Date: Fri, 21 Mar 2008 12:00:07 +0000
From: n3td3v <xploitable@...il.com>
To: n3td3v <n3td3v@...glegroups.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: sans handler gives out n3td3v e-mail to public

[15:49] * Now talking in ##security
[15:55] <worried> someone wants my attention
[15:55] <njan> worried, best way to make them go away: Don't give it to them.
[15:56] <worried> njan, query me their IP address
[15:57] <njan> worried, sorry, we don't hand out that sort of information.
[15:57] <sfirefinch> you fail
[15:58] <worried> where there is a will there is a way
[15:58] <worried> i don't need your help ;)
[15:58] <sfirefinch> heh, good luck
[15:58] <worried> sfire, thanks
[15:59] <worried> ex gov employee
[15:59] <sfirefinch> oh yeah?
[16:00] <worried> did you fall or did you get pushed?
[16:01] <lunaphyte_> just because you're paranoid doesn't mean they're
not out to get you.
[16:01] <sfirefinch> and just because you are paranoid doesn't mean
someone is listening to you
[16:01] <lunaphyte_> right.
[16:01] <worried> thats good
[16:02] <worried> how is sans institute coming along?
[16:02] <sfirefinch> quite well i am sure.
[16:03] * naxx|nothere is now known as naxxatoe
[16:03] <worried> i'm sure
[16:03] <worried> you didn't know much about iframe attacks for about
a whole weekend
[16:04] <worried> it was funny
[16:04] <sfirefinch> no.
[16:04] <sfirefinch> we didn't publish anything
[16:04] <sfirefinch> there is a difference
[16:04] <worried> you were crying out for info from random members of
the public to e-mail you
[16:04] <worried> and you thought there were two iframe attacks
[16:04] <sfirefinch> doesn't mean we didn't know, we wanted more info
[16:05] <iamnowonmai>
http://www.linuxworld.com/news/2008/031908-red-hat-open-sources-security.html
[16:08] <worried> as i said in e-mail, you exposed a break/weakness in
your intelligence gathering chain.
[16:09] * riotz is now known as riotz_
[16:09] <sfirefinch> and that is?
[16:09] <worried> you don't have strong links with non-professional circuit
[16:10] <sfirefinch> oh, how you are so colorfully wrong.
[16:10] <worried> to know whats going on, when you need to know, when
the pro scene dont come up with answers
[16:10] * riotz_ is now known as riotz
[16:11] <worried> when your rely on shirt and tie to e-mail you info
100% of the time then you're going toe ventually trip up and thats
what the iframe weekend showed folks like me
[16:11] <sfirefinch> well, the folks like you are more wrong then you reali=
ze.
[16:11] <sfirefinch> the beauty part about it is, you will never know.
[16:12] <worried> i know you didn't have intelligence on the iframe
weekend, so i know what type of sources you have
[16:13] <worried> you needed underground links for that, and you
obviously didn't have any
[16:13] <sfirefinch> please read my previous statement where I say
"you are wrong" in more ways than one?
[16:13] <sfirefinch> you ASSUME we didn't know anything
[16:13] <worried> good folks know the ppl behind the attack and would
be in their hideout.
[16:13] <sfirefinch> and are therefore wrong
[16:14] <worried> nevermind
[16:14] <worried> i dont want to continue this
[16:15] <worried> let's move on
[16:15] <sfirefinch> good, because you were going in an endless loop.
[16:15] <worried> your blog just exposed more than it should of that
you probably didn't realise you were giving away
[16:15] <rexy__> where was the writeup about iframe posted on sans ?
[16:16] <worried> the smallest of indications gives away clues to the enemy
[16:16] <sfirefinch> we were quite aware, thank you.
[16:17] <worried> you guys are all sitting on gmail addresses
[16:17] <rexy__> because i cant seem to find it
[16:17] <sfirefinch> you guys?
[16:17] <worried> contact.html
