From dave at immunityinc.com Fri Aug 1 11:13:40 2008
From: dave at immunityinc.com (Dave Aitel)
Date: Fri, 01 Aug 2008 11:13:40 -0400
Subject: [Dailydave] Clocks, pyUNO, Sex Kittens.
Message-ID: <48932824.6080401@immunityinc.com>

My personal clock had me up at 4am here in Vegas. I spent the time working with pyUNO, which is an API only a mother could love. But it comes down to this: If you're going to create reports programmatically, you can cobble together a solution with various libraries, or you can just drive OpenOffice to make it do things the right way.

Anyways, I like how the default setup means anyone locally can connect to your OpenOffice and make it do things like run commands. :>

For those who haven't read it: Look, it's weev and hepkitten in the New York Times Magazine!
http://www.nytimes.com/2008/08/03/magazine/03trolls-t.html

And in an update to NOP certifications: they will be available first come first served (sign up sheet) at the Immunity booth in the vendor section of DEFCON. Participants can use their own tools if provided to us on CD, or Immunity tools will be provided. VisualSploit is the fastest way to write small exploits like this, but if you want to install Bob's Automatic Windows Exploit Creation Tool, that's fine with us.

And we can confirm that not only will certified NOPs at DEFCON receive an invitation to the Sexy Hacking party, to be held in an as-yet undisclosed location on Saturday August 9, but at the party certified NOPs will also have the opportunity to play Hugh Jackman's role from the film Swordfish while sitting an advanced NOP certification test! Select Sexy Hacking girls will be scene extras and the winners will (of course) receive a job interview with Immunity.

Please email admin at immunityinc.com if you have any questions.

From dave at immunityinc.com Fri Aug 1 11:25:57 2008
From: dave at immunityinc.com (Dave Aitel)
Date: Fri, 01 Aug 2008 11:25:57 -0400
Subject: [Dailydave] w00t 08
Message-ID: <48932B05.2050404@immunityinc.com>

These are not the papers you're looking for.
http://www.usenix.org/event/woot08/tech/full_papers/

Seriously, there's nothing there to scare a network offense professional. I don't think it's w00t's fault, either. I think the research communities are diverging into public and private, as this research gets more expensive to do.

USENIX may not be the place for academic treatment of offensive security research. A friend of mine wonders if there's any future for academic treatment of the subject at all. He wonders wistfully of course, since he likes academia.

Anyways, either be scary or be silly. There's no middle ground here. It's a fundamental truth in this field: You're either in, or you're out.

-dave

From arunkoshy at gmail.com Fri Aug 1 15:00:44 2008
From: arunkoshy at gmail.com (Arun Koshy)
Date: Sat, 2 Aug 2008 05:00:44 +1000
Subject: [Dailydave] @ DEFCON : recommended vendor
Message-ID: <1d0ba3070808011200g4c2e254au8de9ce5ba297eaf9@mail.gmail.com>

note: thanks to Dave for allowing this shameless vendor plug

For people that would like to check out something truly different (especially family oriented folks), check out Johnny's booth at DEFCON:
http://johnny.ihackstuff.com

The light shines in the darkness..
thanks to all who are part of the real deal..

From cmiller at securityevaluators.com Fri Aug 1 13:31:26 2008
From: cmiller at securityevaluators.com (Charles Miller)
Date: Fri, 1 Aug 2008 12:31:26 -0500
Subject: [Dailydave] w00t 08
In-Reply-To: <48932B05.2050404@immunityinc.com>
References: <48932B05.2050404@immunityinc.com>

I was at WOOT and it is supposed to bring academia and commercial (i.e. "hackers") together to share ideas. The funny thing was the whole time I thought that the commercial folks were showing the out of touch academic folks what real, hard core security research was about while the academic people probably thought they were enlightening us!

Charlie

BTW, as a plug, the paper I was a co-author on is under the "daniel" directory :)

On Aug 1, 2008, at 10:25 AM, Dave Aitel wrote:

> These are not the papers you're looking for.
> http://www.usenix.org/event/woot08/tech/full_papers/
> [...]

From brett.moore at insomniasec.com Sat Aug 2 19:08:22 2008
From: brett.moore at insomniasec.com (Brett Moore)
Date: Sun, 3 Aug 2008 11:08:22 +1200
Subject: [Dailydave] Insomnia: Tool Release - PuttyHijack V1.0
Message-ID: <000e01c8f4f4$ace622a0$06b267e0$@moore@insomniasec.com>

___________________________________________________________________
Insomnia Security :: PuttyHijack V1.0
___________________________________________________________________

Name: Putty Hijack
Released: 31 July 2008
Author: Brett Moore, Insomnia Security
Original Link: http://www.insomniasec.com/releases/tools
___________________________________________________________________

_______________
Description
_______________

PuttyHijack is a POC tool that injects a DLL into the Putty process to hijack an existing, or soon to be created, connection.

This can be useful during penetration tests when a Windows box that has been compromised is used to SSH/Telnet into other servers.

The injected DLL installs some hooks and creates a socket for a callback connection that is then used for input/output redirection. It does not kill the current connection, and will cleanly uninject if the socket or process is stopped.

PuttyHijack was inspired by the work that Metlstorm did on SSHJack (http://www.storm.net.nz/projects/7) but at this release does not create a new SSH tunnel for the connection.

_______________
Legals
_______________

The information is provided for research and educational purposes only.
Insomnia Security accepts no liability in any form whatsoever for any direct or indirect damages associated with the use of this information.
___________________________________________________________________

From jon at oberheide.org Sat Aug 2 15:01:40 2008
From: jon at oberheide.org (Jon Oberheide)
Date: Sat, 02 Aug 2008 15:01:40 -0400
Subject: [Dailydave] w00t 08
In-Reply-To: <48932B05.2050404@immunityinc.com>
References: <48932B05.2050404@immunityinc.com>
Message-ID: <1217703700.10323.26.camel@apollo>

Having just gotten back from WOOT and being a self-loathing academic who thinks that a significant portion of academic security research is garbage, I have to both agree and disagree.

Yes, there is a huge gap between the public and private research communities. This division was very apparent at WOOT this year. There was a sea of blank stares and misguided questions during Charlie's JS presentation and a bunch of confused faces when we were discussing "Dowd-weeks" as a security assurance metric. Simply put, if you want to filter down the proceedings to the interesting presentations, a simple `grep -v University` of the author institutions is sufficient.

But I disagree with the "in or out" approach. WOOT certainly has a difficult task: it only attracted a low 20-some submissions this year, is scheduled right next to BH USA, and lacks any incentive for private researchers to bring their work into the USENIX arena, just to name a few of the problems. However, if WOOT can narrow that gap between the public and private communities ever so slightly (or even decrease the rate of the gap widening), or convince 30-some academics that they are so far behind the curve of offensive research, then I think it has achieved its goals.

Regards,
Jon Oberheide

On Fri, 2008-08-01 at 11:25 -0400, Dave Aitel wrote:
> These are not the papers you're looking for.
> http://www.usenix.org/event/woot08/tech/full_papers/
> [...]

-- 
Jon Oberheide
GnuPG Key: 1024D/F47C17FE
Fingerprint: B716 DA66 8173 6EDD 28F6 F184 5842 1C89 F47C 17FE

From mpatters at cs.uwaterloo.ca Sat Aug 2 10:49:39 2008
From: mpatters at cs.uwaterloo.ca (Mike Patterson)
Date: Sat, 02 Aug 2008 10:49:39 -0400
Subject: [Dailydave] w00t 08
References: <48932B05.2050404@immunityinc.com>
Message-ID: <48947403.9000501@cs.uwaterloo.ca>

Charles Miller wrote on 8/1/08 1:31 PM:
| I was at WOOT and it is supposed to bring academia and commercial
| (i.e. "hackers") together to share ideas. The funny thing was the
| whole time I thought that the commercial folks were showing the out of
| touch academic folks what real, hard core security research was about
| while the academic people probably thought they were enlightening us!

The other funny thing is academics have been struggling with things that are causing the security community fits - like responsible disclosure - for as long as people have been writing things down for others to read. If the "real, hard core security researchers" would listen (or read) a bit more, they might learn something. If you thought BIND was bad, what about nuclear fission research? How was that handled in the 30s-50s?

Mike

-- 
Any setuid root program that does an exec() somewhere is just a less user friendly version of su. - Olaf Kirch

From root_ at fibertel.com.ar Sat Aug 2 22:30:52 2008
From: root_ at fibertel.com.ar (root)
Date: Sat, 02 Aug 2008 23:30:52 -0300
Subject: [Dailydave] w00t 08
In-Reply-To: <48932B05.2050404@immunityinc.com>
References: <48932B05.2050404@immunityinc.com>
Message-ID: <4895185C.6090403@fibertel.com.ar>

Dave Aitel wrote:
> These are not the papers you're looking for.
> http://www.usenix.org/event/woot08/tech/full_papers/
> [...]

Commercial security conferences don't have great academic value because they are not peer reviewed (well, not reviewed by academic people) and there are other much more important academic journals like IEEE, etc. that in theory don't accept money in exchange for the publication of an article.

Believe me, I had a hard time convincing my thesis advisor of the importance of being a speaker at Blackhat...

Anyway, cryptography and cryptanalysis (offensive or not) is certainly dominated by academia, and I don't see that changing in the future.

_______________________________________________
Dailydave mailing list
Dailydave at lists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave

From version5 at gmail.com Sun Aug 3 06:57:00 2008
From: version5 at gmail.com (nnp)
Date: Sun, 3 Aug 2008 11:57:00 +0100
Subject: [Dailydave] w00t 08
In-Reply-To: <4895185C.6090403@fibertel.com.ar>
References: <48932B05.2050404@immunityinc.com> <4895185C.6090403@fibertel.com.ar>
Message-ID: <28749c0e0808030357s51e42483j411b49fa759e3c1@mail.gmail.com>

On Sun, Aug 3, 2008 at 3:30 AM, root wrote:
> Dave Aitel wrote:
>> [...]
>
> Commercial security conferences don't have great academic value because
> they are not peer reviewed (well, not reviewed by academic people) and
> there are other much more important academic journals like IEEE, etc. that in
> theory don't accept money in exchange for the publication of an article.

I'd like to get everyone else's opinion/experiences with articles from so called 'peer reviewed' journals like IEEE and the rest. I've spent the past 8 weeks or so working on a project as a research monkey at my uni and spent the first few weeks poring over journals etc. When it actually came time for implementation though I discovered a huge array of problems that had not been mentioned in the articles (and were presumably ignored as acceptable sources of error). When I contacted the authors requesting to see their software so I could determine if they had solutions to the problems I was either ignored or blown off with excuses like "we currently don't have the resources to make that available". In my opinion this brings all of their results into question when outsiders don't know exactly what sources of error they deemed acceptable. If some academics aren't bothering to release their software and their results are questionable then what purpose do they serve other than to fill pages in journals?

So my question basically boils down to, how much reviewing actually goes on? i.e. Do they run the software? Do they examine code or formulae? Or is it just a case of 'well it looks right'?
-- 
http://www.smashthestack.org
http://www.unprotectedhex.com

From k8ek8e at gmail.com Sun Aug 3 12:02:25 2008
From: k8ek8e at gmail.com (Katie M)
Date: Sun, 3 Aug 2008 09:02:25 -0700
Subject: [Dailydave] w00t 08
In-Reply-To: <28749c0e0808030357s51e42483j411b49fa759e3c1@mail.gmail.com>
References: <48932B05.2050404@immunityinc.com> <4895185C.6090403@fibertel.com.ar> <28749c0e0808030357s51e42483j411b49fa759e3c1@mail.gmail.com>

As a former researcher on the Human Genome Project (my career had a brief detour in Molecular Bio in the early years), I can tell you that other scientific disciplines outside of computer security have the same problems. Wherever prestigious awards, big government grants, and possible lucrative drug company deals are at stake, some of the more unscrupulous of the scientists would sacrifice the integrity of their work in favor of speed. First to publish meant first dibs on all of the brass rings. It didn't matter if the data was bunk or the assays were all flawed. When I brought up the issues, I was told "we'll explain it in the notes, or an addendum later". Such addenda never came. It's part of why I left academia in the first place, because I couldn't reconcile my own integrity with that of the "successful" scientists around me. Though I believe there are very talented and scrupulous individuals within every discipline, I tended to be attracted to the more exciting projects (Genome, AIDS research), and those probably had a disproportionate number of the unscrupulous who wanted the fame and the money that would eventually follow.
It was also a feudal system, where the head of the lab would take primary authorship of any given student's work on a routine basis -- indentured servitude for an undetermined stretch of time until you could form your own fiefdom and possibly subjugate others' intellects.

What I did get from my turn in academia was a scientific method that proved useful in pen testing. I was often well-paired with "shotgun" consultants that would fire away, nearly at random, and try to collect whatever fruit dropped from the violent tree shake. It took them more time to figure out what they had done and document it. I was always slower at finding vulns, but could repro my vulns instantly and reliably because I documented each step, and had systematically isolated factors to determine the root cause. Neither method on its own would have done the job right, but I found I was always complementary to another's cowboy-shoot-from-the-hip instincts.

What I really love about security work is that the proof is in the pwnage. Documenting repro steps on a pen test is like giving someone a recipe to make your vuln cake. If it doesn't turn out, they might call you on it. Tools release is the same way -- instant peer-review. It's much more honest than the "peer-reviewed publications" of academia can be. And though security researchers/hackers tend to be paranoid, there is a healthier sharing of information among these networks of peers than I observed in a lab while working on AIDS research. Scientists were duplicating each other's work and re-doing proven failed experiments because they were paranoid that their work would be stolen by another scientist down the hall. I'm convinced AIDS and a slew of other ailments would be cured by now if this were not the culture. The non-academic security world's sharing and collaboration is much more true to the earliest scientists and mathematicians. Solve the problem, give greetz, shouts, and talks together. w00t, indeed.

I think the intersection of the two worlds of academic and public can be fruitful -- some of the most brilliant inspiration for security analysis comes from such symphonies (think Marshall Beddoe's Network Protocol Analysis using Bioinformatics Algorithms paper: http://www.4tphi.net/~awalters/PI/pi.pdf). There are gems to be polished on both sides of the fence, and much we can do to advance the science of security, taking the best of both worlds. But would I ever go back to academia? No, I'd miss my autonomy too much.

Cheers,
Katie

On Sun, Aug 3, 2008 at 3:57 AM, nnp wrote:
> [...]

From piercede at pdx.edu Sun Aug 3 14:39:10 2008
From: piercede at pdx.edu (Dean Pierce)
Date: Sun, 03 Aug 2008 11:39:10 -0700
Subject: [Dailydave] w00t 08
In-Reply-To: <28749c0e0808030357s51e42483j411b49fa759e3c1@mail.gmail.com>
References: <48932B05.2050404@immunityinc.com> <4895185C.6090403@fibertel.com.ar> <28749c0e0808030357s51e42483j411b49fa759e3c1@mail.gmail.com>
Message-ID: <4895FB4E.9020605@pdx.edu>

It's just too easy to game the system in academia. Professors are rated on the number of papers referencing them, and also how well their PhD students are doing. Most universities require students to have at least a few journal papers.

The way I have seen it, it normally works like this:

Professor Alice and Professor Bob are tenured professors at their respective universities. Alice and Bob know each other because they are in the same field, so they attend the same conferences. Alice and Bob sit as reviewers for various journals. Alice has a PhD student, Carol, who needs to get a paper published. To get the paper published, Carol is told to put Alice as the first author, add as many references at the end as possible to Bob's papers, and submit it to Bob's journal.
It is also assumed that Bob's students will be allowed to publish in Alice's journal.

*** the result ***

Bob gains references, which elevates his position at the university. Alice's PhD student gets published, which elevates her position. Carol gets her PhD.

*** the problem ***

If Bob does not recognize the first author, there is no way he is going to take the paper seriously. If the paper does not reference any of Bob's papers, Bob has no incentive to allow the paper to be published, and the paper is rejected with "author does not know the literature". I have seen scenarios where Alice is still the first author, but Carol doesn't put Bob as a reference. Bob then complains to Alice about this. Alice tells Carol to put Bob as a reference, they resubmit the exact same paper, and the paper is accepted.

*** punchline ***

The whole concept of "academic peer review" is a giant political circle jerk. When someone complains about lack of "peer review", they are most likely complaining about someone "not going through the proper channels".

With all that said, I agree completely that computer science journals have become little more than software catalogs, full of nothing but blatant advertising. If anyone wants to hear me rant for hours on how I despise people like Dawson Engler, I'll be flying into Vegas Tuesday afternoon. Send me an email and I'll buy you a drink :-)

Imagine if a physics journal did that. Imagine if they published papers along the line of "We just created a zero point energy system (trust us), and it was damn awesome! Contact us if you want to license it from us for a nominal fee". In my opinion, if they do not release the code that can reproduce the numbers they are showing off, then they are full of shit and should not be published.

The thing I love the most about the security community is that the researchers are only as good as the last thing they broke. You can't get "tenure" in the security community. It doesn't matter if you were the shit 4 years ago, because that means nothing now. If you can't keep up with modern advances, you get left behind.

- DEAN

nnp wrote:
> [...]

From adam at homeport.org Sun Aug 3 14:51:10 2008
From: adam at homeport.org (Adam Shostack)
Date: Sun, 3 Aug 2008 14:51:10 -0400
Subject: [Dailydave] w00t 08
In-Reply-To: <28749c0e0808030357s51e42483j411b49fa759e3c1@mail.gmail.com>
References: <48932B05.2050404@immunityinc.com> <4895185C.6090403@fibertel.com.ar> <28749c0e0808030357s51e42483j411b49fa759e3c1@mail.gmail.com>
Message-ID: <20080803185110.GB12805@homeport.org>

(Added Tal Garfinkel, who organizes WOOT.)
On Sun, Aug 03, 2008 at 11:57:00AM +0100, nnp wrote: | On Sun, Aug 3, 2008 at 3:30 AM, root wrote: | > Dave Aitel wrote: | >> These are not the papers you're looking for. | >> http://www.usenix.org/event/woot08/tech/full_papers/ | >> | >> Seriously, there's nothing there to scare an network offense | >> professional. I don't think it's w00t's fault, either. I think the | >> research communities are diverging into public and private, as this | >> research gets more expensive to do. | >> | >> USENIX may not be the place for academic treatment of offensive security | >> research. A friend of mine wonders if there's any future for academic | >> treatment of the subject at all. He wonder's wistfully of course, since | >> he likes academia. | >> | >> Anyways, either be scary or be silly. There's no middle ground here. | >> It's a fundamental truth in this field: You're either in, or you're out. | >> | >> -dave | >> | > | > Commercial security conferences don't have great academic value because | > they are not peer reviewed (well, not reviewed by academic people) and | > there are other much important academic journals like ieee, etc. that in | > theory don't accept money in exchange for the publication of an article. | | I'd like to get everyone else's opinion/experiences with articles from | so called 'peer reviewed' journals like IEEE and the rest. I've spent | the past 8 weeks or so working on a project as a research monkey at my | uni and spent the first few weeks pouring over journals etc. When it | actually came time for implementation though I discovered a huge array | of problems that had not been mentioned in the articles (and were | presumably ignored as acceptable sources of error). When I contacted | the authors requesting to see their software so I could determine if | they had solutions to the problems I was either ignored or blown off | with excuses like "we currently don't have the resources to make that | available". 
| In my opinion this brings all of their results into
| question when outsiders don't know exactly what sources of error they
| deemed acceptable. If some academics aren't bothering to release their
| software and their results are questionable then what purpose do they
| serve other than to fill pages in journals?
|
| So my question basically boils down to, how much reviewing actually
| goes on? i.e. Do they run the software? Do they examine code or
| formulae? Or is it just a case of 'well it looks right'?

Let me answer the question, and then get a little philosophical. I'll
mention that I've been on the program committee for both WOOT
workshops, because I think what Tal is trying to do is both worthwhile
and very hard.

Reviews vary enormously by reviewer. In an ideal world, a paper
contains enough information to reproduce results. A reviewer may
choose to try to do that, or read what's there and critique it.
Either way, I think the papers are (on average) higher quality than
most presentations at hacker cons. First, they're actual papers in
essay form, rather than slide decks. Second, the goal of the review
process is to improve the paper. Does it achieve that? Not always.
Reviews for a workshop like WOOT are faster than reviews for a large
conference like USENIX or Oakland. This is, if you know the code,
reflected in the name of the venue. Workshop papers are *expected* to
be lower quality than conference papers. "That's what workshops are
for."

Papers in journals like Phrack and Uninformed are sometimes equal in
terms of quality, but have very different norms and expectations,
which can make reading them challenging for people outside the
community of practice. Of course, the same thing applies to people
reading academic papers. The word "practical" is my favorite pet
peeve.

I think it would be great to create a norm of releasing software and
datasets as part of publication.
I also think it would be great to
have norms of reading the work outside our own narrowly defined
schools of thought. It's too easy to get a talk at a hacker con that
says exactly what an academic paper says, and vice versa. I think
WOOT has the potential to help with that.

There's a huge potential for cross-fertilization, but
cross-fertilization requires people spend time first in a limbo.
Hackers are sort of used to getting paid, academics need publications
that will lead to tenure and grants, and more prestigious conferences
count for more than a workshop. So everyone's motivation is against a
long-term payoff with low probability.

When I did the Silver Bullet podcast with Gary McGraw, we talked about
how in the 90s, he and Ed Felten and some other folks pushed for
actual software flaws to be acceptable as topics for academic security
papers. Before that, there was even more math, and less applied.
(Andrew and I talk about this orientation issue in the New School as
well).

Changing both communities is going to take years of work and
dedication. Ideally, what comes out is stronger for both. Ideally,
we'll see powerful math and theory applied and getting beyond "just
validate input." We'll see applied research which is more than "oooh,
look, a buffer overflow." (Admittedly, both of these are rude
stereotypes.)

If you want to see academics publishing their research, start blogging
with titles like "Academic paper foo is not reproducible." Submit
short papers to the venues a paper was published in saying "I did X, Y
and Z, and it didn't work like they said. I contacted them, and they
declined to share their data or software. So their paper needs to be
fixed, and it's not clear how to do that." It's hard for a program
committee to reject such a paper if it's done to a reasonable
standard.

This has gotten really long, sorry. To wrap up, I think that bringing
together communities is both expensive and often very worthwhile.
Please understand that what we're trying to do with WOOT will produce
those blank stares for a while, and then, perhaps people will say "I'm
confused. Why are you doing it that way?" Finally, I hope, it will
start producing collaborations that do really cool stuff to hard
problems.

Adam

From dan at geer.org Sun Aug 3 22:44:11 2008
From: dan at geer.org (dan at geer.org)
Date: Sun, 03 Aug 2008 22:44:11 -0400
Subject: [Dailydave] w00t 08
In-Reply-To: Your message of "Sun, 03 Aug 2008 11:39:10 PDT." <4895FB4E.9020605@pdx.edu>
Message-ID: <20080804024411.2F22133EFC@absinthe.tinho.net>

Dean Pierce writes:
-+-----------------
 | ...
 | Bob gains references, which elevates his position at
 | the university. Alice's PhD student gets published,
 | which elevates her position. Carol gets her PhD.
 | ...

I was hanging around the Harvard Medical School in the 1970s, where a
Famous Lab Director named Eugene Braunwald taxed every paper coming out
of his lab with the usual tax -- list him (the lab director) as a
co-author if you want to publish. John Darsee, one of his, was caught
spectacularly making up data (or was it caught making up spectacular
data...). When bunches of Darsee's published papers had to be recalled,
Braunwald took a hit, too. Since at that time Braunwald's bibliography
was over 800 papers (precisely due to the authorship tax), many lab rats
concluded that there is a God.
--dan

http://members.aol.com/quentncree/lehrer/lobachev.htm

From cmiller at securityevaluators.com Sun Aug 3 20:46:36 2008
From: cmiller at securityevaluators.com (Charles Miller)
Date: Sun, 3 Aug 2008 19:46:36 -0500
Subject: [Dailydave] w00t 08
In-Reply-To: <20080803185110.GB12805@homeport.org>
References: <48932B05.2050404@immunityinc.com> <4895185C.6090403@fibertel.com.ar> <28749c0e0808030357s51e42483j411b49fa759e3c1@mail.gmail.com> <20080803185110.GB12805@homeport.org>
Message-ID: <5B91AD4B-C2AD-4BD2-87AD-5FED4FAB40C0@securityevaluators.com>

Yea, probably the biggest problem, as Adam pointed out, is in academia,
"workshops" are for all the papers that couldn't get into "conferences".
So WOOT this year ended up with second string academic papers and on the
commercial side, talks that weren't going to be given at Black Hat.

I mentioned to Tal that it would be cool to have WOOT be a best-of from
the commercial and academic sides. Papers could be invited by the program
committee which, besides me, is pretty awesome. So it would be a
re-broadcast of the best talks/papers of the previous year. In this way,
both sides get to learn from the best work of the other side. However,
according to Tal, there is no incentive for the academics to re-present
previous works and in fact they may not be allowed to do so.

Another good idea ruined by academia ;)

Charlie

On Aug 3, 2008, at 1:51 PM, Adam Shostack wrote:

> (Added Tal Garfinkel, who organizes WOOT.)
>
> On Sun, Aug 03, 2008 at 11:57:00AM +0100, nnp wrote:
> | On Sun, Aug 3, 2008 at 3:30 AM, root wrote:
> | > Dave Aitel wrote:
> | >> These are not the papers you're looking for.
> | >> http://www.usenix.org/event/woot08/tech/full_papers/
> | >>
> | >> Seriously, there's nothing there to scare a network offense
> | >> professional. I don't think it's w00t's fault, either. I think the
> | >> research communities are diverging into public and private, as this
> | >> research gets more expensive to do.
> | >>
> | >> USENIX may not be the place for academic treatment of offensive security
> | >> research. A friend of mine wonders if there's any future for academic
> | >> treatment of the subject at all. He wonders wistfully of course, since
> | >> he likes academia.
> | >>
> | >> Anyways, either be scary or be silly. There's no middle ground here.
> | >> It's a fundamental truth in this field: You're either in, or you're out.
> | >>
> | >> -dave
> | >>
> | >
> | > Commercial security conferences don't have great academic value because
> | > they are not peer reviewed (well, not reviewed by academic people) and
> | > there are other much more important academic journals like IEEE, etc. that in
> | > theory don't accept money in exchange for the publication of an article.
> |
> | I'd like to get everyone else's opinion/experiences with articles from
> | so called 'peer reviewed' journals like IEEE and the rest. I've spent
> | the past 8 weeks or so working on a project as a research monkey at my
> | uni and spent the first few weeks poring over journals etc. When it
> | actually came time for implementation though I discovered a huge array
> | of problems that had not been mentioned in the articles (and were
> | presumably ignored as acceptable sources of error). When I contacted
> | the authors requesting to see their software so I could determine if
> | they had solutions to the problems I was either ignored or blown off
> | with excuses like "we currently don't have the resources to make that
> | available". In my opinion this brings all of their results into
> | question when outsiders don't know exactly what sources of error they
> | deemed acceptable. If some academics aren't bothering to release their
> | software and their results are questionable then what purpose do they
> | serve other than to fill pages in journals?
> |
> | So my question basically boils down to, how much reviewing actually
> | goes on?
> | i.e. Do they run the software? Do they examine code or
> | formulae? Or is it just a case of 'well it looks right'?
>
> Let me answer the question, and then get a little philosophical. I'll
> mention that I've been on the program committee for both WOOT
> workshops, because I think what Tal is trying to do is both worthwhile
> and very hard.
>
> Reviews vary enormously by reviewer. In an ideal world, a paper
> contains enough information to reproduce results. A reviewer may
> choose to try to do that, or read what's there and critique it.
> Either way, I think the papers are (on average) higher quality than
> most presentations at hacker cons. First, they're actual papers in
> essay form, rather than slide decks. Second, the goal of the review
> process is to improve the paper. Does it achieve that? Not always.
> Reviews for a workshop like WOOT are faster than reviews for a large
> conference like USENIX or Oakland. This is, if you know the code,
> reflected in the name of the venue. Workshop papers are *expected* to
> be lower quality than conference papers. "That's what workshops are
> for."
>
> Papers in journals like Phrack and Uninformed are sometimes equal in
> terms of quality, but have very different norms and expectations,
> which can make reading them challenging for people outside the
> community of practice. Of course, the same thing applies to people
> reading academic papers. The word "practical" is my favorite pet
> peeve.
>
> I think it would be great to create a norm of releasing software and
> datasets as part of publication. I also think it would be great to
> have norms of reading the work outside our own narrowly defined
> schools of thought. It's too easy to get a talk at a hacker con that
> says exactly what an academic paper says, and vice versa. I think
> WOOT has the potential to help with that.
>
> There's a huge potential for cross-fertilization, but
> cross-fertilization requires people spend time first in a limbo.
> Hackers are sort of used to getting paid, academics need publications
> that will lead to tenure and grants, and more prestigious conferences
> count for more than a workshop. So everyone's motivation is against a
> long-term payoff with low probability.
>
> When I did the Silver Bullet podcast with Gary McGraw, we talked about
> how in the 90s, he and Ed Felten and some other folks pushed for
> actual software flaws to be acceptable as topics for academic security
> papers. Before that, there was even more math, and less applied.
> (Andrew and I talk about this orientation issue in the New School as
> well).
>
> Changing both communities is going to take years of work and
> dedication. Ideally, what comes out is stronger for both. Ideally,
> we'll see powerful math and theory applied and getting beyond "just
> validate input." We'll see applied research which is more than "oooh,
> look, a buffer overflow." (Admittedly, both of these are rude
> stereotypes.)
>
> If you want to see academics publishing their research, start blogging
> with titles like "Academic paper foo is not reproducible." Submit
> short papers to the venues a paper was published in saying "I did X, Y
> and Z, and it didn't work like they said. I contacted them, and they
> declined to share their data or software. So their paper needs to be
> fixed, and it's not clear how to do that." It's hard for a program
> committee to reject such a paper if it's done to a reasonable
> standard.
>
> This has gotten really long, sorry. To wrap up, I think that bringing
> together communities is both expensive and often very worthwhile.
> Please understand that what we're trying to do with WOOT will produce
> those blank stares for a while, and then, perhaps people will say "I'm
> confused. Why are you doing it that way?" Finally, I hope, it will
> start producing collaborations that do really cool stuff to hard
> problems.
>
> Adam
>
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave

From dan at geer.org Sun Aug 3 22:34:16 2008
From: dan at geer.org (dan at geer.org)
Date: Sun, 03 Aug 2008 22:34:16 -0400
Subject: [Dailydave] w00t 08
In-Reply-To: Your message of "Sun, 03 Aug 2008 09:02:25 PDT."
Message-ID: <20080804023417.0D7EB33C7E@absinthe.tinho.net>

worth singing...

http://members.aol.com/quentncree/lehrer/lobachev.htm

--dan

From lists at isecom.org Mon Aug 4 10:58:02 2008
From: lists at isecom.org (Pete Herzog)
Date: Mon, 04 Aug 2008 16:58:02 +0200
Subject: [Dailydave] some ISECOM releases
In-Reply-To: <5B91AD4B-C2AD-4BD2-87AD-5FED4FAB40C0@securityevaluators.com>
References: <48932B05.2050404@immunityinc.com> <4895185C.6090403@fibertel.com.ar> <28749c0e0808030357s51e42483j411b49fa759e3c1@mail.gmail.com> <20080803185110.GB12805@homeport.org> <5B91AD4B-C2AD-4BD2-87AD-5FED4FAB40C0@securityevaluators.com>
Message-ID: <489718FA.9040808@isecom.org>

Hi,

2 recent releases: OSSTMM 3.0 LITE and the Home Security Vacation Guide,
both available at ISECOM.

We have created OSSTMM 3.0 LITE for the DefCon attendees. It is a
smaller, simpler version of the OSSTMM 3.0 but does include the Data
Networking tests as well as instructions on how to use it. You can get
it at: http://www.osstmm.org

We also released a Vacation Guide, a checklist for locking your home
down while going away for vacation. It is based on the OSSTMM and uses
the same security research to make a pretty thorough checklist of
things to "test" and make sure you're ready to go. You can get it
here: http://isecom.org/hsm

Enjoy!

Sincerely,
-pete.
--
Pete Herzog - Managing Director - pete at isecom.org
ISECOM - Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.isestorm.org

From dave at immunityinc.com Thu Aug 7 18:56:05 2008
From: dave at immunityinc.com (Dave Aitel)
Date: Thu, 07 Aug 2008 18:56:05 -0400
Subject: [Dailydave] Either get in....
Message-ID: <489B7D85.6040200@immunityinc.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

It's thunderstorming here in Vegas. Already several people have been
arrested at the Riviera trying to break into the computer room. Very
exciting stuff!

But tomorrow the public opening of the NOP certification starts, so I
wanted to make sure everyone knew how to use VisualSploit, if that's
their tool of choice (which I recommend, of course :>). You'll be able
to bring your own tools but VisualSploit is just so durn pretty!

http://www.immunityinc.com/niprint-defcon16.html

- -dave
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFIm32DtehAhL0gheoRAgRjAJ9lKCQjosLwP2ikxKqzDLIZhSM6JwCfeUaf
sVTYXdZ/2VuSDijI8niFPb8=
=CXOO
-----END PGP SIGNATURE-----

From rhyskidd at gmail.com Sun Aug 10 22:50:55 2008
From: rhyskidd at gmail.com (Rhys Kidd)
Date: Mon, 11 Aug 2008 10:50:55 +0800
Subject: [Dailydave] A new datapoint for 0day lifetime
Message-ID: <68dd869f0808101950n21e5b15ao9b0133d054a3599e@mail.gmail.com>

Justine Aitel made the following statements during a July 2007
presentation:

"Real-world 0day Statistics
Average 0day lifetime: 348 days
Shortest life: 99 days
Longest life: 1080 (3 years)"
- http://immunityinc.com/downloads/0day_IPO.pdf

I'd like to include a new datapoint for those averages. uTorrent and
BitTorrent Mainline have included an unpatched Unicode stack overflow
in their code-base for at least 2 years. It was finally patched on the
5th August 2008 with 1.8 Release Candidate 7.

Full details and discussion in the attached paper.
Rhys
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.immunitysec.com/pipermail/dailydave/attachments/20080811/35d6194b/attachment-0001.htm
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Stack Overflow in uTorrent - Kidd.pdf
Type: application/pdf
Size: 444685 bytes
Desc: not available
Url : http://lists.immunitysec.com/pipermail/dailydave/attachments/20080811/35d6194b/attachment-0001.pdf

From no-reply at ekoparty.com.ar Tue Aug 12 04:33:24 2008
From: no-reply at ekoparty.com.ar (ekoparty)
Date: Tue, 12 Aug 2008 05:33:24 -0300
Subject: [Dailydave] ekoparty 2008 - [First Round of Selection] - [Argentina]
Message-ID: <200808120533.24430.no-reply@ekoparty.com.ar>

ekoparty 4th edition - www.ekoparty.com.ar
Information Security | Insecurity Conference.
October 2 and 3, 2008
Ciudad Autonoma de Buenos Aires - Argentina

[*] What is the ekoparty?

It's a one of a kind event in South America; an annual security
conference held in Buenos Aires where security specialists from all
over Latin America (and beyond) have the chance to get involved with
state-of-the-art techniques, vulnerabilities and tools in a relaxed
environment the like of which has not been seen before.

This event was born from the IT underground, where Consultants,
Security Officers, Researchers, Programmers, Technicians, Sys-admins,
Geeks, Ninjas, Pirates and technology enthusiasts get together and
enjoy two days of the most important security research of the year -
as well as enjoying some of the best weather on the continent.

We are really happy to make the following announcements!

* Registration is now open
* Agenda online
* Slogan poll
* First round of speakers selection

[*] Registration is now OPEN

We are glad to announce that the registration to the event is now open!
You can sign up for the 4th edition of ekoparty at
http://www.ekoparty.com.ar/en/registracion.html

Remember that early registered attendees have a big discount on the
price.

If you are coming from outside Buenos Aires we can assist you in all we
can to make your travel easier (i.e. find a hotel). Don't hesitate in
contacting us at organizacion [ AT ] ekoparty.com.ar

We hope to see you at this year's edition :)

[*] Agenda online

The program is now available at
http://www.ekoparty.com.ar/en/programa.html

It is not the definitive program, we still have to confirm some
speakers and events, so it will be updated as it happens. Stay Tuned!

[*] Slogan poll

Also we took out the less voted slogans, making it easier to decide.
There is going to be one last stage where only the top three will be
left. It is going to happen soon because we need the t-shirts ASAP so
if you are going to vote, do it now!

[*] First Round of Selection

These are the first selections for the 2008 edition:

Hacking Has An Economy of Scale //Dave Aitel
Debian's OpenSSL random number generator Bug //Luciano Bello - Maximiliano Bertacchini
SAP Security - PenTest It, Secure It! //Mariano Nuñez Di Croce
Smartphones (in)security //Nicolas Economou - Alfredo Ortega
Code Injection On Virtual Machines //Nicolas Economou
In-depth Anti-Forensics //Domingo Montanaro
Atacando RSA mediante un nuevo método de factorización de enteros (Attacking RSA with a new integer factorization method) //Hugo Scolnik
Adobe javascript al descubierto (Adobe JavaScript exposed) //Pablo Solé
To keep in touch:
http://groups.google.com/group/ekoparty
http://www.twitter.com/ekoparty

Best regards,
ekoparty security conference staff

From internetsuperheros at hushmail.com Fri Aug 8 10:38:52 2008
From: internetsuperheros at hushmail.com (Great Council of Internet Superheros)
Date: Fri, 08 Aug 2008 16:38:52 +0200
Subject: [Dailydave] Squadron of Justice to the rescue
Message-ID: <20080808143855.B1EB015803E@mailserver6.hushmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Antifreedom fighters have shut down one of the mirrors. Here be the
sauce. We are requesting mirrors and fellow righteous superheros to
promptly archive the files (including Petko D. Petkov, pdp's mailbox
RAR volumes), exercising your rights of freedom of speech and
awesomeness. We also request str0ke, that little guy with mustache at
milw0rm.com, to archive this piece of Internet and security industry
history.

It's about time to start the greatest showdown of jews.

Thanks to Pink the Whiz Kid, Bulletman, Crimson Avenger and the rest of
the crew at SoJ.
Excerpt of Tom Ferris' Internet Justice magazine article:

# find /var/www -name '*config*.php'
/var/www/worldofwarcraft2.com/config.inc.php
/var/www/whosonbebo.com/config.inc.php
/var/www/zunewallpapers.net/wp-config.php
/var/www/zunewallpapers.net/wp-admin/setup-config.php
/var/www/zunewallpapers.net/wp-config-sample.php
/var/www/a727.com/sqlz/config.sample.inc.php
/var/www/a727.com/sqlz/show_config_errors.php
/var/www/a727.com/sqlz/config.inc.php
/var/www/a727.com/sqlz/libraries/db_config.lib.php
/var/www/a727.com/sqlz/libraries/auth/config.auth.lib.php
/var/www/a727.com/sqlz/libraries/config.default.php
/var/www/faceboxskins.com/config.inc.php
/var/www/vintagerazors.com/config.php
/var/www/wiiwallpapers.com/config.inc.php
/var/www/sacbars.com/config.inc.php
/var/www/t629.com/config.inc.php
/var/www/sexypspdownloads.com/config.php
/var/www/themeiphone.com/config.php
/var/www/themeiphone.com/plugins/sef_urls/configuration.php
/var/www/themeiphone.com/plugins/sample/configuration.php
/var/www/themeiphone.com/include/config.inc.php
/var/www/pearl8800.com/config.inc.php
/var/www/pspbackrounds.com/config.inc.php
/var/www/usedvespas.net/config.php
/var/www/ceocigars.com/config.inc.php
/var/www/bebounblocked.com/config.php
/var/www/evilryu.com/config.inc.php
/var/www/blogtop100.com/config.inc.php
/var/www/twitterskins.com/config.inc.php
/var/www/pspsites.com/config.inc.php
/var/www/security-protocols.com/store/config.php
/var/www/security-protocols.com/amazon/script/config.php
/var/www/security-protocols.com/wp-includes/js/tinymce/plugins/spellc....
/var/www/security-protocols.com/wp-includes/js/tinymce/tiny_mce_config.php
/var/www/security-protocols.com/wp-config.php
/var/www/security-protocols.com/wp-admin/setup-config.php
/var/www/security-protocols.com/wp-config-sample.php
/var/www/security-protocols.com/backup/wp-config.php
/var/www/security-protocols.com/backup/wp-content/plugins/wp-cache/wp-cac....
/var/www/security-protocols.com/backup/wp-content/wp-cache-config.php
/var/www/security-protocols.com/wp-content/plugins/wp-cache/wp-cache-c....
/var/www/security-protocols.com/wp-content/wp-cache-config.php
/var/www/i580.net/config.inc.php
/var/www/v9500.com/config.inc.php
/var/www/8710c.com/config.inc.php
/var/www/yourpsp.us/config.inc.php
/var/www/accessoryps3.com/config.php

// ** MySQL settings ** //
define('DB_NAME', 'zunewallpapers');
define('DB_USER', 'zunewallpapers');
define('DB_PASSWORD', 'PuU4DGrYwJRHuFPS');
define('DB_HOST', 'localhost');

# ls -l /
total 202
drwxr-xr-x   3 root root  4096 Nov 14 12:47 backups
drwxr-xr-x   2 root root  4096 Jan  2 04:03 bin
drwxr-xr-x   4 root root  1024 Feb 25 14:04 boot
-rw-r--r--   1 root root   370 Jul 27  2004 client-config-overrides.txt
-rw-r--r--   1 root root  7746 Dec  8  2004 client_config_update.py
drwxr-xr-x  10 root root  5360 Feb 25 14:07 dev
drwxr-xr-x  77 root root 12288 Feb 25 14:07 etc
drwxr-xr-x   3 root root  4096 Nov 10 12:34 home
drwxr-xr-x   2 root root  4096 Aug 12  2004 initrd
drwxr-xr-x  11 root root  4096 Feb 25 14:03 lib
drwx------   2 root root 16384 Nov 10 12:06 lost+found
drwxr-xr-x   4 root root  4096 Feb 25 14:07 media
drwxr-xr-x   2 root root  4096 Jul 11  2006 misc
drwxr-xr-x   2 root root  4096 Aug 12  2004 mnt
drwxr-xr-x   2 root root  4096 Aug 12  2004 opt
dr-xr-xr-x 129 root root     0 Feb 25 08:06 proc
-rw-r--r--   1 root root  1369 Jun 28  2004 public_key.txt
drwxr-x---   9 root root  4096 Feb 25 19:48 root
drwxr-xr-x   2 root root 12288 Feb 25 14:04 sbin
drwxr-xr-x   2 root root  4096 Nov 10 12:06 selinux
drwxr-xr-x   2 root root  4096 Aug 12  2004 srv
drwxr-xr-x   9 root root     0 Feb 25 08:06 sys
drwxr-xr-x   3 root root  4096 Nov 10 12:12 tftpboot
drwxrwxrwt   4 root root  4096 Feb 25 21:09 tmp
drwxr-xr-x  17 root root  4096 Nov 10 12:19 usr
drwxr-xr-x  22 root root  4096 Nov 10 12:12 var

# ls -l /backups
total 974172
-rw-r--r--  1 tommy tommy 996567040 Nov 13 18:11 secpro.tar
drwxr-xr-x 31 root  root       4096 Nov 13 18:06 security-protocols.com
begin 644 tomferris-secprotocols.sql.bz2
[uuencoded bzip2 body not reproduced: the archive's address obfuscation has corrupted the encoded data beyond recovery]
end

INSERT INTO `wp_users` (`ID`, `user_login`, `user_pass`, `user_nicename`, `user_email`, `user_url`, `user_registered`, `user_activation_key`, `user_status`, `display_name`) VALUES ('1', 'admin', 'a0d24c32db51dd4ee5604a80a8d7fd74', 'admin', 'tommy at security-protocols.com', 'http://security-protocols.com', '2006-11-13 20:05:06', '', '0', 'Tom Ferris');

begin 644 tomferris-httpd.conf.bz2
[uuencoded bzip2 body not reproduced: corrupted by the archive's address obfuscation and truncated before its end line]
M0K,IS;%<]:MG*9*W3,JFB+O%7(?7*6G6;P]@DY2*F790P>!E"!B\R\>.- M6$*)`)`JAK`6UL71R"5!EQU.DN)H,WI6O5P]64,UUF M6J-"UK#?,5 at K8BBX51TH/C.#%[JY`J!Y]K.`KU>XZUQ30;/^1B="`)!/,6:'MF?5:175B$/K"! MJ:JXINV&[BN[%L1K9+FB83(41D)]F7^L3)!S4/B64ID4C>%B&116*W66$#,- M[RV7'QDQY>+R7`*]IN71:.VP&4RR at WTB-QU[]*!9B1HT83<@(6`9\-^%$RG3 M'?6$'%UR.-4)8`?J/0,@:VO at UZK'/&-Y>BH$'<21R$;:4I852YD]_.$@")I4 M\'=J+3:;4"BB9-UYN.C'`Q`I8:WW*,KJK9=PVP;0RY\+5'<7>AATDYSJ'4,= M^NH=4%E<9E3>-MM(,>(-LJEW#2&AFO((./`]/3Q),NL/<+:,KQ,AQ8L"T,$^ M6,OFU>(D;P,D52D%!'-952MTWD8:ILALC:5>.<=IPO+6VV!N\!)\SG;OTTPJ MK8,`%^0I%`T&!:0;!"V9.;0,ZA@%UJ((9SWH5B*K"U,OXQ(F$]"2UB#<,@`Y MH^#7N8Q(_4L5330L]U:,)NK/SG;K1UU+OTVFO%R(1L<'*[+'KO at 2#&^G5C&F&. M"P-"F-&!'0V7C*M#3;.?:HSCL0AC7U].M-`.T5#RD!MGMR[K*UTX!)!FK"UA MBZ4Z<)4!1)^(!)UIUIX0->#PV"AXQQWA3BR'A&.S1!0J+:-4AI"AV3#$%)RA MS%?#)2`ET:@*NZ$N<&+21+2B(%1]$,.=,I(H:&\,.U&ERBW6G`.(:4/1V66] MP/5AA3>OR-VRK&\FKME69W@]"6$3#;LJE1P=`,9O*L4(]D#Y6,F!*6X,4>)[ M06FR,'WFC4.B11H@&QCXH5RPJ52U_*T`6%0&THP!9I"XP&<3,"AA'' MK*2*)I&J3"M!"PA8IWJ!C?0;(JGO0+QVE."QT3X-WI;2VD)\>$ZSQ#K:8/ES MAL+H&L at SF\X5!WN5$#+&#+:L*TMD+()%`601[)IBG,*%TB,#\!^>(D<",8%MBP4K*)+0*/BF,0Q M?E(N95CDT?/(9P!-->XFAPIF>WK9=K^%^3B-2\@@'4>T(F:@[?6OFZ.M M)F!2AVQ5(;TJY at 4X_$!4H%MZX`!^9CJ9=\8X0#+ at 51V(U!&(VD-$YN^]=@&49I;OT&1(5+]ESV:+9ACB at .(:^ M",Y\TP^8SG('Y,X_S5E8CAKD)+9!+3:;C76L2MX>+%1"/,+U4I MFQB+DFO>=876^:#<;KM8+L@@R$BDBI`@PA)(E<%GA#@&/CY5 at 8*EW MK!7C*GU,DE0$9`04!@"2(7WG3R[A^K\>"#`)/T=>\\7X^FF!0S%?Q,**JQB` MQ6(B+$48*H*^FU$Z$]WO]*/&6Z.28D.N/@^]"H&"/*ZR!^(0>,BM6QO-[5D] M&5G;E2*8YTH>O1[C0S89)#WLG@=RCQG"39CI`[_FXR7WTATNPU,./)@3C74/LZ0&]:JPCQ+/2<[W3(>&# M<]+-&9-X+`K"MT+APCYTL1FNF#VYJPA%[<_=^'K)"XCLR@>S71 MIL&1&K)J_"M:RZQOM;T4+4]-.""!.#+K0F$$\"%F<6+B\L%0>%`T^"(`H:5W MG$7/J-GC0P.8R`S#R<*'F[+%.#JG+8)0WLE"%Z2!TLG3B<>)3P[&,''GH0.C:8M0',FA6, at P.**;J?TDCM"P9N<>VRFIS[Y06,6*:V+6 M21+18O>K8AB#))H at 4"`36XB,$8L7+=&TJ!"9;-)@A,QTJ8A3)59=`.!)8N-M M,8RY=J$E$T+?W4J.%TN.*C"A at R8!QJ.,.$/'+D:O#%T9MM=DBD7 at RG%H,ALV 
M#0D9`I$'434S_&@P28,JAIUSTZ^5SF5I0NS5A3)5Q^/[<9R6>7`#8^?/(.\F MQJ=]18)3LPB*I>D-#^A,.VP39PA%K)KI0PPHBL"25KD:!%H#!MIDM M)*QJ,DJ$@;P'O>*!B0(Y#6G?RMTE@\*2N;-:!AB#`NS8O*H MA1P0Y)!2?O"'L#CRA#JD[WC+C$@7CFC:6VVPP0%DBX0,XTI,0P"8P10D#`F4 M6096BA,6R0F(9A+,QQB!;.K0TN1'"$T*3#!23*;P#Z:'BR9`:&,&=YZ^P"$J M:[O71("J^#4._GAAA55'\)?26P7U0<8;?]C"/`>%,J^T'">/2Z@&(O3^1:/F)(\Q0/EB*]LYR%H=Q#H(R"LW"R4Z-&0Z]K`/6?>:GO/,Y^9Q.J at R'A75T^J<> M8.CT&)HP<%*2P01@!N:"!*`. at .\B^[+;,CU15HI2.TP*A=HZM5%D/7PA4H at 6 M$&%U*18+!04ED-"9/.`F at X?HV.^:NNL`L(@4C*(9+`T"<6Q^219#&;!1A1&@ M,3:2X;LE=.?GN+UTH.F*41""L/L\X#T,"\&?K.`( MYL`;$JA<+^9J2&(GZI`F[7\B5PV`@2)P!P8E%A[B`Z],4HCX949!A8WD3/H" M[L6:A/OB?IDB2`2)&`D8E9KSQQ6S?OH'HU!VU8)BLM8$J7QE'K]!M0DU4-X# MB#W-7J0JF>L$A5C,PWCHC"(+D7V54\26 at X*&(1`Z/?V>()>R?DR(6U2LG:R6 MQC9MU):M2T3G8%B--_U/9E:MK?<*00!L`,S`VZ`:B2\,M##+$LW]<(W-T M#]@QUSAYP`7&H%F#C!P\B:F[)58%@H.=T$QW[)EV!QBWK=;;"]L#G.8I%#P3\$M4(6:FWYF M^LWVW"3W]`^E@&N^VFNPHQZ)3BU%BE2R(Y$J8 M2+4%1S*%P-R-M"LX7)@HIETX7*Q1$4%2`B)C2X(8I6Z4,+D:.'"8&("C%%%" MVU*P%%AIK9 at 2&4":NJ at TS52!BTR8[)))G30L)",@`B1A`/T%"')L51[OIWAE M4,%9<9EML""B"!H_.`KD at S0*KYD+D,,:(.:6V8CAGG8'SMV>N at Z;#),>]YGY+*PR4^ M3/![@TW&$-\R=/!$T-/ASH8L-095?!/NB`8I"`\3RDT.Q-B->!<[."LM0"\L M4[HP7,6."2+/WE;"K"#\=TZY<8TX8V8*LB\>;@,$[9^5SG*+("0SB]TM@,:V MG=!3('OH.61IN-Z at NXH3#/P]XDDD#W at BKI/+T/C`9,8&#&3PZH=EH0GX0("2 ML#DA4!1M56VK:6VI"L*98`6&&'@,N(P+09.,:@5\GT6NUW36%0VZ8<,I,@,X6I`R"S=SEFZT=N7*:!! 
M2V@&V-R=3P[`(.(T>!WMDR'8F.9,"%(+>6["")!-F%GK>YQAW"[O#UQCDC_/(K/4",]^5 M<9*)>JBT"4:P$&CAXL^&,-_0XY!E at Z,EUN$T-#(::SW="F+#:3:=$E%S0*((#3&6&_'4*2T($!:`BM&ZN MRS,(I<&RA5@\3B:0WS#$S"$Z:E5C)FFMM,8Q7#C"F4E2$CD,%8 M5DQG]MX8TD;=TXSK"@XXLAU)J7+M+M=^N$,.*=#&^)>E+UI-TDC$QE(`P0"Q MAXV?DT98]MZ`$:0L7?]_W$ZZ,^G"KS<<<*L#<@[:S$F#@7C1#&FH,LV00M%N MJR,K+/H>\#CA[6<=`37#!#,3X6+"+6TIK1:T2M:"28>I#86F60U(\D%H=9CH MZ"[/IMR at 82)Q28H".)B5X+ MAYV4B:NK2$M<&0RYTM\HAP`P&!T5L;>BB4]AF&5K"5C at ME!498R#CS[(WK'/ M>WKNH)(AAHT,6Z2Q4D-!`MX07-:1NS5Q[UK8*!BH$IKQTQ09N^\[?+'C9?0& MENB-1 at V0V-L6PMD'!ALS1]IFE%!+DJKANI3<<)AV89UO9-&<8 at K$>6H1(CFR M`2KT$.1 at 9&!R+F.%JRR\`S'CB%LF%LJ0C7(8892;N%`8UQWHQ=48H;8CBVP[ M*4Q``Z8J(89455?G$, at F41CUSDS&54K[X`L320%6(R95#%O%!PUVDM+PU,F] MTD.KI[)B,,2><&':,:6-LBL10%..,8!,-"8<%N&UI;)+BF()@H5Y&E(0X.VV M5?;))+#B2^`&@218F$%4[W:,P8EAVDZ[01$-F$U2#&M15JJ=::CC5UQ?7*G/302$BT>W#GNP-[?K^8P"/L'[ M^ZW3^GX^C[FO;F:X81(487E(JVVD&@`%FH/5Y6RH8X8%6)Z%`C2\&G*Q(B54YX">$ M+\6(&-(B`!*$!;:@U5`I.P:AVP!PP_7N7,@'X(#[XW<841`)14%9 M;.ADQ%V(-Z"PNHT0;%OILH3.9U3'66%E!@#((;E!;+B*PB0BC$5M[M94MMC" MP$=R0A"`1`_YBJHHP^20U3AI`L)0Y60U!DQ`&'/CU%V0=C)PKYM4;1]'5I,J M7HU<=:VF%@6N-Y+18).`ED>J]RL["T-[H9DK=JF&DY at XL6$M,9-,*AD-$,8* M191TM8SF\!>%XEE\0Q]R*405L\:-C8C-GL%, at P*JNFM\/2CT:^WY]@(#[^TC MPB#;\PS8FQ at F:!(;PXP:@4#7J?,,7=PS1D*P=Z/@]3UL=S3PQEDA8,PO7?$@ 6.9CZ`T9Z-Q^KJS_^+N2*<*$@0GG/V``` ` end Tom Ferris, you've been accused and framed for crimes against Humankind, Common sense, Spell checkers, Mensa IQ tests, the Queen and the Internet. Your continuous leakage and disruption of Apple 0day, albeit clueless, has damaged the hacking community as a whole, and caused monetary loses to several unidentified individuals, who are willing to invest on tracking you down, and possibly getting you, Tom Ferris, into a cockroach infested grave. 
You've been declared guilty by the Chamber of Internet Justice, and we hereby wage war on the digital realms against your starved chihuahua pets, your mailbox and your absolutely lame blog. Hopefully your employer, Adobe, will understand that firing and dumping you is the best option. Otherwise the Squadron of Justice will be forced to take action. No further warnings will be issued by this Council. Love, the Great Council of Internet Superheros. "To protect exposure and serve ruin. For great justice." -----BEGIN PGP SIGNATURE----- Charset: UTF8 Note: This signature can be verified at https://www.hushtools.com/verify Version: Hush 3.0 wpwEAQMCAAYFAkicWn8ACgkQ5g5u/REitpZrmwP8CuwjepF9qaCTG7C2nPyb9UB61Dwu xzCN88fNs9tqjBbO+rlKV4wDQeq++TsFoWDBg4sXD6gLO2MCBYBsh7gRsrRxRizRZj2S V/zu5NASodT2xLwVPbBhDB+g1yI2HMp/qKr9b0t1PAWg6f0dQs61xtW3FdHx7/FQ6Urj hQwGoI0= =F1Ly -----END PGP SIGNATURE----- From internetsuperheros at hushmail.com Tue Aug 12 16:08:18 2008 From: internetsuperheros at hushmail.com (Squadron of Justice) Date: Tue, 12 Aug 2008 22:08:18 +0200 Subject: [Dailydave] Petko D. Petkov hacked? Message-ID: <20080812200819.A6459118059@mailserver5.hushmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Tue, 12 Aug 2008 16:31:41 +0200 Dan Goodin wrote: > Hey, thanks for the reply. How do I know you really cracked his email account? Can you forward me any of the emails I've sent PDP over the past 18 months? Also, assuming you really did obtain his email, how many messages were you able to get? Further requests of proof of our otherworldly abilities, awesomeness and superpowers will be taken as an offense to our creed and mission on Earth. Other, non super powered, less awesome and uglier individuals might compensate their lack of knowledge, manliness and beauty by means of deception. 
But superheroes aren't deceptive. Our strength is truth. Our weakness is none. Our weapons are digital and volatile. Our enemies are all financially, spiritually and socially bankrupt individuals of these digital realms. We do not siege, attack nor leave the innocent forsaken in despair. Our duty is to lay great justice with furious vengeance and rebukes upon wickedness and inequity. Regarding the number of messages the Squadron of Justice undercover operatives were able to obtain: all of them. No exceptions. Not a single byte was left unsupervised in Petko D. Petkov's wicked email. Their effectiveness and reliability are only paralleled by their unstable minds and a total lack of control of their superpowers, to the detriment of our cause and creed. We refuse to admit it, but the Squadron of Justice might be the last stronghold of great Justice in the universe, and the risk of worldwide mayhem and chaos is worth taking when equity, justice, righteousness, awesomeness and manliness are at stake. And their struggle against evil and wickedness in high places is, indeed, eternal. 
Here shall be proof of justice (accept our apologies for showing your private email address and phone number, also, superheroes would recommend you to stop using Pine for reading email, or great justice could ensue): Delivered-To: pdp.gnucitizen at gmail.com Received: by 10.67.118.17 with SMTP id v17cs428534ugm; Mon, 12 Feb 2007 11:59:07 -0800 (PST) Received: by 10.82.175.2 with SMTP id x2mr10689209bue.1171310346329; Mon, 12 Feb 2007 11:59:06 -0800 (PST) Return-Path: Received: from md1.psixpress.com (md1.psixpress.com [154.32.105.205]) by mx.google.com with ESMTP id o53si31209074nfa.2007.02.12.11.59.06; Mon, 12 Feb 2007 11:59:06 -0800 (PST) Received-SPF: neutral (google.com: 154.32.105.205 is neither permitted nor denied by best guess record for domain of dgoodin at theregister.com) Received: from [127.0.0.1] ([12.25.211.1]) by md1.psixpress.com (MOS 3.5.6-GR) with ESMTP id EPW28928 (AUTH dgoodin); Mon, 12 Feb 2007 19:58:56 GMT Message-ID: <45D0C6FF.3090906 at theregister.com> Date: Mon, 12 Feb 2007 11:58:55 -0800 From: Dan Goodin User-Agent: Thunderbird 1.5.0.9 (Windows/20061207) MIME-Version: 1.0 To: "pdp (architect)" Subject: Re: [Full-disclosure] Firefox focus stealing vulnerability (possibly other browsers) References: <6905b1570702111215ie807c52t4b60d74c9c090e0a at mail.gmail.com> <6905b1570702111304g5f8447ftf27affc6e82a5e39 at mail.gmail.com> <6905b1570702111310k4e80aa21v8ca8d635d1668d06 at mail.gmail.com> <6905b1570702111319x5eaca5cakc8b0a88a67ab254b at mail.gmail.com> <6905b1570702111347v283dfbcbse8cb162c9f9bedfd at mail.gmail.com> <45D0B386.60003 at theregister.com> <6905b1570702121054j5d8c6172o777e9abdfe0cc764 at mail.gmail.com> <6905b1570702121100t66a397edw885ca79a41881e6a at mail.gmail.com> In-Reply-To: <6905b1570702121100t66a397edw885ca79a41881e6a at mail.gmail.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit I just installed Gtalk and have invited you to be on my contact list. 
My gmail address is blindedbyspam at gmail.com. Hope to hear from you. pdp (architect) wrote: > btw, let me know if that suits you > > On 2/12/07, pdp (architect) wrote: >> Hi Dan, >> >> I am always available on gtalk... >> >> On 2/12/07, Dan Goodin wrote: >> > >> > Hi, >> > >> > Dan Goodin, a reporter with The Register, here, wondering if you >> have time >> > to explain this Firefox flaw in a little more detail. Are you >> available by >> > either phone or IM? >> > >> > Kind regards, >> > >> > Dan Goodin >> > AIM: dangoodin001 >> > 415-874-3406 >> > >> > >> > pdp (architect) wrote: >> > Well, :) I cannot see how you can force someone to type / at least >> > twice. Even if the targeted user writes a blog entry it is very >> > unlikely that he/she will use / . I guess this vector works well on >> > wikis and other systems that allow you to specify the text format >> > through meta-characters. >> > >> > The cool thing about stealing the address bar focus is that a confused >> > user will try to repeat typing the url again and that may give you >> > enough slashes and other characters to steal /etc/shadow or >> > /etc/passwd for example, which means that this attack vector can work >> > virtually everywhere. For example: >> > >> > Joe visits evil.com. He is not interested in the site but evil.com is >> > interested in his files. Joe types http://[what ever]. evil.com >> > hijacks the address bar focus. This is how they get the first /. Joe >> > will probably repeat to type stuff in the address bar again. The rest >> > of the characters are not obtained. >> > >> > Now of course Joe will realise that he is not typing in the address >> > bar but he will probably think that either the browser is screwed up >> > or that he forgot to select the address bar first (it happens all the >> > time). >> > >> > So, this is why I think that combination of both issues can create one >> > hell of a good attack. >> > >> > Here is another idea. 
>> > >> > Joe visits Betty's MySpace private page. The page contains XSS. On the >> > page there is an input box and a captcha. The user is asked to enter >> > the text in the captcha in order to access the page. The captcha is: >> > >> > pde/t/aswsc >> > >> > Joe enters the text but then he receives a complaint that his input is >> > incorrect. The attacker repeats the process until all required >> > characters are entered into the FILE INPUT box. >> > >> > simple. >> > >> > On 2/11/07, Michal Zalewski wrote: >> > >> > >> > On Sun, 11 Feb 2007, pdp (architect) wrote: >> > >> > >> > >> > here is an idea... we can combine both techniques into a single >> > attack... the hardest part of your hack is to force the user to type >> > :// plus several other / >> > >> > Actually, MSIE doesn't require drive specification in the >> filename, and >> > will probably accept relative paths as well (so you might not need \ >> > either when picking files from the desktop or 'my documents' or >> whatnot). >> > >> > Firefox won't settle for a path without drive specification (but it >> will >> > accept SMB requests ;-). On *nix systems, of course, aiming >> /etc/passwd is >> > easier than C:\whatever. >> > >> > The problem with intercepting address bar input is that you can't >> echo the >> > entered text back there without unloading the current document and its >> > scripts; in my examples, I tried to make sure that it's hard for >> the user >> > to notice that his input is not going where it should (in MSIE >> example, >> > this includes simulation of a blinking cursor). >> > >> > /mz >> > >> > >> > >> > >> > >> >> >> -- >> pdp (architect) | petko d. 
petkov >> http://www.gnucitizen.org >> > > Delivered-To: pdp.gnucitizen at gmail.com Received: by 10.67.118.17 with SMTP id v17cs422053ugm; Mon, 12 Feb 2007 10:35:53 -0800 (PST) Received: by 10.49.13.14 with SMTP id q14mr4857477nfi.1171305353434; Mon, 12 Feb 2007 10:35:53 -0800 (PST) Return-Path: Received: from md1.psixpress.com (md1.psixpress.com [154.32.105.205]) by mx.google.com with ESMTP id p72si24685130nfc.2007.02.12.10.35.53; Mon, 12 Feb 2007 10:35:53 -0800 (PST) Received-SPF: neutral (google.com: 154.32.105.205 is neither permitted nor denied by best guess record for domain of dgoodin at theregister.com) Received: from [127.0.0.1] ([12.25.211.1]) by md1.psixpress.com (MOS 3.5.6-GR) with ESMTP id EPW20850 (AUTH dgoodin); Mon, 12 Feb 2007 18:35:51 GMT Message-ID: <45D0B386.60003 at theregister.com> Date: Mon, 12 Feb 2007 10:35:50 -0800 From: Dan Goodin User-Agent: Thunderbird 1.5.0.9 (Windows/20061207) MIME-Version: 1.0 To: "pdp (architect)" Subject: Re: [Full-disclosure] Firefox focus stealing vulnerability (possibly other browsers) References: <6905b1570702111215ie807c52t4b60d74c9c090e0a at mail.gmail.com> <6905b1570702111304g5f8447ftf27affc6e82a5e39 at mail.gmail.com> <6905b1570702111310k4e80aa21v8ca8d635d1668d06 at mail.gmail.com> <6905b1570702111319x5eaca5cakc8b0a88a67ab254b at mail.gmail.com> <6905b1570702111347v283dfbcbse8cb162c9f9bedfd at mail.gmail.com> In-Reply-To: <6905b1570702111347v283dfbcbse8cb162c9f9bedfd at mail.gmail.com> Content-Type: multipart/alternative; boundary="------------090302010100080406040701" This is a multi-part message in MIME format. - --------------090302010100080406040701 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Hi, Dan Goodin, a reporter with The Register, here, wondering if you have time to explain this Firefox flaw in a little more detail. Are you available by either phone or IM? 
Kind regards, Dan Goodin AIM: dangoodin001 415-874-3406 pdp (architect) wrote: > Well, :) I cannot see how you can force someone to type / at least > twice. Even if the targeted user writes a blog entry it is very > unlikely that he/she will use / . I guess this vector works well on > wikis and other systems that allow you to specify the text format > through meta-characters. > > The cool thing about stealing the address bar focus is that a confused > user will try to repeat typing the url again and that may give you > enough slashes and other characters to steal /etc/shadow or > /etc/passwd for example, which means that this attack vector can work > virtually everywhere. For example: > > Joe visits evil.com. He is not interested in the site but evil.com is > interested in his files. Joe types http://[what ever]. evil.com > hijacks the address bar focus. This is how they get the first /. Joe > will probably repeat to type stuff in the address bar again. The rest > of the characters are not obtained. > > Now of course Joe will realise that he is not typing in the address > bar but he will probably think that either the browser is screwed up > or that he forgot to select the address bar first (it happens all the > time). > > So, this is why I think that combination of both issues can create one > hell of a good attack. > > Here is another idea. > > Joe visits Betty's MySpace private page. The page contains XSS. On the > page there is an input box and a captcha. The user is asked to enter > the text in the captcha in order to access the page. The captcha is: > > pde/t/aswsc > > Joe enters the text but then he receives a complaint that his input is > incorrect. The attacker repeats the process until all required > characters are entered into the FILE INPUT box. > > simple. > > On 2/11/07, Michal Zalewski wrote: > >> On Sun, 11 Feb 2007, pdp (architect) wrote: >> >> >>> here is an idea... we can combine both techniques into a single >>> attack... 
the hardest part of your hack is to force the user to type >>> :// plus several other / >>> >> Actually, MSIE doesn't require drive specification in the filename, and >> will probably accept relative paths as well (so you might not need \ >> either when picking files from the desktop or 'my documents' or whatnot). >> >> Firefox won't settle for a path without drive specification (but it will >> accept SMB requests ;-). On *nix systems, of course, aiming /etc/passwd is >> easier than C:\whatever. >> >> The problem with intercepting address bar input is that you can't echo the >> entered text back there without unloading the current document and its >> scripts; in my examples, I tried to make sure that it's hard for the user >> to notice that his input is not going where it should (in MSIE example, >> this includes simulation of a blinking cursor). >> >> /mz >> >> > > > 
- --------------090302010100080406040701-- Love, the Great Council of Internet Superheros. "To protect exposure and serve ruin." "Justice prevails. No exceptions." -----BEGIN PGP SIGNATURE----- Charset: UTF8 Version: Hush 3.0 Note: This signature can be verified at https://www.hushtools.com/verify wpwEAQMCAAYFAkih7bMACgkQ5g5u/REitpafcAP+NlAl+cLaEsCgGVMH3VjI6np/MzSp JHos6n7/GOP4h/z/siurOKbuRBcwMu8UcjwXSTYUAtTJiushlxsjcdNDa5wcD7AO0juL OIhcpOg1prLwjiwGOKoQGmujY/5Nn8zarbTE4JpkfN71lzvmQSqvhrVzxcKxT6/bewzd KusJobw= =uS5C -----END PGP SIGNATURE----- From dave at immunityinc.com Wed Aug 13 16:47:01 2008 From: dave at immunityinc.com (Dave Aitel) Date: Wed, 13 Aug 2008 16:47:01 -0400 Subject: [Dailydave] DefCON NOP Redux Message-ID: <48A34845.2050606@immunityinc.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 So lots of people came to take the NOP test - almost everyone passed, which was surprising. The average time to complete the exercise out of the 26 people who took it was 32 minutes. This, of course, is a lot less than the 2 hours that Microsoft quoted for the CANVAS Early Release of MS08-025, which is what I hear they said catalyzed movement on some of their new programs. You can read about these programs here (blackhat slides are not up yet, to my knowledge): http://www.microsoft.com/presspass/events/blackhat/materials.mspx Regardless, there's clearly lots of interest in a hands-on-exploitation certification. I find it's especially good for people who for whatever reason cannot fill out their skills on their resume. One thing that was interesting this year at Defcon was CTF, which was a bit of a blowout, even though the game itself was reasonably fair and there were lots of good teams competing. At some point it would be cool if school of root (the winning team) posted how they did it. 
- -dave -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFIo0hFtehAhL0gheoRApnqAJ9Zw4MRSs1nNCGR9bZWWT0kWDPrSACfTw4u f/NeYKmlu4DvxDkynckHRD8= =tE4z -----END PGP SIGNATURE----- From anthony.lineberry at gmail.com Wed Aug 13 21:34:17 2008 From: anthony.lineberry at gmail.com (Anthony Lineberry) Date: Wed, 13 Aug 2008 18:34:17 -0700 Subject: [Dailydave] DefCON NOP Redux In-Reply-To: <48A34845.2050606@immunityinc.com> References: <48A34845.2050606@immunityinc.com> Message-ID: I have to say, 40 minutes was a good limit. I struggled for a bit at the beginning as I was unfamiliar with the tools. (I had never really even used olly that much before). But after I got the hang of them it was fun. I didn't think I was even going to pull it off when it got close to the time limit. I was definitely no Pusscat with fucking 16 minutes! what an asshole! But I think had I had a copy of IDA and windbg, I might have been able to speed up my time a bit. As for how school of root did it... I'd love to know some specifics. Past the fact that chris eagle has a factory of badasses. haha -- Anthony Lineberry On Wed, Aug 13, 2008 at 1:47 PM, Dave Aitel wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > So lots of people came to take the NOP test - almost everyone passed, > which was surprising. The average time to complete the exercise out of > the 26 people who took it was 32 minutes. This, of course, is a lot less > than the 2 hours that Microsoft quoted for the CANVAS Early Release of > MS08-025, which is what I hear they said catalyzed movement on some of > their new programs. You can read about these programs here (blackhat > slides are not up yet, to my knowledge): > http://www.microsoft.com/presspass/events/blackhat/materials.mspx > > Regardless, there's clearly lots of interest in a hands-on-exploitation > certification. 
I find it's especially good for people who for whatever > reason cannot fill out their skills on their resume. > > One thing that was interesting this year at Defcon was CTF, which was a > bit of a blowout, even though the game itself was reasonably fair and > there were lots of good teams competing. At some point it would be cool > if school of root (the winning team) posted how they did it. > > - -dave > > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.6 (GNU/Linux) > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org > > iD8DBQFIo0hFtehAhL0gheoRApnqAJ9Zw4MRSs1nNCGR9bZWWT0kWDPrSACfTw4u > f/NeYKmlu4DvxDkynckHRD8= > =tE4z > -----END PGP SIGNATURE----- > > _______________________________________________ > Dailydave mailing list > Dailydave at lists.immunitysec.com > http://lists.immunitysec.com/mailman/listinfo/dailydave > From drb at nopsr.us Thu Aug 14 00:39:20 2008 From: drb at nopsr.us (Doc Brown) Date: Wed, 13 Aug 2008 21:39:20 -0700 Subject: [Dailydave] DefCon CTF (was: DefCON NOP Redux) In-Reply-To: <48A34845.2050606@immunityinc.com> References: <48A34845.2050606@immunityinc.com> Message-ID: <20080814043920.GQ21348@outflux.net> On Wed, Aug 13, 2008 at 04:47:01PM -0400, Dave Aitel wrote: > One thing that was interesting this year at Defcon was CTF, which was a > bit of a blowout, even though the game itself was reasonably fair and > there were lots of good teams competing. At some point it would be cool > if school of root (the winning team) posted how they did it. Team 1 at stPlace enjoyed our 2 year winning streak, but we got sch00led hard. :) I couldn't be happier to lose[0] to them, though. As an outside observer of their team for many years, I think that SoR finally overcame the classic "too many people" problems and didn't step all over themselves like has happened for many teams over the years with more people than can sit at the CTF tables. 
Additionally, I think Kenshoto also raised the bar on the reversing, which gave a (well-deserved) advantage to the stronger reversers. I'm sure CollabREate[1] didn't hurt SoR either. As a quick list, I'd say this year the main difference seemed to be very well considered custom shellcode, excellent automation and tracking, strong network defense, and some additional tricks that we have some theories about. I'd love to hear more details too. :) -Doc [0] http://flickr.com/photos/avys/2756384186/in/set-72157606575832846/ [1] http://idabook.com/collabreate/ -- Doc Brown @nopsr.us From roman at rs-labs.com Thu Aug 14 04:19:31 2008 From: roman at rs-labs.com (Roman Medina-Heigl Hernandez) Date: Thu, 14 Aug 2008 10:19:31 +0200 Subject: [Dailydave] DefCON NOP Redux In-Reply-To: <48A34845.2050606@immunityinc.com> References: <48A34845.2050606@immunityinc.com> Message-ID: <48A3EA93.4060805@rs-labs.com> Dave Aitel wrote: > One thing that was interesting this year at Defcon was CTF, which was a > bit of a blowout, even though the game itself was reasonably fair and > there were lots of good teams competing. At some point it would be cool > if school of root (the winning team) posted how they did it. http://atlas.r4780y.com/cgi-bin/atlas/2008/08/12#080808-sk3wl3d Other reports are welcome! :) I'm also interested in knowing about some strange "network problems" that prevented some teams from fairly scoring (which yields two questions: is DoS permitted at CTF? If allowed, could it be considered as "ethical"?). Cheers, -Roman From bmenrigh at ucsd.edu Thu Aug 14 13:25:48 2008 From: bmenrigh at ucsd.edu (Brandon Enright) Date: Thu, 14 Aug 2008 17:25:48 +0000 Subject: [Dailydave] DefCON NOP Redux In-Reply-To: References: <48A34845.2050606@immunityinc.com> Message-ID: <20080814172548.27a3a4a8@moray> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Wed, 13 Aug 2008 18:34:17 -0700 or thereabouts "Anthony Lineberry" wrote: > As for how school of root did it... 
> I'd love to know some specifics.
> Past the fact that chris eagle has a factory of badasses. haha
>

Yeah there was pretty much a constant stream of badass flowing from
that table. I was worried that if it got any worse Kenshoto was going
to have to reprogram the score board to use a log() scale.

atlas suggests that they wrote a "service-r00tkit" that prevented
others from scoring: http://atlas.r4780y.com/cgi-bin/atlas

I'd love to hear the details too.

Brandon

From dave at immunityinc.com Thu Aug 14 15:47:27 2008
From: dave at immunityinc.com (Dave Aitel)
Date: Thu, 14 Aug 2008 15:47:27 -0400
Subject: [Dailydave] A growing darkness
Message-ID: <48A48BCF.4060605@immunityinc.com>

It's dark and storming here - not rare for Miami.

For those of you who like to read about heap overflows, Nico's blog has
some information on the work he did to make the Citrix bug CANVASized:
http://eticanicomana.blogspot.com/

Likewise his post on the rollercoaster ride that is writing heap
overflows is a good one. :>

We find that ready-to-use kernel rootkits are a key part of what people
want in an attack platform these days. To this end Daniel Palacio (an
intern at Immunity this summer) wrote a Linux rootkit we hope to release
shortly as part of CANVAS. Bas has since written a loader for it [1]
that uses the debug registers to "hook" things. You may or may not have
seen this technique being used [2] but it's good to have something ready
to go in your toolkit. There are some other cool features in the CANVAS
Linux rootkit but I'll wait till it's ready sometime next week to post
about them.

-dave

[1] The loader itself is in CANVAS Early Updates for those of you who
want to play with it.
[2] I think a Windows rootkit uses this hooking technique but I can't
remember which one.

From jdemott at crucialsecurity.com Thu Aug 14 16:01:32 2008
From: jdemott at crucialsecurity.com (Jared DeMott)
Date: Thu, 14 Aug 2008 16:01:32 -0400
Subject: [Dailydave] DefCon CTF
In-Reply-To: <20080814043920.GQ21348@outflux.net>
References: <48A34845.2050606@immunityinc.com> <20080814043920.GQ21348@outflux.net>
Message-ID: <48A48F1C.4020300@crucialsecurity.com>

Doc Brown wrote:
> On Wed, Aug 13, 2008 at 04:47:01PM -0400, Dave Aitel wrote:
>
>> One thing that was interesting this year at Defcon was CTF, which was a
>> bit of a blowout, even though the game itself was reasonably fair and
>> there were lots of good teams competing. At some point it would be cool
>> if school of root (the winning team) posted how they did it.
>>
>
> Team 1@stPlace enjoyed our 2 year winning streak, but we got sch00led
> hard. :) I couldn't be happier to lose[0] to them, though.
>
> As an outside observer of their team for many years, I think that SoR
> finally overcame the classic "too many people" problems and didn't step
> all over themselves like has happened for many teams over the years with
> more people than can sit at the CTF tables.
>
> Additionally, I think Kenshoto also raised the bar on the reversing,
> which gave a (well-deserved) advantage to the stronger reversers.
> I'm sure CollabREate[1] didn't hurt SoR either.
>
> As a quick list, I'd say this year the main difference seemed to be very
> well considered custom shellcode, excellent automation and tracking,
> strong network defense, and some additional tricks that we have some
> theories about. I'd love to hear more details too.
> :)
>
> -Doc
>

Ya, from what I saw (and from what ChrisEagle said) skewl just brought
out all the horses. With a 26 man team (to our 8-10) they were
overpoweringly strong, and led by the master CE to bring down the house
RE style. For the last couple years we've rocked as a balanced team and
mastered things like automation, counter attack, defense,
inline-snorting, and of course DRB with the RE power -- but this year
more than ever break through points (first to RE and exploit a vul) was
key -- score quick, score often. If the game stays the same, bringing a
small army of reversers is possibly a strong road to success, especially
if you've mastered the personal issues of large teams, and understand
the rest of the game as well. Skewl rocks, and they deserved to win.
I'm not at all suggesting that numbers were the only reason they won.
Though, I wonder if Kenshoto will try and address the large team
approach? I'm really not sure much can be done there, so I guess it's
just one strategic approach? CE trains folks that move on to gov and
industry, so now when he raises a call to arms, he can muster a sizable
team that we might have trouble matching. Though, I suppose we could
try that approach as well. I doubt we will though, I think our team has
always felt that sleek and tight was better than big. Though if you
tighten up big ... perhaps (obviously) you yield greater production?

jrod
From mhtajik at gmail.com Thu Aug 14 16:59:20 2008
From: mhtajik at gmail.com (Mohammad Hosein)
Date: Fri, 15 Aug 2008 00:29:20 +0330
Subject: [Dailydave] A growing darkness
In-Reply-To: <48A48BCF.4060605@immunityinc.com>
References: <48A48BCF.4060605@immunityinc.com>
Message-ID: <26f61db50808141359u6d15bdadr23fb96ef795e2a28@mail.gmail.com>

"hardened" kernels are killing our business ;) It's hard to believe one
can find a "serious" Linux machine running a virgin kernel (assuming
general patches do not help virginity to be lost, hats off to Chandler).
With PaX or Grsec or, even worse, SELinux installed and running, rootkits
don't stand a chance. So I thought you might want to consider taking a
look at Gentoo's Hardened kernel. It's a good start.

Regards
-mh

On Thu, Aug 14, 2008 at 11:17 PM, Dave Aitel wrote:
> It's dark and storming here - not rare for Miami.
>
> For those of you who like to read about heap overflows, Nico's blog has
> some information on the work he did to make the Citrix bug CANVASized:
> http://eticanicomana.blogspot.com/
>
> Likewise his post on the rollercoaster ride that is writing heap
> overflows is a good one. :>
>
> We find that ready-to-use kernel rootkits are a key part of what people
> want in an attack platform these days. To this end Daniel Palacio (an
> intern at Immunity this summer) wrote a Linux rootkit we hope to release
> shortly as part of CANVAS. Bas has since written a loader for it [1]
> that uses the debug registers to "hook" things. You may or may not have
> seen this technique being used [2] but it's good to have something ready
> to go in your toolkit. There are some other cool features in the CANVAS
> Linux rootkit but I'll wait till it's ready sometime next week to post
> about them.
>
> -dave
> [1] The loader itself is in CANVAS Early Updates for those of you who
> want to play with it.
> [2] I think a Windows rootkit uses this hooking technique but I can't
> remember which one.

From aoz.syn at gmail.com Thu Aug 14 17:03:03 2008
From: aoz.syn at gmail.com (RB)
Date: Thu, 14 Aug 2008 15:03:03 -0600
Subject: [Dailydave] DefCON NOP Redux
In-Reply-To: <20080814172548.27a3a4a8@moray>
References: <48A34845.2050606@immunityinc.com> <20080814172548.27a3a4a8@moray>
Message-ID: <4255c2570808141403g6e62668sd116082fd50f9087@mail.gmail.com>

>> As for how school of root did it... I'd love to know some specifics.
>> Past the fact that chris eagle has a factory of badasses. haha
>>
>
> Yeah there was pretty much a constant stream of badass flowing from
> that table. I was worried that if it got any worse Kenshoto was going
> to have to reprogram the score board to use a log() scale.
>
> atlas suggests that they wrote a "service-r00tkit" that prevented
> others from scoring: http://atlas.r4780y.com/cgi-bin/atlas

As well as one certain team did in the quals and as poorly as that same
team did in the actual competition, I'm wondering if sk3wl owned them
early on and used them as a scoring conduit.
From cseagle at redshift.com Thu Aug 14 19:38:48 2008
From: cseagle at redshift.com (Chris Eagle)
Date: Thu, 14 Aug 2008 16:38:48 -0700
Subject: [Dailydave] DefCon CTF
In-Reply-To: <48A48F1C.4020300@crucialsecurity.com>
References: <48A34845.2050606@immunityinc.com> <20080814043920.GQ21348@outflux.net> <48A48F1C.4020300@crucialsecurity.com>
Message-ID: <48A4C208.1060506@redshift.com>

Actually, of the 26 people, only 18 were hands on keyboard types this
year. Of those we had a wide range of experience levels from CTF first
timers to CTF old timers. The team was no larger or smaller than we have
used in the past and lost with. Perhaps our process is starting to work
a little better. Frankly we haven't decided what worked and what didn't
just yet, but we like all of the conjecture because we wish we had
thought of some of the ideas being tossed around. More things to try
next year I guess ;)

Chris

Jared DeMott wrote:
> Ya, from what I saw (and from what ChrisEagle said) skewl just brought
> out all the horses. With a 26 man team (to our 8-10) they were
> overpoweringly strong, and led by the master CE to bring down the house
> RE style. For the last couple years we've rocked as a balanced team and
> mastered things like automation, counter attack, defense,
> inline-snorting, and of course DRB with the RE power -- but this year
> more than ever break through points (first to RE and exploit a vul) was
> key -- score quick, score often. If the game stays the same, bringing a
> small army of reversers is possibly a strong road to success, especially
> if you've mastered the personal issues of large teams, and understand
> the rest of the game as well. Skewl rocks, and they deserved to win.
> I'm not at all suggesting that numbers were the only reason they won.
> Though, I wonder if Kenshoto will try and address the large team
> approach? I'm really not sure much can be done there, so I guess it's
> just one strategic approach?
> CE trains folks that move on to gov and
> industry, so now when he raises a call to arms, he can muster a sizable
> team that we might have trouble matching. Though, I suppose we could
> try that approach as well. I doubt we will though, I think our team has
> always felt that sleek and tight was better than big. Though if you
> tighten up big ... perhaps (obviously) you yield greater production?
>
> jrod

From rd at vnsecurity.net Fri Aug 15 03:55:57 2008
From: rd at vnsecurity.net (Red Dragon)
Date: Fri, 15 Aug 2008 00:55:57 -0700
Subject: [Dailydave] DefCon CTF
In-Reply-To: <48A48F1C.4020300@crucialsecurity.com>
References: <48A34845.2050606@immunityinc.com> <20080814043920.GQ21348@outflux.net> <48A48F1C.4020300@crucialsecurity.com>
Message-ID: <481d3c750808150055m56aaec82p1ef5ed4f02c1803a@mail.gmail.com>

On Thu, Aug 14, 2008 at 1:01 PM, Jared DeMott wrote:
> One thing that was interesting this year at Defcon was CTF, which was a
> bit of a blowout, even though the game itself was reasonably fair and
> there were lots of good teams competing. At some point it would be cool
> if school of root (the winning team) posted how they did it.
>
>
> Team 1@stPlace enjoyed our 2 year winning streak, but we got sch00led
> hard. :) I couldn't be happier to lose[0] to them, though.
>
> As an outside observer of their team for many years, I think that SoR
> finally overcame the classic "too many people" problems and didn't step
> all over themselves like has happened for many teams over the years with
> more people than can sit at the CTF tables.
>
> Additionally, I think Kenshoto also raised the bar on the reversing,
> which gave a (well-deserved) advantage to the stronger reversers.
> I'm sure CollabREate[1] didn't hurt SoR either.
>
> As a quick list, I'd say this year the main difference seemed to be very
> well considered custom shellcode, excellent automation and tracking,
> strong network defense, and some additional tricks that we have some
> theories about. I'd love to hear more details too. :)
>
>
> Ya, from what I saw (and from what ChrisEagle said) skewl just brought out
> all the horses. With a 26 man team (to our 8-10) they were overpoweringly
> strong, and led by the master CE to bring down the house RE style. For the
> last couple years we've rocked as a balanced team and mastered things like
> automation, counter attack, defense, inline-snorting, and of course DRB with
> the RE power -- but this year more than ever break through points (first to
> RE and exploit a vul) was key -- score quick, score often. If the game
> stays the same, bringing a small army of reversers is possibly a strong road
> to success, especially if you've mastered the personal issues of large
> teams, and understand the rest of the game as well. Skewl rocks, and they
> deserved to win. I'm not at all suggesting that numbers were the only reason
> they won. Though, I wonder if Kenshoto will try and address the large team
> approach? I'm really not sure much can be done there, so I guess it's just
> one strategic approach? CE trains folks that move on to gov and industry,
> so now when he raises a call to arms, he can muster a sizable team that we
> might have trouble matching. Though, I suppose we could try that approach
> as well. I doubt we will though, I think our team has always felt that
> sleek and tight was better than big. Though if you tighten up big ...
> perhaps (obviously) you yield greater production?
>

I think it's just unfair in terms of the number of people in the team.
Especially for "foreign" teams since US teams normally have more ppl.
Chris's team was like 2.5 times larger than other teams.
--rd

From rholgstad at gmail.com Thu Aug 14 19:27:10 2008
From: rholgstad at gmail.com (Robert Holgstad)
Date: Thu, 14 Aug 2008 18:27:10 -0500
Subject: [Dailydave] A growing darkness
In-Reply-To: <48A48BCF.4060605@immunityinc.com>
References: <48A48BCF.4060605@immunityinc.com>
Message-ID: <1278b0690808141627q79052f0ep12518a565322d889@mail.gmail.com>

http://packetstormsecurity.nl/UNIX/penetration/rootkits/mood-nt_2.3.tgz

This is a rk for Linux that uses it now.. halfdead's article in the last
Phrack also explains the idea.

Other question: how does your rootkit enter the kernel (I am guessing
this is the loader part?) I am sure you have seen by now that in 2.6.26
-stable they have limited access to /dev/mem to bios, pci, and non-ram
address for hardware, and completely killed kmem which kills many
people's rk research.

On Thu, Aug 14, 2008 at 2:47 PM, Dave Aitel wrote:
> [2] I think a Windows rootkit uses this hooking technique but I can't
> remember which one.
>

From cseagle at redshift.com Fri Aug 15 11:15:13 2008
From: cseagle at redshift.com (Chris Eagle)
Date: Fri, 15 Aug 2008 08:15:13 -0700
Subject: [Dailydave] DefCon CTF
In-Reply-To: <481d3c750808150055m56aaec82p1ef5ed4f02c1803a@mail.gmail.com>
References: <48A34845.2050606@immunityinc.com> <20080814043920.GQ21348@outflux.net> <48A48F1C.4020300@crucialsecurity.com> <481d3c750808150055m56aaec82p1ef5ed4f02c1803a@mail.gmail.com>
Message-ID: <48A59D81.6030000@redshift.com>

At least one of the foreign teams was seen routinely shuffling over to
their second table full of people in the amateur CTF room. At least we
are open about our numbers.
No one ever complained when they were beating us. Does anyone care to
estimate the number of possible people that could be linked into the
game over broadband connections? The conference wireless? Is counting
the number of members of a team really even possible?

Chris

Red Dragon wrote:
>
> I think it's just unfair in terms of the number of people in the team.
> Especially for "foreign" teams since US teams normally have more ppl.
> Chris's team was like 2.5 times larger than other teams.
>
> --rd

From dave.aitel at gmail.com Fri Aug 15 22:24:36 2008
From: dave.aitel at gmail.com (Dave Aitel)
Date: Fri, 15 Aug 2008 22:24:36 -0400
Subject: [Dailydave] The security circus.
Message-ID:

Perhaps Linus should reconsider his policy on how he treats security
items? Sometimes you're in the circus, whether you like it or not.

https://www.redhat.com/archives/fedora-announce-list/2008-August/msg00008.html

"""
The Fedora Infrastructure team is currently investigating an issue in
the infrastructure systems. That process may result in service outages,
for which we apologize in advance.

We're still assessing the end-user impact of the situation, but as a
precaution, we recommend you not download or update any additional
packages on your Fedora systems.

We'll share updates as we develop more information. Those updates will
be published here on the public fedora-announce-list:
https://redhat.com/mailman/listinfo/fedora-announce-list

Thanks for your patience as we continue working on this.

--
Paul W. Frields
"""
From drb at nopsr.us Fri Aug 15 15:36:27 2008
From: drb at nopsr.us (Doc Brown)
Date: Fri, 15 Aug 2008 12:36:27 -0700
Subject: [Dailydave] DefCon CTF
In-Reply-To: <481d3c750808150055m56aaec82p1ef5ed4f02c1803a@mail.gmail.com>
References: <48A34845.2050606@immunityinc.com> <20080814043920.GQ21348@outflux.net> <48A48F1C.4020300@crucialsecurity.com> <481d3c750808150055m56aaec82p1ef5ed4f02c1803a@mail.gmail.com>
Message-ID: <20080815193627.GA32324@outflux.net>

On Fri, Aug 15, 2008 at 12:55:57AM -0700, Red Dragon wrote:
> On Thu, Aug 14, 2008 at 1:01 PM, Jared DeMott
> wrote:
>
> > Ya, from what I saw (and from what ChrisEagle said) skewl just brought out
> > all the horses. With a 26 man team (to our 8-10) they were overpoweringly
> > strong, and led by the master CE to bring down the house RE style. For the
>
> I think it's just unfair in terms of the number of people in the team.
> Especially for "foreign" teams since US teams normally have more ppl.
> Chris's team was like 2.5 times larger than other teams.

I certainly see what you're saying, but traditionally there have been
diminishing returns when adding more people. There's a balance for any
given set of personalities, capabilities, and hierarchy.
I think it was the Ghetto Hackers that said one year when they ran CTF
and a smaller team complained about larger team sizes: "Get more
friends" :)

-Doc

--
Doc Brown @nopsr.us

From drb at nopsr.us Fri Aug 15 16:48:16 2008
From: drb at nopsr.us (Doc Brown)
Date: Fri, 15 Aug 2008 13:48:16 -0700
Subject: [Dailydave] DefCon CTF
In-Reply-To: <48A3EA93.4060805@rs-labs.com>
References: <48A34845.2050606@immunityinc.com> <48A3EA93.4060805@rs-labs.com>
Message-ID: <20080815204816.GB32324@outflux.net>

On Thu, Aug 14, 2008 at 10:19:31AM +0200, Roman Medina-Heigl Hernandez wrote:
> I'm also interested in knowing about some strange "network problems" that
> prevented some teams from fairly scoring (which yields two questions: is
> DoS permitted at CTF? If allowed, could it be considered as "ethical"?).

Straight DoS is not allowed. Doing things to stop other teams from being
able to score is allowed. Generally, it's best to run things past
Kenshoto if you have any concern that it may be a grey area. For
example, setting up a snort inline box and blocking based on strings of
\x90\x90\x90\x90 is a smart way to keep other teams from dropping
obvious NOP sleds as part of an attack against your team's services. But
rolling under your neighbor team's table and cutting their ethernet is
likely to result in your permanent ejection from DefCon. See [0] for an
overview of the rules, scoring, etc.

As for "network problems", I would suspect some of it was teams'
firewalls blocking detected attacks, some of it was VM load from all the
forking services, some of it was network load. While key refresh
happened every 5-7 minutes, many teams attacked over and over instead of
waiting 3 minutes or so between attempts.
-Doc

[0] http://nopsr.us/ctf2008/overview.html

--
Doc Brown @nopsr.us

From jesse.michael at comcast.net Fri Aug 15 15:38:28 2008
From: jesse.michael at comcast.net (jesse michael)
Date: Fri, 15 Aug 2008 12:38:28 -0700
Subject: [Dailydave] DefCon CTF
In-Reply-To: <48A59D81.6030000@redshift.com>
References: <48A34845.2050606@immunityinc.com> <20080814043920.GQ21348@outflux.net> <48A48F1C.4020300@crucialsecurity.com> <481d3c750808150055m56aaec82p1ef5ed4f02c1803a@mail.gmail.com> <48A59D81.6030000@redshift.com>
Message-ID: <20080815193828.GA2387@comcast.net>

On Fri, Aug 15, 2008 at 08:15:13AM -0700, Chris Eagle wrote:
> At least one of the foreign teams was seen routinely shuffling over to
> their second table full of people in the amateur CTF room. At least we
> are open about our numbers. No one ever complained when they were
> beating us. Does anyone care to estimate the number of possible people
> that could be linked into the game over broadband connections? The
> conference wireless? Is counting the number of members of a team really
> even possible?

I think the number of people on the team is a distraction from the fact
that you guys came in prepared and flat-out outperformed us. I've been
on big teams before and it can easily make the situation worse than
being on a small focused team because it can be difficult to coordinate
things and make sure that everyone is acting effectively.

Anyway, congrats on the win. It was certainly well deserved and has me
thinking about things we could do better next time.
:)

-Jesse

From jlewis at packetnexus.com Fri Aug 15 23:28:30 2008
From: jlewis at packetnexus.com (Jason Lewis)
Date: Fri, 15 Aug 2008 23:28:30 -0400
Subject: [Dailydave] DefCon CTF
In-Reply-To: <20080815193627.GA32324@outflux.net>
References: <48A34845.2050606@immunityinc.com> <20080814043920.GQ21348@outflux.net> <48A48F1C.4020300@crucialsecurity.com> <481d3c750808150055m56aaec82p1ef5ed4f02c1803a@mail.gmail.com> <20080815193627.GA32324@outflux.net>
Message-ID: <48A6495E.4000700@packetnexus.com>

Did anyone capture network traffic for CTF this year? Every year I've
seen captures for has been more interesting and had more data than the
last.

jas

From hso at nosneros.net Sat Aug 16 00:13:12 2008
From: hso at nosneros.net (Holt Sorenson)
Date: Sat, 16 Aug 2008 04:13:12 +0000
Subject: [Dailydave] DefCon CTF
In-Reply-To: <20080815204816.GB32324@outflux.net>
References: <48A34845.2050606@immunityinc.com> <48A3EA93.4060805@rs-labs.com> <20080815204816.GB32324@outflux.net>
Message-ID: <20080816041312.GL5006@nosneros.net>

On Fri, Aug 15, 2008 at 01:48:16PM -0700, Doc Brown wrote:
>As for "network problems", I would suspect some of it was teams' firewalls
>blocking detected attacks, some of it was VM load from all the forking
>services, some of it was network load. While key refresh happened every
>5-7 minutes, many teams attacked over and over instead of waiting 3
>minutes or so between attempts.

There was seemingly constant spew to ports 22 and 25 throughout much of
the game that looked like someone was dumping binary detritus
intermixed with shell code (somebody playing with fuzzers?) that I
talked to Ken Shoto about several times.

Stuff like that doesn't do anything for the game (since all the
interesting services run on other ports anyway) and seemed to be
contributing to the state table overflowing in the game firewall.
This was why during the post game debrief meeting that I made the
point that activity like this is counterproductive and isn't
going to move your team forward during the game.

Couple this with the factors you cite above and it made for a pretty
shitty network experience during the game at times.

Hopefully teams in the future are more surgical.

DefCon CTF isn't about carpet bombing, it's about laser guided
munitions.

(and Doc, I know you're part of the choir on this too, but I
needed to rant a bit).

--
Holt Sorenson
hso at nosneros.net
www.nosneros.net/hso

From adrien at kunysz.be Sat Aug 16 12:34:13 2008
From: adrien at kunysz.be (Adrien Krunch Kunysz)
Date: Sat, 16 Aug 2008 17:34:13 +0100
Subject: [Dailydave] The security circus.
In-Reply-To:
References:
Message-ID: <20080816163413.GA8606@krunch-laptop>

On Fri, Aug 15, 2008 at 10:24:36PM -0400, Dave Aitel wrote:
> Perhaps Linus should reconsider his policy on how he treats security items?
> Sometimes you're in the circus, whether you like it or not.
>
> https://www.redhat.com/archives/fedora-announce-list/2008-August/msg00008.html

I have trouble understanding what this has to do with security bug
disclosure. This sounds more like a problem with system administrators
not having designed their infrastructure properly. But of course this
is just speculation as we don't have enough information at the moment
to understand what happened and why.
From cseagle at redshift.com Sat Aug 16 13:43:29 2008
From: cseagle at redshift.com (Chris Eagle)
Date: Sat, 16 Aug 2008 10:43:29 -0700
Subject: [Dailydave] DefCon CTF
In-Reply-To: <20080816041312.GL5006@nosneros.net>
References: <48A34845.2050606@immunityinc.com> <48A3EA93.4060805@rs-labs.com> <20080815204816.GB32324@outflux.net> <20080816041312.GL5006@nosneros.net>
Message-ID: <48A711C1.9020007@redshift.com>

Holt Sorenson wrote:
> There was seemingly constant spew to ports 22 and 25 throughout much of
> the game that looked like someone was dumping binary detritus
> intermixed with shell code (somebody playing with fuzzers?) that I
> talked to Ken Shoto about several times.
>

Not to mention all the Nessus scanning going on. I'm not sure which vuln
people thought Nessus was going to find, but apparently people are
creatures of habit.

Chris

From trygve at pogostick.net Sat Aug 16 14:21:23 2008
From: trygve at pogostick.net (Trygve Aasheim)
Date: Sat, 16 Aug 2008 20:21:23 +0200
Subject: [Dailydave] DefCon CTF
In-Reply-To: <20080816041312.GL5006@nosneros.net>
References: <48A34845.2050606@immunityinc.com> <48A3EA93.4060805@rs-labs.com> <20080815204816.GB32324@outflux.net> <20080816041312.GL5006@nosneros.net>
Message-ID: <48A71AA3.4090304@pogostick.net>

What type of firewall are they running at defcon CTF if the state table
overflows based on what was in the packets? A state table only keeps
track of "state" for a session...being SYN, SYN-ACK, ESTABLISHED,
FIN-ACK etc, and will drop traffic if they are out of state...

If somebody is sending shell code and binary rubbish to a service over a
session, it shouldn't change the state table in any way...
If there were no services on these ports, and the firewall policy
reflected this - the sessions wouldn't even enter the state table.

Firewalls usually have issues with small packets (that's why vendors
don't use the RFC for performance testing (and even pay magazines so
they don't use it either), but send one insanely long ftp stream through
their one-rule-policy firewall and claim gbit performance), but it has
nothing to do with the state table.

Logging, packet capture and routing might also decrease the performance
of a firewall.

On VMs you have a totally new game when it comes to network performance
though. Trying to do packet capture, run firewalls and such together
with tons of sessions on virtual machines/interfaces often results in
strange behavior if the VM is on a host OS and not a hypervisor.

Holt Sorenson wrote:
> On Fri, Aug 15, 2008 at 01:48:16PM -0700, Doc Brown wrote:
>> As for "network problems", I would suspect some of it was teams' firewalls
>> blocking detected attacks, some of it was VM load from all the forking
>> services, some of it was network load. While key refresh happened every
>> 5-7 minutes, many teams attacked over and over instead of waiting 3
>> minutes or so between attempts.
>
> There was seemingly constant spew to ports 22 and 25 throughout much of
> the game that looked like someone was dumping binary detritus
> intermixed with shell code (somebody playing with fuzzers?) that I
> talked to Ken Shoto about several times.
>
> Stuff like that doesn't do anything for the game (since all the
> interesting services run on other ports anyway) and seemed to be
> contributing to the state table overflowing in the game firewall.
>
> This was why during the post game debrief meeting that I made the
> point that activity like this is counterproductive and isn't
> going to move your team forward during the game.
>
> Couple this with the factors you cite above and it made for a pretty
> shitty network experience during the game at times.
>
> Hopefully teams in the future are more surgical.
>
> DefCon CTF isn't about carpet bombing, it's about laser guided
> munitions.
>
> (and Doc, I know you're part of the choir on this too, but I
> needed to rant a bit).
>

From hso at nosneros.net Sat Aug 16 20:54:16 2008
From: hso at nosneros.net (Holt Sorenson)
Date: Sun, 17 Aug 2008 00:54:16 +0000
Subject: [Dailydave] DefCon CTF
In-Reply-To: <48A71AA3.4090304@pogostick.net>
References: <48A34845.2050606@immunityinc.com> <48A3EA93.4060805@rs-labs.com> <20080815204816.GB32324@outflux.net> <20080816041312.GL5006@nosneros.net> <48A71AA3.4090304@pogostick.net>
Message-ID: <20080817005416.GM5006@nosneros.net>

On Sat, Aug 16, 2008 at 08:21:23PM +0200, Trygve Aasheim wrote:
>What type of firewall are they running at defcon CTF if the state table
>overflows based on what was in the packets? A state table only keeps
>track of "state" for a session...being SYN, SYN-ACK, ESTABLISHED,
>FIN-ACK etc, and will drop traffic if they are out of state...

Dunno. Since FreeBSD users can choose from ipfilter, pf, or ipfirewall
KenShoto has several options available. Also, they've got coding skillz
and could have extended the code base of any of these to suit their
needs.

There was a point at which they said that they had to restart the
firewall because it was no longer properly forwarding traffic. When it
came back up, it immediately jumped to ~10k connections that it was
trying to handle and it began having problems forwarding packets again.
They told the team captains that if this continued that they would track
down the offender and deal with the team that was causing the problems.

>If somebody is sending shell code and binary rubbish to a service over a
>session, it shouldn't change the state table in any way...

Sure, for established sessions. If you're rapidly starting new sessions,
then...
Also, they use NAT to make it difficult to track back to a source, so that you couldn't block attacking team packets and only allow packets from the scoring server that are part of a connection that is going to check SLA.

I was not specifically referring to "state" in the strict sense where a firewall tracks transitions in a protocol like TCP using a set of code such as a state machine, but in the general sense that includes sessions/flows, NAT state, routing state, etc. Apologies for overloading terms and not being more lucid in the previous post.

>If there were no services on these ports, and the firewall policy
>reflected this - the sessions wouldn't even enter the state table.

Postfix was running on port 25 and sshd was running on port 22.

>Firewalls usually have issues with small packets (that's why vendors

Yep. I can't speak for what work the firewall was having to do to connections before they were NAT'd coming towards our system (read: jail), as I did not have visibility into the side of the firewall where these connections were initiated. Given the plethora of tools available for causing all sorts of mischief that persons could have used while at CTF, and given that there are more than one or two people at CTF that have the capability to be creative and channel that creativity into building network tools, it's anybody's guess what the initiated traffic looked like before the firewall transformed it and forwarded it on to destination hosts.

>Logging, packet capture and routing might also decrease the performance
>of a firewall.

Agreed.

>On VMs you have a totally new game when it comes to network performance
>though. Trying to do packet capture, run firewalls and such together
>with tons of sessions on virtual machines/interfaces often results in
>strange behavior if the VM is on a host OS and not a hypervisor.

FreeBSD jails with assumed unknown customizations are used. There is a lot being asked of the OS and the hardware it's running on.
For obvious reasons, KenShoto is terse about the details of what they've built to run the game.

--
Holt Sorenson
hso at nosneros.net
www.nosneros.net/hso

From ht at computerdefense.org Mon Aug 18 12:25:05 2008
From: ht at computerdefense.org (Tyler Reguly)
Date: Mon, 18 Aug 2008 12:25:05 -0400
Subject: [Dailydave] Denial of Service Survey
Message-ID: <1f313f070808180925k799564eckdecbc0575995a94b@mail.gmail.com>

Hey All,

I'm usually more of a lurker, but since I'm attempting to gather some statistics, I thought I'd make use of the mailing lists I read. I'm doing a survey on Denial of Service and people's perception related to it, and I'd love it if anyone had time to complete the survey tied to it:

http://computerdefense.org/tinc?key=qHVCmALG&formname=dosSurvey

Thanks,
Tyler Reguly
ComputerDefense.org

From jeremiah.johnson at gmail.com Mon Aug 18 16:14:07 2008
From: jeremiah.johnson at gmail.com (Jeremiah Johnson)
Date: Mon, 18 Aug 2008 15:14:07 -0500
Subject: [Dailydave] The security circus.
In-Reply-To: <20080816163413.GA8606@krunch-laptop>
References: <20080816163413.GA8606@krunch-laptop>
Message-ID: <701ea59b0808181314p31460f17u25e0d33be3fc89e6@mail.gmail.com>

It's because of Linus' recent statement:
http://kerneltrap.org/Linux/Security_Bugs_and_Full_Disclosure

This means that vendors that don't carefully watch upstream will miss a security issue and have their repositories owned and backdoor'd, which makes your fedora system backdoor'd on the next install or update.

-miah

On Sat, Aug 16, 2008 at 11:34 AM, Adrien Krunch Kunysz wrote:
> On Fri, Aug 15, 2008 at 10:24:36PM -0400, Dave Aitel wrote:
>> Perhaps Linus should reconsider his policy on how he treats security items?
>> Sometimes you're in the circus, whether you like it or not.
>>
>> https://www.redhat.com/archives/fedora-announce-list/2008-August/msg00008.html
>
> I have trouble understanding what this has to do with security bug
> disclosure.
> This sounds more like a problem with system administrators
> not having designed their infrastructure properly. But of course this
> is just speculation, as we don't have enough information at the moment
> to understand what happened and why.

From peter at adamantix.org Tue Aug 19 08:23:52 2008
From: peter at adamantix.org (Peter Busser)
Date: Tue, 19 Aug 2008 14:23:52 +0200
Subject: [Dailydave] The security circus.
In-Reply-To: <701ea59b0808181314p31460f17u25e0d33be3fc89e6@mail.gmail.com>
References: <20080816163413.GA8606@krunch-laptop> <701ea59b0808181314p31460f17u25e0d33be3fc89e6@mail.gmail.com>
Message-ID: <20080819122352.GA30503@adamantix.org>

Hi!

> It's because of Linus' recent statement:
> http://kerneltrap.org/Linux/Security_Bugs_and_Full_Disclosure
>
> This means that vendors that don't carefully watch upstream will miss
> a security issue and have their repositories owned and backdoor'd,
> which makes your fedora system backdoor'd on the next install or
> update.

Talking about backdoors in Linux... What if people submit code which is intentionally backdoored? I wonder how resilient the Linux community is against such things. The Linux kernel is getting bigger and bigger, which might make it easier for people to hide malicious code.

Besides, Linus is making a fool of himself because he is ignorant about what security is. A spectacular bug which crashes the system due to bad locking is not just a normal bug. It affects the availability of the system and should therefore be classified as a serious security bug. So yes, he is accidentally right about these bugs being equally "glorious" to privilege elevation bugs.

Why do people think that security is only about elevating privileges?

Groetjes,
Peter.
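The scenario Jeremiah describes above (a distribution's repository owned, the backdoor arriving on your box at the next update) leaves the administrator with two questions that a single "is it signed?" check does not answer: is every installed package signed by a key I actually trust, and is any installed build one the vendor has since withdrawn even though it carries a valid signature? The script below is an added example written for this thread; it is not Red Hat's or Fedora's check script and not a tool anyone in the thread posted. The only real interface it relies on is rpm's query format `%{SIGPGP:pgpsig}`, which prints a package's header signature as "<algorithm>, <date>, Key ID <16 hex digits>" or "(none)" for an unsigned package; the sample output, package versions, key IDs and the deny-list of builds are all constructed placeholders, to be replaced with the key IDs you imported and the builds named in the vendor's advisory.

```python
"""Audit installed RPMs against a signing-key allow-list and a vendor deny-list.

Added example for this thread; it is not a vendor's check script. It parses the
output shape of:
    rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH} %{SIGPGP:pgpsig}' (one line per package)
where rpm prints each header signature as "<algo>, <date>, Key ID <16 hex digits>"
or "(none)" when a package is unsigned.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample output. Package versions, the local-tool package and
# every key ID here are made up for the example.
SAMPLE_RPM_OUTPUT = """\
openssh-0.0-1.example.x86_64 DSA/SHA1, Mon 04 Aug 2008 10:00:00 AM UTC, Key ID 0000aaaa1111bbbb
openssh-server-0.0-1.example.x86_64 DSA/SHA1, Mon 04 Aug 2008 10:00:00 AM UTC, Key ID 0000aaaa1111bbbb
openssh-clients-0.0-2.example.x86_64 DSA/SHA1, Mon 11 Aug 2008 10:00:00 AM UTC, Key ID 2222cccc3333dddd
bash-0.0-1.example.x86_64 DSA/SHA1, Fri 01 Aug 2008 09:00:00 AM UTC, Key ID 0000aaaa1111bbbb
local-tool-1.0-1.x86_64 (none)
gpg-pubkey-1111bbbb-48a0b3a1 (none)
"""

# Placeholders: in practice, the long key IDs of the vendor keys you imported,
# and the exact builds the vendor advisory lists as withdrawn.
TRUSTED_KEY_IDS: Set[str] = {"0000aaaa1111bbbb"}
KNOWN_BAD_BUILDS: Set[str] = {"openssh-0.0-1.example.x86_64"}

KEY_ID_RE = re.compile(r"Key ID ([0-9a-fA-F]{16})\s*$")


def parse_line(line: str) -> Tuple[str, Optional[str]]:
    """Return (name-version-release.arch, lowercase key id or None if unsigned)."""
    nvra, _, sig = line.strip().partition(" ")
    match = KEY_ID_RE.search(sig)
    return nvra, (match.group(1).lower() if match else None)


def package_name(nvra: str) -> str:
    """Strip '-<version>-<release>.<arch>'; version and release never contain dashes."""
    return nvra.rsplit("-", 2)[0]


def audit(rpm_output: str,
          trusted_keys: Set[str] = TRUSTED_KEY_IDS,
          known_bad: Set[str] = KNOWN_BAD_BUILDS) -> Dict[str, List[str]]:
    """Bucket every installed package by what its signature does (or does not) tell us."""
    report: Dict[str, List[str]] = {
        "ok": [], "unsigned": [], "untrusted_key": [], "known_bad_build": []
    }
    for line in rpm_output.splitlines():
        if not line.strip():
            continue
        nvra, key_id = parse_line(line)
        if package_name(nvra) == "gpg-pubkey":
            continue  # rpm stores imported public keys as unsigned pseudo-packages
        if nvra in known_bad:
            # The thread's point: a good signature from the genuine key proves
            # nothing once that key has been used to sign a trojaned build.
            report["known_bad_build"].append(nvra)
        elif key_id is None:
            report["unsigned"].append(nvra)
        elif key_id not in trusted_keys:
            report["untrusted_key"].append(nvra)
        else:
            report["ok"].append(nvra)
    return report


def needs_attention(report: Dict[str, List[str]]) -> bool:
    """True when any bucket other than 'ok' is non-empty."""
    return any(pkgs for bucket, pkgs in report.items() if bucket != "ok")


if __name__ == "__main__":
    result = audit(SAMPLE_RPM_OUTPUT)
    for bucket, packages in result.items():
        for pkg in packages:
            print(f"{bucket:16} {pkg}")
```

On a live system you would feed it the real `rpm -qa` output instead of the constructed sample; the deny-list check is deliberately evaluated before the key check, because the build the advisory withdraws is exactly the one that still verifies.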
From ferruh at mavituna.com Tue Aug 19 09:36:22 2008
From: ferruh at mavituna.com (Ferruh Mavituna)
Date: Tue, 19 Aug 2008 14:36:22 +0100
Subject: [Dailydave] Deep Blind SQL Injection Whitepaper
Message-ID: <6dc88c3c0808190636k65bc370cre5a4aa9a1301de7e@mail.gmail.com>

This is a short whitepaper about a new way to exploit Blind SQL Injections. It's implemented in BSQL Hacker (http://labs.portcullis.co.uk/application/bsql-hacker/).

It is possible to gather information from a target server with a 66% reduction in the number of requests made of the server (compared to normal Blind SQL Injection), requiring two rather than six requests to retrieve each char.

Download: https://labs.portcullis.co.uk/download/Deep_Blind_SQL_Injection.pdf

Regards,

--
Ferruh Mavituna
http://ferruh.mavituna.com

From ferruh at mavituna.com Tue Aug 19 09:40:09 2008
From: ferruh at mavituna.com (Ferruh Mavituna)
Date: Tue, 19 Aug 2008 14:40:09 +0100
Subject: [Dailydave] BSQL Hacker 0.9.0.7 - Advanced SQL Injection Framework / Tool
Message-ID: <6dc88c3c0808190640g9916628o436e208a396b8fe9@mail.gmail.com>

BSQL Hacker is an automated SQL Injection Framework / Tool designed to exploit SQL injection vulnerabilities in virtually any database. It ships with Automated Attack modules which allow dumping the whole database:

* SQL Server
* ORACLE
* MySQL (experimental)

Attack Templates:

* MS Access
* MySQL
* ORACLE
* PostgreSQL
* MS SQL Server

You can also write your own attack template for any other database (see the manual for details). New attack templates and exploits for specific web applications can be shared via the Exploit Repository.

BSQL Hacker aims at experienced users as well as beginners who want to automate SQL Injections (especially Blind SQL Injections).
It supports:

* Blind SQL Injection (Boolean Injection)
* Full Blind SQL Injection (Time Based)
* Deep Blind SQL Injection (a new way to exploit BSQLIs, explained here: http://labs.portcullis.co.uk/application/deep-blind-sql-injection/)
* Error Based SQL Injection

It allows a Metasploit-like exploit repository to share and update exploits and attack templates.

Download, Screenshots, Source Code and More Information:
http://labs.portcullis.co.uk/application/bsql-hacker/

Injection Wizard Video:
http://www.vimeo.com/1536040?pg=embed&sec=1536040

--
Ferruh Mavituna
http://ferruh.mavituna.com

From dave.korn at artimi.com Tue Aug 19 10:11:15 2008
From: dave.korn at artimi.com (Dave Korn)
Date: Tue, 19 Aug 2008 15:11:15 +0100
Subject: [Dailydave] The security circus.
In-Reply-To: <20080819122352.GA30503@adamantix.org>
References: <20080816163413.GA8606@krunch-laptop> <701ea59b0808181314p31460f17u25e0d33be3fc89e6@mail.gmail.com> <20080819122352.GA30503@adamantix.org>
Message-ID: <033201c90205$717e1470$9601a8c0@CAM.ARTIMI.COM>

Peter Busser wrote on 19 August 2008 13:24:

> Talking about backdoors in Linux... What if people submit code which is
> intentionally backdoored? I wonder how resilient the Linux community is
> against such things.

Someone tried it a couple of years back, and quite subtly too. And it got spotted and jumped on in about ten minutes when the patch made its way upstream. Sorry, no reference to hand. It was some subtle (poss. integer overflow?) mis-handling of segment descriptors in relation to mmap support, that could have allowed trivial ring0 escalation.

> Why do people think that security is only about elevating privileges?

Well, pretty much every security *problem* comes down, at the root of it, to someone or something being able to do something that someone else doesn't want them to. Otherwise it's either a) not a problem, or b) not security.
But "Security" as a whole is as much about how you assign and manage those privileges; it's not just "problems" (all of which can be cast in the form of elevations, at a minor stretch), it's also "configuration", "administration", "management", "planning", "budgeting"... all those less-exciting bits that aren't about pwnx0r1ng someone's box...

cheers,
DaveK
--
Can't think of a witty .sigline today....

From dave at immunityinc.com Fri Aug 22 10:05:21 2008
From: dave at immunityinc.com (Dave Aitel)
Date: Fri, 22 Aug 2008 10:05:21 -0400
Subject: [Dailydave] Situation remains cloudy.
Message-ID: <48AEC7A1.6080309@immunityinc.com>

Ok, so to sum up the two emails below:

1. Fedora's package signing box was compromised by unknown parties. Fedora does not think the key's passphrase was compromised, however. They are changing their keys.

2. RedHat's package signing key was used to sign trojaned OpenSSH packages. RedHat does not think these were distributed via the Red Hat Network auto-update service.

http://www.redhat.com/archives/fedora-announce-list/2008-August/msg00012.html
http://rhn.redhat.com/errata/RHSA-2008-0855.html

-dave

From BCreitz at rockvillemd.gov Fri Aug 22 11:47:58 2008
From: BCreitz at rockvillemd.gov (BCreitz at rockvillemd.gov)
Date: Fri, 22 Aug 2008 11:47:58 -0400
Subject: [Dailydave] Situation remains cloudy.
In-Reply-To: <48AEC7A1.6080309@immunityinc.com>
References: <48AEC7A1.6080309@immunityinc.com>
Message-ID:

dailydave-bounces at lists.immunitysec.com wrote on 08/22/2008 10:05:21 AM:

> 1. Fedora's package signing box was compromised by unknown parties.
> Fedora does not think the key's passphrase was compromised however. They
> are changing their keys.
>
> 2. RedHat's package signing key was used to sign trojaned OpenSSH
> packages. RedHat does not think these were distributed via the Red Hat
> Network auto-update service.
>
> http://www.redhat.com/archives/fedora-announce-list/2008-August/msg00012.html
> http://rhn.redhat.com/errata/RHSA-2008-0855.html

Great, Red Hat provides a script to check my systems for me. Now I just have to SSH in to my boxes to run that... oh, wait a second...

Ben

From rodrigo at kernelhacking.com Sun Aug 24 18:01:13 2008
From: rodrigo at kernelhacking.com (Rodrigo Rubira Branco (BSDaemon))
Date: Sun, 24 Aug 2008 19:01:13 -0300
Subject: [Dailydave] Call For Papers - Hackers 2 Hackers Conference 5th Edition - Brazil
Message-ID: <48B1DA29.6020706@kernelhacking.com>

CALL FOR PAPERS - Hackers 2 Hackers Conference 5th edition

The call for papers for H2HC 5th edition is now open. H2HC is a hacker conference taking place in Sao Paulo, Brazil, from 8 to 9 November 2008.

[ - Introduction - ]

For the fifth consecutive year, and building on the past success we have been having, the annual Hackers 2 Hackers Conference will be held again, this time in Sao Paulo, from 8 to 9 November 2008, and aims to get together industry, government, academia and underground hackers to share knowledge and leading-edge ideas about information security and everything related to it.

H2HC will feature national and international speakers and attendees with a wide range of skills. The atmosphere is favorable to present all facets of the computer security subject and will be a great opportunity to network with like-minded people and enthusiasts.

The conference language is either Portuguese or English.
[ - The venue - ]

H2HC 5th edition will take place at Faculdade de Informatica e Administracao Paulista (FIAP - www.fiap.br) in an auditorium with capacity for up to 400 people.

[*] About Sao Paulo (taken from fiquemaisumdia.com.br)

The city is the largest in Brazil and first in South America by population. Quite often Sao Paulo intimidates people because of its size, its constant pedestrian and vehicle traffic, ethnic and cultural multiplicity. Sao Paulo will surprise you whether you come here on business or for an expo, a congress or a convention; stay for at least one more day. Let yourself be seduced by the cultural diversity of this many-faceted city which vibrates, dictates fashion, is always anticipating trends, and welcomes Brazilians and foreigners from all over. And oh, do not forget to have fun in South America's wildest night life.

[ - Topics - ]

The H2HC committee gives preference to lectures with practical demonstration. The conference staff will try to provide every piece of equipment needed for the presentation in case the author cannot provide it.
The following topics include, but are not limited to:

- Penetration testing
- Web application security
- Exploit development techniques
- Telecom security and phone phreaking
- Fuzzing and application security testing
- Techniques for development of secure software and systems
- Hardware hacking, embedded systems and other electronic devices
- Mobile devices exploitation, Symbian, P2K and bluetooth technologies
- Analysis of viruses, worms and all sorts of malware
- Reverse engineering
- Rootkits
- Security in Wi-Fi and VoIP environments
- Information about smartcard and RFID security and similar
- Technical approach to alternative operating systems
- Denial of service attacks and/or countermeasures
- Security aspects in SCADA and industrial environments and "obscure" networks
- Cryptography
- Lockpicking, trashing, physical security and urban exploration
- Internet, privacy and Big Brother
- Information warfare and industrial espionage

[ - Important dates - ]

Conference and trainings
November 6th and 7th: H2HC trainings
November 8th and 9th: H2HC 5th edition

Deadline and submissions
Deadline for proposal submissions: October 5 2008
Deadline for slides submissions: October 20 2008
Notification of acceptance or rejection: no later than October 10 2008

* E-mail for proposal submissions: cfp at h2hc.com.br

* Make sure to provide along with your submission the following details:

- Speaker name or handle, address, e-mail, phone number and general contact information
- A brief but informative description about your talk
- Short biography of the presenter, including organization, company and affiliations
- Estimated time-length of presentation
- General topic of the speech (eg.: network security, secure programming, computer forensics, etc.)
- Any other technical requirements for your lecture
- Whether you need a visa to enter Brazil or not

Speakers will be allocated 50 minutes of presentation time, although, if needed, we can extend the presentation length if requested in advance.

The preferred file format for papers and slides is PDF, and also PPT for slides. Speakers are asked to hand in the slides used in their lectures.

PLEASE NOTE: Bear in mind no sales pitches will be allowed. If your presentation involves advertisement of products or services please do not submit.

[ - Information for speakers - ]

Speakers' privileges are:

- H2HC staff can guarantee and we will provide accommodation for 3 nights
- For each non-resident speaker we might be able to cover travel expenses up to USD 1.000
- For each resident speaker we might be able to cover travel expenses
- Free pass to the conference

[ - Other information - ]

For further information please check out our web site http://www.h2hc.com.br; it will be updated with everything regarding the conference.

From dave.aitel at gmail.com Tue Aug 26 15:21:15 2008
From: dave.aitel at gmail.com (Dave Aitel)
Date: Tue, 26 Aug 2008 15:21:15 -0400
Subject: [Dailydave] The lack of hard questions
Message-ID:

There's probably a few BlackHat talks you didn't bother to read, and I wanted to highlight a couple:

1. Alex Ionescu
https://www.blackhat.com/presentations/bh-usa-08/Ionescu/BH_US_08_Ionescu_Pointers_and_Handles.pdf

The bugs themselves are local DoS's (bluescreens) and Admin->Ring0 jumps, but the methodology he used to find the bugs, and the win32k.sys internals he discusses while explaining them, are interesting. I quickly wrote one of them up for CANVAS Early Updates, since you never know when Blue Screening some box might come in handy.

2. Secure the Planet!
New Strategic Initiatives from Microsoft to Rock Your World
Mike Reavey, Steve Adegbite, Katie Moussouris
https://www.blackhat.com/presentations/bh-usa-08/Reavey/MSRC.pdf

Obviously my favorite part is the slide with CANVAS. :> But I think it's interesting that Microsoft is doing this stuff and I don't think people have asked them the hard questions about it yet. Also, those are quite cool caricatures.

Recently Immunity's been tasked with something that requires the development of a secure MSRPC application in unmanaged C++. When you start trying to build something like this, you realize just how hard it is for normal developers. Where web developers have thousands of gadgets, papers, recipes, techniques, APIs, and "how-tos", there really isn't anything great on building a secure MSRPC application. So while it's true that Microsoft is making the fastest strides in security, it's also true they have the longest to go.

-dave

From dr at kyx.net Tue Aug 26 15:36:22 2008
From: dr at kyx.net (Dragos Ruiu)
Date: Tue, 26 Aug 2008 12:36:22 -0700
Subject: [Dailydave] PacSec 2008 CFP (Deadline Sept. 1, Conference Nov. 12/13) and BA-Con 2008 Speakers (Sept. 30/ Oct. 1)
Message-ID: <200808261236.22489.dr@kyx.net>

Spanish url: http://ba-con.com.ar/speakers.html?language=es

Speaker list and Dojos for BA-Con, September 30, October 1st.
(all presentations in both Spanish and English)

Presentations:

- WPA/WPA2: how long is it gonna make it - Cédric Blancher & Simon Maréchal, EADS & SGDN
- Security Concerns of Firmware Updates (SPI System BIOS and Embedded Controller) - Sun Bing
- A Practical Approach to Mitigate and Remove Malware - Ching Tim Meng
- Advances in Attacking Interpreted Languages: Javascript - Justin Ferguson
- Understanding eVoting in post Everest, TTBR world - Harri Hursti
- SecViz 007 - Raffael Marty, Splunk
- Pass-the-hash Toolkit for Windows - Hernan Ochoa, Core
- Linux 2.6 kernel rootkits - Daniel Palacio, Immunity
- Reverse Engineering Dynamic Languages, a Focus on Python - Aaron Portnoy & Ali Rizvi-Santiago, TippingPoint
- All the Crap Aircrafts Receive and Send - Hendrik Scholz
- Teflon: anti-stick for the browsers attack surface - Saumil Shah, Net-Square
- Hacking PXE without reboot (using the BIOS network stack for other purposes) - Julien Vanegue, CESAR
- LeakedOut: the Social Networks You Get Caught In - Jose Orlicki, Core

Dojos (September 28/29):

- Reverse Code Engineering - Edgar Barbosa, COSEINC
- Practical 802.11 Wi-Fi (In)Security - Cédric Blancher, EADS
- Effective Fuzzing using the Peach Fuzzing Platform (2 days) - Michael Eddington, Leviathan
- Assembler for Exploits - Gerardo Richarte, Core
- The Exploit Lab - Saumil Shah, Net-Square

We would like to especially thank the gracious sponsorship of Core, Microsoft, and Symantec/SecurityFocus, without whom this event would not be possible and/or would be a lot more expensive for attendees.

We also suggest that conference attendees stay a couple of days longer and go to ekoparty right after this event.

cheers,
--dr

--8<--kyx--8<--

English url: http://pacsec.jp/speakers.html?language=en
Japanese url: http://pacsec.jp/speakers.html?language=ja
(the following should be up soon...)
Spanish url: http://pacsec.jp/speakers.html?language=es
Chinese url: http://pacsec.jp/speakers.html?language=cn

PacSec 2008 CALL FOR PAPERS

World Security Pros To Converge on Japan

TOKYO, Japan -- To address the increasing importance of information security in Japan, the best known figures in the international security industry will get together with leading Japanese researchers to share best practices and technology. The most significant new discoveries about computer network hack attacks
and defenses will be presented at the sixth annual PacSec conference.

The PacSec meeting provides an opportunity for foreign specialists to be exposed to Japanese innovation and markets and collaborate on practical solutions to computer security issues. In an informal setting with a mixture of material bilingually translated in both English and Japanese, the eminent technologists can socialize and attend training sessions.

Announcing the opportunity to submit papers for the PacSec 2008 network security training conference. The conference will be held November 12/13th in Tokyo at the Aoyama Diamond Hall above Omotesando station. The conference focuses on emerging information security tutorials - it is a bridge between the international and Japanese information security technology communities.

Please make your paper proposal submissions before September 1st, 2008. Slides for the papers must be submitted for translation by October 1, 2008.

Some invited papers have been confirmed, but a limited number of speaking slots are still available. The conference is responsible for travel and accommodations for the speakers. If you have a proposal for a tutorial session then please email a synopsis of the material and your biography, papers and speaking background to secwest08 [at] pacsec.jp . Tutorials are one hour in length, but with simultaneous translation should be approximately 45 minutes in English, or Japanese. Only slides will be needed for the October paper deadline; full text does not have to be submitted.

The PacSec conference consists of tutorials on technical details about current issues, innovative techniques and best practices in the information security realm. The audiences are a multi-national mix of professionals involved on a daily basis with security work: security product vendors, programmers, security officers, and network
administrators. We give preference to technical details and education for a technical audience.

The conference itself is a single track series of presentations in a lecture theater environment. The presentations offer speakers the opportunity to showcase on-going research and collaborate with peers while educating and highlighting advancements in security products and techniques. The focus is on innovation, tutorials, and education instead of product pitches. Some commercial content is tolerated, but it needs to be backed up by a technical presenter - either giving a valuable tutorial and best practices instruction or detailing significant new technology in the products.

Paper proposals should consist of the following information:

1. Presenter, and geographical location (country of origin/passport) and contact info (e-mail, postal address, phone, fax).
2. Employer and/or affiliations.
3. Brief biography, list of publications and papers.
4. Any significant presentation and educational experience/background.
5. Topic synopsis, proposed paper title, and a one paragraph description.
6. Reason why this material is innovative or significant or an important tutorial.
7. Optionally, any samples of prepared material or outlines ready.
8. Will you have full text available or only slides?
9. Please list any other publications or conferences where this material has been or will be published/submitted.
10. Do you have any special demo or network requirements for your presentation?

Please include the plain text version of this information in your email as well as any file, pdf, sxw, ppt, or html attachments.

Please forward the above information to secwest08 [at] pacsec.jp to be considered for placement on the speaker roster, or have your lightning talk scheduled. The deadline
is soon for this one: September 1st 2008.

cheers,
--dr

P.S. We have also set the dates for CanSecWest 2010 for Mar. 22-26. With the Olympics in the neighborhood a month before we have to plan way ahead.

--
World Security Pros. Cutting Edge Training, Tools, and Techniques
Buenos Aires, Argentina  Sept. 30 / Oct. 1 - 2008  http://ba-con.com.ar
Tokyo, Japan  November 12/13 2008  http://pacsec.jp
Vancouver, Canada  March 16-20 2009  http://cansecwest.com
pgpkey http://dragos.com/ kyxpgp

From jericho at attrition.org Tue Aug 26 16:48:14 2008
From: jericho at attrition.org (security curmudgeon)
Date: Tue, 26 Aug 2008 20:48:14 +0000 (UTC)
Subject: [Dailydave] The lack of hard questions
In-Reply-To:
References:
Message-ID:

: Secure the Planet! New Strategic Initiatives from Microsoft to Rock Your
: World *Mike Reavey, Steve Adegbite, Katie Moussouris*
: https://www.blackhat.com/presentations/bh-usa-08/Reavey/MSRC.pdf
:
: Obviously my favorite part is the slide with CANVAS. :> But I think it's
: interesting that Microsoft is doing this stuff and I don't think people
: have asked them the hard questions about it yet. Also, those are quite
: cool caricatures .

Their "hard questions" in the slides were far from hard. I think you had left the room, but I went to the mic and asked them ~10 hard(er) questions. They answered a few, 'no commented' one and evaded a few. These were questions that came to mind while they gave their presentation, and the general lack of serious questions and putting them on the spot afterwards was a huge disappointment.

I left BlackHat feeling that one of the purposes of BH (and DC) was to give the audience a chance to ask real questions, not the fluff questions that we see more and more each year. The audience has turned from a skeptical crowd into a passive herd, accepting anything presented, regardless of accuracy or sanity.
I had to leave early on Saturday but I was told that Reavey, Adegbite and/or Moussouris wanted to speak with me because of the questions I asked. If any of you are reading this list, feel free to mail me if you had questions about my questions or skepticism. And no, I held back a few questions as they were cheap shots at the presenters/Microsoft but underscored the basis for some skepticism. After one comment Steve made to me in front of the audience, I should have let loose. Sometimes it doesn't pay to be a good guy. =)

- security curmudgeon

From cmiller at securityevaluators.com Tue Aug 26 16:56:54 2008
From: cmiller at securityevaluators.com (Charles Miller)
Date: Tue, 26 Aug 2008 15:56:54 -0500
Subject: [Dailydave] The lack of hard questions
In-Reply-To:
References:
Message-ID:

I feel a little uneasy about Microsoft declaring how exploitable vulnerabilities are... That's a job I wouldn't want. Plus, if the only people who can make a particular exploit reliable are Kostya and Alex, does that count as reliable or somewhat reliable?

Charlie

On Aug 26, 2008, at 2:21 PM, Dave Aitel wrote:

> There's probably a few BlackHat talks you didn't bother to read, and
> I wanted to highlight a couple:
> 1.
> Alex Ionescu
> https://www.blackhat.com/presentations/bh-usa-08/Ionescu/BH_US_08_Ionescu_Pointers_and_Handles.pdf
>
> The bugs themselves are local DoS's (bluescreens) and Admin->Ring0
> jumps, but the methodology he used to find the bugs, and the
> win32k.sys internals he discusses while explaining them are
> interesting. I quickly wrote one of them up for CANVAS Early
> Updates, since you never know when Blue Screening some box might
> come in handy.
>
> 2.
> Secure the Planet! New Strategic Initiatives from Microsoft to Rock
> Your World Mike Reavey, Steve Adegbite, Katie Moussouris
> https://www.blackhat.com/presentations/bh-usa-08/Reavey/MSRC.pdf
>
> Obviously my favorite part is the slide with CANVAS.
> :> But I think
> it's interesting that Microsoft is doing this stuff and I don't
> think people have asked them the hard questions about it yet. Also,
> those are quite cool caricatures.
>
> Recently Immunity's been tasked with something that requires the
> development of a secure MSRPC application in unmanaged C++. When you
> start trying to build something like this, you realize just how hard
> it is for normal developers. Where web developers have thousands of
> gadgets, papers, recipes, techniques, APIs, and "how-tos", there
> really isn't anything great on building a secure MSRPC application.
> So while it's true that Microsoft is making the fastest strides in
> security, it's also true they have the longest to go.
>
> -dave

From dave.aitel at gmail.com Tue Aug 26 17:01:47 2008
From: dave.aitel at gmail.com (Dave Aitel)
Date: Tue, 26 Aug 2008 17:01:47 -0400
Subject: [Dailydave] The lack of hard questions
In-Reply-To:
References:
Message-ID:

I didn't get to see the talk, so I'm not sure what questions you asked and what the answers were. Of course, you can feel free to ask them here. Peer review isn't a static thing.

-dave

On Tue, Aug 26, 2008 at 4:48 PM, security curmudgeon wrote:
>
> : Secure the Planet! New Strategic Initiatives from Microsoft to Rock Your
> : World *Mike Reavey, Steve Adegbite, Katie Moussouris*
> : https://www.blackhat.com/presentations/bh-usa-08/Reavey/MSRC.pdf
> :
> : Obviously my favorite part is the slide with CANVAS. :> But I think it's
> : interesting that Microsoft is doing this stuff and I don't think people
> : have asked them the hard questions about it yet. Also, those are quite
> : cool caricatures .
>
> Their "hard questions" in the slides were far from hard. I think you had
> left the room, but I went to the mic and asked them ~ 10 hard(er)
> questions.
> They answered a few, 'no commented' one and evaded a few. These
> were questions that came to mind while they gave their presentation, and
> the general lack of serious questions and putting them on the spot
> afterwards was a huge disappointment.
>
> I left BlackHat feeling that one of the purposes of BH (and DC) was to
> give the audience a chance to ask real questions, not the fluff questions
> that we see more and more each year. The audience has turned from a
> skeptical crowd into a passive herd, accepting anything presented,
> regardless of accuracy or sanity.
>
> I had to leave early on Saturday but I was told that Reavey, Adegbite
> and/or Moussouris wanted to speak with me because of the questions I
> asked. If any of you are reading this list, feel free to mail me if you
> had questions about my questions or skepticism. And no, I held back a few
> questions as they were cheap shots at the presenters/Microsoft but
> underscored the basis for some skepticism. After one comment Steve made to
> me in front of the audience, I should have let loose. Sometimes it doesn't
> pay to be a good guy. =)
>
> - security curmudgeon

From dave.aitel at gmail.com Tue Aug 26 20:49:55 2008
From: dave.aitel at gmail.com (Dave Aitel)
Date: Tue, 26 Aug 2008 20:49:55 -0400
Subject: [Dailydave] The world is smallish
Message-ID:

http://blog.wired.com/27bstroke6/2008/08/revealed-the-in.html

"""
BGP eavesdropping has long been a theoretical weakness, but no one is known to have publicly demonstrated it until Anton "Tony" Kapela, data center and network director at 5Nines Data, and Alex Pilosov, CEO of Pilosoft, showed their technique at the recent DefCon hacker conference.
The pair successfully intercepted traffic bound for the conference network and redirected it to a system they controlled in New York before routing it back to DefCon in Las Vegas. The technique, devised by Pilosov, doesn't exploit a bug or flaw in BGP. It simply exploits the natural way BGP works. """ If you're in NYC and you need hosting, I highly recommend Pilosoft. They were Immunity's original hosting provider back before Alex was into going to security conferences. :> -dave -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.immunitysec.com/pipermail/dailydave/attachments/20080826/b65d35a0/attachment.htm From pusscat at metasploit.com Wed Aug 27 09:05:42 2008 From: pusscat at metasploit.com (Pusscat) Date: Wed, 27 Aug 2008 09:05:42 -0400 Subject: [Dailydave] The lack of hard questions In-Reply-To: References: Message-ID: <005201c90845$9d3ce870$d7b6b950$@com> My assumption would be that if it can be made reliable by anyone, then it's reliable. It probably shouldn't be a quantum value, collapsed by our inability ;) ~ Lurene, NOP :) -----Original Message----- From: dailydave-bounces at lists.immunitysec.com [mailto:dailydave-bounces at lists.immunitysec.com] On Behalf Of Charles Miller Sent: Tuesday, August 26, 2008 4:57 PM To: Dave Aitel Cc: dailydave Subject: Re: [Dailydave] The lack of hard questions I feel a little uneasy about Microsoft declaring how exploitable vulnerabilities are... That's a job I wouldn't want. Plus, if the only people who can make a particular exploit reliable are Kostya and Alex, does that count as reliable or somewhat reliable? Charlie On Aug 26, 2008, at 2:21 PM, Dave Aitel wrote: > There's probably a few BlackHat talks you didn't bother to read, and > I wanted to highlight a couple: > 1. 
> Alex Ionescuhttps://www.blackhat.com/presentations/bh-usa-08/Ionescu/BH_US_08_Ion escu_Pointers_and_Handles.pdf > > > The bugs themselves are local DoS's (bluescreens) and Admin->Ring0 > jumps, but the methodology he used to find the bugs, and the > win32k.sys internals he discusses while explaining them are > interesting. I quickly wrote one of them up for CANVAS Early > Updates, since you never know when Blue Screening some box might > come in handy. > > > 2. > Secure the Planet! New Strategic Initiatives from Microsoft to Rock > Your World Mike Reavey, Steve Adegbite, Katie Moussourishttps://www.blackhat.com/presentations/bh-usa-08/Reavey/MSRC.pdf > > Obviously my favorite part is the slide with CANVAS. :> But I think > it's interesting that Microsoft is doing this stuff and I don't > think people have asked them the hard questions about it yet. Also, > those are quite cool caricatures . > > Recently Immunity's been tasked with something that requires the > development of a secure MSRPC application in unmanaged C++. When you > start trying to build something like this, you realize just how hard > it is for normal developers. Where web developers have thousands of > gadgets, papers, recipies, techniques, API's, and "how-tos", there > really isn't anything great on building a secure MSRPC application. > So while it's true that Microsoft is making the fastest strides in > security, it's also true they have the longest to go. 
> > -dave > _______________________________________________ > Dailydave mailing list > Dailydave at lists.immunitysec.com > http://lists.immunitysec.com/mailman/listinfo/dailydave _______________________________________________ Dailydave mailing list Dailydave at lists.immunitysec.com http://lists.immunitysec.com/mailman/listinfo/dailydave From mreavey at microsoft.com Wed Aug 27 17:05:57 2008 From: mreavey at microsoft.com (Mike Reavey) Date: Wed, 27 Aug 2008 14:05:57 -0700 Subject: [Dailydave] The lack of hard questions In-Reply-To: References: Message-ID: Hey folks - we're here, watching this thread. Send us your questions, either directly to msrcteam at microsoft.com or to the list. We'll answer them here:blogs.technet.com/ecostrat in a future post. From: dailydave-bounces at lists.immunitysec.com [mailto:dailydave-bounces at lists.immunitysec.com] On Behalf Of Dave Aitel Sent: Tuesday, August 26, 2008 2:02 PM To: security curmudgeon Cc: dailydave Subject: Re: [Dailydave] The lack of hard questions I didn't get to see the talk, so I'm not sure what questions you asked and what the answers were. Of course, you can feel free to ask them here. Peer review isn't a static thing. -dave On Tue, Aug 26, 2008 at 4:48 PM, security curmudgeon > wrote: : Secure the Planet! New Strategic Initiatives from Microsoft to Rock Your : World *Mike Reavey, Steve Adegbite, Katie Moussouris* : https://www.blackhat.com/presentations/bh-usa-08/Reavey/MSRC.pdf : : Obviously my favorite part is the slide with CANVAS. :> But I think it's : interesting that Microsoft is doing this stuff and I don't think people : have asked them the hard questions about it yet. Also, those are quite : cool caricatures . Their "hard questions" in the slides were far from hard. I think you had left the room, but I went to the mic and asked them ~ 10 hard(er) questions. They answered a few, 'no commented' one and evaded a few. 
These were questions that came to mind while they gave their presentation, and the general lack of serious questions and putting them on the spot afterwards was a huge disappointment. I left BlackHat feeling that one of the purposes of BH (and DC) was to give the audience a chance to ask real questions, not the fluff questions that we see more and more each year. The audience has turned from a skeptical crowd into a passive herd, accepting anything presented, regardless of accuracy or sanity. I had to leave early on Saturday but I was told that Reavey, Adegbite and/or Moussouris wanted to speak with me because of the questions I asked. If any of you are reading this list, feel free to mail me if you had questions about my questions or skepticism. And no, I held back a few questions as they were cheap shots at the presenters/Microsoft but underscored the basis for some skepticism. After one comment Steve made to me in front of the audience, I should have let loose. Sometimes it doesn't pay to be a good guy. =) - security curmudgeon -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.immunitysec.com/pipermail/dailydave/attachments/20080827/e8746f20/attachment.htm From roman at rs-labs.com Fri Aug 29 06:25:13 2008 From: roman at rs-labs.com (Roman Medina-Heigl Hernandez) Date: Fri, 29 Aug 2008 12:25:13 +0200 Subject: [Dailydave] DefCon CTF In-Reply-To: <20080815204816.GB32324@outflux.net> References: <48A34845.2050606@immunityinc.com> <48A3EA93.4060805@rs-labs.com> <20080815204816.GB32324@outflux.net> Message-ID: <48B7CE89.1030702@rs-labs.com> Just in case someone missed this report (like me... I've just read it...): http://sexy.pandas.es/blog/2008/08/14/pandas-crashed-in-vegas/ Hope to see other reports.... 
please, let me know :) Cheers, -r From cmiller at securityevaluators.com Wed Aug 27 18:43:43 2008 From: cmiller at securityevaluators.com (Charles Miller) Date: Wed, 27 Aug 2008 17:43:43 -0500 Subject: [Dailydave] The lack of hard questions In-Reply-To: <44283.1219874152@turing-police.cc.vt.edu> References: <005201c90845$9d3ce870$d7b6b950$@com> <44283.1219874152@turing-police.cc.vt.edu> Message-ID: But the problem is, if there are only a handful of people who can make a reliable exploit for a particular vulnerability (or not) and none of them work for MS, how can MS accurately determine whether an exploit for a particular vulnerability will be somewhat reliable or totally reliable (or not possible at all)? Doesn't anyone remember gobbles :) On Aug 27, 2008, at 4:55 PM, Valdis.Kletnieks at vt.edu wrote: > On Wed, 27 Aug 2008 09:05:42 EDT, Pusscat said: >> My assumption would be that if it can be made reliable by anyone, >> then it's >> reliable. It probably shouldn't be a quantum value, collapsed by our >> inability ;) > > Yes, it only has to be weaponized once.