L0pht Gives FAQ of @Stake Merger 70
Duke of URL writes "The gray hat hacker think tank L0pht Heavy Industries has provided a FAQ list on their recent merger with @Stake. It sounds like there will be a few more changes than I personally previously thought, (i.e. Web site changes, etc.) but the good news is that L0pht 'will continue to act as a Consumer Reports style organization in posting our general findings through analysis and evaluation as general customers reviewing software.' Also Hacker News Network will still be run by L0pht/@Stake and will receive more time and resources.
"
Hey L0pht, nice hats. (Score:2)
But seriously, this is fantastic. Hackers get VC, story at 11--network security gets accepted as a real, actualy important thing. ohmigosh! What a concept! I've always admired the l0pht's methods of impriving security, and their general air of professionalism (with the normal caveats).
please post the faq if you get in (Score:1)
Thanks in advance
Re:OT: "white hat" hacker training material? (Score:4)
Some books to get you on the right direction follow:
1. A good C book if you do not already know C. I personally learned with C Programming, A Modern Approach, it's a good book. Knowledge of C is essential because you will need it to write your test exploits and most of the following books assume knowledge of C.
2. Advanced Programming in the UNIX Environment and a good OS theory book such as Operating Systems by Stallings or "the dinosaur book". This is necessary so that you understand the both the nature and implementation of modern operating systems.
3. TCP/IP Illustrated Volumes 1 and 2. These are necessary so that you understand TCP/IP at a very low level. Most attacks involve a network and that network usually runs TCP/IP, a lower level network book covering such topics as Ethernet may be necessary as well.
4. The Tao of the Buffer Overflow by Aleph1. This can be found in the Bugtraq archives. Stack based overflows remain the most common method of compromise (besides social engineering). This article does an excellent job of explaining how to exploit and find them. Dildog wrote an NT version for the l0pht which you may also need.
5. w00w00 published an article on heap based overflows which you may need.
6. A general Internet + Systems security book, O'Reilly has one I have heard good things about, I can't recall it's title. Note however that a general security book is not enough.
7. Various academic pubications and thesis papers. These can be an invaluable resource for descriptions of more esoteric attacks not covered in published books. These also have the benefit of assuming a much higher level of knowledge than most papers/websites/books for dummies.
8. OS Specific docs and books. In order to secure or break an OS you need to know everything about that OS.
9. Mailing lists such as Bugtraq and OS specific security lists will provide a history of previous vulnerabilities and solutions.
Security is a very broad and difficult subject requiring its practitioners to be skilled in many different areas. I hope this is a good transition and you enjoy your new post.
Cheers
Re:OT: "white hat" hacker training material? (Score:1)
2.B.I If they insist on it going out immediately, it gets sent to the list. My moderating policy ends here.
Whether or not it's a good thing is debatable. It does allow security people to threaten the vendor with disclosure without having to post the full exploit details.
For example, someone can post "I discovered a serious problem with MS XYZ, disable PDQ until MS produces a fix. If they don't have a fix out in 60 days, I'm going public." Now of course, the person could be lying -- perhaps there isn't really an exploit in MS XYZ PDQ, but that's up to the reader to judge.
--
Re:OT: "white hat" hacker training material? (Score:1)
What I did, in a similar situation, was to think like the dirtiest malicious-brand hacker. It was easy for me since I too was infatuated with the whole break n' enter side of things early on. I spent time reading exploits, and I was quite interested in how they worked. I sometimes felt the itch to do something stupid, but thankfully I was too chicken to actually mess around with systems -- unless I had permission.
My advice is to keep in the back of the mind how you would circumvent any security mechanism anywhere, especially outside your reign. This way you'll quickly spot exploitable configurations. It's amazing, when I started doing it myself, everything changed, I could instantly point out the weaknesses of any design I fully understood. This is really good for a programmer, very little will escape you if you pretend you're going to break you code later... but it also works with any system's configuration.
If you have in-house coding/development, talk to the developers, and find out what kind of access those programs have to your system that you don't want outsiders to get, ensure they're secured against abuse. Obscurity is (obviously) not a long-term solution to anything.
