From exibar at thelair.com Wed Oct 1 00:21:20 2008
From: exibar at thelair.com (Exibar)
Date: Tue, 30 Sep 2008 19:21:20 -0400
Subject: [Full-disclosure] [inbox] Re: Supporters urge halt to, hacker's, extradition to US
In-Reply-To: <1222810093.6726.3.camel@roswell.ausics.net>
Message-ID: <20080930232127.47DFA778@lists.grok.org.uk>

excuse me? Your attempt at insults are pointed wrongly.

I've read the legal brief on his case, the UK documents on his case too, he's ADMITTED guilt. In my book that's enough to call him a criminal, he should be arrested and tried in a court of law to determine if that is a fact or not. It's up to his accusers to prove his guilt. He is not actually guilty until he is found to be guilty in the court of law. If they cannot prove he is guilty, he must walk a free man. Not too difficult to prove guilt when the accuser admits to what he's done....

He is completely innocent until found guilty... at least in the US, UK, and even Australia that is the way things are.

Let's see what the Chinese would do to him if he did the same thing over there than over here.

oh, to answer your question, YES, I'm an American, and proud of it....

Exibar

_____

From: Noel Butler [mailto:noel.butler at ausics.net]
Sent: Tuesday, September 30, 2008 5:28 PM
To: Exibar
Cc: full-disclosure at lists.grok.org.uk; info at freegary.org.uk
Subject: Re: [Full-disclosure] [inbox] Re: Supporters urge halt to,hacker's, extradition to US

On Wed, 2008-10-01 at 00:03, Exibar wrote:

Look, Mckinnon broke into the computer systems. Under his own admission he ran scripts to help him do this. Some of those scripts crashed systems. He possibly deleted files and what-not in his travels, either willfully or not, doesn't really matter. He loaded software on those systems so he could get in AGAIN easier... AND he leaves a note threatening that he will do it again. All this on KNOWN government computer systems. He intentionally wanted to get into these systems to look for UFO crap.
This goes way beyond just simply leaving a note stating that your door is unlocked. This is going into the unlocked car, putting in a remote control door opener, and threatening to re-enter the car again. He knew what he was doing, he knew whose machines he was doing it to, he was obviously going to keep doing it until caught by the sound of his message. He's a criminal, period. He should be properly tried in a court of law. The way the UK and the US law is written, that means extradited to the US for a trial. All the protesting or debating won't change the fact that he's a criminal. Plain and simple, deal with it.... His sentence will be based upon what comes up in court, and it hardly ever is the maximum.

I'm sorry, are you American? Are you a typical American? If so, you have just demonstrated why he should not be extradited, as you, as a typical American have him decided GUILTY already without seeing and hearing all the ACTUAL evidence. not just the rhetoric the politicians want the media to tell you about, so he has no chance of fair trial.

From erc at pobox.com Wed Oct 1 00:17:55 2008
From: erc at pobox.com (Ed Carp)
Date: Tue, 30 Sep 2008 16:17:55 -0700
Subject: [Full-disclosure] THC releases video and tool to create fake ePassports
In-Reply-To: <20080929220955.GC30277@segfault.net>
References: <20080929220955.GC30277@segfault.net>
Message-ID: <1b0d006c0809301617q1193fb79k8298e8a160c203f6@mail.gmail.com>

An obvious (and interesting) use would be to generate an ePassport that would flag the bearer as having diplomatic immunity.

From xploitable at gmail.com Wed Oct 1 00:50:11 2008
From: xploitable at gmail.com (n3td3v)
Date: Wed, 1 Oct 2008 00:50:11 +0100
Subject: [Full-disclosure] Supporters urge halt to, hacker's, extradition to US
In-Reply-To: <48E27BC0.4060305@gmail.com>
References: <4b6ee9310809291642o5d6c2418t23c8d038b7341bbf@mail.gmail.com> <20080930163425.DCA76535@lists.grok.org.uk> <4b6ee9310809301148h63a922acode9474adac3890d5@mail.gmail.com> <48E27BC0.4060305@gmail.com>
Message-ID: <4b6ee9310809301650l7b7d81do23ad16fe5dea9567@mail.gmail.com>

On Tue, Sep 30, 2008 at 8:19 PM, Brian Anderson wrote:
> n3td3v wrote:
>> The systems were 'public domain' because the door was open.
>
> So if I wait outside your door, when you open it, everything inside becomes public domain????
>

All I'm saying is the guy didn't break into anything in the traditional sense, he walked in, he didn't 'hack' anything. So stop using these terms: hack, break, broke, hacked etc. These words are abrasive words, there was no struggle to get in or any difficulty, he walked in... he wasn't questioned, there were no security guards. He walked in, he walked out. If you can walk into a public building unchallenged, you keep walking in. It's not the person's fault, especially if they have mental problems which Mckinnon has. If you're an internet robot working for the intelligence services, you definitely keep walking in. It's not rocket science to know if you leave the door open, that some one will walk in... get a fucking clue! If it wasn't Mckinnon it would've been someone else. There are a million Mckinnon's out there if you don't set your passwords, there is nothing unique about Mckinnon whatsoever. You were always going to be shipping someone over to U.S, it just happens to be Mckinnon, there is a long list of people who would have been right behind him. He isn't particularly evil, he seen the door was open and thought, hell why not, big super power!!!
They basically had the welcome mat laid out for him, with goodies inside, someone might liken it to a honey trap. If you put honey on a stick, the bees are gonna swarm in, Mckinnon was just a bumble bee wanting some honey. If you don't want people in your systems, don't fucking invite them in with honey on a stick. You look fucking foolish though shipping over a bumble bee when all it knows is honey and making a 'buzz' noise. You can't teach a bee new tricks, it's their natural instinct to buzz around and go to honey, like flies to dog shit. The US military I.T department, heads up their own arses, the stars and stripes have gone to their head, their head is currently up their own arses. This is national pride coming before common sense, shipping over some bumble bee who was attracted to your honey. You are hella stupid, I tell th-ee. Mckinnon is guilty of being a BUMBLE BEE in a big swarm, not worth your time bringing such a lamer over, to U.S. You got yourself a bumble bee, a useless fucking bumble bee, I could understand if he was an HD Moore, but he is a skill-less fucking bumble bee. Leave the windows in your house open, flies are going to come in, Mckinnon was a fly, an insect, a bee, nothing more nothing less. Get a fucking grip, I'm sick of this whole conversation and how someone as lame as Mckinnon who simply walked in could be subject of such a big media circus, extradition and 60 years in jail. For what, being a bee, a stupid fucking bumble bee who flew through an open window. We got ourselves a bee, a stupid fucking bumble bee, ship him over to U.S!!! Not worth it.

