Full Disclosure mailing list archives

Another ExploitLabs.com Advisory (was: Vote Today)


From: "mattmurphy () kc rr com" <mattmurphy () kc rr com>
Date: Thu, 12 Jun 2003 21:43:20 -0400

> If I go to the mailbox and get my private letter from you and I open
> it and read it, drop it on the ground and walk away, that is not
> against the law.

In fact it is, it is negligent -- particularly if that message contains
information that was not intended for general viewing.  I'm certain that I
could find a privacy invasion law that applies to this case.  Even if I
weren't able to do so, I remind you that copying messages (whether copied
to multiple people or not, they were NOT intended for the list) without my
permission with the sole intent of using them against me was completely
immature, tasteless, and immoral, and will only further stiffen your
opponents' viewpoints.

> Furthermore you copied and sent it to someone else,
> not privileged information.

I sent a message to multiple recipients, Donnie and Len Rose.  I did not
send them to Full-Disclosure or any other mailing list, and they were
implicitly private communication.

> This is all bull I'm tired of defending my
> actions, only to have others defend me and now I am the issue. I have
> only defended myself in an open hostile market through no ill intent on
> my behalf.

"No ill intent", Mr. Werner?  You've re-posted confidential communication,
and worse accused me of "blackballing" you in a public forum based on that
communication.  You continue to throw nothing but insults at posters to
Full-Disclosure.  I will be looking at legal definitions of "privacy
invasion" and "slander" -- be warned, Mr. Werner, unsubstantiated
accusations (further, accusations based upon confidential communications)
do nothing but put another black mark on your reputation.

> I have never sent threatening mail to anyone, I did not
> accuse you.

You may not have threatened me, but you certainly did accuse...  Let me
quote something from your open, archived post to Full-Disclosure, Donnie,
just to help you remember:

"Ladies and Gentlemen... I am being systematically blackballed,
If I comment on one white hat, I get threats from two more.."

preceded by your unauthorized excerpt of my e-mail to yourself and Len Rose.

> I believe you sent 2 emails Matt, one solely addressed to,
> and the other cc'ed. Yours to me remains in confidence.

I have no idea where you got this concept from.  I sent e-mail to you,
CC'ed to Len Rose.  At no point was my e-mail intended to be displayed as
some propaganda tool to Full-Disclosure and your pathetic "0day" list.  I
never sent a second e-mail Donnie, so if that is your story, you might want
to reconsider.

> Do not fall
> into the group as I have. I am, and have only defended fallacies of me
> or my work.

Your "work" has exposed users to a security vulnerability the size of which
you do not even begin to comprehend.  If you had deployed your own code
-- your failure to do so shows a lack of confidence in its stability and
security in my opinion -- you would have exposed yourself to a greater risk
than all of the "security issues" you have uncovered thus far could hope
to pose.

P.S. - Donnie, your exploit scanner has more problems.  This time in the
host blocking mechanism.  Your comparison is a full string comparison, not
regexp.  A system with a wildcard "A" record, like my production server,
could be blocked at typical domain names:

www.techie.hopto.org
techie.hopto.org

but, an attacker scanning:

hackhere.techie.hopto.org

would reach the same system and bypass the detection of a banned site. 
Secondly, your site blocker and scanner have huge XSS issues in them -- you
can make them spit anything out in "host", e.g.:

http://www.exploitlabs.com/cgi-bin/nph-exploitscanget.cgi?host=%3Cscript%3Ealert%28document%2Ecookie%29%3C%2Fscript%3E&port=80&idsbypass=0&errchk=1

Not to mention that a CGI-based exploit scanner allowing the user to scan
arbitrary hosts is a horrendous idea.  It would be much simpler to regexp
block sites, so that:

*techie.hopto.org

would block potential wildcard-based filtering bypass attacks.  Also, an
OPT-IN mechanism for scanning makes more sense, because of the abuse
potential noted above.
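
The two issues raised in the P.S. above (exact-string host blocking and the reflected "host" parameter), sketched as an added Python example; it is not part of the original message and not the scanner's own code. The function names and the handler are hypothetical, and it matches blocked domains on DNS label boundaries rather than by the regexp the message proposes, because a bare `*techie.hopto.org` pattern would also match unrelated names that merely end in that string.

```python
import html
import re

# Constructed blocklist entry, using the hostname from the message.
BLOCKED_DOMAINS = {"techie.hopto.org"}

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize_host(raw):
    """Return a canonical lowercase hostname, or None if it is not one."""
    host = raw.strip().lower().rstrip(".")
    if not host or len(host) > 253:
        return None
    if not all(_LABEL.match(label) for label in host.split(".")):
        return None
    return host


def exact_match_blocked(host):
    """The comparison the message criticises: whole-string equality."""
    return host in {"techie.hopto.org", "www.techie.hopto.org"}


def is_blocked(host):
    """Block a domain and every name beneath it, on label boundaries."""
    labels = host.split(".")
    # Check the host itself, then each parent: a.b.c -> a.b.c, b.c, c
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS
               for i in range(len(labels)))


def handle_request(raw_host):
    """Hypothetical handler: returns the HTML fragment shown to the user."""
    host = normalize_host(raw_host)
    if host is None:
        # Escape before echoing so markup in the parameter stays inert text.
        return "Invalid host: " + html.escape(raw_host)
    if is_blocked(host):
        return "Scanning of " + html.escape(host) + " is not permitted."
    return "OK: " + html.escape(host)
```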
