Date: Fri, 11 Nov 2011 23:03:58 +1100
From: xD 0x41 <secn3t@...il.com>
To: Sam Johnston <samj@...j.net>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Steam defaced

Hi!
Hrm, well, I guess the best thing then is to maybe retell them a bit
about it... maybe I should try adding in a report of the report :s , as I'm
an Amazon user, and it is so big that so many could be affected for
nothing, and really, I am a free user so I'd lose nothing, but I know
my family has used it for simply books etc... which makes me a bit
paranoid with it.. but I am sorry, I did not take enough time to
read, I was busy, and just saw a bit of a laugh at first, without
really seeing why :s
I can say sorry, and will, and hope that Amazon is bloody listening this time!
If not, we can make them :)
I know that it should be repaired if it is not secure, and the best way
is always through discussion and bringing it to places like here to
scrutinise.. so in fact we pretty much agree on this, and then have
more power with Amazon, as there are then 2 minds on it.. and this
would then be hard to ignore, as only more people would just
privately add their own comments I'm sure, as users that is.. (if
users)..
I will try to get anything within the system fixed, so maybe I
should be writing fewer emails when I am not feeling well :s.
I apologise for my rudeness earlier... I was, and have had, a bad
day... a blown box (my best box..) amongst other things :s... anyhow,
I do wish only the best for Amazon, so any info on this, and on the
earlier reports etc. and how they then handled it, I guess is what I'll
be looking for.
I seem to have a good rapport with the staff there, and they have
done me many favours, so I could always try to speak to them too :s
I guess every word counts... when it comes to matters where one voice
just does not ring through enough... and they are so big, you could
just get one lazy-ass admin who doesn't want to patch... and it would
take then, persistence...
So, if this is the case and you're being ignored, we could easily solve that..
I will read more on this and your links when I wake... I am now in
sleepy land, and already half asleep.. so all I say is, sorry for
the misunderstanding, I am a bit of an arsehole at times :s but feel
free to kick my butt back :P
hehe.
Take care, and thanks for being a good sport.
If you code, please feel free to join my competition... and with that,
every donation received by my non-profit website would be shown as
going directly back into competition prizes/hosting. This would be
shown, and I guess it would prove to be very bad if I weren't keeping
that word.. but I have, and will uphold this... and am forking out
the prize (yes, a nice Kindle Pad from Amazon); the newer models are
very very nice, but it will be even newer by the first draw... so I
implore people with the extra bucks to read how to donate, and this
way I would happily run 250-300 buck code prizes on a very regular
basis.
Thank you to those who are already participating; feel free to register
or email me about it, and I will add you in...

Now taking skilled coders/PoCs, and for more in-depth rules regarding
how it will be judged and what will be judged as materials... well, you
may want to speak to me or my staff about this, but it basically is
all for the coders.
As it was, always, before it was 'popular'..
cheers!

xd-- @ #HaxNET,#HaxSHELLS@...ET

http://crazycoders.com/2011/11/craziest-coders-ever-and-links/
<------------ COMPETITION. But for in-depth rules and judging, please ask
me, or I'll maybe add that into the online space in the next day.. but
basically DoS is not in, 0days are not what makes the prize, and coding
skills will be judged:
Coding styles/methods used/originality/unique exploitation vectors,
uses of methods which are uncommon or different, and of course simply
writing the better code.
No matter what the overflow, all stack-based will of course be judged
more in depth, as with simply a GOOD PoC which covers all elements of the
PoC details; only 2010-2011 will be judged, since we are NOT in 2009
anymore.
Hope this will bring some people fun, and all donations will be sat on
to make sure they're NOT illegit, so don't even waste time if you're a carder
:)

On 11 November 2011 22:32, Sam Johnston <samj@...j.net> wrote:
> On Fri, Nov 11, 2011 at 12:54 AM, xD 0x41 <secn3t@...il.com> wrote:
>>
>> about the clouds, dude, I found the whole attacking of Amazon as rude,
>
> So did I, which is why I came to Amazon's defense in pointing out that
> those in glass houses shouldn't be throwing stones. The company
> (Enomaly) abusing Amazon over a complex SAML XML digsig
> vulnerability[1] was/is still using a trivial vulnerable signature
> mechanism in their own products that Amazon had fixed years ago[2],
> among other issues which I had reported 6+ months earlier (not
> validating requests, passing prices to clients in hidden form fields,
> etc). Their security response is also appalling[3].
>
>> and shit, so, as I said before, you're a lamer. And, just stfu and wear
>> it, that's MY opinion, I did not say the whole list has to follow,
>> shithead.
>>
>> stfu and ride your magical carpet through the clouds... :P~
>> To the others who find cloud bs amusing, or ripping or fucking with
>> Amazon as amusing, go read what your kids are buying shit from.. then
>> maybe you would see some places you do not fuck with, you treat
>> with respect, because they sometimes won't affect you directly, but
>> one day it may well do this, thanks to your silly exploits on things
>> that should not be used like this, features manipulated into
>> exploits... shit, you should not be disclosing shit with Amazon on FD,
>> full stop.
>> If you cannot see my view then you're just as stupid as I have thought.
>> Now go play with your cloud formations, and upload some f1les to s0m3
>> l33t 4p4ch3 s3rv3r kid.
>>
>> Eh sorry Henri and others, but I had to just get that out too, about
>> cloud/sploitcloud... it is fkn ridiculous... asking for trouble, people
>> like that should get knocks on the door, simply to be put into a
>> mental home for their own good.
>
> Sorry for the confusion but that's not at all what I said[4]. No harm
> done — others replied off list to say they found it amusing. Anyway I
> have a credit card to go cancel (per the subject of this thread).
>
> Sam
>
> 1. http://www.theregister.co.uk/2011/11/01/amazon_downplays_cloud_crypto_flaw/
> 2. http://www.daemonology.net/blog/2008-12-18-AWS-signature-version-1-is-insecure.html
> 3. http://samj.net/2011/11/how-not-to-respond-to-vulnerability.html
> 4. http://samj.net/2011/10/sploitcloud.html
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/