| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <a8fe69350807251308m377fc8b7qaa15613b9bea467@mail.gmail.com> Date: Fri, 25 Jul 2008 15:08:26 -0500 From: "Fredrick Diggle" <fdiggle@...il.com> To: "Nate McFeters" <nate.mcfeters@...il.com> Cc: Untitled <full-disclosure@...ts.grok.org.uk> Subject: Re: Dan Kaminsky Disclosure Methodology + Super Critical vulnerability disclosure in Windows ****BREAKING**** This just in! Nate McFeters discovers new way of breaking DNS using a combination of different types of session ids of varying lengths.. On Fri, Jul 25, 2008 at 1:52 PM, Nate McFeters <nate.mcfeters@...il.com> wrote: > Funny how you chose to point to my blog, which basically just reported > the status that Ptacek had changed his mind about the flaw, causing > the thought that people should consider it an issue. > > Nate > > On Fri, Jul 25, 2008 at 1:37 PM, Fredrick Diggle <fdiggle@...il.com> wrote: >> Fredrick Diggle security would like to thank Dan Kaminsky for his new >> methodology for vulnerability disclosure. The Dan Kaminsky Method >> consists of the following steps. >> >> 1. Think of technology or protocol that has high exposure throughout >> the internets >> 2. Contact all of the vendors and tell them to patch all of the >> BADNESS in the standards which has been known about for 15 years. >> 3. Contact lots of media outlets with lots of readers but no technical >> skill (http://blogs.zdnet.com/security/?p=1468 <- Nate is good at >> being clueless) and have them write doomsday stories about the end of >> the internets. >> 4. Publicly disclose an 'undisclosed' vulnerability in said >> technology. It is critical that you make a HUGE deal out of telling >> smart people that they should NOT speculate as to the nature of the >> vulnerability as it would threaten the entire internets. On the side >> tell people that you will give them partial credit if they find 'your' >> vulnerability before the public disclosure in a year or so. >> 5. Wait for someone smart to find a real vulnerability and then act >> all pissed that they talked about it before you. >> 6. Have a popular blogger with questionable morals 'accidentally' leak >> the full technical details of the vulnerability. >> 7. ??? >> 8. PROFIT!!!! >> >> ========================================================== >> >> As a supplement to this, Fredrick Diggle security would like to >> disclose a critical vulnerability in the Windows IPv4 network stack. >> This vulnerability is trivially remotely exploitable and could doom >> the entire internets if disclosed prior to being patched. All vendors >> have been notified and are working on patches. Fredrick Diggle will >> disclose the details of this vulnerability once he is sure that >> everyone is immunized (at Blackhat security conference in 2015). He >> would like to make it very clear that people should not speculate as >> to the nature of this vulnerability as public disclosure could >> threaten the entire infrastructure of the world (Halvar, This means >> you!). Anyone who independently discovers this vulnerability prior to >> public disclosure will be invited on stage to be recognized as having >> found it second. >> >> _______________________________________________ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ >> > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists