log
78 entries in 0.56s
mircea_popescu: asciilifeform, it's the obvious vuln
asciilifeform: re 'professionals', i can also picture 'you wrote it like a vuln reveal, but this is not a vuln, this is our masters getting jus primae noctis with our raw starfishes like god intended' irritation
asciilifeform: how the fuck is this a vuln tho
asciilifeform: douchebag: you did ~only~ the minimal interpretation of what was asked. like a schoolboy. instead of, e.g., annotating this list with 'is this an actual vuln in actual physical trb'
a111: Logged on 2018-05-14 13:30 asciilifeform: ^ pretty lulzy prehistory -- usg is burning the vuln in the most traditional way, complete with 'responsible disclosure'ism and a boeck-style 'researcher' ; nao spinning in every propaganda organ in unison as 'pgp broken!'
BingoBoingo: <asciilifeform> ^ pretty lulzy prehistory -- usg is burning the vuln in the most traditional way, complete with 'responsible disclosure'ism and a boeck-style 'researcher' ; nao spinning in every propaganda organ in unison as 'pgp broken!' << Apparently @hanno has a take on this too that sums to the rest of the party line "who could be using this with hygeine?"
asciilifeform: ^ pretty lulzy prehistory -- usg is burning the vuln in the most traditional way, complete with 'responsible disclosure'ism and a boeck-style 'researcher' ; nao spinning in every propaganda organ in unison as 'pgp broken!'
zx2c4: found a vuln!
douchebag: Well they already patched my Subdomain Takeover vuln
douchebag: url -> url w/ js added in vuln parameter
asciilifeform: the philosophical puzzler of 'what is a vuln' probably cannot be answered from strictly 1side pov. consider the ultimate degenerate case, microshit, who produces more vulns every day than mircea_popescu spermatozoids , but not 1 of them dings it in any substantial way ( and many in fact are a profit )
asciilifeform: ben_vulpes: check this out, the 'vuln test' is... https://github.com/crocs-muni/roca/tree/master/roca/tests << spoiler: checks fp against enumerated badness
andreicon: or other vuln scanning utilities i've used
a111: Logged on 2017-06-28 00:18 Framedragger: btw maersk (some related ports) is down due to new "ransomware" (orange website says it's the same nsa "eternalblue" windows vuln)
Framedragger: btw maersk (some related ports) is down due to new "ransomware" (orange website says it's the same nsa "eternalblue" windows vuln)
asciilifeform: afaik vuln still not public...
asciilifeform: http://btcbase.org/log/2017-05-01#1650713 << again it makes 0 sense to say 'turns out, amt was vulnerable'. it IS A vuln, from day1☝︎
Framedragger: this one recent time, an actually decent outside person reported a fixable vuln in their craptography https://github.com/TokTok/c-toxcore/issues/426
asciilifeform: mircea_popescu: per the tards' internal logic -- 'we burned the vuln -- we own the tendrils'
a111: Logged on 2017-04-13 11:50 Framedragger: ohno wait this is something else.. i was planning to link https://nvd.nist.gov/vuln/detail/CVE-2016-10229
Framedragger: ohno wait this is something else.. i was planning to link https://nvd.nist.gov/vuln/detail/CVE-2016-10229
Framedragger: how do you amplify udp? i guess application-layer-specific stuff like bittorrent's uTP (which has some amplification vuln shit iirc), etc.; also, dns
asciilifeform: ben_vulpes: i dun even grasp how this is a vuln, it isn't as if 802.11 has rsa-authenticated endpoints to begin with
asciilifeform: (the fact that the original victim could, normally, relay his original faster than a typical plagiarist could hash, is immaterial, it is still a potential vuln)
asciilifeform: trinque: example concerned x86 vuln finder/exploiter firms
asciilifeform: i will add that i have not succeeded in turning up any public record of what the vuln actually ~was~
asciilifeform: in other nyooz, http://www.theregister.co.uk/2016/07/04/lenovo_scrambling_to_get_a_fix_for_bios_vuln
mircea_popescu: well meanwhile google only shows trilema for any hannob/pgpmoduli search i do ; and i dunno how to derive an actual location from that url. when was the vuln moduli .txt published ?
punkman: did the power rangers ever find a remote code execution vuln?
gribble: CVE-2015-3641 - Common Vulnerabilities and Exposures - The ...: <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3641>; [bitcoin-dev] Upcoming DOS vulnerability announcements for Bitcoin ...: <https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2015-June/009135.html>; CVE-2014-3641 - NVD - Detail: <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3641>
assbot: Logged on 16-11-2015 21:04:39; pete_dushenski: in other news, https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8126#VulnChangeHistoryDiv
pete_dushenski: in other news, https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8126#VulnChangeHistoryDiv
jurov: and saying that vuln in truecrypt management utility makes whole thing "fatally flawed to an unusable extent" is...
mats: asciilifeform: grsec, afaik, has had _exactly one_ publicly disclosed vuln, to my knowledge
asciilifeform: (alternatively, vuln is kept alive for some nth-generation revised variant that never lost contact)
asciilifeform: a simple calculation shows that - unless one is extraordinarily lucky - the effort which goes into finding a typical vuln, vs the typical 'bug bounty' offered by, e.g., microshit, works out to approximately u.s. minimum wage.
asciilifeform: (ring0 code can still trigger smi by writing particular vendor-specific magic to the southbridge, but this is in no sense a vuln)
mats: https://android.googlesource.com/platform/frameworks/av/+/master/media/libstagefright/MPEG4Extractor.cpp exercise for a bored reader: spot the vuln in parse3GPPMetaData().
asciilifeform: jurov: flood is not the only known past ntp vuln
asciilifeform: it's the one ~protocol~ vuln, yes
ascii_field: i'm half-certain that last one actually removes a vuln
ascii_field: in other news, https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3459
mats: Fun fact: Media companies (or contractors thereof) are doing vuln research on media players in order to plant bug-triggering media files on warez sites.
asciilifeform: in past 24 hrs, only some spew from a diffbot, and a query from a n00b re: 'ghost' vuln.
ascii_field: mircea_popescu: there are quite likely more women in the deep-water oceanic oil prospecting industry than in vuln digging
ascii_field: http://arstechnica.com/security/2015/04/dell-support-software-gets-flagged-by-antivirus-program << the vuln is a few weeks old but this is lulzy
ascii_modem: ssl vuln << yes; check log
mircea_popescu: trinque some ubuntu vuln reported or something ?
mircea_popescu: BingoBoingo apparently c diff is particularly vuln
mircea_popescu: someone refresh me on what exactly that vuln was anyway ?
kakobrekla: was there a new ssh vuln found past 24hrs?
kakobrekla: 360 vuln nodes ? lol
mircea_popescu: bounce you mayhap have a point. iirc this vuln was writing past the end tag and adding a 2nd spurious end tag.
PinkPosixPXE: Good, almost done, I had to jump in a work meeting to discuss the Bash Shellshock vuln, and repatching some systems.. But I gave BingoBoingo an update, and will be sending it off shortly. It's my first shot at this, so I hope it's not too egregious.
thickasthieves: wait, Ripple has a vuln? lololol
pentestr: bounce: nah, that'll just give you the vuln to fix.. i'll just hack it, he gave me perms after all.
xmj: kuzetsa: did you secure your systems against the vuln in nss too?
mike_c: yes, that checks if bash is vuln.
b00lcrap: some vuln dev
b00lcrap: i do windows malware / vuln dev mostly
Mats_cd03: http://www.zdziarski.com/blog/wp-content/uploads/2014/07/iOS_Backdoors_Attack_Points_Surveillance_Mechanisms.pdf re: iOS vuln posted by benkay
mircea_popescu: this may actually be a vuln lol.
asciilifeform: it is quite impossible to sell a vuln this way. other than to suckers, of course.
mircea_popescu: kakobrekla don't fix the down vuln thing it's splendid
tg2: I don't think there has been a root vuln on nginx in a while
C01DA51CE: is vuln
mircea_popescu: you mean last year's chrome vuln ?
mircea_popescu: so it'd seem bitcointalk has a xss vuln in the trust rating system, because mpoe-pr just managed to spam trust three times by simply refreshing the page.
nubbins`: i reported a gaping CSRF vuln on havelock last year
TradeFortress: took me 5 seconds to find vuln in havelockinvestments.com :P
Diablo-D3: I think they fixed that vuln
bgupta: ThickAsThieves: Litecoin has same vuln.
deadweasel: could i go up to ASS and offer up a vuln?
mircea_popescu: critical vuln in old version or something ?
gesell: alright, important question... where are some ruby based exchanges... gonna go get me some bitcoin https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0333
iz: so far they have released 2 different "patches" that "fix" the same vuln, but not really
mircea_popescu: how often something is used also matters, simple reported vuln count by itself is meaningless.
rg: and your site is vuln to exploit