Full Disclosure mailing list archives
RE: [inbox] Re: Fwd: Re: Administrivia: Binary Executables w/o Source
From: "Jason Coombs" <jasonc () science org>
Date: Thu, 21 Aug 2003 11:34:40 -1000
Nick FitzGerald came to his senses and removed me from the pedestal he had placed me on, and then launched into a well-written barrage of fact, beginning thus:
I agree completely. The sobig spam is valuable -- it shows us who we should not trust to operate a computer.
_If_ you know what to take from the headers _AND_ have omniscient access to the mythical IP-to-user mapping address list...
Ah, but Nick, I *DO* have omniscient access to the non-mythical IP-to-user
mapping list -- and so do you. How many FD subscribers post to the list from
the ISP "NetZero/United Online/untd.com" out of Honolulu, Hawaii? I can assure
you that I am the only one.
Received: from smtp04.lax.untd.com (outbound28-2.lax.untd.com [64.136.28.160])
by netsys.com (8.11.6p2/8.11.6) with SMTP id h7KJJA401175
for <full-disclosure () lists netsys com>; Wed, 20 Aug 2003 15:19:10 -0400 (EDT)
Received: from dialup-67.30.168.213.dial1.honolulu1.level3.net (HELO win2kdev)
(67.30.168.213)
by smtp04.lax.untd.com with SMTP; 20 Aug 2003 19:19:08 -0000
Likewise, you are quite possibly the only person who posts from CLEAR Net
Mail, New Zealand. At least while using your mobile device...
From: Nick FitzGerald <nick () virus-l demon co uk>
Received: from smtp2.clear.net.nz (smtp2.clear.net.nz [203.97.37.27])
by netsys.com (8.11.6p2/8.11.6) with ESMTP id h7LDigC13293
for <full-disclosure () lists netsys com>; Thu, 21 Aug 2003 09:44:42 -0400 (EDT)
Received: from mobilenick (218-101-96-116.dialup.clear.net.nz
[218.101.96.116])
by smtp2.clear.net.nz (CLEAR Net Mail)
with ESMTP id <0HJZ0009D26ETO () smtp2 clear net nz> for
full-disclosure () lists netsys com; Fri, 22 Aug 2003 01:44:41 +1200 (NZST)
I appreciate your attention to detail, but the relevant detail you missed was
my conclusion, a witty challenge to Len Rose to stop concealing the truth and
give us full disclosure:
it's the least he could do after intentionally covering up for these people.
Humor was the detail you missed, and a strict interpretation of the empirical
evidence of the design of SoBig just wasn't very funny.
I did get a private "Hah!" e-mail out of Len, which revealed to me the IP
address, OS, mail transfer agent and patch level, and mail user agent he was
using at the time, which allowed me to launch an attack against his computer
and its surrounding network, which turned out to be the same network used by
the FD server itself. I noted that the patch level of my ISP's mail transfer
agent is lower than that of FD's and I was appropriately humbled.
Return-Path: <len () netsys com>
by helsinki.west-network.net (8.11.6/8.11.6) with ESMTP id h7KLIox30956
for <jasonc () science org>; Wed, 20 Aug 2003 17:18:50 -0400
Received: (from len@localhost)
by netsys.com (8.11.6p2/8.11.6) id h7KLDU105559
for jasonc () science org; Wed, 20 Aug 2003 17:13:30 -0400 (EDT)
Date: Wed, 20 Aug 2003 17:13:26 -0400
User-Agent: Mutt/1.4i
Thor Larholm then came up with a very good idea to post a Web-based
full-disclosure archive of everything received not just everything that ends
up distributed to the list. The potential forensic value of Thor's suggestion
is staggering.
Thor Larholm wrote:
In that case, I would prefer if Len put up an archive of all the virus mails sent to FD so everybody on the list could have fun analyzing it. Couple it with the archives of normal posts and some regging+grep'ing you will be bound to find correlations between posting IP addresses.
Nick, I truly did not deserve to be on your pedestal, anyway, so this has all been very constructive. It's important that we remember to laugh a little, especially at ourselves.

The funniest thing I've seen in a long time is the direct relationship between Symantec's stock price (SYMC) and the release of successful worms/virii... Antivirus software vendors may not be paying the authors of malware directly, but it sure looks like a good business to write and release malware in order to manipulate the market price of certain A/V vendors' stock. You gotta love the free market...

Sincerely,

Jason Coombs
jasonc () science org

-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Nick FitzGerald
Sent: Thursday, August 21, 2003 3:45 AM
To: full-disclosure () lists netsys com
Subject: RE: [inbox] Re: Fwd: Re: [Full-disclosure] Administrivia: Binary Executables w/o Source

"Jason Coombs" <jasonc () science org>, whose input is usually intelligent, considered and well-reasoned, chose to fall from his pedestal thus:

...

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
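As an added example that is not part of this thread, here is the correlation Thor suggests and Jason performs by hand above, written in Python: recover the client IP from the first-hop Received: header of each message, then match the origin IPs of the worm mails against those of genuine posts. The headers, hosts and addresses are constructed samples modelled on the chains quoted above, and the innermost Received: line is only as trustworthy as the server that wrote it.

```python
import email
from email.utils import parseaddr
import re
from collections import defaultdict

# Each MTA prepends its own Received: line, so the LAST one in the block is the
# first hop. Only lines written by MTAs you trust are reliable; the innermost is
# the easiest for a sender to forge, so stop at your own server's upstream.
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def origin_ip(raw):
    """Client IP recorded by the first-hop Received: line of a raw message, or None."""
    received = email.message_from_string(raw).get_all("Received") or []
    m = IP_RE.search(received[-1]) if received else None
    return m.group(1) if m else None

def poster(raw):
    """Address in the From: header (meaningful only for genuine posts)."""
    return parseaddr(email.message_from_string(raw)["From"] or "")[1] or None

def correlate(normal_posts, worm_mails):
    """Map each origin IP seen in worm mail to the poster addresses seen from it."""
    posters = defaultdict(set)
    for raw in normal_posts:
        ip, addr = origin_ip(raw), poster(raw)
        if ip and addr:
            posters[ip].add(addr)
    # Worm mail carries a forged From:, so only its Received chain is consulted.
    worm_ips = {origin_ip(raw) for raw in worm_mails}
    return {ip: sorted(posters[ip]) for ip in sorted(posters) if ip in worm_ips}

# Constructed sample headers modelled on the chains quoted above (not real mail).
NORMAL_POSTS = [
    "From: alice <alice@example.org>\n"
    "Received: from smtp04.example.net [192.0.2.10] by list.example.com with SMTP\n"
    "Received: from dialup-198-51-100-7.example.net (HELO win2kdev)\n"
    "\t(198.51.100.7) by smtp04.example.net with SMTP; 20 Aug 2003 19:19:08 -0000\n",
    "From: Bob <bob@example.co.nz>\n"
    "Received: from smtp2.example.co.nz [203.0.113.27] by list.example.com\n"
    "Received: from mobilebob (dialup.example.co.nz [203.0.113.116]) by smtp2.example.co.nz\n",
]
WORM_MAILS = [
    "From: \"Spoofed\" <spoof@example.com>\n"
    "Received: from smtp04.example.net [192.0.2.10] by list.example.com\n"
    "Received: from WIN2KDEV (198.51.100.7) by smtp04.example.net with SMTP\n",
    "From: someone@example.com\n"
    "Received: from mx.example.com [192.0.2.99] by list.example.com\n"
    "Received: from unknown (203.0.113.250) by mx.example.com\n",
]
```

Run against a real list archive, the output names the subscribers whose dial-up addresses also appear as the first hop of worm mail, which is the "who not to trust to operate a computer" list, without relying on the worm's forged From: line.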