lists.openwall.net - Open Source and information security mailing list archives
Date: Thu, 9 Jun 2011 18:42:35 +0300
From: nix@...roxylists.com
To: "James Rankin" <kz20fl@...glemail.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: NiX API

>>> It definitely does something
>
> Well, what?
>

Example 1:

You run a forum and ban a user for one reason or another. You also
blacklisted his whole ISP subnet because you were very pissed due to abuse.
If he wants to, he will be back in less than five minutes with a proxy.

NiX API effectively blocks 85% of all open proxies 24/7/365, fully
automatically.

Example 2:

You run an online shop, as hundreds of thousands of others do; you sell
iPhones and you accept credit card payments and, more likely, our lovely
PayPal.

A poor guy from Africa does not have the money to pay for this nice phone. He
definitely wants to have this phone, no matter what it takes. He doesn't
give a fuck about anything else.

He purchases stolen credit card information, or he is capable of hacking
sites to get this data. He will for sure not use his own IP for this
purpose unless he is an A-plus idiot.

(sorry for my language, but I wanted to explain it as it is in real life) :)

He will hack a web site hosted at GoDaddy and set up a proxy on this hacked
shell to bounce him.

Without the NiX API, the majority of payment gateways will blindly pass this
purchase through, including our 'well-known and secure PayPal'. We have
proved this issue over 50 times in a two-month period at our sites.

At this point this guy from Africa has already caused enough damage,
whether or not he received the phone.

If you had this API protection implemented, this guy's access would
have been denied before he was even able to get to the form that takes
payments.

---

That's it; if I were to tell all the examples and advantages of its use, this
email would be 58 pages long.

Thanks for reading and understanding (English is my 2nd language).

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/