While doing this, learn about every service you provide... and look at all of the setuid programs that can be executed by users -- even if you don't give out shell access, if someone pulls a buffer-overflow on your webserver then thier 'nobody' user can still execute your setuid toys -- so really, you have to take a look at anything that people aren't supposed to have access to in the first place.
Finally, read CERT (and all the others) like you read slashdot, when an exploit is found, check to see if you're vulnerable.
---
It's not smut it's data
Re:These merged companies need elite names... (Score:1)
---
It's not smut it's data
Re:These merged companies need elite names... (Score:1)
'Bitch nuggets and elite ass bastards formerly known as l0pht'?
luv it when you talk dirty to me. start me up!
Re:OT: "white hat" hacker training material? (Score:1)
> I think he leaves it up to the person posting
> the security hole.
Of course its his policy, its his mailing list, he's the moderator. You have to send posts through him before they hit the list. He has in the past held onto a bug while waiting for a vendor to make a patch.
> Whether or not it's a good thing is debatable.
> It does allow security people to threaten the
> vendor with disclosure without having to post
> the full exploit details
Full disclosure is a good thing. It has been proven over the last 7 years of Bugtraq's existence. If vendors don't fix their bugs before they get out the door, the proven best method for getting things fixed is to force them through full disclosure.
> For example, someone can post "I discovered a
> serious problem with MS XYZ, disable PDQ until
> MS produces a fix. If they don't have a fix out
> in 60 days, I'm going public." Now of course,
> the person could be lying -- perhaps there
> isn't really an exploit in MS XYZ PDQ, but
> that's up to the reader to judge.
First off, this type of thing doesn't happen with a full disclosure list, because when others try and reproduce the results (one of the benefits of full disclosure) they see there isn't a problem. With 'partial' disclosure the scenario you lay out above COULD happen, since no one but the discoverer of the bug, the vendor, and perhaps the moderator of the list are involved.
Actualy, it is "in the can" (Score:1)
I am curious to see how it is. They did change it a little after some 2600 protesting.
Re:OT: "white hat" hacker training material? (Score:1)
And he got ripped for it. Thus the policy documented you linked to, where he pretty much leaves the disclosure policy up to the poster.
I'm not sure how BugTraq works. Would they reject a post that read "I discovered a serious problem with MS XYZ, disable PDQ until MS produces a fix. If they don't have a fix out in 60 days, I'm going public."? As far as day-to-day administration goes, I'd rather have that information (even inaccurate) than nothing. (Or is that enough info to give the black hats a clue, and not enough to really kick the vendor in the butt?)
--
Re:OT: "white hat" hacker training material? (Score:1)
I discover a bug. I do one of two things
1) Full Disclosure
I send the bug to bugtraq, along with whatever info i've been able to glean about it. This way, a huge community can first, verify that the bug exists, second, figure out an effective workaround, third, produce a patch, or make a stink about the vendor until they produce a patch
2) Partial disclosure
I send a scary letter to bugtraq saying theres a bug, but i don't want to release the details, and this is how I think you should fix it. Assuming my 'fix' is fine, everything works great, but if my 'fix' has a problem with it, no one can verify the problem since they don't know the nature of the bug. Responsible vendors start looking over their code trying to find the bug, or if the finder has notified them will release a patch, eventually. There aren't many vendors with quick security turnaround, so you have no alternative but to sit around and wait and hope the fix is the correct one. In the meantime, the blackhats, who are a lot smarter and quicker about finding bugs then vendors, figure out the problem, and start exploiting the bug.
I'd much rather go for #1.
Re:OT: "white hat" hacker training material? (Score:1)
Not much I can say about it -- which is the crux of the NTBugTraq problem -- they can't make you disclose anymore than you want to.
(For the record, I'm not advocating partial disclosure by any means, just casting doubt on if NTBugTraq is really responsible for white hats that prefer partial disclosure. It seems to me that folks in single vendor cultures [MS, IBM] tend to "give the vendor a chance to fix it" policy, while the "open systems" [Unix] folks seem to prefer the full review policy, preferably with source code at their disposal. Just something to chew over.)
