Open Source and information security mailing list archives
Message-ID: <4DB593CA.7040904@gmail.com>
Date: Mon, 25 Apr 2011 11:31:22 -0400
From: Steven Pinkham <steve.pinkham@...il.com>
To: Rain Liu <yu.liu@...ec.org>
Cc: websecurity@...ts.webappsec.org,
	full disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: Unbelivable,
	Pangolin 3.2.3 free edition released

Rain Liu wrote:
> Hi Steven Pinkham,
>
> I think this is an old question that has been answered. You can make
> settings in the Pangolin main panel.
>
> "Edit->Setting->Oracle", change the "Remote Data URL" and "Remote Info
> URL" as you wish. Exit Pangolin and run it again to take effect.
>
> Here are example settings:
> http://www.nosec-inc.com/en/images/pangolin-oracle-setting.gif
>
> Wish you guys happy.
>
> BEST REGARDS TO YOU AND YOUR FAMILY
>
> Rain Liu

It's entirely possible that is all there is to it.
Let me be perfectly clear: For people in the real world to trust your
tool, those fields should be empty by default, and clear instructions
and demo code should be given on how to set that feature up on their own
servers.  A poorly documented feature that sends your data to third
parties by default *is unacceptable*, and if you want professional users
to take you seriously data privacy needs to be the default.

There are still a lot of questions that are poorly documented, like:
How does the feature you call "bypass firewall" work?  What, if any, 3rd
parties are involved?

Can you certify that there are no third parties involved in any action of
Pangolin besides the Oracle setting, or are there other undiscovered
pitfalls for the professional user?  The existence of this poorly
documented, data-stealing-by-default option completely undermines my
trust in your tool, and I would be VERY cautious in any use of said tool.

Personally, I'd rather stick to open source, auditable tools whenever
possible, and sqlmap is my SQL injection tool of choice.  Honestly, your
answers to these questions are not likely to make me switch (sqlmap is
*that good* in recent releases), but may serve to cut down on my abuse
of people who consider using your tool.
-- 
 | Steven Pinkham, Security Consultant    |
 | http://www.mavensecurity.com           |
 | GPG public key ID CD31CAFB             |

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/