Re: Google Groups e-mail disclosure in plain text

[n3td3v <n3td3v () gmail com>]

On 4/19/06, Matthew Murphy <mattmurphy () kc rr com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: RIPEMD160
>
> n3td3v wrote:
> [...]
> > Furthermore, Secunia are the biggest "scene whore" professional
> > website in the industry.
>
> There's no such thing as a "professional scene whore"

Until Secunia setup shop.

> > Theres nothing on their site that wasn't available via other public sources.
>
> DUH.  It's called *competition*.  Should my neighborhood dollar store go
> out of business because, DUH, it's all available at Wal-Mart anyway?
> No.  We call those monopolies.  In the software industry, we call this
> monopoly Microsoft.

The Secunia is no competition for Securityfocus. Theres nothing
original post on their website. On Securityfocus, at least people post
directly to it, rather than go stealing advisories from other sites to
verify, like Secunia do.

> Since you're so anti-corporate and all, you should already *know* that.
>  That really takes an anti-corporate personality (or a lifetime in a
> cave) to call me "pro-Microsoft", now doesn't it?  Especially amongst
> people here, I'm a pretty tough-to-please Microsoft critic.

I'm not anti corporate. I'm anti people working within them making bad
security choices, like Yahoo do.  I'm anti Secunia, as they host FD,
only because of the footer URL. If there was no footer URL, they
wouldn't even have thought about hosting FD.


> > With Secunia, its all about republish, republish, republish peoples shiz.
>
> You're slighting Secunia.  At least Secunia does SOME original research.

Show me their original research. The list on their website is claimed
to be, but isn't. Its a purely scene whore website, with no Secunia
original content. Maybe some folks reading the site haven't seen some
content elsewhere, but thats more because Secunia don't state the
original source, but they do state on their website at the bottom of
advisories that their content is taken from third party websites,
groups, researchers etc.

>  Further, the service that Secunia provides is one of centralization and
> organization.  There are hundreds of points of delivery and discussion
> for original research, Secunia itself being one of them.

List your claim of their original research, thanks.

> SecurityTracker, and a whole load of other similar services make an
> entire business out of mining those sources of information, *verifying*
> it (and believe me, I've seen flat-out wrong vuln reports before), and
> presenting it in a consistent, usable format.

SecurityTracker, a sister site of the main professional scene whore
website. Secunia, king of the scene whores. As for format, their
layout and stuff is unsightly on the eye. No one uses Secunia for any
serious purpose, its very much an eye sore, as is that Secunia URL at
the footer of FD messages.

> Is it a simple, almost trivial chore?  Probably.  Is it tedious and time
> consuming?  You bet.
>
> If you'd ever administered a network with a few hundred or so machines
> with (if you're lucky) a handful of other people on your staff, you'd
> know.  Each individual business or institution with assets to secure
> cannot feasibly afford the costs of doing independent intel gathering,
> even with something as basic as an alerting service.  Otherwise, folk
> like Secunia wouldn't have a market.

Secunia do none of the above. Go research on what they actually do,
than reading their carefully crafted wording on their website(s).
> > And you want everyone to thank them for "secure" hosting? Don't kid a kidder...
>
> Yeah... secure enough.  And, oh by the way... it's free.  Didn't your
> mommy teach you how to say "thank you" like a good little boy when
> strangers do nice things for you?

It is not free. Secunia have given FD so much money, for the hidden
agenda of the URL in the footer message. If they are hosting FD and
its secure, its very much to protect their illegal spamming of
thousands of mail boxes.

> Or do you just extort favors from people with your six-machine botnet
> from the latest Google Groups spam run?  We're really shakin' now.

