lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 10 Oct 2012 14:06:06 -0700
From: "Thor (Hammer of God)" <thor@...merofgod.com>
To: Philip Whitehouse <philip@...uk.com>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Multiple 0-days in Dark Comet RAT

It's InfoSec. Nothing has any meaning anymore.  Or, better stated, things means whatever people want them to mean in order to forward their agenda.  When we talked about full disclosure a while back, somebody said I was "jaded" as if it meant I had "clouded judgement."  They were actually right though, as jaded" means "negative by way of experience."  

I remember when people started using metrics like "moderately critical" to describe their [what they called] 0-day XSS vulnerability for some ancient CRM package. That way they get to say they published 14,000 0-days on their marketing material. 

Some dude recently posted on a professional list how he routinely cracks the NTLMv2 hashes for 10,000 users in 36 hours with rainbow tables.  Of course every single part of the statement is complete BS but no one (except me) even blinked. 

People talk about how stupid users are, but I think the people in the industry are far worse. 

Sent from whatever device will keep us from debating which one is better.

On Oct 9, 2012, at 9:59 AM, Philip Whitehouse <philip@...uk.com> wrote:

> Does 0-day have any meaning any more? It used to mean there were exploits in the wild used to cause damage before the vendor patched it not merely that a security researcher found it and disclosed it to the public before the vendor did.
> 
> If a 0 day is everything found by a security team before a vendor then the term will loose all purpose and meaning because almost all work done by such researchers is finding vulns. before the vendor.
> 
> End rant.
> 
> Philip Whitehouse
> 
> On 8 Oct 2012, at 21:33, "Hertz, Jesse" <jesse_hertz@...wn.edu> wrote:
> 
>> SQL Injection and Arbitrary File Access present in Command and Control server of DarkComet RAT
>> 
>> for more info see:
>> http://matasano.com/research/PEST-CONTROL.pdf
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