Date: Wed, 23 Jul 2008 16:29:23 +0100
From: imipak <imipak@...il.com>
To: "Full Disclosure" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Nominate Dan Kaminsky for Most Overhyped BugPwnie Award

mcwidget wrote:

> Given how easy it appears to be to redirect a client to a malicious web server,
>

The web != the Internet.

Think of POP and IMAP. Hmmm.
SMTP.
All those Cisco devices that still use telnet rather than SSH...

I'm /sure/ there are no SP networks whose routers don't use BGP + MD5
*and* which use unpatched or NAT'd DNS servers. Why, that's just crazy
talk.

There's still no patches (or anything else) from Checkpoint, Cisco, or
any other vendors of vulnerable NATs, AFAIK, though Vixie and Dan
Kaminsky have both said CERT are working on it.


At http://blog.wired.com/27bstroke6/2008/07/kaminsky-on-how.html , Dan
is quoted saying:

  Q: How far along are people in patching the DNS servers? Do
      you know how many have been patched?

  DK: [...] We were getting some pretty good pickup on
      this patch. The last time I looked at people who were testing
      against my site it was somewhere in 30 to 40 percent ...


Is it 22:58 already?


=i
-- 
make way for history
flickering like a long-lost memory

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
