Message-ID: <CALCvwp43Wi_SzxbVw6MO=Tuu=D-S0YA9DraNBCfK7vZ_vV5zDw@mail.gmail.com>
Date: Wed, 2 Nov 2011 09:38:53 +1100
From: xD 0x41 <secn3t@...il.com>
To: Peter Dawson <slash.pd@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Facebook Attach EXE Vulnerability

I sort of have to agree with this, as I earlier stated, FB somehow
seems to affect even those who don't use it (like me), but all my
family, and their friends and their friends, as I know, nearly
everyone I know uses it but me!
I guess this is why I am a bit peeved at their offer of 500 bucks for a
bug but again, this is 90% more than 99% of the others out there would
offer :s
This is a large network, and as I know MySpace failed due to many bugs
and viruses, and one particular worm (was actually coded in VB and was
hiding itself as some plugin...remember) that bug destroyed the
entire place, trust was gone, one bug did this.
Would it be hard for them to, say, up their portfolio and maybe align
it in accordance with at least Google, who is paying 1337$ for standard
bugs and this INCLUDES d0s, which was pathetic, I saw that FB won't pay
on that, I know their webserver cannot be that good, and if they're
this confident, then they must still not have learnt about 0days...
If more people followed Google's lead, I'd be a happier man. That is all
bugs 1k minimum, rce/rci 3k, now you are on par with the blacker
side, and worth more than the fun of the exploiting or even now the
gains...
cheers.



On 2 November 2011 02:56, Peter Dawson <slash.pd@...il.com> wrote:
> Yes to a certain degree it's all about "Saving FACE"... however FB's
> 30-member integrity team is only bothered about how to manage the vectors
> that have been primed to protect.
>
> FB is the largest network "protected"... (YES big word Protected!! / they
> have over 25B checks per day and reaching up to 65K/sec at peak. Building an
> Immune System as large as FB's takes time, but it's only on known vectors.
> The unknown is never realized unless one is willing to collaborate and
> confirm with user/community. Large Orgs have the syndrome of living in
> the "ivory tower" and that is the biggest downfall.
>
> What could have happened if a zero day was filed and alternative markets
> were sought with this bug? Yes, alternative markets pay better!.. but
> just saying... what were the damage ratios to users?
>
>
> /pd
>
> On Tue, Nov 1, 2011 at 9:03 AM, Mikhail A. Utin <mutin@...monwealthcare.org>
> wrote:
>>
>> Facebook is trying to save its face. It's typical.
>> I got the same answer from SonicWALL one year ago when I discovered that
>> simple internal network scanning (Nessus, Nmap, etc.) brings down the entire
>> network. The firewall's internal TCP connection stack was overloaded within a
>> few seconds (IPS is not enabled), thus it was not accepting new connections.
>>
>> Mikhail A. Utin, CISSP
>> Information Security Analyst
>>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
