Date: Fri, 13 Jun 2008 11:16:44 +0200
From: Sergio 'shadown' Alvarez <shadown@...il.com>
To: michaelslists@...il.com
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: (:

hi silky,

It depends what the purpose of your hashes is.
Whenever I post hashes I always also post what each hash belongs to.
My hashes always belong to a file that triggers a vulnerability or a PoC
exploit that I'm about to submit to a vendor, just in case the vendor
plays dirty.
If the vendor communication goes well then there's an advisory after the
vendor fixes the problems, otherwise I have the elements to demonstrate
that the vendor silently fixes the problems without giving the proper
credits to the researcher that reported the problem.
The 'see i told you so' in my opinion is the act of a coward who is
willing to take the credits of someone else without communicating
anything to anybody, the same thing when a hash is posted and not what
it is about, at least that's how I think about it.
Once 'sowhat' released an advisory of a vulnerability for one of the
hashes that I've posted in the past (I've even demoed it at CCC Camp
2007), and I've never claimed it because he found it and he was able to
get in touch with the vendor. I wasn't even able to get an answer from
the vendor and of course I've never sent the file to them, what I did
was to congratulate sowhat for his finding and ask him how he managed
to get the right contact.
That's how I handle these hashes.
Different mindset, different approach.

Cheers,
   Sergio

silky wrote:
> On Fri, Jun 13, 2008 at 2:37 PM, I)ruid <druid@...ghq.org> wrote:
>> MD5:    89ec9df95c1315dcb1a668e35b051b07
>> SHA1:   9f351ae9a3fbbbadaf10fea91384a32ed9836d36
>> SHA256: 02acfbfe892a47de50273f367f98cc2b5023dec34e668ca3ffbaa42c7dcbd5eb
> 
> i'm yet to see anyone actually claim one of these posted hashes yet.
> 
> like in the "see i told you so" fashion. maybe i've missed it.
