10 years
> more damaging than it is beneficial. The entire "binary
> planting" concept was flawed from the very beginning. If you
> can drop a binary file on a user's machine - make it an
> executable and be done with it. There's nothing fancy or
> innovative about forcing applications to use specific DLLs -
> script kiddies have been doing it for over 10 years to inject
> custom code in multiplayer games.
>
> On Thu, Sep 15, 2011 at 3:59 PM, Thor (Hammer of God)
> <thor@hammerofgod.com> wrote:
>
information from them in the future, now that rootkits as a threat to IOS is a
publis issue.
Cisco's "threats don't exist until our clients already know of them" strategy
is running out of steam, and will soon outlive its usefulness. Cisco is acting
pretty much like Microsoft did 10 years ago, they shouldn't be surprised if
security research treats them the same way as it treated Microsoft.
I know what their treatment made _me_ do psychologically, it made me not want
to reach out to them. It seems like the Michael Lynn way is the only way to go
with their current attitude--full disclosure.
installing systems (whether with Owl or not). Another secondary use is
for operating systems and/or computer security courses, which benefit
from the simple structure of Owl and from our inclusion of the complete
build environment.
This release marks roughly 10 years of our project - development started
in mid-2000, and Owl 0.1-prerelease was made public in 2001. Curiously,
most other "secure" Linux distros that appeared at about the same time
are no longer around. (EnGarde Secure Linux appears to be the only
exception, but it is completely different both in approach to security
and in functionality.)
http://lcamtuf.coredump.cx/chsplice/
2) I reported this to the vendor long time ago, and could not get them
to commit to a specific fix: Safari allows windows without the address
bar and other essential chrome, akin to the behavior of other browsers
circa 10 years ago. This essentially makes all other address spoofing
vulnerabilities redundant, as the attacker has the ability to decorate
windows arbitrarily (you can look up ancient proof-of-concept exploits
for Netscape or MSIE here).
/mz
Facts:
1. There are botnet attacks against .ge websites.
2. These attacks affect the .ge Internet infrastructure, but it's reachable.
3. It doesn't seem Internet infrastructure is directly attacked.
4. Every other political tension in the past 10 years, from a comic of the
Prophet Muhammad to the war in Iraq, were followed by online supporters
attacking targets which seem affiliated with the opposing side, and vise-versa.
Up to the Estonian war, such attacks would be called "hacker enthusiast
attacks" or "cyber terrorism" (of the weak sort). Nowadays any attack with a
they worked for) accepted US government money to put backdoors into
our network stack, in particular the IPSEC stack. Around 2000-2001.
Since we had the first IPSEC stack available for free, large parts of
the code are now found in many other projects/products. Over 10
years, the IPSEC code has gone through many changes and fixes, so it
is unclear what the true impact of these allegations are.
The mail came in privately from a person I have not talked to for
nearly 10 years. I refuse to become part of such a conspiracy, and
will not be talking to Gregory Perry about this. Therefore I am
image were infested with malware, and that either the infestation was not
detected at all (bad) or the infestation was detected, but incompletely
(or accidentially, when "%windir%\temp" was cleared) "removed" and a
compromised system used to build the system image (worse).
JFTR: MSFT initiated their "trustworthy computing" about 10 years ago!
To complete the picture: the ACLs on the directory "%windir%\temp" in
systems installed from this image/CD allow unprivileged users to create
a subdirectory "sso" in "%windir%\temp" and then the "ssoexec.dll",
>> more damaging than it is beneficial. The entire "binary
>> planting" concept was flawed from the very beginning. If you
>> can drop a binary file on a user's machine - make it an
>> executable and be done with it. There's nothing fancy or
>> innovative about forcing applications to use specific DLLs -
>> script kiddies have been doing it for over 10 years to inject
>> custom code in multiplayer games.
>>
>> On Thu, Sep 15, 2011 at 3:59 PM, Thor (Hammer of God)
>> <thor@hammerofgod.com> wrote:
>>
Intruders Tiger Team Security (http://www.intruders.com.br/) is a
SecurityLabs (http://www.security.org.br) division.
The Intruders Tiger Team Security (ITTS) is a group of researchers
with more than 10 years of experience, specialized in the development
of penetration tests.
All the penetration tests realized until the moment by the Intruders
Tiger Team Security had 100% of success.
> Seems to be a moot point to me---whether the PRNG is
> cryptographically weak or not because of the small sequence number
> space.
Around 10 years ago the PRNG used was id++.
I still think that the algorithm we invented as a group with Niels
Provos, David Mazieres, some researchers at Core SDI, and further
improved by David Wagner is better than what ISC is shipping. We've
been using our algorithm for 10+ years, too. Not just for DNS ID's
i'm hoping H1kari and Steve can be prevailed upon to give a potted
version of their GSM cracking talk, but at the least i'm sure they'll be
able to give us an update on progress...
Barkode is making a documentary about the last 10 years of the hacking
scene and will have a cameraman with him, so if you have any tales to
tell (or know someone who should be in it), please come along and
participate (note that if you are camera shy that will be respected -
filming will be discrete and optional).
|
