Open Source and information security mailing list archives
 
Message-Id: <5D989F38-AF45-4D60-A407-311871D22C82@b3nji.com>
Date: Thu, 15 Nov 2012 19:09:02 +0000
From: Benji <me@...ji.com>
To: klondike <klondike@...ndike.es>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Skype account + IM history hijack vulnerability

Furthermore, I didn't say you were talking about a '0day'. It was an example.

Re never seeing anyone call it user enumeration: do you live in a cave of some sort? This is what a) all major tools classify it as, b) CVE issuings classify it as, c) major infosec providers such as pentest companies classify it as.



Sent from my iPhone

On 15 Nov 2012, at 18:59, klondike <klondike@...ndike.es> wrote:

> On 15/11/12 09:47, Benji wrote:
>> Sometimes when people argue over the definition of '0day', it is important to be clear.
> I never called my attack a 0-day, did I?
>> Although the bash script made it clear, I have never ever seen someone call 'user enumeration' an 'oracle attack'.
> Turns out I have never seen anybody call an 'oracle attack' 'user
> enumeration'.
>> Probably because this is 2012 and the Matrix hasn't just come out.
> Probably because the attack won't give you the whole list of usernames
> but instead tell you which e-mails (not necessarily being a username)
> on your list are on its list. Also turns out the concept of oracle has
> been in use in the computation world way before you think and before the
> OWASP guys arbitrarily decided such a name in, amongst others, the
> complexity theorems that keep the cryptography used nowadays secure, so,
> please, stop acting childishly over something as stupid as the name of
> the attack and concentrate instead on the exposed issue.
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
