lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20031217161610.KEAN25110.mta10.adelphia.net@toto>
From: ashton at joltmedia.com (ashton)
Subject: Edonkey/Overnet Plugins Could Pose Harm

Signing does make it safe if MetaMachine(the company) does it and has
Overnet check for this before executing that code. WMP does not have sockets
open to 1.2 million users neither does IE. We are talking peer to peer, the
plugin can send a flood off popups to all 1.2 million users at one time as a
message, it can copy the "uber upload limit crack" to the shared folder, it
could even be a legit plugin and then timebomb in 6 months and have 2
million users DDOS'ing, it's just not a good model for P2P and Plugins, I
mean P2P has enough issues with virus propogation.

-ashton

-----Original Message-----
From: petard [mailto:petard@...eshell.org] 
Sent: Wednesday, December 17, 2003 10:54 AM
To: ashton
Subject: Re: [Full-Disclosure] Edonkey/Overnet Plugins Could Pose Harm

On Wed, Dec 17, 2003 at 10:45:52AM -0500, ashton wrote:
> My attempt is to get MetaMachine to make them all be SIGNED before they
can
> be loaded, it's a P2P app and would have 1.2 million+ times the effects of
> an WMP plugin, perhaps you took it wrong. My COM statement was that any
> dumbarse can write something in MFC to be harmful but when it is pure C++
> and COM it's not as easy, MFC gives virus writers or n00bs an easy route
at
> creating these plugins. So my goal is what I first stated, you cannot
> compare WMP or PS to Overnet w/ Plugins because Overnet has 1.2 million
> online users at your disposal instantly. You must look at it as a whole.
> 
Is there some automatic way to get the 1.2 million users to download and
install them or something? What would make all 1.2 million plus users
download an eDonkey plugin? Signing code doesn't make it safe. I can
sign malicious ActiveX; if I can still get you to execute it, I win.
Look at gator. There are well more than 1.2 million WMP users (well over
10 million, in fact!). Or IE users. And nothing similar has happened.

(And COM is really not harder than "pure C++"... try it :-) I've seen some
real "n00bs" write COM objects.)

regards,

petard


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