Date: Tue, 15 Jul 2008 22:34:02 -0400
From: Ureleet <ureleet@...il.com>
To: n3td3v <xploitable@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: DNS Cache Dan Kamikaze (Actual Exploit Discussion)

most of what u wrote i actually agree with, let me just say a few
things where you need to adjust.

On Tue, Jul 15, 2008 at 3:48 PM, n3td3v <xploitable@...il.com> wrote:
> Does he go to jail if he breaks the secrecy, or is this his own little
> crusade of half-disclosure?

no, but i am sure he has some kind of contract with all the vendors
involved so that he can't disclose it.

>
> Cnet News called him "The man who changed internet security", so does
> this mean the end of full-disclosure and a new trend of half
> disclosure?
>
> This has got to be a bad precedence he is setting if cnet news are
> right and everyone is going to start half-disclosures, and only the
> rich can afford to buy a ticket to the security conference.
>
> Information should be free to all not a small circle of people, who
> could be rogue employees or eavesdropping could have happened we don't
> know, the info could already be in the hands of the bad guys,

this sounds like ur jealous

>
> And how much does it take to appear like a responsible security
> researcher on the surface while doing evils or doing cash for info
> behind the scenes?

ppl have to make money somehow, not everything is free u know.

>
> It is dangerous that the info is out there, but not out there if you
> know what I mean, you just don't know who has the info anymore, what
> they're doing with it and who hasn't.
>
> At least with FULL disclosure you know everyones got the info and not
> an elite circle of friends and co-workers, of which some might be
> rogue or tempted to swap cash for info over a beer in a bar, or at the
> corporations cafe.
>
> The sad truth of the matter is, this exploit and how it works will be
> gossip all over a corporation floor on an open plan cube layout, even
> though its not on the mailing lists, a lot of people will know about
> it, and it just takes one person to be tempted to sell the info or
> become rogue and start exploiting with it on a spear-target basis of
> little enemies the rogue may have, that wouldn't be picked up by the
> internet security vendors honeypots and sensors.
>
> Security info should not be gossip over an office floor for a month,
> over phone calls, email, IM and at the corporation cafe and after work
> at the bar, because you don't know who is shoulder surfing you, or you
> don't know there won't be a rogue employee, cash for info deal or even
> a hacker managing to intercept the gossip electronically.
>
> We should not be making security info into gossip and rumor mill, just
> to make a security conference more popular.
>
> You think this is giving vendors a gap to patch, but in fact it's a gap
> for money deals to be done, gossip / exploit info to spread to unknown
> employees or rogues and other craziness.

we know what u are saying here, but u repeat yourself like 4x.  and i
still dont understand why u r bitching.

>
> By the time the day before the talk comes, its gonna be a mess, more
> and more behind the scenes people will know and god knows what money
> deals done and possible rogue exploitation, and it won't be clear to
> everyone who actually knows and who doesn't know and even hard for Dan
> Kaminsky to keep track and remember, who knows and who doesn't and
> whether the info has been mis handled by one or two bad apples.
>
> No, while I see what you were thinking, a gap in disclosure to allow
> vendors to patch seems like a good safety mechanism on paper, the
> truth is practically it isn't.

seems to be working so far.

>
> The human species is a social, curious and inquisitive animal, there
> is no way this kind of thing is being kept secret with a select few,
> and I for one don't trust that everything is being kept hush hush.

because u arent in the inside of the circle?

> Yes
> it's being kept publicly hush hush on a mailing list level, but lots
> of things can still be public and known without getting onto a mailing
> list and the internet, and this is where I see Dan Kaminsky's ideology
> on disclosure tactic as flawed in reality and unworkable, and it
> creates a feeling of uncertainty and tension on the security industry,
> and under world.

what, between u and dan?

>
> I'm sure the intelligence service intercepted Dan Kaminsky chatter a
> long time ago and have the exploit code and may be using it for covert
> operations, or even just normal employees mishandling the information
> or even some of the trusted ppl exploiting ppl with the code on a low
> level or selling info for cash in small time deals.

get ur head out of mi6's ass.

>
> This isn't a world I want to live in where the government and
> employees on certain corporate floors know all about it but the rest
> of us don't.

too late.  theyve been doing it 4 years.  ur too late.

>
> So, Dan Kaminsky the man who changed internet security flaw disclosure
> by setting a new standard in disclosure, or Dan Kaminsky who is
> setting a new standard in a whole bunch of unknowns when researchers
> tell a select few people and its hard to keep track of who knows and
> who has or hasn't managed to keep it secret. And mailing list secret
> doesn't mean it's secret, it just means it's not published on the
> internet!

what mailing list is it on?

>
> A month, is a month too long! I'm sure all DNS servers are now
> patched,

uh, no.

> this is all for sure to make blackhat security conference and
> Dan Kaminsky more popular,

and whats wrong with that?  its the biggest conference of the year.

> with his security theater that he is
> currently doing, but in reality we are all left feeling insecure for a
> whole damn month. Feeling insecure can be worse than actually having
> your servers insecure, its just a feeling of insecurity people don't
> want to have to suffer for a whole damn month, and I for one am sick
> of it.

sounds like u have slow self esteem

> Security theater, security conference ticket sale agendas and
> researchers looking for celebrity status while the actual security is
> taken second shelf.
>
> Who knows who has the exploit info, but we sure don't and i'm not even
> sure Dan Kaminsky knows who knows anymore. Yes he knows who he told,
> but does he know who they told or who may have intercepted the info?
> I'm sure its not just the government who knows how to eavesdrop, there
> could be terrorists, criminals or be in the hands of anybody. And I
> for one am sick of it if this is the way things are going to be
> happening around here from now on in the security scene, I just hope
> Cnet news are hell of wrong that people are going to start copying
> this Dan Kaminsky jerk and that he has set a new standard in
> information disclosure, because I think there are too many unknowns in
> his tactical half disclosure based around a security conference talk
> date and a ticket sales agenda.

i wouldnt consider cnet a news organization.  its like a group of
professional bloggers.  always has been.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
