lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <2FE3228499A87F47ADF0B903A063D7450577A47E@bdo-syd-nt-02.bdonsw.local>
Date: Wed, 8 Mar 2006 06:04:40 +1100
From: "Craig Wright" <cwright@...syd.com.au>
To: <unknown.pentester@...il.com>, <bugtraq@...urityfocus.com>
Subject: RE: Purple Paper: Exegesis Of Virtual Hosts Hacking


Hello,
A quick peer review of the paper. First it is too simplistic. 
 
You have not provided a detailed methidology nor any way of repeating/verifying the data.
 
You have defined no method of detailing where virtual hosts are on separate virtual machines, CHROOT environments, hardware cards, through accelerators etc.
 
"All these techniques are absolutely legal." Without detailing the techniques this can not be determined. Also accessing a host without permission even if they have not secured is still illegal (right or wrong)
 
Your conclusion may be one I agree with, but for the wrong reasons. The conclusion does not follow from the evidence in the paper.
 
Lastly the tools you have used included have a high level of false positives. No mention of this nor of any measures to reduce error have been mentioned.
 
Regards
Craig

	-----Original Message----- 
	From: unknown.pentester@...il.com [mailto:unknown.pentester@...il.com] 
	Sent: Wed 8/03/2006 4:53 AM 
	To: bugtraq@...urityfocus.com 
	Cc: 
	Subject: Purple Paper: Exegesis Of Virtual Hosts Hacking
	
	
	What: Purple paper on discovery and exploitative vhost hacking techniques.
	
	Whom (target audience): pentesters.
	
	Where:
	http://public.gnucitizen.org/papers/exegesis.pdf <http://public.gnucitizen.org/papers/exegesis.pdf> 
	http://www.ikwt.com/projects/exegesis.pdf <http://www.ikwt.com/projects/exegesis.pdf> 


Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within those States and Territories of Australia where such legislation exists.

DISCLAIMER
The information contained in this email and any attachments is confidential. If you are not the intended recipient, you must not use or disclose the information. If you have received this email in error, please inform us promptly by reply email or by telephoning +61 2 9286 5555. Please delete the email and destroy any printed copy.  

Any views expressed in this message are those of the individual sender. You may not rely on this message as advice unless it has been electronically signed by a Partner of BDO or it is subsequently confirmed by letter or fax signed by a Partner of BDO.

BDO accepts no liability for any damage caused by this email or its attachments due to viruses, interference, interception, corruption or unauthorised access.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