Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: RE: Isecom.org ideahamster.org and the hackerhighschool.org
From: robert () dyadsecurity com
Date: Thu, 2 Dec 2004 12:00:37 -0800

your_momma () hushmail com(your_momma () hushmail com)@Thu, Dec 02, 2004 at 09:34:41AM -0800:
 is that,, (IMHO) an sql injection flaw on a SECURITY SOFTWARE YOU 

Just try getting alicorn installed, I dare you :).  Alicorn doesn't work
yet.  Maybe this Friday's release will. The release you looked at was a
prelim devel release that was noted to have security issues.  Don't act
like you're doing anyone any favors by pointing out something that was
already documented to be true.

 DEVELOPMENT and all that you could offer us is "if you truely want
 security, please use selinux"????

It is inevitable that software modules will have mistakes.  The
unicornscan code is actually pretty well written from a security
perspective, but I'm sure it will be shown to have a problem somewhere
someday... though I notice you didn't bother to find one yet.  If you
do, please share.  I am a fan of full disclosure as a rule ;).

The real take away here though is that if you run software in a
Discretionary Access Control model, you have no inherent security
assurances.  This is why we recommend using SE Linux, so you can enforce
what the software is allowed to do in case it comes to light that there
was a mistake made in the software module.

 So you want war.. you'll have war.

I don't want a war.  To be honest, I've always though you guys were
pretty funny, if not a bit on the childish side.  I appreciate your
humor.  What is annoying though is after I tried to reach out and make
the peace with you, you've decided to resort to baseless personal

 a little retard, you know.. another script kiddie that broke isecom

Heh .. I hate the term script kiddie.  It's overused and is most
commonly used by people who aren't technical enough to be throwing
around comments like that.  Granted you didn't get root on the box...
but that wasn't your point.  Your point was to deliver a political blow
against ISECOM by making it seem as though you fully compromised the
website.  That's actually a brilliant social hack, and I can appreciate
that even if the technical details of the hack were a bit lame :).

In closing .. I mean you no harm.  Please move on.  It will only get
ugly from here on.



Robert E. Lee
CTO, Dyad Security, Inc.
W - http://www.dyadsecurity.com
E - robert () dyadsecurity com
M - (949) 394-2033

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]