[Full-disclosure] sans handler gives out n3td3v e-mail to public
ihasshovel at gmail.com
Fri Mar 21 17:47:36 GMT 2008
For the love of everything sane, please seek medical attention, and grow up.
On Fri, Mar 21, 2008 at 8:00 AM, n3td3v <xploitable at gmail.com> wrote:
> [15:49] * Now talking in ##security
> [15:55] <worried> someone wants my attention
> [15:55] <njan> worried, best way to make them go away: Don't give it to
> [15:56] <worried> njan, query me their IP address
> [15:57] <njan> worried, sorry, we don't hand out that sort of information.
> [15:57] <sfirefinch> you fail
> [15:58] <worried> where there is a will there is a way
> [15:58] <worried> i don't need your help ;)
> [15:58] <sfirefinch> heh, good luck
> [15:58] <worried> sfire, thanks
> [15:59] <worried> ex gov employee
> [15:59] <sfirefinch> oh yeah?
> [16:00] <worried> did you fall or did you get pushed?
> [16:01] <lunaphyte_> just because you're paranoid doesn't mean they're
> not out to get you.
> [16:01] <sfirefinch> and just because you are paranoid doesn't mean
> someone is listening to you
> [16:01] <lunaphyte_> right.
> [16:01] <worried> thats good
> [16:02] <worried> how is sans institute coming along?
> [16:02] <sfirefinch> quite well i am sure.
> [16:03] * naxx|nothere is now known as naxxatoe
> [16:03] <worried> i'm sure
> [16:03] <worried> you didn't know much about iframe attacks for about
> a whole weekend
> [16:04] <worried> it was funny
> [16:04] <sfirefinch> no.
> [16:04] <sfirefinch> we didn't publish anything
> [16:04] <sfirefinch> there is a difference
> [16:04] <worried> you were crying out for info from random members of
> the public to e-mail you
> [16:04] <worried> and you thought there were two iframe attacks
> [16:04] <sfirefinch> doesn't mean we didn't know, we wanted more info
> [16:05] <iamnowonmai>
> [16:08] <worried> as i said in e-mail, you exposed a break/weakness in
> your intelligence gathering chain.
> [16:09] * riotz is now known as riotz_
> [16:09] <sfirefinch> and that is?
> [16:09] <worried> you don't have strong links with non-professional
> [16:10] <sfirefinch> oh, how you are so colorfully wrong.
> [16:10] <worried> to know whats going on, when you need to know, when
> the pro scene dont come up with answers
> [16:10] * riotz_ is now known as riotz
> [16:11] <worried> when you rely on shirt and tie to e-mail you info
> 100% of the time then you're going to eventually trip up and thats
> what the iframe weekend showed folks like me
> [16:11] <sfirefinch> well, the folks like you are more wrong then you
> [16:11] <sfirefinch> the beauty part about it is, you will never know.
> [16:12] <worried> i know you didn't have intelligence on the iframe
> weekend, so i know what type of sources you have
> [16:13] <worried> you needed underground links for that, and you
> obviously didn't have any
> [16:13] <sfirefinch> please read my previous statement where I say
> "you are wrong" in more ways than one?
> [16:13] <sfirefinch> you ASSUME we didn't know anything
> [16:13] <worried> good folks know the ppl behind the attack and would
> be in their hideout.
> [16:13] <sfirefinch> and are therefore wrong
> [16:14] <worried> nevermind
> [16:14] <worried> i dont want to continue this
> [16:15] <worried> let's move on
> [16:15] <sfirefinch> good, because you were going in an endless loop.
> [16:15] <worried> your blog just exposed more than it should of that
> you probably didn't realise you were giving away
> [16:15] <rexy__> where was the writeup about iframe posted on sans ?
> [16:16] <worried> the smallest of indications gives away clues to the
> [16:16] <sfirefinch> we were quite aware, thank you.
> [16:17] <worried> you guys are all sitting on gmail addresses
> [16:17] <rexy__> because i cant seem to find it
> [16:17] <sfirefinch> you guys?
> [16:17] <worried> contact.html
> [16:18] <sfirefinch> that's the submission page
> [16:18] <worried> are you willing to give your real name
> [16:19] <sfirefinch> you should know it
> [16:19] <echelon_> why is there a security conference in spain?
> what've they contributed?
> [16:19] <sfirefinch> lol
> [16:20] <worried> echelon: its a few tents in the middle of a field
> with wireless a campfire and beer
> [16:20] <worried> i spoke to the guy already
> [16:20] <echelon_> france would be a better location
> [16:21] <worried> he is looking for english speaking people to talk
> about security, cos its all spanish so far
> [16:22] <worried> i'm not an enemy of sans im just an ethical enemy
> [16:22] <worried> dont worry
> [16:22] <rexy__> http://isc.sans.org/diary.html?storyid=4144&rss is
> that the one you were talking about sfirefinch ?
> [16:23] * naxxatoe is now known as naxx|nothere
> [16:23] <worried> its not obvious to me how to fix the problem!!lolol
> [16:23] <sfirefinch> rexy__: i think it would be more accurate to ask
> if that's the one that worried was talking about.
> [16:23] <worried> its a simple input validation flaw
> [16:24] <rexy__> sfirefinch: probably :P
> [16:24] <worried> they exploited
> [16:24] <worried> which i e-mailed them to tell them
> [16:24] <worried> lol
> [16:24] <echelon_> what do you guys think of tunneling through a
> nat-traversed connection?
> [16:25] <sfirefinch> "its times like this that proves one thing to me
> that you dicks dont
> [16:25] <sfirefinch> have good intelligence links with the
> underground, you're too busy
> [16:25] <sfirefinch> show boating with your department of homeland
> security and cia type
> [16:25] <sfirefinch> boffins, that you haven't got good underground
> contacts, which prove
> [16:25] <sfirefinch> invaluable at times like these when the
> professional scene has no idea
> [16:25] <sfirefinch> what's going on."
> [16:25] <worried> they rely on http based intelligence at sans
> [16:25] <sfirefinch> yeah, real polite.
> [16:26] <rexy__> so what writeup were you referring to worried
> [16:26] <worried> do you just know you broke your privacy agreement
> and i'm lodging a complaint right now
> [16:26] <worried> im serious
> [16:27] <worried> want to give out any other info while you're
> breaking your privacy agreement?
> [16:27] <worried> this is going on FD dude
> [16:27] <worried> and i hope you get taken off the sans handlers
> [16:27] <sfirefinch> you say you are not an enemy
> [16:27] <sfirefinch> yet you shout publically
> [16:27] <njan> worried, I did warn you before that if you started
> publishing things from ##security to FD or elsewhere, that you'd be
> removed from the channel.
> [16:27] <sfirefinch> you call names and are rude
> [16:28] <sfirefinch> not a good way to get respect nor to get people to
> [16:28] <sfirefinch> I think what you did was selfish and rude
> [16:28] <sfirefinch> I don't respect that
> [16:28] <sfirefinch> n3td3v, I am sure you have something to
> contribute to the community
> [16:28] <sfirefinch> and Id like you to do so
> [16:28] <sfirefinch> however, at this point all you are doing is
> making people made and not trust you
> [16:28] <worried> you just pasted a private e-mail to the world wide web
> [16:29] <morning_wood> kill it!
> [16:29] <sfirefinch> no, i posted an email to irc
> [16:29] <sfirefinch> and i only posted a part of it
> [16:29] <sfirefinch> and not even the worst part
> [16:29] <sfirefinch> the privacy agreement applies if you agree to it
> [16:29] <sfirefinch> which you never have
> [16:29] * morning_wood throws the towels used to clean up TubGirl at
> [16:30] <sfirefinch> worried: seriously dude, do you want me to help
> you? I will.
> [16:30] <sfirefinch> I'm through trying to degrade you, i'll help you
> and be nice
> [16:30] <sfirefinch> but you have to be nice to the community in return
> [16:30] <njan> sfirefinch++
> [16:30] <sfirefinch> and you have years of doing the exact opposite.
