Full Disclosure mailing list archives
Another ExploitLabs.com Advisory (was: Vote Today)
From: "mattmurphy () kc rr com" <mattmurphy () kc rr com>
Date: Thu, 12 Jun 2003 21:43:20 -0400
If I go to the mailbox and get my private letter from you and I open it and read it, drop it on the ground and walk away, that is not against the law.
In fact it is, it is negligent -- particularly if that message contains information that was not intended for general viewing. I'm certain that I could find a privacy invasion law that applies to this case. Even if I weren't able to do so, I remind you that copying messages (whether copied to multiple people or not, they were NOT intended for the list) without my permission with the sole intent of using them against me was completely immature, tasteless, and immoral, and will only further stiffen your opponents' viewpoints.
Furthermore you copied and sent it to someone else, not privliged information.
I sent a message to multiple recipients, Donnie and Len Rose. I did not send them to Full-Disclosure or any other mailing list, and they were implicitly private communication.
This is all bull Im tired of defendding my actions , only to have others defend me and now I am the issue. I have only defended myself in a open hostile market through no ill intent on my behalf.
"No ill intent", Mr. Werner? You've re-posted confidential communication, and worse accused me of "blackballing" you in a public forum based on that communication. You continue to throw nothing but insults at posters to Full-Disclosure. I will be looking at legal definitions of "privacy invasion" and "slander" -- be warned, Mr. Werner, un-substantiated accusations (further, accusations based upon confidential communications) do nothing but put another black mark on your reputation.
I have never sent threatning mail to any one, I did not accuse you.
You may not have threatened me, but you certainly did accuse... Let me quote something from your open, archived post to Full-Disclosure, Donnie, just to help you remember: "Ladies and Gentleman... I am being systematicly blackballed, If I coment on one white hat, I get threats from two more.." preceded by your unauthorized excerpt of my e-mail to yourself and Len Rose.
I believe you sent 2 emails Matt, on solely addressed to, and the other cc'ed. Yours to me remains in confidence.
I have no idea where you got this concept from. I sent e-mail to you, CC'ed to Len Rose. At no point was my e-mail intended to be displayed as some propaganda tool to Full-Disclosure and your pathetic "0day" list. I never sent a second e-mail Donnie, so if that is your story, you might want to reconsider.
Do not fall into the group as I have. I am, and have only defended fallacies of me or my work.
Your "work" has exposed users to a security vulnerability the size of which you do not even begin to comprehend. If you had deployed your own code --your failure to do so shows a lack of confidence in its stability and security in my opinion -- you would have exposed yourself to a greater risk than all of the "security issues" you have un-covered thus far could hope to pose. P.S. - Donnie, your exploit scanner has more problems. This time in the host blocking mechanism. Your comparison is a full string comparison, not regexp. A system with a wildcard "A" record, like my production server, could be blocked at typical domain names: www.techie.hopto.org techie.hopto.org but, an attacker scanning: hackhere.techie.hopto.org would reach the same system and bypass the detection of a banned site. Secondly, your site blocker and scanner have huge XSS issues in them -- you can make them spit anything out in "host", eg: http://www.exploitlabs.com/cgi-bin/nph-exploitscanget.cgi?host=%3Cscript%3Ea lert%28document%2Ecookie%29%3C%2Fscript%3E&port=80&idsbypass=0&errchk=1 Not to mention that a CGI-based exploit scanner allowing the user to scan arbitrary hosts is a horrendous idea. It would be much simpler to regexp block sites, so that: *techie.hopto.org would block potential wildcard-based filtering bypass attacks. Also, an OPT-IN mechanism for scanning makes more sense, because of the abuse potential noted above. -------------------------------------------------------------------- mail2web - Check your email from the web at http://mail2web.com/ . _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Another ExploitLabs.com Advisory (was: Vote Today) mattmurphy () kc rr com (Jun 12)