--
Re:Consumer Reports? (Score:1)
"The Sun StarFire server has been found to tip over during fast/heavy CGI turning...."
"How to properly secure you're baby-pilot in its car cradle.."
ect...
Re:OT: "white hat" hacker training material? (Score:2)
----------------
"Great spirits have always encountered violent opposition from mediocre minds." - Albert Einstein
Re:please post the faq if you get in (Score:4)
Re:OT: "white hat" hacker training material? (Score:1)
Re:OT: "white hat" hacker training material? (Score:2)
Re:What am I missing (Score:1)
Re:These merged companies need elite names... (Score:2)
'Bitch nuggets and elite ass bastards formerly known as l0pht'?
Sorry, I didn't take Skr1ptk1dd13 as my elective foreign language in college.
Re:CNN is covering this too (Score:1)
A nice link for you... [slashdot.org]
Moderators -- Please, take your time while you moderate. Even looking at the URL without going there, would you think "http://www.dorsai.org/~delchi/cnn.htm" would be where CNN posts its news? With the label "CNN Entertainment"
Damn, Slashdot moderators need their heads checked...
Re:OT: "white hat" hacker training material? (Score:1)
For those behind evil firewalls... (Score:2)
1. Is it true? Did L0pht Heavy Industries actually merge with @Stake?
YES. L0pht Heavy Industries was incorporated, had employees on the payroll, and sold
software products and consulting services. In short, we were a real company and had
been operating that way for a couple years. L0pht Heavy Industries legally merged
with @Stake in the beginning of 2000 so we are all one company now. The new
company will go by the name of @Stake.
2. Why did you do it? You seemed to have a perfect club-house environment.
We strived to be (and achieved) a pure R&D environment. Unfortunately pure research
and development is not a very profitable arena. In addition, one needs business people,
sales and productization of services. So, while we tried to keep the research and fun
environment we were fighting a losing battle in making ends meet.
To summarize, we had problems scaling. Everyone was spending more money and
effort doing less research and experiments. The L0pht wanted desperately to avoid
having to compromise our goals and ideals which would have happened if we had
continued to go the route we were. The solution was obvious. We needed to find an
organization that valued the R&D work that we did, could benefit from it, profit from it,
and enable us to keep contributing to the community.
We feel very fortunate in having come across such people in @Stake. We see this as a
win-win situation where we will be able to do a lot of the research that we were unable
to do while just being the L0pht. We also feel very fortunate in finding an organization
that did not expect us to about-face in the way we approach sharing our findings with
people.
3. So, how's the cultural fit with @Stake? How do the L0pht's values fit in there?
Here is a PARTIAL list of components that we find work very well with our VALUES and
make us very comfortable about the merger:
@Stake is aiming to be completely product / vendor neutral. This enables them to
make the best design decision and recommendations possible to the customer
without unknown biases. This is accomplished in the following ways:
@Stake will not take commissions / kick-backs from product vendors for
recommending a product into a customer.
@Stake is in the business of providing strategic services rather than
tactical ones. What this means is that they see the benefit in helping design
/ implement solutions with security and functionality from the beginning
rather than looking for known problems and helping to only remediate them
when they could have been avoided all together.
@Stake will not sell products. Thus they do not have customers being
worried that they will recommend their own product even if it might not be
the best solution. What this means to us is that we get to continue coming
out with tools and programs but are forced to give them away for free!
How cool is that! We are completely non-biased in out opinions of products
and technologies, and we are able to continue our experimentation and
reverse-engineering of such. This also allows us to continue our "consumer
reports"-style announcements, papers and research.
@Stake is committed to a strong research and development leg as a method of
always being a leader and not just a follower.
@Stake wants smarter customers rather than dumber ones in the community. By
helping to educate everyone as much as possible it not only helps differentiate
the company but allows more interesting and thorough solutions to be deployed
for customers. This is the same belief that the L0pht has always held.
