Date: Tue, 15 Jul 2008 22:34:02 -0400
From: Ureleet <ureleet@...il.com>
To: n3td3v <xploitable@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: DNS Cache Dan Kamikaze (Actual Exploit Discussion)

most of what u wrote i actually agree with, let me just say a few
things where you need to adjust.

On Tue, Jul 15, 2008 at 3:48 PM, n3td3v <xploitable@...il.com> wrote:
> Does he go to jail if he breaks the secrecy, or is this his own little
> crusade of half-disclosure?

no, but i am sure he has some kind of contract with all the vendors
involved so that he can't disclose it.

>
> Cnet News called him "The man who changed internet security", so does
> this mean the end of full-disclosure and a new trend of half
> disclosure?
>
> This has got to be a bad precedence he is setting if cnet news are
> right and everyone is going to start half-disclosures, and only the
> rich can afford to buy a ticket to the security conference.
>
> Information should be free to all not a small circle of people, who
> could be rogue employees or eavesdropping could have happened we don't
> know, the info could already be in the hands of the bad guys,

this sounds like ur jealous

>
> And how much does it take to appear like a responsible security
> researcher on the surface while doing evils or doing cash for info
> behind the scenes?

ppl have to make money somehow, not everything is free u know.

>
> It is dangerous that the info is out there, but not out there if you
> know what I mean, you just don't know who has the info anymore, what
> they're doing with it and who hasn't.
>
> At least with FULL disclosure you know everyones got the info and not
> an elite circle of friends and co-workers, of which some might be
> rogue or tempted to swap cash for info over a beer in a bar, or at the
> corporations cafe.
>
> The sad truth of the matter is, this exploit and how it works will be
> gossip all over a corporation floor on an open plan cube layout, even
> though its not on the mailing lists, a lot of people will know about
> it, and it just takes one person to be tempted to sell the info or
> become rogue and start exploiting with it on a spear-target basis of
> little enemies the rogue may have, that wouldn't be picked up by the
> internet security vendors honeypots and sensors.
>
> Security info should not be gossip over an office floor for a month,
> over phone calls, email, IM and at the corporation cafe and after work
> at the bar, because you don't know who is shoulder surfing you, or you
> don't know there won't be a rogue employee, cash for info deal or even
> a hacker managing to intercept the gossip electronically.
>
> We should not be making security info into gossip and rumor mill, just
> to make a security conference more popular.
>
> You think this is giving vendors a gap to patch, but in fact its a gap
> for money deals to be done, gossip / exploit info to spread to unknown
> employees or rogues and other craziness.

we know what u are saying here, but u repeat yourself like 4x. and i
still dont understand why u r bitching.

>
> By the time the day before the talk comes, its gonna be a mess, more
> and more behind the scenes people will know and god knows what money
> deals done and possible rogue exploitation, and it won't be clear to
> everyone who actually knows and who doesn't know and even hard for Dan
> Kaminsky to keep track and remember, who knows and who doesn't and
> whether the info has been mis handled by one or two bad apples.
>
> No, while I see what you were thinking, a gap in disclosure to allow
> vendors to patch seems like a good safety mechanism on paper, the
> truth is practically it isn't.

seems to be working so far.

>
> The human species is a social, curious and inquisitive animal, there
> is no way this kind of thing is being kept secret with a select few,
> and I for one don't trust that everything is being kept hush hush.

because u arent in the inside of the circle?

> Yes
> its being kept publicly hush hush on a mailing list level, but lots
> of things can still be public and known without getting onto a mailing
> list and the internet, and this is where I see Dan Kaminsky's ideology
> on disclosure tactic as flawed in reality and unworkable, and it
> creates a feeling of uncertainty and tension on the security industry,
> and under world.

what, between u and dan?

>
> I'm sure the intelligence service intercepted Dan Kaminsky chatter a
> long time ago and have the exploit code and may be using it for covert
> operations, or even just normal employees mishandling the information
> or even some of the trusted ppl exploiting ppl with the code on a low
> level or selling info for cash in small time deals.

get ur head out of mi6's ass.

>
> This isn't a world I want to live in where the government and
> employees on certain corporate floors know all about it but the rest
> of us don't.

too late. theyve been doing it 4 years. ur too late.

>
> So, Dan Kaminsky the man who changed internet security flaw disclosure
> by setting a new standard in disclosure, or Dan Kaminsky who is
> setting a new standard in a whole bunch of unknowns when researchers
> tell a select few people and its hard to keep track of who knows and
> who has or hasn't managed to keep it secret. And mailing list secret
> doesn't mean its secret, it just means its not on the published on the
> internet!

what mailing list is it on?

>
> A month, is a month too long! I'm sure all DNS servers are now
> patched,

uh, no.

> this is all for sure to make blackhat security conference and
> Dan Kaminsky more popular,

and whats wrong with that? its the biggest conference of the year.

> with his security theater that he is
> currently doing, but in reality we are all left feeling insecure for a
> whole damn month. Feeling insecure can be worse than actually having
> your servers insecure, its just a feeling of insecurity people don't
> want to have to suffer for a whole damn month, and I for one am sick
> of it.

sounds like u have slow self esteem

> Security theater, security conference ticket sale agendas and
> researchers looking for celebrity status while the actual security is
> taken second shelf.
>
> Who knows who has the exploit info, but we sure don't and i'm not even
> sure Dan Kaminsky knows who knows anymore. Yes he knows who he told,
> but does he know who they told or who may have intercepted the info?
> I'm sure its not just the government who knows how to eavesdrop, there
> could be terrorists, criminals or be in the hands of anybody. And I
> for one am sick of it if this is the way things are going to be
> happening around here from now on in the security scene, I just hope
> Cnet news are hell of wrong that people are going to start copying
> this Dan Kaminsky jerk and that he has set a new standard in
> information disclosure, because I think there are too many unknowns in
> his tactical half disclosure based around a security conference talk
> date and a ticket sales agenda.

i wouldnt consider cnet a news organization. its like a group of
professional bloggers. always has been.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/