From erc at pobox.com Wed Oct 1 00:58:45 2008
From: erc at pobox.com (Ed Carp)
Date: Tue, 30 Sep 2008 16:58:45 -0700
Subject: [Full-disclosure] Supporters urge halt to, hacker's, extradition to US
In-Reply-To: <4b6ee9310809301650l7b7d81do23ad16fe5dea9567@mail.gmail.com>
References: <4b6ee9310809291642o5d6c2418t23c8d038b7341bbf@mail.gmail.com> <20080930163425.DCA76535@lists.grok.org.uk> <4b6ee9310809301148h63a922acode9474adac3890d5@mail.gmail.com> <48E27BC0.4060305@gmail.com> <4b6ee9310809301650l7b7d81do23ad16fe5dea9567@mail.gmail.com>
Message-ID: <1b0d006c0809301658y46de6efdtb2a907dddeba2534@mail.gmail.com>

On Tue, Sep 30, 2008 at 4:50 PM, n3td3v wrote:

> If you can walk into a public building unchallenged, you keep walking
> in. It's not the person's fault, especially if they have mental
> problems which Mckinnon has. If you're an internet robot working for
> the intelligence services, you definitely keep walking in.

Actually, if you do that here, and there's a big fat sign at the entrance saying it's a restricted area deadly force authorized, it doesn't matter that the door was wide open, you're going to be lucky if you don't get your ass shot off.

McKinnon was warned, he chose to ignore the warning at his own peril. I agree that extradition and 60 years in the slammer is a bit extreme, though.

From xploitable at gmail.com Wed Oct 1 01:25:35 2008
From: xploitable at gmail.com (n3td3v)
Date: Wed, 1 Oct 2008 01:25:35 +0100
Subject: [Full-disclosure] Supporters urge halt to, hacker's, extradition to US
In-Reply-To: <1b0d006c0809301658y46de6efdtb2a907dddeba2534@mail.gmail.com>
References: <4b6ee9310809291642o5d6c2418t23c8d038b7341bbf@mail.gmail.com> <20080930163425.DCA76535@lists.grok.org.uk> <4b6ee9310809301148h63a922acode9474adac3890d5@mail.gmail.com> <48E27BC0.4060305@gmail.com> <4b6ee9310809301650l7b7d81do23ad16fe5dea9567@mail.gmail.com> <1b0d006c0809301658y46de6efdtb2a907dddeba2534@mail.gmail.com>
Message-ID: <4b6ee9310809301725u264e3f62s50031eca34633a8f@mail.gmail.com>

On Wed, Oct 1, 2008 at 12:58 AM, Ed Carp wrote:
> On Tue, Sep 30, 2008 at 4:50 PM, n3td3v wrote:
>
>> If you can walk into a public building unchallenged, you keep walking
>> in. It's not the person's fault, especially if they have mental
>> problems which Mckinnon has. If you're an internet robot working for
>> the intelligence services, you definitely keep walking in.
>
> Actually, if you do that here, and there's a big fat sign at the
> entrance saying it's a restricted area deadly force authorized, it
> doesn't matter that the door was wide open, you're going to be lucky
> if you don't get your ass shot off.
>
> McKinnon was warned, he chose to ignore the warning at his own peril.
> I agree that extradition and 60 years in the slammer is a bit extreme,
> though.
>

He is a bumble bee, a useless fucking bumble bee. Why don't you get him psychiatric help instead of sending him to U.S and locking him up? Surely the guy needs help, not a jail sentence? I'm leaving this thread now I can't be bothered with the stupidity of this topic anymore.

From erc at pobox.com Wed Oct 1 01:31:31 2008
From: erc at pobox.com (Ed Carp)
Date: Tue, 30 Sep 2008 17:31:31 -0700
Subject: [Full-disclosure] Supporters urge halt to, hacker's, extradition to US
In-Reply-To: <4b6ee9310809301725u264e3f62s50031eca34633a8f@mail.gmail.com>
References: <4b6ee9310809291642o5d6c2418t23c8d038b7341bbf@mail.gmail.com> <20080930163425.DCA76535@lists.grok.org.uk> <4b6ee9310809301148h63a922acode9474adac3890d5@mail.gmail.com> <48E27BC0.4060305@gmail.com> <4b6ee9310809301650l7b7d81do23ad16fe5dea9567@mail.gmail.com> <1b0d006c0809301658y46de6efdtb2a907dddeba2534@mail.gmail.com> <4b6ee9310809301725u264e3f62s50031eca34633a8f@mail.gmail.com>
Message-ID: <1b0d006c0809301731u86d4cbeq97699c2ebfed40f6@mail.gmail.com>

On Tue, Sep 30, 2008 at 5:25 PM, n3td3v wrote:

> He is a bumble bee, a useless fucking bumble bee. Why don't you get
> him psychiatric help instead of sending him to U.S and locking him up?
> Surely the guy needs help, not a jail sentence? I'm leaving this
> thread now I can't be bothered with the stupidity of this topic
> anymore.

Oh, that's easy - the US wants to make an example of him ... that's obvious.

