malsploit

A fost un fel de compromis si decizia a fost luata la area51. Cei care au serviciile sticky, doneaza bani pentru plata serviciilor de hosting.

Nu o sa te ajute nimeni cu parola. Parola este criptata pentru a tine pe cei ca tine departe de respectivul program. CRYPO: Encrypt or Decrypt sensitive data using AES/DES/RCA encryptors.

E o poveste pe care eu am auzit-o de prea multe ori. Daca e cu adevarat contul tau, exista modalitati prin care poti redobandi accesul la el. Vorbesti direct cu cei de la facebook, le arati niste dovez, le dai niste date si se rezolva problema. Daca vrea cineva sa te ajute, iti poate trimite un mesaj privat si vorbiti intre voi.

Unii dintre voi va plangeti ca niste fete la ciclu. Incercati sa fiti ontopic, sa invatati cate ceva, sa ajutati comunitatea si nu o sa mai considere nimeni inutila prezenta voastra. Daca a primit cineva ban pe nedrept, problema s-a discutat in interiorul staff-ului si a fost rezolvata. Gecko a fost ales moderator de catre noi. A facut mai multe pentru forum decat multi dintre noi si nu e corect fata de el nici fata de voi, sa-l tratati asa. Daca a existat vreo decizie nedreapta de a lui, aceasta a fost dezbatuta la Area51. O sa facem o discutie interna si e posibil ca acest thread sa fie vizibil doar pentru admini si moderatori. Cand cineva are o problema reala cu cineva din staff, posteaza aici si daca este ceva ce merita atentie, vom rezolva problema si vom face postul public.

Strategia Minutul urmatorului gol cu intervale de 10 minute Prezentare si intrebari

hater... Files from Cernica Ionut Cosmin ? Packet Storm https://www.linkedin.com/pub/cernica-ionut/45/447/ba8 PayPal Fixes Vulnerability That Allowed Hackers to Delete Any Account – Video (Updated) PayPal fixes critical account switcheroo bug after researcher tipoff • The Register

Reckon, urat din partea ta

Are you reading this blog? If so, you are committing a crime under 18 USC 1030(a) (better known as the “Computer Fraud & Abuse Act” or “CFAA”). That’s because I did not explicitly authorize you to access this site, but you accessed it anyway. Your screen has a resolution of 1920x1080. I know this, because (with malice aforethought) I clearly violated 18 USC 1030(a)(5)(A) by knowingly causing the transmission of JavaScript code to your browser to discover this information. So we are all going to jail together. That's silly, you say, because that’s not what the law means. Well, how do you know what the law means? The law is so vague that it’s impossible to tell. The CFAA was written in 1986. Back then, to access a computer, you had to have an explicit user account and password. It was therefore easy to tell whether access was authorized or not. But then the web happened, and we started accessing computers all over the world without explicit authorization. So, without user accounts or other form of explicit authorization, how do we tell if access to a website is “authorized” or not? Well, we could come up with a theory of “implicit” authorization. Obviously I intend people to read this blog, and therefore, I’ve implicitly authorized you to do so. Likewise, your browser makes your screen size available to JavaScript so that websites can render better, so it’s implicit that you’ve authorized me to grab this information. But what are the limits of implicit authorization? Let’s say you are reading a website that has “articleId=31337” at the end. You wonder what the next article is, so you go to the URL and change it “articleId=31338” and hit return. Have you “exceeded authorized access”? It’s hard to say. If article “31337” is public, why not “31338”? But in our scenario, let’s say that article “31338” is a press release that is not intended to be published until tomorrow announcing the quarterly corporate earnings. While the article itself is online, a link to it won’t be posted to the home page until tomorrow, so not even Google spiders can find it. Because you’ve gotten early access, you can make a huge profit buying/selling stocks. Is it your fault for accessing the pre-posted financial results? Or their fault for making them accessible? What does the Computer Fraud and Abuse Act say on this matter? A well-known legal phrase is “ignorance of the law is no defense”. But that doesn’t really apply here. You know the law exists. You may have read it in detail. You may have even consulted your lawyer. It’s just that nobody can tell precisely whether this act as crossed the line between “authorized” and “unauthorized” access. We won’t know until if and when somebody tries to prosecute you. Let’s say that instead of trying to profit from your accidental discovery, you simply post it to your blog, saying “look at what these idiots have done”. As a Fortune 500, the FBI takes notice, searches your home, confiscates all your computers, arrests you, and successfully convicts you under the CFAA. This is selective enforcement. The FBI doesn’t go after everyone who adds one to a URL, only those who embarrass the Fortune 500. They don’t go after any cow in the herd, only those who stick their heads up. This violates the concept of “rule of law”. Everyone isn’t treated equally under law, some are treated more equally than others. For cybersecurity researchers like me, this creates chilling effect. In order to fix security we have to point out when it’s broken. When we see this broken press release, what do we do? Do we keep our head down, or do we speak up? Even if we'll probably be found innocent, why take the risk? Better to keep quiet. This is the issue behind the recent conviction of Andrew Auernheimer for “hacking” AT&T. The guy isn’t a criminal. He wasn’t trying to profit. He simply noticed that AT&T had made user accounts publicly available, and published proof. He believed that since the information was publicly available he was not exceeding authorization. He stuck his head up above the herd. For that, he was convicted today under the CFAA and is on his way to jail (well, currently still out on bail awaiting sentencing). By the way, this post is based on the legal concept “void for vagueness". It’s good reading. Errata Security: You are committing a crime right now Vechi, dar interesant.

