Date: Thu, 27 Jul 2006 09:12:43 +0000
From: n3td3v <xploitable@...il.com>
To: n3td3v <n3td3v@...glegroups.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: F-Secure to release XSS "potential dangers"

On 7/27/06, Valdis.Kletnieks@...edu <Valdis.Kletnieks@...edu> wrote:
> On Wed, 26 Jul 2006 19:06:11 -0000, n3td3v said:
>
> > This is highly irresponsible of F-Secure and they should be held
> > legally responsible if the information they release in relation to
> > their "Netscape hacked" blog entry is used maliciously.
>
> You might want to review what you've posted to lists regarding vulnerabilities,
> and ask yourself - if F-Secure gets held to some legal standard of liability.
> where do you end up yourself?
>
> I don't know who's going to end up the test case/poster child for vulnerability
> liability - but it's much more likely to be an individual that posts to
> this list and can't afford a lawyer than a corporation with deep pockets
> like F-Secure....

Someone has got to keep track of what corporations are saying and
everything should be questioned.

You say a corporation with deep pockets, but at the end of the day
we're really just talking about individuals who work within
corporations.

The true intentions of a single employee may not have the same
intentions as the corporation.

Sure, once an individual employee makes a mistake that employee is
protected by deep pockets of the corporate brand name.

Does that mean n3td3v's aren't ever to question the wording of the
stated blog entry, just because it's a corporation: "oh, I wouldn't
bother mentioning it, he works for a corporation!"

It wasn't what he was saying, it was the way that he said it and the
place (blog entry) he said it.

I'm not about to let off individuals and not report them when I think
something wrong is happening just because they work for a corporation.
If anything because they work for a corporation is even more reason to
report them.

What I'm saying falls in line with a long-term interest I have, and
that's rogue employees within corporations, acting under the name of a
corporation and in full knowledge that if they do something wrong they
will be protected by deep pockets.

What you said about deep pockets of a corporation is half the problem
of an overall problem of rogue employees within corporations.

They play up to the fact they are working for a corporation.

They exploit the fact they are in a corporation.

They use the corporation to get ahead.

Lots of them sell corporate data to outsiders for dollars.

This is going on at many corporations.

There's lots of things I see, and lots of things I pick up on from
little blog comments and instant message conversations I have with
people.

My slogan is and always has been:

"Never trust your employees"

People have said this is a harsh thing to say, but I've seen first-hand
what's really going on behind the scenes.

There are so many people hiding deep within corporations thinking they
aren't being detected, but it's the little comments employees make that
trigger my suspicion to investigate that individual further over a
prolonged period to see what else they are getting up to.

These are (some of) the things I look out for:

When they are at work and think no one is watching, what do they say
to people, what are they doing on corporate machines? Are they talking
to questionable people and what is being said to them (I've seen
employees hacking on corporate machines, and boasting about what
they've just done over instant message)

Little giveaway comments made on blogs and instant messages. A lot of
the time people say little things by mistake which giveaway a bigger
hidden agenda.

Their activity when they get home at night and what they get up to.
What are they doing when they get home? What are their social circles
on the internet when they get home? Are these social circles
questionable? What are their excuses for talking to these questionable
people? Lots of the time the employee will use the excuse that they are
talking to questionable people to get intelligence for the corporation
when they get caught by the corporation. And the corporation believes
them. This is a prime example of exploiting their job position to
openly talk to questionable people on questionable subjects in the
open, without fear of getting into trouble if someone eavesdrops on
a conversation with employee monitoring software or if someone copies
and pastes their conversation.

There are other malpractice triggers I've not mentioned above to save
e-mail space, but you get the idea.

I will continue to keep an eye on corporate users and will report them
to my mailing list and (or) Fool-Disclosure regardless of what people
say.

I've witnessed first-hand malpractice, and I believe tracking down
rogue employees and listening to some of the excuses they give their
employer for the things they do and say, when I highlight what they
are up to, is as much a buzz as finding bugs in software.

I know the more people who report this stuff, the bigger the
difference it makes overall.

Rogue employees are high on the n3td3v agenda and will continue to be.

If anyone would be suing F-Secure it would be Netscape, after F-Secure
releases the information they said they would, to teach the Digg users
how to attack Netscape.com better the next time they find an XSS hole
in their service.

Of course he will say he didn't mean it like that, but as far as I'm
concerned he did, and that's why I reported it.

Rogue employees, beware, you could be next, no one is safe from being
reported by n3td3v. You could be next, no one will escape being
reported to mailing lists by n3td3v. n3td3v is watching your internet
activity, your instant messages, your e-mail and your social circles
and the things you are hacking.

To everyone else, bug hunting is as much a buzz as finding rogue
employees and monitoring their activity and I encourage everyone to be
paranoid about who you work beside and keep an eye on what they are
doing.

Valdis, when you mentioned deep pockets, you hit the nail on the head
about why malicious users apply for jobs within corporations.

The biggest threat to the internet today is rogue employees. They have
the academic background, the knowledge, and the false sense of
security on their corporate computers.

Not all I've said relates to the F-Secure blog entry person, but it prolly does!
That's all I'm going to say right now on the subject.

If you think you know a rogue employee and you can't be bothered
monitoring them, e-mail me at xploitable@...il.com

Trust no one and question everything.

Rant done.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
