[Full-Disclosure] RE: Isecom.org ideahamster.org and the hackerhighschool.org

your_momma_at_hushmail.com
Date: 12/02/04

  • Next message: Jason Coombs: "Re: [Full-Disclosure] If Lycos can attack spammer sites, can we all start doing it?" 
    To: full-disclosure@lists.netsys.com
Date: Thu,  2 Dec 2004 09:34:41 -0800

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    (fast note.. written in 2 minutes with a notepad.. )

     What the hell.. finally I understood!!! I know why you attempt to
    defend isecom, all your security-lies-based-easy-money-bussines
    belongs
    to Pete ;)

     I've got somethings to tell you robert.. about a million things..
    now
    i have to express myself 'monosilabicaly' enough for you to
    understand
    them all.

     You, Robert.. don't buster!

    > "While this may be CEH compliant.. it is not OSSTMM compliant
    :)."

     It was compliant with our own compliant methodologies.. and our
    methodology, like YOURS, is a mess.. little *** to sell your
    customers,
    all standard based (I have some more standards if you want to
    include them).
    YOUR methodology SHOULD be an *** if you plain to comply all
    the
    standars you include into, as some of them are oppossite.. better
    stop googling
    looking for more standars to include and start doing security.

    > Also it's a total fabrication of what you actually did. You
    actually exploited
    > a PHP problem in the forums. Some of your humor would be funny
    and even appreciated
    > if you had enough Ethics to be honest. I guess you can't even
    qualify as a CEH.
    > Oh well, maybe you could study up and pass the CISSP.

     Well.. as you said.. We actually "exploited" a php problem in the
    forums.. A WELL KNOWN
    problem. It's isecom-ideahamster-hhs fault to not update or fix
    this problem? Let's
    call it NEGLIGENCE.. here it's the name for that reason.. and for
    you.. if you
    blame NEGLIGENCE is correct.. them let us call you dumb buster too,
    blame!

     Humor is a part of our lifes, as ethics.. We can afford someone
    breaking us, could you?

     By the way, don't base all your skills in qualifying.. you'll get
    stucked. that's it,
    stop qualifying and start doing more security.

    > Hehe .. wouldn't it be fun if we all could just make believe that
    things
    > really happened? It certainly would be a lot easier that way.

     Intelligent humor needs intelligent people to understand it.

     If you consider local exploits as dificult as you point.. stop
    considering and
    start doing security, money-monkey.

    > Pedro, you know, with all of that desire with the right
    mentoring, you may
    > even become useful someday. Until you can learn to be honest
    about your
    > findings however, I suggest staying out of the lime light.

     Who do you think you are to educate? Is that what you've learnt at
    isecom?
    talk talk and talk? stop talking and start doing security, savvy.

     It was fun to pwn isecom stuff. It was not fun talk to you.. It's
    like
    talking to my mother, but my mother had sexual relations.. did you?

     And now that you mention..

     I was suprised when I saw your domain.. first (osstm compliant)
    with the
    whois.. Now I'm confussed.. Am I talking with dyadsecurity's CTO or
    am i
    talking to dyadsecurity system administrator? Don't you have
    qualified
    people to register your domain and you have to do all by yourselfs?

     Now, I don't want to see more.. but I can't.. Just get a round..
    google
    results are filled with your name.. conferences, forums.. tons of
    places
    where we have to read your stupidity (later you'll see). Stop
    writting and
    start doing some security!

     All your bussines is based on isecom, even one of your latest
    conferences..
    didn't you have your own methodology? All your bussines is based in
    isecom's
    ***. It's easy to understand why YOU and not Pete answered
    previous email.
    From qualifying through services.. all your bussines is Isecomed!
    then, GO TO HELL WITH PETE!

     You can check my IP address in the downloads and start DDoSing
    me.. read
    osstm DoS test carefully to acomplish your mission, doggie. I
    downloaded your
    *** just to see what did you offer to the world.. wtf.. doogie..

    Unicornscan 0.4.2
    Alicorn (php web interface)

     Simple review of alicorn code..

     Line 51 of htdocs/scan_data/scan_info.php

         switch ($_GET["_action"]) {
             case "delete_confirm":
                  delete_scan((int)$_GET["_scan_id"]);
                  print "Scan ID: ".(int)$_GET["_scan_id"]." has been
    successfully deleted.";
                  print "<br/><a href=\"./scan_info.php\"
    target=\"body\"><- back</a>\n";
                  break;
             case "delete":
                  $scan = new scanclass;
                  print "<a
    href=\"scan_info.php?_scan_id=".(int)$_GET["_scan_id"]."&amp;_action
    =delete_confirm\">Yes, I am sure I want to ...
    51: $scan = $scan->db2scan($_GET["_scan_id"]); <-------
    - ---------
                  $scan[0]->print_scan_info();
                  // yes, this is intended behavior
             case "details":

    uooooooooooooo is it a $_GET from http request withouth any
    filter?? it must be an error...
    look for $scan->db2scan() to see what happends....

