Forum Replies Created
dan-i-am (Member)

I'm not sure. It's a catch either way. Here's the dilemma.

If an exploit has been found and it is being actively used across the network community then, obviously, not much more harm can come if it is released to the public. However, if it's not a well known exploit (such as logfile, and adding IDs) then is it beneficial to make it well known, if only for a few days until it's patched? Take a look at this …

Let's use fictitious numbers to represent the percentage of users exploiting any particular vulnerability and the potential damage.
Scenario 1: Well Known Exploit – Unpublished (to a major source such as BugTraq)
Used by: 70% (of Yahoo community)
Potential additional damage if released: 100% of community using this exploit.

With this scenario… the damage only increases 30%… not really a big deal. Publishing this exploit doesn't really add much more harm.

Scenario 2: Little Known Exploit – (only available to a small community of hackers/lamers/etc.)
Used by: 20%
Potential additional damage if released: 100% of community.

Now… you can see an 80% increase in possible abuse if this is released. Publishing this exploit greatly increases the chances of abuse.
This is a classic and historical dilemma often portrayed in movies. "Do we sacrifice a few to save many?" or "Do we sacrifice many to save a few?" Consider the very recent airspace breach around the White House a few weeks ago. A decision could have easily been made to shoot down the airplane that was heading toward the White House (sacrifice a few to save many).

I hope you aren't taking my responses the wrong way. I (and I'm sure many others) appreciate the diligence involved in discovering these holes. I just wonder if, sometimes, a greater advance notice is needed to Yahoo (though by your experience, they don't seem to really care as much as they do). I'm actually enjoying this thread more now that you've joined it. It's actually good to hear from the source.
Take Care,
– dan –
dan-i-am (Member)

Torseq Tech. wrote:
> Dan – Yes, notified Yahoo! Inc. at exactly the same time (within minutes or so) of releasing the first two bugtraq advisories.

Well, you see, that is part of my issue here. While it is very noble of you to have contacted Yahoo and have done your part to find these flaws, I don't agree with the lack of notice you gave them before releasing the details to the public. Once that Bugtraq is out, it's public knowledge.

Read this excerpt from one of yesterday's Bugtraqs:

> "NGSSoftware are going to withhold details of this flaw for three months. Full details will be published on the 25th August 2005. This three month window will allow users of L-Soft's LISTSERV the time needed to apply the patch before the details are released to the general public. This reflects NGSSoftware's approach to responsible disclosure."

If you are really concerned about the security aspect of these exploits, then why not give them advance notice before it's public knowledge?

Once again, I'm sure the Yahoo community appreciates your diligence but for the sake of protection, a little more advance warning would probably help. Even though their responses to your emails seemed nonchalant, at least give them the chance to correct the problem first. Then, after a few weeks, if the issue has not been addressed, then I fully support the "slap in the face" approach of making it public knowledge. Sometimes this is what it takes for them to step up to the plate.

Lastly, I agree that the problem with logfile is a serious one, but only now since the exploit has been published. Hopefully they'll do something about it as the 7.0 Beta builds are released.
– dan –
dan-i-am (Member)

UnSaKreD wrote:
> Hey Dan, that particular day/week/month range varies from security company or individual. Sometimes it's 2 weeks, others it's 30 days.

Yeah, I know all about it. I was just curious about his advance notice since it wasn't listed in the BugTraq. Ironically, it was you (through your post here) that I found this out from, because I didn't realize my Gmail notification wasn't working (which is where all my BugTraq mail goes to).

It's angering reading through the BugTraqs and seeing how many times a company has been given plenty of advance notice to fix the exploit or alert their customers but they do nothing about it. By the time it becomes a BugTraq warning it's like a slap in their face to fix the problem. Only then do they seem to "jump" and do something (if only superficial) about the problem.

Also, I know, Brandon, that you probably (through our conversations about BuddySpy) didn't realize that I've been in the I.T. industry for many years. I have been part of several I.T. "Think Tanks" and such, and in each one this topic of exploits and patching seems to come up. Many tend to criticize Microsoft for the number of Service Packs and other patches they come out with. I, however, applaud companies like that who are diligently patching. Yes, the number of patches indicates the number of vulnerabilities, but at least they are getting patched. Using Microsoft as an example again, do you realize that a vast majority of viruses that affect Microsoft software could have been prevented by System Admins and Engineers around the world if they had applied previously released patches? This means they are one of the few companies that aggressively pursues exploits and does something about them.

Though I am not a coder, I am a Computer Science major and have been around this a while. I know that coding is not an exact science and mistakes are bound to happen. It's human. However, I think more companies, such as Yahoo, should have a better open door policy and more avenues to report such exploits as they are found. Maybe they can even offer some type of reward based on the severity. Bugtraq posters, however, are not looking for financial rewards. For the most part, they seem to be doing it for the good of the industry (hence the good faith efforts to notify each vendor).

Anyways, enough rambling; just my two cents, and then some 😀
– dan –
dan-i-am (Member)

Torseq Tech. wrote:
> For those of you that still think this works, it doesn't. Yahoo! fixed this several days ago (should have fixed it sooner). "Fixed" as in disabled the functionality altogether until they can make sure that this won't occur again.

Assuming that you are the same "Torseq Tech" that discovered this original flaw (as noted in the Bugtraq), I think it's awesome that you have joined this forum and have added to it.

I have a question for you. In many of the BugTraqs that I have read (I get them in my email every day) most authors include what steps they have performed in order to contact the responsible vendor of the security exploit they have found. In your 5/13 Bugtraq release of this exploit, I can find no such notification, although I'm sure you had tried. Did you try to reach Yahoo in advance? If so, how far in advance did they know about this and fail to do anything?

I have found a BugTraq submission from 2/21/2002 that mentions the ability to add names without permission, just like you mentioned. Apparently Yahoo is slow to implement patches when vulnerabilities are discovered.
Thanks again for your input in this site.
– dan –
dan-i-am (Member)

pcaddicted wrote:
> Hi Dan,
> I downloaded the newest beta release, not being successful in logging in as of yet. Can I ask what server yours is set on and what port it is on?
> I reinstalled previous versions and they will log in. When I try them on myself they always show me offline even when I am on and visible. Saying that, you can see why I am anxious to try out the new beta. Any info or suggestions would be appreciated. I agree, kudos always to Unsakred; his talents seem unlimited.

Pcaddicted,

I am using cs16… default port of 5050.

I changed to this one a couple of weeks ago when Yahoo was doing some patches and bots were having trouble logging in. If you are trying to narrow down whether it's a server problem, just do a netstat while you are in a chatroom and see what server you are connected to and switch BuddySpy to that one… at least you know it's one that is accepting logins. However, I'm sure Unsakred knows his app much better than I, so you might have to wait until he can figure it out.

– dan –
dan-i-am (Member)

Hey Brandon,
2.2.3 is looking good. I love the export function and the timer. Awesome stuff.
A couple of notes.
1) As with the previous releases, the timestamp in the "Status Report" does not change upon subsequent scans. It will retain the time of the first scan on that name and never change. However, the correct timestamps appear in the "History".
2) This release (not sure if it happened in previous ones) is doing an ID check even though the option is not checked.
3) The Automatic Update works well, however, due to the nature of bots logging themselves out (or Yahoo disconnecting them) is it possible to have it check if it’s logged in and, if not, log back in before continuing. I had a scan going all night only to find out that it stopped a couple hours after I started it because the bot was logged out.
4) This color coding on the “History” is awesome because you can quickly differentiate statuses when going through a long list. Is it possible to carry this same color scheme over to the exported HTML page so that is easily readable as well?
This is getting better and better with every .x release.
– d –
dan-i-am (Member)

A feature just for me? I'm honored 😀

I can't wait to play with it. I just downloaded the latest Beta.

I'll report back soon 😀

– dan –
dan-i-am (Member)

fd64stang wrote:
> I done the same. I'm not trying to argue with you or anyone else. My point is – if Buddy Spy is going to stay – why not release the Anti-Buddy Spy as well. That way it is fair. At least with the Anti-Buddy you're only checking who is being nosey with you – not everyone.

OMG… Quick, someone call Bill Gates and have him create a tool that will expose every known exploit for Windows!
Sometimes, I just can’t believe what I’m reading in these posts :rolleyes:
– dan –
dan-i-am (Member)

UnSaKreD wrote:
> The Scan History bug should be fixed in 2.2.02; I haven't had any problems with it as of yet. As for your question, it is time based. 10 attempts to join the same room within a certain time allotment. I believe anyway.
> I'm working on that. Are you using the newest update, Dan? Or are you still on the original release?

I'm on 2.2.1
dan-i-am (Member)

As of 5:45PM (CST) on Sunday 5/15 – I was still able to perform this test on myself, therefore it has not been patched yet. 🙁
– dan –
dan-i-am (Member)

dan-i-am wrote:
> "Automate 5" is a software package used for automating tasks… basically macros for automating any Windows function.
>
> Brandon,
>
> Some more info for ya…
>
> I noticed another quirk in the "history" page. It never displays the name of the room in the history. It will always come back as "Not In Chat".
>
> Also… question…
>
> I know that if a user attempts 30 times to get into any number of chatrooms in a short time period, then that ID will be blocked from entering any room for about 10-15 minutes. Also, if you leave a chatroom and try to enter any room (even the same one) you are allowed only 10 attempts. This has been my Yahoo experience forever and others have known this also.
>
> My question to you is… are the bots we are using in "Buddy Spy" susceptible to this behaviour as well? It appears as though they may be. I recently tried scanning my own name in one of the "Lobbies" with only 4 people in it… and it showed me online… just "Not In Chat". However, I logged out and in with a different bot and the result was correct. It found me in the room I was in.
– dan –
Hey…

Any clues on this yet?

Thanks,
– dan –
dan-i-am (Member)

Let's twist this a bit.

Does anyone know of a way to make your aliases appear offline when your main ID is online?

– dan –
dan-i-am (Member)

Dobrin wrote:
> I downloaded AutoMate 6 but can you tell me how to configure that task so that Buddy Spy scans a list every 5 minutes (I can't find the "wait a certain time" task in the Task Builder)?

When you start up the wizard, one of the first screens allows you to add a "trigger" event. Add a "schedule watcher" trigger and set your interval.
– dan –
dan-i-am (Member)

"Automate 5" is a software package used for automating tasks… basically macros for automating any Windows function.

Brandon,

Some more info for ya…

I noticed another quirk in the "history" page. It never displays the name of the room in the history. It will always come back as "Not In Chat".

Also… question…

I know that if a user attempts 30 times to get into any number of chatrooms in a short time period, then that ID will be blocked from entering any room for about 10-15 minutes. Also, if you leave a chatroom and try to enter any room (even the same one) you are allowed only 10 attempts. This has been my Yahoo experience forever and others have known this also.

My question to you is… are the bots we are using in "Buddy Spy" susceptible to this behaviour as well? It appears as though they may be. I recently tried scanning my own name in one of the "Lobbies" with only 4 people in it… and it showed me online… just "Not In Chat". However, I logged out and in with a different bot and the result was correct. It found me in the room I was in.
– dan –
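The join-throttling behaviour described in the post above (a burst of join attempts locks the ID out of every room for a while, and only a limited number of re-entry attempts are accepted after leaving a room) is a standard anti-abuse control on the service side. The sketch below is an added illustration of how a chat service could implement and audit such a policy; it is not BuddySpy code, not Yahoo's implementation, and every numeric default (window length, lockout length, the 30 and 10 limits as the post reports them) is an assumption chosen for the example.

```python
from collections import defaultdict, deque


class JoinThrottle:
    """Server-side throttle for chatroom join attempts (illustration only).

    Two budgets are enforced per user ID:
      * a sliding-window cap on total join attempts; exceeding it locks the
        ID out of every room for lockout_s seconds;
      * a smaller re-entry budget that applies for one window after the
        user leaves a room.
    All defaults are assumed values, not the real service's settings.
    """

    def __init__(self, max_joins=30, window_s=60.0, lockout_s=900.0,
                 rejoin_limit=10):
        self.max_joins = max_joins        # attempts allowed per sliding window
        self.window_s = window_s          # sliding window length in seconds
        self.lockout_s = lockout_s        # lockout after exceeding max_joins
        self.rejoin_limit = rejoin_limit  # attempts allowed after leaving a room
        self._joins = defaultdict(deque)  # user -> timestamps of recent attempts
        self._locked_until = {}           # user -> time at which lockout ends
        self._leave = {}                  # user -> [leave_time, attempts_since]
        self.events = []                  # denial audit trail for monitoring

    def _prune(self, user, now):
        # Drop attempts that have fallen out of the sliding window.
        q = self._joins[user]
        while q and now - q[0] > self.window_s:
            q.popleft()

    def leave_room(self, user, now):
        # Leaving a room starts the limited re-entry budget.
        self._leave[user] = [now, 0]

    def attempt_join(self, user, room, now):
        until = self._locked_until.get(user)
        if until is not None and now < until:
            self.events.append((now, user, room, "locked"))
            return "denied:locked"

        self._prune(user, now)
        q = self._joins[user]
        q.append(now)
        if len(q) > self.max_joins:
            # Global budget exhausted: lock the ID out of all rooms.
            self._locked_until[user] = now + self.lockout_s
            q.clear()
            self._leave.pop(user, None)
            self.events.append((now, user, room, "rate"))
            return "denied:rate"

        leave = self._leave.get(user)
        if leave is not None:
            left_at, used = leave
            if now - left_at > self.window_s:
                # Re-entry budget only applies shortly after leaving.
                self._leave.pop(user)
            elif used >= self.rejoin_limit:
                self.events.append((now, user, room, "rejoin"))
                return "denied:rejoin"
            else:
                leave[1] = used + 1
        return "allowed"


def demo():
    """Drive the throttle with constructed traffic and return the verdicts."""
    t = JoinThrottle()
    # Constructed burst: 31 join attempts by one ID within about six seconds.
    burst = [t.attempt_join("alice", "lobby1", i * 0.2) for i in range(31)]
    during_lock = t.attempt_join("alice", "lobby2", 100.0)
    after_lock = t.attempt_join("alice", "lobby2", 100.0 + t.lockout_s + 1.0)

    # Constructed re-entry sequence: leave once, then try to get back in 11 times.
    t.attempt_join("bob", "lobby1", 0.0)
    t.leave_room("bob", 1.0)
    rejoins = [t.attempt_join("bob", "lobby1", 2.0 + i) for i in range(11)]
    later = t.attempt_join("bob", "lobby1", 1.0 + t.window_s + 1.0)
    return {
        "burst": burst,
        "during_lock": during_lock,
        "after_lock": after_lock,
        "rejoins": rejoins,
        "later": later,
        "denials": len(t.events),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The audit list (`events`) is what a defender would actually feed into monitoring: a single ID tripping the global lockout repeatedly, or many IDs tripping it in lock-step, is the signal that a scanning bot rather than a person is behind the traffic.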
dan-i-am (Member)

Here's a short story to show how Buddy Spy recently helped with some recent drama in a Yahoo chatroom.

An old reg of a room I visit decided that she was going to start messing with some of her friends' heads (I only knew her from the chatroom; she was closer friends with others I knew). She created a new ID and came in the room pretending to be someone else and started telling people that the person we knew was dead. Then as we were questioning this "new" person, the story changed from not dead, to just in a coma but not expected to live. Then a few days later she was supposedly responding… then a day later expected to go home in a few days. A week after this initial "death notice" this reg came back under a new name claiming the previous story about being in a coma and having lost much of her memory. At some friends' behest, I started doing some information digging. Along with a lot of information I found out, one of the biggest discoveries/confirmations came with using Buddy Spy.

After this reg's "return", I started thinking that maybe the "friend" (who told of her death) and this reg were the same person, just using different names (one was possibly the alias of the one we knew). So I started scanning both names with Buddy Spy (using Automate 5 to scan every 10 minutes). One night, both names (the admitted new name and the "friend" name) appeared online and offline at least 4-5 times SIMULTANEOUSLY within an hour. This proved to me (and others) that they were both one and the same person and just a cruel game that was played in order for some attention. They always came online and went offline at the exact same times. I started taking screen captures of the "Scan History" page (which held many, many scans) and posted them on a web page for all to see.

Now… this person has been busted with my digging and the use of Buddy Spy and hopefully won't try to pull this stunt again.
– dan –