[16:18] <sfirefinch> that's the submission page
[16:18] <worried> are you willing to give your real name
[16:19] <sfirefinch> you should know it
[16:19] <echelon_> why is there a security conference in spain?
what've they contributed?
[16:19] <sfirefinch> lol
[16:20] <worried> echelon: its a few tents in the middle of a field
with wireless a campfire and beer
[16:20] <worried> i spoke to the guy already
[16:20] <echelon_> france would be a better location
[16:21] <worried> he is looking for english speaking people to talk
about security, cos its all spanish so far
[16:22] <worried> i'm not an enemy of sans im just an ethical enemy
[16:22] <worried> dont worry
[16:22] <rexy__> http://isc.sans.org/diary.html?storyid=4144&rss is
that the one you were talking about sfirefinch ?
[16:23] * naxxatoe is now known as naxx|nothere
[16:23] <worried> its not obvious to me how to fix the problem!!lolol
[16:23] <sfirefinch> rexy__: i think it would be more accurate to ask
if that's the one that worried was talking about.
[16:23] <worried> its a simple input valdiation flaw
[16:24] <rexy__> sfirefinch: probably :P
[16:24] <worried> they exploited
[16:24] <worried> which i e-mailed them to tell them
[16:24] <worried> lol
[16:24] <echelon_> what do you guys think of tunneling through a
nat-traversed connection?
[16:25] <sfirefinch> "its times like this that proves one thing to me
that you dicks dont
[16:25] <sfirefinch> have good intelligence links with the
underground, you're too busy
[16:25] <sfirefinch> show boating with your depaertment of homeland
security and cia type
[16:25] <sfirefinch> boffins, that you haven't got good underground
contacts, which prove
[16:25] <sfirefinch> invaluable at times like these when the
professional scene has no idea
[16:25] <sfirefinch> what's going on."
[16:25] <worried> they rely on http based intelligence at sans
[16:25] <sfirefinch> yeah, real polite.
[16:26] <rexy__> so what writeuup were you reffering to worried
[16:26] <worried> do you jsut know you broke your privacy agreement
and i'm lodging a complaint right now
[16:26] <worried> im serious
[16:27] <worried> want to give out any other info while you're
breaking your privacy agreement?
[16:27] <worried> this is going on FD dude
[16:27] <worried> and i hope you get taken off the sans handlers
[16:27] <sfirefinch> you say you are not an enemy
[16:27] <sfirefinch> yet you shout publically
[16:27] <njan> worried, I did warn you before that if you started
publishing things from ##security to FD or elsewhere, that you'd be
removed from the channel.
[16:27] <sfirefinch> you call names and are rude
[16:28] <sfirefinch> not a good way to get respect nor to get people to listen
[16:28] <sfirefinch> I think what you did was selfish and rude
[16:28] <sfirefinch> I don't respect that
[16:28] <sfirefinch> n3td3v, I am sure you have something to
contribute to the community
[16:28] <sfirefinch> and Id like you to do so
[16:28] <sfirefinch> however, at this point all you are doing is
making people made and not trust you
[16:28] <worried> you jsut pasted a private e-mail to the world wide web
[16:29] <morning_wood> kill it!
[16:29] <sfirefinch> no, i posted an email to irc
[16:29] <sfirefinch> and i only posted a part of it
[16:29] <sfirefinch> and not even the worst part
[16:29] <sfirefinch> the privacy agreement applies if you agree to it
[16:29] <sfirefinch> which you never have
[16:29] * morning_wood throws the towles used to clean up TubGirl at Worried
[16:30] <sfirefinch> worried: seriously dude, do you want me to help
you?  I will.
[16:30] <sfirefinch> I'm through trying to degrade you, i'll help you
and be nice
[16:30] <sfirefinch> but you have to be nice to the community in return
[16:30] <njan> sfirefinch++