From gtb at slac.stanford.edu Wed Oct 1 01:38:52 2008
From: gtb at slac.stanford.edu (Buhrmaster, Gary)
Date: Tue, 30 Sep 2008 17:38:52 -0700
Subject: [Full-disclosure] Supporters urge halt to, hacker's, extradition to US
In-Reply-To: <4b6ee9310809301650l7b7d81do23ad16fe5dea9567@mail.gmail.com>
References: <48E27BC0.4060305@gmail.com> <4b6ee9310809301650l7b7d81do23ad16fe5dea9567@mail.gmail.com>
Message-ID:

> He isn't particularly evil, he seen the door was open and thought,
> hell why not, big super power!!! They basically had the welcome mat
> laid out for him, with goodies inside, someone might liken it to a
> honey trap.

Perhaps during the trial, Gary McKinnon's lawyer should put n3td3v on the stand to attempt nullification.
If that does not work, perhaps during the sentencing phase one should put n3td3v on the stand as a character witness.

And, of course, n3td3v is free to submit an amicus curiae brief to the court (I suspect that they are not going to be reading full disclosure).

From exibar at thelair.com Wed Oct 1 01:52:17 2008
From: exibar at thelair.com (Exibar)
Date: Tue, 30 Sep 2008 20:52:17 -0400
Subject: [Full-disclosure] [inbox] Re: Supporters urge haltto, hacker's, extradition to US
In-Reply-To: <1222821563.11507.32.camel@roswell.ausics.net>
Message-ID: <20081001005221.E3C0B953@lists.grok.org.uk>

< tons of dribble snipped>

He is completely innocent until found guilty... at least in the US, UK, and even Australia that is the way things are.

You seem to be contradicting yourself here, but maybe a little bit of light is getting in.

Nope, he is completely innocent until he is FOUND guilty by a court of law. Right now, there is fair evidence to bring him in for the crime committed. He is the prime suspect at this time for that crime. The details of his crime, his testimony, his accuser's testimony, and evidence both against and for him will be submitted. Based upon those facts that are presented he will either be found guilty or not guilty. If he's found guilty, he will be sentenced. That's the way the laws of our countries work.

Let's see what the Chinese would do to him if he did the same thing over there than over here.

China has changed a lot in recent times, I think you'd find he'd get a fair trial, and you wouldn't have ministers there saying he needs to "fry"

sure, with a huge difference... During trial, you have to prove yourself innocent. HUGE difference there.... Oh and he'd be put to death in China for crimes against the state. So he'd literally be fighting for his life during a trial in China.

End of conversation... this is getting fruitless... let's all just sit back and watch what happens....
Exibar

From xploitable at gmail.com Wed Oct 1 02:07:43 2008
From: xploitable at gmail.com (n3td3v)
Date: Wed, 1 Oct 2008 02:07:43 +0100
Subject: [Full-disclosure] Supporters urge halt to, hacker's, extradition to US
In-Reply-To: <1b0d006c0809301731u86d4cbeq97699c2ebfed40f6@mail.gmail.com>
References: <4b6ee9310809291642o5d6c2418t23c8d038b7341bbf@mail.gmail.com> <20080930163425.DCA76535@lists.grok.org.uk> <4b6ee9310809301148h63a922acode9474adac3890d5@mail.gmail.com> <48E27BC0.4060305@gmail.com> <4b6ee9310809301650l7b7d81do23ad16fe5dea9567@mail.gmail.com> <1b0d006c0809301658y46de6efdtb2a907dddeba2534@mail.gmail.com> <4b6ee9310809301725u264e3f62s50031eca34633a8f@mail.gmail.com> <1b0d006c0809301731u86d4cbeq97699c2ebfed40f6@mail.gmail.com>
Message-ID: <4b6ee9310809301807j350e4e37qc618d51cc812d917@mail.gmail.com>

On Wed, Oct 1, 2008 at 1:31 AM, Ed Carp wrote:
> On Tue, Sep 30, 2008 at 5:25 PM, n3td3v wrote:
>
>> He is a bumble bee, a useless fucking bumble bee. Why don't you get
>> him psychiatric help instead of sending him to U.S and locking him up?
>> Surely the guy needs help, not a jail sentence? I'm leaving this
>> thread now I can't be bothered with the stupidity of this topic
>> anymore.
>
> Oh, that's easy - the US wants to make an example of him ... that's obvious.
>

Nobody will think that, they will think stupid yanks again who didn't set their passwords, why are they bothering with this kid. It will just highlight their stupidity, not his. Stars and stripes up their own arses. They will call him a hacker, even though nothing was hacked, he walked straight in. If you're going to make an example of someone, actually get a hacker who actually hacked something! Mckinnon is no hacker! The whole thing is ridiculous.

From vigilantgregorius at gmail.com Wed Oct 1 02:25:34 2008
From: vigilantgregorius at gmail.com (Miller Grey)
Date: Tue, 30 Sep 2008 20:25:34 -0500
Subject: [Full-disclosure] [inbox] Re: Supporters urge halt to, hacker's, extradition to US
In-Reply-To: <4b6ee9310809301210r6235eb04r65e017995c08fafa@mail.gmail.com>
References: <4b6ee9310809291642o5d6c2418t23c8d038b7341bbf@mail.gmail.com> <20080930163425.DCA76535@lists.grok.org.uk> <4b6ee9310809301148h63a922acode9474adac3890d5@mail.gmail.com> <1c89a5ed0809301207i1536ed54w126feab5b2ab8f8e@mail.gmail.com> <4b6ee9310809301210r6235eb04r65e017995c08fafa@mail.gmail.com>
Message-ID:

Wrong...dead wrong.

On Tue, Sep 30, 2008 at 2:10 PM, n3td3v wrote:
>
> On Tue, Sep 30, 2008 at 8:07 PM, offbitz wrote:
> > On Tue, Sep 30, 2008 at 1:48 PM, n3td3v wrote:
> >>
> >> The systems were 'public domain' because the door was open.
> >>
> >
> > Proof or GTFO.
> >
>
> No passwords were set = public domain.
>

From xploitable at gmail.com Wed Oct 1 02:33:29 2008
From: xploitable at gmail.com (n3td3v)
Date: Wed, 1 Oct 2008 02:33:29 +0100
Subject: [Full-disclosure] [inbox] Re: Supporters urge halt to, hacker's, extradition to US
In-Reply-To:
References: <4b6ee9310809291642o5d6c2418t23c8d038b7341bbf@mail.gmail.com> <20080930163425.DCA76535@lists.grok.org.uk> <4b6ee9310809301148h63a922acode9474adac3890d5@mail.gmail.com> <1c89a5ed0809301207i1536ed54w126feab5b2ab8f8e@mail.gmail.com> <4b6ee9310809301210r6235eb04r65e017995c08fafa@mail.gmail.com>
Message-ID: <4b6ee9310809301833n322fc40ew7b0ecac13597ddb1@mail.gmail.com>

Dead right, you got your systems accessed by 'the public', because the systems were 'public domain'.

