SamH
What you have to remember is people release working poc codes on a daily basis all over the place on some trusted well known security sites.We have guide lines we follow also.
What you have to remember is people release working poc codes on a daily basis all over the place on some trusted well known security sites.We have guide lines we follow also.
Yeh that is not inforce at the moment but im guessing it will only be a matter of time.Any ways who said i was in the uk.
I know germany has enforced it and france is about to.
I know germany has enforced it and france is about to.
2 days the poc code was released 1 week later if not longer.
Last edited by muhaa, .
Lol sam i know where i stand it is not illegal to release poc codes.It depends where you are from they are clamping down in some country and yes you would probly get some sort of court aperiance depending on the situation where im for it is not illegal to publicly release exploit or poc code.If i was to use it then yes it would be.
I will try and find some stuff to back my claims up.
I will try and find some stuff to back my claims up.
SamH
There is nothing illegal in what i done i can say that with known i would get no come backs.The disclaimer is there for a reason to stay with in the recommendations of releasing the poc code.So if any of the skiddys do use it that it is down to them not me.
I think Kada_CZ knows alot about the security industry and how it works.
If the developers had actually took the time to contact me and talk about the bug and let me know when roughly the patch would come out or contact me at a later date,About the date of the patch no poc code would have been released at all till the patch or just before tha patch was released.The developers didnt give me a time scale on when a patch would be applied that is one of the main reasons for the public disclosure.You also forget the av company take the file offsets and stuff and add them to there data base so anti virus picks them straight up.That is anther reason for releasing a poc code.
You guys are not looking into the whole subject with an open mind all your thinking of is the malicious things that can be done.I could have even sold the exploit to some one who was wanting a few extra vic legaly.But i wouldn't do that i wont sell myself out.
There is nothing illegal in what i done i can say that with known i would get no come backs.The disclaimer is there for a reason to stay with in the recommendations of releasing the poc code.So if any of the skiddys do use it that it is down to them not me.
I think Kada_CZ knows alot about the security industry and how it works.
If the developers had actually took the time to contact me and talk about the bug and let me know when roughly the patch would come out or contact me at a later date,About the date of the patch no poc code would have been released at all till the patch or just before tha patch was released.The developers didnt give me a time scale on when a patch would be applied that is one of the main reasons for the public disclosure.You also forget the av company take the file offsets and stuff and add them to there data base so anti virus picks them straight up.That is anther reason for releasing a poc code.
You guys are not looking into the whole subject with an open mind all your thinking of is the malicious things that can be done.I could have even sold the exploit to some one who was wanting a few extra vic legaly.But i wouldn't do that i wont sell myself out.
Last edited by muhaa, .
SamH what i do and what zone horg do are two completely different things.if i was to dos a network and take down the back bone of the Internet then yes fair enough.If i was to write a local exploit im hardly going to take down a net work.Skiddy who d0s can be held accountable im not saying they can not.But that is the skiddys not people who write poc code.You will see when i release an exploit it usually comes with a disclaimer.
What them chose to do with the information provided is nothing to do with me as it was released for educational use only.
SamH
Ive looked into this trust me there is nothing illigal of what i done nothing what so ever if it was there would be loads of people even at "Stanford university" that release a windows exploit some years ago be held for there actions.
If i was to deface a server then yes or get acsess to some ones computer then yes.But i think your missing the point i dont actually hack since the laws change.I have kidds and responsibilities to take care of.If i thought for one minute i was going to get jail time for any of my actions for pentesting i would not do it simple.But some one has to and as the laws stand at this moment in time i have not committed no offence.
<?php
----------
Disclaimer
----------
The information in this advisory and any of its
demonstrations is provided "as is" without any
warranty of any kind.
I am not liable for any direct or indirect damages
caused as a result of using the information or
demonstrations provided in any part of this advisory.
Educational use only..!!
?>
SamH
Ive looked into this trust me there is nothing illigal of what i done nothing what so ever if it was there would be loads of people even at "Stanford university" that release a windows exploit some years ago be held for there actions.
If i was to deface a server then yes or get acsess to some ones computer then yes.But i think your missing the point i dont actually hack since the laws change.I have kidds and responsibilities to take care of.If i thought for one minute i was going to get jail time for any of my actions for pentesting i would not do it simple.But some one has to and as the laws stand at this moment in time i have not committed no offence.
Last edited by muhaa, .
Public disclosure is not illegal.Depending on where you live of course if your in germany your f*cked.
I did not write a dos for lfs that was not me i think you are confusing the situation.Im not a defacer i don't like zone-horg i know some people from there the admins and stuff.But i don't associate with people like that.That zone horg is not a legit security site there full of skiddy who wreak other peoples site.I have nothing but hatred for these types of people.And the people i know don't like them at all.
I dont know where the denial of service comes into this,We are talking 3rd party software its totally different from what there actually talking about.There on about bot nets which skiddys love to d0s people.
[merge double post]
I did not write a dos for lfs that was not me i think you are confusing the situation.Im not a defacer i dont like zone-horg i know some people from there the admins and stuff.But i dont associate with people like that.
xaotik
You dont even know me im not some skiddy.Not like your thinking your blowing the whole thing out of context.I agree im not the best person in the security industry but i do know what im talking about.Go on try and recreate the bug i found in lfs,You know why you cant simple you have no debugging experience or coding skills.I have been playing with security related subjects for 7 years if not longer.
Skiddys dont write exploits they use them.
I dont know where the denial of service comes into this,We are talking 3rd party software its totally different from what there actually talking about.There on about bot nets which skiddys love to d0s people.
[merge double post]
I did not write a dos for lfs that was not me i think you are confusing the situation.Im not a defacer i dont like zone-horg i know some people from there the admins and stuff.But i dont associate with people like that.
xaotik
You dont even know me im not some skiddy.Not like your thinking your blowing the whole thing out of context.I agree im not the best person in the security industry but i do know what im talking about.Go on try and recreate the bug i found in lfs,You know why you cant simple you have no debugging experience or coding skills.I have been playing with security related subjects for 7 years if not longer.
Skiddys dont write exploits they use them.
No i think if im willing to except some part of the blame the developers should take some responsibility,You forget like the above post mentions i didn't have the source code reverse engineering is not an option as it is illegal.
Im not saying the code is bad or any thing i wouldn't like to code the whole game i can imagine the amount of time and stress and problem solving that go into a project like this.And it can be easy for a compiler to change some functions making the compiled application which looks safe on code but when the completed binary is released not so safe.
I still stand by to what i done i think i could have may be given alot more time before releasing the poc code maybe 2-4 weeks which is fare enough.But i was right to release the poc code this is what i do i test software for bugs.This is the guide lines and ethics i follow
1)find bug
2)contact developers
3)release poc code
Simple as that and that is for any company.I just think this is a massive witch hunt,Your all directing your anger at me when im not 100% responsible for the bugs i cant surly be held responsible for the whole thing.
If the developers had took the time like i did to write a whole description on the bug i wrote a full page in a txt file which took over 2 hours to write and collect all the information,But they couldnt just get in touch i mean the developers not some messenger,And then all of a sudden nothing.
I asked for 1 thing only and that 1 thing was if i kept the pocs none public would they let me know 3 hours before they released the patch so i can get a cv number for the exploit that was the only request i asked.I asked them 4 times nothing come back.After i made the post on this forum in the bugs section i received alot of bad mojo from most of the community this had alot to do with why the poc was released.No one was taking me seriously so i released them.
I think the game will be 100% safe when the release comes out the new y patch which im looking forward to.If the bugs had been found after the final lfs2 came out i think it would have been alot worse for the developers.Yes it was a bad timing with all the stuff that has happened over the coming month with the hacks and stuff but there is never a good time to tell the developers about problems.
Im not saying the code is bad or any thing i wouldn't like to code the whole game i can imagine the amount of time and stress and problem solving that go into a project like this.And it can be easy for a compiler to change some functions making the compiled application which looks safe on code but when the completed binary is released not so safe.
I still stand by to what i done i think i could have may be given alot more time before releasing the poc code maybe 2-4 weeks which is fare enough.But i was right to release the poc code this is what i do i test software for bugs.This is the guide lines and ethics i follow
1)find bug
2)contact developers
3)release poc code
Simple as that and that is for any company.I just think this is a massive witch hunt,Your all directing your anger at me when im not 100% responsible for the bugs i cant surly be held responsible for the whole thing.
If the developers had took the time like i did to write a whole description on the bug i wrote a full page in a txt file which took over 2 hours to write and collect all the information,But they couldnt just get in touch i mean the developers not some messenger,And then all of a sudden nothing.
I asked for 1 thing only and that 1 thing was if i kept the pocs none public would they let me know 3 hours before they released the patch so i can get a cv number for the exploit that was the only request i asked.I asked them 4 times nothing come back.After i made the post on this forum in the bugs section i received alot of bad mojo from most of the community this had alot to do with why the poc was released.No one was taking me seriously so i released them.
I think the game will be 100% safe when the release comes out the new y patch which im looking forward to.If the bugs had been found after the final lfs2 came out i think it would have been alot worse for the developers.Yes it was a bad timing with all the stuff that has happened over the coming month with the hacks and stuff but there is never a good time to tell the developers about problems.
Last edited by muhaa, .
Well i didnt code the game if the code was safe there wouldnt be any thing to worry about.!!
If any one is responsible it the devs simple as that.They coded the game they used bad coding practice which there is no excuse for.Every post ive saw with the same people trying to make it out as if im doing this for some sort of ego trip.Which is not the case im not even going to argue with any one unless they have a valid argument in the first place actually know what i done and why.
You forget im s2 licence i payed for the game and i would like it secure also.
You forget im s2 licence i payed for the game and i would like it secure also.
Last edited by muhaa, .
Im not even going to bother to feed some trolls i just lost the will to argue over some thing so stupid as this..
You guys need to know what your actually talking about i was advised after i wrote that i had done nothing wrong by loads of people who i took advice from.Im not in the wrong here.
now stop going on about it.
