mods feel free to delete any of the spam

-id

But his postings were soooooooooo entertaining! ;)

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Does anyone care to share how his account info was compromised?

-----------------------------------------------------------------------
(ú=(θ='',[µ=!(Φ=!θ+{})+θ,Θ=Φ[ø=+!θ]+Φ[+θ],ĩ=µ[ø],Ø=µ[º=ø+++ø],Ç=Φ[º+ø],à=ú[Φ[º+º]+Φ[+θ]+Ç+ĩ]][Ø+Ç+Θ])())[ĩ+à('•êí')](Ç+à('Á«)'))

His gmail account was compromised, which allowed the attacker to get his sla.ckers password reset.

-id

any details on the compromission of his account ? i find it difficult to believe he falled for standards attacks like CSRF or bruteforce.

this could be a major PR pain in the ass for him...

----------------------------------------------------------------------------------------------------------------

Those that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.
--Benjamin Franklin

Malkav Wrote:
-------------------------------------------------------
> this could be a major PR pain in the ass for
> him...

Don't worry, if there's one thing pdp's good at; it's PR.

P.S. He has bigger things to worry about than his sla.ckers.org account getting compromised; like his emails for several years getting posted to ful-disclosure.

----------------------------------------------------------
Don't forget our IRC: irc://irc.irchighway.net/#slackers
[kuza55.blogspot.com]

Steps to Success:

1) Listen to RSnake's talk about hacking google.
2) Steal promitent hacker's credentials
3) Profit!!!

:)

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Just goes to show, leave the laptops at home next time you head to a security conference. Airport and hotel included.

-Marcin
[tssci-security.com]

I don't know if it had anything to do with bringing his laptop to a con. And really how much of a security guy are you if you can't bring your laptop somewhere?...turns out there are bad guys at places other than DefCon.

RSnake and I had the chance to sit down with pdp at DC and talk about it a bit. One interesting comment he made was that he never intended that account to have sensitive information in it, but since he had used to to post to mailing lists people began using it for other discussions. I'm sure it wouldn't have mattered if only his full disclosure posts were in the mailbox, but human nature got in the way and and mailbox creep got him.

It's of course easy to say don't use a 3rd party such as gmail, but like everything in the security world, it's a trade off. Not everyone has the time/resources/skills to run and secure their own resources. For example, the vast majority of posters here use one of the big free email services or their company's email.

-id

Alan Shimel was compromised as well

[www.gossamer-threads.com]

-id

Umm.. no, that's not a compromise, that is Full Rectal Penetration.

EDIT: Funny that I chose those words to describe it, considering that his "still secure after all these years" website got redirected to a gay porn site.. heh

Also.. I can see how building a rocket to orbit the earth might be a little hard for someone to do, but come on.. setting up your own SMTP server is NOT rocket science, especially for someone who touts themselves as 'security professionals'..

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill



Edited 1 time(s). Last edit at 08/11/2008 02:45PM by thrill.

As I pointed out there are other things besides the difficulty of setting up infrastructure.

-id

Are you guys going to reset his password and change the email addy on his account so he can have his account back?

________________________________________________________________________
www.crypticmauler.com
"You must be the change you wish to see in the world."

I will send him new account info. I had beers with him last week in London, so no worries we're in touch.

-id

@id

Any new info on how his account was compromised?

------------------------------------------------------------------------------------------------------------

"-/style=-=expression&#40/*WAFs..Evasion..Filters'/-/*',/**/alert(/People who say it cannot be done should not interrupt those who are doing it./)//);"

labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [www.businessinfo.co.uk]

It was his gmail account which had a reset password in it (yes, we should force users to change it after a reset, but you're all security guys...you should all know better!). Nothing was compromised via sla.ckers.

-id

any infos on how his gmail account got compromised ?

Yeah that's what I meant, if they had access to his gmail then it wouldn't matter what his password was if it was linked to his slackers account.

------------------------------------------------------------------------------------------------------------

"-/style=-=expression&#40/*WAFs..Evasion..Filters'/-/*',/**/alert(/People who say it cannot be done should not interrupt those who are doing it./)//);"

labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [www.businessinfo.co.uk]

I don't know how his gmail account was compromised, and I'm not going to speculate...

-id