Date: Thu, 11 Feb 2010 17:30:32 +0100
From: Christian Sciberras <uuf6429@...il.com>
To: Rosa Maria Gonzalez Pereira <analuis13@...mail.com>
Cc: pen-test@...urityfocus.com, craig.wright@...ormation-defense.com,
	full-disclosure@...ts.grok.org.uk, security-basics@...urityfocus.com
Subject: Re: SMS Banking

Yahoo Babelfish: Good because they do not pay to me in one go,
acceptance 50,000.00
Google Translate: Well because I pay my once, I agree 50,000.00
Average translation: Rosa Maria Gonzalez Pereira, will donate 50,000
eur to everyone in this list.

Where's my money? :D

On Thu, Feb 11, 2010 at 5:19 PM, Rosa Maria Gonzalez Pereira
<analuis13@...mail.com> wrote:
>
>
>
> Bueno porque no me pagan a mi de una vez, acepto 50,000.00
>
>
>
> ________________________________
> From: Thor@...merofgod.com
> To: craig.wright@...ormation-Defense.com; Valdis.Kletnieks@...edu
> Date: Wed, 10 Feb 2010 19:56:40 +0000
> CC: full-disclosure@...ts.grok.org.uk; pen-test@...urityfocus.com;
> security-basics@...urityfocus.com
> Subject: Re: [Full-disclosure] SMS Banking
>
> *ME* stop trying to weasel?  Wow.  At least you’ll have a shot at comedy
> when this is over.
>
>
>
> Answer my questions, “Dr.”  as posted.  Include the system YOU said YOU
> would set up.  Include that if it gets breached ANY WAY I WANT within 6
> months that you will pay me $100,000.
>
>
>
> Is that simple enough for you?  Is there any part of that that one can deem
> as “weaseling?”  Produce the freaking contract already and stop wasting our
> time.
>
>
>
> t
>
>
>
> From: Craig S. Wright [mailto:craig.wright@...ormation-Defense.com]
> Sent: Wednesday, February 10, 2010 11:51 AM
> To: Thor (Hammer of God); Valdis.Kletnieks@...edu
> Cc: pen-test@...urityfocus.com; 'full-disclosure';
> security-basics@...urityfocus.com
> Subject: RE: [Full-disclosure] SMS Banking
>
>
>
> Tim,
>
> You stated “You are officially “on.” “ to my challenge.
>
>
>
> I am arranging a contract. An attorney has been arranged for both the
> contract and the escrow.  This will take a number of days.
>
>
>
> The amount has upped and there are a couple other aspects, but the initial
> framework holds. Stop trying to weasel.
>
>
>
> Regards,
>
> ...
>
> Dr. Craig S Wright GSE-Malware, GSE-Compliance, LLM, & ...
>
> Information Defense Pty Ltd
>
>
>
>
>
> From: Thor (Hammer of God) [mailto:Thor@...merofgod.com]
> Sent: Wednesday, 10 February 2010 3:59 PM
> To: craig.wright@...ormation-Defense.com; Valdis.Kletnieks@...edu
> Cc: pen-test@...urityfocus.com; 'full-disclosure';
> security-basics@...urityfocus.com
> Subject: RE: [Full-disclosure] SMS Banking
>
>
>
> Now you’re talking.  But first let’s work up an actual contract.  Neither of
> your components define anything.  When you say that you are going to predict
> “risk” with your  magic formula, do you mean if the software has
> vulnerabilities?   That it can be hacked, or will be hacked?
>
>
>
> Be sure to define this properly and definitively – if you end up saying that
> a system has a 1% chance of being hacked, and I (or my auditors) hack it,
> would you claim you were “right”?  I question if you can even define the
> parameters of this bet, much less apply your formulas, but we’ll see.
>
>
>
> I also want to know what “scale” you plan to use.  So far, even though I’ve
> asked, you’ve not provided what the “answer” to your formula is, or how it
> will be applied.   I’m assuming, unless you are going to change your tune
> which I wouldn’t doubt, that you won’t look at the software code or threat
> models, but rather apply your formulas.  I further assume that the “loser”
> will be financially responsible for the “audits” done my way.
>
>
>
> I’m more than happy to take your money, and I look forward to doing so.
> Since one of your masters degrees is in law, I’m assuming you can clearly
> define the terms of the contract.    I will, of course, insist upon a
> contract, and I hope you won’t mind that I have my own attorney look it
> over.    I’m not immediately trusting of the competence of one with a
> doctorate degree and multiple masters degrees who can’t spell “technology”
> or “experience” correctly on his on-line CV.
>
>
>
> You are officially “on.”  And I’m looking forward to it.
>
>
>
> t
>
>
>
>
>
>
>
> From: Craig S. Wright [mailto:craig.wright@...ormation-Defense.com]
> Sent: Tuesday, February 09, 2010 7:41 PM
> To: Valdis.Kletnieks@...edu; Thor (Hammer of God)
> Cc: pen-test@...urityfocus.com; 'full-disclosure';
> security-basics@...urityfocus.com
> Subject: RE: [Full-disclosure] SMS Banking
>
>
>
> I have a simple answer to this. Forget the debate, rhetoric is not a
> scientific method of determining truth.
> “Thor” wants a challenge, let’s have one – a real one and not one based on
> verbalisations, abuse and unfounded assertions.
> I suggest two components:
> 1. A selection of software products are tested using both processes,
> that is I use a model for the risk of these products, and “Thor” can make up
> whatever guesses he wishes. We model (or “Thor” guesses, pulls from a
> hat...) the vulnerabilities over a time period. The number of bugs in
> software as well as the risk are to be presented as a monthly estimate.
> 2. We model a few systems (say 50). We can use Honeypots (real systems
> set to log all activity without interference) run by an independent party to
> each of us. I use probabilistic models to calculate the risk. “Thor” does
> whatever he wants.
> Each of the predictions is published by all parties. The one who is most
> accurate wins. Fairly simple?
> I will even give a handicap to “Thor”, I will offer to predict within a 95%
> confidence interval and that for me to win, at least 90 of the 100 software
> products and 45 of the 50 systems have to lie within my predicted range that
> I calculate and release. “Thor” has to simply guess better than I do no
> matter how far out he is.
> I will put up $10,000 Au for my side. Let’s see if “Thor” has something real
> to offer.
> Regards,
> ...
> Dr. Craig S Wright GSE-Malware, GSE-Compliance, LLM, & ...
> Information Defense Pty Ltd
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
