lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <3a166c090603172006i7bdeaf3do2917fd30645e12a8@mail.gmail.com>
Date: Sat Mar 18 04:07:06 2006
From: n3td3v at gmail.com (n3td3v)
Subject: Yahoo recommends you write down account
	information

Like I marked up earlier in this thread, its not about how an account would
be compromised. It was PHUN pointed at peoples I REGULARY post to off list
on a politically incorrect stance of having different wordings between Yahoo
teams.

The highlight of the thread is that once again i've proved Yahoo does not
co-ordinate, as I have ranted about on the n3td3v blog before I killed off
the trend of blogging.

Politically, a security team hates for the outside world to know they aren't
co-ordinated. The same goes for the number and skill level of incident
response staff they have on stand-by at certain times of year.

However, if you want to get into the criminal element of how paperwork is
obtained. Its often caught at refuge sites at dot coms. In the same was
fraud is carried out to obtain credit card info via receipts.

And you can bet Yahoo Inc have no CCTV at their refuge areas, in the same
way they don't take the threat of folks following folks home to break into
homes and steal hardware, in the same way they don't check for folks
standing outside Sunnyvale for peoples looking for insecure wireless
connections, and in the same way they don't take the threat from rogue
employees feeding out information from within to thrid party groups who are
offering them money.

Many folks in the industry seperate CRIMINALS, from cyber threats (ie:
hackers), although both are the same. You need to be tripping if you think
someone behind a computer wouldn't raid a corporate refuge area, to later go
back to a computer to compromise an account.

In the same way its trippy to think theres not yahoo employees harvesting
paper work information for third parties.

Its time for the industry to wake upto the fact that "cross criminality"
exists in computer crimes, and stop thinking say, phishing is equal to
criminals, while exploit code is equal to hackers.



On 3/18/06, MR BABS <mrbabs@...il.com> wrote:
>
> I did read them, and this again enforces my point, you guys are just
> trolls.
> Nobody takes you guys seriously.
> Provide me with a legitimate situation, in which a 'bad guy' has access to
> physically printed out documents, and the mailbox of the user , where he
> could not simply either install a keylogger, sniff the passwords off the
> network, or get them from the system.
> The truth is, yahoo uses this as a way to prevent annoyance. I'd suspect
> if they DIDN'T ask for this information n3td3v would be on here claiming
> that it was a DoS vulnerability or some comparable bullshit.
>
> Anyways, great troll, but this is an old meme, so lets keep moving the
> FDRUIN forward, shall we?
>
>
> On 3/17/06, n3td3v <n3td3v@...il.com> wrote:
> >
> >  Didn't you read this http://groups.google.com/group/n3td3v/browse_thread/thread/c18d3cb3267fc4a0/0e1a4176301c25c8#0e1a4176301c25c8
> >  before you carried out your own sector of trolling? http://groups.google.com/group/n3td3v/browse_thread/thread/c18d3cb3267fc4a0/0e1a4176301c25c8#0e1a4176301c25c8
> >
> > Please keep politically correct on FD, otherwise, the CERT folks might
> > get worried :P
> >
> >
> >
> > On 3/18/06, MR BABS <mrbabs@...il.com> wrote:
> > >
> > > WOW great troll n3td3v you are truly the greatest trolling
> > > organization on the earth! I bet you and bantown are cooking up some schemes
> > > right now!
> > >
> > > On 3/16/06, bigdaddyzeroday@...h.ai < bigdaddyzeroday@...h.ai> wrote:
> > > >
> > > > Do you blow everything out of perportion like this?  How old must
> > > > you be to have this attitude.
> > > >
> > > > On Thu, 16 Mar 2006 15:52:06 -0800 n3td3v group
> > > > <system_outage@...oo.com > wrote:
> > > > >You're Yahoo's top security advisor, who I talk to every day off
> > > > >the record, but you say PEOPLE LIE ABOUT INFORMATION THEY PUT ON
> > > > >ONLINE FORMS?
> > > > >
> > > > >  I think you're missing the point. The account information YAHOO
> > > > >ask users to print out is the ACTUAL information on the users
> > > > >ACCOUNT table.
> > > > >
> > > > >  SURE, folks can type COMPLETE crap in their registeration for
> > > > >signing upto a Yahoo account, but whatever information is
> > > > >submitted to the Yahoo account, it is the TRUE information that
> > > > >would give access to that account.
> > > > >
> > > > >  SO, no matter the trend of users giving BOGUS information to
> > > > >sign up for an account, the only people who would print out
> > > > >information is people who would have submitted TRUE information.
> > > > >Otherwise, why would they print out info they knew was bogus?
> > > > >
> > > > >  MARK, you're Yahoo's top security advisor, and I respect you off
> > > >
> > > > >the record, but coming on here trying to defend Yahoo's sec pros
> > > > >for getting it totally wrong in their CONTRADICTION between sites
> > > > >is totally wrong.
> > > > >
> > > > >  Yahoo said the wording  "DONT WRITE DOWN YOUR PASSWORD" but on
> > > > >the registeration proceedure it says "YAHOO RECOMMEND YOU WRITE
> > > > >DOWN YOUR ACCOUNT INFORMATION"
> > > > >
> > > > >  YOU AS YAHOO SECURITY ADVISOR NEED TO ADMIT "YAHOO" AS A
> > > > >CORPORATION GOT IT WRONG.
> > > > >
> > > > >  I speak to you every day off list, but going off on your own
> > > > >crusade won't make the rest of the Yahoo security team like you
> > > > >better.
> > > > >
> > > > >  SEE YOU OFF LIST SEIDEN.
> > > > >
> > > > >  Sorry to everyone else, this is part of an off list argument
> > > > >that Yahoo's top advisor can't get a grip of.
> > > > >
> > > > >  (How did you become Yahoo's top security advisor? :P)
> > > > >  SEE YOU OFF LIST
> > > > >  Bye
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >   mis@...den.com wrote:
> > > > >    a certain number of people lie about their birthdate and
> > > > >zipcode, or
> > > > >they forget just what they lied about, or move from place to
> > > > >place and forgot where they lived when they registered,
> > > > >and they don't have a working alternate email address.
> > > > >
> > > > >
> > > > >---------------------------------
> > > > > Yahoo! Mail
> > > > > Use Photomail to share photos without annoying attachments.
> > > >
> > > >
> > > >
> > > > Concerned about your privacy? Instantly send FREE secure email, no
> > > > account required
> > > > http://www.hushmail.com/send?l=480
> > > >
> > > > Get the best prices on SSL certificates from Hushmail
> > > > https://www.hushssl.com?l=485 <https://www.hushssl.com/?l=485>
> > > >
> > > > _______________________________________________
> > > > Full-Disclosure - We believe in it.
> > > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > > Hosted and sponsored by Secunia - http://secunia.com/
> > > >
> > >
> > >
> > >
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > Hosted and sponsored by Secunia - http://secunia.com/
> > >
> > >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
> >
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060318/42156131/attachment.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