Message-ID: <200412021734.iB2HYn8o048119@mailserver2.hushmail.com>
From: your_momma at hushmail.com (your_momma@...hmail.com)
Subject: RE: Isecom.org ideahamster.org and the hackerhighschool.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

(fast note.. written in 2 minutes with a notepad.. )

What the hell.. finally I understood!!!

I know why you attempt to defend isecom, all your security-lies-based-easy-money-business belongs to Pete ;)

I've got some things to tell you robert.. about a million things.. now I have to express myself 'monosyllabically' enough for you to understand them all.

You, Robert.. don't buster!

> "While this may be CEH compliant.. it is not OSSTMM compliant :)."

It was compliant with our own compliant methodologies.. and our methodology, like YOURS, is a mess.. little shit to sell your customers, all standard based (I have some more standards if you want to include them). YOUR methodology SHOULD be an asshole if you plan to comply all the standards you include into, as some of them are opposite.. better stop googling looking for more standards to include and start doing security.

> Also it's a total fabrication of what you actually did. You actually exploited
> a PHP problem in the forums. Some of your humor would be funny and even appreciated
> if you had enough Ethics to be honest. I guess you can't even qualify as a CEH.
> Oh well, maybe you could study up and pass the CISSP.

Well.. as you said.. We actually "exploited" a php problem in the forums.. A WELL KNOWN problem. It's isecom-ideahamster-hhs fault to not update or fix this problem? Let's call it NEGLIGENCE.. here it's the name for that reason.. and for you.. if you blame NEGLIGENCE is correct.. then let us call you dumb buster too, blame!

Humor is a part of our lives, as ethics.. We can afford someone breaking us, could you? By the way, don't base all your skills in qualifying.. you'll get stuck. that's it, stop qualifying and start doing more security.

> Hehe ..
> wouldn't it be fun if we all could just make believe that things
> really happened? It certainly would be a lot easier that way.

Intelligent humor needs intelligent people to understand it. If you consider local exploits as difficult as you point.. stop considering and start doing security, money-monkey.

> Pedro, you know, with all of that desire with the right mentoring, you may
> even become useful someday. Until you can learn to be honest about your
> findings however, I suggest staying out of the lime light.

Who do you think you are to educate? Is that what you've learnt at isecom? talk talk and talk? stop talking and start doing security, savvy.

It was fun to pwn isecom stuff. It was not fun talk to you.. It's like talking to my mother, but my mother had sexual relations.. did you?

And now that you mention.. I was surprised when I saw your domain.. first (osstm compliant) with the whois.. Now I'm confused.. Am I talking with dyadsecurity's CTO or am I talking to dyadsecurity system administrator? Don't you have qualified people to register your domain and you have to do all by yourselves?

Now, I don't want to see more.. but I can't.. Just get a round.. google results are filled with your name.. conferences, forums.. tons of places where we have to read your stupidity (later you'll see). Stop writing and start doing some security!

All your business is based on isecom, even one of your latest conferences.. didn't you have your own methodology? All your business is based in isecom's shit. It's easy to understand why YOU and not Pete answered previous email. From qualifying through services.. all your business is Isecomed! then, GO TO HELL WITH PETE!

You can check my IP address in the downloads and start DDoSing me.. read osstm DoS test carefully to accomplish your mission, doggie.

I downloaded your shit just to see what did you offer to the world.. wtf.. doogie..

Unicornscan 0.4.2
Alicorn (php web interface)

Simple review of alicorn code..
Line 51 of htdocs/scan_data/scan_info.php

    switch ($_GET["_action"]) {
        case "delete_confirm":
            delete_scan((int)$_GET["_scan_id"]);
            print "Scan ID: ".(int)$_GET["_scan_id"]." has been successfully deleted.";
            print "<br/><a href=\"./scan_info.php\" target=\"body\"><- back</a>\n";
            break;
        case "delete":
            $scan = new scanclass;
            print "<a href=\"scan_info.php?_scan_id=".(int)$_GET["_scan_id"]."&_action=delete_confirm\">Yes, I am sure I want to ...
51:         $scan = $scan->db2scan($_GET["_scan_id"]);    <----------------
            $scan[0]->print_scan_info();
            // yes, this is intended behavior
        case "details":

uooooooooooooo is it a $_GET from http request without any filter?? it must be an error... look for $scan->db2scan() to see what happens....

Line 59 of unicorn-lib/scanclass.php

    function db2scan($val = null) {
        dprint("Entering db2scan...");
        global $db;
59:     $query = "select * from scan".echo_on_set($val,null," where scan_id = ".$val);

Line 96 of unicorn-lib/defines.php

    function echo_on_set($dat, $ret1, $ret2="", $val="") {
        if ($dat == $val) return $ret1;
        return $ret2;
    }

GOOBLES GOOBLES GOOBLES!!!!

    select * from scan where scan_id = $val;

ROBUST RELIABLE USERFRIENDLY MOTHERFUCKER 0day WAREZ!!!!

is that,, (IMHO) an sql injection flaw on a SECURITY SOFTWARE YOU RELEASED? You dumb doggie.. is that isecom compliant? didn't you do reviews of code? oh, wait a minute.. It's not true.. Is this the security you sell? Are your customers reading this now? wtf.. doggie..

I downloaded a copy of unicornscan to check also.. But I read the README's and saw this:

.....
SPECIAL NOTE: if you have a development release, be carefull, there could be `security issues' with it. no joke, i make mistakes often,
.......

Blah blah blah.. excuses.. excuses and excuses..

.......
we audit the code at release cycles, not before and not after them. if you truely want security, please use selinux, BUT YOU MUST REVIEW the policy and your system configuration as it applies to YOU.
.......
SO, IT SEEMS YOU DON'T UNDERSTAND SECURITY, NEITHER SECURE DEVELOPMENT and all that you could offer us is "if you truely want security, please use selinux"????

Dumb PETE DOGGIE!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

As you mention in the readmes code is messy and there's a lot of shit there : that works! HOLY SHEET! Are these your programming skills? didn't you qualify?

......
tcp `connection' code: there is alot to say here. for us (on linux) it works almost in a usable form HOWEVER it fails sometimes to connect because there is code missing, and the api and code is not well thought out.
........

XDDDDDDDD

.......
clustering mode: it works for us, neener neener. but we have real code, you dont. sorry about that.
.......

.......
what is due to be fixed cause we think it sucks:
the configuration parser: its a small wonder it works, and it getting replaced with a real implementation.
the database interface: no comment. it does work however (with the database type we like and if you read things)
........

"is does work however?" XDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

And now the final shit.. ALL YOUR CUSTOMERS WOULD LIKE TO READ STUFF:

.........
The doCumenTaion: what can we say here. it sucks. the API for modules also is messy. obviously we have to fix that before we can write documentation about it, otherwise we would be wasting my time (for example).
.........

INCREDIBLE!!!!!!!!!!!!!!!!

Please, Pete, keep your doggies safe, stop them to open their mouths and try to say something that sounds really what people want to know. It's: You will retire soon!!

You talk about ethics and disclosed names, companies and all.. You talk about ethics and denied broken boxes.. So you want war.. you'll have war.

a little retard, you know.. another script kiddie that broke isecom b0x.

Ah, a little reminder.. call us script kiddies doesn't tell much about your security skills..
as we did exploit that php ;)

In reply to: robert@...dsecurity.com robert@...dsecurity.com Tue, 30 Nov 2004 15:24:22 -0800

- --------------------------------------------------------------------
- ------------

While this may be CEH compliant.. it is not OSSTMM compliant :). Also it's a total fabrication of what you actually did. You actually exploited a PHP problem in the forums. Some of your humor would be funny and even appreciated if you had enough Ethics to be honest. I guess you can't even qualify as a CEH. Oh well, maybe you could study up and pass the CISSP.

> tar xvzf freebsdlocal0day-donotdistributed-suppliedby-divineint.tgz
> make freebsdlocal0day-donotdistributed-suppliedby-divineint
> uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)

Hehe .. wouldn't it be fun if we all could just make believe that things really happened? It certainly would be a lot easier that way.

Pedro, you know, with all of that desire with the right mentoring, you may even become useful someday. Until you can learn to be honest about your findings however, I suggest staying out of the lime light.

Robert

- --
Robert E. Lee
CTO, Dyad Security, Inc.
W - http://www.dyadsecurity.com
E - robert@...dsecurity.com
M - (949) 394-2033

-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.4

wkYEARECAAYFAkGvUjYACgkQhzkSqM0TRRQFcwCfUPuM1GZTDewIPZH8oU0MuoTVe/UA
oJsaweBuPSuDw7/QR05F6Hd5xOgs
=lPaw
-----END PGP SIGNATURE-----
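The message above points out that the "delete" branch passes `$_GET["_scan_id"]` to `db2scan()` without the `(int)` cast used in the "delete_confirm" branch, so the value is concatenated straight into the `where scan_id =` clause. The following is an added example, not part of the original post and not Alicorn's code, showing a hardened counterpart that validates the id and binds it as a parameter. The PDO/SQLite in-memory database, the `scan` table layout, the sample rows and the names `parse_scan_id` and `db2scan_safe` are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Accept only a positive decimal integer; null/'' means "no id given".
function parse_scan_id($raw): ?int
{
    if ($raw === null || $raw === '') {
        return null;
    }
    // Arrays (?_scan_id[]=1) and strings such as "2abc" both yield false here.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('scan_id must be a positive integer');
    }
    return $id;
}

// Same contract as db2scan(): all scans without an id, one scan with it.
function db2scan_safe(PDO $db, $raw = null): array
{
    $id = parse_scan_id($raw);
    if ($id === null) {
        return $db->query('SELECT * FROM scan ORDER BY scan_id')->fetchAll(PDO::FETCH_ASSOC);
    }
    // The value travels as a bound parameter, never as part of the SQL text.
    $stmt = $db->prepare('SELECT * FROM scan WHERE scan_id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data (assumed schema, not Alicorn's).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE scan (scan_id INTEGER PRIMARY KEY, target TEXT)');
$db->exec("INSERT INTO scan (target) VALUES ('192.0.2.10'), ('192.0.2.20')");

// Constructed inputs standing in for $_GET["_scan_id"].
foreach (['2', null, '2 OR 1=1', '2abc', ['1']] as $input) {
    $label = json_encode($input);
    try {
        printf("%-12s -> %d row(s)\n", $label, count(db2scan_safe($db, $input)));
    } catch (InvalidArgumentException $e) {
        printf("%-12s -> rejected (%s)\n", $label, $e->getMessage());
    }
}
```

Validation and binding are deliberately both present: the integer check gives the caller a clean error path, and the bound parameter keeps the query safe even if a later code path skips the check.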