> [16:31] <sfirefinch> I am SERIOUSLY laying down the olive branch
> [16:31] <worried> "Note: All information submitted via this form will
> be sent to all ISC handlers. The information will be kept confidential
> within this group. We will only publish your information with your
> consent. "
> [16:31] <sfirefinch> yes, SUBMITTED THIS FORM
> [16:31] <sfirefinch> you don't submit via the form
> [16:31] <sfirefinch> you bypass everything you are SUPPOSED TO DO
> [16:31] <sfirefinch> and email us directly
> [16:31] <sfirefinch> therefore you violate the agreement
> [16:32] <sfirefinch> again
> [16:32] <sfirefinch> olive branch
> [16:32] <sfirefinch> http://en.wikipedia.org/wiki/Olive_branch
> [16:32] <rexy__> thanx i was just about to look that up
> [16:32] <sfirefinch> In Western culture, the olive branch, apart from
> its literal meaning as a branch of an olive tree, symbolizes peace or
> [16:33] <sfirefinch> I'll be nice to you, if are nice to us
> [16:33] <worried> you mean you dont want me tell people what you've just
> [16:33] <sfirefinch> it's that simple.
> [16:33] <samson--> worried: someone posted another security conference
> on full-disclosure, you should warn them that the fedz are gonna raid
> [16:33] <sfirefinch> if I was scared that you were going to tell
> people what I've just done, i would have said that
> [16:33] <sfirefinch> i'm pretty black and white dude.
> [16:34] <sfirefinch> want me to help you? I will.
> [16:34] <sfirefinch> want people to take you seriously, I will.
> [16:34] <sfirefinch> but you have to be nice in return
> [16:34] <sfirefinch> and you don't do that
> [16:34] <sfirefinch> for years.
> [16:34] <rexy__> never knew worried was famous
> [16:35] <samson--> sfirefinch: it is impossible to take him seriously,
> all he does is lays down FUD after FUD
> [16:35] <samson--> it helps noone
> [16:35] <samson--> it doesnt even spread awareness properly
> [16:35] <sfirefinch> okay, well at least me
> [16:35] <sfirefinch> rexy__: worried = n3td3v
> [16:36] <rexy__> familiar nick, not ringing bells
> [16:36] <sfirefinch> he has a group on google groups and posts to FD
> all the time
> [16:37] <sfirefinch> currently he's off writing an email to FD about
> how sans sucks.
> [16:37] <rexy__> ah
> [16:37] <morning_wood> like ppl care lol
> [16:37] <rexy__> postings any good?
> [16:37] <sfirefinch> and how i clearly violated the privacy agreement
> that he does not adhere to.
> [16:37] <rexy__> n3td3v (leetspeak for net-dev) is a person or persons
> who has had a history of posting some fairly obnoxious stuff
> on Full Disclosure
> [16:37] <sfirefinch> rexy__: depends on your perspective
> [16:38] <sfirefinch> is there merit in what he says? sometimes yes
> [16:38] <sfirefinch> but the way he says it is so rude and brash it's
> not well received or respected.
> [16:38] <samson--> sfirefinch: the group he has consists of one
> person, which he has publicly admitted
> [16:38] <sfirefinch> I think he has some descent things to say
> sometimes, he shoots for the moon
> [16:39] <sfirefinch> samson--: well, it has a bunch of members, lets say
> [16:39] <iamnowonmai> hey morning_wood long time no see.
> [16:39] <morning_wood> hey0
> [16:40] <sfirefinch> he has some unfounded paranoia
> [16:40] <samson--> only "some"?
> [16:40] <sfirefinch> no, some of what he says is correct.
> [16:40] <sfirefinch> he just says it so wildly and rudely that no one
> [16:41] <samson--> the kid is borderline paranoid schizophrenia
> [16:41] <sfirefinch> well i am not making a medical diagnosis
> [16:42] <samson--> i'm not a doctor either, but i did stay at a
> holiday inn express last night
> [16:43] <sfirefinch> heh
> [16:43] <iamnowonmai> sfirefinch++ for being the peacemaker.
> [16:44] <sfirefinch> i'm trying to do the right thing
> [16:44] <sChaaa> hola
> [16:45] <worried> say sorry for pasting a message sent to
> handlers at sans.org
> [16:45] <sfirefinch> okay, i apologize for pasting a message. Now,
> you say you are sorry for being rude.