Your systems were public domain, get over yourselves and stop arguing about it.

On Wed, Oct 1, 2008 at 2:25 AM, Miller Grey wrote:
> Wrong...dead wrong.
>
> On Tue, Sep 30, 2008 at 2:10 PM, n3td3v wrote:
>>
>> On Tue, Sep 30, 2008 at 8:07 PM, offbitz wrote:
>> > On Tue, Sep 30, 2008 at 1:48 PM, n3td3v wrote:
>> >>
>> >> The systems were 'public domain' because the door was open.
>> >>
>> >
>> > Proof or GTFO.
>> >
>>
>> No passwords were set = public domain.
>

From vigilantgregorius at gmail.com Wed Oct 1 02:47:42 2008
From: vigilantgregorius at gmail.com (Miller Grey)
Date: Tue, 30 Sep 2008 20:47:42 -0500
Subject: [Full-disclosure] [inbox] Re: Supporters urge halt to, hacker's, extradition to US
In-Reply-To: <4b6ee9310809301833n322fc40ew7b0ecac13597ddb1@mail.gmail.com>
References: <4b6ee9310809291642o5d6c2418t23c8d038b7341bbf@mail.gmail.com> <20080930163425.DCA76535@lists.grok.org.uk> <4b6ee9310809301148h63a922acode9474adac3890d5@mail.gmail.com> <1c89a5ed0809301207i1536ed54w126feab5b2ab8f8e@mail.gmail.com> <4b6ee9310809301210r6235eb04r65e017995c08fafa@mail.gmail.com> <4b6ee9310809301833n322fc40ew7b0ecac13597ddb1@mail.gmail.com>
Message-ID:

Legally, is there any precedence that private systems owned by the government are public domain? Furthermore, has there ever been any legal precedent that any private system, if left unsecured, is in the public domain?

Either way, I hark back to:
http://blog.wired.com/27bstroke6/2008/09/brits-us-passed.html

This whole thing has been blown way out of proportion...c'est tout

On Tue, Sep 30, 2008 at 8:33 PM, n3td3v wrote:
>
> Dead right, you got your systems accessed by 'the public', because the
> systems were 'public domain'.
>
> Your systems were public domain, get over yourselves and stop arguing about
> it.
>
> On Wed, Oct 1, 2008 at 2:25 AM, Miller Grey
> wrote:
> > Wrong...dead wrong.
> >
> > On Tue, Sep 30, 2008 at 2:10 PM, n3td3v wrote:
> >>
> >> On Tue, Sep 30, 2008 at 8:07 PM, offbitz wrote:
> >> > On Tue, Sep 30, 2008 at 1:48 PM, n3td3v wrote:
> >> >>
> >> >> The systems were 'public domain' because the door was open.
> >> >>
> >> >
> >> > Proof or GTFO.
> >> >
> >>
> >> No passwords were set = public domain.
> >
>

From Valdis.Kletnieks at vt.edu Wed Oct 1 02:57:13 2008
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Tue, 30 Sep 2008 21:57:13 -0400
Subject: [Full-disclosure] Supporters urge halt to, hacker's, extradition to US
In-Reply-To: Your message of "Wed, 01 Oct 2008 01:25:35 BST." <4b6ee9310809301725u264e3f62s50031eca34633a8f@mail.gmail.com>
References: <4b6ee9310809291642o5d6c2418t23c8d038b7341bbf@mail.gmail.com> <20080930163425.DCA76535@lists.grok.org.uk> <4b6ee9310809301148h63a922acode9474adac3890d5@mail.gmail.com> <48E27BC0.4060305@gmail.com> <4b6ee9310809301650l7b7d81do23ad16fe5dea9567@mail.gmail.com> <1b0d006c0809301658y46de6efdtb2a907dddeba2534@mail.gmail.com> <4b6ee9310809301725u264e3f62s50031eca34633a8f@mail.gmail.com>
Message-ID: <51262.1222826233@turing-police.cc.vt.edu>

On Wed, 01 Oct 2008 01:25:35 BST, n3td3v said:

> He is a bumble bee, a useless fucking bumble bee. Why don't you get
> him psychiatric help instead of sending him to U.S and locking him up?

Physician, heal thyself.

From xploitable at gmail.com Wed Oct 1 03:10:30 2008
From: xploitable at gmail.com (n3td3v)
Date: Wed, 1 Oct 2008 03:10:30 +0100
Subject: [Full-disclosure] [inbox] Re: Supporters urge halt to, hacker's, extradition to US
In-Reply-To:
References: <4b6ee9310809291642o5d6c2418t23c8d038b7341bbf@mail.gmail.com> <20080930163425.DCA76535@lists.grok.org.uk> <4b6ee9310809301148h63a922acode9474adac3890d5@mail.gmail.com> <1c89a5ed0809301207i1536ed54w126feab5b2ab8f8e@mail.gmail.com> <4b6ee9310809301210r6235eb04r65e017995c08fafa@mail.gmail.com> <4b6ee9310809301833n322fc40ew7b0ecac13597ddb1@mail.gmail.com>
Message-ID: <4b6ee9310809301910m8356fcv8f00294207536a26@mail.gmail.com>

Let's hope this Jacqui Smith chick stops him going... hopefully her cyber security advisors are reading the mailing lists.

