Full Disclosure mailing list archives
Re: Google Groups e-mail disclosure in plain text
From: n3td3v <n3td3v () gmail com>
Date: Wed, 19 Apr 2006 21:20:17 +0100
On 4/19/06, Matthew Murphy <mattmurphy () kc rr com> wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 n3td3v wrote: [...]Furthermore, Secunia are the biggest "scene whore" professional website in the industry.There's no such thing as a "professional scene whore"
Until Secunia setup shop.
Theres nothing on their site that wasn't available via other public sources.DUH. It's called *competition*. Should my neighborhood dollar store go out of business because, DUH, it's all available at Wal-Mart anyway? No. We call those monopolies. In the software industry, we call this monopoly Microsoft.
The Secunia is no competition for Securityfocus. Theres nothing original post on their website. On Securityfocus, at least people post directly to it, rather than go stealing advisories from other sites to verify, like Secunia do.
Since you're so anti-corporate and all, you should already *know* that. That really takes an anti-corporate personality (or a lifetime in a cave) to call me "pro-Microsoft", now doesn't it? Especially amongst people here, I'm a pretty tough-to-please Microsoft critic.
I'm not anti corporate. I'm anti people working within them making bad security choices, like Yahoo do. I'm anti Secunia, as they host FD, only because of the footer URL. If there was no footer URL, they wouldn't even have thought about hosting FD.
With Secunia, its all about republish, republish, republish peoples shiz.You're slighting Secunia. At least Secunia does SOME original research.
Show me their original research. The list on their website is claimed to be, but isn't. Its a purely scene whore website, with no Secunia original content. Maybe some folks reading the site haven't seen some content elsewhere, but thats more because Secunia don't state the original source, but they do state on their website at the bottom of advisories that their content is taken from third party websites, groups, researchers etc.
Further, the service that Secunia provides is one of centralization and organization. There are hundreds of points of delivery and discussion for original research, Secunia itself being one of them.
List your claim of their original research, thanks.
SecurityTracker, and a whole load of other similar services make an entire business out of mining those sources of information, *verifying* it (and believe me, I've seen flat-out wrong vuln reports before), and presenting it in a consistent, usable format.
SecurityTracker, a sister site of the main professional scene whore website. Secunia, king of the scene whores. As for format, their layout and stuff is unsightly on the eye. No one uses Secunia for any serious purpose, its very much an eye sore, as is that Secunia URL at the footer of FD messages.
Is it a simple, almost trivial chore? Probably. Is it tedious and time consuming? You bet. If you'd ever administered a network with a few hundred or so machines with (if you're lucky) a handful of other people on your staff, you'd know. Each individual business or institution with assets to secure cannot feasibly afford the costs of doing independent intel gathering, even with something as basic as an alerting service. Otherwise, folk like Secunia wouldn't have a market.
Secunia do none of the above. Go research on what they actually do, than reading their carefully crafted wording on their website(s).
And you want everyone to thank them for "secure" hosting? Don't kid a kidder...Yeah... secure enough. And, oh by the way... it's free. Didn't your mommy teach you how to say "thank you" like a good little boy when strangers do nice things for you?
It is not free. Secunia have given FD so much money, for the hidden agenda of the URL in the footer message. If they are hosting FD and its secure, its very much to protect their illegal spamming of thousands of mail boxes.
Or do you just extort favors from people with your six-machine botnet from the latest Google Groups spam run? We're really shakin' now.
I don't have a botnet. Google designed a secure web application, thats very much secure from bot networks. I uncovered a hole in their "secure application", where botnets have been visiting their web application headers and grabbing the e-mail address. You make it sound like the e-mail address is all together like user () domain com. No it was more complicated than that. The user and the domain was very much in different places on the header, and it would take some interesting php to harvest the e-mail. There was very much a vulnerability, which the e-mail address was exposed in plain text, but only under certain conditions, such as e-mail forwarding from a gmail account. In today's world, an e-mail address is becoming second to a password disclosure in plain text, thats why Google take the threat of e-mail disclosure via their web applications very seriously. Google have hidden all e-mail addresses under normal circumstances on their web application, so much, you can only view a user e-mail via a word verfication system. The hole I found was very much a needle in a hay stack, and it had gone unnoticed by the GG2 team. The GG2 team are very thankful for me letting them know about this vulnerability I have uncovered, and invite security researchers to do all they can to report similar bot network friendly bugs in their web applications in the future. Its not coincidence that Google, the world leader in web apps has taken the threat of plain text e-mail disclosure on thier applications very seriously, bot networks are perhaps the biggest internet threat right now according to the folks over at http://www.securityfocus.com/columnists/398 and thats folsk like Google are obscuring e-mail addresses and setting up word verfication systems, to make their web applications as secure as possible within their products. Thanks, n3td3v.