4. So what's going to happen to the old L0pht space you were in?
We still have the space. Some of the hardware projects that were going on over there
are just not practical to move. We are also setting up new lab space that has many of
the things that we could not manage at the old location.
5. And what about the webpage? Is it going to go away? Is it going to be put on
'atstake.com'?
Not in the immediate future. There will obviously be a period of time before we manage
to fully integrate everything. As was stated in a previous response one of the reasons
we embarked upon this merger is due to the like-minded beliefs. So, when the two web
sites finally merge you can expect to find the same sort of information that is currently
published in an even better format. It might even be that they stay as individual web
sites, one focusing more on R&D and the other on business angles. What it boils down
to is that you can expect some changes but the main focus will be quite similar to what
it currently is.
6. What exactly is L0pht doing over at @Stake? Are you consulting now?
The L0pht forms the nucleus of the Research and Development group in @Stake. By
continuing to push the envelope in security research we can help productize new
services to the consulting and business legs of @Stake.
7. What's going to happen to all the advisories? Are you still going to publish them?
The L0pht will continue to publish advisories. This will not change. The L0pht never did
and never will publish an advisory based upon insider information that would betray
someones trust. However, we will continue to act as a Consumer Reports style
organization in posting our general findings through analysis and evaluation as general
customers reviewing software.
We still beleive in Full-Disclosure in our advisories. We are also happy that we will be
better able to work with companies in giving them advance notice before posting
publicly to the world.
8. Are you still going to sell L0phtCrack? And AntiSniff? Will there be new versions?
Since @Stake is purely a consulting services company, it did not acquire the products
that were sold commercialy from the L0pht. L0phtCrack and AntiSniff are being moved
to a holding company independent of @Stake and will continue to be sold. We will be
donating the proceeds (after operational expenses) to non-profit and educational
organizations.
The free versions will continue to be free and include source code. A new version of
L0phtCrack was 95% complete at the time of the merger. The authors will probably
finish the last bit and release L0phtCrack 3.0 but the schedule is uncertain.
A Linux version of the researchers version of AntiSniff is underway and will be released
under the same free researchers license that the command line AntiSniff currently has.
9. What's the deal with Hacker News Network anyway? Is that actually part of L0pht, and
was it picked up by the merger?
Hacker News Network was run by l0pht employees on l0pht equipment so it certainly
was a part of l0pht. We feel it provides a valuable news source to the security
community so it will continue to operate as part of @Stake. We expect to be able to
spend more time and resources in making it an even better resource for the community.
10. How does it feel working with a bunch of business stiffs?
@Stake is definitely not populated with a bunch of business stiffs. One of the reasons
L0pht merged with @Stake was the quality of the people there. They understand our
vision of computer security. Some of them would even be considered hackers exactly
the same way we think of ourselves as hackers.
Things are a bit more businesslike at the merged company but the place is a place that
values openness, diversity, creativity, thinking outside of the box, and coming up with
non-conventional solutions.
11. What are the financial makings of this merger?
@Stake is not a publicly traded company right now and as such we are not able to give
those details. We are happy to say that the main impetus for the merger was the ability
to engage in much more grandious research work and not compromise our morals in the
process. We started into this field in order to learn, educate, and contribute and are
happy to say that we should only be able to do this things even better now.
12. You talk about 'Strategic Security Solutions' on the @Stake webpage, and you talk about
being truly 'vendor-neutral'... isn't that what everyone else is doing? What makes @Stake
different? Explain in small words.
The answer to question #3 should help on the vendor-neutral aspect being more than
just lip service.
As for the 'Strategic Security Solutions' this is similar to how the L0pht always handled
customers. An example in the software world between tactical and strategic might help:
Problem:
A buffer overflow was found in a section of code. The offending call was the
unbounded strcpy().
Tactical approach:
Replace that particular strcpy() call with the bounded strncpy(). If a
similar problem is found elsewhere later on fix that one after it is reported.
Repeat as necessary.
Strategic approach:
From the design point help model with security involved. Use bounded
string functions to remove that class of future problems.
