of this sophomoric stuff. When he and
the other members of the think tank group post legitimate security
information in the true spirit of GNUCITIZEN half(partial)-disclosure
initiative pdp's and group's credibility is increased as well as the
amount of respect they receive amongst the security community.

GNUCITIZEN is more than a cutting-edge security blog. It is culture, way
of life, community. The GNUCITIZEN *ethos expands beyond* the boundaries
of the current domain (http://en.wikipedia.org/wiki/Same_origin_policy).

You clearly haven't read http://www.gnucitizen.org/blog/clear where
Petko D. Petkov, a.k.a pdp (architect), the founder and leading
contributor of the GNUCITIZEN group, explains why you are wrong. You
know, when people are in the right, why the hell would they admit to being in the wrong?

A clear example of extremely important and military grade industrial
nuclear plant contribution is:

pdp (architect) wrote:
> http://www.gnucitizen.org/blog/intel-video-ad-on-security-directed-by-christopher-guest
> the video is quite interesting I must say.

He is only trying to show you that *while* ppl can be in the industry
from *many many years doing serious stuff* (that doesn't mention _http_
requests and responses) he (that is younger) can *exploit and 0wn*
devices at a faster rate using techniques like Strategic Hacking using
a specially crafted GEOIP database and a specially crafted mouse cursor
that will not be revealed.

All an attacker needs to do to exploit the weakness is to lure a victim,
part of an integrated network, to a malicious website or trick them into
opening specially crafted ICA file.

Now I ask you: How can you ignore this and show criticism to somebody
that is that clear?

I guess you have not read his explanation of how things are since he
won't in any way support his thesis and what he says is as-is, immutable
and perfectly spheric.

The first general misconception is regarding the CITRIX posts [..] my
intention was not to familiarize you with the techniques but to draw
your attention to the ridiculous number of wide open CITRIX services
located on government and military facilities. I don't know about you
but to me this is concerning. It has become even more concerning when I
accidentally stumbled across some nuclear power I don't know what, a
global logistics system and US Federal funding portal. Since I don't
have the time and the facilities to contact each of the affected
organizations individually I decided to go public and let the people know
about the problem, hoping that someone will bother. Fortunately for all
of us, the operation was successful!

This is *ethics*, using information contained in a document written many
years before by somebody else to publicly show how critical
infrastructures are vulnerable by the hand of anybody who is able to
read GNUCITIZEN's web 2.1 blog.

It's pretty clear and easy to understand: he doesn't have the time and the
facilities to contact each of the targets that were vulnerable and
reachable by a google dork he provided: Nuclear power plants, a global
logistics system and US Federal funding portal were respectively at page
14, 5 and 32 of the Google results so people can contact them or just
interact with the terminal server and leave the admins a txt file on the
desktop pointing them to the issue.

Everybody, especially who is in the security industry and owns a CISP
CPSTER COPCOP, knows that script kiddies can't go farther than the second
results page in Google and YAHOO InterTUBES (a great hacking tool).

     _*No joke. We all should be thankful to pdp for this.*_

Additionally he and Adrian published a post (BT Home Flub: Pwnin the BT
Home Hub) on the vulnerabilities they found in BT Home
Hub/Thomson/Alcatel Speedtouch 7G router, currently affecting more than
2 000 000+ (two million plus) users. You know it's pretty cool to find
high risk security holes like XSS and CSRF in SOHO appliances because
they are generally really locked down and secured. Dunno why HDM didn't
do this before.

They don't even know the exact number of the 2 000 000 and plus
affected users, nor their names. As you can see they are a pretty good
think tank hackers trying to lower the high level of crime emanating
from the internet. They don't know the exact number and the SSN of all
the vulnerable users because they have not exploited all of them (in
fact they just hacked 200 000+ users to make sure the attack was
working). They believe the number has to be at least 4 or 5 millions
(GLOBALLY!) mainly because of similar issues found on the Speedtouch
routers shipped by other ISPs.

People from FD and BUGTRAQ have responded with some very interesting but
quite groundless claims stating that this is not an issue and that if
you can make the user click on an RDP or ICA file then you can make them
click on anything (i.e. .exe and .bat files). Bollocks! Let me tell you
something! Executables and shell scripts are blocked by default by most
open source and *commercial grade* filters and mail gateways - RDP and
ICA are not. People use remote desktop facilities all the time. We've
been testing some of the world top financial organizations and all of
them use RDP for ICA. And the victim doesn't have to do anything but to
log in.

Understood? He has to login. P E R I O D. It's so _damn_ simple.

Last but not least I would like to bring some light on what he, the PDP
ARCHITECTS; GNUCITIZEND GRUPU that is a _think frank group_ of well
motivated whitecat/whiteass security professionals and possibly others.

P E R I O D.

Security in depth does not exist. IT security is not only about keeping
the perimeter safe. There is a lot more than that. Sometimes, it is so
hard to get the security right that attacks are just inevitable.
Sometimes systems are set in such an impossible way that it is extremely
hard and very expensive to set them the right way. This is all the time.
Security in depth is hard to implement. You may think that you implement
it the right way but as they say: a system is as secure as the weakest
link. Luckily we have a *Black PR/Crisis PR* consultant on board, here
at GNUCITIZEN, to explain to us how to handle the security problem the
right way.

I think you didn't understand:

L u c k i l y   w e   h a v e   a   * B l a c k   P R / C r i s i s   P
R *   c o n s u l t a n t   o n   b o a r d ,   h e r e  a t   G N U C I
T I Z E N ,   t o   e x p l a i n   t o   u s   h o w   t  o   h a n d l
e   t h e   s e c u r i t y   p r o b l e m   t h e   r i g h t   w a y.

Now that you have the point and understood that PDP is a legit security
researcher helping the Internet to be safe and lowering the level of
crime.

I personally think that people that haven't understood this should
resign immediately from the security and underground scene and give back
the keys of the box office. Forever. Ever. And never. [1]

And again GNUCITIZEN is more than a cutting-edge security blog. It is
culture, way of life, community. The GNUCITIZEN *ethos expands beyond*
the boundaries of the current domain. This is what _we would like_ to
call the *GNUCITIZEN group* [2].

[1] I spoke with many ppl and all of them said that the method and modesty
that PDP uses to open the eyes of industry people is great and should
serve as an example for young people in the security industry.

[2] Don't blame PDP for his "bonnes fréquentations":
http://img513.imageshack.us/img513/4449/didek15ry.jpg

PS: PDP! You didn't post your last blog entry! Only posted on
wasc and owasp?!?! WHY? WHY? Don't HIDE you are in RIGHT!

We also like Drug n' Drop Web2.0 Hacking with surface agents
(ajax bots).

http://www.gnucitizen.org/projects/renaissance/

--
xfsmd

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