On Wed, Oct 1, 2008 at 2:47 AM, Miller Grey wrote:
>
> This whole thing has been blown way out of proportion...c'est tout
>

From Valdis.Kletnieks at vt.edu Wed Oct 1 04:17:26 2008
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Tue, 30 Sep 2008 23:17:26 -0400
Subject: [Full-disclosure] [inbox] Re: Supporters urge halt to, hacker's, extradition to US
In-Reply-To: Your message of "Tue, 30 Sep 2008 20:47:42 CDT."
References: <4b6ee9310809291642o5d6c2418t23c8d038b7341bbf@mail.gmail.com> <20080930163425.DCA76535@lists.grok.org.uk> <4b6ee9310809301148h63a922acode9474adac3890d5@mail.gmail.com> <1c89a5ed0809301207i1536ed54w126feab5b2ab8f8e@mail.gmail.com> <4b6ee9310809301210r6235eb04r65e017995c08fafa@mail.gmail.com> <4b6ee9310809301833n322fc40ew7b0ecac13597ddb1@mail.gmail.com>
Message-ID: <58187.1222831046@turing-police.cc.vt.edu>

On Tue, 30 Sep 2008 20:47:42 CDT, Miller Grey said:

> Legally, is there any precedence that private systems owned by the
> government are public domain?

At least in the US, systems owned by the federal government are considered "protected" under the Computer Fraud and Abuse Act of 1986 (18 USC 1030 has most of the legalese for this):

http://www4.law.cornell.edu/uscode/html/uscode18/usc_sec_18_00001030----000-.html

For this scenario, the interesting words are in 18 USC 1030 (a)(2)(C):

(C) information from any protected computer if the conduct involved an interstate or foreign communication;

"protected computer" is defined in 180 USC 1030(e)(2):

(2) the term "protected computer" means a computer:

(A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or

(B) which is used in interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States;

Yes folks - that means that laptop is protected if it's used for eBay or Amazon or even Yahoo Messenger, and if you hack it from across the state or country line, you're in violation...

> Furthermore, has there ever been any legal
> precedent that any private system, if left unsecured, is in the public
> domain?

In the US, there have been a number of successful prosecutions in cases where people used an unsecured wireless access point to launch attacks. You'd probably need to show *all* of the following:

1) That it was unsecured.
2) That it was *intentionally* unsecured.
3) That the security was set up for the explicit purpose of allowing free guest access, and people were actively invited.

In other words - if the sign at the coffeeshop says "Free Wifi", it's fair game. If the login banner says "Free guest shell access - no password needed", it's fair game.
However, if you happen to find an unsecured WAP while wardriving, or an account that accidentally has a null password, things are a *lot* stickier for you...

From degeneracypressure at gmail.com Wed Oct 1 04:23:34 2008
From: degeneracypressure at gmail.com (Eliah Kagan)
Date: Tue, 30 Sep 2008 23:23:34 -0400
Subject: [Full-disclosure] [inbox] Re: Supporters urge halt to, hacker's, extradition to US
In-Reply-To: <58187.1222831046@turing-police.cc.vt.edu>
References: <4b6ee9310809291642o5d6c2418t23c8d038b7341bbf@mail.gmail.com> <20080930163425.DCA76535@lists.grok.org.uk> <4b6ee9310809301148h63a922acode9474adac3890d5@mail.gmail.com> <1c89a5ed0809301207i1536ed54w126feab5b2ab8f8e@mail.gmail.com> <4b6ee9310809301210r6235eb04r65e017995c08fafa@mail.gmail.com> <4b6ee9310809301833n322fc40ew7b0ecac13597ddb1@mail.gmail.com> <58187.1222831046@turing-police.cc.vt.edu>
Message-ID:

Valdis Kletnieks wrote:
> In the US, there have been a number of successful prosecutions in cases where
> people used an unsecured wireless access point to launch attacks. You'd
> probably need to show *all* of the following:
>
> 1) That it was unsecured.
> 2) That it was *intentionally* unsecured.
> 3) That the security was set up for the explicit purpose of allowing free
> guest access, and people were actively invited.
>
> In other words - if the sign at the coffeeshop says "Free Wifi", it's fair
> game. If the login banner says "Free guest shell access - no password needed",
> it's fair game. However, if you happen to find an unsecured WAP while
> wardriving, or an account that accidentally has a null password, things are a
> *lot* stickier for you...

Not that this actually pertains to the case of Gary McKinnon, but...

They used them **to launch attacks**. It's illegal to launch cruise missiles from the public park, but that doesn't mean it's illegal to go in the public park.

Has anyone ever been prosecuted for using unsecured wireless for legal purposes? Wouldn't that contradict FCC rules governing use of wireless (in the general sense of wireless), where a wireless system must accept interference? (Whereas breaking into, or perhaps even using with a null password, encrypted wireless, even if the encryption is as pathetic as WEP, would still be illegal.)

What am I missing?

-Eliah

From noel.butler at ausics.net Wed Oct 1 01:39:24 2008
From: noel.butler at ausics.net (Noel Butler)
Date: Wed, 01 Oct 2008 10:39:24 +1000
Subject: [Full-disclosure] [inbox] Re: Supporters urge halt to, hacker's, extradition to US
In-Reply-To: <20080930232128.BE6363FC186@valhalla.ausics.net>
References: <20080930232128.BE6363FC186@valhalla.ausics.net>
Message-ID: <1222821563.11507.32.camel@roswell.ausics.net>

On Wed, 2008-10-01 at 09:21, Exibar wrote:

> excuse me? Your attempt at insults are pointed wrongly.
>
> I've read the legal brief on his case, the UK documents on his case
> too, he's ADMITTED guilt. In my book that's enough to call him a
> criminal, he should be arrested and tried in a court of law to
> determine if that is a fact or not. It's up to his accusers to prove
> his guilt. He is not actually guilty until he is found to be guilty
> in the court of law. If they cannot prove he is guilty, he must walk
> a free man. Not too difficult to prove guilt when the accuser admits
> to what he's done....

No, he admits to gaining entry and leaving a message that he did exactly that, he admits to causing *no* damage, *unlike* what the U.S accuse him of.