[16:30] <sfirefinch> and you have years of doing the exact opposite.
[16:31] <sfirefinch> I am SERIOUSLY laying down the olive branch
[16:31] <worried> "Note: All information submitted via this form will
be sent to all ISC handlers. The information will be kept confidential
within this group. We will only publish your information with your consent. "
[16:31] <sfirefinch> yes, SUBMITTED THIS FORM
[16:31] <sfirefinch> you don't submit via the form
[16:31] <sfirefinch> you bypass everything you are SUPPOSED TO DO
[16:31] <sfirefinch> and email us directly
[16:31] <sfirefinch> therefore you violate the agreement
[16:32] <sfirefinch> again
[16:32] <sfirefinch> olive branch
[16:32] <sfirefinch> http://en.wikipedia.org/wiki/Olive_branch
[16:32] <rexy__> thanx i was just about to look that up
[16:32] <sfirefinch> In Western culture, the olive branch, apart from
its literal meaning as a branch of an olive tree, symbolizes peace or
goodwill
[16:33] <sfirefinch> I'll be nice to you, if are nice to us
[16:33] <worried> you mean you dont want me tell people what you've jsut done
[16:33] <sfirefinch> it's that simple.
[16:33] <samson--> worried: someone posted another security conference
on full-disclosure, you should warn them that the fedz are gonna raid
it
[16:33] <sfirefinch> if I was scared that you were going to tell
people what I've just done, i would have said that
[16:33] <sfirefinch> i'm pretty black and white dude.
[16:34] <sfirefinch> want me to help you?  I will.
[16:34] <sfirefinch> want people to take you seriously, I will.
[16:34] <sfirefinch> but you have to be nice in return
[16:34] <sfirefinch> and you don't do that
[16:34] <sfirefinch> for years.
[16:34] <rexy__> never knew worried was famous
[16:35] <samson--> sfirefinch: it is impossible to take him seriously,
all he does is lays down FUD after FUD
[16:35] <samson--> it helps noone
[16:35] <samson--> it doesnt even spread awareness properly
[16:35] <sfirefinch> okay, well at least me
[16:35] <sfirefinch> rexy__: worried = n3td3v
[16:36] <rexy__> familiar nick, not ringing bells
[16:36] <sfirefinch> he has a group on google groups and posts to FD
all the time
[16:37] <sfirefinch> currently he's off writing an email to FD about
how sans sucks.
[16:37] <rexy__> ah
[16:37] <morning_wood> like ppl care lol
[16:37] <rexy__> postings any good?
[16:37] <sfirefinch> and how i clearly violated the privacy agreement
that he does not adhere to.
[16:37] <rexy__> n3td3v (leetspeak for net-dev) is a person or persons
who has had a history of posting some fairly obnoxious stuff
on Full Disclosure
[16:37] <sfirefinch> rexy__: depends on your perspective
[16:38] <sfirefinch> is there merit in what he says?  sometimes yes
[16:38] <sfirefinch> but the way he says it is so rude and brash it's
not well received or respected.
[16:38] <samson--> sfirefinch: the group he has consists of one
person, which he has publicly admitted
[16:38] <sfirefinch> I think he has some descent things to say
sometimes, he shoots for the moon
[16:39] <sfirefinch> samson--: well, it has a bunch of members, lets say that.
[16:39] <iamnowonmai> hey morning_wood long time no see.
[16:39] <morning_wood> hey0
[16:40] <sfirefinch> he has some unfounded paranoia
[16:40] <samson--> only "some"?
[16:40] <sfirefinch> no, some of what he says is correct.
[16:40] <sfirefinch> he just says it so wildly and rudely that no one listens.
[16:41] <samson--> the kid is borderline paranoid schizophrenia
[16:41] <sfirefinch> well i am not making a medical diagnosis
[16:42] <samson--> i'm not a doctor either, but i did stay at a
holiday inn express last night
[16:43] <sfirefinch> heh
[16:43] <iamnowonmai> sfirefinch++ for being the peacemaker.
[16:44] <sfirefinch> i'm tryig to do the right thing
