lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 6 Oct 2006 14:15:35 +1000
From: "Greg" <full-disclosure3@...andyman.com.au>
To: <full-disclosure@...ts.grok.org.uk>
Subject: Re: Removing the NIC cable = EoP?


-----Original Message-----
From: Pink Hat [mailto:pinkhat.h4x0r@...il.com] 
Sent: Wednesday, 4 October 2006 2:45 AM
To: Tonnerre Lombard
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] Removing the NIC cable = EoP?


> Wrong.  

> It is about getting local admin rights in this case as the so called
attack scenario requires it.

> List -- this is so easy to disprove yet we have all kinds of so called
security professonals and in this case a (wow, I am almost pissing > myself)
BSD Kernel hacker, stating that they feel its a possible attack.

> Go grab VMWare and various windows versions from your favorite warez site
and spend the time to actually try things and understand how 
> the technology works before you comment.

> The bottom line is that what was posted on that site about "hacking high
school computers" is false.

I have been reading this thread on FD because there was something nagging at
my memory and I was hoping one of you might prod it to life. Unfortunately
you didn't but apparently the "My Documents" in my head defragged itself and
spit out the old answer.

This idea is a fake and I believe I know from whence it may have come. Back
in the 80s when having Internet to a home was about as cheap as buying a
747SP (not 747B, you couldn't afford that one with an Internet yearly
payment), there used to exist the old BBS scene. That is, Bulletin Boards
that you rang directly to using your 2400BPS modem (or even earlier for
those of you who remember the old 300/300 days). Some BBSs used to be
correctly written and upon loss of carrier would cancel the session and
reset to the start of the program, awaiting a new call. Some would not. Some
would sit there and time out before resetting while some would just sit
there endlessly. The result of the latter 2 was that someone ringing in
after the person who just cut the carrier would end up logged on under that
person's access and do whatever that person was capable of doing on that
BBS. This sounds like what this whole discussion has been based upon though
updated to today's standards. There was a case in the early 90s where you
could pull the networking cable out and put it into another computer and
assume the network rights of the computer that had it before. Heck, there
were some of us who used to do that to check that whatever the whinger was
having a whinge about was right or not. 

The point is, those days of "I am not hacking, I am helping" in the case of
the network cable or "Shit! Look at what this idiot has done!" in the case
of the modem dropper has not existed, to my meagre knowledge, in a very long
time. I do know the early days of the 90s in some ISPs when they were
learning their craft of security, you might actually logon and find yourself
with someone else's accounts, too. Happened quite accidentally to me once.
Rang in on dial up and found I was logged on as someone I didn't know before
I could do a thing. THOSE problems are long gone as well.

So, I believe that unless there is something I am sadly missing - and let's
be honest here, I admit I could be missing something - this seems all to be
a load of bullshit. I honest-to-God(Allah, Buddha, whomever) don't really
know of any program for communication purposes in serious use these days
that is so damned stupid unless it is at least 15 years old.

Therefore - PLEASE, someone correct me, point out the error of my ways by
either providing the relevant info directly or the link if you are bone lazy
like me - or in the absence of such proof, may we now decide this is a load
of "politician truth" (that being the same stuff you get from the arse end
of a bull)??????

Thank you,

Signed - Don't-know-nuffin.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