Re: [Full-disclosure] Yahoo recommends you write down account information
- From: n3td3v <n3td3v@xxxxxxxxx>
- Date: Sat, 18 Mar 2006 04:06:58 +0000
Like I marked up earlier in this thread, it's not about how an account would
be compromised. It was PHUN pointed at peoples I REGULARLY post to off list
on a politically incorrect stance of having different wordings between Yahoo
teams.
The highlight of the thread is that once again I've proved Yahoo does not
co-ordinate, as I have ranted about on the n3td3v blog before I killed off
the trend of blogging.
Politically, a security team hates for the outside world to know they aren't
co-ordinated. The same goes for the number and skill level of incident
response staff they have on stand-by at certain times of year.
However, if you want to get into the criminal element of how paperwork is
obtained. It's often caught at refuge sites at dot coms. In the same way
fraud is carried out to obtain credit card info via receipts.
And you can bet Yahoo Inc have no CCTV at their refuge areas, in the same
way they don't take the threat of folks following folks home to break into
homes and steal hardware, in the same way they don't check for folks
standing outside Sunnyvale for peoples looking for insecure wireless
connections, and in the same way they don't take the threat from rogue
employees feeding out information from within to third party groups who are
offering them money.
Many folks in the industry separate CRIMINALS, from cyber threats (ie:
hackers), although both are the same. You need to be tripping if you think
someone behind a computer wouldn't raid a corporate refuge area, to later go
back to a computer to compromise an account.
In the same way it's trippy to think there's not Yahoo employees harvesting
paperwork information for third parties.
It's time for the industry to wake up to the fact that "cross criminality"
exists in computer crimes, and stop thinking say, phishing is equal to
criminals, while exploit code is equal to hackers.
On 3/18/06, MR BABS <mrbabs@xxxxxxxxx> wrote:
I did read them, and this again enforces my point, you guys are just
trolls.
Nobody takes you guys seriously.
Provide me with a legitimate situation, in which a 'bad guy' has access to
physically printed out documents, and the mailbox of the user, where he
could not simply either install a keylogger, sniff the passwords off the
network, or get them from the system.
The truth is, Yahoo uses this as a way to prevent annoyance. I'd suspect
if they DIDN'T ask for this information n3td3v would be on here claiming
that it was a DoS vulnerability or some comparable bull***.
Anyways, great troll, but this is an old meme, so let's keep moving the
FDRUIN forward, shall we?
On 3/17/06, n3td3v <n3td3v@xxxxxxxxx> wrote:
Didn't you read this http://groups.google.com/group/n3td3v/browse_thread/thread/c18d3cb3267fc4a0/0e1a4176301c25c8#0e1a4176301c25c8
before you carried out your own sector of trolling?
Please keep politically correct on FD, otherwise, the CERT folks might
get worried :P
On 3/18/06, MR BABS <mrbabs@xxxxxxxxx> wrote:
WOW great troll n3td3v you are truly the greatest trolling
organization on the earth! I bet you and bantown are cooking up some schemes
right now!
On 3/16/06, bigdaddyzeroday@xxxxxxx <bigdaddyzeroday@xxxxxxx> wrote:
Do you blow everything out of proportion like this? How old must
you be to have this attitude?
On Thu, 16 Mar 2006 15:52:06 -0800 n3td3v group
<system_outage@xxxxxxxxx> wrote:
You're Yahoo's top security advisor, who I talk to every day off
the record, but you say PEOPLE LIE ABOUT INFORMATION THEY PUT ON
ONLINE FORMS?
I think you're missing the point. The account information YAHOO
ask users to print out is the ACTUAL information on the users
ACCOUNT table.
SURE, folks can type COMPLETE crap in their registration for
signing up to a Yahoo account, but whatever information is
submitted to the Yahoo account, it is the TRUE information that
would give access to that account.
SO, no matter the trend of users giving BOGUS information to
sign up for an account, the only people who would print out
information is people who would have submitted TRUE information.
Otherwise, why would they print out info they knew was bogus?
MARK, you're Yahoo's top security advisor, and I respect you off
the record, but coming on here trying to defend Yahoo's sec pros
for getting it totally wrong in their CONTRADICTION between sites
is totally wrong.
Yahoo said the wording "DONT WRITE DOWN YOUR PASSWORD" but on
the registration procedure it says "YAHOO RECOMMEND YOU WRITE
DOWN YOUR ACCOUNT INFORMATION"
YOU AS YAHOO SECURITY ADVISOR NEED TO ADMIT "YAHOO" AS A
CORPORATION GOT IT WRONG.
I speak to you every day off list, but going off on your own
crusade won't make the rest of the Yahoo security team like you
better.
SEE YOU OFF LIST SEIDEN.
Sorry to everyone else, this is part of an off list argument
that Yahoo's top advisor can't get a grip of.
(How did you become Yahoo's top security advisor? :P)
SEE YOU OFF LIST
Bye
mis@xxxxxxxxxx wrote:
a certain number of people lie about their birthdate and
zipcode, or
they forget just what they lied about, or move from place to
place and forgot where they lived when they registered,
and they don't have a working alternate email address.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/