lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4b6ee9310807151248i6d208f25k8dce5b3c1861a957@mail.gmail.com>
Date: Tue, 15 Jul 2008 20:48:02 +0100
From: n3td3v <xploitable@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: DNS Cache Dan Kamikaze (Actual Exploit
	Discussion)

On Tue, Jul 15, 2008 at 3:28 PM, Rob <spamproof@...pammail.net> wrote:
> Dan is sworn to secrecy until his talk, so we have to wait till then.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

Does he go to jail if he breaks the secrecy, or is this his own little
crusade of half-disclosure?

Cnet News called him "The man who changed internet security", so does
this mean the end of full-disclosure and a new trend of half
disclosure?

This has got to be a bad precedence he is setting if cnet news are
right and everyone is going to start half-disclosures, and only the
rich can afford to buy a ticket to the security conference.

Information should be free to all not a small circle of people, who
could be rogue employees or eavesdropping could of happened we don't
know, the info could already be in the hands of the bad guys,

And how much does it take to appear like a responsible security
researcher on the surface while doing evils or doing cash for info
behind the scenes?

It is dangerous that the info is out there, but not out there if you
know what I mean, you just don't know who has the info anymore, what
they're doing with it and who hasn't.

At least with FULL disclosure you know everyones got the info and not
an elite circle of friends and co-workers, of which some might be
rogue or tempted to swap cash for info over a beer in a bar, or at the
corporations cafe.

The sad truth of the matter is, this exploit and how it works will be
gossip all over a corporation floor on an open plan cube layout, even
though its not on the mailing lists, a lot of people will know about
it, and it just takes one person to be tempted to sell the info or
become rogue and start exploiting with it on a spear-target basis of
little enemies the rogue may have, that wouldn't be picked up by the
internet security vendors honeypots and sensors.

Security info should not be gossip over an office floor for a month,
over phone calls, email, IM and at the corporation cafe and after work
at the bar, because you don't know who is shoulder surfing you, or you
don't know there won't be a rogue employee, cash for info deal or even
a hacker managing to intercept the gossip electronically.

We should not be making security info into gossip and rumor mill, just
to make a security conference more popular.

You think this is giving vendors a gap to patch, but infact its a gap
for money deals to be done, gossip / exploit info to spread to unknown
employees or rogues and other craziness.

By the time the day before the talk comes, its gonna be a mess, more
and more behind the scenes people will know and god knows what money
deals done and possible rogue exploitation, and it won't be clear to
everyone who actually knows and who doesn't know and even hard for Dan
Kaminsky to keep track and remember, who knows and who doesn't and
whether the info has been mis handled by one or two bad apples.

No, while I see what you were thinking, a gap in disclosure to allow
vendors to patch seems like a good saftey mechanism on paper, the
truth is practically it isn't.

The human species is a social, curious and inquisitive animal, there
is no way this kind of thing is being kept secret with a select few,
and I for one don't trust that everything is being kept hush hush. Yes
its being kept publically hush hush on a mailing list level, but lots
of things can still be public and known without getting onto a mailing
list and the internet, and this is where I see Dan Kaminsky's ideology
on disclosure tactic as flawed in reality and unworkable, and it
creates a feeling of uncertainty and tension on the security industry,
and under world.

I'm sure the intelligence service intercepted Dan Kaminsky chatter a
long time ago and have the exploit code and may be using it for covert
operations, or even just normal employees mishandling the information
or even some of the trusted ppl exploiting ppl with the code on a low
level or selling info for cash in small time deals.

This isn't a world I want to live in where the government and
employees on certain corporate floors know all about it but the rest
of us don't.

So, Dan Kaminsky the man who changed internet security flaw disclosure
by setting a new standard in disclosure, or Dan Kaminsky who is
setting a new standard in a whole bunch of unknowns when researchers
tell a select few people and its hard to keep track of who knows and
who has or hasn't managed to keep it secret. And mailing list secret
doesn't mean its secret, it just means its not on the published on the
internet!

A month, is a month too long! I'm sure all DNS servers are now
patched, this is all for sure to make blackhat security conference and
Dan Kaminsky more popular, with his security theater that he is
currently doing, but in reality we are all left feeling insecure for a
whole damn month. Feeling insecure can be worse than actually having
your servers insecure, its just a feeling of insecurity people don't
want to have to suffer for a whole damn month, and I for one am sick
of it. Security theater, security conference ticket sale agendas and
researchers looking for celebrity status while the actual security is
taken second shelf.

Who knows who has the exploit info, but we sure don't and i'm not even
sure Dan Kaminsky knows who knows anymore. Yes he knows who he told,
but does he know who they told or who may have intercepted the info?
I'm sure its not just the government who knows how to eavesdrop, there
could be terrorists, criminals or be in the hands of anybody. And I
for one am sick of it if this is the way things are going to be
happening around here from now on in the security scene, I just hope
Cnet news are hell of wrong that people are going to start copying
this Dan Kaminsky jerk and that he has set a new standard in
information disclosure, because I think there are too many unknowns in
his tactical half disclosure based around a security conference talk
date and a ticket sales agenda.

All the best,

n3td3v

http://n3td3v.googlepages.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