| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 6 Jun 2007 10:00:47 -0400
From: "Stack Smasher" <stacksmasher@...il.com>
To: "H D Moore" <fdlist@...italoffense.net>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: You shady bastards.
This surprises you? You and everyone else at this point should know all
these "security" companies that have been spawned the last few years are all
fucking scumbags, who would sell their own mothers organs after a shot to
the head for a coupon to get a free ice cream sundae. They are soulless
money grubbing corporations feeding off executives fear someone is going to
steal all the money they worked hard to steal from consumers.
On 6/6/07, H D Moore <fdlist@...italoffense.net> wrote:
>
> Hello,
>
> Some friends and I were putting together a contact list for the folks
> attending the Defcon conference this year in Las Vegas. My friend sent
> out an email, with a large CC list, asking people to respond if they
> planned on attending. The email was addressed to quite a few people, with
> one of them being David Maynor. Unfortunately, his old SecureWorks
> address was used, not his current address with ErrattaSec.
>
> Since one of the messages sent to the group contained a URL to our phone
> numbers and names, I got paranoid and decided to determine whether
> SecureWorks was still reading email addressed to David Maynor. I sent an
> email to David's old SecureWorks address, with a subject line promising
> 0-day, and a link to a non-public URL on the metasploit.com web server
> (via SSL). Twelve hours later, someone from a Comcast cable modem in
> Atlanta tried to access the link, and this someone was (confirmed) not
> David. SecureWorks is based in Atlanta. All times are CDT.
>
> I sent the following message last night at 7:02pm.
>
> ---
> From: H D Moore <hdm[at]metasploit.com>
> To: David Maynor <dmaynor[at]secureworks.com>
> Subject: Zero-day I promised
> Date: Tue, 5 Jun 2007 19:02:11 -0500
> User-Agent: KMail/1.9.3
> MIME-Version: 1.0
> Content-Type: text/plain;
> charset="us-ascii"
> Content-Transfer-Encoding: 7bit
> Content-Disposition: inline
> Message-Id: <200706051902.11544.hdm[at]metasploit.com>
> Status: RO
> X-Status: RSC
>
> https://metasploit.com/maynor.tar.gz
> ---
>
> Approximately 12 hours later, the following request shows up in my Apache
> log file. It looks like someone at SecureWorks is reading email addressed
> to David and tried to access the link I sent:
>
> 71.59.27.152 - - [05/Jun/2007:19:16:42 -0500] "GET /maynor.tar.gz
> HTTP/1.1" 404 211 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en)
> AppleWebKit/419 (KHTML, like Gecko) Safari/419.3"
>
> This address resolves to:
> c-71-59-27-152.hsd1.ga.comcast.net
>
> The whois information is just the standard Comcast block boilerplate.
>
> ---
>
> Is this illegal? I could see reading email addressed to him being within
> the bounds of the law, but it seems like trying to download the "0day"
> link crosses the line.
>
> Illegal or not, this is still pretty damned shady.
>
> Bastards.
>
> -HD
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
--
"If you see me laughing, you better have backups"
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists