lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <Pine.GSO.4.58.0508142010320.6680@kungfunix.net>
Date: Mon Aug 15 01:22:14 2005
From: sil at infiltrated.net (J. Oquendo)
Subject: (no subject)


On Sun, 14 Aug 2005, n3td3v wrote:

> I think its pathetic the way everyone has handled the whole affair. I
> don't blame Cisco for anything. To see these self proclaimed hackers
> goto Blackhat and Defcon is a complete joke.

You don't blame Cisco for knowing for years they'd been shipping cruddy
products and keeping a "don't ask won't tell" policy when it comes to
their products? Silly you.

> Then we had the self procalimed hackers saying they would target Cisco
> products and make a 0-day disclosure to give Cisco Systems Inc a black
> eye for pulling their planned coordinated speech with this dude
> M.Lynn. What a joke the security community is being right now.

Whom stated this. The purpose of Lynn's presentation which can be seen at:
www.infiltrated.net/cisco/holygrail.pdf was to provide those in the
industry a glimpse at a huge problem in the making. A huge problem Cisco
had not been disclosing.

> Its a classic case of jumping on the bandwagaon. Before the summer
> most hadn't given Cisco any thought, but suddenly their public enemy
> number one.

They are public enemy number one right now. I would say 75% plus of the
networks online right now are running Cisco products. For Cisco to take a
lackadaisical attitude in fixing their problems is irresponsible.


> I suggest that the majority of those attending these conferences are
> indeed script kiddies, not hackers.

Indeed. You should have followed suit and replaced that line with "3y3
sUgGeST,..." sInCeReLy n3td3v!@

Seriously though, for anyone in the industry who's been in "the game" for
some time, many know that this entire industry has gone from "fixing holes
for fun and fame", to "fsck that hole and just get the profits". Far too
many in the field have "sold out" and forgotten what security was, due to
too many "mega corps" (Symantec, Cisco, NAI, etc) dishing out money and
skirting responsibilities.

When it comes to Cisco, kudos to Lynn and others who speak out about
vulnerabilities. Especially in the case of Lynn who disclosed this to
Cisco way beforehand. Heck it was disclosed in a previous briefing, why
the lenghty time to produce patches... Cisco's attitude seemed to be that
of Microsoft's old attitude: "The vulnerability is theoretical" until it
bit them in the ass.

As for the feds bullying Mr. Lynn under the guise of "National Security"
why not dish out fines to Cisco for everyday they have not released a fix
for it. Did Team Cisco lobby that many in congress to make people turn a
blind eye.

Kudos to Mr. Lynn, and kudos to others who disclose (appropriately)
security holes when vendors solely want to appease investors. (Hey Team
Oracle and Larry Ellis... Hope someone over there is reading this too...)

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
GPG Key ID 0x97B43D89
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x97B43D89

To conquer the enemy without resorting to war is the most
desirable.  The highest form of generalship is to conquer
the enemy by strategy." - Sun Tzu

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