Obviously the above is just an example of the way we see tactical being different from
strategic approaches. This is how we view all projects be they in the infrastructure,
content, operational, network, etc. fields. It also does not preclude us from
implementing tactical solutions as necessary but the main focus is enabling, not only
reacting.
13. I don't trust hackers like you. Why should I?
We call ourselves hackers using the original, positive meaning of the word. A good
definition can be found in Eric Raymond's Hacker's Dictionary. We think hackers have
higher ethical standards than most in the business world. We do not do anything illegal
with our computers or anyone else's. We get our kicks finding and solving security
vulnerabilities in products and technologies using our own networks, hardware, and
other resource. This is the way we have always operated and that is the way we will
continue to operate. If you can't relate to this, then you should probably reinvestigate
the meaning of the word 'hacker'.
14. Are you still going to get drunk and rant at cons? What about your 'professional image'?
We will continue to be involved in conferences the way we always have. Don't you
think that if @Stake had told Mudge he would not be able to have a beer with his friends
and talk about crypto-systems that would have been a show stopper for the merger
right there?
15. Are you hiring? Can I be a L0pht Member?
We are definitely hiring. We cannot thrive and be the leader in security without the
best people on the planet. Submit your resume to jobs@atstake.com if you are
interested. We want to work with the best and you probably do, too. If you have top
notch security skills in consulting or research we urge you to apply. That being said, we
cannot accept everyone that applies but will do our best to make sure everyone gets a
fair shake.
The L0pht is fully integrated with @Stake so there is no seperate group of people called
"L0pht Members". We are proud to call ourselves members of the @Stake team. We
will now be known as 'The Hackers Formerly Known As The L0pht', or perhaps some
unpronouncable symbol.
16. Does @Stake have an open-door policy?
@Stake operates in a similar fashion to most other professional service organizations.
The reason we went to the closed door policy at the L0pht was to enable ourselves to
get work done and not just have the place be a local hang-out for people wanting to
kick back with a beer and watch TV. While we will be more accesible at @Stake, we are
there to do R&D work and as such it will continue to not be an open-door-hangout type
environment.
Keep in mind, however, that L0pht has not had a true open-door policy for many years.
At our original location, the L0pht was more of a club-house and place for general
hanging-out of hackers from around the world. When we moved to our new location
and decided to do real research and provide to the community, the L0pht was not open
for everybody. We occasionally gave tours and threw parties, but the space was not
open for visitors 24 hours a day.
17. Are you still going to the MIT Swapfest and selling funky stuff?
We will still be going to the MIT Swapfest to see people and pick up various things. We
hope we won't have to sell our scraps at it anymore in order to make ends meet
However, as most people going to the MIT flea, we will also want to "upgrade our junk
pile". We will be selling, just not every month as in the past.
18. Are you still using your handles? Or are you going to use your real names now?
We have been using our handles for over 10 years now. It is what we have published
under in academic journals, magazines, books, given training courses under, and
provided recommendations to the US Senate under. As such they are as much our
recognized names in the security community and we will continue to use them. Many
companies seem to be scared of doing business with people using pseudonyms or
handles. This is a problem that we would like to solve. We are not really hiding from
anyone, but this is how we've been known for a long time, and for some, is what our
parents call us. We hope to educate those companies by showing them that its not the
name that's important, rather the information and services that can be provided.
19. What's up with Guerilla Net? Are you guys still doing hardware projects over at @Stake?
@Stake has committed to enabling the R&D labs to work on hardware related projects
as well as protocol and software ones. We see an ultimate marriage between all of
these areas as technology is progressing and would be remiss if we turned a blind eye
towards any of them.
20. Will you be coming out with any more T-shirts?
The T-shirts were fun little projects that we did more out of amusement than anything
else. Should the opportunity and inspiration strike again we would not rule out the
possibility of coming out with some new designs.
Re:OT: "white hat" hacker training material? (Score:1)
I highly recommend:
"Maximum Security: A Hacker's Guide to Protecting your Internet Site and Network" by Anonymous, published by SAMS, ISBN 0-672-31341-3
It's a real crackers/hackers point of view book, with heaps of refs to web sources/sites/RFCs etc.