> [16:46] <worried> rude about what? there are so many things
> [16:46] <sfirefinch> just the general statement
> [16:47] <worried> you statement you pasted?
> [16:47] <sfirefinch> you are just rude in general, and i ask you to be
> nicer and apologize for it
> [16:48] <worried> its true that you showboat about your cia and dhs
> [16:48] <sfirefinch> um, no.
> [16:48] <worried> and help the cia push out disinformation about power
> cuts carried out by hackers
> [16:48] <sfirefinch> that's not what i asked you to say
> [16:48] <worried> via the sans con
> [16:49] <sfirefinch> i had nothing to do with it, and again, not what
> i asked you to say
> [16:49] <morning_wood> oh phear
> [16:50] * naxx|nothere is now known as naxxatoe
> [16:53] <worried> i'm sorry for calling you dicks, thats the only part
> i can say sorry for.
> [16:54] <worried> a private e-mail shouldn't be discussed in this
> fashion via a public channel of communication
> [16:54] <worried> this is highly unacceptable on any level of thinking
> [16:54] <morning_wood> you could apologize for being a total idiot
> [16:55] <sfirefinch> worried: okay, fair enough, i apologized for it
> already. But why do you post IRC conversations to the web?
> [16:55] <sfirefinch> err
> [16:55] <sfirefinch> email
> [16:55] <worried> an irc conversation is already on the web
> [16:55] <njan> effectively to the web, given how much FD is archived.
> [16:55] <njan> worried, not here, it isn't.
> [16:55] <morning_wood> last one he posted on FD was him talking to himself
> [16:56] <njan> worried, this channel explicitly doesn't log publicly,
> and freenode explicitly bans people doing that without channel
> [16:56] <morning_wood> then he follows it up with a post from "n3td3v" lol
> [16:56] <njan> worried, anyone who logs this channel to the web does
> so in the knowledge they're breaking the channel and network
> guidelines, and they can be banned or klined for it.
> [16:56] <morning_wood> responding to his own troll food
> [16:56] <sfirefinch> and neither one has an expectation of privacy
> [16:56] <sfirefinch> i am just asking a question
> [16:57] <worried> njan, are you saying thats what you're going to do?
> [16:58] <njan> worried, I've told you in the past if you log the
> channel to the web, you'll be removed from the channel at the very
> [16:58] * morning_wood ant figure out why he hasnt been klined yet...
> [16:58] <njan> worried, and for persistent offences in instances where
> people know they're not supposed to publicly log without channel
> consent, freenode can and does intervene where appropriate.
> [16:58] <sfirefinch> i am going to go eat pizza
> [16:58] <njan> worried, http://blog.freenode.net/?p=62 <= for instance.
> [16:59] <worried> my google group isn't public
> [16:59] <morning_wood> who gives a fuck
> [17:00] <sfirefinch> it is if you can sign up for it for free.
> [17:00] <iamnowonmai> sfirefinch: mushroom pizza++
> [17:00] <sfirefinch> i am surprised you aren't more paranoid about google
> [17:01] <worried> im not paranoid
> [17:02] <njan> worried, for the purposes of this conversation, yes, it is.
> [17:02] <samson--> what what what?
> [17:02] <worried> tell me what i'm paranoid about
> [17:02] <sfirefinch> the government for one.
> [17:03] <samson--> RBN caring enough to send someone out to UK to take
> care of you
> [17:03] <worried> why would i be paranoid about them
> [17:03] <Renski_> *cough* russian hackers *cough*
> [17:03] <njan> worried, CCTV? ;)
> [17:03] <samson--> if you arent paranoid, you are delusional
> [17:03] <sfirefinch> i think you give them more credit then they are worth
> [17:03] * sfirefinch is away for pizza
> [17:03] <worried> i dont break laws
> [17:03] <worried> so why would the gov phase me
> [17:04] <worried> if anything its them who are paranoid if they are
> tracking me, cos there is nothing to uncover
> [17:04] <worried> its a waste of their time trying
> [17:04] <njan> worried, http://en.wikipedia.org/wiki/First_they_came
> [17:05] <njan> worried, I think that's a pretty powerful response to
> the notion that anyone who isn't doing anything wrong doesn't have
> anything to fear from their own government.