[16:44] <sChaaa> hola
[16:45] <worried> say sorry for pasting a message sent to handlers@...s.org
[16:45] <sfirefinch> okay, i apologize for pasting a message.  Now,
you say you are sorry for being rude.
[16:46] <worried> rude about what? there are so many things
[16:46] <sfirefinch> just the general statement
[16:47] <worried> you statement you pasted?
[16:47] <sfirefinch> you are just rude in general, and i ask you to be
nicer and apologize for it
[16:48] <worried> its true that you showboat about your cia and dhs contacts.
[16:48] <sfirefinch> um, no.
[16:48] <worried> and help the cia push out disinformation about power
cuts carried out by hackers
[16:48] <sfirefinch> that's not what i asked you to say
[16:48] <worried> via the sans con
[16:49] <sfirefinch> i had nothing to do with it, and again, not what
i asked you to say
[16:49] <morning_wood> oh phear
[16:50] * naxx|nothere is now known as naxxatoe
[16:53] <worried> i'm sorry for calling you dicks, thats the only part
i can say sorry for.
[16:54] <worried> a private e-mail shouldn't be disucssed in this
fashion via a public channel of communication
[16:54] <worried> this is highly unacceptable on any level of thinking
[16:54] <morning_wood> you could apoligize for being a total idiot
[16:55] <sfirefinch> worried: okay, fair enough, i apologized for it
already.  But why do you post IRC conversations to the web?
[16:55] <sfirefinch> err
[16:55] <sfirefinch> email
[16:55] <worried> an irc conversation is already on the web
[16:55] <njan> effectively to the web, given how much FD is archived.
[16:55] <njan> worried, not here, it isn't.
[16:55] <morning_wood> last one he posted on FD was him talking to himself
[16:56] <njan> worried, this channel explicitly doesn't log publicly,
and freenode explicitly bans people doing that without channel
consent.
[16:56] <morning_wood> then he follows it up with a post from "n3td3v" lol
[16:56] <njan> worried, anyone who logs this channel to the web does
so in the knowledge they're breaking the channel and network
guidelines, and they can be banned or klined for it.
[16:56] <morning_wood> responding to his own troll food
[16:56] <sfirefinch> and neither one has an expectation of privacy
[16:56] <sfirefinch> i am just asking a question
[16:57] <worried> njan, are you saying thats what you're going to do?
[16:58] <njan> worried, I've told you in the past if you log the
channel to the web, you'll be removed from the channel at the very
least.
[16:58] * morning_wood ant figure out why he hasnt been klined yet...
[16:58] <njan> worried, and for persistent offences in instances where
people know they're not supposed to publicly log without channel
consent, freenode can and does intervene where appropriate.
[16:58] <sfirefinch> i am going to go eat pizza
[16:58] <njan> worried, http://blog.freenode.net/?p=62 <= for instance.
[16:59] <worried> my google group isn't public
[16:59] <morning_wood> who gives a fuck
[17:00] <sfirefinch> it is if you can sign up for it for free.
[17:00] <iamnowonmai> sfirefinch: mushroom pizza++
[17:00] <sfirefinch> i am suprised you aren't more paranoid about google
[17:01] <worried> im not paranoid
[17:02] <njan> worried, for the purposes of this conversation, yes, it is.
[17:02] <samson--> what what what?
[17:02] <worried> tell me what i'm paranoid about
[17:02] <sfirefinch> the government for one.
[17:03] <samson--> RBN caring enough to send someone out to UK to take
care of you
[17:03] <worried> why would i be paranoid about them
[17:03] <Renski_> *cough* russian hackers *cough*
[17:03] <njan> worried, CCTV? ;)
[17:03] <samson--> if you arent paranoid, you are delusional
[17:03] <sfirefinch> i think you give them more credit then they are worth
