Open Source and information security mailing list archives
Message-ID: <ILEPILDHBOLAHHEIMALBCEKFGJAA.jasonc@science.org>
From: jasonc at science.org (Jason Coombs)
Subject: [inbox] Re: Fwd: Re: Administrivia: Binary Executables w/o Source

Nick FitzGerald came to his senses and removed me from the pedestal he had
placed me on, and then launched into a well-written barrage of fact, beginning
thus:
>> I agree completely. The sobig spam is valuable -- it shows us who we
>> should not trust to operate a computer.
>_If_ you know what to take from the headers _AND_ have omniscient
>access to the mythical IP-to-user mapping address list...

Ah, but Nick, I *DO* have omniscient access to the non-mythical IP-to-user
mapping list -- and so do you. How many FD subscribers post to the list from
the ISP "NetZero/United Online/untd.com" out of Honolulu, Hawaii? I can assure
you that I am the only one.

Received: from smtp04.lax.untd.com (outbound28-2.lax.untd.com [64.136.28.160])
	by netsys.com (8.11.6p2/8.11.6) with SMTP id h7KJJA401175
	for <full-disclosure@...ts.netsys.com>; Wed, 20 Aug 2003 15:19:10 -0400 (EDT)
Received: from dialup-67.30.168.213.dial1.honolulu1.level3.net (HELO win2kdev)
(67.30.168.213)
  by smtp04.lax.untd.com with SMTP; 20 Aug 2003 19:19:08 -0000

Likewise, you are quite possibly the only person who posts from CLEAR Net
Mail, New Zealand. At least while using your mobile device...

From: Nick FitzGerald <nick@...us-l.demon.co.uk>
Received: from smtp2.clear.net.nz (smtp2.clear.net.nz [203.97.37.27])
	by netsys.com (8.11.6p2/8.11.6) with ESMTP id h7LDigC13293
	for <full-disclosure@...ts.netsys.com>; Thu, 21 Aug 2003 09:44:42 -0400 (EDT)
Received: from mobilenick (218-101-96-116.dialup.clear.net.nz
[218.101.96.116])
 by smtp2.clear.net.nz (CLEAR Net Mail)
 with ESMTP id <0HJZ0009D26ETO@...p2.clear.net.nz> for
 full-disclosure@...ts.netsys.com; Fri, 22 Aug 2003 01:44:41 +1200 (NZST)

I appreciate your attention to detail, but the relevant detail you missed was
my conclusion, a witty challenge to Len Rose to stop concealing the truth and
give us full disclosure:

> it's the least he could do after intentionally covering
> up for these people.

Humor was the detail you missed, and a strict interpretation of the empirical
evidence of the design of SoBig just wasn't very funny.

I did get a private "Hah!" e-mail out of Len, which revealed to me the IP
address, OS, mail transfer agent and patch level, and mail user agent he was
using at the time, which allowed me to launch an attack against his computer
and its surrounding network, which turned out to be the same network used by
the FD server itself. I noted that the patch level of my ISP's mail transfer
agent is lower than that of FD's and I was appropriately humbled.

Return-Path: <len@...sys.com>
	by helsinki.west-network.net (8.11.6/8.11.6) with ESMTP id h7KLIox30956
	for <jasonc@...ence.org>; Wed, 20 Aug 2003 17:18:50 -0400
Received: (from len@...alhost)
	by netsys.com (8.11.6p2/8.11.6) id h7KLDU105559
	for jasonc@...ence.org; Wed, 20 Aug 2003 17:13:30 -0400 (EDT)
Date: Wed, 20 Aug 2003 17:13:26 -0400
User-Agent: Mutt/1.4i

Thor Larholm then came up with a very good idea to post a Web-based
full-disclosure archive of everything received, not just everything that ends
up distributed to the list. The potential forensic value of Thor's suggestion
is staggering.

Thor Larholm wrote:
> In that case, I would prefer if Len put up an archive of all the virus
> mails sent to FD so everybody on the list could have fun analyzing it.
> Couple it with the archives of normal posts and some regging+grep'ing
> you will be bound to find correlations between posting IP addresses.

Nick, I truly did not deserve to be on your pedestal, anyway, so this has all
been very constructive.

It's important that we remember to laugh a little, especially at ourselves.

The funniest thing I've seen in a long time is the direct relationship between
Symantec's stock price (SYMC) and the release of successful worms/virii...
Antivirus software vendors may not be paying the authors of malware directly,
but it sure looks like a good business to write and release malware in order
to manipulate the market price of certain A/V vendors' stock. You gotta love
the free market...

Sincerely,

Jason Coombs
jasonc@...ence.org

-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com]On Behalf Of Nick
FitzGerald
Sent: Thursday, August 21, 2003 3:45 AM
To: full-disclosure@...ts.netsys.com
Subject: RE: [inbox] Re: Fwd: Re: [Full-Disclosure] Administrivia:
Binary Executables w/o Source


"Jason Coombs" <jasonc@...ence.org>, whose input is usually
intelligent, considered and well-reasoned, chose to fall from his
pedestal thus:

...
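
Added example, not part of the original message: a short parser showing what the Received and User-Agent headers of the kind quoted above disclose to every recipient (origin IP, HELO name, MTA version, mail client). The sample message, its addresses and the function names are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample (RFC 5737 addresses, example.* names) shaped like the
# Sendmail and qmail-style Received lines quoted in the message.
SAMPLE = """\
Received: from smtp04.example.net (outbound28-2.example.net [198.51.100.160])
\tby lists.example.org (8.11.6p2/8.11.6) with SMTP id h7KJJA401175
\tfor <list@lists.example.org>; Wed, 20 Aug 2003 15:19:10 -0400 (EDT)
Received: from dialup-203-0-113-213.example.net (HELO win2kdev) (203.0.113.213)
  by smtp04.example.net with SMTP; 20 Aug 2003 19:19:08 -0000
User-Agent: Mutt/1.4i
Subject: constructed sample

body
"""

FIELDS = {
    "from_host": r"\bfrom\s+(\S+)",
    "helo": r"\(HELO\s+([^)\s]+)\)",
    "ip": r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]",
    "by_host": r"\bby\s+(\S+)",
    "mta_version": r"\bby\s+\S+\s+\(([^)]+)\)",
}

def parse_received(value):
    """Extract what one Received header discloses; None where absent."""
    line = " ".join(value.split())  # unfold continuation lines
    hop = {}
    for name, pattern in FIELDS.items():
        m = re.search(pattern, line)
        hop[name] = m.group(1) if m else None
    return hop

def disclosure_report(raw_message):
    """Summarise the metadata a message exposes to every recipient."""
    msg = message_from_string(raw_message)
    # Received headers are prepended, so the last one is nearest the sender.
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    # Only lines added by relays you trust are reliable; earlier ones
    # are supplied by the sending side and can be forged.
    return {"hops": hops, "origin": hops[-1] if hops else None,
            "user_agent": msg.get("User-Agent")}

if __name__ == "__main__":
    for key, value in disclosure_report(SAMPLE).items():
        print(key, value)
```

Run against your own outbound mail, this shows which of these fields your relay or client could strip or rewrite before a message reaches a public list.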