> [17:05] <worried> what would the government do to someone who hasn't
> broke a law?
> [17:06] <rexy__> information
> [17:06] <Renski_> worried: where were you during history?
> [17:06] <worried> i haven't broke a law and im not a poltical threat
> to the national interest
> [17:06] <njan> Who was it that said that the price of freedom was
> perpetual vigilence?
> [17:07] <transzorp> eternal vigilence is the usual phrasing
> [17:07] <njan> Ah.. Jefferson.
> [17:07] <worried> there is no useful intelligence on my gmail
> accounts, there is simply copy&pasted public news articles, everything
> sent from my gmails goes straight to a mailing list where it can be
> read by anyone, so the wiretap would be pointless
> [17:07] <transzorp> yup
> [17:08] <njan> or Wendell Phillips, according to wikipedia. hmm.
> [17:08] <njan> <3 stolen quotes. :)
> [17:08] <worried> i dont send e-mail to private ppl
> [17:08] <iamnowonmai> njan: I would have guessed someone else.
> [17:08] <transzorp> so since I'm lazy and don't want to read scroll
> back who's wire taping who?
> [17:08] <samson--> worried: you just sent an email to sans
> [17:08] <worried> thats a list, its not a one on one e-mail
> [17:08] <samson--> with the expectation that it was private
> [17:08] <worried> no i didnt think it was private
> [17:09] <samson--> then what did you pitch a fit for?
> [17:09] <worried> ethics
> [17:09] <iamnowonmai> transzorp: worried has hurt feelings about his
> note to the ISC being partially pasted here.
> [17:09] <worried> no i dont have hurt feelings
> [17:09] <worried> i just stated the person broke sans policy
> [17:10] <Renski_> worried: stop whining already
> [17:10] <Renski_> he said sorry, and you havnt done the same.
> [17:10] <worried> yes, i wasnt the one who brought it up again
> [17:11] <worried> i did say sorry
> [17:11] <worried> i said sorry for calling them dicks
> [17:11] <transzorp> ok
> [17:11] <worried> im not discussing a closed e-mail with this channel,
> its unacceptable that this conversation is even possible
> [17:12] <iamnowonmai> But you are discussing it.
> [17:12] <worried> not now
> [17:12] <worried> no, you brought it up
> [17:12] <worried> i responded
> [17:12] <iamnowonmai> That counts - you still are.
> [17:12] <worried> you brought it up
> [17:12] <Renski_> worried: the internet is a giant copying machine, get
> over it.
> [17:12] <transzorp> so since I don't really care about emails etc.
> what else is going on?
> [17:13] <iamnowonmai> transzorp: not much. I'm still trying to glean
> more information about the Hannaford breach.
> [17:13] <worried> renski: no its not actually, there are rules and
> regulations for professionals
> [17:13] <iamnowonmai> Now they are blaming misconfiguration.
> [17:13] <worried> im finished discussing this
> [17:13] <transzorp> iamnowonmai: I haven't heard about the hannaford
> [17:13] <Renski_> worried: really?
> [17:14] * Renski_ doesnt recall signing anything
> [17:14] <iamnowonmai>
> [17:15] <iamnowonmai> also here -
> [17:31] <worried> sweet, thats the transcript saved
> [17:31] * Disconnected
> ---------- Forwarded message ----------
> From: n3td3v <xploitable at gmail.com>
> Date: Thu, Mar 20, 2008 at 5:43 PM
> Subject: breach in sans policy about to go public
> To: handlers at sans.org
> one of your sans handlers post one of the e-mails i sent to this
> e-mail address to a ##security on freenode, this event has just
> i'm posting the full transcript unedited onto full-disclosure
> let's see how many media outlets pick this up :)
> he said because the e-mail was sent to handlers at sans.org and not via
> the form then
> "All submissions are kept confidential. Your submission will reach all
> ISC handlers. Your e-mail address will only be used to reply to your
> submission." doesn't count.
> we'll see what the public has to say eh?
> this is a major news event thats about to unfold...
> the name of the offender will remain undisclosed until i decide if i
> go public with this or not and what the strategy will be....
> the next few hours the transcript will be post to full-disclosure or
> n3td3v list. maybe both.
> this is a window of opportunity for dialog if you want to have it to
> stop the transcript from being made public and for the person to owe
> up to sans and the other handlers that this incident has just taken
> an e-mail i sent to handlers at sans.org was in the last hour post to
> ##security freenode, which led to the e-mail being publically
> discussed with all the channel members, much to my embarrassment.
> i dont buy his excuse that because it wasn't sent via the form then
> the e-mail was allowed to be copy& pasted to a public channel and be
> discussed publically,
> the person then told me to apologise for what i sent to sans infront
> of everyone.
> it is a big public channel, this is completely unacceptable.
> ---------- Forwarded message ----------
> From: n3td3v <xploitable at gmail.com>
> Date: Thu, Mar 20, 2008 at 8:17 PM
> Subject: Re: sans handler gives out n3td3v e-mail to public
> To: Johannes Ullrich <jullrich at euclidian.com>, handlers at sans.org
> On Thu, Mar 20, 2008 at 7:08 PM, Johannes Ullrich
> <jullrich at euclidian.com> wrote:
> > n3td3v:
> > thanks for letting us know. We will deal with this breach internally.
> n3td3v please don't make this public, please please.
> > Please refrain from sending any additional e-mail either regarding this
> > incident or additional incidents to handlers at sans.org or other aliases
> > by this group or its individuals.
> we're begging you, please!!!
> > Thanks.
> its too late for thanks, prepare for a PR crisis.
> [10:28] <PhilKC> Hi.
> [10:31] <worried> hi
> [10:32] <PhilKC> Hiya, fancy filling me in on all the details of your
> issue? :)
> [10:32] <worried> a sans.org handler post an e-mail i sent to
> handlers at sans.org to ##security
> [10:33] <worried> this goes against their privacy agreement
> [10:33] <worried> and the handler made fun of me and made me say sorry
> about the e-mail
> [10:33] <worried> which should never of been copy&pasted to the channel
> [10:33] <worried> and then i said i want to post the channel log to a
> mailing list and njan said he would k-line me if i did
> [10:34] <PhilKC> Ah
> [10:35] <worried> njan says he will ban me from security channel and
> k-line me if i post proof of the sans violation to a public mailing
> [10:35] <worried> this is unfair
> [10:35] <worried> my rights to privacy were violated and i was made
> fun of in a public freenode channel
> [10:35] <PhilKC> Every channel has its own rules on public logging
> (Wikipedia for example prohibits all public logging), breaking these
> rules can result in you being banned from the channel/project, but,
> from what you have told me, I don't see why a kline would be applied.
> [10:36] <PhilKC> (njan is a channel op on ##security and as such can
> enforce said rules about logging)
> [10:36] <worried> so tell njan that, so i can proceed to press send on
> this e-mail
> [10:36] <worried> njan is just being a dick to protect his friend
> [10:37] <worried> he is trying to stop me posting to a mailing list
> through a technicality
> [10:37] <worried> of a freenode rule
> [10:37] <PhilKC> There's nothing to stop you sending the email, *but*
> if it breaches the channel policy on public logging then you may be
> banned from that channel.
> [10:37] <worried> njan says k-line too
> [10:38] <worried> he is trying his best to scare me
> [10:39] <PhilKC> Hows about, before you send the mail, I have a chat
> with njan and we'll see if we can sort this out?
> [10:39] <worried> deal
> [10:39] <PhilKC> :)
> [10:39] <worried> are u a senior staff?
> [10:40] <PhilKC> I'm staff, not senior though. :)
> [10:40] <PhilKC> Will you be around for a couple of hours whilst I try
> and summon njan?
> [10:40] <worried> yes
> [10:40] <PhilKC> Great, I shall poke you as soon as he's about. :)
> [10:41] <PhilKC> And, thank you for coming to us to talk about the
> issue, it is appreciated :)
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/