     Line 59 of unicorn-lib/scanclass.php

           function db2scan($val = null)
            {
                    dprint("Entering db2scan...");
                    global $db;
    59: $query = "select * from
    scan".echo_on_set($val,null," where scan_id = ".$val);

     Line 96 of unicorn-lib/defines.php

    function echo_on_set($dat, $ret1, $ret2="", $val="")
    {
            if ($dat == $val) return $ret1;
            return $ret2;
    }

     GOOBLES GOOBLES GOOBLES!!!!

     select * from scan where scan_id = $val;

     ROBUST RELIABLE USERFRIENDLY MOTHERFUCKER 0day WAREZ!!!!

     is that,, (IMHO) an sql injection flaw on a SECURITY SOFTWARE YOU
    RELEASED?

     You dumb doggie.. is that isecom compliant? didn't you do reviews
    of code?
    oh, wait a minute.. It's not true.. Is this the security you sell?
    Are
    your customers reading this now? wtf.. doggie..

     I downloaded a copy of unicorscan to check also.. But I readed the
    README's and
    saw this:

     .....
     SPECIAL NOTE:
          if you have a development release, be carefull, there could
    be `security issues'
          with it. no joke, i make mistakes often,
     .......

       Blah blah blah.. excuses.. excuses and excuses..

     .......
         we audit the code at release cycles, not before and not after
    them. if you
         truely want security, please use selinux, BUT YOU MUST REVIEW
    the policy and
         your system configuration as it applies to YOU.
     .......

     SO, IT SEEMS YOU DON'T UNDERSTAND SECURITY, NEITHER SECURE
    DEVELOPMENT and all
     that you could offer us is "if you truely want security, please
    use selinux"????
     Dumb PETE
    DOGGIE!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

     As you metion in the readmes code is messy and there's a lot of
    *** there : that works!
     HOLY ***! Are these your programming skills? didn't you qualify?

    ......
            tcp `connection' code:
                    there is alot to say here. for us (on linux) it
    works almost in a usable form HOWEVER it fails sometimes to connect
                    because there is code missing, and the api and code
    is not well thought out.
    ........

     XDDDDDDDD

    .......
            clustering mode:
                    it works for us, neener neener. but we have real
    code, you dont. sorry about that.
    .......

    .......
    what is due to be fixed cause we think it sucks:
            the configuration parser:
                    its a small wonder it works, and it getting
    replaced with a real implementation.
            the database interface:
                    no comment. it does work however (with the database
    type we like and if you read things)
    ........

       "is does work however?"
    XDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

     And now the final ***.. ALL YOUR CUSTOMERS WOULD LIKE TO READ
    STUFF:

    .........
      The doCumenTaion:
            what can we say here. it sucks. the API for modules also is
    messy. obviously we have to fix that before we can write
    documentation
            about it, otherwise we would be wasting my time (for
    example).
    .........

     INCREDIBLE!!!!!!!!!!!!!!!!

     Please, Pete, keep your doggies safe, stop them to open their
    mouths and
    try to say something that sounds really what people want to know.

    It's: You will retire soon!!

     You talk about ethics and disclosed names, companies and all..

     You talk about ethics and denied broken boxes..

     So you want war.. you'll have war.

     a little retard, you know.. another script kiddie that broke
    isecom b0x.

     Ah, a little reminder.. call us script kiddies doesn't tell much
    about your security
    skills.. as we did exploit that php ;)

    In reply to:

    robert@dyadsecurity.com robert@dyadsecurity.com
    Tue, 30 Nov 2004 15:24:22 -0800

    Previous message: [Full-Disclosure] makelovenotspam website defaced

    Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    - --------------------------------------------------------------------
    - ------------

    While this may be CEH compliant.. it is not OSSTMM compliant :).

    Also it's a total fabrication of what you actually did. You
    actually exploited a PHP problem in the forums. Some of your humor
    would be funny and even appreciated if you had enough Ethics to be
    honest. I guess you can't even qualify as a CEH. Oh well, maybe
    you could study up and pass the CISSP.

    > tar xvzf freebsdlocal0day-donotdistributed-suppliedby-
    divineint.tgz
    > make freebsdlocal0day-donotdistributed-suppliedby-divineint
    > uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys),
    4(tty), 5(operator), 20(staff), 31(guest)

    Hehe .. wouldn't it be fun if we all could just make believe that
    things really happened? It certainly would be a lot easier that
    way.

    Pedro, you know, with all of that desire with the right mentoring,
    you may even become useful someday. Until you can learn to be
    honest about your findings however, I suggest staying out of the
    lime light.

    Robert

    - --
    Robert E. Lee
    CTO, Dyad Security, Inc.
    W - http://www.dyadsecurity.com
    E - robert@dyadsecurity.com
    M - (949) 394-2033

    -----BEGIN PGP SIGNATURE-----
    Note: This signature can be verified at https://www.hushtools.com/verify
    Version: Hush 2.4

    wkYEARECAAYFAkGvUjYACgkQhzkSqM0TRRQFcwCfUPuM1GZTDewIPZH8oU0MuoTVe/UA
    oJsaweBuPSuDw7/QR05F6Hd5xOgs
    =lPaw
    -----END PGP SIGNATURE-----

    Concerned about your privacy? Follow this link to get
    secure FREE email: http://www.hushmail.com/?l=2

    Free, ultra-private instant messaging with Hush Messenger
    http://www.hushmail.com/services-messenger?l=434

    Promote security and make money with the Hushmail Affiliate Program:
    http://www.hushmail.com/about-affiliate?l=427

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

  • Next message: Jason Coombs: "Re: [Full-Disclosure] If Lycos can attack spammer sites, can we all start doing it?"