#16 Colloquy Vuln
William A. Carrel
Colloquy -> Check for updates... if you happen to be a user.
--
wac
alfre...@aol.com
It seems that Colloquy General preference "automatically check for new
versions" is on by default. I didn't even know about #16, but when
Colloquy launched, it found new version, and, with a single click of
myacceptance, downloaded the new version, installed it, put old version
in trash, and relaunched. Nice.
Rosyna
lhm/kf were actively using it on IRC to disconnect users.
--
Sincerely,
Rosyna Keller
Technical Support/Carbon troll/Always needs a hug
Unsanity: Unsane Tools for Insanely Great People
It's either this, or imagining Phil Schiller in a thong.
st...@info-pull.com
On Jan 17, 9:27 am, Rosyna <ros...@gmail.com> wrote:
> They actually fixed it before the exploit was even published because
> lhm/kf were actively using it on IRC to disconnect users.
You should be very careful before going around like an internet tough,
accusing people with nothing more than your own speculation. Unless you
can prove that (that is, using proofs you can't tamper with, which
makes pasting something out of your Text Edit window plain invalid), we
request you to keep away of any future claims like these.
It's the second time we ask you politely to stop the malicious
non-sense you're getting into. We aren't going to enter any
claims/counter-claims cycle with you, given that you are neither
technically nor personally qualified for keeping good manners (that
excludes insulting, fallacies and false claims like these, without any
supporting argument other than your personal issues).
There are many people out there interested on making a fool out of
yourself and complicating your day. We aren't the only ones you've been
insulting, but you obviously know that. The fact that someone has
targeted the IRC channel where you rant is just another proof.
Given your skill base, lack of care of any type and definitive
malicious attitude, developing more hostilities with people out there
isn't really the best thing for you. It's a suicidal path, literally.
And this is sincere, friendly advice. We have nothing personal against
you, besides being a malicious retard from times to times.
Anyway, back on topic (Rosyna, you manage to include a rant in every
e-mail you send): the Colloquy development team has done a *great* job
on the fix (preventing that prank from continuing). Probably one of the
most timely fixes released during the MoAB, including OmniGroup's one.
None credited their finding, though. Certainly better than Apple, for
instance.
Cheers.
Rosyna
>On Jan 17, 9:27 am, Rosyna <ros...@gmail.com> wrote:
>> They actually fixed it before the exploit was even published because
>> lhm/kf were actively using it on IRC to disconnect users.
>
>You should be very careful before going around like an internet tough,
>accusing people with nothing more than your own speculation. Unless you
>can prove that (that is, using proofs you can't tamper with, which
>makes pasting something out of your Text Edit window plain invalid), we
>request you to keep away of any future claims like these.
>
Here's the proof. http://tachibanalabs.com/tmp/MOAB-16-01-2007.html
Compare and contrast to the current
http://projects.info-pull.com/moab/MOAB-16-01-2007.html Notice the
missing pieces?
The first link is hosting the original unmodified file. It's also why
thinks like CSS don't show up. Nothing about it was modified. Also,
it's not being hosted by me or anyone affiliated with me.
Furthermore, there's about 20+ people that can verify that the
tachibanalabs.com link has the original text of the advisory.
FWIW, the original Ruby file's header said "the great #macdev raid".
>There are many people out there interested on making a fool out of
>yourself and complicating your day. We aren't the only ones you've been
>insulting, but you obviously know that.
That kind of seems a little like a threat.
> The fact that someone has
>targeted the IRC channel where you rant is just another proof.
That's funny, I don't seem to remember ever mentioning the IRC
channel or the fact I was on such an IRC channel....
>Given your skill base, lack of care of any type and definitive
>malicious attitude, developing more hostilities with people out there
>isn't really the best thing for you. It's a suicidal path, literally.
>And this is sincere, friendly advice. We have nothing personal against
>you, besides being a malicious retard from times to times.
Again, this seems like a threat...
purr...@gmail.com
it shortly after they realized what they had posted.