Does he need to be punished? Yes.

Where?
The crime was committed in the U.S because that's the location of the devices entered, so he should stand trial in the U.S *if* it can be proved there is strong evidence for all allegations of serious nature, and if a reasonable person may consider he will get a fair trial he should be extradited, but due to the U.S government's own f-ups and public temper tantrums because he exposed their incompetence in IT security, or extreme lack thereof, they are going all out showing it is unlikely he will get a fair trial, a reasonable person in this country would also say it is unlikely he would get a fair trial.

If he is able to get out of this, he can in fact thank the U.S big mouths who, I dare say getting close to the U.S elections are only political grandstanding (which in fairness is typical of most countries in election times anyway)

But since he's admitted to gaining entry, but did no damage, one would expect he should be fined, rather than sent to prison, but if prison was mandatory, I fail to see how they could lock him up for more than 12 months, a crime was committed, so a penalty must be paid, but a fair penalty that fits the crime.

I beg to ask the question, what has happened to the IT staff responsible for this, are they standing trial as well for compromising national security? Are they being held under the patriot act somewhere because some paranoid delusional thinks they might have left things open deliberately for cyber terrorists? .. No, I bet those twats are sitting at their desks telling stories of who they screwed on the weekend, still safe in their jobs, even if not for the U.S Government, they're most likely still making the same mistakes for the past 6 years as they did back then.

>
> He is completely innocent until found guilty... at least in the US,
> UK, and even Australia that is the way things are.

You seem to be contradicting yourself here, but maybe a little bit of light is getting in.

> Let's see what the Chinese would do to him if he did the same thing
> over there than over here.

China has changed a lot in recent times, I think you'd find he'd get a fair trial, and you wouldn't have ministers there saying he needs to "fry"

From noel.butler at ausics.net Wed Oct 1 01:56:38 2008
From: noel.butler at ausics.net (Noel Butler)
Date: Wed, 01 Oct 2008 10:56:38 +1000
Subject: [Full-disclosure] [inbox] Re: Supporters urge haltto, hacker's, extradition to US
In-Reply-To: <20081001005221.84B663FC186@valhalla.ausics.net>
References: <20081001005221.84B663FC186@valhalla.ausics.net>
Message-ID: <1222822598.11507.34.camel@roswell.ausics.net>

On Wed, 2008-10-01 at 10:52, Exibar wrote:

>
> < tons of dribble snipped>
>

They always say truth hurts the most

From Valdis.Kletnieks at vt.edu Wed Oct 1 04:42:10 2008
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Tue, 30 Sep 2008 23:42:10 -0400
Subject: [Full-disclosure] [inbox] Re: Supporters urge halt to, hacker's, extradition to US
In-Reply-To: Your message of "Tue, 30 Sep 2008 23:23:34 EDT."
References: <4b6ee9310809291642o5d6c2418t23c8d038b7341bbf@mail.gmail.com> <20080930163425.DCA76535@lists.grok.org.uk> <4b6ee9310809301148h63a922acode9474adac3890d5@mail.gmail.com> <1c89a5ed0809301207i1536ed54w126feab5b2ab8f8e@mail.gmail.com> <4b6ee9310809301210r6235eb04r65e017995c08fafa@mail.gmail.com> <4b6ee9310809301833n322fc40ew7b0ecac13597ddb1@mail.gmail.com> <58187.1222831046@turing-police.cc.vt.edu>
Message-ID: <59298.1222832530@turing-police.cc.vt.edu>

On Tue, 30 Sep 2008 23:23:34 EDT, Eliah Kagan said:

> Has anyone ever been prosecuted for using unsecured wireless for legal purposes?

Not to my knowledge - mostly because all the white hats are too damned busy dealing with bigger issues. I doubt that we, as a society, can ever get to the point where this one will be on prosecutor's radar. I certainly could envision a *civil* suit for somebody pirating an unsecured WAP - but unless the plaintiff has a truly viable and novel reason to claim huge monetary damages, it would be cheaper and more productive to just secure the WAP.

> Wouldn't that contradict FCC rules governing use of wireless (in the
> general sense of wireless), where a wireless system must accept
> interference?

No, because the interference regs have a very specific meaning - the wireless system isn't allowed to freak out and misbehave just because somebody uses a device in some *other* spectrum range. It's explicitly *allowed* to not work if something else stomps on its range (so if two WAPs overlap in channel and coverage, there's no requirement that *either* one work properly).

If your device *generates* interference, and it causes a problem for a device operating in a licensed spectrum range, it's your problem to cut the crap out. (So if your vacuum cleaner generates interference on your neighbor's TV, it's your problem).
If it's in an unlicensed range (as almost all consumer-class electronics are - cordless phones, WAPs, etc), it's basically up to the two parties involved to work it out between themselves somehow.

From erc at pobox.com Wed Oct 1 07:38:20 2008
From: erc at pobox.com (Ed Carp)
Date: Tue, 30 Sep 2008 23:38:20 -0700
Subject: [Full-disclosure] THC releases video and tool to create fake ePassports
In-Reply-To: <20081001081957.74d0a926@wssyg122.sygroup-int.ch>
References: <20080929220955.GC30277@segfault.net> <1b0d006c0809301617q1193fb79k8298e8a160c203f6@mail.gmail.com> <20081001081957.74d0a926@wssyg122.sygroup-int.ch>
Message-ID: <1b0d006c0809302338l2bd1074vaa5e527ae8b8976a@mail.gmail.com>

On Tue, Sep 30, 2008 at 11:19 PM, Tonnerre Lombard wrote:
> Salut, Ed,
>
> On Tue, 30 Sep 2008 16:17:55 -0700, Ed Carp wrote:
>> And obvious (and interesting) use would be to generate an ePassport
>> that would flag the bearer as having diplomatic immunity.
>
> As you may or may not have noticed, the bearers of diplomatic immunity
> in most countries do not get epassports "for security reasons".

Yes, but do the folks at the border know this? ;) A false diplomatic ePassport might get one out of a foreign country before it is discovered it is a fake - and I'd rather spend time in an American jail for a false diplomatic passport than in just about any other country for anything else!