Faptul ca ai facut un print-screen in care ti se vad ip-urile dupa care te ascunzi, e o chestie prosteasca. Se pot face legaturi, de catre cine are posibilitatea, intre ora la care ai facut postarea, ip-ul pe care l-ai folosit in acel moment etc. Au fost utilizatori care au folosit mai multe solutii de anonimizare decat tine si tot au fost prinsi. Au facut unele greseli la un moment dat.

Inchidem thread-ul. Deja o dati in chestii ciudate cu vise umede.

Bine ai venit! Sper sa ramai la fel de entuziast si pe viitor.

Multi dintre utilizatorii de aici suntem la curent cu legislatia. Suntem constienti ca se pot face abuzuri de ambele parti. Inchidem thread-ul ca iar ati inceput sa renuntati la idei cand vreti sa argumentati ceva.

si marmota invelea ciocolata in staniol...

Topic inchis onslaught a primit ban pentru acumulare de infractiuni.

Asa sti tu sa argumente-zi? https://rstforums.com/forum/71013-demascarea-industriei-muzicale-romanesti-2.rst#post459703

Ai primit ban 7 zile. E posibil sa se transforme in permanent. Sa vedem ce zic batranii. Nu mai tratati totul ca pe o joaca.

A primit ban pentru acumularea de infractiuni

Cine a comentat aiurea in postul asta, a fost avertizat. Incercati sa va abtineti. @andr3yutzu12 : https://en.wikipedia.org/wiki/Transmission_Control_Protocol https://en.wikipedia.org/wiki/User_Datagram_Protocol Informeaza-te putin si o sa vezi ca exista lucruri mai interesante si uneori mai amuzante

Bafta! sa ai grija de tine! Oricum e destul de trista situatia ta. In loc sa infrunti niste idei, alegi sa fugi(te retragi). Asa o sa faci toata viata? Deja mi-e mila de cei care or sa iti stea alaturi si or sa aiba incredere in tine. Prostii nu trebuiesc incurajati. Si ted bundy avea potential.

Certati-va pe mirc.

Te simteai mai bine daca iti ziceam ca esti ratat? Tinkode a fost unul dintre administratorii RST. Nu zice nimeni sa-l pupi in cur. Daca nu iti convine ceva la el, da-ti intalnire cu el si spune-i in fata sau ignora-l. Nu ne intereseaza pe noi ca te exciti cand il faci ratat. A facut greselile lui dar nu cred ca merita sa-l faci tu ratat. Cearta-te cu oameni adevarati, nu cu nick-nameuri, socializeaza, mai iesi pe afara. Uneori face minuni si poate te ajuta sa scapi si de iesirile astea.

Am raportat niste xss-uri de proba si au dat duplicate la toate. Fac la fel ca la paypal.

Povestea a continuat La vreo 2 saptamani, am primit un email de la CISO in care mi se propunea sa testez periodic securitatea site-urilor administrate de catre companie. Le-am zis ca sunt interesat si joi m-am intalnit cu CISO-ul lor la bucuresti si am semnat un contract de consultanta. Am posibilitatea sa fac orice fel de teste, atata timp cat nu pun in pericol infrastructura. Am primit acces la reteaua interna a companiei si chiar am posibilitatea sa fac SE pe angajati. Mi s-a permis sa public ce vulnerabilitati gasesc numai pe blog-ul meu, pe care l-am specificat in contract. Inainte de data de 5 a fiecarei luni trebuie sa fac un raport in care sa le spun ce am gasit si pana pe data de 10 primesc o anumita suma de bani.

In loc sa va plangeti de comportamentul unor persoane din staff, ganditi-va ce cautati in aceasta comunitate. Nu cred ca a incercat cineva sa invete ceva aici si a fost luat la misto sau injurat. Asa functioneaza RST. Daca tipi in gura mare ca esti prost, nu trebuie sa ai pretentia ca cineva sa te ia in serios sa sa te respecte. Ganditi-va ca persoanele din staff, sacrifica si timp si bani pentru a tine comunitatea in picioare. Cand am venit prima oara pe rst, l-am facut ratat pe kw3. Am postat un thread nou si ca titlu am pus un vector xss. Au ras toti de mine, dar si-au facut timp sa imi arate ce inseamna un xss. Apoi m-a banat kw3. In general, acum ceva vreme, orice prietenie buna pe RST, incepea cu o inuratura. //incercat sa ramaneti ontopic aici.

Nu e amuzant. Asta e amuzant: