From jericho at attrition.org Mon Jan 4 20:17:55 2010
From: jericho at attrition.org (security curmudgeon)
Date: Mon, 4 Jan 2010 20:17:55 +0000 (UTC)
Subject: [attrition] DataLossDB Winter Fundraiser

[DatalossDB started out as an Attrition.org 'errata' project, and re-homed to OSF a while back. - jericho]

---------- Forwarded message ----------
From: David Shettler

Good morning all.

The Open Security Foundation is pleased to announce that we're kicking off our first public fundraiser. The goal is to raise $9500 this quarter. The funds will go to supporting development of the site over the next few months, as well as ongoing maintenance, Freedom of Information Act requests, and other ongoing costs.

We support Paypal (which accepts all major credit cards) for one-time and recurring donations. We'd love to see recurring donations. A gift of $10/month (or even $5 a month) can go a long way!

Please help us reach our goal and help us continue to build and enhance the project. You can donate via the link below, and also read about where your support dollars go.

http://opensecurityfoundation.org/projects/2-DATALOSSDB

All donations are made to the Open Security Foundation, a 501(c)(3) organization. Donations are tax-deductible.

We also have a similar campaign going for our sister project, the Open Source Vulnerability Database (OSVDB):

http://opensecurityfoundation.org/projects/1-OSVDB

As always, thank you for your support,

The Open Security Foundation Team


From jericho at attrition.org Tue Jan 5 06:00:10 2010
From: jericho at attrition.org (security curmudgeon)
Date: Tue, 5 Jan 2010 06:00:10 +0000 (UTC)
Subject: [attrition] Challenge: OSVDB Winter 2010 Fundraising Goal

http://blog.osvdb.org/2010/01/04/challenge-osvdb-winter-2010-fundraising-goal

CHALLENGE: OSVDB WINTER 2010 FUNDRAISING GOAL

OSVDB has just announced its Winter 2010 Fundraising Goal, which currently hopes to raise $9,000 before April 1, 2010.

Looking back over the last couple of years of advances in the project, it's easy to see not only how the project has evolved, but also how operational costs have increased to cover software development, content development, server hosting costs, and other assorted expenses to help keep OSVDB interesting, timely, and functional.

On average, OSVDB has promoted 10,000 to 12,000 vulnerabilities per year for the last few years. Breaking that down to about 1,000 per month, the vulnerabilities in the database are gathered from a variety of sources, such as CVE, Secunia and various vendor changelogs and advisories. Keeping up a pace of about 1,000 newly listed vulnerabilities per month hasn't always been easy... but it's about to get interesting.

I recently resigned my position as Chief Communications Officer with Open Security Foundation to focus more on the "content" aspect of OSVDB and DataLossDB. The extra time gained from giving up administrative duties will hopefully help the sites keep content fresh and accurate. Jericho, CJI, and I are going to keep working on new vulnerabilities as we can and keep the ball rolling.

With that said, I'm issuing a challenge: For every new vulnerability issued an OSVDB ID from January 1, 2010 through April 1, 2010, I will donate $0.50 (fiddy cents) of my own money to the OSVDB fundraiser. I challenge anyone who feels that OSVDB is a valuable resource to the security community to match my donation.

To make a few points clear:

1. I am no longer an OSF officer. My donation comes out of my own pocket, not the OSF coffers, and I will accept no compensation from OSF for this offer. If I have to sell a kidney, I hear you only need one anyway.

2. Since Jericho, CJI, and I are the ones who generally push new vulnerabilities to "live" status, there will be no slacking to save my bank account. If anything, I'll be more motivated to push the potential donations higher and they'll be motivated to watch me suffer on April 2. That's how we roll.

3. At an average of 1,000 vulnerabilities a month, over three months I expect to donate $1,500. It may be less, it may be more. There will be a maximum cap of $2,500 donated by myself and anyone who matches it. If we can push 5,000 vulns in three months, something is either very wrong or very great. YMMV.

4. If five other people and/or groups take me up on the challenge and we meet our average, OSF will meet its goal. We still hope everyone else will contribute not only time but *effort* to help the project.

5. This is not a gimmick. It's not smoke and mirrors. You can see what OSVDB pushes on a daily basis on our Twitter page and on our contributors page. We will push all legitimate vulnerabilities just as we have been doing for years. If we're slow for a few days, don't worry. We'll catch up.

So, that's the challenge. If anyone wants to play and match my offer, please contact us at moderators[at]osvdb.org.

I'm going back to work now.


From lyger at attrition.org Sun Jan 10 22:20:32 2010
From: lyger at attrition.org (lyger)
Date: Sun, 10 Jan 2010 22:20:32 +0000 (UTC)
Subject: [attrition] postal: i'm the only sour cherry on the fruit stand

http://attrition.org/postal/p0020.html

quality control
he asked the wrong people
they call it FANTASY football for a reason
has his priorities straight
holiday greetz
shining spandex
ketamine and alcohol
BALLZ
retarded ninjas
happy ending

[...]


From lyger at attrition.org Mon Jan 11 03:34:43 2010
From: lyger at attrition.org (lyger)
Date: Mon, 11 Jan 2010 03:34:43 +0000 (UTC)
Subject: [attrition] last chance: attrition.org flasks on Ebay

yes, they're still available, but they will probably not be up again for auction any time soon, if ever.

http://attrition.org/news/content/flask.html
http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=260522888618

Limited edition attrition.org "Lazlo" the squirrel drinking flask.

Lazlo is the new official mascot for attrition.org, and graces the side of our flasks. See the site for details and history of this glorious creature. Flask is stainless steel with the design laser etched.

Item sales are final. Shipping to the US only. Paypal only. Lazlo says so.

10% of the final sale price will support ASPCA: American Society for the Prevention of Cruelty to Animals.


From jericho at attrition.org Sun Jan 24 12:01:01 2010
From: jericho at attrition.org (security curmudgeon)
Date: Sun, 24 Jan 2010 12:01:01 +0000 (UTC)
Subject: [attrition] Nessus, Harmful?

SecurityFocus sometimes ignores my posts. Apparently they are not deemed 'helpful', despite a level of honesty most list members aren't used to. This post bounced as 'moderator did not act on..' (And Zaki did not reply either, what a jerk)

---------- Forwarded message ----------
From: security curmudgeon
To: Zaki Akhmad
Cc: pen-test at securityfocus.com
Date: Tue, 12 Jan 2010 09:53:13 +0000 (UTC)
Subject: Re: Nessus, Harmful?

really? and i say this in the context of many of the replies too. all these years in the industry, and we're actually discussing this question on such a basic level? what, is Google broken completely?

On Thu, 7 Jan 2010, Zaki Akhmad wrote:

: I want to do a nessus scanning, but before I'd like to know is it nessus
: scanning harmful? Because I don't want to make the server down.

yes. running Nessus will not only crash your network, it will sodomize your sigoth and throw plastic into the pacific ocean while voting for $political party and killing a baby kitten.

(oh don't fret, nmap will do much worse, just don't ask for permission or about your grandma's virtues)

is this really a serious question? any vulnerability scanner will do what first.. a port scan? what happens when you plug "port scan dos" in your favorite VDB?

http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=port+scan+dos

six results.. oh, but you don't like CVE?

http://webapp.iss.net/Search.do?keyword=port+scan+dos&searchType=vuln&doSearch.x=0&doSearch.y=0

lots of results.. oh, but you want a more powerful search and more vulnerabilities than any other VDB?

http://osvdb.org/search?search%5Bvuln_title%5D=port+scan+dos&search%5Btext_type%5D=titles

31 results for "port scan dos"

in case you didn't realize a vuln scanner does a port scan first, you of course knew they would do a vulnerability scan after.. right? so search that?

http://osvdb.org/search?search%5Bvuln_title%5D=vulnerability+scan+dos&search%5Btext_type%5D=titles

10 results

Cliff notes? YES... si.. oui.. ja.. Sim.. Ken.. jes.. hai.. ndiyo..

running ANY scanner (port or vulnerability) against a host has the chance to crash it. vendors that release crappy software continue to do so, and don't even run ./nmap or ./nessus against their software before selling it to customers for tens of thousands of dollars.

if you decide to run nmap against a host, there is a *chance* it will crash it.

if you run Nessus against a host, there is a *chance* it will crash it.

guess what.. if you run *ping* against (or on) the remote host, there is a chance you crash it:

http://osvdb.org/search?search%5Bvuln_title%5D=ping+dos&search%5Btext_type%5D=titles

seriously, how can anyone not understand this, or fail to find Google results for related topics? the fact that nessus actually gives you options to protect against DoS attacks by not scanning a) printers b) Novell hosts and finally, disabling DoS attacks or only running "SAFE CHECKS" <- wow... something about that configuration option stands out.

and hey, that is the *friendly* GUI based options, because nmap assumes the user has SOME clue about security tools i think. if not, i officially request Fyodor add a --i_cant_google and --please_dont_crash_host options to nmap in the next version that are default, and must be overridden by --my_first_time_running_nmap for the scan to actually happen.

- jericho

p.s. fyodor mugged me for my wallet, true story
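The practical takeaway from the thread above is that no scanner is "safe" in the abstract, so the controls are on the operator's side: keep the device classes with a track record of falling over (printers, Novell hosts, and similar) out of scope, and throttle what you do send. The script below is an added example, my own code rather than anything from jericho, Nessus or Nmap; the inventory, the fragile-host keyword list, and the CIDR exclusions are constructed assumptions. The nmap options it emits (`-T2`, `--max-rate`, `--max-retries`, `--script safe`, `--exclude`) are documented nmap options; the Nessus "safe checks" setting the post mentions is a scanner-side setting and is not modeled here.

```python
# Added example (not from the original thread): a pre-scan gate that keeps
# historically fragile hosts out of a port/vulnerability scan and builds a
# throttled nmap command line. The inventory, keyword list and exclusion
# ranges are constructed for illustration.
import ipaddress

# Constructed sample inventory: (address, free-text description) pairs.
SAMPLE_INVENTORY = [
    ("10.0.1.10", "web-01 linux"),
    ("10.0.1.20", "HP LaserJet printer, 3rd floor"),
    ("10.0.1.30", "Novell NetWare file server"),
    ("10.0.2.5", "PLC line-3 controller"),
    ("10.0.2.6", "db-02 linux"),
    ("10.0.3.7", "ups-mgmt card"),
]

# Description keywords for device classes that scanners have a record of
# knocking over (assumed list; extend it from your own incident notes).
FRAGILE_KEYWORDS = ("printer", "laserjet", "novell", "netware", "plc", "ups")


def is_fragile(description):
    """True if the description names a device class we refuse to scan by default."""
    text = description.lower()
    return any(word in text for word in FRAGILE_KEYWORDS)


def partition(inventory, extra_excludes=()):
    """Split inventory into (targets, excluded).

    extra_excludes may hold single addresses or CIDR networks; any inventory
    address inside one of them is excluded in addition to keyword matches.
    """
    nets = [ipaddress.ip_network(x, strict=False) for x in extra_excludes]
    targets, excluded = [], []
    for addr, desc in inventory:
        ip = ipaddress.ip_address(addr)
        if is_fragile(desc) or any(ip in n for n in nets):
            excluded.append(addr)
        else:
            targets.append(addr)
    return targets, excluded


def build_nmap_argv(targets, excluded, max_rate=50):
    """Return an nmap argv list built only from documented nmap options.

    -T2 and --max-rate throttle probe rate, --max-retries bounds
    retransmits, --script safe limits NSE to the 'safe' category, and
    --exclude is passed even though excluded hosts are not in targets, so a
    later edit that widens targets to a whole range still skips them.
    """
    argv = ["nmap", "-T2", "--max-rate", str(max_rate), "--max-retries", "2",
            "--script", "safe"]
    if excluded:
        argv += ["--exclude", ",".join(excluded)]
    return argv + list(targets)


if __name__ == "__main__":
    t, x = partition(SAMPLE_INVENTORY, extra_excludes=["10.0.2.0/24"])
    print("excluded:", x)
    print(" ".join(build_nmap_argv(t, x)))
```

Run it against a real inventory export and review the excluded list before anything is sent; the point of the gate is that a host reaches the scanner only after someone has decided it should.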