I don't have a botnet.
Google designed a secure web application, thats very much secure from
bot networks. I uncovered a hole in their "secure application", where
botnets have been visiting their web application headers and grabbing
the e-mail address. You make it sound like the e-mail address is all
together like user () domain com. No it was more complicated than that.
The user and the domain was very much in different places on the
header, and it would take some interesting php to harvest the e-mail.
There was very much a vulnerability, which the e-mail address was
exposed in plain text, but only under certain conditions, such as
e-mail forwarding from a gmail account. In today's world, an e-mail
address is becoming second to a password disclosure in plain text,
thats why Google take the threat of e-mail disclosure via their web
applications very seriously. Google have hidden all e-mail addresses
under normal circumstances on their web application, so much, you can
only view a user e-mail via a word verfication system. The hole I
found was very much a needle in a hay stack, and it had gone unnoticed
by the GG2 team. The GG2 team are very thankful for me letting them
know about this vulnerability I have uncovered, and invite security
researchers to do all they can to report similar bot network friendly
bugs in their web applications in the future. Its not coincidence that
Google, the world leader in web apps has taken the threat of plain
text e-mail disclosure on thier applications very seriously, bot
networks are perhaps the biggest internet threat right now according
to the folks over at http://www.securityfocus.com/columnists/398 and
thats folsk like Google are obscuring e-mail addresses and setting up
word verfication systems, to make their web applications as secure as
possible within their products. Thanks, n3td3v.

> > If they did something special with their website like Securityfocus
> > does, then I might be able to bare their illegal footer message spam
>
> "Illegal"?  What planet/drug are you on?  There's a small problem with
> your "legal theory" here.  Secunia's sneaky footer insertion attack that
> renders e-mails to F-D oh-so-totally useless has a perfectly legal
> explanation, you see.  THEY OWN THE SERVER.  As in, you know, bought it,
> paid for it, and maintain it?

They own the server, because they knew it would give them many years
of spam. Secunia weren't being oh so friendly or doing FD a favour,
they are very much thinking on their own agenda mind thought process
of big spam dollars.

> I hope that's not too complicated for you.
>
> Next time you feel like criticizing Secunia (or anyone else), try
> finding a criticism that makes sense.

You're the only one who doesn't seem to understand my stance and why
it makes sense. Trust me, i'm not alone on this one. Folks I speak to
everyday from the big dot-coms off list are in complete agreement. So
while you are trying to impress folks like Robert Lemos right now,
perhaps you should think before you post, and who really agrees with
you, rather than a small cross section of the industry who posts on
FD, a lot of the time just to bait someone they don't admire very
much, kinda reminds me of you.

> > and their scene whore republication of advisories they claim are
> > Secunia exclusives.
>
> I'm not going to be one to defend Secunia here, but I don't think they
> claim that the raw information in MOST of their advisories is
> "exclusive".

Well, this thread was about Secunia, rather than any general comment
about other companies. You say you're not going to defend Secunia, but
thats all you've been doing throughout your post. If you're not
defending Secunia, then why are you defending them, and what is your
actual point? And yes, they do try and be an exclusive original source
of security information via the Secunia website, but they're not.

Granted, they sometimes make mistakes on crediting sources
> and supplementing information, but I haven't heard them make a claim
> that something public was "exclusive".  Even in the case of their own
> research, they publicize it for the community and other normative
> sources rip it off in turn.

I have no idea what you're saying here. Perhaps you should concentrate
on passing college first, before you try and take digs out of senior
members of the security community. You found a bug in Microsoft, thats
not uncommon these days. However, I believe you've not found a
vulnerability in a corporate network yet, so I guess theres more MM
vulns to come, or maybe you just got lucky, a one hit wonder, if you
will.

> The only semi-exclusive work they do (to my knowledge) is the data
> plotting (charting, graphing, etc.) that examines a few trends (number
> of advisories, risk levels of vulnerabilities, patches available, etc.)
> for specific products.

Semi exclusive? Theres no such thing, and you were the one who
questioned my professional scene whore wording. Unbelieveable. The
more I read your post, the more you seemed to be pro n3td3v in my anti
Secunia "mind think", because you've just repeated all the bad things
I was saying about them, just in different wording with a sinister
anti n3td3v twist, but essentially, in your post, you've just
highlighted all the things I was saying about them. I think to begin
with you were very much looking to stab me, but the more you wrote,
the more it exposed you were sub-consciously agreeing with me. BTW,
good luck on passing college ;-)

I'll send Robert Lemos another 50 bucks to mention your name, since
theres no one else to write about in his articles right now. Its a
dead time of year in the media right now, so I guess that explains
everything.

Regards,

n3td3v

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/