Yet another FD flood.. but cool ASCII art

well, what happened:
1. they couldn’t spoof sunshine’s address.
2. they didn’t manage to do it right (a ‘.’ comes before ‘quit’, y’know).
3. they were mildly annoying with a silly spam.
4. they advertised sunshine’s lecture at defcon amazingly well.

as Sunshine said: “so… who’s coming to my lecture? ;)”

the other ascii art isn’t worth mentioning. just a swastika and “gay*”.

cool ascii art, stick to that guys. other than that, can you please read some smtp spoofing articles from the 1980’s?

oh yeah, and don’t expect emails to arrive at the other side in the order you send them, mkay? silly kiddies.

2005’s BlackHat books, got ’em?

There’s a rumour going around about Michael Lynn doing a book signing at this year’s defcon.

What will he be signing, you ask? Why, last year’s BlackHat books. Yes, the ones with the pages of his presentation torn out! :)
If the whispers are to be believed the income from this book signing would be donated to the EFF! Now, ain’t that cool?

In our opinion some of that money should go to cover Mike’s huge legal costs due to Ciscogate, but we are just rumour mongers! What do we know?

We wonder how much these would sell for on eBay, before and after? If they are sold now, their price is about to go up!

A Review of Headlines in Security

How do you tell that news in security has gone downhill? Well, if today is any indication, you tell when the headlines are: Microsoft Releases Flash Player Patch and TippingPoint Buys Vulnerability Information on its Own Code.

Here at SecuriTeam, we often read that vulnerability researchers provide free quality-assurance for vendors. Unless, of course, that vendor is Tipping Point. Yesterday’s ZDI disclosure avoided the “patch or run for the bunkers” theme of major vulnerabilities in widely-used software:

ZDI-06-013: 3Com TippingPoint SMS Server Information Disclosure Vulnerability

I don’t know about you, but if I have a choice between two IPS vendors with good products and one is willing to pay researchers who report even minor vulnerabilities in the code, I know where my money’s going.

One place your money probably didn’t go was on this:

MS06-020: Vulnerabilities in Macromedia Flash Player from Adobe Could Allow Remote Code Execution

Yes, that’s right folks, a Microsoft patch for Flash Player. I was checking my eyes, too. This patch, for many desktop users, will be the only significant one from May.

Why is everyone reading FD again?

After years of arguments about the validity of the Full-Disclosure mailing list, flame wars, endless kiddie arguments and trolling, there came the mail bombings.

People actually quit FD after that.

A year ago a friend told Ren the following: “I finally got promoted, now one of the new kids can read FD!”

This past week, that same friend said: “I love reading FD, for the funny stuff.”

Ren immediately asked: “You read n3td3v?”
Friend: “Yeah.”
Ren: “I figured.”
Friend: “Well, it’s like with Howard Stern, you just want to see what he’ll say next”.

Another friend of Ren quickly pointed out: “Such people are good for enjoyment, but tend to discourage productive work due to frequent, uncontrollable laughter.”

There you have it folks, n3td3v will now and forever be known as the very special person who saved FD.

Code Red: Opera Cannot Handle Insufficient Disk Space and the SecuriTeam vs. Sendmail armed conflict

You gotta love those hilarious security advisories:

Opera > 8.02 with torrent support can’t handle not enough space on drive

If your partition is full and u choose to save a torrent on this
partition opera will start using 100% of your cpu and memory and
eventually crash

Tested with opera 9 p 2

Our feeling on this is that if you’re out of disk space, the least of your problems is Opera utilizing 100% of your CPU!

By the way, while we’re on the subject of making a fool of yourself, we did our share of the ‘sky is falling’ bit, too. But we’re professionals (well, we’ve had practice) so at least we did it with some style: We followed up with Ido’s non-existent Sendmail memory leak which got Eric Allman all worked up and ended it with a pointy cartoon. Yeah! Finally a good fight. Hope it’ll last at least a month.

A final word to Ido: you’re new in the industry, aren’t you? Here, we don’t apologize for mistakes. We bury them in flamewars!

Full-Disclosure to be rated PG-13

earlier today a surprising announcement came from the new full-dicklosure moderators. according to the announcement titled “cheap pr0n, we believe in it!”, the well known cestpool spammers list full-disklosure is undergoing facial reconstruction following their synergy with senunia.
“the first step in implementing the new changes is by making sure advisories will be sent to subscribers at the very least, 200 times. then, to ensure delivery, we will send it 100 more times”. other enhancements as reported by the new moderator, kiddiescript. “the list was recently declared pg-13. we don’t have the word ‘fuck’ on our posts, so we were able to dodge the x rating. shit, i guess we lost that now”.
in response to kiddie’s appointment, the old moderation crew went to their local pub.

the renowned researcher dave aitel said to us in an interview: “what? who told them about my latest gay shit 0day overflow?! it was to be used in the next super secret nsa worm!”

many other self-proclaimed security researchers also showed their amazement with this revolution “how will we get our pr0n now?! well, at least i hope they will revive the old guillotine” said the microsn0t msrc director.

in a press conference this afternoon, gadi evron, another self-proclaimed “expert” said: “i thank the committee for choosing me as the best fd spammer for the year of 2006 but i cannot accept this reward, as i believe i can do even better by the year’s end!”

in shocking surprise (or was it a surprising shock?), the us army remote viewing and psy-ops division came out with the following prediction:
“in the following weeks, there will be several email threads dominating the mailing list, starting with “sunshine sucks”, going through “yeah, we already knew dave sucks” and ending with an extremely unexpected thread on the moderation of the mailing list. the corps is mother. the corps is father. trust the corps.”

and now for the “facts”:
massive mail bombing hit the full-disclosure mailing list this morning. joe jobbing many known security professionals and vendors such as ilja van sprundel, gadi evron and idefense labs, forging their email addresses to send fake advisories declaring vulnerabilities in isc bind, sourcefire snort, microsoft products, vmware, “immunity dave aitel” and other applications.

as one of our readers put it:
“i’ve been trying to unsubscribe all morning, the server must be over-loaded relaying spam!”

the mail bomb is done from one machine:

received: from www.c0replay.net (unknown [206.251.72.74])
by lists.grok.org.uk (postfix) with esmtp id 3bf512123
for ;
sun, 12 mar 2006 07:27:17 +0000 (gmt)

www.c0replay.net, according to another reader, has interesting open ports. the server however is “known” according to some to serve a kiddies group.
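
The "one machine" conclusion rests on the Received line stamped by the list server itself, not on the forged From addresses. The sketch below is an added example, not part of the original post: it groups messages by the client IP in the topmost hop written by the receiving MTA and flags relays that delivered mail under several identities. The host lists.example.org, the addresses, the IPs and the min_identities threshold are constructed placeholders, and only Postfix-style IPv4 hops are parsed.

```python
import re
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr

# Postfix-style hop: "from <helo> (<rdns> [<ipv4>]) by <host> ..."
RECEIVED_RE = re.compile(
    r"from\s+\S+\s+\([^\[\]]*\[(?P<ip>[0-9.]+)\]\)\s+by\s+(?P<by>\S+)", re.I)

def relay_ip(raw, trusted_by):
    """Client IP from the topmost hop stamped by our own MTA.

    MTAs prepend Received lines, so anything below that hop came with the
    message and may be forged, even if it names our host.
    """
    for hop in message_from_string(raw).get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(hop.split()))  # unfold the header
        if m and m.group("by").lower() == trusted_by:
            return m.group("ip")
    return None

def senders_by_relay(messages, trusted_by):
    """Map relay IP -> set of From addresses that arrived through it."""
    seen = defaultdict(set)
    for raw in messages:
        ip = relay_ip(raw, trusted_by)
        if ip:
            sender = message_from_string(raw).get("From", "")
            seen[ip].add(parseaddr(sender)[1].lower())
    return dict(seen)

def joe_job_relays(messages, trusted_by, min_identities=3):
    """Relays that delivered mail under many unrelated identities."""
    by_relay = senders_by_relay(messages, trusted_by)
    return sorted(ip for ip, who in by_relay.items() if len(who) >= min_identities)

def _msg(sender, ip, forged_hop=""):
    # Constructed sample; every host and address is a placeholder.
    return (f"Received: from www.flood.example (unknown [{ip}])\n"
            "\tby lists.example.org (Postfix) with ESMTP id ABC123;\n"
            "\tSun, 12 Mar 2006 07:27:17 +0000 (GMT)\n"
            f"{forged_hop}From: {sender}\nSubject: advisory\n\nbody\n")

FORGED = ("Received: from mail.vendor.example (mx [198.51.100.9])\n"
          "\tby lists.example.org (Postfix); Sun, 12 Mar 2006 07:00:00 +0000\n")
SAMPLES = [_msg("alice@vendor.example", "192.0.2.74", FORGED),
           _msg("bob@research.example", "192.0.2.74"),
           _msg("carol@labs.example", "192.0.2.74"),
           _msg("dave@home.example", "203.0.113.5")]

print(joe_job_relays(SAMPLES, "lists.example.org"))
```

The first sample carries a sender-supplied Received line that names the list server; because it sits below the genuine hop, it does not change the attributed relay.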

arin whois information:


(got anything to tell ren&stimpy? email us: rennstimpy@securiteam.com)