From tonnerre.lombard at sygroup.ch Wed Oct 1 07:50:36 2008
From: tonnerre.lombard at sygroup.ch (Tonnerre Lombard)
Date: Wed, 1 Oct 2008 08:50:36 +0200
Subject: [Full-disclosure] THC releases video and tool to create fake ePassports
In-Reply-To: <1b0d006c0809302338l2bd1074vaa5e527ae8b8976a@mail.gmail.com>
References: <20080929220955.GC30277@segfault.net> <1b0d006c0809301617q1193fb79k8298e8a160c203f6@mail.gmail.com> <20081001081957.74d0a926@wssyg122.sygroup-int.ch> <1b0d006c0809302338l2bd1074vaa5e527ae8b8976a@mail.gmail.com>
Message-ID: <20081001085036.0f148087@wssyg117.sygroup-int.ch>

Salut, Ed Carp,

On Tue, 30 Sep 2008 23:38:20 -0700, Ed Carp wrote:
> >> And obvious (and interesting) use would be to generate an ePassport
> >> that would flag the bearer as having diplomatic immunity.
> >
> > As you may or may not have noticed, the bearers of diplomatic
> > immunity in most countries do not get epassports "for security
> > reasons".
>
> Yes, but do the folks at the border know this? ;) A false diplomatic
> ePassport might get one out of a foreign country before it is
> discovered it is a fake

Please remind me, which electronic attribute tags an ePassport as diplomatic if no diplomatic ePassports exist?

> - and I'd rather spend time in an American jail for a false
> diplomatic passport than in just about any other country for anything
> else!

You're into SM/torture? TMD.

Tonnerre
--
SyGroup GmbH
Tonnerre Lombard
Solutions Systematiques
Tel:+41 61 333 80 33    Güterstrasse 86
Fax:+41 61 383 14 67    4053 Basel
Web:www.sygroup.ch      tonnerre.lombard at sygroup.ch

From tonnerre.lombard at sygroup.ch Wed Oct 1 07:19:57 2008
From: tonnerre.lombard at sygroup.ch (Tonnerre Lombard)
Date: Wed, 1 Oct 2008 08:19:57 +0200
Subject: [Full-disclosure] THC releases video and tool to create fake ePassports
In-Reply-To: <1b0d006c0809301617q1193fb79k8298e8a160c203f6@mail.gmail.com>
References: <20080929220955.GC30277@segfault.net> <1b0d006c0809301617q1193fb79k8298e8a160c203f6@mail.gmail.com>
Message-ID: <20081001081957.74d0a926@wssyg122.sygroup-int.ch>

Salut, Ed,

On Tue, 30 Sep 2008 16:17:55 -0700, Ed Carp wrote:
> And obvious (and interesting) use would be to generate an ePassport
> that would flag the bearer as having diplomatic immunity.

As you may or may not have noticed, the bearers of diplomatic immunity in most countries do not get epassports "for security reasons".

Tonnerre
--
SyGroup GmbH
Tonnerre Lombard
Solutions Systematiques
Tel:+41 61 333 80 33    Güterstrasse 86
Fax:+41 61 383 14 67    4053 Basel
Web:www.sygroup.ch      tonnerre.lombard at sygroup.ch

From erc at pobox.com Wed Oct 1 08:22:32 2008
From: erc at pobox.com (Ed Carp)
Date: Wed, 1 Oct 2008 00:22:32 -0700
Subject: [Full-disclosure] THC releases video and tool to create fake ePassports
In-Reply-To: <20081001085036.0f148087@wssyg117.sygroup-int.ch>
References: <20080929220955.GC30277@segfault.net> <1b0d006c0809301617q1193fb79k8298e8a160c203f6@mail.gmail.com> <20081001081957.74d0a926@wssyg122.sygroup-int.ch> <1b0d006c0809302338l2bd1074vaa5e527ae8b8976a@mail.gmail.com> <20081001085036.0f148087@wssyg117.sygroup-int.ch>
Message-ID: <1b0d006c0810010022y73051b4ld05f9d94dfb8e5ff@mail.gmail.com>

On Tue, Sep 30, 2008 at 11:50 PM, Tonnerre Lombard wrote:
> Please remind me, which electronic attribute tags an ePassport as
> diplomatic if no diplomatic ePassports exist?

I'm sorry, but you don't have the appropriate security clearance for me to tell you, nor do you have a demonstrated need-to-know. The diplomatic version exists, all right, but I can't tell you which bits to set in the header to flag it as such - again, that's classified.

From pete at petefinnigan.com Wed Oct 1 12:38:02 2008
From: pete at petefinnigan.com (Pete Finnigan)
Date: Wed, 01 Oct 2008 12:38:02 +0100
Subject: [Full-disclosure] Oracle password cracker written in PL/SQL
Message-ID: <48E3611A.7070803@petefinnigan.com>

Hi Guys,

I have just released a free Oracle password cracker written completely in PL/SQL on my website. The reason for doing this is to try and encourage people to "test" passwords for strength in their own databases. I am not seeing any real improvements in password strength generally across the industry over the last 8 years. It is not the intention to replace the fast C based crackers such as woraauthbf but instead to supplement it.
In my experience I find that people have not covered the bases yet, that is they still have passwords set to usernames, passwords set to defaults and also extremely weak passwords. I often suggest to people to download binary based crackers but there is often a reticence to do this. Hence I decided to create a PL/SQL based one. This way there is no excuse, it's a SQL script that can be run in SQL*Plus and also it's going to find the core issues anyway before you need a faster cracker.