Very good.
--
Simon
Re:These merged companies need elite names... (Score:1)
________________________________
Re:OT: "white hat" hacker training material? (Score:3)
> up breaking into systems that is along the
> lines of Applied Cryptography.
Sure there is. Hacking Exposed. Its already been mentioned in this thread, but its a great resource. I'm a security manager for a large ISP that is responsible for penetration testing as well as a bunch of other stuff, and being that its rather hard to find qualified security people for reasonable salaries, hiring a good unix/nt guy and making him read that book has proved pretty effective at making people 'think secure'
Also, the content of that book comes out of the security practice at Ernst and Young, where they offer a great 5 day course called "Extreme Hacking" [ey.com] (as well as courses on Incident Reponse and Computer Forensics) , taught by some of the authers of "Hacking Exposed". Its $5000, but well worth it if you don't have the white or grey hat background. I haven't taken the course (my grey hat saved me $5k
Another important point to consider is that you don't neccesarily need to have black hat skills to sucessfully secure a system. It helps, but you don't need it.
@Stake isn't just l0pht (Score:1)
Re:CNN is covering this too (Score:1)
Still, I'm hoping that Takedown: The Movie never actually gets made. Honestly, whatever a person may think about Kevin, a movie about him from Miramax will probably be a hacker/techie nightmare. I can see it now, "Christopher Walken to play darkside hacker Kevin Mitnick. You've Got Mail star Tom Hanks to play the man who brought him down, John Markoff."
Honestly, it would just be an excuse to paint all hackers with a broad brush, as evil, demon-like people. So, here's hoping Markoff's dreams of having his "masterpiece" filmed go up in smoke.
I hope the @stake merger doesn't domesticate the L0pht, but I'm going to wait and see before making a judgement.
Re:OT: "white hat" hacker training material? (Score:1)
Re:OT: "white hat" hacker training material? (Score:1)
Oh man, did the pick the wrong name (Score:2)
Re:Damned internet filters... .. begone. :) (Score:1)
it tacks on the destination address to the end of the URL; it may or may not be blocked at your companies proxy:
here [magusnet.com] for a https connection to the l0pht article, or
here [magusnet.com] for a regular http connection.
For reference, the address is:
Standard HTTP ---
http://proxy.magusnet.com:8081/-_-http://[the site you want]
SSL ---
https://proxy.magusnet.com:9000/-_-http://[the site you want]
Hope this helps you.
Mirror (Score:1)
Re:OT: "white hat" hacker training material? (Score:1)
In fact, on further thought I should have included Applied Cryptography itself on that list because knowledge of how to break and detect weak cryptosystems is necessary.
Hacking Exposed is probably a good start but it certainly cannot cover all of the information at the level of detail he will need.
Re:OT: "white hat" hacker training material? (Score:1)
> In the next month and a half or so I'll be
> making a transition out of my current job into
> another post. This new position will require
> me, among other things, to crack our pre-
> deployment systems so that holes can be patched
> before release.
Hacking Exposed can certainly get him a good start on that. I'm assuming this is not a full fledged security job, because it was, they wouldn't be hiring someone who's posting here asking how to do the job. If this is a full fledged security job, I agree with what you've posted for resource however: You can read all you want, there's no substitute for experience, on the white or black hatted side of the line. If yer looking to become a full fledged security professional, you can't just read what others write (although you do have to do that). Thats where 99% of the security "professionals" come from, and they have no idea what they are doing because, while they may know how aleph1 writes a buffer overflow, they don't know where the buffer overflows are on their system.
Re:OT: "white hat" hacker training material? (Score:1)
Just browsing SecurityFocus can be immensely educational, especially some of the guest features. I've told them before, but if any of the securityfocus folks are reading this, Thank you for a great tool!
Re:What am I missing (Score:2)
post on www.ompages.com/news, it's free, no login required, and no moderators...
mergers, mergers and more mergers (Score:1)
Good for them! (Score:2)
OT: "white hat" hacker training material? (Score:3)
In the next month and a half or so I'll be making a transition out of my current job into another post. This new position will require me, among other things, to crack our pre-deployment systems so that holes can be patched before release.