If they did something special with their website like Securityfocus does, then I might be able to bare their illegal footer message spam"Illegal"? What planet/drug are you on? There's a small problem with your "legal theory" here. Secunia's sneaky footer insertion attack that renders e-mails to F-D oh-so-totally useless has a perfectly legal explanation, you see. THEY OWN THE SERVER. As in, you know, bought it, paid for it, and maintain it?
They own the server, because they knew it would give them many years of spam. Secunia weren't being oh so friendly or doing FD a favour, they are very much thinking on their own agenda mind thought process of big spam dollars.
I hope that's not too complicated for you. Next time you feel like criticizing Secunia (or anyone else), try finding a criticism that makes sense.
You're the only one who doesn't seem to understand my stance and why it makes sense. Trust me, i'm not alone on this one. Folks I speak to everyday from the big dot-coms off list are in complete agreement. So while you are trying to impress folks like Robert Lemos right now, perhaps you should think before you post, and who really agrees with you, rather than a small cross section of the industry who posts on FD, a lot of the time just to bait someone they don't admire very much, kinda reminds me of you.
and their scene whore republication of advisories they claim are Secunia exclusives.I'm not going to be one to defend Secunia here, but I don't think they claim that the raw information in MOST of their advisories is "exclusive".
Well, this thread was about Secunia, rather than any general comment about other companies. You say you're not going to defend Secunia, but thats all you've been doing throughout your post. If you're not defending Secunia, then why are you defending them, and what is your actual point? And yes, they do try and be an exclusive original source of security information via the Secunia website, but they're not. Granted, they sometimes make mistakes on crediting sources
and supplementing information, but I haven't heard them make a claim that something public was "exclusive". Even in the case of their own research, they publicize it for the community and other normative sources rip it off in turn.
I have no idea what you're saying here. Perhaps you should concentrate on passing college first, before you try and take digs out of senior members of the security community. You found a bug in Microsoft, thats not uncommon these days. However, I believe you've not found a vulnerability in a corporate network yet, so I guess theres more MM vulns to come, or maybe you just got lucky, a one hit wonder, if you will.
The only semi-exclusive work they do (to my knowledge) is the data plotting (charting, graphing, etc.) that examines a few trends (number of advisories, risk levels of vulnerabilities, patches available, etc.) for specific products.
Semi exclusive? Theres no such thing, and you were the one who questioned my professional scene whore wording. Unbelieveable. The more I read your post, the more you seemed to be pro n3td3v in my anti Secunia "mind think", because you've just repeated all the bad things I was saying about them, just in different wording with a sinister anti n3td3v twist, but essentially, in your post, you've just highlighted all the things I was saying about them. I think to begin with you were very much looking to stab me, but the more you wrote, the more it exposed you were sub-consciously agreeing with me. BTW, good luck on passing college ;-) I'll send Robert Lemos another 50 bucks to mention your name, since theres no one else to write about in his articles right now. Its a dead time of year in the media right now, so I guess that explains everything. Regards, n3td3v _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Google Groups e-mail disclosure in plain text, (continued)
- Re: Google Groups e-mail disclosure in plain text Aaron Gray (Apr 18)
- Re: Google Groups e-mail disclosure in plain text Aaron Gray (Apr 18)
- Message not available
- Re: Google Groups e-mail disclosure in plain text n3td3v (Apr 18)
- Re: Google Groups e-mail disclosure in plain text Randal T. Rioux (Apr 18)
- Re: Google Groups e-mail disclosure in plain text n3td3v (Apr 18)
- Re: Google Groups e-mail disclosure in plain text Rodrigo Barbosa (Apr 18)
- Re: Google Groups e-mail disclosure in plain text Randal T. Rioux (Apr 19)
- Re: Google Groups e-mail disclosure in plain text GroundZero Security (Apr 18)
- Re: Google Groups e-mail disclosure in plain text Valdis . Kletnieks (Apr 19)
- Re: Google Groups e-mail disclosure in plain text Matthew Murphy (Apr 19)
- Re: Google Groups e-mail disclosure in plain text n3td3v (Apr 19)
- Re: Google Groups e-mail disclosure in plain text Dave "No, not that one" Korn (Apr 22)
- Re: Google Groups e-mail disclosure in plain text Aaron Gray (Apr 18)
- RE: Google Groups e-mail disclosure in plain text Paul Nickerson (Apr 18)