lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20120113163805.1e3b3bd7@d-172-27-99-125.bootp.virginia.edu>
Date: Fri, 13 Jan 2012 16:38:05 -0500
From: Benjamin Kreuter <ben.kreuter@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Rate Stratfor's Incident Response

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On Fri, 13 Jan 2012 15:17:07 -0600
Paul Schmehl <pschmehl_lists@...rr.com> wrote:

> --On January 13, 2012 2:03:36 PM -0600 Laurelai
> <laurelai@...echan.org> wrote:
> 
> >>
> > Well just remember they could have *not* told you and helped
> > themselves to a backdoor. If they wanted to door you they probably
> > wouldn't have told you.
> >
> 
> Which is precisely what he'd like you to think.

So the attacker, hoping to keep his backdoor, will tell you about the
vulnerability he exploited that you were presumably not aware of, and
then hope that the system is not audited?

Of course you are going to audit the system that was attacked.  Not
because you fear the person who reported the problem, but because there
is an exploitable vulnerability that anyone could have exploited.

- -- Ben



> -- 
> Paul Schmehl, Senior Infosec Analyst
> As if it wasn't already obvious, my opinions
> are my own and not those of my employer.
> *******************************************
> "It is as useless to argue with those who have
> renounced the use of reason as to administer
> medication to the dead." Thomas Jefferson
> "There are some ideas so wrong that only a very
> intelligent person could believe in them." George Orwell
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> 


- -- 
Benjamin R Kreuter
UVA Computer Science
brk7bx@...ginia.edu

- --

"If large numbers of people are interested in freedom of speech, there
will be freedom of speech, even if the law forbids it; if public
opinion is sluggish, inconvenient minorities will be persecuted, even
if laws exist to protect them." - George Orwell
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)

iQIcBAEBCgAGBQJPEKRCAAoJEOV0+MnZK9ijv7MP/3XMMK3h60kAWWaKV+wpC57T
eHcO0NAF/+6MWgZGhggCGDP/hCH0xa/mIH/I173ATfxgJJAQVcN/6aPWRQWs3CcJ
S4affujeJ+/hgK0FtSMIwEx/jZciuw85hZc4i11IKzEs5Tjhe/CO6jZdlmULI/Ia
E+MUk6L2Mb+XlV0dlc7y15lOY+qGVYV6FeAIfyncgmXJScx+ZUi4kBmdJ8ep0HSz
Zhl1D19jk6IH7taXYjk78jlRZ1p8gkgsT8R4dL5F/ZkwBMJ2u4ejpXWIKQo+fMXn
adpfivtAsHQeMXJffklaV27gWvvfP0fR85HeXSl+pe5JejLLldl7nvezH0GNNAmC
9kKDS/8WP6sG+p2gWo9XfiJvLH9hXcCOgDeUwQ6WFAov65BVXEXuhEKNyRuvf4OX
zIGcg5T1YelC9ytE5EzcHRe+pvyzXa2TU6u1dtBFMRXPFCEmMP9SVzU/8HuEJD0P
ByIjk+7INYRmyF2qyp3JEM8DRtQJW8I/x8Ll1m822Pdd91n9ILm9wURYT2TUGLJQ
8GvLb3R7uazsKgQxpdF2Pi5wr6QHtMb/L81Fpyqey9WSfyeDJpQtXR4Xl/N6sVwY
Kwu22OxHU2hofAwxzjng+/Tz2UI8bBTwcvj+z6hAac/Gw53mgsQ2Byz6rKLg3EK2
3DCnHBRToUChjPVOowbL
=fZSB
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