lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <BANLkTincLsuykRy9DU8eyWJ+_rdwFhZ6Jw@mail.gmail.com>
Date: Mon, 25 Apr 2011 14:19:00 -0700
From: "Zach C." <fxchip@...il.com>
To: Steven Pinkham <steve.pinkham@...il.com>
Cc: websecurity@...ts.webappsec.org,
	full disclosure <full-disclosure@...ts.grok.org.uk>,
	Rain Liu <yu.liu@...ec.org>
Subject: Re: Unbelivable,
	Pangolin 3.2.3 free edition released

Heh -- did anyone else just get spammed by these jokers?

In any case: even if you change this setting where they tell you to, does
the code actually honor the change or is it just a farce for the user's
benefit? And, perhaps more importantly, why should I have to grab it,
blindly trust it and run it to find out?

Besides even that, assuming the change was actually honored, how would one
go about creating a page that would work with it?

On Mon, Apr 25, 2011 at 8:31 AM, Steven Pinkham <steve.pinkham@...il.com>wrote:

> Rain Liu wrote:
> > Hi Steven Pinkham,
> >
> > I think this is an old questions that have been answered. You can make
> > settings in Pangolin main panel.
> >
> > "Edit->Setting->Oracle", Change the "Remote Data URL" and "Remote Info
> > URL" as you wish. Exit pangolin and run it again to take effects.
> >
> > Here is example settings
> > http://www.nosec-inc.com/en/images/pangolin-oracle-setting.gif
> >
> > Wish you guys happy.
> >
> > BEST REGARDS TO YOU AND YOUR FAMILY
> >
> > Rain Liu
>
> It's entirely possible that is all there is to it.
> Let me be perfectly clear: For people in the real world to trust your
> tool, those fields should be empty by default, and clear instructions
> and demo code should be given on how to set that feature up on their own
> servers.  A poorly documented feature that sends your data to third
> parties by default *is unacceptable*, and if you want professional users
> to take you seriously data privacy needs to be the default.
>
> There's still a lot of questions that are poorly documented like:
> How does the feature you call "bypass firewall" work?  What if any 3rd
> parties are involved?
>
> Can you certify that there no third parties involved in any action of
> Pangolin besides the Oracle setting, or are there other undiscovered
> pitfalls for the professional user?  The existence of this poorly
> documented, data stealing by default option completely undermines my
> trust in your tool, and I would be VERY cautious in any use of said tool.
>
> Personally, I'd rather stick to open source, auditable tools whenever
> possible, and sqlmap is my sql injection tool of choice.  Honestly, your
> answers to these questions are not likely to make me switch(sqlmap is
> *that good* in recent releases), but may serve to cut down on my abuse
> of people who consider using your tool.
> --
>  | Steven Pinkham, Security Consultant    |
>  | http://www.mavensecurity.com           |
>  | GPG public key ID CD31CAFB             |
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