Open Source and information security mailing list archives
Message-ID: <20041202200037.GA2267@znvyfrei.dyadsecurity.com>
From: robert at dyadsecurity.com (robert@...dsecurity.com)
Subject: RE: Isecom.org ideahamster.org and the hackerhighschool.org

your_momma@...hmail.com(your_momma@...hmail.com)@Thu, Dec 02, 2004 at 09:34:41AM -0800:
>  is that, (IMHO) an SQL injection flaw in SECURITY SOFTWARE YOU
>  RELEASED?

Just try getting alicorn installed, I dare you :).  Alicorn doesn't work
yet.  Maybe this Friday's release will. The release you looked at was a
prelim devel release that was noted to have security issues.  Don't act
like you're doing anyone any favors by pointing out something that was
already documented to be true.

>  SO, IT SEEMS YOU DON'T UNDERSTAND SECURITY, NOR SECURE
>  DEVELOPMENT, and all that you could offer us is "if you truly want
>  security, please use selinux"????

It is inevitable that software modules will have mistakes.  The
unicornscan code is actually pretty well written from a security
perspective, but I'm sure it will be shown to have a problem somewhere
someday... though I notice you didn't bother to find one yet.  If you
do, please share.  I am a fan of full disclosure as a rule ;).

The real take away here though is that if you run software in a
Discretionary Access Control model, you have no inherent security
assurances.  This is why we recommend using SE Linux, so you can enforce
what the software is allowed to do in case it comes to light that there
was a mistake made in the software module.

>  So you want war.. you'll have war.

I don't want a war.  To be honest, I've always thought you guys were
pretty funny, if not a bit on the childish side.  I appreciate your
humor.  What is annoying though is that after I tried to reach out and
make peace with you, you've decided to resort to baseless personal
attacks.

>  a little retard, you know.. another script kiddie that broke isecom
> b0x.

Heh .. I hate the term script kiddie.  It's overused and is most
commonly used by people who aren't technical enough to be throwing
around comments like that.  Granted you didn't get root on the box...
but that wasn't your point.  Your point was to deliver a political blow
against ISECOM by making it seem as though you fully compromised the
website.  That's actually a brilliant social hack, and I can appreciate
that even if the technical details of the hack were a bit lame :).

In closing .. I mean you no harm.  Please move on.  It will only get
ugly from here on.

Sincerely, 

Robert

-- 
Robert E. Lee
CTO, Dyad Security, Inc.
W - http://www.dyadsecurity.com
E - robert@...dsecurity.com
M - (949) 394-2033
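The confinement Robert is recommending, as an added illustration that is not part of the original message and is not code from Dyad Security or the unicornscan project: a minimal SELinux Type Enforcement module (reference-policy style) that runs the scanner in its own domain, so that a bug in the scanner only lets an attacker do what the policy already permits the scanner to do. The module name, the type names, the paths /usr/local/bin/unicornscan and /usr/local/etc/unicornscan, and the assumption that a raw-packet port scanner needs only raw/packet/UDP/TCP sockets, CAP_NET_RAW and read access to its own configuration are all assumptions made for this example; the real permission set has to be derived from the actual binary's AVC denials (audit2allow) and then pruned by hand.

```selinux
## unicornscan.te  -- example policy, not the project's; names/paths assumed

policy_module(unicornscan, 1.0)

########################################
# Declarations
########################################

# The domain the scanner runs in, and the type of its executable.
type unicornscan_t;
type unicornscan_exec_t;
application_domain(unicornscan_t, unicornscan_exec_t)

# Private type for the scanner's own configuration (path assumed in the
# .fc section below).
type unicornscan_etc_t;
files_config_file(unicornscan_etc_t)

########################################
# Policy: only what a packet scanner needs
########################################

# Build and send hand-crafted packets: raw IP and AF_PACKET sockets plus
# CAP_NET_RAW. Nothing here grants setuid/setgid, ptrace, sys_admin or
# the like, so an exploited scanner gets no further even though it is
# started as root.
allow unicornscan_t self:capability net_raw;
allow unicornscan_t self:rawip_socket create_socket_perms;
allow unicornscan_t self:packet_socket create_socket_perms;
allow unicornscan_t self:udp_socket create_socket_perms;
allow unicornscan_t self:tcp_socket create_socket_perms;

corenet_raw_sendrecv_generic_if(unicornscan_t)
corenet_raw_sendrecv_generic_node(unicornscan_t)
corenet_udp_sendrecv_generic_if(unicornscan_t)
corenet_udp_sendrecv_generic_node(unicornscan_t)
corenet_tcp_sendrecv_generic_if(unicornscan_t)
corenet_tcp_sendrecv_generic_node(unicornscan_t)

# Read (never write) its own configuration.
allow unicornscan_t unicornscan_etc_t:dir list_dir_perms;
allow unicornscan_t unicornscan_etc_t:file read_file_perms;

# Generic needs of any dynamically linked program.
files_read_etc_files(unicornscan_t)
miscfiles_read_localization(unicornscan_t)

# Deliberately absent: corecmd_exec_shell(), corecmd_exec_bin(),
# files_manage_etc_files(), any write access to /etc, home directories
# or system binaries. Under DAC a root-owned scanner could do all of
# that after a memory-corruption bug; here each attempt is denied and
# logged as an AVC denial instead.

## unicornscan.fc  -- file contexts for the module (paths assumed)

/usr/local/bin/unicornscan          --  gen_context(system_u:object_r:unicornscan_exec_t,s0)
/usr/local/etc/unicornscan(/.*)?        gen_context(system_u:object_r:unicornscan_etc_t,s0)
```

Build with the reference-policy development Makefile (`make -f /usr/share/selinux/devel/Makefile unicornscan.pp`), load it with `semodule -i unicornscan.pp`, relabel with `restorecon -Rv /usr/local/bin/unicornscan /usr/local/etc/unicornscan`, and watch `ausearch -m avc -c unicornscan` while exercising the scanner to find anything the policy is still missing. Two caveats a practitioner should keep in mind: the domain only applies if a transition into unicornscan_t actually happens, which needs a domtrans rule from the calling domain (in the targeted policy, root's unconfined_t runs everything unconfined, so the module only bites when the scanner is launched from a confined domain); and a policy that is too permissive, such as one pasted straight from audit2allow output, restores exactly the DAC-style "the program may do anything" situation the module was meant to remove.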