I don't think I'll have much trouble with the more prosaic "skript kiddie" side of the assignment, things like netcat and ping floods, but I'm concerned that I might miss some of the less glamorous holes due to lack of specific training in "white hat" cracking. This groups is more concerned about a coalition like the l0pht finding a vulnerability than they are about the more typical attacks.
Does anyone here have any expertise or suggestions about suitable books or webpages? Something along the lines of Applied Cryptography, except in the domain of cracking. Again, I'm looking higher-level material, not Online Hooliganism for Dummies
Thanks!
-konstant
Yes! We are all individuals! I'm not!
Re:OT: "white hat" hacker training material? (Score:3)
OKOK, I could not spell my name without notes, but check the above places as well as Packetstorm (link at http://www.hackernews.com), yea a daily scan of hackernews is good too.
Listen to Off the Hook http://www.2600.com/offthehook/ check 2600 news daily, buy 2600 magazine too for a general look at some of the more out-of-the-way items that crop up.
Your local 2600 meeting (if there is one in your area) will probably have other professionals with the same concerns as you, with solutions.
These merged companies need elite names... (Score:2)
How Many More Changes (Score:1)
Still I do think that the community will come out for the better, but if this many changes have already been announced then how many more are planned that we don't know about? For better or worse?
Re:OT: "white hat" hacker training material? (Score:1)
Cert: http://www.cert.org/ [cert.org]
Packetstorm: http://packetstorm.securify.com/index.s html [securify.com]
and Attrition has some stuff too http://www.attrition.org/ [attrition.org]
Re:What am I missing (Score:1)
So, you re-reporting it really does add nothing to it. But with the L0pht posting a FAQ, that's new news, rather than old news.
Consumer Reports? (Score:5)
Cover: More bugs found in W2K. Microsoft denies problem exists and says they're working to fix it as quickly as possible.
MacOS: Most secure? Performance details p. 30
AOL users swindled (again)- passwords leak out by the thousand.
AOL 5.0 Upgrade of Death: Marketing ploy or gross incompetence?
Slashdot source released: Malda's e-mail was out for a few weeks, thus bypassing the mandatory "24 hour wait per request" problem.
L0pht drops SuperMegaCorp's pants with another vulnerability.
The Press: Getting it wrong again. HNN goes inside to reveal why "they didn't get it" again.
Buffer Overflow found in Cup 'O' Noodles. (After 2:30, the thing spills all over the inside of the microwave).
Also inside: A feature on Kevin Mitnick - Martyr or idiot, and an in-depth review of Emacs as an Operating System.
Re:These merged companies need elite names... (Score:1)
________________________________
Bah... why couldn't they just say... (Score:1)
Re:OT: "white hat" hacker training material? (Score:1)
Damned internet filters... (Score:3)
SmartFilter Control List Restriction
SmartFilter denied access to the URL http://WWW.L0PHT.COM/MERGER.HTML It matches the category 'Criminal skills content'.
If you have a business reason to access this site, in adherence to Company Internet Use policy, there may be an error in the category sites list. Please contact your Division IT Director to have the error corrected.
Randroid Watch (Score:1)
Of course the other choices aren't that great either-- AntiOnline (haha, yeah right..) or Rootshell (completely out of date). Bugtraq is good but it mostly focuses on bugs not hackers.
Too bad there isn't a site that reports on the biases of the different internet news sources (and I don't just mean computer-news sites).
Business as usual... (Score:1)
Re:OT: "white hat" hacker training material? (Score:3)
There's a lot of stuff deliberately left out of it, along the lines of specific exploits to run on a buffer overflow (if you need it, go write it yourself!), but gives information on general attacks.
For higher security, check out some of the lovely online articles, like the stuff on Sage [usenix.org]. The 'securing a Solaris server' is definitely required reading, regardless of your platform.
Should have kept the name (Score:2)
Jazilla.org - the Java Mozilla [sourceforge.net]