[17:03] * sfirefinch is away for pizza
[17:03] <worried> i dont break laws
[17:03] <worried> so why would the gov phase me
[17:04] <worried> if anything its them who are paranoid if they are
tracking me, cos there is nothing to uncover
[17:04] <worried> its a waste of their time trying
[17:04] <njan> worried, http://en.wikipedia.org/wiki/First_they_came
[17:05] <njan> worried, I think that's a pretty powerful response to
the notion that anyone who isn't doing anything wrong doesn't have
anything to fear from their own government.
[17:05] <worried> what would the government do to someone who hasn't
broke a law?
[17:06] <rexy__> information
[17:06] <Renski_> worried: where were you during history?
[17:06] <worried> i haven't broke a law and im not a poltical threat
to the national interest
[17:06] <njan> Who was it that said that the price of freedom was
perpetual vigilence?
[17:07] <transzorp> eternal vigilence is the usual phrasing
[17:07] <njan> Ah.. Jefferson.
[17:07] <worried> there is no useful intelligence on my gmail
accounts, there is simply copy&pasted public news articles, everything
sent from my gmails goes straight to a mailing lsit where it can be
read by anyone, so the wiretap would be pointless
[17:07] <transzorp> yup
[17:08] <njan> or Wendell Phillips, according to wikipedia. hmm.
[17:08] <njan> <3 stolen quotes. :)
[17:08] <worried> i dont send e-mail to private ppl
[17:08] <iamnowonmai> njan: I would have guessed someone else.
[17:08] <transzorp> so since I'm lazy and don't want to read scroll
back who's wire taping who?
[17:08] <samson--> worried: you just sent an email to sans
[17:08] <worried> thats a list, its not a one on one e-mail
[17:08] <samson--> with the expectation that it was private
[17:08] <worried> no i dodnt think it was private
[17:09] <samson--> then what did you pitch a fit for?
[17:09] <worried> ethics
[17:09] <iamnowonmai> transzorp: worried has hurt feelings about his
note to the ISC being partially pasted here.
[17:09] <worried> no i dont have hurt feelings
[17:09] <worried> i jsut stated the person broke sans policy
[17:10] <Renski_> worried: stop whining alreadly
[17:10] <Renski_> he said sorry, and you havnt done the same.
[17:10] <worried> yes, i wasnt the one who brought it up again
[17:11] <worried> i did say sorry
[17:11] <worried> i said sorry for calling them dicks
[17:11] <transzorp> ok
[17:11] <worried> im not discussing a closed e-mail with this channel,
its unacceptable that this conversation is even possible
[17:12] <iamnowonmai> But you are discussing it.
[17:12] <worried> not now
[17:12] <worried> no, you brought it up
[17:12] <worried> i responded
[17:12] <iamnowonmai> That counts - you still are.
[17:12] <worried> you brought it up
[17:12] <Renski_> worried: the internet is a giant copying machine, get over it.
[17:12] <transzorp> so since I don't really care about emails etc.
what else is going on?
[17:13] <iamnowonmai> transzorp: not much. I'm still trying to glean
more information about the Hannaford breach.
[17:13] <worried> renski: no its not actually, there are rules and
regulations for professionals
[17:13] <iamnowonmai> Now they are blaming misconfiguration.
[17:13] <worried> im finished discussing this
[17:13] <transzorp> iamnowonmai: I haven't heard about the hannaford breach
[17:13] <Renski_> worried: really?
[17:14] * Renski_ doesnt recall signing anything
[17:14] <iamnowonmai>
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1306289,00.html
[17:14] <iamnowonmai> disable javascript and you bypass the registration crap
[17:15] <iamnowonmai> also here -
http://securosis.com/2008/03/18/picking-apart-the-hannaford-breach-what-might-have-happened/
[17:31] <worried> sweet, thats the transcript saved
[17:31] * Disconnected