If you have any questions you can contact me via pm like many others have done which i will say was alot more reasonable than some people in here.I don't care about public recognition i tried to report a vouln thats it if you don't like it tough.The devs should use better coding standards simple.
now stop going on about it.
If you have any questions you can contact me via pm like many others have done which i will say was alot more reasonable than some people in here.I don't care about public recognition i tried to report a vouln thats it if you don't like it tough.The devs should use better coding standards simple.
Last edited by muhaa, .
nvrmm your a bunch of immature kids.I really cant be bothered with this crap.Oh they hurt our little game and blah blahblah.Get over your self,And grow up.
If you want to contact me via pm to discuss it im more than happy to answer any questions but before you do read this the whole thing.
http://www.securityfocus.com/columnists/391
please leave it as that i don't want to go off topic again
If you want to contact me via pm to discuss it im more than happy to answer any questions but before you do read this the whole thing.
http://www.securityfocus.com/columnists/391
please leave it as that i don't want to go off topic again
Last edited by muhaa, .
Definitions of Phreaker on the Web:
A person who hacks (breaks into) telephone systems to make free long-distance phone calls at someone else's expense.
Pmsl your so wrong its funny.Just shut up we could have released all the exploits with out telling the company we done the right thing by telling them and then we release the poc code.
I treat this company like i would have any other there is no law against what i or the other guy done and if you don't like it it's tough.This is the way the security industry works if you don't belive me do some research then pm me.
I will be more than happy to discuss the issues with any one over pm.We done the right thing just because we released the poc codes and told the developer's they better try and be quick about it because we wanted to release them.We could have just released them with out telling the devs or any thing.So stop bitching about it.
Unless you are in the security industry please don't comment on what me or the other guy oh yeh i think the developers were so bussy they couldnt talk to to us directly comon wtf.Then you try to pass the buck on to us who coded the game.Easy to pass the buck if you want to go that far we can take this alot further if you would like.
A person who hacks (breaks into) telephone systems to make free long-distance phone calls at someone else's expense.
Pmsl your so wrong its funny.Just shut up we could have released all the exploits with out telling the company we done the right thing by telling them and then we release the poc code.
I treat this company like i would have any other there is no law against what i or the other guy done and if you don't like it it's tough.This is the way the security industry works if you don't belive me do some research then pm me.
I will be more than happy to discuss the issues with any one over pm.We done the right thing just because we released the poc codes and told the developer's they better try and be quick about it because we wanted to release them.We could have just released them with out telling the devs or any thing.So stop bitching about it.
Unless you are in the security industry please don't comment on what me or the other guy oh yeh i think the developers were so bussy they couldnt talk to to us directly comon wtf.Then you try to pass the buck on to us who coded the game.Easy to pass the buck if you want to go that far we can take this alot further if you would like.
Last edited by muhaa, .
Ffs ive already said i take full responsibility for my actions and will not make the same mistake again what you want blood..This is the way the security industry works and always will.And next time i wont release any thing about it till the patch has been applied.
Lets not turn this into a crap post its good that the fixes have been made.
Lets not turn this into a crap post its good that the fixes have been made.
I will learn by my mistakes im sure for future releases of any other exploit or poc code.I take this as a valid learning lesson on which i will be more than happy to improve in the future.People make bad mistakes and often make bad decision,But if i could change things i would.Can we drop it before people start to flame.I've admitted i made a mistake and thats all i can say.I thought you guys was not taking it seriously i think it was more than 2 days before the poc was released.
Well there must have been some mix up some where i gave you enough time before releasing the poc code.I sent many emails alot with no replys.
I dont want any public recognition.I sent you all the information you need.But meh any ways good luck.The server voulns had nothing to do with me at all.Atleast it is going to be secure now and much better for the community.I made a choice about the release of the poc code.For reason that none public disclosure is a bad thing.Any way going off topic,Good luck with the fixes.
I dont want any public recognition.I sent you all the information you need.But meh any ways good luck.The server voulns had nothing to do with me at all.Atleast it is going to be secure now and much better for the community.I made a choice about the release of the poc code.For reason that none public disclosure is a bad thing.Any way going off topic,Good luck with the fixes.
Last edited by muhaa, .
Scawen any news on the buffer over flows i found in lfs the local ones.Any news on the new patch please.Im guessing you got all the emails i sent you with the debugging and poc code's.
Your a dick you dont even know me so shut the hell up im not a skiddy.!!
tristancliffe have you nothing better to do with your time than troll the forum's.
Get a life.
There is nothing skilled about these hacks what so ever,all there doing is changing the value at an address in the memory.
One thing the team speak vulnerability is or has nothing to do with this bug in any way what so ever,The only thing they share in common they are both client and server applications and that is it.So there is no point in comparing the 2 problems.
m4ccy i have some thing that will work for you if you want the code pm me and ill send it to you.
m4ccy i have some thing that will work for you if you want the code pm me and ill send it to you.
Yeh but the strange thing is its all back to normal,I had done a speed test on my line and it was exactly the same as yesterday strange.
Strange thing is since it come back online i see the server pings are alot higher than usual.
FGED GREDG RDFGDR GSFDG