Some details on how it works and what it does are included in the page http://www.petefinnigan.com/oracle_password_cracker.htm for the cracker. You can also download it from the same page.

hope it's useful

cheers

Pete
--
Pete Finnigan
Principal Consultant
PeteFinnigan.com Limited

From kyrian at ore.org Wed Oct 1 12:45:59 2008
From: kyrian at ore.org (Kyrian)
Date: Wed, 01 Oct 2008 12:45:59 +0100
Subject: [Full-disclosure] The new Police Central e-crime Unit (PCeU)
In-Reply-To:
References:
Message-ID: <48E362F7.6090509@ore.org>

>
> The new Police Central e-crime Unit (PCeU) will provide specialist
> officer training and co-ordinate cross-force initiatives to crack down
> on on-line offences.
>
> http://community.zdnet.co.uk/blog/0,1000000567,10009434o-2000331759b,00.htm
>
> This is great news, I've been fighting for this ever since the
> National Hi-Tech Crime Unit (NHTCU) was closed down and merged into
> SOCA in 2006.
>

I sure hope they have actually employed some investigative staff who actually have a clue about how things work, and are actually going to work towards improving the failing legal framework in which they work ("the attacker wasn't in the UK so we can't help"??), rather than re-hiring the same staff from the NHTCU.

Having had to call them up due to an unnoticed hole left by a previous systems administrator that was exploited (obviously I was f**ked off that I missed it), I wished I hadn't bothered in the end. They were no help at all.
I don't think we even received a crime reference number for the incident.

It was a weird experience, though, it seemed more as though they were trying to work out my skills (and why would they want to know other than as a prelude to either hiring, or [eek!] framing me?), rather than being interested in the actual incident.

ISTR the excuse was they were 'going for' this guy because it was more 'high profile':

http://news.zdnet.co.uk/security/0,1000000189,39226548,00.htm

Which oddly, sounds rather like the McKinnon case in some respects, but enough about that one already!

K.

From mcwidget at gmail.com Wed Oct 1 10:36:05 2008
From: mcwidget at gmail.com (mcwidget)
Date: Wed, 1 Oct 2008 10:36:05 +0100
Subject: [Full-disclosure] [inbox] Re: Supporters urge halt to, hacker's, extradition to US
In-Reply-To: <59298.1222832530@turing-police.cc.vt.edu>
References: <4b6ee9310809291642o5d6c2418t23c8d038b7341bbf@mail.gmail.com> <4b6ee9310809301148h63a922acode9474adac3890d5@mail.gmail.com> <1c89a5ed0809301207i1536ed54w126feab5b2ab8f8e@mail.gmail.com> <4b6ee9310809301210r6235eb04r65e017995c08fafa@mail.gmail.com> <4b6ee9310809301833n322fc40ew7b0ecac13597ddb1@mail.gmail.com> <58187.1222831046@turing-police.cc.vt.edu> <59298.1222832530@turing-police.cc.vt.edu>
Message-ID: <4e324cb0810010236w5bcfb145qd2d27a72089f7cc4@mail.gmail.com>

On Wed, Oct 1, 2008 at 4:42 AM, wrote:

> On Tue, 30 Sep 2008 23:23:34 EDT, Eliah Kagan said:
>
> > Has anyone ever been prosecuted for using unsecured wireless for legal
> > purposes?
>
> Not to my knowledge - mostly because all the white hats are too damned busy
> dealing with bigger issues. I doubt that we, as a society, can ever get to
> the point where this one will be on prosecutor's radar. I certainly could
> envision a *civil* suit for somebody pirating an unsecured WAP - but unless
> the plaintiff has a truly viable and novel reason to claim huge monetary
> damages, it would be cheaper and more productive to just secure the WAP.

This has happened in the UK a few years back - http://news.bbc.co.uk/1/hi/technology/4721723.stm. A guy was fined £500, given a 12 months conditional discharge and had his laptop and wireless card confiscated for repeatedly using someone's unsecured wireless with his laptop from his car. There was no evidence to suggest he was doing anything malicious with it.

From xploitable at gmail.com Wed Oct 1 13:36:24 2008
From: xploitable at gmail.com (n3td3v)
Date: Wed, 1 Oct 2008 13:36:24 +0100
Subject: [Full-disclosure] [inbox] Re: Supporters urge halt to, hacker's, extradition to US
In-Reply-To: <4b6ee9310810010443m4626a988jd812388e60504452@mail.gmail.com>
References: <20080930232128.BE6363FC186@valhalla.ausics.net> <1222821563.11507.32.camel@roswell.ausics.net> <4b6ee9310810010443m4626a988jd812388e60504452@mail.gmail.com>
Message-ID: <4b6ee9310810010536j3a04bb42vc1878a7c93ddaed6@mail.gmail.com>

you're not getting our gary!!! leave our gary alone!!! he's not coming to your stupid u.s, so GTFO.

you're not getting our gary!!! leave our gary alone!!! he's not coming to your stupid u.s, so GTFO.

you're not getting our gary!!! leave our gary alone!!! he's not coming to your stupid u.s, so GTFO.

From xploitable at gmail.com Wed Oct 1 14:27:15 2008
From: xploitable at gmail.com (n3td3v)
Date: Wed, 1 Oct 2008 14:27:15 +0100
Subject: [Full-disclosure] Comments on: Kevin Mitnick detained, released after Colombia trip
Message-ID: <4b6ee9310810010627t7d25e434w684cfba5c14fded6@mail.gmail.com>

by n3td3v October 1, 2008 6:07 AM PDT

it's good to know they're keeping tabs on this person, it makes me feel safe. good work cops!!

http://news.cnet.com/8601-1009_3-10054569.html?communityId=2114&targetCommunityId=2114&blogId=83&tag=mncol;tback#5011632

From teuquooch1seero at hushmail.com Wed Oct 1 13:33:21 2008
From: teuquooch1seero at hushmail.com (teuquooch1seero at hushmail.com)
Date: Wed, 01 Oct 2008 08:33:21 -0400
Subject: [Full-disclosure] XSS in Celoxis project management software
Message-ID: <20081001123322.596761A0040@smtp.hushmail.com>

==Background==

From Celoxis.com:
> Celoxis is a comprehensive web based project management
> tool to improve collaboration and streamline management
> of projects, time sheets, expenses and even business
> processes specific to your organization

==Problem==

The Celoxis project management software contains several pages that accept parameters in their URLs and display the contents of those parameters as page content. Many of these parameters may contain HTML tags, including the