---------- Forwarded message ----------
From: n3td3v <xploitable@...il.com>
Date: Thu, Mar 20, 2008 at 5:43 PM
Subject: breach in sans policy about to go public
To: handlers@...s.org


one of your sans handlers post one of the e-mails i sent to this
e-mail address to a ##security on freenode, this event has just
happened.

i'm posting the full transcript unedited onto full-disclosure

let's see how many media outlets pick this up :)

he said because the e-mail was sent to handlers@...s.org and not via
the form then

"All submissions are kept confidential. Your submission will reach all
ISC handlers. Your e-mail address will only be used to reply to your
submission." doesn't count.

we'll see what the public has to say eh?

this is a major news event thats about to unfold...

the name of the offender will remain undisclosed until i decide if i
go public with this or not and what the strategy will be....

the next few hours the transcript will be post to full-disclosure or
n3td3v list. maybe both.

this is a window of opportunity for dialog if you want to have it to
stop the transcript from being made public and for the person to owe
up to sans and the other handlers that this incident has just taken
place.

an e-mail i sent to handlers@...s.org was in the last hour post to
##security freenode, which led to the e-mail being publically
discussed with all the channel members, much to my embarassment.

i dont buy his excuse that because it wasn't sent via the form then
the e-mail was allowed to be copy& pasted to a public channel and be
discussed publically,

the person then told me to apologise for what i sent to sans infront
of everyone.

it is a big public channel, this is completely unacceptable.


---------- Forwarded message ----------
From: n3td3v <xploitable@...il.com>
Date: Thu, Mar 20, 2008 at 8:17 PM
Subject: Re: sans handler gives out n3td3v e-mail to public
To: Johannes Ullrich <jullrich@...lidian.com>, handlers@...s.org


On Thu, Mar 20, 2008 at 7:08 PM, Johannes Ullrich
<jullrich@...lidian.com> wrote:
> n3td3v:
>
>   thanks for letting us know. We will deal with this breach internally.

n3td3v please don't make this public, please please.

> Please refrain from sending any additional e-mail either regarding this
> incident or additional incidents to handlers@...s.org or other aliases used
> by this group or its individuals.

we're begging you, please!!!

>    Thanks.

its too late for thanks, prepare for a PR crisis.


[10:28] <PhilKC> Hi.
[10:31] <worried> hi
[10:32] <PhilKC> Hiya, fancy filling me in on all the details of your issue? :)
[10:32] <worried> a sans.org handler post an e-mail i sent to
handlers@...s.org to ##security
[10:33] <worried> this goes against their privacy agreement
[10:33] <worried> and the handler made fun of me and made me say sorry
about the e-mail
[10:33] <worried> which should never of been copy&pasted to the channel
[10:33] <worried> and then i said i want to post the channel log to a
mailing list and njan said he would k-line me if i did
[10:34] <PhilKC> Ah
[10:35] <worried> njan says he will ban me from security channel and
k-line me if i post proof of the sans violation to a public mailing
list
[10:35] <worried> this is unfair
[10:35] <worried> my rights to privacy were violated and i was made
fun of in a public freenode channel
[10:35] <PhilKC> Every channel has its own rules on public logging
(Wikipedia for example prohibits all public logging), breaking these
rules can result in you being banned from the channel/project, but,
from what you have told me, I don't see why a kline would be applied.
[10:36] <PhilKC> (njan is a channel op on ##security and as such can
enforce said rules about logging)
[10:36] <worried> so tell njan that, so i can proceed to press send on
this e-mail
[10:36] <worried> njan is just being a dick to protect his friend
[10:37] <worried> he is trying to stop me posting to a mailing list
through a technicality
[10:37] <worried> of a freenode rule
[10:37] <PhilKC> There's nothing to stop you sending the email, *but*
if it breaches the channel policy on public logging then you may be
banned from that channel.
[10:37] <worried> njan says k-line too
[10:38] <worried> he is trying his best to scare me
[10:39] <PhilKC> Hows about, before you send the mail, I have a chat
with njan and we'll see if we can sort this out?
[10:39] <worried> deal
[10:39] <PhilKC> :)
[10:39] <worried> are u a senior staff?
[10:40] <PhilKC> I'm staff, not senior though. :)
[10:40] <PhilKC> Will you be around for a couple of hours whilst I try
and summon njan?
[10:40] <worried> yes
[10:40] <PhilKC> Great, I shall poke you as soon as he's about. :)
[10:41] <PhilKC> And, thank you for coming to us to talk about the
issue, it is appreciated :)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists