Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security FullDisclosure
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-Disclosure] Re: systrace silently patches full local bypass vulner

from [marius aamodt eriksen] Network Security [Permanent Link]
Subject: [Full-Disclosure] Re: systrace silently patches full local bypass vulnerability on Linux
Date: Tue, 30 Mar 2004 13:14:41 -0500 
what's up with brad spengler?

brad has told me in person that he would not do security commercially
since he believed that would change the motivation for doing security
work; that it would become competitive, and thus "unpure."  brad -
what is your motivation now?

do you consider systrace a competitor now?  why are your motivations
now seemingly not pure?

as a member of the PHC, brad is credited with contributing to text
such as

   --[ 3.1.1 PHC-switch-a-w00

   This is an idea spawned off many, many hours of television from
   warez mullah. He suggested that you create a fake identity by
   creating a paper trail to your whitehat or w00w00 member because
   they make so much money for selling out. I suggest using someone
   like Dug Song because I'm sure Arbornet pays him pretty well for
   writing _shit_. Although I hear Niels Provos author of systrace
   (most useless and bug ridden security tool EVER) is now employed at
   Google. I would basically rely on using their credit card
   information to fund your jihad. So when the police go and track
   down serial numbers and shit like that. Their cc# connects to the
   shit you bought. Great for buying illegal hardware to store images
   monkey.org's user accounts! 

as you can see, brad uses his awesome interpersonal skills to make
friends with respected members of the computer security community.
people who have made real contributions, both academic and in
important software.

brad, isn't it funny we all presented projects, side-by-side, and had
fruitful discussions about computer security?  what happened?

   http://lsm.abul.org/program/topic02/topic02.php3

this attitude of yours seems to be consistent,

   http://www.monkey.org/openbsd/archive/misc/0304/msg01399.html

and even through artistic expression

   http://www.grsecurity.net/~spender/dsc18910.jpg

archived at

   http://monkey.org/~marius/tmp/spender-art-dsc18910.jpg

in case he changes it.

so brad -- what's up?

and for the record -- the reason i did not make a big fuss about the
ptrace issue is that in order to actually escape systrace protection
with this, the user would have to ehtier ptrace the process themselves
and/or explicitly allow sys_ptrace in the respective policy/ies.

marius.

-- 
marius a eriksen <marius@umich.edu> | http://www.citi.umich.edu/u/marius/
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Full-Disclosure] R7-0017: TCPDUMP ISAKMP payload handling denial-of-service vulnerabilities, advisory
Next by Date:  RE: [Full-Disclosure] RE: new internet explorer exploit (was new worm), Drew Copley
Previous by Thread:  [Full-Disclosure] Re: systrace silently patches full local bypass vulnerability on Linux, KurruPt - FiLe
Next by Thread:  [Full-Disclosure] Re: Status, m . mohr
Indexes:  [Date] [Thread] [Top] [All Lists]