Rosyna
>Unless you
>can prove that (that is, using proofs you can't tamper with, which
>makes pasting something out of your Text Edit window plain invalid),
Also, there's a screenshot.
http://farm1.static.flickr.com/123/360396261_05ca8f43b9_b.jpg
Jens Ayton
> Rosyna:
>> They actually fixed it before the exploit was even published because
>> lhm/kf were actively using it on IRC to disconnect users.
>
> You should be very careful before going around like an internet tough,
> accusing people with nothing more than your own speculation. Unless you
> can prove that (that is, using proofs you can't tamper with, which
> makes pasting something out of your Text Edit window plain invalid), we
> request you to keep away of any future claims like these.
As you are well aware, the concept of "proof" is essentially
inapplicable to something as ephemeral as internet communications.
However, I witnessed the events to which Rosyna refers and can attest
to the following:
* At or about 0800 this morning (Wed Jan 17 2007), Central European
time, several persons on the #macdev channel on Freenode IRC were
repeatedly disconnected with unusual quit messages.
* Several of these persons attested they were using Colloquy.
* It was established that the disconnects were immediately preceeded
by invitations to channels with names along the lines of #%n%n%n%n.
* At least one of these persons was able to catch the name of the
person sending the invitation.
* The whois command (or possibly whowas) showed that said person's
host mask was kfinisterre@..., a name that is familiar to watchers of
the MoAB spectacle.
* There was a small amount of speculation at the time as to whether
this was in fact a MOAB crew stunt, or someone attempting to dirty Mr.
Finisterre's name.
* The bug was quickly identified and fixed; offhand, I believe this
was done by Alexander Strange.
* At approximately 0845 CET I saw the MOAB-16 advisory. At that time,
the page included a list of people "pwned" using this exploit. The
list closely matched those who had been disconnected using the very
vulnerability described in the advisory.
Unfortunately I am missing some details as I do not currently have
access to my IRC logs. This can be rectified in an hour or so.
--
Jens Ayton
Sed quis custodiet ipsos custodes?
Colin Barrett
On Jan 17, 2007, at 12:53 AM, st...@info-pull.com wrote:
> Probably one of the most timely fixes released during the MoAB,
> including OmniGroup's one.
> None credited their finding, though. Certainly better than Apple, for
> instance.
If you expect Apple, a huge corporation, to release patches every time
you publish an exploit, you're more deranged than I thought -- I had
you pegged as the type to include annoying sounds on his web page for
no good reason, and to overuse internet cliché's like PWN.
Hubris indeed.
Seriously, LMH, you're not winning any hearts OR minds by posting
here. Your overly defensive attitude towards Rosyna on this pretty
much solidifies it in my mind that you WERE in fact using it to
disconnect users.
Why do you bother posting here except to troll, anyway?
-Colin
Remy Porter
and focus on our main goal- contributing to a more secure and reliable
operating system.
I love this mailing list, but it's rapidly decaying into LMH posturing
and people getting offended. Let's please keep it technical?
William A. Carrel
"This group serves as a gathering place to discuss the technical and
coding issues for MOAB bug fixes."
This conversation has taken a turn which doesn't have anything to do
with the work required analyzing or preparing fixes. People are
welcome to engage in conversations about who is or isn't trying to
attacking who and who hates who's freedom... somewhere else. Please do
not bait each other (or be baited) into attacks and accusations here,
there are plenty of other forums for the circus sideshow antics of all
sides.
Eric Hall
Indeed. I was just getting ready to write something similar...
The only addition is:
Please remember that others may not follow short-circuits in your
logic/thinking, and that others may say (write) things in a way that
doesn't match the way you would. Keep a more open mind to what people
are saying and, if you don't think they're on the right track, indicate
so rather than saying they just don't get it or that they're morons.
Cut the absolutes and you might just find that people are smarter and
more aware than you think they are.
-eric
Alexander Strange
On Jan 17, 5:40 am, "Jens Ayton" <jens.ay...@gmail.com> wrote:
> * The bug was quickly identified and fixed; offhand, I believe this
> was done by Alexander Strange.
I wish to disclaim responsibility for this; Timothy Hatcher, the author
of Colloquy, fixed it and I just linked to the trac changeset.