From bania.piotr at gmail.com Sun Jun 3 04:36:06 2007
From: bania.piotr at gmail.com (Piotr Bania)
Date: Sun, 03 Jun 2007 10:36:06 +0200
Subject: [Dailydave] Disinfectors for the calculator virus (ti89.Gaara)
Message-ID: <46627D76.607@gmail.com>

Hey,

For those who are interested, I made two types of Gaara (the calculator virus) disinfectors. The first one patches the virus body, which causes control to return to the host just when the EPO injection transfers control to the virus. So the virus will not get executed at all. The second one tries to find an EPO injection by searching for BRA opcodes and testing them for suitable conditions.

Here are the codes:

Dis1:
Source: http://piotrbania.com/all/ti89/dis1.c
Binary: http://piotrbania.com/all/ti89/dis1.89z

Dis2:
Source: http://piotrbania.com/all/ti89/dis2.c
Binary: http://piotrbania.com/all/ti89/dis2.89z

I hope you will find them somehow interesting.

best regards,
pb

--
--------------------------------------------------------------------
Piotr Bania - - 0xCD, 0x19
Fingerprint: 413E 51C7 912E 3D4E A62A BFA4 1FF6 689F BE43 AC33
http://www.piotrbania.com - Key ID: 0xBE43AC33
--------------------------------------------------------------------
- "The more I learn about men, the more I love dogs."

From z at bellua.com Mon Jun 4 05:11:35 2007
From: z at bellua.com (Anthony Zboralski)
Date: Mon, 4 Jun 2007 16:11:35 +0700
Subject: [Dailydave] BCS'07 Call For Papers
In-Reply-To: <8ba599bc0705290221q1a0f914ek6ec5256f536f801d@mail.gmail.com>
References: <8ba599bc0705290221q1a0f914ek6ec5256f536f801d@mail.gmail.com>
Message-ID: <8ba599bc0706040211r4f911e30ya4befefff896672d@mail.gmail.com>

Here is the BCS'07 announcement video.
It covers the previous event and can give an idea of what Jakarta is like :)

http://www.youtube.com/watch?v=aVlrvTGDgS0

On 5/29/07, Anthony Zboralski wrote:
> Dear Daily Dave readers,
>
> The call for papers and conference registration is now open for
> BCS'07, our third annual information security & hacking conference.
>
> From 30 to 31 October 2007, BCS'07 will be held at the Grand Melia in
> Jakarta, Indonesia.
>
> We invite proposals for paper presentations and demonstrations:
>
> Your submission should include:
> 1. Name, title, address, email and phone number
> 2. Draft of the proposed presentation (in PDF, PowerPoint or Keynote
> format), proof of concept for tools and exploits, etc.
> 3. Short biography, qualification, occupation, achievement and
> affiliations (limit 150 words).
> 4. Summary or abstract for your presentation (limit 150 words)
> 5. Time (40-60 minutes). Include time for discussion and questions
> 6. Technical requirements (video, internet, wireless, audio, etc.)
>
> We do not accept product, service or vendor related presentations.
>
> Please send your proposal to bcs07-cfp at bellua.com as soon as possible
> and no later than 30 June 2007.
>
> Proposals will be evaluated in the order received; submit early to
> maximise your chances of being selected.
>
> Links:
> http://www.bellua.net or http://www.bellua.com/bcs/
>
> Pictures from BCS2006:
> http://www.bellua.net/asia06.pictures/index.html
>
> Pictures from BCS2005:
> http://www.bellua.net/asia05.pictures/index.html
>
> Many thanks,
> Anthony Zboralski
>
> --
> Anthony C. Zboralski
> PT Bellua Asia Pacific - http://www.bellua.com
> Bumi Daya Plaza 9th Floor, jl. Iman Bonjol No.61
> Jakarta 10310 Indonesia.
> Phone: +62 21 398 341 16 Fax: +62 21 398 341 14
> DDD52B1F - EDA5 61CB EC6A EE3F 05D6 7FB5 445A 1B9F DDD5 2B1F

--
Anthony C. Zboralski
PT Bellua Asia Pacific - http://www.bellua.com
Bumi Daya Plaza 9th Floor, jl. Iman Bonjol No.61
Jakarta 10310 Indonesia.
Phone: +62 21 398 341 16 Fax: +62 21 398 341 14
DDD52B1F - EDA5 61CB EC6A EE3F 05D6 7FB5 445A 1B9F DDD5 2B1F

From dave.aitel at gmail.com Mon Jun 4 23:52:31 2007
From: dave.aitel at gmail.com (Dave Aitel)
Date: Mon, 4 Jun 2007 23:52:31 -0400
Subject: [Dailydave] DKM is back :>
Message-ID:

We live in some sort of alternate universe, where one of the best writers of our time has a day job as an SQL Server designer. If you haven't read The Long Run, or The Last Dancer [1], you should. Anyways, he emerged from the depths and now has a weblog: http://danielkeysmoran.blogspot.com/ .

I was going to write a big long post about buying bugs, and valuing vulnerabilities, and stuff like that, but I'll leave that for tomorrow. Today is happy Mac Hunting Day! (Everyone is learning the hard way whether or not mDNS can be exploited only from local networks now that CANVAS Professional has been updated with the mDNS exploit ;>)

-dave

[1] http://www.amazon.com/Long-Run-Tale-Continuing-Time/dp/1576466396/ref=pd_bbs_4/104-5280247-2871126?ie=UTF8&s=books&qid=1181014014&sr=8-4

From cisoguy at gmail.com Tue Jun 5 11:44:06 2007
From: cisoguy at gmail.com (Jeff Moore)
Date: Tue, 5 Jun 2007 08:44:06 -0700
Subject: [Dailydave] VA Vendor Tip?
Message-ID: <97775f7a0706050844w55010fcatff88df6d8020e1d9@mail.gmail.com>

Does anyone on the list have a good recommendation for a VA software vendor? I am currently an eEye Retina customer but need to find a better solution with an actual development team in place to support that solution. Is Tenable a good choice?

http://www.darkreading.com/document.asp?doc_id=125486&WT.svl=news1_4

"Preview represents the third "pillar" of eEye's business, says Marc Maiffret, CTO and chief hacking officer for eEye, joining its flagship Retina Network Scanner and Blink endpoint security software.
eEye made a name for itself after discovering, and naming, the infamous CodeRed worm in 2001."

Third pillar? The other two pillars are crumbling, so they set up a third one to prop up what is left. As a Retina customer I am very dissatisfied to see that eEye just fired the entire team responsible for Retina, including guys like Ryan Permeh. They also cut their QA team, which will make bad products even worse. Their engineering staff is down to three or four guys and they want to jump in the professional services game?

What research team are you trying to sell? The only researcher you have left is this guy - http://datarescue.com/idabase/hallofshame.html and of course the chief hacking officer who has never discovered a bug.

"eEye made a name for itself after discovering, and naming, the infamous CodeRed worm in 2001."

It is now 2007. What have you done lately, eEye? I don't think anyone cares that you "discovered" a 6 year old worm. Your customers want stability and a future, not a scheme (Preview) for your VC to grab some extra cash before they turn out the lights.

So while you are chasing 50K from those who are still impressed by CodeRed and stolen copies of IDA, your core customers, those who you have abandoned like you did the engineers responsible for those products, will take their money to other more stable vendors that offer some sort of stability.

Maybe it is time to throw in the towel. If Retina is the flagship, then that ship has sailed into some rocks and sunk.

-J

From sun at vakharia.info Tue Jun 5 14:00:54 2007
From: sun at vakharia.info (The Sun)
Date: Tue, 5 Jun 2007 23:30:54 +0530
Subject: [Dailydave] VA Vendor Tip?
References: <97775f7a0706050844w55010fcatff88df6d8020e1d9@mail.gmail.com>
Message-ID:

I have used Retina, Internet Scanner, GFI LNSS, and Nessus. Recently I evaluated QualysGuard and would recommend it over all the others. I have heard that nCircle has a good VA product too.

The reporting is excellent. Plus the updates are very quick.

----- Original Message -----
From: Jeff Moore
To: dailydave at lists.immunitysec.com
Cc: full-disclosure at lists.grok.co.uk ; Higgins at DarkReading.com
Sent: Tuesday, June 05, 2007 9:14 PM
Subject: [Dailydave] VA Vendor Tip?

Does anyone on the list have a good recommendation for a VA software vendor? I am currently an eEye Retina customer but need to find a better solution with an actual development team in place to support that solution. Is Tenable a good choice?

[rest of Jeff Moore's original post quoted in full; see above]

_______________________________________________
Dailydave mailing list
Dailydave at lists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave

From trklisted at networksamurai.org Thu Jun 7 10:57:31 2007
From: trklisted at networksamurai.org (mOses)
Date: Thu, 07 Jun 2007 10:57:31 -0400
Subject: [Dailydave] VA Vendor Tip?
References: <97775f7a0706050844w55010fcatff88df6d8020e1d9@mail.gmail.com>
Message-ID: <46681CDB.2090505@networksamurai.org>

I used to do VA analysis for a large company (38,000 nodes). I think the following are excellent products to look at.

Retina/REM (the ability to support 'dod' type environments by being able to meet a 4 hour release cycle is important. Vulnerability research is pretty good at the company, which is always a bonus, whether it meets up to par with everyone.... you can't please everyone, right?)

Nexpose (runs on linux and windows, also can do some metasploit type work and also some spi dynamics type xss stuff.... if you really need to do that, however, purchase core/canvas or spi dynamics... though, right?)

QualysGuard (an asp model...
has its advantages, such as everyone feeding back data to one central point... like fingerprinting info...)

just my 2cents..

mOses
networksamurai.org

The Sun wrote:
> I have used Retina, Internet Scanner, GFI LNSS, and Nessus. Recently I
> evaluated QualysGuard and would recommend it over all the others.
> I have heard that nCircle has a good VA product too.
>
> The reporting is excellent. Plus the updates are very quick.
>
> ----- Original Message -----
> *From:* Jeff Moore
> *To:* dailydave at lists.immunitysec.com
> *Cc:* full-disclosure at lists.grok.co.uk ; Higgins at DarkReading.com
> *Sent:* Tuesday, June 05, 2007 9:14 PM
> *Subject:* [Dailydave] VA Vendor Tip?
>
> Does anyone on the list have a good recommendation for a VA
> software vendor? I am currently an eEye Retina customer but need
> to find a better solution with an actual development team in place
> to support that solution. Is Tenable a good choice?
>
> [rest of Jeff Moore's original post quoted in full; see above]

From daharrison at verisign.com Thu Jun 7 14:40:54 2007
From: daharrison at verisign.com (Harrison, Daniel)
Date: Thu, 7 Jun 2007 11:40:54 -0700
Subject: [Dailydave] VA Vendor Tip?
In-Reply-To: <46681CDB.2090505@networksamurai.org>
Message-ID:

Qualys's scanning is decent and pretty configurable (though you can't create custom checks), but the reporting engine is a bit squishy (even their reps will tell you they understand its limitations and are working on it).
You can generate reports and all that, and management usually loves the summaries, but some of their trending options are a bit wacky (but the support people are usually pretty good & responsive, and not afraid to escalate if they don't know how to fix something). They do have an api, so you can suck up the raw data and create your own custom reports, etc.

Also you can't readily back up the data, at least without some steps. Now Qualys does backups on their end, but I am not sure what the retention policy is, or how long it takes to restore (hell, even if they will do a restore). Using the api you can dump the data to a db, but that seems a bit clunky to me.

You just have to be willing to spend some time getting the kinks out (and this has to be done with any product).

To add my $0.02 as well.

-dan

-----Original Message-----
From: dailydave-bounces at lists.immunitysec.com [mailto:dailydave-bounces at lists.immunitysec.com] On Behalf Of mOses
Sent: Thursday, June 07, 2007 7:58 AM
To: dailydave at lists.immunitysec.com
Subject: Re: [Dailydave] VA Vendor Tip?

I used to do VA analysis for a large company (38,000 nodes). I think the following are excellent products to look at.

Retina/REM (the ability to support 'dod' type environments by being able to meet a 4 hour release cycle is important. Vulnerability research is pretty good at the company, which is always a bonus, whether it meets up to par with everyone.... you can't please everyone, right?)

Nexpose (runs on linux and windows, also can do some metasploit type work and also some spi dynamics type xss stuff.... if you really need to do that, however, purchase core/canvas or spi dynamics... though, right?)

QualysGuard (an asp model... has its advantages, such as everyone feeding back data to one central point... like fingerprinting info...)

just my 2cents..

mOses
networksamurai.org

The Sun wrote:
> I have used Retina, Internet Scanner, GFI LNSS, and Nessus. Recently I
> evaluated QualysGuard and would recommend it over all the others.
> I have heard that nCircle has a good VA product too.
>
> The reporting is excellent. Plus the updates are very quick.
>
> [Jeff Moore's original post quoted in full; see above]

From dan at geer.org Thu Jun 7 15:30:58 2007
From: dan at geer.org (dan at geer.org)
Date: Thu, 07 Jun 2007 15:30:58 -0400
Subject: [Dailydave] luckily, there are no dumb questions
Message-ID: <20070607193058.EBBC3341C7@absinthe.tinho.net>

Luckily, there are no dumb questions or this would likely be one.

How is it so that MS Windows uses only Rings 0 & 3? An engineering answer, a marketing answer, and/or an historical answer would be welcome. Don't know why I never thought to ask before, but I'm asking now. (And if I'm really wrong, please tell me what uses 1|2.)
Bemusedly,

--dan

From andreas at isecpartners.com Thu Jun 7 16:35:48 2007
From: andreas at isecpartners.com (Andreas Junestam)
Date: Thu, 7 Jun 2007 13:35:48 -0700
Subject: [Dailydave] luckily, there are no dumb questions
References: <20070607193058.EBBC3341C7@absinthe.tinho.net>
Message-ID: <9A8B6F6543DCDE4DB331605EB1D03EB3344483@mail.isecpartners.com>

If memory serves me right, Alpha only supported two "rings" and therefore only 2 were used on Intel as well.

/andreas

-----Original Message-----
From: dailydave-bounces at lists.immunitysec.com on behalf of dan at geer.org
Sent: Thu 6/7/2007 12:30 PM
To: dailydave at lists.immunitysec.com
Subject: [Dailydave] luckily, there are no dumb questions

Luckily, there are no dumb questions or this would likely be one.

How is it so that MS Windows uses only Rings 0 & 3? An engineering answer, a marketing answer, and/or an historical answer would be welcome. Don't know why I never thought to ask before, but I'm asking now. (And if I'm really wrong, please tell me what uses 1|2.)

Bemusedly,

--dan

From cisoguy at gmail.com Thu Jun 7 16:39:54 2007
From: cisoguy at gmail.com (Jeff Moore)
Date: Thu, 7 Jun 2007 13:39:54 -0700
Subject: [Dailydave] VA Vendor Tip?
In-Reply-To: <46681CDB.2090505@networksamurai.org>
References: <97775f7a0706050844w55010fcatff88df6d8020e1d9@mail.gmail.com> <46681CDB.2090505@networksamurai.org>
Message-ID: <97775f7a0706071339h4740d484k7ae626b64ad980ab@mail.gmail.com>

Apparently you didn't read my post. You say you used to, and that is the point. I am a current Retina/REM customer and I have watched over the years the product go backwards, not forwards.
If you are still a customer like I am, you should be thinking of finding a new solution. With the mass exodus of employees over the last year there is nothing of value left. OK research? Yes, because I want to pay 50K to get details on a Yahoo IM vulnerability. No thank you. Services like frsirt, secunia and even symantec deep sight are years ahead and worth the investment.

On 6/7/07, mOses wrote:
>
> I used to do VA analysis for a large company (38,000 nodes). I think the
> following are excellent products to look at.
>
> Retina/REM (the ability to support 'dod' type environments by being able
> to meet a 4 hour release cycle is important. Vulnerability research is
> pretty good at the company, which is always a bonus, whether it meets up
> to par with everyone.... you can't please everyone, right?)
>
> Nexpose (runs on linux and windows, also can do some metasploit type
> work and also some spi dynamics type xss stuff.... if you really need to
> do that, however, purchase core/canvas or spi dynamics... though, right?)
>
> QualysGuard (an asp model... has its advantages, such as everyone feeding
> back data to one central point... like fingerprinting info...)
>
> just my 2cents..
>
> mOses
> networksamurai.org
>
> The Sun wrote:
> > [The Sun's reply and Jeff Moore's original post quoted in full; see above]

From andrewcu at windows.microsoft.com Thu Jun 7 18:44:36 2007
From: andrewcu at windows.microsoft.com (Andrew Cushman)
Date: Thu, 7 Jun 2007 15:44:36 -0700
Subject: [Dailydave] luckily, there are no dumb questions
In-Reply-To: <9A8B6F6543DCDE4DB331605EB1D03EB3344483@mail.isecpartners.com>
References: <20070607193058.EBBC3341C7@absinthe.tinho.net> <9A8B6F6543DCDE4DB331605EB1D03EB3344483@mail.isecpartners.com>
Message-ID:

Not all chips have four rings. MIPS and Alpha and I think PPC all had user and supervisor modes. x86 has four rings, and NT used three of them for a while, but.... x64 has only user/supervisor when running in 64-bit mode.
From: dailydave-bounces at lists.immunitysec.com [mailto:dailydave-bounces at lists.immunitysec.com] On Behalf Of Andreas Junestam
Sent: Thursday, June 07, 2007 1:36 PM
To: dan at geer.org; dailydave at lists.immunitysec.com
Subject: Re: [Dailydave] luckily, there are no dumb questions

If memory serves me right, Alpha only supported two "rings" and therefore only 2 were used on Intel as well.

/andreas

-----Original Message-----
From: dailydave-bounces at lists.immunitysec.com on behalf of dan at geer.org
Sent: Thu 6/7/2007 12:30 PM
To: dailydave at lists.immunitysec.com
Subject: [Dailydave] luckily, there are no dumb questions

[Dan Geer's question quoted in full; see above]

From johnycsh at gmail.com Thu Jun 7 18:59:07 2007
From: johnycsh at gmail.com (johnny cache)
Date: Thu, 7 Jun 2007 18:59:07 -0400
Subject: [Dailydave] luckily, there are no dumb questions (dan@geer.org)
Message-ID: <470513db0706071559k366903c5obbc81b836fa0875d@mail.gmail.com>

Wouldn't a better question be: "how is it that -no- mainstream OS uses more than 2 rings on x86?" Or "How come nobody uses x86 segmentation (by default)?"

I think the simple answer is that most operating system developers view these features as baggage that have no analogy on other platforms and therefore are to be avoided. Segmentation (by-and-large) got the axe on 64-bit x86 chips.
Who's to say 4-rings wasn't next on the chopping block? If the features have been there and haven't been used in over a decade, its probably not a good idea to dust them off and start depending on them now. Writing an OS that made effective use of all 4 rings would not only be difficult, forward compatability on more "sane" CPUs is almost certain not to happen. Just my 2c. -jc > Date: Thu, 07 Jun 2007 15:30:58 -0400 > From: dan at geer.org > Subject: [Dailydave] luckily, there are no dumb questions > Luckily, there are no dumb questions or this would > likely be one. > > How is it so that MS Windows uses only Rings 0 & 3? > An engineering answer, a marketing answer, and/or > an historical answer would be welcome. Don't know > why I never thought to ask before, but I'm asking > now. (And if I'm really wrong, please tell me what > uses 1|2.) > From schallee at gmail.com Thu Jun 7 23:35:19 2007 From: schallee at gmail.com (Ed Schaller) Date: Thu, 7 Jun 2007 22:35:19 -0500 Subject: [Dailydave] luckily, there are no dumb questions (dan@geer.org) In-Reply-To: <470513db0706071559k366903c5obbc81b836fa0875d@mail.gmail.com> References: <470513db0706071559k366903c5obbc81b836fa0875d@mail.gmail.com> Message-ID: <97fe139a0706072035u1b206434m65d0cdeb3317a634@mail.gmail.com> VMS on the vax did use more than two rings. The lack of that feature caused some control systems to never upgrade from vms on vax. Xen virtualization, and I imagine others, utilizes multiple rings as well. On 6/7/07, johnny cache wrote: > Wouldn't a better question be: "how is it that -no- mainstream OS uses > more than 2 rings on x86?" Or "How come nobody uses x86 > segmentation(by default)?" > > I think the simple answer is that most operating system developers > view these features as baggage that have no analogy on other platforms > and therefore are to be avoided. Segmentation (by-and-large) got the > axe on 64-bit x86 chips. Who's to say 4-rings wasn't next on the > chopping block? 
> If the features have been there and haven't been used
> in over a decade, it's probably not a good idea to dust them off and
> start depending on them now. Writing an OS that made effective use of
> all 4 rings would not only be difficult, forward compatibility on more
> "sane" CPUs is almost certain not to happen.
>
> Just my 2c.
> -jc
>
>
> > Date: Thu, 07 Jun 2007 15:30:58 -0400
> > From: dan at geer.org
> > Subject: [Dailydave] luckily, there are no dumb questions
> > Luckily, there are no dumb questions or this would
> > likely be one.
> >
> > How is it so that MS Windows uses only Rings 0 & 3?
> > An engineering answer, a marketing answer, and/or
> > an historical answer would be welcome. Don't know
> > why I never thought to ask before, but I'm asking
> > now. (And if I'm really wrong, please tell me what
> > uses 1|2.)
> >

From joanna at invisiblethings.org Fri Jun 8 04:35:53 2007
From: joanna at invisiblethings.org (Joanna Rutkowska)
Date: Fri, 08 Jun 2007 10:35:53 +0200
Subject: [Dailydave] luckily, there are no dumb questions
In-Reply-To: <20070607193058.EBBC3341C7@absinthe.tinho.net>
References: <20070607193058.EBBC3341C7@absinthe.tinho.net>
Message-ID: <466914E9.20004@invisiblethings.org>

dan at geer.org wrote:
> Luckily, there are no dumb questions or this would
> likely be one.
>
> How is it so that MS Windows uses only Rings 0 & 3?
> An engineering answer, a marketing answer, and/or
> an historical answer would be welcome. Don't know
> why I never thought to ask before, but I'm asking
> now. (And if I'm really wrong, please tell me what
> uses 1|2.)
>

There is no advantage in using any more rings on current IA32 platforms, as we do not have something called IOMMU, which means that even if we decided to e.g.
keep all device drivers in ring 1, then they could still compromise the (micro)kernel memory (i.e. ring0 thing) using DMA.

The other question is -- even if we had IOMMU, would it be really profitable to keep device drivers in ring 1, while all the rest of the code (usermode apps + services) in ring 3? I'm not sure, probably it would be equally possible (i.e. from the performance point of view) to keep everything in ring 3. (Can somebody please correct me on this?)

AFAIK this is what MINIX3 does (i.e. all drivers and system services are kept in separate address spaces in ring 3). Even though today it doesn't offer too much security (due to lack of IOMMU -- see above), IOMMU is coming to everybody's houses in 2008 or so!

joanna.

From philippelanglois at free.fr Fri Jun 8 06:58:00 2007
From: philippelanglois at free.fr (Philippe Langlois)
Date: Fri, 8 Jun 2007 12:58:00 +0200
Subject: [Dailydave] luckily, there are no dumb questions (dan@geer.org)
In-Reply-To: <470513db0706071559k366903c5obbc81b836fa0875d@mail.gmail.com>
References: <470513db0706071559k366903c5obbc81b836fa0875d@mail.gmail.com>
Message-ID: <64081D27-3A67-417D-83A1-25EC948AFAAB@free.fr>

If I recall well, LSE/OS used all four rings, and rings 1 and 2 can be used to run drivers, and then ring 3 for users. LSE/OS was described as a "nano kernel", and used a state machine hardware (using the hardware context switch). Quite interesting project :)

Sources: http://sourceforge.net/projects/lseos/
Docs & presentations: http://lseos.sourceforge.net/

Best,
Philippe.
On 08 Jun 2007, at 00:59, johnny cache wrote:
> Wouldn't a better question be: "how is it that -no- mainstream OS uses
> more than 2 rings on x86?" Or "How come nobody uses x86
> segmentation (by default)?"
>
> I think the simple answer is that most operating system developers
> view these features as baggage that have no analogy on other platforms
> and therefore are to be avoided. Segmentation (by-and-large) got the
> axe on 64-bit x86 chips. Who's to say 4-rings wasn't next on the
> chopping block? If the features have been there and haven't been used
> in over a decade, it's probably not a good idea to dust them off and
> start depending on them now. Writing an OS that made effective use of
> all 4 rings would not only be difficult, forward compatibility on more
> "sane" CPUs is almost certain not to happen.
>
> Just my 2c.
> -jc
>
>
>> Date: Thu, 07 Jun 2007 15:30:58 -0400
>> From: dan at geer.org
>> Subject: [Dailydave] luckily, there are no dumb questions
>> Luckily, there are no dumb questions or this would
>> likely be one.
>>
>> How is it so that MS Windows uses only Rings 0 & 3?
>> An engineering answer, a marketing answer, and/or
>> an historical answer would be welcome. Don't know
>> why I never thought to ask before, but I'm asking
>> now. (And if I'm really wrong, please tell me what
>> uses 1|2.)
>>
>

From dan at geer.org Fri Jun 8 08:23:41 2007
From: dan at geer.org (dan at geer.org)
Date: Fri, 08 Jun 2007 08:23:41 -0400
Subject: [Dailydave] luckily, there are no dumb questions
In-Reply-To: Your message of "Fri, 08 Jun 2007 10:35:53 +0200." <466914E9.20004@invisiblethings.org>
Message-ID: <20070608122341.8B8D933C6E@absinthe.tinho.net>

At about this point, I might say two things

1. thanks for all the replies; I mean that
2.
Multics had 64 (software) rings and/or 8 (hardware) rings

--dan

From eballen1 at qwest.net Fri Jun 8 11:16:21 2007
From: eballen1 at qwest.net (Bruce Ediger)
Date: Fri, 8 Jun 2007 09:16:21 -0600 (MDT)
Subject: [Dailydave] luckily, there are no dumb questions
In-Reply-To: <20070607193058.EBBC3341C7@absinthe.tinho.net>
References: <20070607193058.EBBC3341C7@absinthe.tinho.net>
Message-ID:

On Thu, 7 Jun 2007 dan at geer.org wrote:
> How is it so that MS Windows uses only Rings 0 & 3?
> An engineering answer, a marketing answer, and/or
> an historical answer would be welcome. Don't know
> why I never thought to ask before, but I'm asking
> now. (And if I'm really wrong, please tell me what
> uses 1|2.)

Here's some (now quite amusing!) material from 1998:

http://www.windowsitlibrary.com/Content/435/01/1.html

"To effectively support both RISC and Intel CPUs, Windows NT uses only two rings in its design, Rings 0 and 3."

I don't know how much credence to lend to early material about NT. It's pretty obvious that marketing drove most of the "technical" stuff available. For example, obvious NT predecessors like Unix and Mach and VMS hardly got a mention in the 1st Edition of "Inside Windows NT".

This collection of papers from the "DEC Technical Journal":

http://www.hpl.hp.com/hpjournal/dtj/vol4num4/toc.htm

doesn't seem to mention "rings" at all, which seems strange. The "RISC" CPU mentioned in the 1998 material is the Alpha. DEC clearly wanted VMS to run on Alpha CPUs, and VMS needed 4 rings. Looks like maybe DEC used "PALcode" to do rings for OpenVMS on Alphas.

From dave.aitel at gmail.com Sat Jun 9 13:52:45 2007
From: dave.aitel at gmail.com (Dave Aitel)
Date: Sat, 9 Jun 2007 13:52:45 -0400
Subject: [Dailydave] The Anti-Virus/IDS fantasy world
Message-ID:

The weblog snippet below shows the attitude I love about the anti-virus and IDS companies. The "I'm better than you both technically and morally" fantasy they live in is quite amazing.
It's like when people derisively say "script kiddie" and 100% of the time they mean "someone who's way better at security than I'll ever be". The reality is that writing malware is incredibly hard, and the people who do it are amazingly talented.

http://www.sophos.com/security/blog/2007/05/120.html

"""
The fact is, whatever the motivation, writing malware is not 'clever', on the whole it's not even particularly difficult. Although this particular author seems to have trouble because the sample we received didn't work.

It takes a lot more skill to identify and remove malware, but in this case, even that wasn't difficult. So my message to the author is, don't bother, get a real job, but don't bother applying to join SophosLabs. In fact judging by the poor quality of what was submitted, I would recommend a completely different career.

Update 4th June - If anyone other than malware authors want to join SophosLabs, we're recruiting

Mark Harris - Director of SophosLabs
"""

-dave

From admin at digibase.ca Sat Jun 9 14:39:04 2007
From: admin at digibase.ca (Kradorex Xeron)
Date: Sat, 9 Jun 2007 14:39:04 -0400
Subject: [Dailydave] The Anti-Virus/IDS fantasy world
In-Reply-To:
References:
Message-ID: <200706091439.05317.admin@digibase.ca>

On Saturday 09 June 2007 13:52, Dave Aitel wrote:
> The weblog snippet below shows the attitude I love about the anti-virus and
> IDS companies. The "I'm better than you both technically and morally"
> fantasy they live in is quite amazing. It's like when people derisively say
> "script kiddie" and 100% of the time they mean "someone who's way better at
> security than I'll ever be". The reality is that writing malware is
> incredibly hard, and the people who do it are amazingly talented.
>

Agreed.
Said companies are only interested in marketing and selling their products and will do anything they can to make what they want a reality. That's why security companies often like causing FUD among those who aren't as in-tune to security as most of us on this list are, to cause people to run out to buy their products with little to no question.

Furthermore, said companies never act in collective unison with each other to fight malware, but rather they are disjointed, doing their own thing; thus there are time gaps between each other as well as malware some detect, while others do not. Thus no antimalware is perfect and detects everything known, because those companies are too busy and too proud acting superior to each other to work collectively.

As I've posted elsewhere before, large-scale security companies are too busy developing on the interface, making their software large and bloated instead of what it should be: streamlined and resource-efficient.

My apologies on ranting, just whenever I see security companies acting stupidly like this it brings me back to what I've stated above, so I leave one question: If security companies are supposed to be so smart, why aren't they many steps ahead of the malware authors?

> http://www.sophos.com/security/blog/2007/05/120.html
>
> """
>
> The fact is, whatever the motivation, writing malware is not 'clever', on
> the whole it's not even particularly difficult. Although this particular
> author seems to have trouble because the sample we received didn't work.
>
> It takes a lot more skill to identify and remove malware, but in this case,
> even that wasn't difficult. So my message to the author is, don't bother,
> get a real job, but don't bother applying to join SophosLabs. In fact
> judging by the poor quality of what was submitted, I would recommend a
> completely different career.
>
> Update 4th June - If anyone other than malware authors want to join
> SophosLabs, we're
> recruiting
>
> Mark Harris - Director of SophosLabs
> """
>
>
> -dave

From toby00 at gmail.com Sun Jun 10 21:41:30 2007
From: toby00 at gmail.com (toby)
Date: Sun, 10 Jun 2007 18:41:30 -0700
Subject: [Dailydave] The Anti-Virus/IDS fantasy world
In-Reply-To:
References:
Message-ID: <747811030706101841s2e177ad8vcefbde259f01a30c@mail.gmail.com>

I would suggest you are talking about different people.

The malware analysts at any AV company probably dig through more malware samples than you do on a regular basis. They are likely talking about the average quality of code they get.

You (I suspect) are talking more about the ability to write good, subtle malware.

Underestimating your opponents is a fatal mistake either way. The best malware analysts I know are well aware of the skills of the authors. Likewise so are the authors I know aware of the skills of the analysts.

t

On 6/9/07, Dave Aitel wrote:
>
> The weblog snippet below shows the attitude I love about the anti-virus
> and IDS companies. The "I'm better than you both technically and morally"
> fantasy they live in is quite amazing. It's like when people derisively say
> "script kiddie" and 100% of the time they mean "someone who's way better at
> security than I'll ever be". The reality is that writing malware is
> incredibly hard, and the people who do it are amazingly talented.
>
> http://www.sophos.com/security/blog/2007/05/120.html
>
> """
>
> The fact is, whatever the motivation, writing malware is not 'clever', on
> the whole it's not even particularly difficult. Although this particular
> author seems to have trouble because the sample we received didn't work.
>
> It takes a lot more skill to identify and remove malware, but in this
> case, even that wasn't difficult. So my message to the author is, don't
> bother, get a real job, but don't bother applying to join SophosLabs.
> In
> fact judging by the poor quality of what was submitted, I would recommend a
> completely different career.
>
> Update 4th June - If anyone other than malware authors want to join
> SophosLabs, we're recruiting
>
> Mark Harris - Director of SophosLabs
> """
>
>
> -dave
>

From rhyskidd at gmail.com Tue Jun 12 12:27:04 2007
From: rhyskidd at gmail.com (Rhys Kidd)
Date: Wed, 13 Jun 2007 00:27:04 +0800
Subject: [Dailydave] One more thing.. memory corruption in Apple Safari
Message-ID: <68dd869f0706120927p1fee7908k2d191fb2f851188a@mail.gmail.com>

[ Note, I was going to hold off releasing this text for a few days... but as I said below, I'm not the only one to find these bugs. Currently, trying to establish how much cross-over Maynor, Aviv & myself have on these. ]

I've never really been interested in looking for security bugs in Apple products. But recently I decided I'd buy a Macbook Pro when I return to Uni after holidays next month. I love the hardware design, and they have some great features. I waited out until after Steve's impressive keynote at WWDC yesterday to make sure I didn't kick myself for getting an end-of-revision model, and lo and behold a Safari 3.0 Beta was released.

Below are scant details on two memory corruption bugs inside Apple Safari, found approximately 6 hours after Safari 3.0 Beta's release. They have both already been reported to Apple in the manner they request (product-security at apple.com). I'm going to refrain from using the abused buzzword '0day' to describe them.
They aren't particularly difficult bugs to find and there are plenty of other very intelligent, clever people who could also find these bugs, and may have already. I won't release windbg output or stack information publicly, but remote code execution appears possible.

Crash 1:
md5: 4a28b6fdc557b346db365c467dcf958f
sha1: 45d82277f1975feff0b9d385393420d0f9a256cf
Affected:
Safari 3.0 (522.11) Mac OS X 10.4.9 (PPC)
Safari 3.0 (522.11.3) Windows Vista
Safari 2.0.4 (419.3) Mac OS X 10.4.9 (Intel)
Safari 2.0.4 (419.3) Mac OS X 10.4.9 (PPC)

Crash 2:
md5: 9a99eb9c276fe40ebb721fbec4f6cdb9
sha1: 607cdcac55dc6e6c44ad5906b1095bf5340e206c
Affected:
Safari 3.0 (522.11.3) Windows Vista

I don't want this to become hyperbole fuel in a zealot blog flame war, but I'm a realist & so I've got to expect that this will occur. Frankly, it is easier to find new software vulnerabilities in Apple rather than Microsoft products these days. The many talented people at Microsoft (MSRC, Michael Howard, Dave Ladd, SDL team et al) have really improved the quality of the code MS produces. Apple, you are a long way behind Microsoft on security, and I wish you'd stop releasing blatantly misleading adverts saying otherwise. There are positives, take note Steve Jobs, if Apple consciously decided to pursue a program of improving their ability to write secure code I believe great strides could be made. Your customers would appreciate it.

If you are a Windows user and want to keep your computer secure, don't install this piece of Apple software yet. If you're a Mac user, I'd suggest browsing in Firefox, or perhaps telnet until patches are released by Apple.

- Rhys

PS. To Apple PR: I am not interested in publicly trading insults with you tit-for-tat. Like you I am a reasonable person, who undertook this work for free, I don't expect any reward from Apple other than a better browser; which all the Internet community benefits from. Your Engineering department has already confirmed these bugs really exist.
I did not 'break' Safari, it was already broken when you chose to release it to the public. I will not release further technical details publicly until you have shipped patches, or in the eventuality that you do not wish to fix these bugs.

From thomas at coseinc.com Tue Jun 12 14:58:24 2007
From: thomas at coseinc.com (Thomas Lim)
Date: Wed, 13 Jun 2007 02:58:24 +0800
Subject: [Dailydave] Windows Oday release
Message-ID: <466EECD0.8020907@coseinc.com>

dear all

SChannel Off-By-One Heap Corruption
===================================

Discovery Date:
28th August 2006

Date reported to Microsoft:
19th March 2007

Summary:
The Secure Channel (SChannel) library on WinXP-SP1/SP2 is vulnerable to an off-by-one heap buffer overwrite. The SChannel library implements PCT/TLS/SSL protocols exported via the Security Service Provider Interface (SSPI). It is one of several Security Service Providers loaded-in and supported by the privileged Local Security Authority (Lsass.exe) process.

In SChannel's implementation of the client-side SSLv3 handshake protocol, specifically in the processing of the server-key-exchange SSL handshake record, there are insufficient checks for a malformed server-sent digital signature with its length-field set to 0. This results in an allocation of a 0-length heap buffer (with a valid heap address). A reverse memory copy is then performed to copy-in the digital signature, by decrementing the 0-length by 1. This results in an integer-underflow, causing the heap-buffer pointer to decrement before its start address, ultimately leading to an overwrite of exactly one byte of user-controlled value into the heap control-block. Depending on the robustness of the application in question, this may lead to an unrecoverable heap corruption condition, causing the application to terminate.
In the case of Lsass.exe on WinXP-SP2, we can crash it locally after several iterations, from a less-privileged user, causing a system reboot. Vulnerable code also exists in WinXP-SP1, although it does not cause an unrecoverable heap corruption in Lsass.exe.

Vendor Affected:
Microsoft

Systems Affected:
=================
WinXP-SP2 (DOS/Reboot)
WinXP-SP1 (minimal impact)

Exploitation:
=============
1) For local machine reboot via normal user account, on WinXP-SP2
OR
For remote machine reboot by enticing user to visit HTTPS site via IE, on WinXP-SP2 (but over 2000 iterations required)

POC (crash-test/reboot):
========================
1) Run sctest.exe from a normal user account, on client machine running WinXP-SP2.
2) sctest.exe will attempt to use SChannel's SSL implementation to parse pre-generated malformed SSL handshake records, over several iterations, causing multiple off-by-one overwrites with 0xFF byte, within the Lsass.exe process.
3) Attach Debugger to Lsass.exe to see crash. The system will notify the user and perform a 60sec. reboot count-down, after detecting the Lsass.exe crash.

** Lsass.exe crash-test can also be done by forcing/enticing Internet Explorer to access an HTTPS site, serving out the same malformed SSL handshake records (as shown in source code below). However, over 2000 iterations are needed (IE needs to access HTTPS site over 2000 times), before Lsass.exe heap corruption occurs.

Vuln Analysis:
==============
(Based on schannel.dll/v5.1.2600.2180/WinXP-SP2)

The vulnerability exists in the schannel.dll component, that implements the SSPI-compliant PCT/TLS/SSL protocol handling implementation.
For more information on SSPI and how it relates to LSA, refer to
1) http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthn/security/authentication_packages.asp
2) http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthn/security/sspi.asp

Essentially, in the case of SSPI authentication libraries like schannel, kerberos, msv1_0 (ntlm), data is exchanged between less-privileged user applications requiring authentication, and Lsass.exe, with LSA providing the authentication back-end support. Both LSA and the less-privileged application communicate indirectly via the SSPI interface.

Specifically, in SSL authentication, untrusted SSL record packets are passed from the less-privileged application to the privileged LSA. While extensive efforts are made in LSA to validate the SSL records, on WinXP's version of schannel, an off-by-one vulnerability exists in the parsing of the less-common and less-used SSL server-key-exchange record. The vulnerability can hence be triggered via less-privileged client applications utilizing schannel's client-side SSL protocol implementation. This includes Internet Explorer, whenever the user uses IE to browse an HTTPS site.

The vulnerable code exists in the _ReverseMemCopy() function and is reachable from Ssl3ParseServerKeyExchange():
(via SPProcessHandshake()->PkcsGenerateClientExchangeValue())

; On WinXP-SP1, the code below is located at 0x767FF976 (no symbols available)

Ssl3ParseServerKeyExchange()
...
.text:767FFFC8 movzx ebx, byte ptr [esi]      ; MSB-byte of malformed signature length field
.text:767FFFCB movzx eax, byte ptr [esi+1]    ; LSB-byte of malformed signature length field
.text:767FFFCF shl ebx, 8
.text:767FFFD2 add ebx, eax
.text:767FFFD4 push ebx                       ; size=0
.text:767FFFD5 call _SPExternalAlloc@4        ; HeapAlloc will return a valid 0-length heap buffer address
.text:767FFFDA test eax, eax
.text:767FFFDC mov [ebp+pbSignature], eax
.text:767FFFDF jz loc_768000B9
.text:767FFFE5 push ebx                       ; size=0
.text:767FFFE6 lea ecx, [esi+2]               ; address of the signature data in our malformed record
                                              ; containing 0xFF,0x41,0x41...
.text:767FFFE9 push ecx
.text:767FFFEA push eax                       ; 0-length heap buffer
.text:767FFFEB call _ReverseMemCopy@12

_ReverseMemCopy()
.text:767FF46F mov edi, edi
.text:767FF471 push ebp
.text:767FF472 mov ebp, esp
.text:767FF474 mov eax, [ebp+arg_8]
.text:767FF477 mov ecx, [ebp+arg_4]
.text:767FF47A push esi
.text:767FF47B mov esi, [ebp+arg_0]
.text:767FF47E lea eax, [esi+eax-1]           ; EAX=0, ESI which points to 0-length heap buffer
                                              ; is decremented to, before start of heap buffer
.text:767FF482 mov dl, [ecx]
.text:767FF484 mov [eax], dl                  ; Off-by-one overwrite with 0xFF from our signature data
.text:767FF486 dec eax
.text:767FF487 inc ecx
.text:767FF488 cmp eax, esi
.text:767FF48A jnb short loc_767FF482         ; Just one-byte overwrite!
.text:767FF48C pop esi
.text:767FF48D pop ebp
.text:767FF48E retn 0Ch

Discovered by:
Steven
Security Researcher
Vulnerability Research Lab
COSEINC

--
Thank you
Thomas Lim
COSEINC Private Limited

From usanonymous at gmail.com Tue Jun 12 17:33:09 2007 From: usanonymous at gmail.com (No
Body)
Date: Tue, 12 Jun 2007 15:33:09 -0600
Subject: [Dailydave] The Anti-Virus/IDS fantasy world
Message-ID: <4945bec00706121433j7fa76056k7df09115fb089cc3@mail.gmail.com>

I'm curious: what exactly makes writing malware difficult?

Consider a sophisticated modern mass-mailer with a backdoor. In my experience, it consists of:

A) Code to inject a thread into explorer.exe; that thread then contains:
B) Code to report to a central server via HTTP;
C) A SOCKS proxy thread and/or remote file system viewer;
D) A routine to scour the disk for email addresses;
E) An SMTP client;
F) Code to ensure that the worm starts every time the system boots (almost always via the registry), and maybe
G) Code to make sure its registry key / executable are not deleted.

Each component is no more than 1,000 lines of code, and each is easily testable. For good measure, the binaries are usually packed with either FSG or UPX.

Your standard IRC trojan is even less sophisticated. Trojan downloaders are literally less than ten lines of C code to write. BHOs, as well, are much easier to write than they are to analyze (if you don't believe me, try it). SymbianOS malware is excruciatingly difficult to analyze, while the malware authors have an emulator and an SDK with a rich collection of examples to work with.

I just don't see the "incredibly hard" part in writing malware: are you referring to some other class of malware than the ones I've described?

I agree with Sophos (while at the same time thinking AV is snake-oil): statically analyzing malware is substantially harder than writing it.
From joanna at invisiblethings.org Wed Jun 13 06:10:23 2007
From: joanna at invisiblethings.org (Joanna Rutkowska)
Date: Wed, 13 Jun 2007 12:10:23 +0200
Subject: [Dailydave] Windows Oday release
In-Reply-To: <20070612202156.GE4179@linuxbox.org>
References: <466EECD0.8020907@coseinc.com> <20070612202156.GE4179@linuxbox.org>
Message-ID: <466FC28F.3090307@invisiblethings.org>

ge at linuxbox.org wrote:
> On 2007-06-13 02:58+0800, Thomas Lim wrote:
>> dear all
>
> Dear all, this is not a 0day, it is a public release of a responsibly
> disclosed vulnerability.
>

Yes, indeed it *seems* so:
http://www.microsoft.com/technet/security/Bulletin/MS07-031.mspx

But, of course we cannot be sure that the bug that was addressed by this patch is actually the same one as presented in Thomas' post, without analyzing the patch (or a patched system). If Thomas says it's a 0day, then maybe somebody should check it. Why would Thomas say it's a 0day if it was already fixed?

Obviously I'm far from punishing anybody for publishing a 0day -- after all the potential attack vector would have existed even if the 0day was not made public.

What is funny however, is that Microsoft, the great supporter of "responsible disclosure", actually is the main sponsor ("patron") of the SyScan conference:
http://syscan.org/
which is organized by Thomas. Maybe it's a sign that Microsoft realized that the free "responsible disclosure" idea is a bit artificial? (at last!)

The time line is also interesting, BTW:

>> Discovery Date:
>> 28th August 2006
>>
>> Date reported to Microsoft:
>> 19th March 2007
>>

One (I guess some "responsible disclosure" purist) could ask why they waited 6 months before reporting this vulnerability to the vendor? What were they doing with this exploit for the whole 6 months?
Obviously I'm far from being a "security responsible" crusader and I think that they had a full right to wait with reporting the bug to the vendor (if the vendor was not their client) as long as they wanted and that MS should be happy that they eventually decided to do that. (Needless to say MS is grateful, as we see in the bulletin).

What seems more interesting however, is why Thomas actually made the discovery date public? After all, they could have just written the "reported to vendor" date, but they intentionally also gave the discovery date, risking the possibility of potential accusations of being "not responsible"...

Anyway congrats to mysterious Steven:

> Discovered by:
> Steven
> Security Researcher
> Vulnerability Research Lab
> COSEINC

Interestingly, the MS bulletin credits Thomas Lim for the discovery and not Steven, which may suggest that Steven is some sort of a program (maybe another fuzzer) for bug hunting...

joanna.

From halvar at gmx.de Wed Jun 13 17:19:01 2007
From: halvar at gmx.de (Halvar Flake)
Date: Wed, 13 Jun 2007 23:19:01 +0200
Subject: [Dailydave] MS07-031 schannel
Message-ID: <002801c7ae00$778d7220$0301000a@D1NQ6Z1J>

Hey all,

for those of you that are bored and want to watch some moving pictures,
http://www.sabre-security.com/files/schannel.swf

Cheers,
Halvar
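The off-by-one that Thomas Lim's SChannel advisory earlier in this thread describes (and that the MS07-031 discussion above refers to), reduced to a stand-alone C model as an added example; this is not code from the advisory, from schannel.dll, or from Halvar's movie. The copy loop from the listing is reproduced over a guard-padded arena so its single store before a zero-length buffer is observable without leaving the arena, beside a parser that rejects the zero-length signature before anything is copied; the record layout, the arena, and every function name are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of the server-key-exchange signature handling from the
 * advisory: a 2-byte big-endian length field, then the signature bytes.
 * All names are hypothetical; none of this is schannel.dll code. */

#define ARENA_SIZE 16
#define GUARD 2   /* bytes in front of the "heap buffer" so a stray store stays inside the arena */

/* Stand-in for the heap: the buffer given to the copy starts at mem + GUARD,
 * so mem[GUARD - 1] plays the part of the heap control block. */
typedef struct { uint8_t mem[ARENA_SIZE]; } arena_t;

enum { PARSE_OK = 0, PARSE_TRUNCATED = 1, PARSE_EMPTY_SIG = 2 };

/* Same shape as the _ReverseMemCopy loop in the listing: start at dst+len-1,
 * store, step back, continue while the pointer is still >= dst (unsigned
 * compare, like the jnb). With len == 0 the start pointer is dst-1: the first
 * store lands one byte before the buffer, then the compare fails. */
static void reverse_memcpy_vulnerable(uint8_t *dst, const uint8_t *src, size_t len)
{
    uint8_t *p = dst + len - 1;
    do {
        *p = *src++;
        p--;
    } while ((uintptr_t)p >= (uintptr_t)dst);
}

/* Hardened copy: indexes down from len, so len == 0 performs no store. */
static void reverse_memcpy_safe(uint8_t *dst, const uint8_t *src, size_t len)
{
    for (size_t i = 0; i < len; i++)
        dst[len - 1 - i] = src[i];
}

/* Vulnerable flow as described: read the length, "allocate" exactly that many
 * bytes, reverse-copy. The record is bounded against the arena, but a zero
 * length is accepted. Returns the length copied, or SIZE_MAX if rejected. */
static size_t parse_sig_vulnerable(arena_t *a, const uint8_t *rec, size_t rec_len)
{
    size_t len = ((size_t)rec[0] << 8) | rec[1];
    if (rec_len < 2 + len || len > ARENA_SIZE - GUARD)
        return SIZE_MAX;
    reverse_memcpy_vulnerable(a->mem + GUARD, rec + 2, len);
    return len;
}

/* Hardened flow: refuse a zero-length signature before anything is allocated
 * or copied, and bound the length by the bytes actually present. */
static int parse_sig_safe(arena_t *a, const uint8_t *rec, size_t rec_len, size_t *out_len)
{
    if (rec_len < 2)
        return PARSE_TRUNCATED;
    size_t len = ((size_t)rec[0] << 8) | rec[1];
    if (len == 0)
        return PARSE_EMPTY_SIG;   /* the check the advisory says was missing */
    if (len > rec_len - 2 || len > ARENA_SIZE - GUARD)
        return PARSE_TRUNCATED;
    reverse_memcpy_safe(a->mem + GUARD, rec + 2, len);
    *out_len = len;
    return PARSE_OK;
}

/* Constructed records: length 0 followed by 0xFF 0x41 0x41 (as in the
 * advisory), and a well-formed record carrying the 3-byte signature "abc". */
static const uint8_t MALFORMED_REC[] = { 0x00, 0x00, 0xFF, 0x41, 0x41, 0x41 };
static const uint8_t GOOD_REC[] = { 0x00, 0x03, 'a', 'b', 'c' };

/* Vulnerable parser on the malformed record; returns the byte just before
 * the buffer. 0xFF means the off-by-one store fired. */
uint8_t demo_vulnerable_guard_byte(void)
{
    arena_t a;
    memset(a.mem, 0xAA, sizeof a.mem);
    parse_sig_vulnerable(&a, MALFORMED_REC, sizeof MALFORMED_REC);
    return a.mem[GUARD - 1];
}

/* Hardened parser on the malformed record; returns PARSE_EMPTY_SIG. */
int demo_safe_rejects_zero(void)
{
    arena_t a;
    size_t n = 0;
    memset(a.mem, 0xAA, sizeof a.mem);
    return parse_sig_safe(&a, MALFORMED_REC, sizeof MALFORMED_REC, &n);
}

/* Hardened parser on the good record; returns 1 if the buffer holds "cba"
 * (reversed, as the copy intends) and the guard byte is untouched. */
int demo_safe_reverses_ok(void)
{
    arena_t a;
    size_t n = 0;
    memset(a.mem, 0xAA, sizeof a.mem);
    if (parse_sig_safe(&a, GOOD_REC, sizeof GOOD_REC, &n) != PARSE_OK || n != 3)
        return 0;
    return memcmp(a.mem + GUARD, "cba", 3) == 0 && a.mem[GUARD - 1] == 0xAA;
}
```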
From arunkoshy at gmail.com Thu Jun 14 20:50:20 2007
From: arunkoshy at gmail.com (Arun Koshy)
Date: Fri, 15 Jun 2007 10:50:20 +1000
Subject: [Dailydave] off-topic : Real Hacking
Message-ID: <1d0ba3070706141750v1adaafddo35c7f21f95c09e47@mail.gmail.com>

This really warmed up my day: http://johnny.ihackstuff.com/uganda/

Johnny's a great friend to me personally and I think we geeks can learn much from him outside of err .. using Google :-).

From nathan.landon at digitaloperatives.com Fri Jun 15 09:03:21 2007
From: nathan.landon at digitaloperatives.com (Nathan Landon)
Date: Fri, 15 Jun 2007 09:03:21 -0400
Subject: [Dailydave] The Anti-Virus/IDS fantasy world
In-Reply-To: <747811030706101841s2e177ad8vcefbde259f01a30c@mail.gmail.com>
References: <747811030706101841s2e177ad8vcefbde259f01a30c@mail.gmail.com>
Message-ID: <37837550706150603q61ffc812ga34b18e8fb2177a8@mail.gmail.com>

Antivirus is so 1999!

I'd be incredibly surprised to see if half of the people on this list actually pay for Antivirus for their client machines and believe that it somehow protects them from being infected at a cost benefit to the resource utilization of modern antivirus software. If somebody tells me that they are having issues with their system being too slow, 9 times out of 10 it is because the AV software is abusing its right to be on the system.

Antivirus is like homeowners insurance, it makes you feel better about the "what ifs," but doesn't protect you from the Hurricane Katrinas.

On 6/10/07, toby wrote:
> I would suggest you are talking about different people.
> The malware analysts at any AV company probably dig through more malware
> samples than you do on a regular basis. They are likely talking about the
> average quality of code they get.
> You (I suspect) are talking more about the ability to write good, subtle
> malware.
>
> Underestimating your opponents is a fatal mistake either way. The best
> malware analysts I know are well aware of the skills of the authors.
> Likewise so are the authors I know aware of the skills of the analysts.
>
> t
>
> On 6/9/07, Dave Aitel wrote:
> >
> > The weblog snippet below shows the attitude I love about the anti-virus
> > and IDS companies. The "I'm better than you both technically and morally"
> > fantasy they live in is quite amazing. It's like when people derisively say
> > "script kiddie" and 100% of the time they mean "someone who's way better at
> > security than I'll ever be". The reality is that writing malware is
> > incredibly hard, and the people who do it are amazingly talented.
> >
> > http://www.sophos.com/security/blog/2007/05/120.html
> >
> > """
> >
> > The fact is, whatever the motivation, writing malware is not 'clever',
> > on the whole it's not even particularly difficult. Although this particular
> > author seems to have trouble because the sample we received didn't work.
> >
> > It takes a lot more skill to identify and remove malware, but in this
> > case, even that wasn't difficult. So my message to the author is, don't
> > bother, get a real job, but don't bother applying to join SophosLabs. In
> > fact judging by the poor quality of what was submitted, I would recommend a
> > completely different career.
> >
> > Update 4th June - If anyone other than malware authors want to join
> > SophosLabs, we're recruiting
> >
> > Mark Harris - Director of SophosLabs
> > """
> >
> > -dave
> >
> > _______________________________________________
> > Dailydave mailing list
> > Dailydave at lists.immunitysec.com
> > http://lists.immunitysec.com/mailman/listinfo/dailydave
>

--
Nathan Landon
Digital Operatives
www.digitaloperatives.com
Phone: 808-221-9172

From pmelson at gmail.com Fri Jun 15 09:18:47 2007
From: pmelson at gmail.com (Paul Melson)
Date: Fri, 15 Jun 2007 09:18:47 -0400
Subject: [Dailydave] The Anti-Virus/IDS fantasy world
In-Reply-To: <747811030706101841s2e177ad8vcefbde259f01a30c@mail.gmail.com>
References: <747811030706101841s2e177ad8vcefbde259f01a30c@mail.gmail.com>
Message-ID: <000c01c7af4f$b52f94a0$0202fea9@ad.priorityhealth.com>

> I would suggest you are talking about different people.
> The malware analysts at any AV company probably dig through more malware samples than you do on a
> regular basis.

I would hope so, seeing as it's at the top of their job description. But you know who's probably not elbow-deep in malware these days? Mark Harris.

> Underestimating your opponents is a fatal mistake either way. The best malware analysts I know are well
> aware of the skills of the authors. Likewise so are the authors I know aware of the skills of the
> analysts.

In fairness to Mark Harris, the malware submission that sparked his post 1) didn't run and 2) contained furry pr0n. Maybe he's not underestimating in this one case.
PaulM

From erikam at gmail.com Fri Jun 15 10:44:44 2007
From: erikam at gmail.com (Erika Mendoza)
Date: Fri, 15 Jun 2007 07:44:44 -0700
Subject: [Dailydave] Breakpoint Security Conference - Monterrey, N.L. Mexico
Message-ID: <5fe3b72c0706150744v4635e4bte6b92e0899715704@mail.gmail.com>

It is our pleasure to introduce everyone to Breakpoint Security's first event, held in downtown Monterrey, Nuevo Leon, Mexico, aka Barrio Antiguo. The Call for Papers opens today, Friday June 15, 2007. A few private invites have already been accepted; please tune to the website for speaker/topic updates. Below are the conference details.

[ Event ]

Breakpoint Security hopes to bring to Monterrey an entertaining, coordinated, information-filled environment for security practitioners, professionals and hobbyists. It is our priority to keep the event fun, organized and suited for anyone willing to learn and share.

"The center of nightlife in Monterrey is definitely Barrio Antiguo, but there is plenty of action spread out over the rest of the city." - http://www.allaboutmonterrey.com/nightlife.htm

When? November 17 and 18, 2007.

Where? http://tinyurl.com/2yuql2

And for the paranoid - http://www.mapquest.com/maps/map.adp?address=&city=Monterrey&state=Nuevo%20Leon&zipcode=&country=MX&title=%3cb%3e%3cspan%20style%3d%22display%3ainline%3bmargin%2dbottom%3a0px%3b%22%20class%3d%22locality%22%3eMonterrey%3c%2fspan%3e%2c%20%3cspan%20style%3d%22display%3ainline%3bmargin%2dbottom%3a0px%3b%22%20class%3d%22region%22%3eNuevo%20Leon%3c%2fspan%3e%20%3cspan%20style%3d%22display%3ainline%3bmargin%2dbottom%3a0px%3b%22%20class%3d%22country%2dname%22%3eMX%3c%2fspan%3e%3c%2fb%3e%3c%2fspan%3e&cid=lfmaplink2&name=&dtype=s

Where exactly? http://www.hotel-ancira.com

Standard Topics Apply:

* Reverse Engineering
* Spyware, Phishing and Botnets (Modern bots please!)
* Wireless Network and Security
* Modern Software Auditing Practices
* GSM, GPRS and CDMA Security
* World Wide Domination
* Writing Malicious Code (Case Studies Wanted)
* Cryptanalysis / Cryptography
* Forensics
* Predictions
* Information Security and the Legal System[s]

[ Submission ]

There are ten slots total and a single track; all talks are 60 - 70 minutes. Translators will be available unless you prefer to do your talk in Spanish, in which case no translation will be necessary.

Abstract Submission deadline: September 7th, 2007.
Detailed Submission deadline: October 19th, 2007.

Proposals should contain the following information:

* Topic, title and a short description
* Speaker information:
  - Full name
  - Country of current residence
  - Contact information, including phone number and physical address
* Employer (specify if independent researcher)
* A biography and any publications that you've authored or coauthored
* Is this a full paper, slides or both

[ Speaker Benefits ]

A growing list of speaker benefits includes the following:

1) Pre-conference Dinner and Drinks on Friday November 16, 2007
2) Three meals will be covered, as the hotel will cater
3) Hotel is covered (2 nights; a 3rd may be covered if necessary, but you must send the request in advance)
4) You get to drink with us in Mexico! When else can you do this? :)

Thank you and we hope to hear back from you soon.

Erika Mendoza
cfp at breakpointsecurity.net
http://www.breakpointsecurity.net

From nahual at 0hday.org Fri Jun 15 11:48:04 2007
From: nahual at 0hday.org (El Nahual)
Date: Fri, 15 Jun 2007 10:48:04 -0500
Subject: [Dailydave] The Anti-Virus/IDS fantasy world
In-Reply-To: <4945bec00706121433j7fa76056k7df09115fb089cc3@mail.gmail.com>
References: <4945bec00706121433j7fa76056k7df09115fb089cc3@mail.gmail.com>
Message-ID: <4672B4B4.1070101@0hday.org>

I have to disagree with you (I tried to get out of this one since I used to work for an AV company), but I agree with Dave completely. If Sophos is correct, why aren't they detecting 100% of the project Mimic from 29A, which is over 5 years old? Metamorphic was designed and used on malware; also, covert channels ARE used in malware, and I have seen malware use 0hday on Java to inject itself. Obviously that takes a little more skill than what you are writing here, since most antivirus just hooks into functions and tries to analyze what you are doing and scans if you look like a virus based on the next instructions (that is why antivirus didn't really like Vista's anti-hook protection: they just couldn't hook themselves, a no-no since they have their own API!).

I saw someone that is a genius (gotta say it), Oded Horowitz (did I get the last name right?), 3 years ago with code that blew my mind, a binary analyzer that detected not changes but other stuff (I promised not to disclose the complete stuff), but I think it would be a good time to have him in this conversation.

BTW, didn't @stake have a binary decompiler/detection tool? Did THAT ever work?
BTW, I could say the same thing on AVs and analysis:

- Registry Hook - 100 lines of code
- mail*() hook - 150 lines of code
- _write(), _read(), _open() hooks - 500 lines of code
- Heuristics engine - Bought from F-Prot
- Getting owned by a 1024 uppercase zip file name - PRICELESS

That is why most AVs have to blacklist, and why then you have signature variations. Kaspersky has smaller sigs because of the way they use the engine, but still, everything can be tricked.

my $0.02

//Nahual

No Body wrote:
>
> I'm curious: what exactly makes writing malware difficult? Consider
> a sophisticated modern mass-mailer with a backdoor. In my experience,
> it consists of:
>
> A) Code to inject a thread into explorer.exe; that thread then contains:
> B) Code to report to a central server via HTTP;
> C) A SOCKS proxy thread and/or remote file system viewer;
> D) A routine to scour the disk for email addresses;
> E) An SMTP client;
> F) Code to ensure that the worm starts every time the system boots
> (almost always via the registry), and maybe
> G) Code to make sure its registry key / executable are not deleted.
>
> Each component is no more than 1,000 lines of code, and each is easily
> testable. For good measure, the binaries are usually packed with
> either FSG or UPX.
>
> Your standard IRC trojan is even less sophisticated. Trojan
> downloaders are literally less than ten lines of C code to write.
> BHOs, as well, are much easier to write than they are to analyze (if
> you don't believe me, try it). SymbianOS malware is excruciatingly
> difficult to analyze, while the malware authors have an emulator and
> an SDK with a rich collection of examples to work with.
>
> I just don't see the "incredibly hard" part in writing malware: are
> you referring to some other class of malware than the ones I've
> described? I agree with Sophos (while at the same time thinking AV is
> snake-oil): statically analyzing malware is substantially harder than
> writing it.
>

From valsmith at offensivecomputing.net Sun Jun 17 12:30:20 2007
From: valsmith at offensivecomputing.net (val smith)
Date: Sun, 17 Jun 2007 10:30:20 -0600
Subject: [Dailydave] The Anti-Virus/IDS fantasy world
In-Reply-To: <000c01c7af4f$b52f94a0$0202fea9@ad.priorityhealth.com>
References: <747811030706101841s2e177ad8vcefbde259f01a30c@mail.gmail.com> <000c01c7af4f$b52f94a0$0202fea9@ad.priorityhealth.com>
Message-ID:

What I find interesting is the lack of insight into what AV companies actually do behind the scenes. Peter Szor's book was a great look into some things, but AVs don't really publish what they actually do very often. How do they analyze samples? How do they deal with packers? I can make some educated guesses, but I'm still very curious. We pretty much publish our techniques, but we're not an AV company, so maybe that doesn't count.

We've got many tens of thousands of samples, both old and new, that we've been through both automagically and manually. The common thing that I've seen is that malware sucks. It's not sophisticated, it uses dirt simple, often ancient techniques, and it's slow to adopt new things. For example, Joanna, us, and others have released numerous techniques for VM detection. These techniques are multiple years old and not too difficult. What do I see most often in my collection for VM detection? Putting the output of "net start" into a text file and searching for "vmware". Where are all the awesome anti-analysis/anti-vmware samples out there?

Why does malware suck? Because it still works.
AV sucks at detecting it, users suck at avoiding it, so why bother making it sophisticated?

However, I would say don't underestimate malware authors just because the bulk of what's out there isn't very good. It has moved from the kid or "researcher" screwing around to a professional business. Occasionally we see "commercially" developed malware that IS very sophisticated. Rustock is a good example of this. Lots of the spyware out there is actually pretty good too. I would venture to say it takes some skill to release a "software product" to millions of users and have it work consistently. A lot of malware achieves this one simple goal that occasionally even professional software vendors fail at.

V.

--
******************************************
* Val Smith
* CTO Offensive Computing, LLC
* http://www.offensivecomputing.net
*******************************************

From krahmer at suse.de Tue Jun 19 08:23:37 2007
From: krahmer at suse.de (Sebastian Krahmer)
Date: Tue, 19 Jun 2007 14:23:37 +0200 (CEST)
Subject: [Dailydave] PrivSep
Message-ID:

Not to mix up with Priv Sepp, which is me (maybe only a funny joke in German :)

http://c-skills.blogspot.com/2007/06/note-on-privilege-separation.html

Especially the recursive aspect of sneaking into a session makes this a real problem.

l8er,
Sebastian

--
~
~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer at suse.de - SuSE Security Team
~ SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)

From phatbuckett at gmail.com Tue Jun 19 19:16:44 2007
From: phatbuckett at gmail.com (Darren Spruell)
Date: Tue, 19 Jun 2007 16:16:44 -0700
Subject: [Dailydave] PrivSep
In-Reply-To:
References:
Message-ID: <839aec700706191616h4eec005fl8e09d3e931299c9a@mail.gmail.com>

On 6/19/07, Sebastian Krahmer wrote:
>
> Not to mix up with Priv Sepp, which is me (maybe only a funny joke in
> German :)
>
> http://c-skills.blogspot.com/2007/06/note-on-privilege-separation.html
>
> Especially the recursive aspect of sneaking into a session makes this
> a real problem.

Interesting, but is there ever an assumption that these sessions are "secured" from the superuser in Unix in the first place?

- root has direct access to memory to retrieve session keying material
- root can read the shadow password file
- root can trojan/patch sshd to collect credentials and session data
- root can read/write the pty
- ...

Seems like fearing root on a (local or remote) system you're logging into is a little redundant.
DS

From krahmer at suse.de Wed Jun 20 02:27:34 2007
From: krahmer at suse.de (Sebastian Krahmer)
Date: Wed, 20 Jun 2007 08:27:34 +0200 (CEST)
Subject: [Dailydave] PrivSep
In-Reply-To: <839aec700706191616h4eec005fl8e09d3e931299c9a@mail.gmail.com>
References: <839aec700706191616h4eec005fl8e09d3e931299c9a@mail.gmail.com>
Message-ID:

On Tue, 19 Jun 2007, Darren Spruell wrote:

hi,

> Interesting, but is there ever an assumption that these sessions are
> "secured" from the superuser in Unix in the first place?

No, of course not. It is not an exploit.

> - root has direct access to memory to retrieve session keying material
> - root can read the shadow password file
> - root can trojan/patch sshd to collect credentials and session data
> - root can read/write the pty

But it is a difference (in the workload) to peek and rebuild keys on a system which has ASLR and on a daemon which zeroes out temporary key storage for security reasons, but which passes the login tokens for free. If strace is installed, you could use that at the end. Locally, the keying material is not really important.

Honestly, if someone owns your PrivSep'ed sshd remotely, with all the kernel exploits once in a while, will this really protect you? It rather adds a complexity which leads to comments such as 'Fix a bug in the sshd privilege separation monitor that weakened its verification of successful authentication. ...' in the ChangeLog.
thx,
Sebastian

--
~
~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer at suse.de - SuSE Security Team
~ SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)

From djm at mindrot.org Wed Jun 20 19:50:30 2007
From: djm at mindrot.org (Damien Miller)
Date: Thu, 21 Jun 2007 09:50:30 +1000 (EST)
Subject: [Dailydave] PrivSep
In-Reply-To:
References: <839aec700706191616h4eec005fl8e09d3e931299c9a@mail.gmail.com>
Message-ID:

On Wed, 20 Jun 2007, Sebastian Krahmer wrote:

> Honestly, if someone owns your PrivSep'ed sshd remotely; with all the
> kernel exploits once in a while; will this really protect you?

No, and Niels' original privsep paper made this quite clear. It does reduce the risk a little: an attacker who has gained control over the unprivileged process sees a smaller system attack surface than one who can open random /dev nodes, exec() setuid binaries, etc.

> It rather adds a complexity which leads to comments such as
> 'Fix a bug in the sshd privilege separation monitor that weakened its
> verification of successful authentication. ...' in the ChangeLog.

Actually, it was item #1 on openssh-4.5's release notes and clearly marked as a security bug - not buried in a Changelog.

-d

From dave at immunityinc.com Fri Jun 22 10:45:12 2007
From: dave at immunityinc.com (Dave Aitel)
Date: Fri, 22 Jun 2007 10:45:12 -0400
Subject: [Dailydave] libdisassemble 2.0 release note
In-Reply-To: <200706211645.14410.atlas@r4780y.com>
References: <46795CBD.5060608@immunityinc.com> <200706211645.14410.atlas@r4780y.com>
Message-ID: <467BE078.3080200@immunityinc.com>

PUBLIC RELEASE ANNOUNCEMENT

Immunity and friends have released version 2.0 of LIBDISASSEMBLE, a 100% Python opcode disassembly library for x86 processors. Almost all work on this release was done by Matt Carpenter, of Intelguardians, and atlas.

Disassembly routines are essential parts of debuggers, disassemblers and a variety of other important tools.
libdisassemble fills the need for the many security-related products and projects which are being developed using the Python language. Since libdisassemble is 100% Python, the code remains fairly easy to read and interface with. It is self-documenting using Python's built-in tool Pydoc, and maintains relatively high speed. It's not C, but it's not C either.

This version aims to provide a complete disassembly of the IA32 instruction set. Future versions will include the addition of the IA64/32 instruction set.

Immunity is a software security and consulting company. (www.immunityinc.com)

Intelguardians Network Intelligence LLC is a vendor independent Information Security Consultancy based in Washington D.C. (www.intelguardians.com)

atlas is, well, atlas. (http://atlas.r4780y.com/cgi-bin/atlas)

Download LIBDISASSEMBLE v2.0 at:
http://www.immunityinc.com/resources-freesoftware.shtml
http://www.immunityinc.com/downloads/libdisassemble2.0.tar.gz (direct link)

Please feel free to send bug reports to atlas and Matt Carpenter (or dave will forward messages to them for you).

http://atlas.r4780y.com/cgi-bin/atlas/2007/06/21#070621-libdisassemble

Thanks,
The libdisassemble team.

From dave.aitel at gmail.com Sun Jun 24 15:29:51 2007
From: dave.aitel at gmail.com (Dave Aitel)
Date: Sun, 24 Jun 2007 15:29:51 -0400
Subject: [Dailydave] With great responsibility comes great power.
Message-ID:

Right now we're in the midst of some sort of weird publicity push from the US Military regarding cyberwar, which started before the Estonians got DDoSed last week.
Most of the articles point out how China is beefing up their forces, with frankly inane titles such as "China Cyberware Alert!":

http://edition.cnn.com/2007/TECH/internet/06/13/china.cyberspace.reut/index.html
http://www.defensetech.org/archives/003548.html

There's a NYT article today too, but they make it impossible to link to them.

In March, Stratfor had an article about it as well:
http://www.stratfor.com/products/premium/read_article.php?id=286304

They concluded:
"""
Ultimately, much about cyberwarfare efforts will remain classified. Cartwright's comments are more illustrative of a military that is accustomed to dominating the battle space preparing for a new offensive in cyberspace. STRATCOM's staff judge advocate -- the command's legal representative -- likely has advised Cartwright that his efforts to bring offensive cyberwarfare measures to bear have reached the point at which they require congressional oversight and approval -- the only real motivation for Cartwright to share his command's efforts with the public.
"""

If you listen to John Arquilla, of the Naval Postgraduate School, he also mentions China first as the leading integrator of cyberwarfare into their overall strategy [1]. Oddly, he believes there are only a few dozen master hackers in the world, a number I think is far too small, but perhaps we have different definitions or just a different circle of friends. His estimate is that half of the master hackers are American, a number I would say is irrelevant. You can't judge the length of a sword by the sharpness of the point.

My opinion is that any cyberwar waged against the United States would be one-sided. As Admiral Yamamoto learned the hard way [2], one of the US Military's defining characteristics is extensive propaganda efforts to get the opponent to underestimate them. But as a somewhat useful metric, you can fit the attendees of all the non-US information security conferences each month into any one US conference.
-dave

[1] http://www.worldpoliticsreview.com/podcast.aspx?id=30 - I started listening to this sure he would be full of it, but it's really quite good.
[2] http://en.wikipedia.org/wiki/Isoroku_Yamamoto and http://en.wikipedia.org/wiki/Isoroku_Yamamoto%27s_sleeping_giant_quote

From trklisted at networksamurai.org Sun Jun 24 18:31:49 2007
From: trklisted at networksamurai.org (mOses)
Date: Sun, 24 Jun 2007 18:31:49 -0400
Subject: [Dailydave] With great responsibility comes great power.
In-Reply-To:
References:
Message-ID: <467EF0D5.8060000@networksamurai.org>

The question is whether that is as scary as this:

http://www.boston.com/news/nation/articles/2007/06/04/3_plead_guilty_in_tech_export_case/

Chi Mak, who in 2005 was arrested for espionage. He was allegedly sending documents from his job as a defense contractor over to China. The CDs that were found contained propulsion systems for a new submarine and a lot more juicy things you can imagine.

I wonder how much farther forward the Chinese got because of this person and people like him.....

From mwollenweber at gmail.com Sun Jun 24 22:07:42 2007
From: mwollenweber at gmail.com (matthew wollenweber)
Date: Sun, 24 Jun 2007 22:07:42 -0400
Subject: [Dailydave] With great responsibility comes great power.
In-Reply-To: <467EF0D5.8060000@networksamurai.org>
References: <467EF0D5.8060000@networksamurai.org>
Message-ID: <42210a440706241907o76024ae9w7f89d59d8b1793b8@mail.gmail.com>

I've never seen anything at all to make me think that the US is even a major player in the cyber warfare spectrum. Maybe top 10, but top 5? I'm not inclined to think so. Dave makes a good point regarding the number of participants at foreign infosec conferences, but I'm not sure that's a good metric. There's no doubt BH/Defcon are flooded with Feds, but those conferences aren't about cyber warfare. Hacking, exploitation, etc. are all parts of cyber warfare, but it's a much larger topic and one that I've never seen the government discuss in any detail in open channels.

--
Matthew Wollenweber
mwollenweber at gmail.com | mjw at cyberwart.com
www.cyberwart.com

From halvar at gmx.de Mon Jun 25 04:21:40 2007
From: halvar at gmx.de (Halvar Flake)
Date: Mon, 25 Jun 2007 10:21:40 +0200
Subject: [Dailydave] With great responsibility comes great power.
References: <467EF0D5.8060000@networksamurai.org> <42210a440706241907o76024ae9w7f89d59d8b1793b8@mail.gmail.com>
Message-ID: <019601c7b704$584ea610$7802a8c0@D1NQ6Z1J>

I'd safely assume that any war with the US would be a short-lived affair: The US spends as much on defence as the rest of the world together.
Now, given the unlikely scenario that the rest of the world gangs up, they haven't had the same economies of scale as the US, and will get stomped into the ground nonetheless. In essence, no conventional war against the US can be a long-lived affair really, as long as the US is not forced into an occupying role that negates a good bit of their technological advantage.

From security at sligoinc.com Mon Jun 25 09:46:34 2007
From: security at sligoinc.com (Security Guy)
Date: Mon, 25 Jun 2007 09:46:34 -0400
Subject: [Dailydave] With great responsibility comes great power.
In-Reply-To: <019601c7b704$584ea610$7802a8c0@D1NQ6Z1J>
References: <467EF0D5.8060000@networksamurai.org> <42210a440706241907o76024ae9w7f89d59d8b1793b8@mail.gmail.com> <019601c7b704$584ea610$7802a8c0@D1NQ6Z1J>
Message-ID: <92db0b590706250646k56d9adadyfd7d6b568492566a@mail.gmail.com>

On 6/25/07, Halvar Flake wrote:
>
> I'd safely assume that any war with the US would be a short-lived affair:

Not to turn this into (too) political a discussion, but that highly depends on your definition of victory. Then again, an attempted conventional invasion of the US would be comically short (I'm imagining thousands of little boats from N. Korea here).

> In essence, no conventional war against the US can be a long-lived affair
> really, as
> long as the US is not forced into an occupying role that negates a good bit
> of their
> technological advantage.

There will be few, if any, purely conventional wars in the future. The US does have a huge amount of money to spend on cyber defense, but are we sure it's being spent wisely?
http://www.theregister.co.uk/2007/06/25/sweaty_spooks_power_problems/

From falcor at netassassin.com Mon Jun 25 15:49:01 2007
From: falcor at netassassin.com (Falcor)
Date: Mon, 25 Jun 2007 14:49:01 -0500
Subject: [Dailydave] With great responsibility comes great power.
In-Reply-To: <42210a440706241907o76024ae9w7f89d59d8b1793b8@mail.gmail.com>
References: <467EF0D5.8060000@networksamurai.org> <42210a440706241907o76024ae9w7f89d59d8b1793b8@mail.gmail.com>
Message-ID: <46801C2D.3020209@netassassin.com>

Yes and no. There is no standing ability if they had to start today; yes, you are probably most correct. But the US has a vast history of ramping down, and even completely mothballing, warfare divisions only to reincarnate them later as far more powerful and able units. Then, mothball and forget the lessons learned... a little like shampooing your hair basically. Just wash, rinse, and repeat. We had the same thing with cryptographers and code breakers up until the end of WWII when they decided to keep such Intelligence units operational full time. (But you could also argue that was more due to the Cold War than being proactive.)

I believe the US has limited assets currently that are actively training / working in this area. But the talent pool to pull from, in the event they are needed, is massive. Granted, there is good speculation that China (Dave opened the door) has been formally organizing and working its assets for a number of years now, having offensive and defensive teams established with standard operating procedures and training and even real-life experience in working as an organized unit. I do not believe the US has this, nor has looked all that much into it on a large scale setup.

So yea, I too would put us in the top 10 perhaps, but not higher. With of course the reservation that the US would "climb to #1" if the need arose. For now, the DHS could use a few good InfoSec engineers let alone cyber warfare specialists.
;)

matthew wollenweber wrote:
> I've never seen anything at all to make me think that the US is even a
> major player in the cyber warfare spectrum. Maybe top 10, but top 5?
> I'm not inclined to think so.
>
> Dave makes a good point regarding the number of participants at
> foreign infosec conferences, but I'm not sure that's a good metric.
> There's no doubt BH/Defcon are flooded with Feds but those conferences
> aren't about cyber warfare. Hacking, exploitation, etc are all parts
> of cyber warfare but it's a much larger topic and one that I've never
> seen the government discuss in any detail in open channels.
>
> On 6/24/07, *mOses* wrote:
>
> > The question is whether that is as scary as this:
> > http://www.boston.com/news/nation/articles/2007/06/04/3_plead_guilty_in_tech_export_case/
> >
> > Chi Mak who in 2005 was arrested for espionage. He was allegedly sending
> > documents from his job as a defense contractor over to China. The CDs
> > that were found contained propulsion systems for a new submarine and a
> > lot more juicy things you can imagine.
> >
> > I wonder how much farther forward the Chinese got because of this person and
> > people like him.....

From genericjohnsmith at gmail.com Mon Jun 25 18:55:47 2007
From: genericjohnsmith at gmail.com (John Smith)
Date: Mon, 25 Jun 2007 22:55:47 +0000
Subject: [Dailydave] With great responsibility comes great power.
In-Reply-To: <42210a440706241907o76024ae9w7f89d59d8b1793b8@mail.gmail.com>
References: <467EF0D5.8060000@networksamurai.org> <42210a440706241907o76024ae9w7f89d59d8b1793b8@mail.gmail.com>
Message-ID: <32EF5265-1368-42A2-B40F-01722D34842E@gmail.com>

On Jun 25, 2007, at 2:07 AM, matthew wollenweber wrote:

> I've never seen anything at all to make me think that the US is
> even a major player in the cyber warfare spectrum. Maybe top 10,
> but top 5? I'm not inclined to think so.
>

you say this because...you have security clearances from 4-9 governments in addition to the US, and are familiar with all national attack capabilities?
Sheesh, talk about talking out your butt! I'm curious who you think the top 5 are even.

Falcor hit it on the head. Even though there are a bunch of small red teams scattered about the govt, if the US wanted to get serious, how many contractors could they pull in at the drop of a hat? How many private companies like Dave's with known offensive capability would they simply make new NDA contracts for? And since you probably think that countries having cyber criminals makes them an effective power, keep in mind that if you're talking general vigilantism, there will always be plenty of that on both sides, and it will be largely wasted since it won't be channeled to any central points of control for more effective utilization.

John

From mwollenweber at gmail.com Mon Jun 25 19:20:34 2007
From: mwollenweber at gmail.com (matthew wollenweber)
Date: Mon, 25 Jun 2007 19:20:34 -0400
Subject: [Dailydave] Fwd: With great responsibility comes great power.
In-Reply-To: <42210a440706251620u3b2edf8dp9e4ec3fea47c72b6@mail.gmail.com>
References: <467EF0D5.8060000@networksamurai.org> <42210a440706241907o76024ae9w7f89d59d8b1793b8@mail.gmail.com> <32EF5265-1368-42A2-B40F-01722D34842E@gmail.com> <42210a440706251620u3b2edf8dp9e4ec3fea47c72b6@mail.gmail.com>
Message-ID: <42210a440706251620r4ee214e1s76b712988e3ba95f@mail.gmail.com>

Actually, yes, I'm fairly up to date on the US and cyber warfare. I'm former NSA and currently a contractor in the Baltimore/Washington area. I've been on 3 red teams including for the government. No, I can't support anything in this forum, but neither can anyone else that really knows anything at all about this topic.

If you work at all with the DoD or the IC you'd understand how implausible it is to simply take private companies into the cyber warfare spectrum. Aside from the government being slow and cautious there are major legal hurdles in the way. So thanks for the thought, but it's not really applicable under current US law and procedures.
--
Matthew Wollenweber
mwollenweber at gmail.com | mjw at cyberwart.com
www.cyberwart.com

From famato at infobyte.com.ar Tue Jun 26 09:48:07 2007
From: famato at infobyte.com.ar (Francisco Amato)
Date: Tue, 26 Jun 2007 10:48:07 -0300
Subject: [Dailydave] [ISR] :: Demo bypassing IBM ISS Proventia :: release (ISR-sqlget.pl) v1.0.0
Message-ID: <000901c7b7f8$a14981b0$9b01a8c0@BYFXA011461>

Hello,

I'd like to announce the first release.
I wrote the core during a pentest because I needed to take advantage of new bypassing features and to exploit SQL injection against uncommon backend databases.

In ./ISR-sqlget/examples you can find some configuration examples.

Feel free to contribute to this project; please don't hesitate to contact me.

Regards,

-- ISR - Infobyte Security Research --

| ISR-sqlget v1.0.0 | www.infobyte.com.ar |

..DEMO

- Demo features (bypassing IBM ISS Proventia IPS)
  http://www.infobyte.com.ar/demo/ISR_sqlget_ISS_proventia_bypass.html

..:: DESCRIPTION

ISR-sqlget: It's a blind SQL injection tool developed in Perl. It lets you get database schemas and table rows. Using a single GET/POST you can quietly access the database structure, and using a single GET/POST you can dump every table row to a csv-like file.

Databases supported:
- IBM DB2
- Microsoft SQL Server
- Oracle
- Postgres
- Mysql
- IBM Informix
- Sybase
- Hsqldb (www.hsqldb.org)
- Mimer (www.mimer.com)
- Pervasive (www.pervasive.com)
- Virtuoso (virtuoso.openlinksw.com)
- SQLite
- Interbase/Yaffil/Firebird (Borland)
- H2 (http://www.h2database.com)
- Mckoi (http://mckoi.com/database/)
- Ingres (http://www.ingres.com)
- MonetDB (http://www.monetdb.nl)
- MaxDB (www.mysql.com/products/maxdb/)
- ThinkSQL (http://www.thinksql.co.uk/)
- SQLBase (http://www.unify.com)

Evasion features:
- Full-width/Half-width Unicode encoding
- Apache non-standard CR bypass
- mod_security bypass
- Random uppercase request transform
- PHP Magicquotes: encode every string using the db CHR function or similar.
- Convert requests to hexadecimal values
- Avoid spaces by replacing them with /**/ or (\t) tab
- Avoid || or + concatenation by using the db concat function or similar.
- Random user-agent
- Random proxy-server
- Random delay request

Common features:
- Database schema download blacklist
- Cookie array support
- SSL support
- Proxy server support
- Database information dumped in csv format

Reporting:
- Database structure graphing to create executive impact reports (requires the Graphviz library, http://www.graphviz.org/)

..AUTHOR

Francisco Amato - famato+at+infobyte+dot+com+dot+ar

..:: DOWNLOAD

http://www.infobyte.com.ar/development.html

From kristian.hermansen at gmail.com Tue Jun 26 09:09:31 2007
From: kristian.hermansen at gmail.com (Kristian Hermansen)
Date: Tue, 26 Jun 2007 09:09:31 -0400
Subject: [Dailydave] 6 Month Vista Vuln Report, Debunked
Message-ID:

This report from Microsoft's Jeff R. Jones is ludicrous:
http://www.csoonline.com/pdf/6_Month_Vista_Vuln_Report.pdf

The Microsoft "researcher" claims that Windows Vista is exponentially less vulnerable than many Linux distributions and Mac OS X. It may be true that the default Vista installation has had fewer public vulnerability reports, and that Linux has had many more, but this is due to the nature of Open Source. Jeff does not include any "silently fixed" vulnerabilities that have been patched since Vista was released, and Microsoft has not disclosed such vulnerabilities publicly. Here is a per-section debunking of his paper broken down by topic, because I feel Jeff really needs to perform another, less exaggerated analysis.

"Window Vista - The First 6 Months"

Let's remember that Vista was released to business partners earlier than home users. He does not account for this gap, and thus, this could soften the exposure of the official Vista code to many researchers for analysis.

"Teredo"

Teredo is also a major hole, and they are leaving it wide open. The community feels this is a flaw, but Microsoft doesn't seem to care. Also, the entire networking stack was rewritten for Vista, and that means lots of new bugs are present.
I have already spoken to other researchers who have not disclosed such flaws publicly. However, a good start for learning about some is the Symantec paper that analyzed Vista during the BETA phases and revealed numerous issues.

"Windows XP"

Windows XP, touted as the most secure OS to date on release. Also, touted as secure in SP1, and again most secure in SP2. We are now seeing it again with Vista. Are we really supposed to believe that somehow this mantra is going to change just because Microsoft tells us so? In defense of Microsoft, however, they have focused their efforts to really clean things up, and that is commendable.

"Red Hat Enterprise Linux 4 Workstation"

OK. The claims here are just plain insulting. The 100+ vulnerabilities include such software as PostgreSQL, MySQL, mailman, squid, and emacs. None of this software is installed in a default installation of RHEL4. I think the guy clicked on "Install Everything" and went to town with vulnerability reports :-)

"RHEL4 Reduced Component List"

This analysis more closely assimilates with Vista, but is still bloated in that many of the vulnerabilities he reports are very small bugs in Firefox, which don't result in a compromise of the host. Again, the nature of bug reporting in open versus closed source software.

"Ubuntu"

Again, the nature of open versus closed source bug reporting. However, even the kernel flaws reported are only relevant when such modules are loaded in the system and that surface is exposed. Again, the results are inflated, even in the "reduced" set.

"Novell"

More of the same. The vulnerabilities are shared between all the distros of course!

"Mac OS X"

Even though OS X claims to be secure, researchers have obviously shown that Apple will have flaws too. This is the nature of software, and it affects all code. However, the paper claims that things like the vulnerability below are relevant...

A bug in AFP Server when using an ACL-enabled storage volume may in certain situations result in an ACL remaining attached when a file with POSIX-only permissions is copied.

"Putting It All Together"

* insert nice graphs here *

The conclusions that are drawn are built on a lack of understanding by the Microsoft researcher. I highly encourage him to go back and take another look, and pare down the results to essential information that is absolutely critical to the conclusions, rather than just "Other OS's have more bugs, see, look at my graphs"...

--
Kristian Hermansen

From dave at immunityinc.com Tue Jun 26 16:38:04 2007
From: dave at immunityinc.com (Dave Aitel)
Date: Tue, 26 Jun 2007 16:38:04 -0400
Subject: [Dailydave] Avant-Garde Dance and Microsoft Tuesday
Message-ID: <4681792C.9010007@immunityinc.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I like to make up my own definitions for things sometimes. For example, I was hanging out with some professional modern dancers (if you just say "dancers" people assume you mean strippers) in Bern a couple weeks ago. My definition of avant-garde dance is "You're going to see someone's nipples". While this might not be the preferred definition for most people, I stick to it since it's a simple and easy metric even if "You're going to see someone's nipples and there will be some loud non-melodic electronica" is much more accurate.

Likewise, I read with interest the weblog here:
http://www.avertlabs.com/research/blog/index.php/2007/06/26/zero-day-threats-part-3-when-how-are-they-released/

In it, Craig Schmugar of Avert Labs (McAfee) posits that 0day means:

The public availability of exploit information on the same day that a vulnerability is publicly disclosed.

I know there are a lot of people's opinions on what "0day" means, but that's more off-base than my nipple definition for avant-garde dance. There are other problems with his analysis.
He's testing the following theory: "Some concluded that many zero day threats are strategically released very close to Patch Tuesday as a means to maximize the Window of Vulnerability". But somehow he thinks that you would detect an exploit immediately after it was being widely used, and that for some reason it's valuable to include every potential Microsoft vulnerability in the survey, as opposed to just remotely exploitable IE bugs. Everything else in the blog post is a confused muddle. Certainly someone could do some real research here with the numbers, but this isn't it.

If you want to maximize the use of an 0day, you use it selectively on targets for a long time, then you go nuts with it right before you think it will be killed or right after it's been killed. Even then, it will probably take the AV/IDS community a week to notice it. So my expected curve has a peak about 7 days after Microsoft Tuesday, given that I think the bug will die next month and I'm likely to release it on Patch Weds. If people are widely using 0day right before MS Tuesday, this would indicate they've owned Microsoft and know when bugs are about to be patched.

- -dave

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGgXkqB8JNm+PA+iURAoADAKCePHCUwa5bqrsl84NiJpQBK98ioACgwAqp
3xL2E/b4/Y7e/Sp8bJzxk88=
=xnJT
-----END PGP SIGNATURE-----

From lyndons at paradise.net.nz Tue Jun 26 20:02:12 2007
From: lyndons at paradise.net.nz (lyndon sutherland)
Date: Wed, 27 Jun 2007 12:02:12 +1200
Subject: [Dailydave] With great responsibility comes great power.
In-Reply-To:
References:
Message-ID: <4681A904.5030306@paradise.net.nz>

The best? I think only history might hold the answer, but I don't think it's a simple case of he with the largest budget wins. If you were to think eBay, Yahoo and Mafiaboy in the same sentence it should make some sense. Surely, cyberspace could be reasonably viewed as the optimal arena for asymmetrical warfare. Ingenuity of course comes to mind and it seems there's still room for better mousetraps. Along the same lines, I doubt Dave has the biggest R&D budget in the industry, but he does pretty well, don't you think?

Surely also, isn't actual defense arguably a more critical aspect? It'd be rather disturbing to have a huge offensive capability, sitting on top of Swiss cheese infrastructure.

Lacking is a good definition of cyberwar. In cyberspace, it seems a virtual butterfly flapping its wings is qualified as an act of war.

More seriously though, the paper "Cyber Warfare, An analysis of the means and motivations of selected nation states" from Dartmouth provides some insights:
http://www.ists.dartmouth.edu/directors-office/cyberwarfare.pdf

The paper is dated December 2004 so could be considered a little dated but certainly in my opinion worth a read. Quite an interesting subject.

Cheers
L

From halvar at gmx.de Thu Jun 28 03:45:36 2007
From: halvar at gmx.de (Halvar Flake)
Date: Thu, 28 Jun 2007 09:45:36 +0200
Subject: [Dailydave] With great responsibility comes great power.
References:
Message-ID: <078a01c7b958$521580b0$98b2a8c0@D1NQ6Z1J>

Hey Adriel,

I also underestimate the power of exchange rates -- the same budget buys a lot more in .cn than it buys in the US, both in materials and in manpower ;) Nonetheless, I still think that budget correlates to power, especially in military matters, and that there are economies of scale to be harvested.

Anyhow, this is a bit of a moot discussion. The reality of politics and war is very nuanced, and very complex (gladly so - any sane person shies away from the complexity associated with waging war :), and quite honestly, I think we all know jack shit about it :) (at least I do).

Side note: A war between the US and any d